Join XP into s4?

Stefan (metze) Metzmacher metze at samba.org
Wed Jul 8 11:08:10 GMT 2009


Andrew Bartlett schrieb:
> On Wed, 2009-07-08 at 07:54 +0200, Volker Lendecke wrote:
>> On Wed, Jul 08, 2009 at 08:50:13AM +1000, Andrew Bartlett wrote:
>>> On Tue, 2009-07-07 at 23:02 +0200, Volker Lendecke wrote:
>>>> Hi!
>>>>
>>>> While trying to join an XP workstation into a current Samba4
>>>> DC, I'm getting
>>>>
>>>> NTLM2: created signature over 117 bytes of input:
>>>> BAD SIG NTLM2: wanted signature over 117 bytes of input:
>>>> BAD SIG: got signature over 117 bytes of input:
>>>> NTLMSSP NTLM2 packet check failed due to invalid signature on 117 bytes of input!
>>>>
>>>> on stdout. This is a merged build smbd4, but running all
>>>> services. From looking at the sniff, to me it looks that an
>>>> encrypted LDAP connection is being terminated by the DC.
>>>>
>>>> How do I debug this? Sniffs & any logs certainly available
>>>> on request.
>>> A big assistance would be to try and git bisect to figure out where we
>>> (I, this code is my responsibility) broke it.  Matthias first noticed
>>> what I think is the same bug a little while back, but I didn't look into
>>> the problem properly at the time.  
>> Do you have a pointer where to start the bisect? A year ago?
> 
> I doubt it's that old, but it's possible.  I would try with the previous
> alpha (from Feb), surely some of our users would have seen it if we had
> a failure there.  
> 
> I hope it's much more recent than that.  In terms of times that this
> code has changed, it's in the past few days (I made a small change
> there), possibly the time of the Heimdal merge just before the last
> alpha, and the auth merge work I did at SambaXP.
> 
> I'm going to start chasing this down from a correctness approach (ie,
> stare at code and try and see what's wrong).

It's a bug in Windows. And this is the workaround for it:
http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=1e7171a81ca9293775a743c1fa45332f154d89f5

You can also test the crypto as a client using this hack:
http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=ed7ca2a6281f434eabd4b25485c339181d0727b3

and ldbsearch against a w2k3 or w2k8 box.

As a client you'll get this if you use -d 111:

[0000] 30 84 00 00 00 80 02 01   00 78 84 00 00 00 5F 0A   0....... .x...._.
[0010] 01 34 04 00 04 58 30 30   30 30 30 30 30 33 3A 20   .4...X00 000003:
[0020] 4C 64 61 70 45 72 72 3A   20 44 53 49 44 2D 30 43   LdapErr:  DSID-0C
[0030] 30 36 30 34 32 42 2C 20   63 6F 6D 6D 65 6E 74 3A   06042B,  comment:
[0040] 20 45 72 72 6F 72 20 64   65 63 72 79 70 74 69 6E    Error d ecryptin
[0050] 67 20 6C 64 61 70 20 6D   65 73 73 61 67 65 2C 20   g ldap m essage,
[0060] 64 61 74 61 20 30 2C 20   76 31 37 37 31 00 8A 16   data 0,  v1771...
[0070] 31 2E 33 2E 36 2E 31 2E   34 2E 31 2E 31 34 36 36   1.3.6.1. 4.1.1466
[0080] 2E 32 30 30 33 36                                 .20036

So as a client you need to use seal and can't do the fallback hack.

metze
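The dump above is the DC closing the connection with an LDAP Notice of Disconnection. As an added example (not code from the post and not Samba code), the following decoder turns the -d 111 hex dump into bytes and walks the BER structure by hand, so you can read off the resultCode (52, unavailable), the diagnosticMessage and the responseName OID 1.3.6.1.4.1.1466.20036 (RFC 4511 section 4.4.1). One thing the bytes show that is easy to miss: the ExtendedResponse length 0x5F ends right after the diagnosticMessage, and the responseName sits after it inside the outer SEQUENCE, so the decoder scans to the end of the LDAPMessage rather than trusting the inner length, and reports how many bytes the declared length left out. The hex dump string is copied from the post; the function and field names are this example's own.

```python
"""Decode the LDAP Notice of Disconnection from a Samba -d 111 hex dump.

Added example, not part of the post or of Samba.  It parses the dump text
into bytes and then decodes LDAPMessage { messageID, ExtendedResponse }
with a minimal hand-written BER reader.
"""
import re

# The dump exactly as printed in the post (offset column, hex column, ASCII
# column).  Only the hex column is used.
HEXDUMP = """\
[0000] 30 84 00 00 00 80 02 01   00 78 84 00 00 00 5F 0A   0....... .x...._.
[0010] 01 34 04 00 04 58 30 30   30 30 30 30 30 33 3A 20   .4...X00 000003:
[0020] 4C 64 61 70 45 72 72 3A   20 44 53 49 44 2D 30 43   LdapErr:  DSID-0C
[0030] 30 36 30 34 32 42 2C 20   63 6F 6D 6D 65 6E 74 3A   06042B,  comment:
[0040] 20 45 72 72 6F 72 20 64   65 63 72 79 70 74 69 6E    Error d ecryptin
[0050] 67 20 6C 64 61 70 20 6D   65 73 73 61 67 65 2C 20   g ldap m essage,
[0060] 64 61 74 61 20 30 2C 20   76 31 37 37 31 00 8A 16   data 0,  v1771...
[0070] 31 2E 33 2E 36 2E 31 2E   34 2E 31 2E 31 34 36 36   1.3.6.1. 4.1.1466
[0080] 2E 32 30 30 33 36                                 .20036
"""

NOTICE_OF_DISCONNECTION = "1.3.6.1.4.1.1466.20036"   # RFC 4511 section 4.4.1

# The LDAP resultCode values relevant here (RFC 4511 appendix A).
RESULT_CODES = {0: "success", 2: "protocolError", 8: "strongerAuthRequired",
                49: "invalidCredentials", 52: "unavailable"}

HEXBYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_hexdump(dump: str) -> bytes:
    """Turn a Samba-style hex dump into raw bytes.

    Each line is "[offset] <up to 16 hex bytes> <ASCII column>".  We take at
    most 16 two-character hex tokens after the offset and stop at the first
    token that is not one, which keeps ASCII fragments like "06042B," out.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("["):
            continue
        for tok in tokens[1:17]:
            if not HEXBYTE.fullmatch(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos and return (tag, content_start, content_end).

    Handles the long-form lengths (0x84 nn nn nn nn) seen in the dump.
    """
    tag = buf[pos]
    first = buf[pos + 1]
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    else:
        length, start = first, pos + 2
    end = start + length
    if end > len(buf):
        raise ValueError(f"TLV at {pos:#x} runs past the end of the buffer")
    return tag, start, end


def decode_ldap_message(buf: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse } into a dict."""
    tag, pos, outer_end = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, s, e = read_tlv(buf, pos)
    if tag != 0x02:
        raise ValueError("messageID missing")
    msg = {"messageID": int.from_bytes(buf[s:e], "big")}
    op_tag, pos, op_end = read_tlv(buf, e)
    if op_tag != 0x78:                      # [APPLICATION 24] ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag {op_tag:#x}")
    # COMPONENTS OF LDAPResult: resultCode, matchedDN, diagnosticMessage
    _, s, e = read_tlv(buf, pos)
    code = int.from_bytes(buf[s:e], "big")
    msg["resultCode"] = code
    msg["resultName"] = RESULT_CODES.get(code, f"code {code}")
    _, s, e = read_tlv(buf, e)
    msg["matchedDN"] = buf[s:e].decode("utf-8")
    _, s, e = read_tlv(buf, e)
    # The DC terminates the text with a NUL byte; drop it for display.
    msg["diagnosticMessage"] = buf[s:e].decode("utf-8").rstrip("\0")
    # Scan the optional fields up to the end of the outer SEQUENCE, not only
    # to op_end: in the dump the responseName lies beyond the declared
    # ExtendedResponse length.  Record how many bytes that length left out.
    msg["declaredLengthShortBy"] = outer_end - op_end
    pos = e
    while pos < outer_end:
        tag, s, e = read_tlv(buf, pos)
        if tag == 0x8A:                     # responseName [10] LDAPOID
            msg["responseName"] = buf[s:e].decode("ascii")
        elif tag == 0x8B:                   # responseValue [11] OCTET STRING
            msg["responseValue"] = buf[s:e]
        pos = e
    msg["isNoticeOfDisconnection"] = (
        msg.get("responseName") == NOTICE_OF_DISCONNECTION)
    return msg


if __name__ == "__main__":
    for key, value in decode_ldap_message(parse_hexdump(HEXDUMP)).items():
        print(f"{key}: {value}")
```

On the dump from the post this yields messageID 0, resultCode 52 (unavailable), the "Error decrypting ldap message" diagnostic, and responseName 1.3.6.1.4.1.1466.20036; the 24 bytes reported by declaredLengthShortBy are exactly the responseName TLV, which a decoder that stops at the inner length would never see.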
