On Sat, 2010-02-06 at 13:35 +0100, Christoph Theis wrote:
> Hello,
>
> I don't know if this is the right list to discuss this topic.
> I have a FreeBSD (virtual) machine running Samba 4 alpha 11 which acts
> as an AD and another (virtual) machine running Windows 2000 which is a
> domain member. When a program on the W2k machine calls
> LookupAccountName to translate a user name to the SID, this translates
> roughly to the following steps:
>
> - Setup a SMB session with the credentials of the service account
> - Call bind to create an unsecure channel
> - Call lsa_OpenPolicy2 to obtain a policy handle
> - Call bind again to create a secure channel
> - Call lsa_QueryInfoPolicy to obtain domain info
>
> The last call fails because Samba finds the policy handle but the SID
> stored with the handle (the SID of the system account) does not match
> the SID of the lsa_QueryInfoPolicy call (S-1-5-7 aka Anonymous).
>
> I don't know what a correct behaviour would be: That the handle does
> not have any SID stored with it because it was obtained via an
> unauthenticated call or if the credentials of the bind calls shall be
> used to secure the channel only and the lsa_QueryInfoPolicy call shall
> have the credentials from the session setup.
>
> If necessary I can file a bug report and / or provide a pcap file.
Please file a bug, with a matching capture from both Samba4 and a
similar setup running against Windows. That way, we can match the
behaviour, and write a testsuite for it.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
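To make the failure in the report concrete, here is an added toy model (not Samba's code, and not from either poster) of an LSA server that records the caller's SID when lsa_OpenPolicy2 creates a policy handle and rejects a later lsa_QueryInfoPolicy whose caller SID differs. The service account SID and the status strings are constructed for the illustration; the owner check is the defensive property such a check provides, namely that a handle cannot be used by a different security principal than the one that opened it.

```python
from dataclasses import dataclass
import itertools

ANONYMOUS_SID = "S-1-5-7"  # well-known Anonymous Logon SID named in the report

# Constructed result values; the report does not state the NTSTATUS Samba returns.
OK = "ok"
UNKNOWN_HANDLE = "unknown handle"
OWNER_MISMATCH = "handle owner does not match caller"


@dataclass
class PolicyHandle:
    handle_id: int
    owner_sid: str  # SID of the security context that opened the handle


class LsaServer:
    """Toy LSA pipe: each policy handle is bound to the SID that opened it."""

    def __init__(self):
        self._handles = {}
        self._ids = itertools.count(1)

    def open_policy2(self, caller_sid):
        handle = PolicyHandle(next(self._ids), caller_sid)
        self._handles[handle.handle_id] = handle
        return handle.handle_id

    def query_info_policy(self, handle_id, caller_sid):
        handle = self._handles.get(handle_id)
        if handle is None:
            return UNKNOWN_HANDLE
        if handle.owner_sid != caller_sid:
            # The situation described in the report: the handle carries the
            # service account's SID but the query arrives as S-1-5-7.
            return OWNER_MISMATCH
        return OK


def replay_report(service_sid="S-1-5-21-0-0-0-1103"):  # constructed SID
    """Replay the call sequence from the report; return the final status."""
    srv = LsaServer()
    # bind + lsa_OpenPolicy2: handle recorded with the service account's SID
    handle = srv.open_policy2(service_sid)
    # rebind on a second channel; lsa_QueryInfoPolicy arrives as Anonymous
    return srv.query_info_policy(handle, ANONYMOUS_SID)


def replay_consistent(service_sid="S-1-5-21-0-0-0-1103"):  # constructed SID
    """Same sequence when both calls carry the same SID."""
    srv = LsaServer()
    handle = srv.open_policy2(service_sid)
    return srv.query_info_policy(handle, service_sid)
```

A capture from a Windows DC, as requested in the reply, would settle which of the two SIDs the second channel should present; the model only shows why the mismatch is rejected.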