Release 2 of Windows 2008 server broke interdomain trust between Windows 2008 domains and samba domain controllers. This is samba bug #6697 (https://bugzilla.samba.org/show_bug.cgi?id=6697). This was reported in Debian as #575951 with severity important, as this is likely to affect all organizations switching some parts of their infrastructure from W2K3 to W2K8. The problem was fixed in the 3.4 series of samba, specifically 3.4.1, and the Samba Team even backported it to their 3.3 branch, which is under "maintenance" mode (something similar to our stable release). The fix easily applies to samba 3.2.5 (which we have in lenny) and has been confirmed working by the bug submitter. The patch is listed below.

I uploaded samba 2:3.2.5-4lenny10 to s-p-u (assuming I didn't mess up) with that fix included and would appreciate it if this is included in the next point release.

Goal: Interdomain trusts with Windows 2008 R2 DCs.
Fixes: #575951
Status wrt upstream: Fixed in 3.3 and 3.4.1
Author: Günther Deschner <gd@samba.org>
Details: The Schannel verifier (aka NL_AUTH_SIGNATURE) structure (32 byte) sent from a W2k8r2 DC is passed in a buffer with the size of a NL_AUTH_SHA2_SIGNATURE (56 byte). We should just ignore the remaining 12 zeroed bytes and proceed.

Index: lenny/source/include/rpc_dce.h =================================================================== --- lenny.orig/source/include/rpc_dce.h +++ lenny/source/include/rpc_dce.h @@ -150,7 +150,7 @@ }; /* Maximum size of the signing data in a fragment. */ -#define RPC_MAX_SIGN_SIZE 0x20 /* 32 */ +#define RPC_MAX_SIGN_SIZE 0x38 /* 56 */ /* Maximum PDU fragment size. */ /* #define MAX_PDU_FRAG_LEN 0x1630 this is what wnt sets */ Index: lenny/source/rpc_client/cli_pipe.c =================================================================== --- lenny.orig/source/rpc_client/cli_pipe.c +++ lenny/source/rpc_client/cli_pipe.c
@@ -349,7 +349,7 @@ return NT_STATUS_OK; } - if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) { + if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) { DEBUG(0,("cli_pipe_verify_schannel: auth_len %u.\n", (unsigned int)auth_len )); return NT_STATUS_INVALID_PARAMETER; } --
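Review bot: In the rpc_dce.h hunk, RPC_MAX_SIGN_SIZE is documented as "Maximum size of the signing data in a fragment", so raising it from 0x20 to 0x38 widens a bound that other code may allocate against or subtract from the fragment length; check every user of RPC_MAX_SIGN_SIZE (both client and server paths) still fits in its buffers with the larger value, and replace the bare `/* 56 */` comment with one that ties the new size to NL_AUTH_SHA2_SIGNATURE, as the Details paragraph does, so the magic number is explained at the definition.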
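Review bot: In the cli_pipe.c hunk, changing `!=` to `<` removes the upper bound on auth_len entirely, so any auth_len larger than RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN (not just the 56-byte NL_AUTH_SHA2_SIGNATURE case from the description) now passes this check; either cap it explicitly (for example `auth_len > RPC_MAX_SIGN_SIZE` returning NT_STATUS_INVALID_PARAMETER) or confirm the caller already bounds auth_len against the fragment before cli_pipe_verify_schannel uses it. The description also says the trailing bytes are zeroed, but nothing in the hunk verifies that; at minimum a DEBUG line noting a non-standard auth_len would help when diagnosing trusts with other DC versions.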