Fix for winbindd schannel issue with win2003 sp1

Andrew Bartlett abartlet at
Wed Sep 21 06:23:33 GMT 2005

On Tue, 2005-09-20 at 21:40 -0700, Jeremy Allison wrote:
> Hi all,
> 	I think I've found a work around to allow winbindd to
> keep working correctly just using a machine account in a domain
> running w2k3 sp1 as a domain controller. Microsoft added a "security"
> feature that caused schannel queries to fail on the lsa and samr
> pipes if they are bootstrapped from an anonymous sessionsetup
> connection. In addition this fix should also remove the problem
> of having to have an account used purely for winbindd queries.
> The fix is to cause an extended security sessionsetup to
> the DC using the machine account and password, followed by
> an spnego ntlmssp authenticated bind to the relevent lsa
> and samr pipes. 

Is that an anonymous bind?  Or does that use the 'account purely for
winbindd queries'?

> We might was well use sign & seal at that
> point as we've set it all up and it keeps things more
> secure :-).

This is always a good thing.  It would be nice to enforce SMB signing on
that connection too, but I can't hope for too much :-)

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list