From f79e40072a963fd3b9698fa26c4e4dc135ab8c3e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 7 Apr 2004 12:42:03 +0000 Subject: r115: finally checking in tridge's winbindd_schannel patch for connections (This used to be commit 1fae60ab20c5cbe396dc8af1c8c9a98d5683fdf4) --- source3/nsswitch/winbindd_cm.c | 34 ++++++++++++++++++++++++++++++++++ source3/rpc_server/srv_pipe.c | 4 ++-- 2 files changed, 36 insertions(+), 2 deletions(-) (limited to 'source3') diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 29b856ec45..b2d6e861a3 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -111,6 +111,28 @@ static void cm_get_ipc_userpass(char **username, char **domain, char **password) } } +/* + setup for schannel on any pipes opened on this connection +*/ +static NTSTATUS setup_schannel(struct cli_state *cli) +{ + NTSTATUS ret; + uchar trust_password[16]; + uint32 sec_channel_type; + + if (!secrets_fetch_trust_account_password(lp_workgroup(), + trust_password, + NULL, &sec_channel_type)) { + return NT_STATUS_UNSUCCESSFUL; + } + + ret = cli_nt_setup_netsec(cli, sec_channel_type, + AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN, + trust_password); + + return ret; +} + /* Open a connction to the remote server, cache failures for 30 seconds */ static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const int pipe_index, 
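Review bot: `setup_schannel` leaves the machine trust password (the 16-byte `trust_password` buffer) on the stack when it returns, both on the failure path and after `cli_nt_setup_netsec` has consumed it, so long-lived domain-join secret material stays in winbindd's memory. Clear it before returning, e.g. `ZERO_STRUCT(trust_password);` after the `cli_nt_setup_netsec` call (or `memset(trust_password, 0, sizeof(trust_password));` if that macro is not in scope here), bearing in mind that a plain memset just before return can be optimised away, so a project zeroisation helper is preferable where one exists. The call also requests `AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN` only, so pipe traffic will be integrity-protected but not encrypted; if that is deliberate it deserves a one-line comment stating why sign-only is sufficient for these connections. `cm_open_connection`'s body begins at the end of this hunk and continues outside it.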
@@ -256,6 +278,18 @@ static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const i break; } + /* try and use schannel if possible, but continue anyway if it + failed. This allows existing setups to continue working, + while solving the win2003 '100 user' limit for systems that + are joined properly */ + if (NT_STATUS_IS_OK(result)) { + NTSTATUS status = setup_schannel(new_conn->cli); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3,("schannel refused - continuing without schannel (%s)\n", + nt_errstr(status))); + } + } + SAFE_FREE(ipc_username); SAFE_FREE(ipc_domain); SAFE_FREE(ipc_password); diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index fa24efe589..8337c4e3c7 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -227,7 +227,7 @@ BOOL create_next_pdu(pipes_struct *p) if (auth_seal || auth_verify) { RPC_HDR_AUTH auth_info; - init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL, + init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, auth_info.auth_level, (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0)); if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) { DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n")); @@ -1106,7 +1106,7 @@ BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p) re-used from the auth2 the client did before. */ p->dc = last_dcinfo; - init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL, RPC_HDR_AUTH_LEN, 1); + init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, auth_info.auth_level, RPC_HDR_AUTH_LEN, 1); if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) { DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n")); goto err_exit; -- cgit
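Review bot: The fallback after `setup_schannel` fails is a silent security downgrade: any failure, including one induced by a host on the network path, leaves the connection without schannel signing and the only trace is a `DEBUG(3,...)` message most deployments never see. At minimum log this at a level an administrator will actually see (`DEBUG(1, ...)` or `DEBUG(0, ...)`), and consider making the downgrade a policy choice rather than unconditional, since the comment itself says properly joined systems are expected to succeed. The helper also uses `lp_workgroup()`'s trust account for every `domain` passed in, so against a trusted domain's DC it will presumably always fail and then fall back; guarding the call with a check that `domain` is our own workgroup (if the struct exposes its name) avoids a pointless round trip and a misleading "schannel refused" log line. It is also worth confirming that `cli_nt_setup_netsec` leaves `new_conn->cli` in a clean, un-flagged state on failure, since the connection is used afterwards as if schannel had never been attempted. `cm_open_connection` starts and ends outside this hunk.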
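Review bot: In `create_next_pdu` the new call reads `auth_info.auth_level` from an `RPC_HDR_AUTH auth_info` that the preceding context line has only just declared, so the auth level written into the outgoing PDU header is an indeterminate stack value (undefined behaviour, and a header the peer may reject or misinterpret). The level should be derived from the flags the enclosing `if` already tests, e.g. `init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, auth_seal ? RPC_PIPE_AUTH_SEAL_LEVEL : RPC_PIPE_AUTH_SIGN_LEVEL, (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));`, assuming `RPC_PIPE_AUTH_SIGN_LEVEL` is the sign-only constant in this codebase. `create_next_pdu`'s body begins and ends outside this hunk.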
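Review bot: In `api_pipe_bind_req` the server now echoes `auth_info.auth_level` back in the NETSEC bind_ack; presumably that field was unmarshalled from the client's bind request earlier in the function (outside this hunk), which makes it client-controlled input reflected without a visible check. Before reusing it, restrict it to the levels the server actually implements, e.g. `if (auth_info.auth_level != RPC_PIPE_AUTH_SIGN_LEVEL && auth_info.auth_level != RPC_PIPE_AUTH_SEAL_LEVEL) goto err_exit;`, and make sure the accepted level is recorded on `p` so the per-PDU signing/sealing code applies the same level the bind_ack announced. Otherwise a client can negotiate a weaker level than the server believes it is enforcing. `api_pipe_bind_req` starts and ends outside this hunk.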