samba/sme10/samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch

From b89f28556ad0d1caf9cf41c56a0d67440098358f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 12 Apr 2016 09:36:12 +0300
Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
 domains DCs

  Allow cm_connect_netlogon() to talk to trusted domains' DCs when
  running in a domain member configuration.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
 source3/winbindd/winbindd_cm.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 63175e5..1ef3d17 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2578,9 +2578,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
  anonymous:
 
        /* Finally fall back to anonymous. */
-       if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+       if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+           (IS_DC || domain->primary)) {
                status = NT_STATUS_DOWNGRADE_DETECTED;
-               DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
+               DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
                          "without connection level security, "
                          "must set 'winbind sealed pipes = false' and "
                          "'require strong key = false' to proceed: %s\n",
@@ -2811,9 +2812,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
  anonymous:
 
-       if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+       if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+           (IS_DC || domain->primary)) {
                result = NT_STATUS_DOWNGRADE_DETECTED;
-               DEBUG(1, ("Unwilling to make LSA connection to domain %s"
+               DEBUG(1, ("Unwilling to make LSA connection to domain %s "
                          "without connection level security, "
                          "must set 'winbind sealed pipes = false' and "
                          "'require strong key = false' to proceed: %s\n",
@@ -2978,9 +2980,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 
  no_schannel:
        if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-               if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+               if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+                   (IS_DC || domain->primary)) {
                        result = NT_STATUS_DOWNGRADE_DETECTED;
-                       DEBUG(1, ("Unwilling to make connection to domain %s"
+                       DEBUG(1, ("Unwilling to make connection to domain %s "
                                  "without connection level security, "
                                  "must set 'winbind sealed pipes = false' and "
                                  "'require strong key = false' to proceed: %s\n",
-- 
2.5.5

1	vip-ire	1.1	From b89f28556ad0d1caf9cf41c56a0d67440098358f Mon Sep 17 00:00:00 2001
2			From: Alexander Bokovoy <abokovoy@redhat.com>
3			Date: Tue, 12 Apr 2016 09:36:12 +0300
4			Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
5			domains DCs
6
7			Allow cm_connect_netlogon() to talk to trusted domains' DCs when
8			running in a domain member configuration.
9
10			Signed-off-by: Alexander Bokovoy <ab@samba.org>
11			---
12			source3/winbindd/winbindd_cm.c \| 15 +++++++++------
13			1 file changed, 9 insertions(+), 6 deletions(-)
14
15			diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
16			index 63175e5..1ef3d17 100644
17			--- a/source3/winbindd/winbindd_cm.c
18			+++ b/source3/winbindd/winbindd_cm.c
19			@@ -2578,9 +2578,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain domain, TALLOC_CTX mem_ctx,
20			anonymous:
21
22			/* Finally fall back to anonymous. */
23			- if (lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) {
24			+ if ((lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) &&
25			+ (IS_DC \|\| domain->primary)) {
26			status = NT_STATUS_DOWNGRADE_DETECTED;
27			- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
28			+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
29			"without connection level security, "
30			"must set 'winbind sealed pipes = false' and "
31			"'require strong key = false' to proceed: %s\n",
32			@@ -2811,9 +2812,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain domain, TALLOC_CTX mem_ctx,
33
34			anonymous:
35
36			- if (lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) {
37			+ if ((lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) &&
38			+ (IS_DC \|\| domain->primary)) {
39			result = NT_STATUS_DOWNGRADE_DETECTED;
40			- DEBUG(1, ("Unwilling to make LSA connection to domain %s"
41			+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
42			"without connection level security, "
43			"must set 'winbind sealed pipes = false' and "
44			"'require strong key = false' to proceed: %s\n",
45			@@ -2978,9 +2980,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
46
47			no_schannel:
48			if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
49			- if (lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) {
50			+ if ((lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) &&
51			+ (IS_DC \|\| domain->primary)) {
52			result = NT_STATUS_DOWNGRADE_DETECTED;
53			- DEBUG(1, ("Unwilling to make connection to domain %s"
54			+ DEBUG(1, ("Unwilling to make connection to domain %s "
55			"without connection level security, "
56			"must set 'winbind sealed pipes = false' and "
57			"'require strong key = false' to proceed: %s\n",
58			--
59			2.5.5
60