Schannel is ANONYMOUS in Win2k3 SP1

Andrew Bartlett abartlet at
Thu Oct 6 21:53:56 GMT 2005

On Thu, 2005-10-06 at 08:17 -0700, Jeremy Allison wrote:
> On Thu, Oct 06, 2005 at 08:33:16PM +1000, Andrew Bartlett wrote:
> > The recent modification to our RPC-SCHANNEL test shows that our problems
> > with schannel are again a manifestation of 'restrict anonymous', and it
> > is this reason that we have pain with Win2k3 SP1.
> > 
> > I believe this accounts for the 'access denied' on the SAMR and LSA
> > pipes, at the application (not NDR) layer.  It also suggests that use of
> > machine NTLMSSP or Krb5 connections is the correct approach to solving
> > this: not schannel changes.
> Very interesting - great detective work! Excellent debugging there
> Andrew. What made you think of that?

I figured it was a nice, simple LSA operation to test with schannel,
much like we test GetDomPwInfo on SAMR.  I was also looking to verify
that we got the machine account's token, and got an answer I rather
didn't expect...

I'm looking at adding NT ACLs to LDB, and needed to figure how much
state to store for those persistent machine credentials.

> We can change over to NTLMSSP calls easily. I've still not found
> krb5 sign+sealed calls to work against SAMR; I'd love it if you
> prove me wrong :-).

krb5 sign+seal only works for Win2k3 SP0, against SP1 there is a crypto
bug I've not yet chased down.

Andrew Bartlett

Andrew Bartlett
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team
Student Network Administrator, Hawker College