[Samba] Domain login - XP 64 -> Samba

Jeremy Allison jra at samba.org
Sat Jun 18 04:29:07 GMT 2005

On Fri, Jun 17, 2005 at 04:49:18PM -0700, Jeremy Allison wrote:
> On Fri, Jun 17, 2005 at 05:38:17PM -0400, Brian Ruth wrote:
> > I currently have samba setup as a file/login server. A variety of 
> > clients running Windows 2000 and XP 32-bit authenticate normally without 
> > any issues. I just brought up a Windows XP 64-bit box made the standard 
> > group policy changes and joined the domain without any issues. When 
> > attempting to login against the domain Windows returns "A remote 
> > procedure call (RPC) protocol error occurred".
> I've been looking into this with the help of Björn JACKE <bj at SerNet.DE>.
> So far I've discovered that an XP-64 box seems to do an schannel RPC
> NETLOGON bind with packet integrety selected (5), but an XP-32 box
> does the same call with packet privacy (6) selected. This may just
> be a difference between the registry settings on the 64-bit client test
> machine (I don't have one here) and my 32-bit vmware XP test machine.
> It's the reply to the NetrLogonSamLogon request that the 64-bit
> client doesn't seem to like - after that it shuts down the connection
> and doesn't talk more. The 32-bit client seems happy with the same
> reply...
> I'm still investigating, but without a 64-bit client box to test with
> it's slow going...

Ok, Thanks to Luke Howard of PADL who pointed out the RPC authenticator
must be 64-bit aligned I've committed a small fix to the RPC schannel
code which I'm hoping will fix the 64-bit Windows domain logon to a
Samba PDC.

Either check out SAMBA_3_0 SVN code or apply the attached patch to
a Samba 3.0.14a tree and if people with this problem (that's you
Brian and you Björn :-) could test it I'd appreciate it. We were
already 8 byte aligning the authenticators for NTLMSSP sign & seal
RPC's but we'd missed doing the same for schannel ones - this fixes
that oversight.

Please let me know if this fixes it.


-------------- next part --------------
Index: rpc_server/srv_pipe.c
--- rpc_server/srv_pipe.c	(revision 7706)
+++ rpc_server/srv_pipe.c	(working copy)
@@ -162,7 +162,7 @@
 	if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
 		p->hdr.flags |= RPC_FLG_LAST;
-		if ((auth_seal || auth_verify) && (data_len_left % 8)) {
+		if ((auth_seal || auth_verify || p->netsec_auth_validated) && (data_len_left % 8)) {
 			ss_padding_len = 8 - (data_len_left % 8);
 			DEBUG(10,("create_next_pdu: adding sign/seal padding of %u\n",
 				ss_padding_len ));

More information about the samba-technical mailing list