The Samba-Bugzilla – Bug 167
We do not support schannel signing
Last modified: 2005-08-24 10:26:37 UTC
WinXP can negotiate schannel with signing only
A Bartlett asked me to post this so it is not lost.
This is still broken as of (5 minutes before) rc1.
Neither sign nor seal work atm.
*** Bug 309 has been marked as a duplicate of this bug. ***
Bug 475 and bug 309 are symptoms of this
Created attachment 174
Allow Samba to use 'only signed' connections
This patch should fix the issue.
I was hoping to test it properly (in particular, test it on the server-side)
but vorlon has confirmed that it works, so I'm putting it up here for review.
My testing was client-side - the new rpcclient 'schannelsign' command can be
used to test this mode.
It is not possible for a MITM attack to force a 'sealed' connection down to
'signing only', as far as I can tell - it appears to be entirely the client's
choice. The client then changes the header, which is validated with the
Adding CC's. Can those people who reported the
original symptoms with XP clients test this patch?
Patch applied. Tested using 2k and XP clients previously
joined to the domain. Logons still successful.
Nice work. :-)
Originally reported against 3.0.0beta1. Cleaning out
non-production release versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.