From b89f28556ad0d1caf9cf41c56a0d67440098358f Mon Sep 17 00:00:00 2001 |
From: Alexander Bokovoy <abokovoy@redhat.com> |
Date: Tue, 12 Apr 2016 09:36:12 +0300 |
Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted |
domains DCs |
|
Allow cm_connect_netlogon() to talk to trusted domains' DCs when |
running in a domain member configuration. |
|
Signed-off-by: Alexander Bokovoy <ab@samba.org> |
--- |
source3/winbindd/winbindd_cm.c | 15 +++++++++------ |
1 file changed, 9 insertions(+), 6 deletions(-) |
|
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c |
index 63175e5..1ef3d17 100644 |
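--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2578,9 +2578,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 anonymous:
 
 /* Finally fall back to anonymous. */
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
 status = NT_STATUS_DOWNGRADE_DETECTED;
- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
 "without connection level security, "
 "must set 'winbind sealed pipes = false' and "
 "'require strong key = false' to proceed: %s\n",
@@ -2811,9 +2812,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
 anonymous:
 
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
 result = NT_STATUS_DOWNGRADE_DETECTED;
- DEBUG(1, ("Unwilling to make LSA connection to domain %s"
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
 "without connection level security, "
 "must set 'winbind sealed pipes = false' and "
 "'require strong key = false' to proceed: %s\n",
@@ -2978,9 +2980,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 
 no_schannel:
 if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
 result = NT_STATUS_DOWNGRADE_DETECTED;
- DEBUG(1, ("Unwilling to make connection to domain %s"
+ DEBUG(1, ("Unwilling to make connection to domain %s "
 "without connection level security, "
 "must set 'winbind sealed pipes = false' and "
 "'require strong key = false' to proceed: %s\n",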
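Review bot: With the added `(IS_DC || domain->primary)` term, a domain member now skips the NT_STATUS_DOWNGRADE_DETECTED refusal for a trusted (non-primary) domain even when `winbind sealed pipes` or `require strong key` is set, and nothing in the visible lines logs that this happened. The same relaxation is applied at all three sites (cm_connect_sam, cm_connect_lsa, cm_connect_netlogon), while the commit message names only cm_connect_netlogon(). An administrator who enabled those options cannot tell from the logs that connections to trusted-domain DCs may run without connection-level security. I would log the relaxed case, e.g. `DEBUG(3, ("Connecting to trusted domain %s without connection level security\n", domain->name));`, and put a comment above each condition such as `/* Enforced only for our own domain or on a DC; a member's trusted domains may fall back. */`. The DEBUG calls and the enclosing functions continue outside the hunks, so placement of the log line (presumably an else branch) needs checking against the full file.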
-- |
2.5.5 |
|