NTLM packet signing gone bad - fixed by Samba restart

Andrew Bartlett abartlet at samba.org
Fri Jun 24 19:46:09 MDT 2011

On Fri, 2011-06-24 at 16:08 -0700, Dave Daugherty wrote:
> I am hoping to have some time to work on this over the weekend but thought I would throw this out there to see if anyone knows what is happening.
> 1)      Samba 3.5.5 with Centrify patches (no patches to packet signing that I am aware of and don't see any obvious 3.5.9  fixes for this problem).

> 6)      Restart Samba
> 7)      NTLM packet signing starts working again.

This sounds like the issue with the session key on the netlogon
connection from winbind being wrong. 

The symptoms are just like this, and I believe a fix was made.  We would
create a new schannel connection, changing the key, but still decrypt
with the old netlogon/schannel session key.  (Because once
re-negotiated, the key would change for all connections, including
existing connections). 

The fix was to move to a SamLogonEx variant that didn't double-encrypt
the user's session key with the schannel session key, or to always read
the session key from a TDB before each use. 

I'm sure one of the developers who was directly involved can remember
the bug number, and what release it was fixed in. 

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list