On 16.02.21 at 08:11, Andrew Bartlett via samba wrote:
> It will be the 'restrict anonymous = 2' on the DC I suppose. I don't
> know why winbindd on the RODC isn't authenticating the SMB layer of the
> connection, and I suppose that makes it a bug (we are almost certainly
> authenticating the next layer in, the NETLOGON pipe with schannel), but
> if that fixes it at least we know what is going on.
>
> My guess is that we are not NTLMSSP/kerberos authenticating the SMB the
> netlogon pipe is on because we used to use this to bootstrap
> authentication of the other pipes (also with schannel) before MS broke
> that (fixed a security bug actually...).
>
> Anyway, try that and use the information to file a bug.

Thanks Andrew. This was it. I will file a bug.

Regards

Christian

--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Management Board: Adriaan Moelker (Chairman), Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
On Tue, 2021-02-16 at 08:24 +0100, cn--- via samba wrote:
> On 16.02.21 at 08:11, Andrew Bartlett via samba wrote:
>
> > It will be the 'restrict anonymous = 2' on the DC I suppose. I don't
> > know why winbindd on the RODC isn't authenticating the SMB layer of
> > the connection, and I suppose that makes it a bug (we are almost
> > certainly authenticating the next layer in, the NETLOGON pipe with
> > schannel), but if that fixes it at least we know what is going on.
> >
> > My guess is that we are not NTLMSSP/kerberos authenticating the SMB
> > the netlogon pipe is on because we used to use this to bootstrap
> > authentication of the other pipes (also with schannel) before MS
> > broke that (fixed a security bug actually...).
> >
> > Anyway, try that and use the information to file a bug.
>
> Thanks Andrew. This was it. I will file a bug.
>
> Regards

The same pipe (\pipe\netlogon) is used to forward the DNS update
requests so that will explain your DNS trouble also.

Andrew Bartlett

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions