3.0.14 ok for Monday release [was Re: w2k3 sp1 and 'security =
domain']
Gerald (Jerry) Carter
jerry at samba.org
Sat Apr 9 22:50:18 GMT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gerald (Jerry) Carter wrote:
| Volker,
|
| This is what I found out tonight.
|
| The issue: W2k3 sp1 now disallows anonymous
| samr_connectX() connects (even with schannel).
|
| To reproduce: join winbindd using 'security = domain'
| to a Win2003 SP1 domain and then run 'wbinfo -u'.
|
| Apparently to fix this in the current SAMBA_3_0 code you have
| to use a non-anonymous connection *and* disable schannel.
| Or maybe the schannel credentials take precedence over the
| ones used to connect to IPC$. In either case, schannel
| is not enough to get past the ACCESS_DENIED on the samr_connectX()
| call.
I talked this over with Jeremy some on Friday. What we will
do in 3.0.14 to deal with the problem is to have winbindd
log a DEBUG(0,("...")) message when we think that we might be
encountering this issue. The suggested woraround is either
(a) move to security = ads, or (b) set 'client schannel = no'
and wbinfo --set-auth-user.
The risks of disabling schannel on everything but \netlogon
are too high. We could break a lot of installations not using
Windows 2003 SP1 DCs.
I'm leaving schannel disabled on the \lsarpc pipe however
since this does affect 'security = ads'.
So I'm planning on the releasing 3.0.14 on Monday (from
the Usenix Technical conference in Anaheim).
cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCWFwqIR7qMdg1EfYRAsJ3AJ0T6U6G06f9EuyfsxcRCsk5FZl+FgCg9DNx
vtpNEUgPUKzJRbO3cn6zQL0=
=4z5+
-----END PGP SIGNATURE-----
More information about the samba-technical
mailing list