bug? Samba ADS member server does _not_ accept userid/pw but only kerberos

Gerald (Jerry) Carter jerry at samba.org
Fri Feb 6 14:29:26 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Volker.Lendecke at SerNet.DE wrote:
| On Thu, Feb 05, 2004 at 08:08:49PM +0100, Stefan Beck wrote:
|
|>I created two attachments with logs/dumps there.
|>Please let me know if you need more data.
|
|
| Just to make sure: Your DC is named IWS82328? It denies
| anonymous tconX to the IPC$ share, that's the symptom.
| No idea why it does it.

That's windows 2003 default policy.  RestrictAnonymous == 2 IIRC.

| As a workaround, could you try to run winbindd (not necessarily
| nss_winbind) and give it a valid user/password with
| 'wbinfo --set-auth-user=user%pass' to use to connect to the DC?
| This user does not have to have any rights in the DC's file system,
| it just needs a correct password.

Try tridge's schannel patch just for kicks :-)

cheers, jerry
- ----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAI6TGIR7qMdg1EfYRAuXgAJ9TNjDPQWIilOcEQmzd59PApzAH1ACghh8O
80GLdpm3WC5k1Gl5USi3s3I=
=X8T3
-----END PGP SIGNATURE-----
-------------- next part --------------
Index: nsswitch/winbindd_cm.c
===================================================================
RCS file: /home/cvs/samba/source/nsswitch/winbindd_cm.c,v
retrieving revision 1.31.2.50
diff -u -u -r1.31.2.50 winbindd_cm.c
--- nsswitch/winbindd_cm.c	15 Jan 2004 06:55:10 -0000	1.31.2.50
+++ nsswitch/winbindd_cm.c	2 Feb 2004 06:16:44 -0000
@@ -111,6 +111,28 @@
 	}
 }
 
+/*
+  setup for schannel on any pipes opened on this connection
+*/
+static NTSTATUS setup_schannel(struct cli_state *cli)
+{
+	NTSTATUS ret;
+	uchar trust_password[16];
+	uint32 sec_channel_type;
+
+	if (!secrets_fetch_trust_account_password(lp_workgroup(),
+						  trust_password,
+						  NULL, &sec_channel_type)) {
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	ret = cli_nt_setup_netsec(cli, sec_channel_type, 
+				  AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN, 
+				  trust_password);
+
+	return ret;
+}
+
 /* Open a connction to the remote server, cache failures for 30 seconds */
 
 static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const int pipe_index,
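Review bot: `setup_schannel` leaves the machine trust account password in the stack buffer `trust_password[16]` after `cli_nt_setup_netsec` returns, on both the success and the failure path; clearing it before `return ret;` (for example `memset(trust_password, 0, sizeof(trust_password));`) would keep the trust secret from lingering in the memory of a long-lived winbindd process. The early `return NT_STATUS_UNSUCCESSFUL;` when `secrets_fetch_trust_account_password` fails also emits no DEBUG line, so a missing or unreadable machine account secret (a host that is not properly joined) only surfaces as the generic "schannel refused" message at the caller; a DEBUG at that spot naming `lp_workgroup()` would make the two cases distinguishable in the logs.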
@@ -254,6 +276,18 @@
 
 		if (NT_STATUS_IS_OK(result))
 			break;
+	}
+
+	/* try and use schannel if possible, but continue anyway if it
+	   failed. This allows existing setups to continue working,
+	   while solving the win2003 '100 user' limit for systems that
+	   are joined properly */
+	if (NT_STATUS_IS_OK(result)) {
+		NTSTATUS status = setup_schannel(new_conn->cli);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(3,("schannel refused - continuing without schannel (%s)\n", 
+				 nt_errstr(status)));
+		}
 	}
 
 	SAFE_FREE(ipc_username);
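Review bot: the fallback in `if (!NT_STATUS_IS_OK(status))` downgrades silently to a connection without schannel, logged only at DEBUG level 3 and without saying which DC refused, so an administrator reading normal logs cannot tell whether winbindd is talking to the DC over signed/sealed pipes or not. Suggest putting the domain (the `domain` parameter of `cm_open_connection` is in scope) and the server into the message, and, since the comment justifies the fallback by compatibility with existing setups, stating in that comment that a DC which rejects schannel will then be used without pipe signing at all. A short note on why `setup_schannel` is run for every `pipe_index` rather than only for the pipes where NETSEC applies would also help the next reader.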

