Fix for winbindd schannel issue with win2003 sp1
Jeremy Allison
jra at samba.org
Wed Sep 21 15:13:18 GMT 2005
On Wed, Sep 21, 2005 at 04:23:33PM +1000, Andrew Bartlett wrote:
> On Tue, 2005-09-20 at 21:40 -0700, Jeremy Allison wrote:
> > Hi all,
> >
> > I think I've found a workaround to allow winbindd to
> > keep working correctly just using a machine account in a domain
> > running w2k3 sp1 as a domain controller. Microsoft added a "security"
> > feature that caused schannel queries to fail on the lsa and samr
> > pipes if they are bootstrapped from an anonymous sessionsetup
> > connection. In addition this fix should also remove the problem
> > of having to have an account used purely for winbindd queries.
> >
> > The fix is to cause an extended security sessionsetup to
> > the DC using the machine account and password, followed by
> > an spnego ntlmssp authenticated bind to the relevant lsa
> > and samr pipes.
>
> Is that an anonymous bind? Or does that use the 'account purely for
> winbindd queries'?
No, it's using the *machine* account - which is why it's a real
fix, not a partial.
Jeremy.