[Samba] Samba 4: LookupAccountName fails

[Andrew Bartlett]

On Sat, 2010-02-06 at 13:35 +0100, Christoph Theis wrote:
> Hello,
> 
> I don't know if this is the right list to discuss this topic.
> I have a FreeBSD (virtual) machine running Samba 4 alpha 11 which acts
> as a AD and another (virtual) machine running Windows 2000 which is a
> domain member. When a program on the W2k machine calls
> LookupAccountName to translate an user name to the SID this translates
> roughly to the following steps:
> 
>  - Setup a SMB session with the credentials of the service account
>  - Call bind to create an unsecure channel
>  - Call lsa_OpenPolicy2 to obtain a policy handle
>  - Call bind again to create a secure channel
>  - Call lsa_QueryInfoPolicy to obtain domain info
> 
> The last call fails because Samba finds the policy handle but the SID
> stored with the handle (the SID of the system account) does not match
> the SID of the lsa_QueryInfoPolicy call (S-1-5-7 aka Anonymous).
> 
> I don't know what a correct behaviour would be: That the handle does
> not have any SID stored with it because it was obtained via an
> unauthenticated call or if the credentials of the bind calls shall be
> used to secure the channel only and the lsa_QueryInfoPolicy call shall
> have the credentials from the session setup.
> 
> If necessary I can file a bug report and / or provide a pcap file.

Please file a bug, with a matching capture from both Samba4 and a
similar setup running against Windows.  That way, we can match the
behaviour, and write a testsuite for it.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba/attachments/20100207/a13b5882/attachment.pgp>