svn commit: samba r6219 - in branches/SAMBA_4_0/source: librpc/rpc ntvfs/posix
Andrew Bartlett
abartlet at samba.org
Thu Apr 7 07:40:34 GMT 2005
On Wed, 2005-04-06 at 23:49 -0700, Richard Sharpe wrote:
> On Thu, 7 Apr 2005, Andrew Bartlett wrote:
>
> > On Thu, 2005-04-07 at 09:05 +1000, Andrew Tridgell wrote:
> > > Richard,
> > >
> > > > I was testing Samba 4 joined as a domain member to an NT PDC, and
> > > > authentication was not working because we could not set up credentials for
> > > > the NetLogon channel.
> > >
> > > Please back this change out, and your pvfs change.
> > >
> > > For the schannel work, please add something like this for the moment:
> > >
> > > if (!lp_parm_bool(-1, "schannel", "128bit", True)) {
> > > p->conn->flags &= ~DCERPC_SCHANNEL_128;
> > > }
> >
> > This belongs in auth_domain.c, btw. That is where we are requesting 128-bit
> > security in the first place, and that is where we should option it
> > out.
>
> OK, having had a look at what a Win2K member server does with an NT PDC,
> here are the bits I noticed:
>
> 1. The NegProt response returns Extended Security Exchanges supported in
> Flags2, but in capabilities, that bit IS switched off.
>
> 2. Win2K does not use the extended form of session setup.
>
> 3. Win2K tries to use NetrServerAuthenticate3, but gets a fault
>
> 4. Win2K then tries NetrServerAuthenticate2, with negotiate flags set to
> 0x6007BFFF, which succeeds with flags 0x400001FF.
>
> My guess is that the absence of Extended Security Exchanges in the NegProt
> response capabilities word is triggering one less bit in the negotiate
> flags.
The way to prove this is to join a Win2k DC to that domain, and point
the Win2k client at it. I've heard theories about links back to the
CIFS level before, but I doubt it; I don't think that info makes it that
far up the stack.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net