author | Günther Deschner <gd@samba.org> | 2010-08-09 14:31:24 +0200 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2010-08-09 16:36:22 +0200 |
commit | be396411a4e1f3a174f8a44b6c062d834135e70a (patch) | |
tree | 40ecaded27765eb3b5a79f79e2868854465ee9cb | |
parent | 46bcb627803caa83c59f8ca9c1064e399000e64d (diff) | |
download | samba-be396411a4e1f3a174f8a44b6c062d834135e70a.tar.gz samba-be396411a4e1f3a174f8a44b6c062d834135e70a.tar.bz2 samba-be396411a4e1f3a174f8a44b6c062d834135e70a.zip |
s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.
This is an important fix as the following could and is happening:
* winbind authenticates a user via schannel secured netlogon samlogonex call,
current secure channel cred state is stored in winbind state, winbind
successfully decrypts session key from the info3
* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the
secure channel on the dc)
* subsequent samlogonex calls use the new secure channel creds on the dc to
encrypt info3 session key, while winbind tries to use old schannel creds for
decryption
Guenther
-rw-r--r-- | source3/winbindd/winbindd_cm.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 0ca8513f81..958daf794e 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2267,6 +2267,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, struct rpc_pipe_client **cli) { struct winbindd_cm_conn *conn; + struct netlogon_creds_CredentialState *creds; NTSTATUS status; DEBUG(10,("cm_connect_lsa_tcp\n")); @@ -2287,14 +2288,19 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, TALLOC_FREE(conn->lsa_pipe_tcp); - status = cli_rpc_pipe_open_schannel(conn->cli, - &ndr_table_lsarpc.syntax_id, - NCACN_IP_TCP, - DCERPC_AUTH_LEVEL_PRIVACY, - domain->name, - &conn->lsa_pipe_tcp); + if (!cm_get_schannel_creds(domain, &creds)) { + goto done; + } + + status = cli_rpc_pipe_open_schannel_with_key(conn->cli, + &ndr_table_lsarpc.syntax_id, + NCACN_IP_TCP, + DCERPC_AUTH_LEVEL_PRIVACY, + domain->name, + &creds, + &conn->lsa_pipe_tcp); if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n", + DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n", nt_errstr(status))); goto done; } |
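Review bot: in the second hunk, the new early exit `if (!cm_get_schannel_creds(domain, &creds)) { goto done; }` jumps to `done` before `status` is ever assigned in the visible code (`NTSTATUS status;` is declared without an initializer in the first hunk and the only assignment shown is the `cli_rpc_pipe_open_schannel_with_key()` call that the goto skips), so unless an earlier part of the function not shown here sets it, the caller can receive an uninitialized NTSTATUS on that path; assign an explicit failure status before the `goto done;`, and add a short comment above the `cm_get_schannel_creds()` call stating that the existing secure channel credential state must be reused rather than re-established, since that is the whole point of the change and the code itself does not say so.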