authorAndrew Bartlett <abartlet@samba.org>2008-04-21 17:48:31 +0200
committerAndrew Bartlett <abartlet@samba.org>2008-04-21 17:48:31 +0200
commit154f4837b3169ddf6c61f87b9d28c257f69d35bf (patch)
tree8622eb9ecd4a8796ab7516ae0e86f9320215c44c
parent937091161b82782d3578c80a6e56123c86050752 (diff)
downloadsamba-154f4837b3169ddf6c61f87b9d28c257f69d35bf.tar.gz
samba-154f4837b3169ddf6c61f87b9d28c257f69d35bf.tar.bz2
samba-154f4837b3169ddf6c61f87b9d28c257f69d35bf.zip
Add in a nice big comment explaining why SamLogonEx matters.
Andrew Bartlett (This used to be commit 87232351b5e66728f8d602259961909e8c1dfcb6)
-rw-r--r--source3/winbindd/winbindd_pam.c21
1 files changed, 21 insertions, 0 deletions
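--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1307,6 +1307,27 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 goto done;
 }
+ /* It is really important to try SamLogonEx here,
+ * because in a clustered environment, we want to use
+ * one machine account from multiple physical
+ * computers.
+ *
+ * With a normal SamLogon call, we must keep the
+ * credentials chain updated and intact between all
+ * users of the machine account (which would imply
+ * cross-node communication for every NTLM logon).
+ *
+ * (The credentials chain is not per NETLOGON pipe
+ * connection, but globally on the server/client pair
+ * by machine name).
+ *
+ * When using SamLogonEx, the credentials are not
+ * supplied, but the session key is implied by the
+ * wrapping SamLogon context.
+ *
+ * -- abartlet 21 April 2008
+ */
+
 logon_fn = contact_domain->can_do_samlogon_ex
 ? rpccli_netlogon_sam_network_logon_ex
 : rpccli_netlogon_sam_network_logon;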
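Review bot: The new comment explains why SamLogonEx matters, but the ternary right below it silently falls back to plain `rpccli_netlogon_sam_network_logon` when `can_do_samlogon_ex` is false, which is exactly the situation the comment warns about, and the comment says nothing about that path. A closing sentence would tie the two together, e.g. `* If the DC cannot do SamLogonEx we fall back to plain SamLogon below; in a clustered setup that fallback reintroduces the shared credentials-chain problem described above.` The dated `-- abartlet 21 April 2008` signature duplicates what the commit history already records and could be dropped from the in-code comment. The enclosing `winbindd_dual_pam_auth_samlogon` body continues on both sides of the hunk.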