authorGünther Deschner <gd@samba.org>2010-08-09 14:31:24 +0200
committerKarolin Seeger <kseeger@samba.org>2011-01-13 17:58:50 +0100
commit4447ae9ccd9091776cd2fbed955e856073f253eb (patch)
tree268a7d99f3ce0b53cc3879042fb81bf6732b820d
parent0c10994635b9f19154c2df7d9db9728cf5157b81 (diff)
downloadsamba-4447ae9ccd9091776cd2fbed955e856073f253eb.tar.gz
s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.
This is an important fix as the following could happen and is happening: * winbind authenticates a user via a schannel-secured netlogon samlogonex call; the current secure channel credential state is stored in winbind state, and winbind successfully decrypts the session key from the info3 * winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the secure channel on the dc) * subsequent samlogonex calls use the new secure channel creds on the dc to encrypt the info3 session key, while winbind tries to use the old schannel creds for decryption Guenther (cherry picked from commit be396411a4e1f3a174f8a44b6c062d834135e70a) (cherry picked from commit e647f5b5409502ec329e24f09202b036cfb357ae)
-rw-r--r--source3/winbindd/winbindd_cm.c20
1 files changed, 13 insertions, 7 deletions
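diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 3b34a3275a8..1b6c03aeed1 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2217,6 +2217,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 struct rpc_pipe_client **cli)
 {
 struct winbindd_cm_conn *conn;
+ struct dcinfo *dcinfo;
 NTSTATUS status;
 DEBUG(10,("cm_connect_lsa_tcp\n"));
@@ -2237,14 +2238,19 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 TALLOC_FREE(conn->lsa_pipe_tcp);
- status = cli_rpc_pipe_open_schannel(conn->cli,
- &ndr_table_lsarpc.syntax_id,
- NCACN_IP_TCP,
- PIPE_AUTH_LEVEL_PRIVACY,
- domain->name,
- &conn->lsa_pipe_tcp);
+ if (!cm_get_schannel_dcinfo(domain, &dcinfo)) {
+ goto done;
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
+ &ndr_table_lsarpc.syntax_id,
+ NCACN_IP_TCP,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ domain->name,
+ dcinfo,
+ &conn->lsa_pipe_tcp);
 if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n",
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
 nt_errstr(status)));
 goto done;
 }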
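Review bot: The new early `goto done` on the cm_get_schannel_dcinfo() failure path leaves `status` uninitialized — `NTSTATUS status;` in the first hunk has no initializer, and nothing between that declaration and this goto assigns it, whereas the replaced code always set `status` from cli_rpc_pipe_open_schannel() before reaching the label. If `done:` returns `status` (the label is outside the hunk, so this is inferred), the caller receives an indeterminate NTSTATUS and may treat a failed secure-channel pipe setup as success, which is exactly the state this fix is trying to keep consistent. Set an explicit failure before jumping and log it at the same level as the neighbouring message: `DEBUG(10,("cm_get_schannel_dcinfo failed\n")); status = NT_STATUS_UNSUCCESSFUL; goto done;`. cm_connect_lsa_tcp's body continues outside both hunks.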