NTLM packet signing gone bad - fixed by Samba restart
dave.daugherty at centrify.com
Fri Jun 24 23:47:20 MDT 2011
That’s a good clue and I believe I saw a reference to that fix in a post 3.5.5 release note. I will follow up on it later this weekend.
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Friday, June 24, 2011 6:46 PM
> This sounds like the issue with the session key on the netlogon
> connection from winbind being wrong.
> The symptoms are just like this, and I believe a fix was made. We
> create a new schannel connection, changing the key, but still decrypt
> with the old netlogon/schannel session key. (Because once
> re-negotiated, the key would change for all connections, including
> existing connections).
> The fix was to move to a SamLogonEx variant that didn't double-encrypt
> the user's session key with the schannel session key, or to always read
> the session key from a TDB before each use.
> I'm sure one of the developers who was directly involved can remember
> the bug number, and what release it was fixed in.
More information about the samba-technical