On Sat, 2010-02-06 at 13:35 +0100, Christoph Theis wrote:
> Hello,
>
> I don't know if this is the right list to discuss this topic.
> I have a FreeBSD (virtual) machine running Samba 4 alpha 11 which acts
> as an AD and another (virtual) machine running Windows 2000 which is a
> domain member. When a program on the W2k machine calls
> LookupAccountName to translate a user name to the SID this translates
> roughly to the following steps:
>
> - Set up an SMB session with the credentials of the service account
> - Call bind to create an unsecure channel
> - Call lsa_OpenPolicy2 to obtain a policy handle
> - Call bind again to create a secure channel
> - Call lsa_QueryInfoPolicy to obtain domain info
>
> The last call fails because Samba finds the policy handle but the SID
> stored with the handle (the SID of the system account) does not match
> the SID of the lsa_QueryInfoPolicy call (S-1-5-7 aka Anonymous).
>
> I don't know what a correct behaviour would be: That the handle does
> not have any SID stored with it because it was obtained via an
> unauthenticated call or if the credentials of the bind calls shall be
> used to secure the channel only and the lsa_QueryInfoPolicy call shall
> have the credentials from the session setup.
>
> If necessary I can file a bug report and / or provide a pcap file.

Please file a bug, with a matching capture from both Samba4 and a
similar setup running against Windows.

That way, we can match the behaviour, and write a testsuite for it.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
