Fix for winbindd schannel issue with win2003 sp1
abartlet at samba.org
Wed Sep 21 21:14:50 GMT 2005
On Wed, 2005-09-21 at 08:13 -0700, Jeremy Allison wrote:
> On Wed, Sep 21, 2005 at 04:23:33PM +1000, Andrew Bartlett wrote:
> > On Tue, 2005-09-20 at 21:40 -0700, Jeremy Allison wrote:
> > > Hi all,
> > >
> > > I think I've found a work around to allow winbindd to
> > > keep working correctly just using a machine account in a domain
> > > running w2k3 sp1 as a domain controller. Microsoft added a "security"
> > > feature that caused schannel queries to fail on the lsa and samr
> > > pipes if they are bootstrapped from an anonymous sessionsetup
> > > connection. In addition this fix should also remove the problem
> > > of having to have an account used purely for winbindd queries.
> > >
> > > The fix is to cause an extended security sessionsetup to
> > > the DC using the machine account and password, followed by
> > > an spnego ntlmssp authenticated bind to the relevent lsa
> > > and samr pipes.
> > Is that an anonymous bind? Or does that use the 'account purely for
> > winbindd queries'?
> No, it's using the *machine* account - which is why it's a real
> fix, not a partial.
*That* isn't meant to work... :-)
I guess I better expand my testsuite...
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050922/b62bc6b0/attachment.bin
More information about the samba-technical