samba/sme10/samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch

From b89f28556ad0d1caf9cf41c56a0d67440098358f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 12 Apr 2016 09:36:12 +0300
Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
 domains DCs

  Allow cm_connect_netlogon() to talk to trusted domains' DCs when
  running in a domain member configuration.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
 source3/winbindd/winbindd_cm.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 63175e5..1ef3d17 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2578,9 +2578,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
  anonymous:
 
        /* Finally fall back to anonymous. */
-       if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+       if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+           (IS_DC || domain->primary)) {
                status = NT_STATUS_DOWNGRADE_DETECTED;
-               DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
+               DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
                          "without connection level security, "
                          "must set 'winbind sealed pipes = false' and "
                          "'require strong key = false' to proceed: %s\n",
@@ -2811,9 +2812,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
  anonymous:
 
-       if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+       if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+           (IS_DC || domain->primary)) {
                result = NT_STATUS_DOWNGRADE_DETECTED;
-               DEBUG(1, ("Unwilling to make LSA connection to domain %s"
+               DEBUG(1, ("Unwilling to make LSA connection to domain %s "
                          "without connection level security, "
                          "must set 'winbind sealed pipes = false' and "
                          "'require strong key = false' to proceed: %s\n",
@@ -2978,9 +2980,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 
  no_schannel:
        if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-               if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+               if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+                   (IS_DC || domain->primary)) {
                        result = NT_STATUS_DOWNGRADE_DETECTED;
-                       DEBUG(1, ("Unwilling to make connection to domain %s"
+                       DEBUG(1, ("Unwilling to make connection to domain %s "
                                  "without connection level security, "
                                  "must set 'winbind sealed pipes = false' and "
                                  "'require strong key = false' to proceed: %s\n",
-- 
2.5.5

1	From b89f28556ad0d1caf9cf41c56a0d67440098358f Mon Sep 17 00:00:00 2001
2	From: Alexander Bokovoy <abokovoy@redhat.com>
3	Date: Tue, 12 Apr 2016 09:36:12 +0300
4	Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
5	domains DCs
6
7	Allow cm_connect_netlogon() to talk to trusted domains' DCs when
8	running in a domain member configuration.
9
10	Signed-off-by: Alexander Bokovoy <ab@samba.org>
11	---
12	source3/winbindd/winbindd_cm.c \| 15 +++++++++------
13	1 file changed, 9 insertions(+), 6 deletions(-)
14
15	diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
16	index 63175e5..1ef3d17 100644
17	--- a/source3/winbindd/winbindd_cm.c
18	+++ b/source3/winbindd/winbindd_cm.c
19	@@ -2578,9 +2578,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain domain, TALLOC_CTX mem_ctx,
20	anonymous:
21
22	/* Finally fall back to anonymous. */
23	- if (lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) {
24	+ if ((lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) &&
25	+ (IS_DC \|\| domain->primary)) {
26	status = NT_STATUS_DOWNGRADE_DETECTED;
27	- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
28	+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
29	"without connection level security, "
30	"must set 'winbind sealed pipes = false' and "
31	"'require strong key = false' to proceed: %s\n",
32	@@ -2811,9 +2812,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain domain, TALLOC_CTX mem_ctx,
33
34	anonymous:
35
36	- if (lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) {
37	+ if ((lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) &&
38	+ (IS_DC \|\| domain->primary)) {
39	result = NT_STATUS_DOWNGRADE_DETECTED;
40	- DEBUG(1, ("Unwilling to make LSA connection to domain %s"
41	+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
42	"without connection level security, "
43	"must set 'winbind sealed pipes = false' and "
44	"'require strong key = false' to proceed: %s\n",
45	@@ -2978,9 +2980,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
46
47	no_schannel:
48	if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
49	- if (lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) {
50	+ if ((lp_winbind_sealed_pipes() \|\| lp_require_strong_key()) &&
51	+ (IS_DC \|\| domain->primary)) {
52	result = NT_STATUS_DOWNGRADE_DETECTED;
53	- DEBUG(1, ("Unwilling to make connection to domain %s"
54	+ DEBUG(1, ("Unwilling to make connection to domain %s "
55	"without connection level security, "
56	"must set 'winbind sealed pipes = false' and "
57	"'require strong key = false' to proceed: %s\n",
58	--
59	2.5.5
60