Schannel is ANONYMOUS in Win2k3 SP1
Andrew Bartlett
abartlet at samba.org
Thu Oct 6 21:53:56 GMT 2005
On Thu, 2005-10-06 at 08:17 -0700, Jeremy Allison wrote:
> On Thu, Oct 06, 2005 at 08:33:16PM +1000, Andrew Bartlett wrote:
> > The recent modification to our RPC-SCHANNEL test shows that our problems
> > with schannel are again a manifestation of 'restrict anonymous', and it
> > is this reason that we have pain with Win2k3 SP1.
> >
> > I believe this accounts for the 'access denied' on the SAMR and LSA
> > pipes, at the application (not NDR) layer. It also suggests that use of
> > machine NTLMSSP or Krb5 connections is the correct approach to solving
> > this: not schannel changes.
>
> Very interesting - great detective work! Excellent debugging there
> Andrew. What made you think of that?
I figured it was a nice, simple LSA operation to test with schannel,
much like we test GetDomPwInfo on SAMR. I was also looking to verify
that we got the machine account's token, and got an answer I rather
didn't expect...
I'm looking at adding NT ACLs to LDB, and needed to figure how much
state to store for those persistent machine credentials.
> We can change over to NTLMSSP calls easily, I've still not found
> krb5 sign+sealed calls to work against SAMR, I'd love it if you
> prove me wrong :-).
krb5 sign+seal only works for Win2k3 SP0, against SP1 there is a crypto
bug I've not yet chased down.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net