Join XP into s4?

Andrew Bartlett abartlet at
Tue Jul 7 22:50:13 GMT 2009

On Tue, 2009-07-07 at 23:02 +0200, Volker Lendecke wrote:
> Hi!
> While trying to join an XP workstation into a current Samba4
> DC, I'm getting
> NTLM2: created signature over 117 bytes of input:
> BAD SIG NTLM2: wanted signature over 117 bytes of input:
> BAD SIG: got signature over 117 bytes of input:
> NTLMSSP NTLM2 packet check failed due to invalid signature on 117 bytes of input!
> on stdout. This is a merged build smbd4, but running all
> services. From looking at the sniff, to me it looks that an
> encrypted LDAP connection is being terminated by the DC.
> How do I debug this? Sniffs & any logs certainly available
> on request.

A big assistance would be to try and git bisect to figure out where we
(I, this code is my responsibility) broke it.  Matthias first noticed
what I think is the same bug a little while back, but I didn't look into
the problem properly at the time.

It may have gone unnoticed for some time, because if Kerberos works, we
don't take this codepath.  

An important step to prevent this in future would be to create more
'expected value' tests for our crypto code, the NTLMSSP stuff in


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list