NTLM packet signing gone bad - fixed by Samba restart
abartlet at samba.org
Fri Jun 24 19:46:09 MDT 2011
On Fri, 2011-06-24 at 16:08 -0700, Dave Daugherty wrote:
> I am hoping to have some time to work on this over the weekend but thought I would throw this out there to see if anyone knows what is happening.
> 1) Samba 3.5.5 with Centrify patches (no patches to packet signing that I am aware of and don't see any obvious 3.5.9 fixes for this problem).
> 6) Restart Samba
> 7) NTLM packet signing starts working again.
This sounds like the issue with the session key on the netlogon
connection from winbind being wrong.
The symptoms are just like this, and I believe a fix was made. We would
create a new schannel connection, changing the key, but still decrypt
with the old netlogon/schannel session key. (Because once
re-negotiated, the key would change for all connections, including
The fix was to move to a SamLogonEx variant that didn't double-encrypt
the user's session key with the schannel session key, or to always read
the session key from a TDB before each use.
I'm sure one of the developers who was directly involved can remember
the bug number, and what release it was fixed in.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical