schannel bug

[Steve Langasek]

On Wed, Oct 01, 2003 at 01:29:32PM +1000, Andrew Bartlett wrote:
> On Sat, 2003-09-27 at 09:27, Andrew Bartlett wrote:
> > On Sat, 2003-09-27 at 00:31, Gerald (Jerry) Carter wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1

> > > Can someone who worked on the schannel code provide some feedback
> > > on bug 309?

> > > I'm seeing an rpc fault in the logs (and a "procedure is out of
> > > range" error message on the client).

> > > process_incoming_data: Start: pdu_received_len = 0, pdu_needed_len = 304,
> > > incoming data = 304
> > > process_complete_pdu: processing packet type 0
> > > 000000 smb_io_rpc_hdr_req req
> > >      0000 alloc_hint: 000000f4
> > >      0004 context_id: 0000
> > >      0006 opnum     : 0002
> > > data 256 auth 32
> > > 000108 smb_io_rpc_hdr_auth hdr_auth
> > >      0108 auth_type    : 44
> > >      0109 auth_level   : 05
> > >      010a padding      : 0c
> > >      010b reserved     : 00
> > >      010c auth_context : 000b1ca8
> > > Invalid auth info 68 or level 5 on schannel
> > > process_request_pdu: failed to do schannel processing.
> > > set_incoming_fault: Setting fault state on pipe NETLOGON : vuid = 0x64
> > > process_complete_pdu: DCE/RPC fault sent on pipe lsass
> > > set_incoming_fault: Setting fault state on pipe NETLOGON : vuid = 0x64

> > Yes, it's possible to get some domain clients into a state where they
> > will refuse to 'seal' the schannel connection, only sign it.  We don't
> > currently know how to only sign it (we are close - I have most of the
> > code there, but it doesn't quite work yet :-).

> I've uploaded a proposed fix to bug #167 in our bugzilla.

Verified to work (so far) with Win2Ksp4 as a signing-only client.

-- 
Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.samba.org/archive/samba-technical/attachments/20030930/b716d8b6/attachment.bin