LSARPC behaviour post Win2k3 SP1

Andrew Bartlett abartlet at samba.org
Tue Oct 25 07:54:40 GMT 2005


In testing against win2k3 sp1, it is interesting to note that the
OpenPolicy commands return NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED on
ncacn_ip_tcp, while LookupSids3 returns
NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED on ncacn_np.  

I started looking into this because I have a bug in the kerberos login
to win2k3 against a Samba4 DC.

It seems to me that Microsoft is finding the exposure of LSA on a high
port to be a security hazard, but because of existing use, they were
unable to simply remove the port.  It appears to me that for TCP they
allow only LsaLookupSids3, and only for schannel. 

(For what it is worth, it also removes the SystemLibraryDTC fun and
games).

I'm still chasing this down, but it certainly looks like
security-initiated hacks to me.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051025/9b1a0798/attachment.bin


More information about the samba-technical mailing list