authorGünther Deschner <gd@samba.org>2010-08-09 14:31:24 +0200
committerGünther Deschner <gd@samba.org>2010-08-09 16:36:22 +0200
commitbe396411a4e1f3a174f8a44b6c062d834135e70a (patch)
tree40ecaded27765eb3b5a79f79e2868854465ee9cb
parent46bcb627803caa83c59f8ca9c1064e399000e64d (diff)
s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.
This is an important fix, as the following could happen and is happening:
* winbind authenticates a user via a schannel-secured netlogon samlogonex call; the current secure channel credential state is stored in winbind state, and winbind successfully decrypts the session key from the info3
* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the secure channel on the dc)
* subsequent samlogonex calls use the new secure channel creds on the dc to encrypt the info3 session key, while winbind tries to use the old schannel creds for decryption
Guenther
-rw-r--r--source3/winbindd/winbindd_cm.c20
1 files changed, 13 insertions, 7 deletions
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 0ca8513f81..958daf794e 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2267,6 +2267,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
struct rpc_pipe_client **cli)
{
struct winbindd_cm_conn *conn;
+ struct netlogon_creds_CredentialState *creds;
NTSTATUS status;
DEBUG(10,("cm_connect_lsa_tcp\n"));
@@ -2287,14 +2288,19 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
TALLOC_FREE(conn->lsa_pipe_tcp);
- status = cli_rpc_pipe_open_schannel(conn->cli,
- &ndr_table_lsarpc.syntax_id,
- NCACN_IP_TCP,
- DCERPC_AUTH_LEVEL_PRIVACY,
- domain->name,
- &conn->lsa_pipe_tcp);
+ if (!cm_get_schannel_creds(domain, &creds)) {
+ goto done;
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
+ &ndr_table_lsarpc.syntax_id,
+ NCACN_IP_TCP,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+ domain->name,
+ &creds,
+ &conn->lsa_pipe_tcp);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n",
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
nt_errstr(status)));
goto done;
}
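Review bot: The `goto done` taken when `cm_get_schannel_creds()` fails (the new `if` right after `TALLOC_FREE(conn->lsa_pipe_tcp)`) leaves `status` untouched, so the `done:` label — which lies outside the hunk — presumably returns whatever an earlier call stored in it, or an indeterminate value, since the first hunk declares it as a bare `NTSTATUS status;`. If that earlier value is NT_STATUS_OK, the function reports success even though `conn->lsa_pipe_tcp` has just been freed and was never reopened, and a caller trusting the status would then use an unset pipe. The failure branch should assign an error before jumping, `status = NT_STATUS_UNSUCCESSFUL;` on its own line ahead of `goto done;`, and log the reason at the same level as the open failure below it, `DEBUG(10, ("cm_get_schannel_creds failed\n"));`. The body of cm_connect_lsa_tcp, including the `done:` handling, continues beyond the end of this hunk.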