From: Stefan Metzmacher Date: Fri, 27 Sep 2024 10:21:53 +0000 (+0200) Subject: s3:winbindd: let cm_connect_lsa() require schannel also for direct trusts X-Git-Tag: tdb-1.4.13~1031 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2fd86025152ea3d96fffdec4945b324139bea4b;p=thirdparty%2Fsamba.git s3:winbindd: let cm_connect_lsa() require schannel also for direct trusts This means as domain member we require it also for our primary domain. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider
---
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 6a3a857d543..fe634feb4c4 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2927,6 +2927,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 const struct sockaddr_storage *remote_sockaddr = NULL;
 bool sealed_pipes = true;
 bool strong_key = true;
+ bool require_schannel = false;
 retry:
 result = init_dc_connection_rpc(domain, false);
@@ -2941,10 +2942,14 @@ retry:
 TALLOC_FREE(conn->lsa_pipe);
- if (IS_DC) {
+ if (IS_DC ||
+ domain->secure_channel_type != SEC_CHAN_NULL)
+ {
 /*
- * Make sure we only use schannel as AD DC.
+ * Make sure we only use schannel as DC
+ * or with a direct trust
 */
+ require_schannel = true;
 goto schannel;
 }
@@ -3071,9 +3076,10 @@ retry:
 goto done;
 }
- if (IS_DC) {
+ if (require_schannel) {
 /*
- * Make sure we only use schannel as AD DC.
+ * Make sure we only use schannel as DC
+ * or with a direct trust
 */
 goto done;
 }
@@ -3085,9 +3091,10 @@ retry:
 anonymous:
- if (IS_DC) {
+ if (require_schannel) {
 /*
- * Make sure we only use schannel as AD DC.
+ * Make sure we only use schannel as DC
+ * or with a direct trust
 */
 goto done;
 }
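Review bot: The comment on the widened condition in the second hunk restates the test but not its consequence. `goto schannel` jumps over whatever connection attempts sit between this test and the `schannel:` label, and `require_schannel` then blocks the fallbacks further down. The jump now applies to every domain whose `secure_channel_type` is not `SEC_CHAN_NULL`, so I would spell the consequence out, e.g. `/* Direct trust or DC: accept only an schannel-protected LSA pipe and never downgrade to a weaker connection. */`. The skipped code and the `schannel:` label lie outside the hunk, so what exactly is bypassed is inferred from the jump.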
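Review bot: Both `if (require_schannel) { goto done; }` exits leave without a log line, in the third hunk and again under `anonymous:` in the fourth. A domain member whose schannel setup to its primary domain fails presumably got a fallback connection before and now gets only an error. A message at these exits would show an operator that the downgrade was refused on purpose, for example `DBG_WARNING("schannel required for domain %s, refusing fallback\n", domain->name);`. The hunks do not show whether `result` already holds a failure status when these branches run. That is worth confirming, since `goto done` with a stale success status would return without a usable pipe.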