[SCM] Samba Shared Repository - branch v3-6-test updated
Karolin Seeger
kseeger at samba.org
Tue Mar 20 14:35:44 MDT 2012
The branch, v3-6-test has been updated
via 8852ad6 s3-winbindd Only use SamLogonEx when we can get unencrypted session keys
from 2815036 Fix bug #8797 - Samba does not correctly handle DENY ACEs when privileges apply. Signed-off-by: Jeremy Allison <jra at samba.org> (cherry picked from commit 9aafc490db58017133bbd7a7f49264ee0d48f0ff)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit 8852ad6bd77b44e9dd71de3994869f5603964ef7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 15 10:00:36 2011 +1100
s3-winbindd Only use SamLogonEx when we can get unencrypted session keys
This ensures that we have some check on the session keys being returned
as the RC4 cipher is not checksumed.
The check comes from the fact that the credentials chain is tied to
the session key, and so if the credentials check passes then the
netlogon session key will be correct, and so the user session key
will be correctly decrypted.
Andrew Bartlett
Part of a fix for bug #8599 (WINBINDD_PAM_AUTH_CRAP returns invalid user session
key).
-----------------------------------------------------------------------
Summary of changes:
source3/winbindd/winbindd_pam.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 9801f53..4c078df 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1233,7 +1233,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
domain->can_do_validation6 = false;
}
- if (domain->can_do_samlogon_ex) {
+ if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
result = rpccli_netlogon_sam_network_logon_ex(
netlogon_pipe,
mem_ctx,
@@ -1243,7 +1243,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
domainname, /* target domain */
workstation, /* workstation */
chal,
- domain->can_do_validation6 ? 6 : 3,
+ 6,
lm_response,
nt_response,
info3);
--
Samba Shared Repository
More information about the samba-cvs
mailing list