Bug 15987 - Winbind lsa_OpenPolicy() fails on lsa connection setup with: NT_STATUS_RPC_CANNOT_SUPPORT
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.22.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2026-01-28 16:30 UTC by Andreas Schneider
Modified: 2026-02-05 14:05 UTC

See Also:


Description Andreas Schneider 2026-01-28 16:30:56 UTC
When we create the lsa connection, authenticate with schannel to the domain controller and call lsa_OpenPolicy(), we get NT_STATUS_RPC_CANNOT_SUPPORT.

In Samba 4.21 we used NTLMSSP:

[2026/01/27 19:32:53.863799, 10, pid=2103084, effective(0, 0), real(0, 0), class=rpc_cli, traceid=1] ../../source3/rpc_client/cli_pipe.c:3508(cli_rpc_pipe_open_with_creds)
  cli_rpc_pipe_open_with_creds: opened pipe lsarpc to machine WSPS022.samba.example.com and bound as user MEMBER$@SAMBA.EXAMPLE.COM.
[2026/01/27 19:32:53.863812, 10, pid=2103084, effective(0, 0), real(0, 0), class=winbind, traceid=1] ../../source3/winbindd/winbindd_cm.c:2853(cm_connect_lsa)
  cm_connect_lsa: connected to LSA pipe for domain SAMBA using NTLMSSP authenticated pipe: user MEMBER$@SAMBA.EXAMPLE.COM
[2026/01/27 19:32:53.863830,  1, pid=2103084, effective(0, 0), real(0, 0), class=rpc_parse, traceid=1] ../../librpc/ndr/ndr.c:500(ndr_print_function_debug)
       lsa_OpenPolicy: struct lsa_OpenPolicy
          in: struct lsa_OpenPolicy
              system_name              : *
                  system_name              : 0x005c (92)
              attr                     : *
                  attr: struct lsa_ObjectAttribute
                      len                      : 0x00000018 (24)
                      root_dir                 : NULL
                      object_name              : NULL
                      attributes               : 0x00000000 (0)
                      sec_desc                 : NULL
                      sec_qos                  : *
                          sec_qos: struct lsa_QosInfo
                              len                      : 0x0000000c (12)
                              impersonation_level      : LSA_SECURITY_IMPERSONATION (2)
                              context_mode             : 0x01 (1)
                              effective_only           : 0x00 (0)
              access_mask              : 0x02000000 (33554432)
                     0: LSA_POLICY_VIEW_LOCAL_INFORMATION
                     0: LSA_POLICY_VIEW_AUDIT_INFORMATION
                     0: LSA_POLICY_GET_PRIVATE_INFORMATION
                     0: LSA_POLICY_TRUST_ADMIN   
                     0: LSA_POLICY_CREATE_ACCOUNT
                     0: LSA_POLICY_CREATE_SECRET 
                     0: LSA_POLICY_CREATE_PRIVILEGE
                     0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
                     0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
                     0: LSA_POLICY_AUDIT_LOG_ADMIN
                     0: LSA_POLICY_SERVER_ADMIN  
                     0: LSA_POLICY_LOOKUP_NAMES  
                     0: LSA_POLICY_NOTIFICATION  

...


[2026/01/27 19:32:53.865090,  1, pid=2103084, effective(0, 0), real(0, 0), class=rpc_parse, traceid=1] ../../librpc/ndr/ndr.c:500(ndr_print_function_debug)
       lsa_OpenPolicy: struct lsa_OpenPolicy
          out: struct lsa_OpenPolicy
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : a1213e3d-5e07-48ed-9f26-7fe046a5c958
              result                   : NT_STATUS_OK


With Samba 4.22 we open the lsa connection using schannel:


[2026/01/21 18:15:01.861242, 10, pid=2551704, effective(0, 0), real(0, 0), class=winbind, traceid=1] ../../source3/winbindd/winbindd_cm.c:3018(cm_connect_lsa)
  cm_connect_lsa: connected to LSA pipe for domain SAMBA using schannel.
[2026/01/21 18:15:01.861269,  1, pid=2551704, effective(0, 0), real(0, 0), class=rpc_parse, traceid=1] ../../librpc/ndr/ndr.c:509(ndr_print_function_debug)
       lsa_OpenPolicy: struct lsa_OpenPolicy
          in: struct lsa_OpenPolicy
              system_name              : *
                  system_name              : 0x005c (92)
              attr                     : *
                  attr: struct lsa_ObjectAttribute
                      len                      : 0x00000018 (24)
                      root_dir                 : NULL
                      object_name              : NULL
                      attributes               : 0x00000000 (0)
                      sec_desc                 : NULL
                      sec_qos                  : *
                          sec_qos: struct lsa_QosInfo
                              len                      : 0x0000000c (12)
                              impersonation_level      : LSA_SECURITY_IMPERSONATION (2)
                              context_mode             : 0x01 (1)
                              effective_only           : 0x00 (0)
              access_mask              : 0x02000000 (33554432)
                     0: LSA_POLICY_VIEW_LOCAL_INFORMATION
                     0: LSA_POLICY_VIEW_AUDIT_INFORMATION
                     0: LSA_POLICY_GET_PRIVATE_INFORMATION
                     0: LSA_POLICY_TRUST_ADMIN   
                     0: LSA_POLICY_CREATE_ACCOUNT
                     0: LSA_POLICY_CREATE_SECRET 
                     0: LSA_POLICY_CREATE_PRIVILEGE
                     0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
                     0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
                     0: LSA_POLICY_AUDIT_LOG_ADMIN
                     0: LSA_POLICY_SERVER_ADMIN  
                     0: LSA_POLICY_LOOKUP_NAMES  
                     0: LSA_POLICY_NOTIFICATION  

...


[2026/01/21 18:15:01.862518,  1, pid=2551704, effective(0, 0), real(0, 0), class=rpc_parse, traceid=1] ../../librpc/ndr/ndr.c:509(ndr_print_function_debug)
       lsa_OpenPolicy: struct lsa_OpenPolicy
          out: struct lsa_OpenPolicy
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 00000000-0000-0000-0000-000000000000
              result                   : NT_STATUS_RPC_CANNOT_SUPPORT
Comment 1 Andreas Schneider 2026-02-05 08:25:35 UTC
The issue is that TCP/IP connections fail and we fall back to anonymous schannel over NCACN_NP.

The MR disables the fallback if it is an AD DC and creates a log entry to check the firewall.
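The pattern the report shows (cm_connect_lsa reports a schannel-authenticated pipe, and the very next lsa_OpenPolicy reply carries a non-OK result) can be picked out of a level-10 winbind log without waiting for the fixed Samba version. The script below is an added example written for this page, not code from the bug report or from Samba. It assumes the debug-line shapes visible in the report (the `cm_connect_lsa: connected to LSA pipe ...` line and the `ndr_print_function_debug` dumps whose function header repeats the call name), and it takes the interpretation from comment 1, that a failed lsa_OpenPolicy on a schannel pipe means TCP/IP RPC connections to the DC failed and winbind fell back to anonymous schannel over NCACN_NP, as the reason to point the alert at the firewall. The sample log is constructed by trimming the report's own lines.

```python
import re
from dataclasses import dataclass

# Patterns for the three kinds of winbind debug lines the report shows.
# An ndr_print_function_debug header repeats the call name
# ("lsa_OpenPolicy: struct lsa_OpenPolicy"); nested struct headers such as
# "attr: struct lsa_ObjectAttribute" do not, which is how FUNC_RE tells them apart.
CONNECT_RE = re.compile(
    r"cm_connect_lsa: connected to LSA pipe for domain (?P<domain>\S+) "
    r"using (?P<auth>schannel|NTLMSSP)"
)
FUNC_RE = re.compile(r"^\s*(?P<func>\w+): struct (?P=func)\s*$")
DIR_RE = re.compile(r"^\s*(?P<dir>in|out): struct \w+\s*$")
RESULT_RE = re.compile(r"^\s*result\s*:\s*(?P<status>NT_STATUS_\w+)")


@dataclass
class Finding:
    domain: str   # domain named in the cm_connect_lsa line
    auth: str     # "schannel" or "NTLMSSP"
    call: str     # RPC call whose reply was parsed (lsa_OpenPolicy here)
    status: str   # NT_STATUS_* result of that reply


def scan_winbind_log(lines):
    """Pair each LSA connection setup with the result of the next lsa_OpenPolicy reply."""
    findings = []
    current = None      # (domain, auth) of the most recent cm_connect_lsa line
    func = None         # call name of the ndr dump we are inside
    direction = None    # "in" (request) or "out" (reply) part of that dump
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            current = (m.group("domain"), m.group("auth"))
            continue
        m = FUNC_RE.match(line)
        if m:
            func, direction = m.group("func"), None
            continue
        m = DIR_RE.match(line)
        if m:
            direction = m.group("dir")
            continue
        m = RESULT_RE.match(line)
        # Only the "out" part carries the result, and only the first reply
        # after a connection setup is attributed to that setup.
        if m and direction == "out" and func == "lsa_OpenPolicy" and current:
            findings.append(Finding(current[0], current[1], func, m.group("status")))
            current = None
    return findings


def flag_schannel_fallback(findings):
    """One alert per lsa_OpenPolicy that failed on a schannel-authenticated pipe.

    The firewall hint follows comment 1 of the report (TCP/IP RPC failed, winbind
    fell back to anonymous schannel over NCACN_NP); this script does not verify it.
    """
    alerts = []
    for f in findings:
        if f.auth == "schannel" and f.status != "NT_STATUS_OK":
            alerts.append(
                f"{f.domain}: {f.call} over schannel pipe returned {f.status}; "
                "check that TCP/IP RPC connections to the DC are not blocked by a firewall"
            )
    return alerts


# Constructed sample: the report's 4.21 (NTLMSSP, OK) and 4.22 (schannel, failing)
# excerpts, trimmed to the lines the parser needs.
SAMPLE_LOG = """\
[2026/01/27 19:32:53.863812, 10, pid=2103084, class=winbind] ../../source3/winbindd/winbindd_cm.c:2853(cm_connect_lsa)
  cm_connect_lsa: connected to LSA pipe for domain SAMBA using NTLMSSP authenticated pipe: user MEMBER$@SAMBA.EXAMPLE.COM
[2026/01/27 19:32:53.863830,  1, pid=2103084, class=rpc_parse] ../../librpc/ndr/ndr.c:500(ndr_print_function_debug)
       lsa_OpenPolicy: struct lsa_OpenPolicy
          in: struct lsa_OpenPolicy
              system_name              : *
              access_mask              : 0x02000000 (33554432)
[2026/01/27 19:32:53.865090,  1, pid=2103084, class=rpc_parse] ../../librpc/ndr/ndr.c:500(ndr_print_function_debug)
       lsa_OpenPolicy: struct lsa_OpenPolicy
          out: struct lsa_OpenPolicy
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
              result                   : NT_STATUS_OK
[2026/01/21 18:15:01.861242, 10, pid=2551704, class=winbind] ../../source3/winbindd/winbindd_cm.c:3018(cm_connect_lsa)
  cm_connect_lsa: connected to LSA pipe for domain SAMBA using schannel.
[2026/01/21 18:15:01.861269,  1, pid=2551704, class=rpc_parse] ../../librpc/ndr/ndr.c:509(ndr_print_function_debug)
       lsa_OpenPolicy: struct lsa_OpenPolicy
          in: struct lsa_OpenPolicy
              system_name              : *
[2026/01/21 18:15:01.862518,  1, pid=2551704, class=rpc_parse] ../../librpc/ndr/ndr.c:509(ndr_print_function_debug)
       lsa_OpenPolicy: struct lsa_OpenPolicy
          out: struct lsa_OpenPolicy
              handle                   : *
                  handle: struct policy_handle
              result                   : NT_STATUS_RPC_CANNOT_SUPPORT
"""

if __name__ == "__main__":
    for alert in flag_schannel_fallback(scan_winbind_log(SAMPLE_LOG.splitlines())):
        print(alert)
```

Run it against a real `log.winbindd` at `log level = 10` (or `rpc_parse:1 winbind:10`) and it prints one line per failed lsa_OpenPolicy on a schannel pipe; a clean NTLMSSP run like the 4.21 excerpt produces no alert.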