From: Ralph Boehme
Date: Mon, 27 Nov 2017 14:28:38 +0000 (+0100)
Subject: winbindd: restore SEC_CHAN_NULL fallback in cm_connect_netlogon_transport
X-Git-Tag: talloc-2.1.11~333
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8e0bdc97100578d85f58633bcdf64b7cfb4c216;p=thirdparty%2Fsamba.git
winbindd: restore SEC_CHAN_NULL fallback in cm_connect_netlogon_transport
This partially reverts commit d7e31d9f4d9ce7395e458ac341dd83ac06255a20 "winbindd: Use rpccli_connect_netlogon" and restores handling of SEC_CHAN_NULL. Without this we fail to enumerate domains in trusted forests so users from any child-domain (or tree-root) in the trusted forest can't login via eg SMB. This is a temporary hack that will go away once we get rid of the trusted domain list.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
---
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index f88c704c014..16836bd05b5 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3214,6 +3214,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 struct messaging_context *msg_ctx = server_messaging_context();
 struct winbindd_cm_conn *conn;
 NTSTATUS result;
+ enum netr_SchannelType sec_chan_type;
 struct cli_credentials *creds = NULL;
 *cli = NULL;
@@ -3241,6 +3242,41 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 }
+ if (cli_credentials_is_anonymous(creds)) {
+ DBG_WARNING("get_trust_credential only gave anonymous for %s, "
+ "unable to make get NETLOGON credentials\n",
+ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+ if (sec_chan_type == SEC_CHAN_NULL) {
+ if (transport == NCACN_IP_TCP) {
+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
+ "for %s, deny NCACN_IP_TCP and let the "
+ "caller fallback to NCACN_NP.\n",
+ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+ "fallback to noauth on NCACN_NP.\n",
+ domain->name);
+
+ result = cli_rpc_pipe_open_noauth_transport(
+ conn->cli,
+ transport,
+ &ndr_table_netlogon,
+ &conn->netlogon_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ invalidate_cm_connection(domain);
+ return result;
+ }
+
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
+ }
+
 result = rpccli_create_netlogon_creds_ctx(creds,
 domain->dcname,
 msg_ctx,
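Review bot: The guard in front of the noauth fallback rejects only `NCACN_IP_TCP`, so any other transport value would also reach `cli_rpc_pipe_open_noauth_transport()` even though the log text says the fallback is for NCACN_NP; testing for the intended transport, `if (transport != NCACN_NP) {`, keeps the unauthenticated path as narrow as the message claims (whether callers ever pass a third transport is not visible here). The branch then returns `NT_STATUS_OK` with a pipe that has no secure channel, and nothing in the result tells the caller so. A comment above the call, for example `/* noauth pipe: no schannel, usable only for calls that need no netlogon credentials */`, would record that limit for later callers. The DBG_WARNING string "unable to make get NETLOGON credentials" looks like a typo for "unable to get". The function begins before and continues after this hunk.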