Eleuterio Contracampo
2017-Apr-25 16:14 UTC
[Samba] Fwd: Unable to change passwords from Win XP Pro clients
Just a follow-up. Still, no resolution. I've tried different combinations with "client ipc signing" without luck.

A traffic dump shows the problem as:

i) windows XP client sends a DCE/RPC SAMR command GetDomPwInfo

ii) samba DC responds with DCE/RPC Fault nca_proto_error

I've also tried fiddling with Local Security Policy registry values at the Win XP machine, but got nothing good out of it.

Any more ideas to explore?

Thanks in advance
-EC

On Fri, Apr 21, 2017 at 1:50 PM, Eleuterio Contracampo <econtracampo at gmail.com> wrote:

> Thank you once again! I'll research that link, and let everyone interested
> know about the results.
>
> EC
>
> On Fri, Apr 21, 2017 at 12:50 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Fri, 21 Apr 2017 12:00:59 -0400
>> Eleuterio Contracampo via samba <samba at lists.samba.org> wrote:
>>
>> > [2017/04/21 12:47:55.219297, 0]
>> > ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
>> >
>> > Did not manage to negotiate mandetory feature SIGN for dcerpc
>> > auth_level 6
>>
>> I think you may be running into an artefact of the badlock patches, for
>> which Win7 will have received patches, but there are no patches for XP
>> as it is no longer supported.
>>
>> Try setting 'client ipc signing =' to 'auto' or 'disabled', but note
>> this will affect win7 as well.
>>
>> See here, for more info:
>>
>> https://wiki.samba.org/index.php/Samba_4.3_Features_added/changed#CVE-2016-2115:
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
Gaiseric Vandal
2017-Apr-25 17:50 UTC
[Samba] Fwd: Unable to change passwords from Win XP Pro clients
I think the "client ip signing options" don't matter on the domain controller, since the domain controller is not functioning as a server. (If this was a samba member server, then it would matter.)

You MAY want to try

    server signing = no
Eleuterio Contracampo
2017-Apr-26 16:58 UTC
[Samba] Fwd: Unable to change passwords from Win XP Pro clients
Thank you for your feedback. I'm afraid it did not work either.

-EC
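Added example (not part of the original thread and not Samba project code): a small Python triage script for the gensec log entry quoted in this thread, useful for counting how often clients fail mandatory-feature negotiation before or after changing signing settings. It assumes Samba's usual log layout of a bracketed header line followed by indented message lines; the function names and the sample log are constructed, and the auth-level names follow the DCE/RPC specification, in which level 6 is packet privacy.

```python
import re
from collections import Counter

# DCE/RPC authentication levels as numbered in the DCE/RPC specification.
AUTH_LEVELS = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PACKET",
               5: "INTEGRITY (sign)", 6: "PRIVACY (sign+seal)"}

# Assumed log layout: "[timestamp, level] file:line(function)" then message lines.
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<lvl>\d+)\]\s+"
                    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)")
# The message in the thread is spelled "mandetory"; accept "mandatory" as well.
FAILURE = re.compile(r"negotiate mand[ae]tory feature (?P<feature>\w+) "
                     r"for dcerpc auth_level (?P<auth>\d+)")

# Constructed sample: the first entry is the one quoted in the thread,
# the other two entries are made up for illustration.
SAMPLE_LOG = """\
[2017/04/21 12:47:55.219297,  0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
[2017/04/21 12:48:01.000001,  3] ../source3/smbd/example.c:10(example_function)
  unrelated debug message
[2017/04/21 12:49:10.500000,  0] ../auth/gensec/gensec.c:257(gensec_verify_dcerpc_auth_level)
  Did not manage to negotiate mandetory feature SIGN for dcerpc auth_level 6
"""

def find_signing_failures(log_text):
    """Return one dict per gensec feature-negotiation failure in log_text."""
    failures, header = [], None
    for raw in log_text.splitlines():
        m = HEADER.match(raw)
        if m:
            header = m.groupdict()
            continue
        f = FAILURE.search(raw)
        if f and header:  # message lines belong to the most recent header
            auth = int(f.group("auth"))
            failures.append({"timestamp": header["ts"], "function": header["func"],
                             "feature": f.group("feature"), "auth_level": auth,
                             "auth_name": AUTH_LEVELS.get(auth, "UNKNOWN")})
    return failures

def summarize(failures):
    """Count failures per (feature, auth level name) pair."""
    return Counter((f["feature"], f["auth_name"]) for f in failures)

if __name__ == "__main__":
    for key, count in summarize(find_signing_failures(SAMPLE_LOG)).items():
        print(key, count)
```
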