Bug 167 - We do not support schannel signing
Summary: We do not support schannel signing
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.0preX
Hardware: All other
Importance: P3 major
Target Milestone: 3.0.1
Assignee: Andrew Bartlett
QA Contact:
URL:
Keywords:
Duplicates: 309
Depends on:
Blocks:
 
Reported: 2003-06-14 23:35 UTC by John H Terpstra (mail address dead)
Modified: 2005-08-24 10:26 UTC
CC: 4 users

See Also:


Attachments
Allow Samba to use 'only signed' connections (20.29 KB, patch)
2003-09-30 20:27 UTC, Andrew Bartlett

Description John H Terpstra (mail address dead) 2003-06-14 23:35:30 UTC
WinXP can negotiate schannel with signing only
Comment 1 John H Terpstra (mail address dead) 2003-06-14 23:37:50 UTC
A Bartlett asked me to post this so it is not lost.
Comment 2 Tim Potter 2003-08-15 13:00:55 UTC
This is still broken as of (5 minutes before) rc1.

Neither sign nor seal works atm.
Comment 3 Andrew Bartlett 2003-09-26 16:21:02 UTC
*** Bug 309 has been marked as a duplicate of this bug. ***
Comment 4 Gerald (Jerry) Carter (dead mail address) 2003-09-27 08:13:26 UTC
Bug 475 and bug 309 are symptoms of this
Comment 5 Andrew Bartlett 2003-09-30 20:27:51 UTC
Created attachment 174 [details]
Allow Samba to use 'only signed' connections

This patch should fix the issue.

I was hoping to test it properly (in particular, test it on the server-side)
but vorlon has confirmed that it works, so I'm putting it up here for review.

My testing was client-side - the new rpcclient 'schannelsign' command can be
used to test this mode.

It is not possible for a MITM attack to force a 'sealed' connection down to
'signing only', as far as I can tell - it appears to be entirely the client's
choice.  The client then changes the header, which is validated with the
checksum.

Andrew Bartlett
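The property Comment 5 relies on (the sign/seal choice lives in the NL_AUTH_SIGNATURE header, and that header is covered by the checksum, so rewriting it in flight breaks verification) can be shown in a few lines. The following is an added example, not Samba's code and not the attached patch: it follows the legacy HMAC-MD5/RC4 schannel signing scheme described in MS-NRPC as I remember it (4 zero bytes prepended to the HMAC input, the sequence number encrypted under a key derived from the session key and the checksum). The exact byte layout of the sequence number and the 0x80 initiator marker are assumptions to check against a real capture; the session key and PDU are constructed test data. Only sign-only mode is implemented, since that is the mode this bug adds.

```python
import hashlib
import hmac
import struct

# NL_AUTH_SIGNATURE algorithm identifiers (MS-NRPC 2.2.1.3.2, legacy flavour).
SIGN_HMAC_MD5 = 0x0077
SEAL_RC4 = 0x007A
SEAL_NONE = 0xFFFF      # "sign only": the mode this bug is about

# Constructed sample input, not taken from any capture.
SESSION_KEY = bytes(range(16))
SAMPLE_PDU = b"\x05\x00\x00\x03" + b"NetrLogonSamLogon request body"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; only used here to encrypt the 8-byte sequence number."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def nl_auth_header(seal: bool) -> bytes:
    """SignatureAlgorithm, SealAlgorithm, Pad, Flags: 8 bytes, little-endian."""
    return struct.pack("<HHHH", SIGN_HMAC_MD5, SEAL_RC4 if seal else SEAL_NONE, 0xFFFF, 0)


def sequence_bytes(seq: int, initiator: bool) -> bytes:
    """Assumed layout (from memory of Samba's code): counter big-endian in
    bytes 0..3, byte 4 = 0x80 for the initiator (client), 0x00 for the server."""
    return struct.pack(">I", seq) + (b"\x80" if initiator else b"\x00") + b"\x00" * 3


def sign_only_token(session_key: bytes, seq: int, initiator: bool, pdu: bytes) -> bytes:
    """Build the 24-byte sign-only token: header || encrypted seq || checksum."""
    hdr = nl_auth_header(seal=False)
    # The checksum covers the header as well as the payload, which is why a
    # man-in-the-middle cannot rewrite SealAlgorithm without being detected.
    checksum = hmac_md5(session_key, b"\x00" * 4 + hdr + pdu)[:8]
    seq_key = hmac_md5(hmac_md5(session_key, b"\x00" * 4), checksum)
    return hdr + rc4(seq_key, sequence_bytes(seq, initiator)) + checksum


def verify_sign_only_token(session_key, token, expected_seq, peer_is_initiator, pdu) -> str:
    """Return 'ok' or the reason for rejection. The checksum is checked before
    the header fields so that a rewritten header shows up as a checksum failure."""
    if len(token) != 24:
        return "bad length"
    hdr, enc_seq, checksum = token[:8], token[8:16], token[16:24]
    expected = hmac_md5(session_key, b"\x00" * 4 + hdr + pdu)[:8]
    if not hmac.compare_digest(expected, checksum):
        return "checksum mismatch"
    sig_alg, seal_alg, pad, flags = struct.unpack("<HHHH", hdr)
    if (sig_alg, seal_alg, pad, flags) != (SIGN_HMAC_MD5, SEAL_NONE, 0xFFFF, 0):
        return "unexpected header"
    seq_key = hmac_md5(hmac_md5(session_key, b"\x00" * 4), checksum)
    if rc4(seq_key, enc_seq) != sequence_bytes(expected_seq, peer_is_initiator):
        return "sequence mismatch"
    return "ok"


def rewrite_seal_field(token: bytes, seal_alg: int) -> bytes:
    """What a MITM would have to do to change the negotiated mode in flight."""
    return token[:2] + struct.pack("<H", seal_alg) + token[4:]


def demo() -> dict:
    tok = sign_only_token(SESSION_KEY, 0, True, SAMPLE_PDU)
    return {
        "genuine": verify_sign_only_token(SESSION_KEY, tok, 0, True, SAMPLE_PDU),
        "header_rewritten": verify_sign_only_token(
            SESSION_KEY, rewrite_seal_field(tok, SEAL_RC4), 0, True, SAMPLE_PDU),
        "payload_modified": verify_sign_only_token(SESSION_KEY, tok, 0, True, SAMPLE_PDU + b"!"),
        "replayed": verify_sign_only_token(SESSION_KEY, tok, 1, True, SAMPLE_PDU),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>18}: {result}")
```

Running it shows the genuine token verifying, the header-rewritten and payload-modified tokens failing on the checksum, and a token presented against the wrong expected sequence number failing on the sequence check. The same construction, with a confounder inserted after the header and RC4 applied to the payload, is what a sealed connection adds; the header binding is identical in both modes.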
Comment 6 Gerald (Jerry) Carter (dead mail address) 2003-10-01 13:09:56 UTC
Adding CC's.  Can those people who reported the 
original symptoms with XP clients test this patch?
Thanks.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2003-10-01 14:19:35 UTC
patch applied.  Tested using 2k and XP clients previously 
joined to the domain.  Logons still successful.
Nice work. :-)
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-02-07 08:39:02 UTC
originally reported against 3.0.0beta1.  Cleaning out 
non-production release versions.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:26:37 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.