3.0.14 ok for Monday release [was Re: w2k3 sp1 and 'security = domain']
Jeremy Allison
jra at samba.org
Sun Apr 10 05:08:08 GMT 2005
On Sat, Apr 09, 2005 at 05:50:18PM -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Gerald (Jerry) Carter wrote:
> | Volker,
> |
> | This is what I found out tonight.
> |
> | The issue: W2k3 sp1 now disallows anonymous
> | samr_connectX() connects (even with schannel).
> |
> | To reproduce: join winbindd using 'security = domain'
> | to a Win2003 SP1 domain and then run 'wbinfo -u'.
> |
> | Apparently to fix this in the current SAMBA_3_0 code you have
> | to use a non-anonymous connection *and* disable schannel.
> | Or maybe the schannel credentials take precedence over the
> | ones used to connect to IPC$. In either case, schannel
> | is not enough to get past the ACCESS_DENIED on the samr_connectX()
> | call.
>
> I talked this over with Jeremy some on Friday. What we will
> do in 3.0.14 to deal with the problem is to have winbindd
> log a DEBUG(0,("...")) message when we think that we might be
> encountering this issue. The suggested workaround is either
> (a) move to security = ads, or (b) set 'client schannel = no'
> and wbinfo --set-auth-user.
>
> The risks of disabling schannel on everything but \netlogon
> are too high. We could break a lot of installations not using
> Windows 2003 SP1 DCs.
>
> I'm leaving schannel disabled on the \lsarpc pipe however
> since this does affect 'security = ads'.
>
> So I'm planning on releasing 3.0.14 on Monday (from
> the Usenix Technical conference in Anaheim).
We need to check JohnT's segfault isn't a problem in the RELEASE
branch before we ship, I'm afraid.
Jeremy.
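As an added illustration of the configuration trade-off Jerry describes (this is example code written for this page, not code from the thread or from Samba), the following script parses the `[global]` section of an smb.conf and reports whether a `security = domain` winbindd setup is exposed to the Windows 2003 SP1 anonymous `samr_connect` denial, whether the `client schannel = no` workaround (which must be paired with `wbinfo --set-auth-user`) is in place, and flags the reduced protection that disabling schannel on every pipe implies. The three smb.conf fragments are constructed samples; the assumed defaults (`security = user`, `client schannel = auto`) are the Samba 3.0 documented defaults and are marked as assumptions in the code.

```python
"""Check an smb.conf for the winbindd / Windows 2003 SP1 samr_connect issue.

Added example for this page; not Samba's code. Assumptions are marked.
"""
import re

# Constructed smb.conf fragments (not taken from the thread).
CONF_DOMAIN_DEFAULT = """
[global]
   workgroup = EXAMPLE
   security = domain
   ; client schannel left at its default (auto)
   password server = *
"""

CONF_DOMAIN_WORKAROUND = """
[global]
   workgroup = EXAMPLE
   security = domain
   Client Schannel = no
"""

CONF_ADS = """
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.ORG
   security = ads
"""


def _norm_key(key):
    # Samba compares parameter names case-insensitively and ignores
    # whitespace, so "Client Schannel" and "clientschannel" are the same key.
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Minimal ini-style parser: {section: {normalised key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:   # stray line, ignore
            continue
        key, _, value = line.partition("=")
        sections[current][_norm_key(key)] = value.strip()
    return sections


def assess_winbind_config(text):
    """Return a list of (severity, message) findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    # Assumed defaults: security = user, client schannel = auto (Samba 3.0 docs).
    security = g.get("security", "user").lower()
    schannel = g.get("clientschannel", "auto").lower()
    findings = []
    if security == "domain":
        if schannel == "no":
            findings.append(("info",
                "security = domain with client schannel = no: winbindd also "
                "needs credentials set via 'wbinfo --set-auth-user'"))
            findings.append(("warn",
                "client schannel = no disables schannel on every pipe, not "
                "just \\netlogon; keep only while needed, or move to security = ads"))
        else:
            findings.append(("warn",
                "security = domain with schannel enabled: against a Windows 2003 "
                "SP1 DC the anonymous samr_connect can return ACCESS_DENIED "
                "('wbinfo -u' fails); preferred fix is security = ads"))
    elif security == "ads":
        findings.append(("ok",
            "security = ads: not affected by the anonymous samr_connect change"))
    return findings


if __name__ == "__main__":
    for name, conf in [("domain/default", CONF_DOMAIN_DEFAULT),
                       ("domain/workaround", CONF_DOMAIN_WORKAROUND),
                       ("ads", CONF_ADS)]:
        for severity, msg in assess_winbind_config(conf):
            print(f"{name:18} [{severity}] {msg}")
```

Run it against a real smb.conf by reading the file into a string and passing it to `assess_winbind_config`; the `warn` finding on the workaround configuration is the point of the check, since `client schannel = no` is a global setting and silently lowers protection on every other pipe too.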