[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Mon Aug 9 08:38:47 MDT 2010
The branch, master has been updated
via be39641... s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.
from 46bcb62... s4-rpc_server: Fixed the build of the dcerpc_server library.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit be396411a4e1f3a174f8a44b6c062d834135e70a
Author: Günther Deschner <gd at samba.org>
Date: Mon Aug 9 14:31:24 2010 +0200
s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.
This is an important fix as the following could and is happening:
* winbind authenticates a user via schannel secured netlogon samlogonex call,
current secure channel cred state is stored in winbind state, winbind
successfully decrypts session key from the info3
* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the
secure channel on the dc)
* subsequent samlogonex calls use the new secure channel creds on the dc to
encrypt info3 session key, while winbind tries to use old schannel creds for
decryption
Guenther
-----------------------------------------------------------------------
Summary of changes:
source3/winbindd/winbindd_cm.c | 20 +++++++++++++-------
1 files changed, 13 insertions(+), 7 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 0ca8513..958daf7 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2267,6 +2267,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
struct rpc_pipe_client **cli)
{
struct winbindd_cm_conn *conn;
+ struct netlogon_creds_CredentialState *creds;
NTSTATUS status;
DEBUG(10,("cm_connect_lsa_tcp\n"));
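Review bot: the new `creds` pointer in the declarations is left uninitialised. Initialising it to NULL (`struct netlogon_creds_CredentialState *creds = NULL;`) would make any later path that reads it before cm_get_schannel_creds() has filled it in fail predictably rather than use an indeterminate pointer.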
@@ -2287,14 +2288,19 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
TALLOC_FREE(conn->lsa_pipe_tcp);
- status = cli_rpc_pipe_open_schannel(conn->cli,
- &ndr_table_lsarpc.syntax_id,
- NCACN_IP_TCP,
- DCERPC_AUTH_LEVEL_PRIVACY,
- domain->name,
- &conn->lsa_pipe_tcp);
+ if (!cm_get_schannel_creds(domain, &creds)) {
+ goto done;
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
+ &ndr_table_lsarpc.syntax_id,
+ NCACN_IP_TCP,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+ domain->name,
+ &creds,
+ &conn->lsa_pipe_tcp);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n",
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
nt_errstr(status)));
goto done;
}
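Review bot: the new `if (!cm_get_schannel_creds(domain, &creds)) { goto done; }` branch jumps to `done` without assigning `status`, so the function returns whatever value `status` held before this point, which these hunks do not show and which may be a success code. Since `conn->lsa_pipe_tcp` has just been freed by the TALLOC_FREE above, a caller could then see a non-error return with no usable pipe. Set an explicit error before the jump, for example `status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;`, and consider a DEBUG line there so a missing schannel credential state is visible in the winbind log, as the failure of the open call already is.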
--
Samba Shared Repository