[Samba] schannel issue on samba 3.0.3

Gerald (Jerry) Carter jerry at samba.org
Wed May 12 16:55:35 GMT 2004

Ralf Tomczak wrote:
| Hi there,
| I've seen a strange thing not reported yet AFAIK.
| We have W2K DCs with SP3 with Samba 3.0.2a everything works
| fine in regard to winbind, but with Samba 3.0.3 winbind
| produces schannel len 24 errors and 'wbinfo -t' and
| 'id DOMAIN\userid'  doesn't work. Note that wbinfo -u|g works
| well and a join was successful as well. I tried to tune my
| krb5.conf but in the end I disabled 'client schannel' in
| smb.conf. Does anyone know what is going wrong exactly? Is
| there a reasonable security risk?

Looks like this bug shows up when the DC doesn't support
128 bit encryption in the NTLMSSP negotiate flags.
If you turn on 128 bit encryption, it works fine.

And for the record, the only way I could reproduce
this bug was to use a completely unpatched Windows 2000

What service packs, patches, or registry changes have been
made to your DC to not support 128 bit encryption?  Or is this
a US vs. non-US service pack issue?  Trying to figure out
how to reproduce this against my 2ksp4 DCs.

cheers, jerry
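
Added example, not part of the original message and not Samba code: one way to check whether a server offered 128-bit encryption in its NTLMSSP negotiate flags, the condition described in the reply above. It assumes the raw NTLMSSP token has already been extracted from a packet capture; the function names are hypothetical, the sample messages are constructed, and the flag values and field offsets follow the published NTLMSSP message layout.

```python
import struct

# Bits of the NTLMSSP NegotiateFlags field relevant to session security.
FLAGS = {
    "NEGOTIATE_SIGN": 0x00000010,
    "NEGOTIATE_SEAL": 0x00000020,
    "NEGOTIATE_128": 0x20000000,
    "NEGOTIATE_KEY_EXCH": 0x40000000,
    "NEGOTIATE_56": 0x80000000,
}
# Byte offset of NegotiateFlags in NEGOTIATE (1) and CHALLENGE (2) messages.
FLAG_OFFSET = {1: 12, 2: 20}


def negotiate_flags(msg):
    """Return (message_type, NegotiateFlags) from a raw NTLMSSP message."""
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    off = FLAG_OFFSET.get(mtype)
    if off is None:
        raise ValueError("unsupported NTLMSSP message type %d" % mtype)
    if len(msg) < off + 4:
        raise ValueError("message truncated before NegotiateFlags")
    (flags,) = struct.unpack_from("<I", msg, off)
    return mtype, flags


def describe(msg):
    """Summarise the flags and say whether 128-bit encryption was offered."""
    mtype, flags = negotiate_flags(msg)
    names = sorted(n for n, bit in FLAGS.items() if flags & bit)
    return {"type": mtype, "flags": flags, "set": names,
            "offers_128": bool(flags & FLAGS["NEGOTIATE_128"])}


def build_challenge(flags):
    """Constructed sample CHALLENGE (type 2) with empty target fields."""
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, 48)   # TargetName: len, maxlen, offset
            + struct.pack("<I", flags)        # NegotiateFlags at offset 20
            + bytes(8)                        # ServerChallenge (zeroed sample)
            + bytes(8)                        # Reserved
            + struct.pack("<HHI", 0, 0, 48))  # TargetInfo: len, maxlen, offset


if __name__ == "__main__":
    # Constructed inputs: a DC offering only 56-bit, and one offering 128-bit.
    for label, flags in (("56-bit only", 0x80000030), ("128-bit", 0xE0000030)):
        print(label, describe(build_challenge(flags)))
```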
