s4:rpc_server/dcesrv_auth.c - Fix a RPC issue in conjunction with Windows 2000
Andrew Bartlett
abartlet at samba.org
Sun May 30 07:04:44 MDT 2010

On Sun, 2010-05-30 at 14:53 +0200, Matthias Dieter Wallnöfer wrote:
> Andrew,
>
> if you are so concerned I don't have another possibility other than to
> revert it. I just would like to bring to attention that the mentioned
> "special" RPC calls work against Windows Server 2008 - so the problem is
> definitely valid.

I need to understand how they solve the issue without introducing a
security hole. We have never done that study, nor have I seen an
smbtorture test that demonstrates this handle sharing (as that would be
the first part to determine if this can be safely implemented).

> Before I pushed this fix I tried also to activate our header-sign
> support ("dcesrv:header sign = yes" in smb.conf) - which would be the
> expected solution. But then the whole schannel interactions with the
> Windows client broke.
>
> I revert but I wish that you or metze take care about the issue and see
> what's still missing in our own RPC header-sign implementation. If this
> is fixed then we are done.

I can make no promises that we will support this. However, I can
promise that I will not allow this to be fixed by 'quick hacks'.

I'm sorry to be so stern, but this is a critical part of our DCE/RPC
infrastructure, and your changes have an impact on every signed or
sealed DCE/RPC connection to our server.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
More information about the samba-technical mailing list