authorAndrew Bartlett <abartlet@samba.org>2011-12-15 10:00:36 +1100
committerJeremy Allison <jra@samba.org>2012-03-19 21:31:46 +0100
commit0902392413dcbd8bedcb7c42d86497d671ba1e0f (patch)
treedf207e347b82d4c27c71af387d8896acdac011d5
parentee0e1ca5d8bbd03be5df23ecce504115e2e5012f (diff)
s3-winbindd Only use SamLogonEx when we can get unencrypted session keys
This ensures that we have some check on the session keys being returned as the RC4 cipher is not checksummed. The check comes from the fact that the credentials chain is tied to the session key, and so if the credentials check passes then the netlogon session key will be correct, and so the user session key will be correctly decrypted. Andrew Bartlett Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Mon Mar 19 21:31:46 CET 2012 on sn-devel-104
-rw-r--r--source3/winbindd/winbindd_pam.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index b7aec20534..6757f3611e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1246,7 +1246,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
domain->can_do_validation6 = false;
}
- if (domain->can_do_samlogon_ex) {
+ if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
result = rpccli_netlogon_sam_network_logon_ex(
netlogon_pipe,
mem_ctx,
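Review bot: The new guard `domain->can_do_samlogon_ex && domain->can_do_validation6` carries a security invariant that is recorded only in the commit message, so a later cleanup could drop the second operand without noticing what it protects. A comment above the `if` would keep the reason in the code, for example `/* Only use SamLogonEx when level 6 returns the session keys unencrypted; otherwise rely on the credentials chain to vouch for the netlogon session key. */`. The fallback branch is outside this hunk, so it is worth confirming that it still requests the lower validation level and that its result is covered by the credentials check. winbind_samlogon_retry_loop begins and ends outside the hunk.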
@@ -1256,7 +1256,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
domainname, /* target domain */
workstation, /* workstation */
chal,
- domain->can_do_validation6 ? 6 : 3,
+ 6,
lm_response,
nt_response,
info3);
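Review bot: The bare `6` passed as the validation level is only correct because of the `can_do_validation6` test in the `if` that opens this call, and nothing at the argument itself says so. A short comment on the argument, such as `6, /* validation level; guarded by can_do_validation6 */`, would make the coupling visible to anyone editing either place. If the netlogon definitions in the tree provide a named constant for this level and the parameter type accepts it, using that instead of the literal would be clearer still. The call's opening lines sit in the previous hunk.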