Problems with WinXP joining a Samba-head domain (and suggested solutions)

Richard Sharpe rsharpe at
Wed Sep 11 17:34:01 GMT 2002

On Thu, 12 Sep 2002, Luke Howard wrote:

> Hi Richard,
> >2. Then, once this was fixed, WinXP still would not join. I needed to 
> >switch off SignOrSeal as specified in the .reg file.
> Right, otherwise it will try and negotiate the Netlogon secure channel
> (or the "secure" Netlogon secure channel, depending on whose terminology
> you're using). 

Well, the interesting thing to me is that WinXP managed to join with 
Sign/Seal enabled, but failed on the first logon attempt.

This failure seems to occur after Samba responds SUCCESS to 
ServerAuthenticate2, but, I suspect, with the wrong bits. I noticed that 
XP includes at least one new flag bit that Win2K does not send.

I surmise that it was some bit not set in the result flags that Samba 
returns, as it still returns 0X1FF.

> Last time I looked, the secure channel bind PDU included the NetBIOS
> name, the workstation name, and the DNS domain name and host, which 
> are presumably used by the server as a key to retrieve the session key
> previously negotiated by NetrReqChallenge() and NetrServerAuthenticate3().
> The session key is used to sign/seal the channel (roughly per 
> draft-brezak-win2k-krb-rc4-hmac-04.txt). I didn't take note of how
> these were encoded (whether they were Unicode strings, etc).

Hmmm, that is interesting.

> Let me know if you have any traces, as we'd like to implement this in
> GSS-API (along with NTLMSSP). Of course, I could just turn SignOrSeal
> back on and get some traces myself :-)

These might be interesting. I might not have enough VMware engines to test 
this all out.

It might be interesting to implement SIGN/SEAL ... for a number of 

Richard Sharpe, rsharpe at, rsharpe at, 
sharpe at

More information about the samba-technical mailing list