From be396411a4e1f3a174f8a44b6c062d834135e70a Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Mon, 9 Aug 2010 14:31:24 +0200
Subject: s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.

This is an important fix as the following could and is happening:

* winbind authenticates a user via schannel secured netlogon samlogonex call, current secure channel cred state is stored in winbind state, winbind sucessfully decrypts session key from the info3
* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the secure channel on the dc)
* subsequent samlogonex calls use the new secure channel creds on the dc to encrypt info3 session key, while winbind tries to use old schannel creds for decryption

Guenther
---
 source3/winbindd/winbindd_cm.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

(limited to 'source3/winbindd')

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 0ca8513f81..958daf794e 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2267,6 +2267,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 			    struct rpc_pipe_client **cli)
 {
 	struct winbindd_cm_conn *conn;
+	struct netlogon_creds_CredentialState *creds;
 	NTSTATUS status;
 
 	DEBUG(10,("cm_connect_lsa_tcp\n"));
@@ -2287,14 +2288,19 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 
 	TALLOC_FREE(conn->lsa_pipe_tcp);
 
-	status = cli_rpc_pipe_open_schannel(conn->cli,
-					    &ndr_table_lsarpc.syntax_id,
-					    NCACN_IP_TCP,
-					    DCERPC_AUTH_LEVEL_PRIVACY,
-					    domain->name,
-					    &conn->lsa_pipe_tcp);
+	if (!cm_get_schannel_creds(domain, &creds)) {
+		goto done;
+	}
+
+	status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
+						     &ndr_table_lsarpc.syntax_id,
+						     NCACN_IP_TCP,
+						     DCERPC_AUTH_LEVEL_PRIVACY,
+						     domain->name,
+						     &creds,
+						     &conn->lsa_pipe_tcp);
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n",
+		DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
 			nt_errstr(status)));
 		goto done;
 	}
-- cgit
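Review bot: The new `goto done` taken when cm_get_schannel_creds() fails leaves `status` without a failure value — `NTSTATUS status` is declared with no initializer in the previous hunk and this hunk only assigns it on the cli_rpc_pipe_open_schannel_with_key() path — so, unless code above the hunk already set it, the function reaches `done:` reporting whatever `status` happened to hold (an earlier success value at best, an uninitialized read at worst) while `*cli` is never filled in. Set an explicit error before jumping, e.g. `status = NT_STATUS_UNSUCCESSFUL;` as the first statement inside that `if`, or whichever NTSTATUS the sibling cm_connect_* helpers use when no credential state is available. It would also help to record why the pipe is now opened with the shared netlogon creds instead of a fresh schannel, since nothing in the code says so: `/* Reuse the netlogon schannel creds: opening a fresh schannel here would reset the DC's credential chain (bug #7568). */` above the cm_get_schannel_creds() call. The enclosing function cm_connect_lsa_tcp starts before this hunk and its `done:` label lies after it.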