From: Andrew Bartlett
Date: Wed, 14 Dec 2011 22:57:56 +0000 (+1100)
Subject: s3-winbindd Only use SamLogonEx when we can get unencrypted session keys
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c119cd8868fc7e2eb08b09f7092519007fd83bf6;p=thirdparty%2Fsamba.git

s3-winbindd Only use SamLogonEx when we can get unencrypted session keys

This ensures that we have some check on the session keys being returned as the RC4 cipher is not checksummed. The check comes from the fact that the credentials chain is tied to the netlogon session key, and so if the credentials check passes then the netlogon session key will be correct, and so the user session key will be correctly decrypted.

Andrew Bartlett

Signed-off-by: Matthieu Patou

s3: If we can't do validation 6 or sam_logon_ex use sam_logon only
---

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 26fdc5a409a..b0b8e40417c 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1365,7 +1365,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain, domain->can_do_validation6 = false; } - logon_fn = contact_domain->can_do_samlogon_ex + logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6) ? rpccli_netlogon_sam_network_logon_ex : rpccli_netlogon_sam_network_logon; @@ -1989,7 +1989,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, domain->can_do_validation6 = false; } - logon_fn = contact_domain->can_do_samlogon_ex + logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6) ? rpccli_netlogon_sam_network_logon_ex : rpccli_netlogon_sam_network_logon;
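Review bot: In the winbindd_dual_pam_auth_samlogon hunk (@@ -1365), the new condition reads its two flags from different objects, `contact_domain->can_do_samlogon_ex` and `domain->can_do_validation6`, and nothing in the code says why. The security reasoning (the RC4-protected session key is not checksummed, so the credentials chain is the only integrity check) lives in the commit message alone. Please add a short comment above the `logon_fn =` assignment stating that, and why validation6 is taken from `domain` rather than `contact_domain`, so a later cleanup does not "simplify" the test back to the single flag. Note also that the context line just above clears `domain->can_do_validation6`, so from that point this path selects `rpccli_netlogon_sam_network_logon`; nothing in the visible lines sets the flag back, which is worth confirming is the intended behaviour.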
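Review bot: In the winbindd_dual_pam_auth_crap hunk (@@ -1989), the selection expression `(contact_domain->can_do_samlogon_ex && domain->can_do_validation6)` is a verbatim copy of the one added at @@ -1365, so the security decision is now maintained in two places. Consider moving the choice between `rpccli_netlogon_sam_network_logon_ex` and `rpccli_netlogon_sam_network_logon` into one small static helper that takes `domain` and `contact_domain`, so the PAM and CRAP paths cannot drift apart if the condition changes again. As a style point, the added line has also grown long and would read better with the condition wrapped.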