[PATCH] Always use schannel when contacting our DC.

Ken Cross kcross at nssolutions.com
Thu Jul 24 16:23:46 GMT 2003


I'm not sure I understand the implications of this.  If "we will always make
an Netlogon connection to the DC" (as opposed to a Kerberos connection?),
what happens if the DC is set up for Kerberos-only.  More and more
organizations are going that way.

Or am I totally off base?  Is this related to the transitive trust issue
(which I guess is still unresolved)?


Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org] 
> Sent: Thursday, July 24, 2003 10:05 AM
> To: Multiple recipients of list SAMBA-TECHNICAL
> Subject: [PATCH] Always use schannel when contacting our DC.
> This patch attempts to work around DCs that are set to 
> 'restrict anonymous = 1'.  This configuration allows 
> connections to IPC$, but not to some RPC services.
> By connecting to the RPC pipes using 'schannel' we not only 
> assure ourselves that the PDC is genuine, but we are 
> permitted to connect to pipes as the machine account (and 
> therefore not anonymous).
> The downsides of the current patch are:
>  - encrypted transport - we don't need to encrypt this data, and it
>    breaks our ability to sniff it.  We are very close to having
>    'signing only' support for schannel, but there remains a couple of
>    bugs that mean it it disabled for now.
>  - we will always make an Netlogon connection to the DC, 
> which will have the same effect as an NTLM login on our 
> machine account (see discussion on transitive trust relationships).
> Andrew Bartlett
> -- 
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net

More information about the samba-technical mailing list