WinXP can negotiate schannel with signing only
A Bartlett asked me to post this so it is not lost.
This is still broken as of (5 minutes before) rc1. Neither sign nor seal works atm.
*** Bug 309 has been marked as a duplicate of this bug. ***
Bug 475 and bug 309 are symptoms of this
Created attachment 174: Allow Samba to use 'only signed' connections

This patch should fix the issue. I was hoping to test it properly (in particular, test it on the server-side) but vorlon has confirmed that it works, so I'm putting it up here for review. My testing was client-side - the new rpcclient 'schannelsign' command can be used to test this mode.

It is not possible for a MITM attack to force a 'sealed' connection down to 'signing only', as far as I can tell - it appears to be entirely the client's choice. The client then changes the header, which is validated with the checksum.

Andrew Bartlett
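The claim above (a man-in-the-middle cannot flip a sealed connection to sign-only because the header bytes that say "sign" or "seal" are inside the data the checksum covers) is easy to show with a small model. The code below is an added example, not Samba's code and not from this bug thread. It is loosely modelled on the HMAC-MD5 variant of the NETLOGON signature header described in MS-NRPC: the header layout (SignatureAlgorithm, SealAlgorithm, Pad, Flags, SequenceNumber, Checksum, optional Confounder) and the two-step HMAC-MD5 key derivation are my reading of that spec and are assumptions here; the sequence-number encryption and the RC4 sealing of the payload are deliberately left out, and the session key and message are constructed test values.

```python
import hashlib
import hmac
import struct

# Algorithm identifiers as used in the NL_AUTH_SIGNATURE header.
# Values follow MS-NRPC; the structure below is a simplified model, not Samba code.
SIGN_HMAC_MD5 = 0x0077
SEAL_NONE = 0xFFFF
SEAL_RC4 = 0x007A


def _checksum_key(session_key: bytes) -> bytes:
    # Assumed derivation: HMAC-MD5 of four zero bytes under the session key.
    return hmac.new(session_key, b"\x00" * 4, hashlib.md5).digest()


def _checksum(session_key: bytes, header8: bytes, confounder: bytes, data: bytes) -> bytes:
    # The MAC covers the first 8 header bytes (sign alg, seal alg, pad, flags),
    # the confounder (sealed mode only) and the payload, in that order.
    # Because the seal/sign choice lives in those 8 bytes, changing it changes the MAC.
    h = hmac.new(_checksum_key(session_key), digestmod=hashlib.md5)
    h.update(header8)
    h.update(confounder)
    h.update(data)
    return h.digest()[:8]


def sign(session_key: bytes, seq: int, data: bytes, seal: bool = False,
         confounder: bytes = b"") -> bytes:
    """Build a signature blob for `data` in sign-only or sealed mode."""
    seal_alg = SEAL_RC4 if seal else SEAL_NONE
    header8 = struct.pack("<HHHH", SIGN_HMAC_MD5, seal_alg, 0xFFFF, 0x0000)
    conf = confounder if seal else b""
    csum = _checksum(session_key, header8, conf, data)
    # Sequence number is carried in the clear in this model (real protocol encrypts it).
    return header8 + struct.pack("<Q", seq) + csum + conf


def verify(session_key: bytes, sig: bytes, data: bytes) -> bool:
    """Return True only if the header, confounder and data match the checksum."""
    if len(sig) < 24:
        return False
    header8 = sig[:8]
    sign_alg, seal_alg, _pad, _flags = struct.unpack("<HHHH", header8)
    if sign_alg != SIGN_HMAC_MD5:
        return False
    sealed = seal_alg == SEAL_RC4
    if len(sig) != 24 + (8 if sealed else 0):
        return False
    confounder = sig[24:32] if sealed else b""
    expected = _checksum(session_key, header8, confounder, data)
    return hmac.compare_digest(sig[16:24], expected)


def downgrade_attempt(session_key: bytes, seq: int, data: bytes) -> tuple:
    """Sign in sealed mode, then rewrite SealAlgorithm to 'none' as a MITM would.

    Returns (original_verifies, tampered_verifies)."""
    confounder = b"\x11" * 8  # constructed value; real clients use random bytes
    sig = sign(session_key, seq, data, seal=True, confounder=confounder)
    tampered = bytearray(sig)
    tampered[2:4] = struct.pack("<H", SEAL_NONE)  # flip seal -> sign-only
    tampered = bytes(tampered[:24])               # drop the confounder to match sign-only layout
    return verify(session_key, sig, data), verify(session_key, tampered, data)


if __name__ == "__main__":
    sk = bytes(range(16))          # constructed 16-byte session key
    msg = b"netlogon request"      # constructed payload
    print("sign-only verifies:", verify(sk, sign(sk, 1, msg), msg))
    print("sealed ok / downgraded ok:", downgrade_attempt(sk, 2, msg))
```

The interesting line is the `tampered[2:4]` write: the attacker can set SealAlgorithm to "none", but the stored checksum was computed over the original header (and confounder), so `verify` rejects the rewritten blob. Only the party holding the session key, i.e. the client choosing sign-only before it signs, can produce a header that says "sign only" and still checks out.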
Adding CC's. Can those people who reported the original symptoms with XP clients test this patch? Thanks.
patch applied. Tested using 2k and XP clients previously joined to the domain. Logons still successful. Nice work. :-)
originally reported against 3.0.0beta1. Cleaning out non-production release versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.