Problems with WinXP joining a Samba-head domain (and suggested
solutions)
Richard Sharpe
rsharpe at ns.aus.com
Wed Sep 11 17:34:01 GMT 2002
On Thu, 12 Sep 2002, Luke Howard wrote:
>
> Hi Richard,
>
> >2. Then, once this was fixed, WinXP still would not join. I needed to
> >switch off SignOrSeal as specified in the .reg file.
>
> Right, otherwise it will try and negotiate the Netlogon secure channel
> (or the "secure" Netlogon secure channel, depending on whose terminology
> you're using).
Well, the interesting thing to me is that WinXP managed to join with
Sign/Seal enabled, but failed on the first logon attempt.
This failure seems to occur after Samba responds SUCCESS to
ServerAuthenticate2, but, I suspect, with the wrong bits. I noticed that
XP includes at least one new flag bit that Win2K does not send.
I surmise that it was some bit not set in the result flags that Samba
returns, as it still returns 0X1FF.
> Last time I looked, the secure channel bind PDU included the NetBIOS
> name, the workstation name, and the DNS domain name and host, which
> are presumably used by the server as a key to retrieve the session key
> previously negotiated by NetrReqChallenge() and NetrServerAuthenticate3().
> The session key is used to sign/seal the channel (roughly per
> draft-brezak-win2k-krb-rc4-hmac-04.txt). I didn't take note of how
> these were encoded (whether they were Unicode strings, etc).
Hmmm, that is interesting.
> Let me know if you have any traces, as we'd like to implement this in
> GSS-API (along with NTLMSSP). Of course, I could just turn SignOrSeal
> back on and get some traces myself :-)
These might be interesting. I might not have enough VMware engines to test
this all out.
It might be interesting to implement SIGN/SEAL ... for a number of
reasons.
Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,
sharpe at ethereal.com
More information about the samba-technical
mailing list