s4:rpc_server/dcesrv_auth.c - Fix a RPC issue in conjunction with Windows 2000

Stefan (metze) Metzmacher metze at samba.org
Sun May 30 07:20:54 MDT 2010


Hi Matthias,

> if you are so concerned I don't have another possibility other than to
> revert it. I just would like to bring to attention that the mentioned
> "special" RPC calls work against Windows Server 2008 - so the problem is
> definitely valid.
> Before I pushed this fix I tried also to activate our header-sign
> support ("dcesrv:header sign = yes" in smb.conf) - which would be the
> expected solution. But then the whole schannel interactions with the
> Windows client broke.

We don't support header signing for all auth types yet, but also don't
have to, as the client won't use it, if the server doesn't indicate
support for it.

> I revert but I wish that you or metze take care about the issue and see
> what's still missing in our own RPC header-sign implementation. If this
> is fixed then we are done.

I'm sure we'll fix this problem, but I'm not sure that it's related to
header signing at all.

We need a torture test that does the packet sequence as a Windows 2000
client first (with all the same bits set).

metze

> Andrew Bartlett wrote:
>> On Sun, 2010-05-30 at 14:22 +0200, Matthias Dieter Wallnöfer wrote:
>>   
>>> Hi abartlet,
>>>
>>> sorry for the noise but I basically pushed a slightly modified variation
>>> of your patch, Andrew. And thought that this would be fine for you. And
>>> yes, it's not a definite solution - since as I stated in the commit
>>> comment - we need to implement full server signing to cover all aspects.
>>>      
>> Yes, and that patch was clearly described as and remains a work in
>> progress that has well known issues.  Just modifying it until it passes
>> 'make test' without understanding the problem, or what the modifications
>> did is not a solution.
>>
>> Please revert, and do not attempt to fix this bug without signoff by
>> both metze and myself.
>>
>> I am yet to be convinced that this issue (affecting a now 10 year old OS
>> that is no longer in receipt of even security fixes) can be safely
>> fixed.
>>
>> Andrew Bartlett
>>
>>    
> 
