Fix for winbindd schannel issue with win2003 sp1

Jeremy Allison jra at
Wed Sep 21 04:40:33 GMT 2005

Hi all,

	I think I've found a work around to allow winbindd to
keep working correctly just using a machine account in a domain
running w2k3 sp1 as a domain controller. Microsoft added a "security"
feature that caused schannel queries to fail on the lsa and samr
pipes if they are bootstrapped from an anonymous sessionsetup
connection. In addition this fix should also remove the problem
of having to have an account used purely for winbindd queries.

The fix is to cause an extended security sessionsetup to
the DC using the machine account and password, followed by
an spnego ntlmssp authenticated bind to the relevent lsa
and samr pipes. We might was well use sign & seal at that
point as we've set it all up and it keeps things more
secure :-).

However the bad news is it's only available via the rewritten
rpc code and so won't be in 3.0.20a, but will have to wait for
3.0.21. Once I've coded this into the Samba HEAD branch I'd
appreciate some adventurous users testing this out... :-).



More information about the samba-technical mailing list