possible bug in winbindd netlogon handling
jeremyd at apptechsys.com
Wed Jul 30 23:43:48 GMT 2003
This all applies to trusting a win2k domain from samba and from nt4.
Digging through the code of winbindd, trying to figure out the problem
I emailed earlier, and comparing what samba does and what nt 4.0 does in
establishing a connection to the NETLOGON pipe, I discovered a
discrepancy which seems to deal with an odd security setting I can't put
my finger on. Here's how I understand what winbindd does to authenticate
users from a trusted domain in my setup:
1 Setup an anonymous session with domain controller of trusted domain
2 Connect to IPC$
3 Open NETLOGON
4 Bind to NETLOGON
5 Authenticate the trust account using ServerReqChallenge and
6 Re-open netlogon
7 attempt to re-bind to netlogon
8 receive a Bind_nak packet
9 fail out with NT_STATUS_UNSUCCESSFUL, later NT_STATUS_NO_LOGON_SERVERS
My NT4 trusting domain does things a little differently, and this way
1 Use \MAILSLOT\NET\NTLOGON to authenticate using the trust account
2 Do 1-4 of samba
3 Authenticate user in question using RPC_NETLOGON SamLogon operation.
I have tcpdump logs of both behaviors, if you want them, ask me and I'll
send them to you off-list.
If this is a known issue, I apologize, but this seems like a fall-back
behavior that samba is lacking. If you want more information, please feel
free to ask me. If you already know about this and didn't want to hear it
again, feel free to flame me. If you know what security setting in win2k
server I can change to make this a moot point, please tell me.
More information about the samba-technical