From f8628fa330abcd50923d995d5bda1f4811582ea9 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 23 Jul 2008 16:14:20 +1000
Subject: [PATCH] Remove the 'accoc_group_id' check in the RPC server.

This check breaks more than it fixes, and while technically not
correct, is the best solution we have at this time.  Otherwise,
SCHANNEL binds from WinXP fail.

Andrew Bartlett
---
 source/rpc_server/dcerpc_server.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/source/rpc_server/dcerpc_server.c b/source/rpc_server/dcerpc_server.c
index d8dafd61f61..91ae5fcd94a 100644
--- a/source/rpc_server/dcerpc_server.c
+++ b/source/rpc_server/dcerpc_server.c
@@ -534,9 +534,20 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 	uint32_t context_id;
 	const struct dcesrv_interface *iface;
 
+#if 0
+	/* It is not safe to enable this check - windows clients
+	 * (WinXP in particular) will use it for NETLOGON calls, for
+	 * the subsequent SCHANNEL bind.  It turns out that NETLOGON
+	 * calls include no policy handles, so it is safe there.  Let
+	 * the failure occour on the attempt to reuse a poilcy handle,
+	 * rather than here */
+
+	/* Association groups allow policy handles to be shared across
+	 * multiple client connections.  We don't implement this yet. */
 	if (call->pkt.u.bind.assoc_group_id != 0) {
 		return dcesrv_bind_nak(call, 0);	
 	}
+#endif
 
 	if (call->pkt.u.bind.num_contexts < 1 ||
 	    call->pkt.u.bind.ctx_list[0].num_transfer_syntaxes < 1) {
-- 
2.34.1