3 files changed, 24 insertions, 7 deletions

diff --git a/source4/winbind/wb_connect_lsa.c b/source4/winbind/wb_connect_lsa.c
index 76f75eb0a4..1c9cb5f39a 100644
--- a/source4/winbind/wb_connect_lsa.c
+++ b/source4/winbind/wb_connect_lsa.c
@@ -95,24 +95,32 @@ static void init_lsa_recv_pipe(struct composite_context *ctx)
 	switch (state->auth_type) {
 	case DCERPC_AUTH_TYPE_NONE:
 		ctx = dcerpc_bind_auth_none_send(state, state->lsa_pipe,
-										 &dcerpc_table_lsarpc);
+						 &dcerpc_table_lsarpc);
 		composite_continue(state->ctx, ctx, init_lsa_recv_anon_bind,
 				   state);
 		break;
 	case DCERPC_AUTH_TYPE_NTLMSSP:
 	case DCERPC_AUTH_TYPE_SCHANNEL:
+	{
+		uint8_t auth_type;
+		if (lp_winbind_sealed_pipes()) {
+			auth_type = DCERPC_AUTH_LEVEL_PRIVACY;
+		} else {
+			auth_type = DCERPC_AUTH_LEVEL_INTEGRITY;
+		}
 		if (state->creds == NULL) {
 			composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
 			return;
 		}
-		state->lsa_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL);
 		ctx = dcerpc_bind_auth_send(state, state->lsa_pipe,
-									&dcerpc_table_lsarpc,
+					    &dcerpc_table_lsarpc,
 					    state->creds, state->auth_type,
+					    auth_type,
 					    NULL);
 		composite_continue(state->ctx, ctx, init_lsa_recv_auth_bind,
 				   state);
 		break;
+	}
 	default:
 		composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
 	}
diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c
index e3b9c82310..1817785508 100644
--- a/source4/winbind/wb_connect_sam.c
+++ b/source4/winbind/wb_connect_sam.c
@@ -102,24 +102,32 @@ static void connect_samr_recv_pipe(struct composite_context *ctx)
 	switch (state->auth_type) {
 	case DCERPC_AUTH_TYPE_NONE:
 		ctx = dcerpc_bind_auth_none_send(state, state->samr_pipe,
-										 &dcerpc_table_samr);
+						 &dcerpc_table_samr);
 		composite_continue(state->ctx, ctx,
 				   connect_samr_recv_anon_bind, state);
 		break;
 	case DCERPC_AUTH_TYPE_NTLMSSP:
 	case DCERPC_AUTH_TYPE_SCHANNEL:
+	{
+		uint8_t auth_type;
+		if (lp_winbind_sealed_pipes()) {
+			auth_type = DCERPC_AUTH_LEVEL_PRIVACY;
+		} else {
+			auth_type = DCERPC_AUTH_LEVEL_INTEGRITY;
+		}
 		if (state->creds == NULL) {
 			composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
 			return;
 		}
-		state->samr_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL);
 		ctx = dcerpc_bind_auth_send(state, state->samr_pipe,
-									&dcerpc_table_samr,
+					    &dcerpc_table_samr,
 					    state->creds, state->auth_type,
+					    auth_type,
 					    NULL);
 		composite_continue(state->ctx, ctx,
 				   connect_samr_recv_auth_bind, state);
 		break;
+	}
 	default:
 		composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
 	}
diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index c9d99ff0b9..b10b5458ba 100644
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
@@ -205,9 +205,10 @@ static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
 	state->domain->netlogon_pipe->conn->flags |=
 		(DCERPC_SIGN | DCERPC_SEAL);
 	ctx = dcerpc_bind_auth_send(state, state->domain->netlogon_pipe,
-								&dcerpc_table_netlogon,
+				    &dcerpc_table_netlogon,
 				    state->domain->schannel_creds,
 				    DCERPC_AUTH_TYPE_SCHANNEL,
+				    DCERPC_AUTH_LEVEL_PRIVACY,
 				    NULL);
 	composite_continue(state->ctx, ctx, init_domain_recv_schannel, state);
 }