[SCM] Samba Shared Repository - branch v3-6-test updated

Karolin Seeger kseeger at samba.org
Tue Mar 20 14:35:44 MDT 2012 

The branch, v3-6-test has been updated
       via  8852ad6 s3-winbindd Only use SamLogonEx when we can get unencrypted session keys
      from  2815036 Fix bug #8797 - Samba does not correctly handle DENY ACEs when privileges apply. Signed-off-by: Jeremy Allison <jra at samba.org> (cherry picked from commit 9aafc490db58017133bbd7a7f49264ee0d48f0ff)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit 8852ad6bd77b44e9dd71de3994869f5603964ef7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 15 10:00:36 2011 +1100

    s3-winbindd Only use SamLogonEx when we can get unencrypted session keys
    
    This ensures that we have some check on the session keys being returned
    as the RC4 cipher is not checksumed.
    
    The check comes from the fact that the credentials chain is tied to
    the session key, and so if the credentials check passes then the
    netlogon session key will be correct, and so the user session key
    will be correctly decrypted.
    
    Andrew Bartlett
    
    Part of a fix for bug #8599 (WINBINDD_PAM_AUTH_CRAP returns invalid user session
    key).

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_pam.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 9801f53..4c078df 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1233,7 +1233,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 			domain->can_do_validation6 = false;
 		}
 
-		if (domain->can_do_samlogon_ex) {
+		if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
 			result = rpccli_netlogon_sam_network_logon_ex(
 					netlogon_pipe,
 					mem_ctx,
@@ -1243,7 +1243,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 					domainname,	/* target domain */
 					workstation,	/* workstation */
 					chal,
-					domain->can_do_validation6 ? 6 : 3,
+					6,
 					lm_response,
 					nt_response,
 					info3);


-- 
Samba Shared Repository

More information about the samba-cvs mailing list