Bug 167 - We do not support schannel signing
Summary: We do not support schannel signing
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.0preX
Hardware: All other
: P3 major
Target Milestone: 3.0.1
Assignee: Andrew Bartlett
QA Contact:
: 309 (view as bug list)
Depends on:
Reported: 2003-06-14 23:35 UTC by John H Terpstra (mail address dead(
Modified: 2005-08-24 10:26 UTC (History)
4 users (show)

See Also:

Allow Samba to use 'only signed' connections (20.29 KB, patch)
2003-09-30 20:27 UTC, Andrew Bartlett
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description John H Terpstra (mail address dead( 2003-06-14 23:35:30 UTC
WinXP can negotiate schannel with signing only
Comment 1 John H Terpstra (mail address dead( 2003-06-14 23:37:50 UTC
A Bartlett asked me to post this so it is not lost.
Comment 2 Tim Potter 2003-08-15 13:00:55 UTC
This is still broken as of (5 minutes before) rc1.

Neither sign or seal work atm.
Comment 3 Andrew Bartlett 2003-09-26 16:21:02 UTC
*** Bug 309 has been marked as a duplicate of this bug. ***
Comment 4 Gerald (Jerry) Carter (dead mail address) 2003-09-27 08:13:26 UTC
Bug 475 and bug 309 are symptoms of this
Comment 5 Andrew Bartlett 2003-09-30 20:27:51 UTC
Created attachment 174 [details]
Allow Samba to use 'only signed' connections

This patch should fix the issue.

I was hoping to test it properly (in particular, test it on the server-side)
but vorlon has confirmed that it works, so I'm putting it up here for review.

My testing was client-side - the new rpcclient 'schannelsign' command can be
used to test this mode.

It is not possible for a MITM attack to force a 'sealed' connection down to
'signing only', as far as I can tell - it appears to be entirly the client's
choice.  The client then changes the header, which is validated with the

Andrew Bartlett
Comment 6 Gerald (Jerry) Carter (dead mail address) 2003-10-01 13:09:56 UTC
Adding CC's.  Can those people who reported the 
original symptoms with XP clients test this patch?
Comment 7 Gerald (Jerry) Carter (dead mail address) 2003-10-01 14:19:35 UTC
patch applied.  Tested using 2k and XP clients previously 
joined to the domain.  Logons still successful.
Nice work. :-)
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-02-07 08:39:02 UTC
originally reported against 3.0.0beta1.  CLeaning out 
non-production release versions.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:26:37 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.