svn commit: samba r6219 - in branches/SAMBA_4_0/source: librpc/rpc ntvfs/posix

Richard Sharpe rsharpe at richardsharpe.com
Thu Apr 7 06:49:43 GMT 2005


On Thu, 7 Apr 2005, Andrew Bartlett wrote:

> On Thu, 2005-04-07 at 09:05 +1000, Andrew Tridgell wrote:
> > Richard,
> >
> >  > I was testing Samba 4 joined as a domain member to an NT PDC, and
> >  > authentication was not working because we could not set up credentials for
> >  > the NetLogon channel.
> >
> > Please back this change out, and your pvfs change.
> >
> > For the schannel work, please add something like this for the moment:
> >
> >   if (!lp_parm_bool(-1, "schannel", "128bit", True)) {
> > 	p->conn->flags &= ~DCERPC_SCHANNEL_128;
> >   }
>
> This belongs in auth_domain.c, btw.  That is where we are requesting 128
> bit security in the first place, and that is where we should option it
> out.

OK, having had a look at what a Win2K member server does with an NT PDC,
here are the bits I noticed:

1. The NegProt response returns Extended Security Exchanges supported in
Flags2, but in capabilities, that bit IS switched off.

2. Win2K does not use the extended form of session setup.

3. Win2K tries to use NetrServerAuthenticate3, but gets a fault.

4. Win2K then tries NetrServerAuthenticate2, with negotiate flags set to
0x6007BFFF, which succeeds with flags 0x400001FF.

My guess is that the absence of Extended Security Exchanges in the NegProt
response capabilities word is triggering one less bit in the negotiate
flags.

However, the problem seems to be that in dcerpc_pipe_connect_ncacn_np we
throw away all information about what the server told us it was capable
of.

Regards
-----
Richard Sharpe, rsharpe[at]richardsharpe.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com
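Added example, not Samba code: it decodes the two netr_NegotiateFlags values quoted in the mail (0x6007BFFF requested, 0x400001FF granted), lists what the PDC dropped, and drives the DCERPC_SCHANNEL_128 decision from the negotiated result instead of throwing it away. The bit names are as I recall them from MS-NRPC and Samba's netlogon.idl and should be treated as assumptions, and DCERPC_SCHANNEL_128 is a hypothetical stand-in value; note that the strong-key bit (0x4000) is absent from both the request and the reply in this exchange.

```python
# Subset of netr_NegotiateFlags bits, named as I recall them from MS-NRPC /
# Samba's netlogon.idl (assumed names; values are the standard ones).
NEG_FLAGS = {
    0x00000001: "ACCOUNT_LOCKOUT",
    0x00000002: "PERSISTENT_SAMREPL",
    0x00000004: "ARCFOUR",
    0x00000008: "PROMOTION_COUNT",
    0x00000010: "CHANGELOG_BDC",
    0x00000020: "FULL_SYNC_REPL",
    0x00000040: "MULTIPLE_SIDS",
    0x00000080: "REDO",
    0x00000100: "PASSWORD_CHANGE_REFUSAL",
    0x00004000: "STRONG_KEYS",        # 128-bit session key
    0x40000000: "AUTHENTICATED_RPC",
}
NEG_STRONG_KEYS = 0x00004000
DCERPC_SCHANNEL_128 = 1 << 0          # hypothetical stand-in for Samba's flag

REQUESTED = 0x6007BFFF                # Win2K member -> NT PDC (from the mail)
GRANTED = 0x400001FF                  # NT PDC's reply (from the mail)

def decode_flags(value):
    """Names of the known bits set in value, plus any bits we cannot name."""
    names = [n for bit, n in sorted(NEG_FLAGS.items()) if value & bit]
    unknown = value & ~sum(NEG_FLAGS)
    if unknown:
        names.append("UNKNOWN:0x%08x" % unknown)
    return names

def compare(requested, granted):
    """Bits the server dropped, bits it added (must be none), strong keys or not."""
    return {
        "dropped": requested & ~granted,
        "unexpected": granted & ~requested,
        "strong_keys": bool(granted & NEG_STRONG_KEYS),
    }

def schannel_conn_flags(conn_flags, granted):
    """Keep DCERPC_SCHANNEL_128 only if the server actually granted strong keys,
    i.e. derive the flag from the negotiated result, not from a config option."""
    if not granted & NEG_STRONG_KEYS:
        conn_flags &= ~DCERPC_SCHANNEL_128
    return conn_flags

if __name__ == "__main__":
    r = compare(REQUESTED, GRANTED)
    print("granted:", ", ".join(decode_flags(GRANTED)))
    print("dropped: 0x%08x  strong keys: %s" % (r["dropped"], r["strong_keys"]))
```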