[Samba] Samba 4: LookupAccountName fails
abartlet at samba.org
Sun Feb 7 01:22:45 MST 2010
On Sat, 2010-02-06 at 13:35 +0100, Christoph Theis wrote:
> I don't know if this is the right list to discuss this topic.
> I have a FreeBSD (virtual) machine running Samba 4 alpha 11 which acts
> as an AD and another (virtual) machine running Windows 2000 which is a
> domain member. When a program on the W2k machine calls
> LookupAccountName to translate a user name to the SID this translates
> roughly to the following steps:
> - Setup a SMB session with the credentials of the service account
> - Call bind to create an unsecure channel
> - Call lsa_OpenPolicy2 to obtain a policy handle
> - Call bind again to create a secure channel
> - Call lsa_QueryInfoPolicy to obtain domain info
> The last call fails because Samba finds the policy handle but the SID
> stored with the handle (the SID of the system account) does not match
> the SID of the lsa_QueryInfoPolicy call (S-1-5-7 aka Anonymous).
> I don't know what a correct behaviour would be: That the handle does
> not have any SID stored with it because it was obtained via an
> unauthenticated call or if the credentials of the bind calls shall be
> used to secure the channel only and the lsa_QueryInfoPolicy call shall
> have the credentials from the session setup.
> If necessary I can file a bug report and / or provide a pcap file.
Please file a bug, with a matching capture from both Samba4 and a
similar setup running against Windows. That way, we can match the
behaviour, and write a testsuite for it.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
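
The failure described in the report, as a simplified model added here for illustration (it is not Samba source code and not part of the original thread): a policy handle records the SID of the context that opened it, and a later call presenting the same handle under a different SID is refused. The table layout, function names and the S-1-5-18 value used for the system account are assumptions; S-1-5-7 (Anonymous) is from the report.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Samba source: each policy handle remembers the
 * SID of the security context that opened it. */
#define MAX_HANDLES   8
#define SID_ANONYMOUS "S-1-5-7"   /* from the report */
#define SID_SYSTEM    "S-1-5-18"  /* assumed: well-known Local System SID */

enum lookup_status { H_OK = 0, H_NOT_FOUND, H_SID_MISMATCH };

struct policy_handle {
    int in_use;
    unsigned id;
    char owner_sid[32];
};

static struct policy_handle table[MAX_HANDLES];
static unsigned next_id = 1;

/* Open a handle under caller_sid; returns its id, or 0 if the table is full. */
unsigned handle_open(const char *caller_sid)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            table[i].id = next_id++;
            snprintf(table[i].owner_sid, sizeof table[i].owner_sid,
                     "%s", caller_sid);
            return table[i].id;
        }
    }
    return 0;
}

/* Strict lookup: the handle must exist AND have been opened by caller_sid. */
enum lookup_status handle_lookup(unsigned id, const char *caller_sid)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (table[i].in_use && table[i].id == id)
            return strcmp(table[i].owner_sid, caller_sid) == 0
                       ? H_OK : H_SID_MISMATCH;
    }
    return H_NOT_FOUND;
}

int main(void)
{
    unsigned h = handle_open(SID_SYSTEM);  /* models lsa_OpenPolicy2 on the first bind */
    printf("same SID:  %d\n", handle_lookup(h, SID_SYSTEM));
    printf("anonymous: %d\n", handle_lookup(h, SID_ANONYMOUS)); /* second bind */
    return 0;
}
```

Distinguishing "handle not found" from "handle found but SID mismatch" in server logs is what makes this case diagnosable when comparing captures against Windows.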