Hi all. I originally suspected this problem was with netbios (which I have disabled by default), and Jerry has helped me out a bit with that, but I've been doing some more digging and I think the problem lies further back than I expected.
I was trying to upgrade from 3.0.7 to 3.0.11 so I've recompiled all versions back from 3.0.11 and the problem first occurred in 3.0.8. The issue is with winbind, and the error I'm getting is "failed tcon_X with NT_STATUS_ACCESS_DENIED":

=== 3.0.7: /usr/bin/winbind -i -d3 ===
...
Ticket in ccache[MEMORY:winbind_ccache] expiration Wed, 16 Mar 2005 00:41:08 GMT
ads: trusted_domains
Connected to LDAP server 10.140.72.17
got ldap server name [EMAIL PROTECTED], using bind path: dc=DBG,dc=ADS,dc=DB,dc=COM
IPC$ connections done anonymously
Connecting to host=LONESWDBP4
Connecting to 10.140.72.17 at port 445
Doing spnego session setup (blob length=114)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Wed, 16 Mar 2005 00:41:18 GMT
add_trusted_domain: TRAN is an NT4 domain
Added domain TRAN tran.stt S-1-5-21-343818398-606747145-725345543
add_trusted_domain: ADS is an NT4 domain
Added domain ADS ADS.DB.COM S-1-5-21-1960408961-1935655697-1801674531
....etc

=== 3.0.8: /usr/bin/winbind -i -d3 ===
...
Ticket in ccache[MEMORY:winbind_ccache] expiration Wed, 16 Mar 2005 00:43:41 GMT
ads: trusted_domains
Connected to LDAP server 10.140.72.17
got ldap server name [EMAIL PROTECTED], using bind path: dc=DBG,dc=ADS,dc=DB,dc=COM
IPC$ connections done anonymously
Connecting to host=LONESWDBP4
Connecting to 10.140.72.17 at port 445
Doing spnego session setup (blob length=114)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Wed, 16 Mar 2005 00:43:51 GMT
failed tcon_X with NT_STATUS_ACCESS_DENIED
...

Now, if I turn on more debugging, you see this:

=== 3.0.7: /usr/bin/winbind -i -d10 ===
...
Got KRB5 session key of length 16
SMB signing enabled!
cli_simple_set_signing: user_session_key
[000] C1 6D 83 5F 6A 94 6B 73 57 46 0B CB 16 03 CB B1 .m._j.ks WF......
cli_simple_set_signing: NULL response_data
simple_packet_signature: sequence number 0
client_sign_outgoing_message: sent SMB signature of
[000] CD 85 93 7F A1 A8 34 22 ......4"
store_sequence_for_reply: stored seq = 1 mid = 2
...
client_check_incoming_message: seq 1: got good SMB signature of
[000] 9D E9 1B CC 6F 48 42 92 ....oHB.
...

=== 3.0.8: /usr/bin/winbind -i -d10 ===
...
Got KRB5 session key of length 8
SMB signing enabled!
cli_simple_set_signing: user_session_key
[000] C8 5E D6 1A A1 46 10 BA .^...F..
cli_simple_set_signing: NULL response_data
simple_packet_signature: sequence number 0
client_sign_outgoing_message: sent SMB signature of
[000] 84 84 78 B3 60 4A 05 5B ..x.`J.[
store_sequence_for_reply: stored seq = 1 mid = 2
...
client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] D7 08 07 13 97 AC E9 8B ........
client_check_incoming_message: BAD SIG: got SMB signature of
[000] EF 85 1C D4 6A 1D AC 9D ....j...

So... and please correct me if I'm wrong, but something changed between 3.0.7 and 3.0.8 to do with SMB signing. The signature size seems to have changed, but I don't know enough about the SMB protocol to work out what this would mean.

I also notice this in the Changelog:

  o Fixes for kerberos interoperability with Windows 200x domains when using DES keys.

...and a few other people have encountered this issue:

http://marc.theaimsgroup.com/?l=samba&m=110217288924619&w=2
http://marc.theaimsgroup.com/?l=samba&m=110128503324928&w=2
http://marc.theaimsgroup.com/?l=samba&m=109171118423701&w=2

but I don't see any resolutions in the mailing list. Any help would be appreciated, I'd really like to upgrade because of the security vulnerabilities.

Thanks,
Tim.
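A small triage script for comparing runs like the two above, added here as an example (it is not part of the original post and not Samba code): it pulls the Kerberos session key length and the SMB signature check results out of each "=== version: command ===" section of the -d10 output. The names `summarize` and `compare` are hypothetical, and the sample log is a trimmed excerpt of the lines quoted in the post.

```python
import re

# Trimmed excerpt of the -d10 output quoted in the post (not a full capture).
SAMPLE_LOG = """=== 3.0.7: /usr/bin/winbind -i -d10 ===
Got KRB5 session key of length 16
client_check_incoming_message: seq 1: got good SMB signature of
[000] 9D E9 1B CC 6F 48 42 92 ....oHB.
=== 3.0.8: /usr/bin/winbind -i -d10 ===
Got KRB5 session key of length 8
client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] D7 08 07 13 97 AC E9 8B ........
client_check_incoming_message: BAD SIG: got SMB signature of
[000] EF 85 1C D4 6A 1D AC 9D ....j...
"""

HEADER = re.compile(r"^=== (\S+): .* ===$")
KEYLEN = re.compile(r"Got KRB5 session key of length (\d+)")
BADSIG = re.compile(r"BAD SIG: (wanted|got) SMB signature")
HEXDUMP = re.compile(r"^\[000\]((?: [0-9A-F]{2})+)")

def summarize(log):
    """Return {version: {key_len, good_sigs, bad_sig}} per '=== ver: cmd ===' section."""
    runs, cur, pending = {}, None, None
    for line in log.splitlines():
        line = line.strip()
        if (m := HEADER.match(line)):
            # -d3 and -d10 sections of the same version share one record
            cur = runs.setdefault(
                m.group(1), {"key_len": None, "good_sigs": 0, "bad_sig": {}})
            pending = None
        elif cur is None:
            continue  # ignore anything before the first section header
        elif (m := KEYLEN.search(line)):
            cur["key_len"] = int(m.group(1))
        elif "got good SMB signature" in line:
            cur["good_sigs"] += 1
        elif (m := BADSIG.search(line)):
            pending = m.group(1)  # the hex dump follows on the next line
        elif pending and (m := HEXDUMP.match(line)):
            cur["bad_sig"][pending] = bytes.fromhex(m.group(1))
            pending = None
    return runs

def compare(runs):
    """One line per version, so a key-length change next to a BAD SIG stands out."""
    return [f"{ver}: session_key_len={r['key_len']} good_sigs={r['good_sigs']} "
            f"bad_sig={'yes' if r['bad_sig'] else 'no'}" for ver, r in runs.items()]

if __name__ == "__main__":
    print("\n".join(compare(summarize(SAMPLE_LOG))))
```
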