s3:winbindd: let cm_connect_lsa() require schannel also for direct trusts

This means as domain member we require it also for our primary domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 6a3a857d5435668ef803730816ebc84d6599200a..fe634feb4c4c8790b2051c27038ba014b6602dc4 100644 (file)
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2927,6 +2927,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
        const struct sockaddr_storage *remote_sockaddr = NULL;
        bool sealed_pipes = true;
        bool strong_key = true;
+       bool require_schannel = false;
 
 retry:
        result = init_dc_connection_rpc(domain, false);
@@ -2941,10 +2942,14 @@ retry:
 
        TALLOC_FREE(conn->lsa_pipe);
 
-       if (IS_DC) {
+       if (IS_DC ||
+           domain->secure_channel_type != SEC_CHAN_NULL)
+       {
                /*
-                * Make sure we only use schannel as AD DC.
+                * Make sure we only use schannel as DC
+                * or with a direct trust
                 */
+               require_schannel = true;
                goto schannel;
        }
 
@@ -3071,9 +3076,10 @@ retry:
                goto done;
        }
 
-       if (IS_DC) {
+       if (require_schannel) {
                /*
-                * Make sure we only use schannel as AD DC.
+                * Make sure we only use schannel as DC
+                * or with a direct trust
                 */
                goto done;
        }
@@ -3085,9 +3091,10 @@ retry:
 
  anonymous:
 
-       if (IS_DC) {
+       if (require_schannel) {
                /*
-                * Make sure we only use schannel as AD DC.
+                * Make sure we only use schannel as DC
+                * or with a direct trust
                 */
                goto done;
        }