Schannel is ANONYMOUS in Win2k3 SP1

Jeremy Allison jra at samba.org
Thu Oct 6 15:17:06 GMT 2005


On Thu, Oct 06, 2005 at 08:33:16PM +1000, Andrew Bartlett wrote:
> The recent modification to our RPC-SCHANNEL test shows that our problems
> with schannel are again a manifestation of 'restrict anonymous', and it
> is this reason that we have pain with Win2k3 SP1.
> 
> I believe this accounts for the 'access denied' on the SAMR and LSA
> pipes, at the application (not NDR) layer.  It also suggests that use of
> machine NTLMSSP or Krb5 connections is the correct approach to solving
> this: not schannel changes.

Very interesting - great detective work! Excellent debugging there
Andrew. What made you think of that?

We can change over to NTLMSSP calls easily, I've still not found
krb5 sign+sealed calls to work against SAMR, I'd love it if you
prove me wrong :-).

Cheers,

	Jeremy.

