author | Andrew Bartlett <abartlet@samba.org> | 2008-04-21 17:48:31 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2008-04-21 17:48:31 +0200 |
commit | 154f4837b3169ddf6c61f87b9d28c257f69d35bf (patch) | |
tree | 8622eb9ecd4a8796ab7516ae0e86f9320215c44c /source3/winbindd | |
parent | 937091161b82782d3578c80a6e56123c86050752 (diff) | |
Add in a nice big comment explaining why SamLogonEx matters.
Andrew Bartlett
(This used to be commit 87232351b5e66728f8d602259961909e8c1dfcb6)
Diffstat (limited to 'source3/winbindd')
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index bc27f3db20..2de10a9f10 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1307,6 +1307,27 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain, goto done; } + /* It is really important to try SamLogonEx here, + * because in a clustered environment, we want to use + * one machine account from multiple physical + * computers. + * + * With a normal SamLogon call, we must keep the + * credentials chain updated and intact between all + * users of the machine account (which would imply + * cross-node communication for every NTLM logon). + * + * (The credentials chain is not per NETLOGON pipe + * connection, but globally on the server/client pair + * by machine name). + * + * When using SamLogonEx, the credentials are not + * supplied, but the session key is implied by the + * wrapping SamLogon context. + * + * -- abartlet 21 April 2008 + */ + logon_fn = contact_domain->can_do_samlogon_ex ? rpccli_netlogon_sam_network_logon_ex : rpccli_netlogon_sam_network_logon; |
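Review bot: The new comment above the `logon_fn` assignment does not cover the fallback branch. When `contact_domain->can_do_samlogon_ex` is false the code still selects `rpccli_netlogon_sam_network_logon`, which is the call the comment says needs the credentials chain kept "updated and intact between all users of the machine account". Add a sentence stating what a clustered setup should expect in that case, so a reader does not assume the shared machine account is safe on both paths. The last paragraph is also vague: "the session key is implied by the wrapping SamLogon context" does not say what the wrapping context is or where it is established, so name it or point to the code that sets `can_do_samlogon_ex`. A smaller style point: the "-- abartlet 21 April 2008" signature repeats what the commit metadata already records and could be dropped from the comment.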