3.0.14 ok for Monday release [was Re: w2k3 sp1 and 'security = domain']

Gerald (Jerry) Carter jerry at samba.org
Sat Apr 9 22:50:18 GMT 2005

Gerald (Jerry) Carter wrote:
| Volker,
| This is what I found out tonight.
|     The issue:  W2k3 sp1 now disallows anonymous
|     samr_connectX() connects (even with schannel).
|     To reproduce: join winbindd using 'security = domain'
|     to a Win2003 SP1 domain and then run 'wbinfo -u'.
| Apparently to fix this in the current SAMBA_3_0 code you have
| to use a non-anonymous connection *and* disable schannel.
| Or maybe the schannel credentials take precedence over the
| ones used to connect to IPC$.  In either case, schannel
| is not enough to get past the ACCESS_DENIED on the samr_connectX()
| call.

I talked this over with Jeremy some on Friday.  What we will
do in 3.0.14 to deal with the problem is to have winbindd
log a DEBUG(0,("...")) message when we think that we might be
encountering this issue.  The suggested workaround is either
(a) move to security = ads, or (b) set 'client schannel = no'
and wbinfo --set-auth-user.

The risks of disabling schannel on everything but \netlogon
are too high.  We could break a lot of installations not using
Windows 2003 SP1 DCs.

I'm leaving schannel disabled on the \lsarpc pipe, however,
since this does affect 'security = ads'.

So I'm planning on releasing 3.0.14 on Monday (from
the Usenix Technical conference in Anaheim).

cheers, jerry
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawke in Gattaca
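Added example, not part of the message above and not Samba code: a small checker that reads the [global] section of an smb.conf and reports whether the configuration sits in the situation the thread describes ('security = domain' talking to a Windows 2003 SP1 DC over an anonymous samr_connect), or whether one of the two workarounds Jerry lists (security = ads, or 'client schannel = no' plus 'wbinfo --set-auth-user') is in place. It assumes the Samba 3.0 defaults 'security = user' and 'client schannel = auto', and that Samba ignores case and whitespace in parameter names; the three sample configs are constructed for the example. It cannot see secrets.tdb, so when schannel is off it can only remind you that the auth user still has to be stored.

```python
"""Check a Samba 3.0 smb.conf for the Win2003 SP1 / 'security = domain' problem.

Added example for this thread, not Samba code.  Assumed defaults (Samba 3.0):
'security = user' and 'client schannel = auto'.
"""
import configparser
import re

# Constructed sample configs (not taken from the original message).
AFFECTED_CONF = """
[global]
    workgroup = EXAMPLE
    security = domain
    password server = *
"""

WORKAROUND_CONF = """
[global]
    workgroup = EXAMPLE
    security = domain
    # workaround (b): no schannel on outgoing client connections
    Client Schannel = No
"""

ADS_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
"""

# Samba boolean spellings (assumption: yes/true/1 and no/false/0).
NO_VALUES = {"no", "false", "0"}


def _canon(name):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return the [global] parameters as {canonical_name: raw_value}."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = _canon  # normalise keys the way Samba does
    cp.read_string(text)
    if not cp.has_section("global"):
        return {}
    return {k: v.strip() for k, v in cp.items("global")}


def assess(text):
    """Classify a config as 'ok', 'not-member', 'workaround' or 'affected'.

    Returns (status, advice).  'workaround' means schannel is off but the
    checker cannot verify that 'wbinfo --set-auth-user' was run, so the
    connection may still be anonymous and still be refused.
    """
    g = parse_global(text)
    security = g.get("security", "user").lower()      # assumed default
    schannel = g.get("clientschannel", "auto").lower()  # assumed default
    if security == "ads":
        return ("ok", "security = ads: not affected by the anonymous samr_connect refusal")
    if security != "domain":
        return ("not-member", "security = %s: winbindd is not a domain member here" % security)
    if schannel in NO_VALUES:
        return ("workaround",
                "client schannel = no is set; credentials must also be stored with "
                "'wbinfo --set-auth-user' so the samr connection is not anonymous")
    return ("affected",
            "security = domain with client schannel = %s: 'wbinfo -u' will get "
            "ACCESS_DENIED from a Windows 2003 SP1 DC; set 'client schannel = no' "
            "and run 'wbinfo --set-auth-user', or move to security = ads" % schannel)


if __name__ == "__main__":
    for name, conf in (("affected", AFFECTED_CONF),
                       ("workaround", WORKAROUND_CONF),
                       ("ads", ADS_CONF)):
        status, advice = assess(conf)
        print("%-10s -> %-10s %s" % (name, status, advice))
```

Run it against your own smb.conf with `assess(open("/etc/samba/smb.conf").read())`; an 'affected' result against a Windows 2003 SP1 DC matches the DEBUG(0) condition Jerry describes, while 'workaround' still needs the stored auth user before 'wbinfo -u' will succeed.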