summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/nsswitch/winbindd_cm.c34
-rw-r--r--source3/rpc_server/srv_pipe.c4
2 files changed, 36 insertions, 2 deletions
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index 29b856ec45..b2d6e861a3 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -111,6 +111,28 @@ static void cm_get_ipc_userpass(char **username, char **domain, char **password)
}
}
+/*
+ setup for schannel on any pipes opened on this connection
+*/
+static NTSTATUS setup_schannel(struct cli_state *cli)
+{
+ NTSTATUS ret;
+ uchar trust_password[16];
+ uint32 sec_channel_type;
+
+ if (!secrets_fetch_trust_account_password(lp_workgroup(),
+ trust_password,
+ NULL, &sec_channel_type)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ ret = cli_nt_setup_netsec(cli, sec_channel_type,
+ AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN,
+ trust_password);
+
+ return ret;
+}
+
/* Open a connction to the remote server, cache failures for 30 seconds */
static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const int pipe_index,
@@ -256,6 +278,18 @@ static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const i
break;
}
+ /* try and use schannel if possible, but continue anyway if it
+ failed. This allows existing setups to continue working,
+ while solving the win2003 '100 user' limit for systems that
+ are joined properly */
+ if (NT_STATUS_IS_OK(result)) {
+ NTSTATUS status = setup_schannel(new_conn->cli);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3,("schannel refused - continuing without schannel (%s)\n",
+ nt_errstr(status)));
+ }
+ }
+
SAFE_FREE(ipc_username);
SAFE_FREE(ipc_domain);
SAFE_FREE(ipc_password);
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index fa24efe589..8337c4e3c7 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -227,7 +227,7 @@ BOOL create_next_pdu(pipes_struct *p)
if (auth_seal || auth_verify) {
RPC_HDR_AUTH auth_info;
- init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL,
+ init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, auth_info.auth_level,
(auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
@@ -1106,7 +1106,7 @@ BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
re-used from the auth2 the client did before. */
p->dc = last_dcinfo;
- init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL, RPC_HDR_AUTH_LEN, 1);
+ init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, auth_info.auth_level, RPC_HDR_AUTH_LEN, 1);
if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
goto err_exit;