possible bug in winbindd netlogon handling

Jeremy Drake jeremyd at apptechsys.com
Wed Jul 30 23:43:48 GMT 2003

This all applies to trusting a win2k domain from samba and from nt4.

Digging through the code of winbindd, trying to figure out the problem 
I emailed earlier, and comparing what samba does and what nt 4.0 does in 
establishing a connection to the NETLOGON pipe, I discovered a 
discrepancy which seems to deal with an odd security setting I can't put 
my finger on.  Here's how I understand what winbindd does to authenticate 
users from a trusted domain in my setup:

1 Setup an anonymous session with domain controller of trusted domain
2 Connect to IPC$
4 Bind to NETLOGON
5 Authenticate the trust account using ServerReqChallenge and 
6 Re-open netlogon
7 attempt to re-bind to netlogon
8 receive a Bind_nak packet

My NT4 trusting domain does things a little differently, and this way 
1 Use \MAILSLOT\NET\NTLOGON to authenticate using the trust account
2 Do 1-4 of samba
3 Authenticate user in question using RPC_NETLOGON SamLogon operation.

I have tcpdump logs of both behaviors, if you want them, ask me and I'll 
send them to you off-list.

If this is a known issue, I apologize, but this seems like a fall-back 
behavior that samba is lacking.  If you want more information, please feel 
free to ask me.  If you already know about this and didn't want to hear it 
again, feel free to flame me.  If you know what security setting in win2k 
server I can change to make this a moot point, please tell me.


More information about the samba-technical mailing list