NTLM packet signing gone bad - fixed by Samba restart

Dave Daugherty dave.daugherty at centrify.com
Fri Jun 24 23:47:20 MDT 2011

Thanks Andrew,

That’s a good clue and I believe I saw a reference to that fix in a post 3.5.5 release note.  I will follow up on it later this weekend.


> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Friday, June 24, 2011 6:46 PM
> This sounds like the issue with the session key on the netlogon
> connection from winbind being wrong.
> The symptoms are just like this, and I believe a fix was made.  We
> would
> create a new schannel connection, changing the key, but still decrypt
> with the old netlogon/schannel session key.  (Because once
> re-negotiated, the key would change for all connections, including
> existing connections).
> The fix was to move to a SamLogonEx variant that didn't double-encrypt
> the user's session key with the schannel session key, or to always read
> the session key from a TDB before each use.
> I'm sure one of the developers who was directly involved can remember
> the bug number, and what release it was fixed in.

More information about the samba-technical mailing list