svn commit: samba r10429 - in trunk/source/nsswitch: .
jra at samba.org
jra at samba.org
Thu Sep 22 18:46:56 GMT 2005
Author: jra
Date: 2005-09-22 18:46:55 +0000 (Thu, 22 Sep 2005)
New Revision: 10429
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10429
Log:
Added Volker's fix for LSA pipes. winbindd should now work
with just a machine account password to do secure RPC.
Jeremy.
Modified:
trunk/source/nsswitch/winbindd_cm.c
Changeset:
Modified: trunk/source/nsswitch/winbindd_cm.c
===================================================================
--- trunk/source/nsswitch/winbindd_cm.c 2005-09-22 18:41:17 UTC (rev 10428)
+++ trunk/source/nsswitch/winbindd_cm.c 2005-09-22 18:46:55 UTC (rev 10429)
@@ -1162,22 +1162,72 @@
conn = &domain->conn;
if (conn->lsa_pipe == NULL) {
+ fstring conn_pwd;
+ pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
+ if (conn->cli->user_name[0] && conn->cli->domain[0] &&
+ conn_pwd[0]) {
+ /* We have an authenticated connection. Use
+ a NTLMSSP SPNEGO authenticated LSA pipe with
+ sign & seal. */
+ conn->lsa_pipe =
+ cli_rpc_pipe_open_spnego_ntlmssp(conn->cli,
+ PI_LSARPC,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ conn->cli->domain,
+ conn->cli->user_name,
+ conn_pwd,
+ &result);
+ if (conn->lsa_pipe == NULL) {
+ DEBUG(10,("cm_connect_lsa: failed to connect "
+ "to LSA pipe for domain %s using "
+ "NTLMSSP authenticated pipe: user "
+ "%s\\%s. Error was %s\n",
+ domain->name, conn->cli->domain,
+ conn->cli->user_name,
+ nt_errstr(result)));
+ } else {
+ DEBUG(10,("cm_connect_lsa: connected to LSA "
+ "pipe for domain %s using NTLMSSP "
+ "authenticated pipe: user %s\\%s\n",
+ domain->name, conn->cli->domain,
+ conn->cli->user_name ));
+ }
+ }
+
#ifndef DISABLE_SCHANNEL_WIN2K3_SP1
- struct dcinfo *p_dcinfo;
+ /* Fall back to schannel if it's a W2K pre-SP1 box. */
+ if (conn->lsa_pipe == NULL) {
+ struct dcinfo *p_dcinfo;
- if (cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
- conn->lsa_pipe =
- cli_rpc_pipe_open_schannel_with_key(conn->cli,
- PI_LSARPC,
- PIPE_AUTH_LEVEL_PRIVACY,
- domain->name,
- p_dcinfo,
- &result);
- } else
+ if (cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
+ conn->lsa_pipe =
+ cli_rpc_pipe_open_schannel_with_key(conn->cli,
+ PI_LSARPC,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ domain->name,
+ p_dcinfo,
+ &result);
+ }
+ if (conn->lsa_pipe == NULL) {
+ DEBUG(10,("cm_connect_lsa: failed to connect "
+ "to LSA pipe for domain %s using "
+ "schannel authenticated. Error "
+ "was %s\n", domain->name,
+ nt_errstr(result) ));
+ } else {
+ DEBUG(10,("cm_connect_lsa: connected to LSA "
+ "pipe for domain %s using schannel.\n",
+ domain->name ));
+ }
+ }
#endif /* DISABLE_SCHANNEL_WIN2K3_SP1 */
+
+ /* Finally fall back to anonymous. */
+ if (conn->lsa_pipe == NULL) {
conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli,
PI_LSARPC,
&result);
+ }
if (conn->lsa_pipe == NULL) {
result = NT_STATUS_PIPE_NOT_AVAILABLE;
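Review bot: The fallback chain ends on `cli_rpc_pipe_open_noauth` with no log line of its own, and the NTLMSSP and schannel failures above it are reported only at `DEBUG(10, ...)`, so a connection that asked for `PIPE_AUTH_LEVEL_PRIVACY` can end up on a pipe with no RPC-level authentication without anything showing at normal log levels. I would log the downgrade where it happens, e.g. `DEBUG(3,("cm_connect_lsa: falling back to unauthenticated LSA pipe for domain %s\n", domain->name));` just before the noauth open, and raise the two failure messages to a level operators actually run at. Separately, `conn_pwd` receives the cleartext password from `pwd_get_cleartext` and is not cleared anywhere in the hunk; a `memset(conn_pwd, 0, sizeof(conn_pwd));` once the NTLMSSP attempt has returned would limit how long it stays on the stack (the function continues past the hunk, so this may already be done below, and a plain memset can be elided by the compiler). The schannel failure message also prints `nt_errstr(result)` when `cm_get_schannel_dcinfo` returned false, in which case `result` holds whatever an earlier step left in it rather than a schannel error.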