From 351e749246a278b60a7e18c1eeafdc8ec70efea2 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 25 Apr 2006 12:24:25 +0000 Subject: r15240: Correctly disallow unauthorized access when logging on with the kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176) --- source3/nsswitch/winbindd_cred_cache.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch/winbindd_cred_cache.c') diff --git a/source3/nsswitch/winbindd_cred_cache.c b/source3/nsswitch/winbindd_cred_cache.c index 4c539b9b23..eb39d1dafb 100644 --- a/source3/nsswitch/winbindd_cred_cache.c +++ b/source3/nsswitch/winbindd_cred_cache.c @@ -113,6 +113,7 @@ static void krb5_ticket_refresh_handler(struct timed_event *te, &entry->renew_until, entry->ccname, False, /* no PAC required anymore */ + True, WINBINDD_PAM_AUTH_KRB5_RENEW_TIME); seteuid(0); -- cgit