assoc_group_id in dcesrv_bind()

Andrew Bartlett abartlet at samba.org
Tue Jul 29 09:42:28 GMT 2008


On Tue, 2008-07-29 at 18:18 +0900, 西崎 隆志 wrote:
> Dear all,
> 
> I'm comparing the Samba4alpha5 active directory with the Windows active directory.
> 
> I found the Windows AD processed the four NETLOGON processes: 
> NetrServerReqChallenge, NetrServerAuthenticate3, NetrLogonGetDomainInfo, and NetrLogonSamLogonWithFlags.
> However, the Samba4 AD processed only NetrServerReqChallenge and NetrServerAuthenticate3.
> 
> A function dcesrv_bind() on a file "rpc_server/dcerpc_server.c" contains the following check:
> 
> 	if (call->pkt.u.bind.assoc_group_id != 0) {
> 	      return dcesrv_bind_nak(call, 0);
> 	}
> 
> This "assoc_group_id" marked non-zero values in most cases.
> If this part is commented out, the Samba4 AD can enter NetrLogonGetDomainInfo process.

Yeah, and a few other things too.  This is a bug. 

> In addition, dcesrv_bind() sets a constant value "0x12345678" to assoc_group_id for dcesrvauth_bind_ack().
> 
> Now, I would like to know why the assoc_group_id is assumed as a constant value in the code.
> Is there a document showing behaviour of assoc_group_id in DCERPC handling?

There is, see the DCE/RPC spec from the Open Group.

However, the quick answer is that while we don't support association
groups, Windows Vista clients refuse to connect if we do not supply one.
In the current GIT tree we have changed the check, to allow 0x12345678
at this check.  (A client actually trying to use this feature will of
course fail, but at least SCHANNEL binds can again proceed).

Once we get some other Vista join bugs sorted (chasing down some GSSAPI
issues currently) we will issue another alpha with this corrected.  In
the meantime, if you can try the GIT tree, it should work again. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
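
Added example (not part of the original message, and not Samba's code): it reads assoc_group_id from a DCE/RPC bind PDU header and compares the check quoted above with a relaxed one that also admits 0x12345678. The function names, the exact form of the relaxed check, and the sample PDUs (constructed, truncated to the 24 header bytes) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PTYPE_BIND        11           /* DCE/RPC ptype of a bind PDU */
#define DREP_LITTLE       0x10         /* drep[0] bit: little-endian integers */
#define FIXED_ASSOC_GROUP 0x12345678u  /* constant quoted in the thread */

/* Constructed sample bind PDUs, header bytes only (no context list). */
static const uint8_t PDU_NEW[24]   = {5,0,11,3, 0x10,0,0,0, 24,0, 0,0, 1,0,0,0,
                                      0xb8,0x10, 0xb8,0x10, 0,0,0,0};
static const uint8_t PDU_ECHO[24]  = {5,0,11,3, 0x10,0,0,0, 24,0, 0,0, 2,0,0,0,
                                      0xb8,0x10, 0xb8,0x10, 0x78,0x56,0x34,0x12};
static const uint8_t PDU_OTHER[24] = {5,0,11,3, 0x10,0,0,0, 24,0, 0,0, 3,0,0,0,
                                      0xb8,0x10, 0xb8,0x10, 0xcd,0xab,0,0};

/* Read an n-byte integer in the byte order announced by the PDU's drep. */
static uint32_t rd(const uint8_t *p, int n, int le) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v |= (uint32_t)p[i] << (8 * (le ? i : n - 1 - i));
    return v;
}

/* Returns 0 and stores assoc_group_id, or -1 if the header is not a usable bind. */
int bind_assoc_group_id(const uint8_t *pdu, size_t len, uint32_t *out) {
    if (len < 24 || pdu[0] != 5 || pdu[2] != PTYPE_BIND) return -1;
    int le = (pdu[4] & DREP_LITTLE) != 0;
    uint32_t frag_length = rd(pdu + 8, 2, le);
    if (frag_length < 24 || frag_length > len) return -1;
    *out = rd(pdu + 20, 4, le);  /* follows max_xmit_frag and max_recv_frag */
    return 0;
}

/* 1 = bind proceeds, 0 = bind_nak. */
int strict_accepts(uint32_t id)  { return id == 0; }  /* check quoted in the post */
int relaxed_accepts(uint32_t id) {                    /* assumed form of the change */
    return id == 0 || id == FIXED_ASSOC_GROUP;
}

int main(void) {
    const uint8_t *pdus[] = {PDU_NEW, PDU_ECHO, PDU_OTHER};
    for (int i = 0; i < 3; i++) {
        uint32_t id;
        if (bind_assoc_group_id(pdus[i], 24, &id) != 0) continue;
        printf("assoc_group_id=0x%08x strict=%d relaxed=%d\n",
               (unsigned)id, strict_accepts(id), relaxed_accepts(id));
    }
    return 0;
}
```

An id other than 0 or the fixed constant is still refused under the relaxed check, which matches the reply's point that association groups themselves are not supported.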
