Fix for winbindd schannel issue with win2003 sp1

Jeremy Allison jra at
Wed Sep 21 15:13:18 GMT 2005

On Wed, Sep 21, 2005 at 04:23:33PM +1000, Andrew Bartlett wrote:
> On Tue, 2005-09-20 at 21:40 -0700, Jeremy Allison wrote:
> > Hi all,
> > 
> > 	I think I've found a work around to allow winbindd to
> > keep working correctly just using a machine account in a domain
> > running w2k3 sp1 as a domain controller. Microsoft added a "security"
> > feature that caused schannel queries to fail on the lsa and samr
> > pipes if they are bootstrapped from an anonymous sessionsetup
> > connection. In addition this fix should also remove the problem
> > of having to have an account used purely for winbindd queries.
> > 
> > The fix is to cause an extended security sessionsetup to
> > the DC using the machine account and password, followed by
> > an spnego ntlmssp authenticated bind to the relevent lsa
> > and samr pipes. 
> Is that an anonymous bind?  Or does that use the 'account purely for
> winbindd queries'?

No, it's using the *machine* account - which is why it's a real
fix, not a partial.


More information about the samba-technical mailing list