author | Stefan Metzmacher <metze@samba.org> | 2017-02-22 19:18:04 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2017-02-28 09:38:24 +0100 |
commit | ad3da42c92b2c16f836087364b19ef350ec26424 (patch) | |
tree | c225b35923285ae9f664fd07eb40a322cfbbaf88 | |
parent | 36da5cc94355173dfa9e69ee685deb42e0ea2086 (diff) | |
download | samba-ad3da42c92b2c16f836087364b19ef350ec26424.tar.gz |
s3:winbindd: fix the valid usage anonymous smb authentication
If we are in a situation where we don't have credentials to contact the
remote domain or against an NT4 with the following settings:
workgroup = NT4DOM
security = domain
require strong key = no
client use spnego = no
client ipc signing = auto
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(similar to commit c97a29bdfdc0020ec0113073580da56f2d35edc1)
-rw-r--r-- | source3/winbindd/winbindd_cm.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index bbc5ae54b60..6669dc2e4e0 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1096,6 +1096,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 }
 }
+ if (cli_credentials_is_anonymous(creds)) {
+ goto anon_fallback;
+ }
+
 krb5_state = cli_credentials_get_kerberos_state(creds);
 machine_krb5_principal = cli_credentials_get_principal(creds,
@@ -1167,10 +1171,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
 || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
 {
- if (cli_credentials_is_anonymous(creds)) {
- goto done;
- }
-
 if (!cm_is_ipc_credentials(creds)) {
 goto ipc_fallback;
 }
@@ -1196,7 +1196,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 }
 if (cli_credentials_is_anonymous(creds)) {
- TALLOC_FREE(creds);
 goto anon_fallback;
 }
@@ -1243,6 +1242,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 goto done;
 anon_fallback:
+ TALLOC_FREE(creds);
 if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
 goto done; |
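Review bot: The early `goto anon_fallback` added in the first hunk reaches the label with `result` holding whatever the preceding call left in it, rather than the status of a failed session setup. At the label (the hunk at -1243) the `smb_sign_client_connections == SMB_SIGNING_REQUIRED` branch goes straight to `done`, so if `result` is a success status on this path the function would presumably report success for a connection on which no session was ever established. The assignments to `result` above this hunk are not visible here, so this needs checking against the full function; setting an explicit failure before that `goto done`, for example `result = NT_STATUS_ACCESS_DENIED;`, would make the refusal unambiguous to callers. cm_prepare_connection starts and ends outside the hunk.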
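Review bot: The `TALLOC_FREE(creds)` placed directly under `anon_fallback:` in the last hunk carries no comment saying that the label now owns the release, although the jumps in the first and third hunks depend on it. A one-line comment such as `/* every path arrives here with creds still allocated; release them once before the anonymous attempt */` would keep a later edit from re-adding a free before one of the jumps or from reading `creds` after the label. The `if` block that follows is left open by the hunk, so what runs after the signing check is not visible here.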