3.0.14 ok for Monday release [was Re: w2k3 sp1 and 'security = domain']

Gerald (Jerry) Carter jerry at samba.org
Sat Apr 9 22:50:18 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gerald (Jerry) Carter wrote:
| Volker,
|
| This is what I found out tonight.
|
|     The issue:  W2k3 sp1 now disallows anonymous
|     samr_connectX()    connects (even with schannel).
|
|     To reproduce: join winbindd using 'security = domain'
|     to a Win2003 SP1 domain and then run 'wbinfo -u'.
|
| Apparently to fix this in the current SAMBA_3_0 code you have
| to use a non-anonymous connection *and* disable schannel.
| Or maybe the schannel credentials take precedence over the
| ones used to connect to IPC$.  In either case, schannel
| is not enough to get past the ACCESS_DENIED on the samr_connectX()
| call.

I talked this over with Jeremy some on Friday.  What we will
do in 3.0.14 to deal with the problem is to have winbindd
log a DEBUG(0,("...")) message when we think that we might be
encountering this issue.  The suggested workaround is either
(a) move to security = ads, or (b) set 'client schannel = no'
and wbinfo --set-auth-user.

The risks of disabling schannel on everything but \netlogon
are too high.  We could break a lot of installations not using
Windows 2003 SP1 DCs.

I'm leaving schannel disabled on the \lsarpc pipe however
since this does affect 'security = ads'.

So I'm planning on releasing 3.0.14 on Monday (from
the Usenix Technical conference in Anaheim).
cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCWFwqIR7qMdg1EfYRAsJ3AJ0T6U6G06f9EuyfsxcRCsk5FZl+FgCg9DNx
vtpNEUgPUKzJRbO3cn6zQL0=
=4z5+
-----END PGP SIGNATURE-----
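Added illustration of workaround (b) from the message above; this is not part of Jerry's post or of the Samba project's own documentation. It assumes a domain named EXAMPLE and a dedicated domain account named winbind_auth; both names are placeholders. The first fragment is the 'security = domain' setup that hits the ACCESS_DENIED on samr_connectX() against a Windows 2003 SP1 DC, the second is the same setup with schannel disabled for the client side as described above.

```ini
; --- before: winbindd joined with security = domain, schannel left at its default ---
; (assumed smb.conf fragment; against a W2k3 SP1 DC 'wbinfo -u' fails with ACCESS_DENIED)
[global]
    workgroup = EXAMPLE
    security = domain
    ; client schannel = auto   <- default; anonymous samr_connectX() is refused by SP1

; --- after: workaround (b), as suggested in the post above ---
; (assumed smb.conf fragment; placeholder names EXAMPLE / winbind_auth)
[global]
    workgroup = EXAMPLE
    security = domain
    ; turn off client-side schannel for every pipe (the change the post warns is
    ; too risky to make the default, since it also affects DCs that are not SP1)
    client schannel = no
```

After restarting winbindd, store non-anonymous credentials with `wbinfo --set-auth-user=EXAMPLE\winbind_auth%password` (run as root; the exact argument form is assumed from the wbinfo of that era, check `wbinfo --help` on the installed version), then confirm with `wbinfo -u`. The trade-off is the one stated in the message: with `client schannel = no` the RPC traffic to the DC other than \netlogon loses schannel protection, so the credentials given to winbindd should belong to a low-privilege account used for nothing else, and moving to `security = ads` (workaround (a)) is the preferable fix where Kerberos is available.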