authorAndrew Bartlett <abartlet@samba.org>2011-12-15 09:57:56 +1100
committerKarolin Seeger <kseeger@samba.org>2012-06-30 14:02:47 +0200
commit6e3863bcf179a72f1217d85af55a52b60cf1ba4f (patch)
tree30c6772d9fc2f8eb3e288d39829d804e5111f2fb
parent2f2236661c0353f6dc1aedf70eb99c9c2be202b5 (diff)
s3-winbindd Only use SamLogonEx when we can get unencrypted session keys
This ensures that we have some check on the session keys being returned, as the RC4 cipher is not checksummed. The check comes from the fact that the credentials chain is tied to the netlogon session key, and so if the credentials check passes then the netlogon session key will be correct, and so the user session key will be correctly decrypted. Andrew Bartlett Signed-off-by: Matthieu Patou <mat@matws.net> s3: If we can't do validation 6 or sam_logon_ex use sam_logon only (cherry picked from commit c119cd8868fc7e2eb08b09f7092519007fd83bf6)
-rw-r--r--source3/winbindd/winbindd_pam.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a8afa009095..c8910d6a437 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1365,7 +1365,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
domain->can_do_validation6 = false;
}
- logon_fn = contact_domain->can_do_samlogon_ex
+ logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6)
? rpccli_netlogon_sam_network_logon_ex
: rpccli_netlogon_sam_network_logon;
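Review bot: The reason for the added `&& domain->can_do_validation6` is recorded only in the commit message, and the identical expression is repeated in winbindd_dual_pam_auth_crap (second hunk), so a later edit could drop the guard in one place without anyone noticing it is security-relevant. A comment above each assignment would keep it visible, for example `/* SamLogonEx has no credentials chain: only use it when validation level 6 gives us unencrypted session keys */`. The test also reads `can_do_samlogon_ex` from `contact_domain` but `can_do_validation6` from `domain`; if that split is intentional it deserves a word in the same comment, since the two pointers presumably can refer to different domains. Both functions start and end outside the hunks, so whether `logon_fn` is re-evaluated after `can_do_validation6` is cleared cannot be confirmed from here.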
@@ -1991,7 +1991,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
domain->can_do_validation6 = false;
}
- logon_fn = contact_domain->can_do_samlogon_ex
+ logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6)
? rpccli_netlogon_sam_network_logon_ex
: rpccli_netlogon_sam_network_logon;