s4:rpc_server/dcesrv_auth.c - Fix a RPC issue in conjunction with Windows 2000

Stefan (metze) Metzmacher metze at samba.org
Sun May 30 07:29:35 MDT 2010 

Am 30.05.2010 15:20, schrieb Stefan (metze) Metzmacher:
> Hi Matthias,
> 
>> if you are so concerned I don't have another possibility other than to
>> revert it. I just would like to bring to attention that the mentioned
>> "special" RPC calls work against Windows Server 2008 - so the problem is
>> definitely valid.
>> Before I pushed this fix I tried also to activate our header-sign
>> support ("dcesrv:header sign = yes" in smb.conf) - which would be the
>> expected solution. But then the whole schannel interactions with the
>> Windows client broke.
> 
> We don't support header signing for all auth types yet, but also don't
> have to, as the client won't use it, if the server doesn't indicate
> support for it.
> 
>> I revert but I wish that you or metze take care about the issue and see
>> what's still missing in our own RPC header-sign implementation. If this
>> is fixed then we are done.
> 
> I'm sure we'll fix this problem, but I'm not sure that it's related to
> header signing
> at all.
> 
> We need a torture test that does the packet sequence as a windows 2000
> client
> first (with all the same bits set).

I think the correct fix should be in

schannel_session_info(), there we force auth_anonymous_session_info()
which seems to be wrong. We should not provide a session_info at all,
to indicate to the dcerpc server code that it should keep the transport
related
session info.

metze

>> Andrew Bartlett wrote:
>>> On Sun, 2010-05-30 at 14:22 +0200, Matthias Dieter Wallnöfer wrote:
>>>   
>>>> Hi abartlet,
>>>>
>>>> sorry for the noise but I basically pushed a slightly modified variation
>>>> of your patch, Andrew. And thought that this would be fine for you. And
>>>> yes, it's not a definite solution - since as I stated in the commit
>>>> comment - we need to implement full server signing to cover all aspects.
>>>>      
>>> Yes, and that patch was clearly described as and remains a work in
>>> progress that has well known issues.  Just modifying it until it passes
>>> 'make test' without understanding the problem, or what the modifications
>>> did is not a solution.
>>>
>>> Please revert, and do not attempt to fix this bug without signoff by
>>> both metze and myself.
>>>
>>> I am yet to be convinced that this issue (affecting a now 10 year old OS
>>> that is no longer in receipt of even security fixes) can be safely
>>> fixed.
>>>
>>> Andrew Bartlett
>>>
>>>    
>>
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100530/b5b90fe0/attachment.pgp>

More information about the samba-technical mailing list