Bug 7945 - winbindd should try netr_Validation level 6 in netr_LogonSamLogon
winbindd should try netr_Validation level 6 in netr_LogonSamLogon
Product: Samba 3.5
Classification: Unclassified
Component: Winbind
Other Linux
: P3 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
Depends on: 7568
Blocks: 6563
  Show dependency treegraph
Reported: 2011-02-02 22:14 UTC by Stefan Metzmacher
Modified: 2014-10-01 13:53 UTC (History)
4 users (show)

See Also:

Backport Patch for v3-5-test (14.62 KB, patch)
2011-02-04 11:23 UTC, Stefan Metzmacher
gd: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2011-02-02 22:14:45 UTC
In order to get more protection against external schannel session resets,
we should try netr_Validation level 6 if the server supports it
and fallback to level 3 if not.

This is related to

The long term fix is to store the schannel client state in a
tdb, but for now it's enough to catch the error and invalidate
the all connections to the dc and reestablish the schannel
session key.
Comment 1 Stefan Metzmacher 2011-02-04 11:23:36 UTC
Created attachment 6245 [details]
Backport Patch for v3-5-test

GD: Please also test the rpc bind stuff with "net rpc testjoin" to make sure
that the user session key is correct.

Kai: if you have a chance please also test it.
Comment 2 Bjoern Meier 2011-02-07 05:13:14 UTC
I'll test winbind with the applied test. Looks good for now. I've let them try this until this friday and would give another comment then.

Comment 3 Guenther Deschner 2011-02-09 09:13:54 UTC
Comment on attachment 6245 [details]
Backport Patch for v3-5-test

tested with w2k and w2k8r2 dcs, looks good
Comment 4 Guenther Deschner 2011-02-09 09:14:13 UTC
Karolin, please add to 3.5
Comment 5 Karolin Seeger 2011-02-09 14:00:30 UTC
Pushed to v3-5-test.
Closing out bug report.