[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Oct 7 19:37:02 MDT 2014


The branch, master has been updated
       via  6f97237 s3-rpc_client: Migrate to cli_rpc_pipe_open_generic_auth and remove cli_rpc_pipe_open_spnego
       via  8166eca s3-rpc_client: Adapt cli_rpc_pipe_open_generic_auth to use enum credentials_kerberos_state
       via  74dcde5 s3-rpc_client: Adapt cli_rpc_pipe_open_spnego to use enum credentials_kerberos_state
       via  14f6256 s3-winbindd: Allow winbindd to connect over SMB2 to servers
       via  91d6f60 s3-winbindd: Pass the whole winbindd_domain to invalidate_cm_connection()
       via  3783f49 tests: Pass the test context as lp_ctx for messaging tests
      from  3e2d419 libcli/smb: remove unused SMB2_TF_ALGORITHM define

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6f97237edb5f0a54546f39b500afca2b5c1fd9c9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 22 20:47:57 2014 -0700

    s3-rpc_client: Migrate to cli_rpc_pipe_open_generic_auth and remove cli_rpc_pipe_open_spnego
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Oct  8 03:36:52 CEST 2014 on sn-devel-104

commit 8166ecaaa06a7febc9697ca4f97a3d61aa02d5c1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 22 20:33:43 2014 -0700

    s3-rpc_client: Adapt cli_rpc_pipe_open_generic_auth to use enum credentials_kerberos_state
    
    This allows us to pass this value in directly from the cli_credentials structure in winbindd, once we merge this with cli_rpc_pipe_open_spnego().
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 74dcde5347066016ae55f5575ac61061d1f5f7af
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 22 20:28:01 2014 -0700

    s3-rpc_client: Adapt cli_rpc_pipe_open_spnego to use enum credentials_kerberos_state
    
    This allows us to pass this value in directly from the cli_credentials
    structure in winbindd.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 14f6256c515ff4af4f478f947ad89b7edc8743cf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 23 14:08:10 2014 -0700

    s3-winbindd: Allow winbindd to connect over SMB2 to servers
    
    This allows SMB signing to work against many more DCs, and so improves network security.
    
    The default for "client max protocol" remains NT1 in the rest of the code.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 91d6f603b196d1f10500dff312d614d8d46cb846
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 23 10:35:21 2014 -0700

    s3-winbindd: Pass the whole winbindd_domain to invalidate_cm_connection()
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3783f49abd77887f32bc2d95be50468ac1f5f81b
Author: Matthieu Patou <mat at matws.net>
Date:   Mon Oct 6 16:44:16 2014 -0700

    tests: Pass the test context as lp_ctx for messaging tests
    
    Change-Id: I1acf5c42b21465a8c45549039f0054414b8f31d1
    Signed-off-by: Matthieu Patou <mat at matws.net>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/protocol/clientmaxprotocol.xml |    9 ++-
 lib/param/loadparm.c                               |   11 +++-
 lib/param/param_table.c                            |    3 +-
 libcli/smb/smb_constants.h                         |    3 +-
 python/samba/tests/messaging.py                    |    3 +-
 source3/include/proto.h                            |    2 +
 source3/libsmb/passchange.c                        |    1 +
 source3/param/loadparm.c                           |   20 ++++++-
 source3/rpc_client/cli_pipe.c                      |   64 +-------------------
 source3/rpc_client/cli_pipe.h                      |   13 +----
 source3/rpcclient/rpcclient.c                      |   23 ++-----
 source3/utils/net_rpc.c                            |    1 +
 source3/winbindd/winbindd_cache.c                  |    2 +-
 source3/winbindd/winbindd_cm.c                     |   47 ++++++++-------
 source3/winbindd/winbindd_dual.c                   |    2 +-
 source3/winbindd/winbindd_dual_srv.c               |    4 +-
 source3/winbindd/winbindd_msrpc.c                  |    4 +-
 source3/winbindd/winbindd_pam.c                    |    8 +-
 source3/winbindd/winbindd_proto.h                  |    2 +-
 19 files changed, 91 insertions(+), 131 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
index d541425..9321d3f 100644
--- a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
+++ b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
@@ -2,6 +2,7 @@
 		 context="G"
 		 type="enum"
 		 developer="1"
+		 function="_client_max_protocol"
 		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>The value of the parameter (a string) is the highest 
@@ -74,11 +75,15 @@
     <para>Normally this option should not be set as the automatic 
     negotiation phase in the SMB protocol takes care of choosing 
     the appropriate protocol.</para>
+
+    <para>The value <constant>default</constant> refers to the default protocol in each
+    part of the code, currently <constant>NT1</constant> in the client tools and
+    <constant>SMB3_02</constant> in winbindd.</para>
 </description>
 
 <related>server max protocol</related>
-<related>client mn protocol</related>
+<related>client min protocol</related>
 
-<value type="default">NT1</value>
+<value type="default">default</value>
 <value type="example">LANMAN1</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 5543f79..d1e36df 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2480,7 +2480,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "server min protocol", "LANMAN1");
 	lpcfg_do_global_parameter(lp_ctx, "server max protocol", "SMB3");
 	lpcfg_do_global_parameter(lp_ctx, "client min protocol", "CORE");
-	lpcfg_do_global_parameter(lp_ctx, "client max protocol", "NT1");
+	lpcfg_do_global_parameter(lp_ctx, "client max protocol", "default");
 	lpcfg_do_global_parameter(lp_ctx, "security", "AUTO");
 	lpcfg_do_global_parameter(lp_ctx, "EncryptPasswords", "True");
 	lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True");
@@ -3154,6 +3154,15 @@ int lpcfg_security(struct loadparm_context *lp_ctx)
 				lpcfg__security(lp_ctx));
 }
 
+int lpcfg_client_max_protocol(struct loadparm_context *lp_ctx)
+{
+	int client_max_protocol = lpcfg__client_max_protocol(lp_ctx);
+	if (client_max_protocol == PROTOCOL_DEFAULT) {
+		return PROTOCOL_NT1;
+	}
+	return client_max_protocol;
+}
+
 bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
 {
 	bool allowed = true;
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index bdc6b85..15ffa8c 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -38,6 +38,7 @@
 #endif
 
 static const struct enum_list enum_protocol[] = {
+	{PROTOCOL_DEFAULT, "default"}, /* the caller decides what this means */
 	{PROTOCOL_SMB2_10, "SMB2"}, /* for now keep PROTOCOL_SMB2_10 */
 	{PROTOCOL_SMB3_00, "SMB3"}, /* for now keep PROTOCOL_SMB3_00 */
 	{PROTOCOL_SMB3_10, "SMB3_10"},
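Review bot: Adding `{PROTOCOL_DEFAULT, "default"}` to `enum_protocol` makes that string valid for every parameter that uses this table, yet only `client max protocol` gets accessors that resolve the sentinel. If the server and min protocol parameters share `enum_protocol` (their table entries are outside this diff), a setting such as `server max protocol = default` would store -1 and reach the negotiation code unresolved. Either give `client max protocol` its own enum list or reject `PROTOCOL_DEFAULT` for the other parameters. At minimum the comment should read `/* client max protocol only; resolved by lp_client_max_protocol() / lp_winbindd_max_protocol() */`.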
@@ -1387,7 +1388,7 @@ struct parm_struct parm_table[] = {
 		.label		= "client max protocol",
 		.type		= P_ENUM,
 		.p_class	= P_GLOBAL,
-		.offset		= GLOBAL_VAR(client_max_protocol),
+		.offset		= GLOBAL_VAR(_client_max_protocol),
 		.special	= NULL,
 		.enum_list	= enum_protocol,
 		.flags		= FLAG_ADVANCED,
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index ea82677..f2c880c 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -76,7 +76,8 @@
 /* protocol types. It assumes that higher protocols include lower protocols
    as subsets. */
 enum protocol_types {
-	PROTOCOL_NONE,
+	PROTOCOL_DEFAULT=-1,
+	PROTOCOL_NONE=0,
 	PROTOCOL_CORE,
 	PROTOCOL_COREPLUS,
 	PROTOCOL_LANMAN1,
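Review bot: `PROTOCOL_DEFAULT=-1` is added to an enum whose header comment says higher protocols include lower ones as subsets, so the sentinel now sorts below `PROTOCOL_NONE` in any ordered dialect comparison. The new value needs a comment stating that it is a configuration placeholder, not a dialect, for example `/* config sentinel only: resolve via lp_client_max_protocol() or lp_winbindd_max_protocol() before comparing or negotiating */`. The enum continues past the end of the hunk.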
diff --git a/python/samba/tests/messaging.py b/python/samba/tests/messaging.py
index f0cd368..5d32d60 100644
--- a/python/samba/tests/messaging.py
+++ b/python/samba/tests/messaging.py
@@ -18,7 +18,7 @@
 #
 
 """Tests for samba.messaging."""
-
+import samba
 from samba.messaging import Messaging
 from samba.tests import TestCase
 from samba.dcerpc.server_id import server_id
@@ -26,6 +26,7 @@ from samba.dcerpc.server_id import server_id
 class MessagingTests(TestCase):
 
     def get_context(self, *args, **kwargs):
+        kwargs['lp_ctx'] = samba.tests.env_loadparm()
         return Messaging(*args, **kwargs)
 
     def test_register(self):
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 70fa7f7..255948f 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -990,6 +990,8 @@ bool lp_idmap_default_range(uint32_t *low, uint32_t *high);
 const char *lp_idmap_backend(const char *domain_name);
 const char *lp_idmap_default_backend (void);
 int lp_security(void);
+int lp_client_max_protocol(void);
+int lp_winbindd_max_protocol(void);
 int lp_smb2_max_credits(void);
 int lp_cups_encrypt(void);
 bool lp_widelinks(int );
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index 9736ada..8acd432 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -153,6 +153,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
 		result = cli_rpc_pipe_open_generic_auth(cli,
 							&ndr_table_samr,
 							NCACN_NP,
+							CRED_DONT_USE_KERBEROS,
 							DCERPC_AUTH_TYPE_NTLMSSP,
 							DCERPC_AUTH_LEVEL_PRIVACY,
 							remote_machine,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 5ab0de7..52ffbcc 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -642,7 +642,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.max_open_files = max_open_files();
 	Globals.server_max_protocol = PROTOCOL_SMB3_00;
 	Globals.server_min_protocol = PROTOCOL_LANMAN1;
-	Globals.client_max_protocol = PROTOCOL_NT1;
+	Globals._client_max_protocol = PROTOCOL_DEFAULT;
 	Globals.client_min_protocol = PROTOCOL_CORE;
 	Globals._security = SEC_AUTO;
 	Globals.encrypt_passwords = true;
@@ -4335,6 +4335,24 @@ int lp_security(void)
 				lp__security());
 }
 
+int lp_client_max_protocol(void)
+{
+	int client_max_protocol = lp__client_max_protocol();
+	if (client_max_protocol == PROTOCOL_DEFAULT) {
+		return PROTOCOL_NT1;
+	}
+	return client_max_protocol;
+}
+
+int lp_winbindd_max_protocol(void)
+{
+	int client_max_protocol = lp__client_max_protocol();
+	if (client_max_protocol == PROTOCOL_DEFAULT) {
+		return PROTOCOL_LATEST;
+	}
+	return client_max_protocol;
+}
+
 struct loadparm_global * get_globals(void)
 {
 	return &Globals;
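Review bot: `lp_winbindd_max_protocol()` resolves the default to `PROTOCOL_LATEST`, while the clientmaxprotocol.xml text added in the same push names `SMB3_02` for winbindd; the definition of `PROTOCOL_LATEST` is not visible here, and the documentation goes stale whenever it moves. Either return the named dialect or word the documentation as "the latest supported protocol". Both accessors also lack a comment on why the same setting resolves differently; above `lp_winbindd_max_protocol()` something like `/* winbindd talks to DCs, where SMB2+ lets signing work; client tools keep NT1 */` would record the intent from the commit message. It is also worth stating that an explicit `client max protocol` value caps winbindd too, so an existing `NT1` setting cancels the change.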
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index dc07495..43ce719 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2945,6 +2945,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
 NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
 					const struct ndr_interface_table *table,
 					enum dcerpc_transport_t transport,
+					enum credentials_use_kerberos use_kerberos,
 					enum dcerpc_AuthType auth_type,
 					enum dcerpc_AuthLevel auth_level,
 					const char *server,
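Review bot: The new `use_kerberos` parameter does not appear to be consumed. The diffstat lists 64 changed lines for cli_pipe.c and the two hunks here (one added line, 63 removed) account for all of them, so the body of `cli_rpc_pipe_open_generic_auth()` is untouched and cannot reference an argument that did not exist before. The removed `cli_rpc_pipe_open_spnego()` forwarded its value as `use_kerberos, NULL,` in the `rpccli_generic_bind_data()` call; the surviving function should do the same in its own call, which lies outside the hunk. Until then the `CRED_DONT_USE_KERBEROS` passed from passchange.c, net_rpc.c and winbindd_cm.c and the `CRED_MUST_USE_KERBEROS` chosen in rpcclient.c presumably have no effect, so a caller that asks for one mechanism only may still get the other.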
@@ -3093,69 +3094,6 @@ done:
 	return NT_STATUS_OK;
 }
 
-NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
-				  const struct ndr_interface_table *table,
-				  enum dcerpc_transport_t transport,
-				  const char *oid,
-				  enum dcerpc_AuthLevel auth_level,
-				  const char *server,
-				  const char *domain,
-				  const char *username,
-				  const char *password,
-				  struct rpc_pipe_client **presult)
-{
-	struct rpc_pipe_client *result;
-	struct pipe_auth_data *auth = NULL;
-	const char *target_service = table->authservices->names[0];
-	
-	NTSTATUS status;
-	enum credentials_use_kerberos use_kerberos;
-
-	if (strcmp(oid, GENSEC_OID_KERBEROS5) == 0) {
-		use_kerberos = CRED_MUST_USE_KERBEROS;
-	} else if (strcmp(oid, GENSEC_OID_NTLMSSP) == 0) {
-		use_kerberos = CRED_DONT_USE_KERBEROS;
-	} else {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	status = cli_rpc_pipe_open(cli, transport, table, &result);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	status = rpccli_generic_bind_data(result,
-					  DCERPC_AUTH_TYPE_SPNEGO, auth_level,
-					  server, target_service,
-					  domain, username, password, 
-					  use_kerberos, NULL,
-					  &auth);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
-			  nt_errstr(status)));
-		goto err;
-	}
-
-	status = rpc_pipe_bind(result, auth);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("cli_rpc_pipe_open_spnego: cli_rpc_pipe_bind failed with error %s\n",
-			nt_errstr(status) ));
-		goto err;
-	}
-
-	DEBUG(10,("cli_rpc_pipe_open_spnego: opened pipe %s to "
-		  "machine %s.\n", table->name,
-		  result->desthost));
-
-	*presult = result;
-	return NT_STATUS_OK;
-
-  err:
-
-	TALLOC_FREE(result);
-	return status;
-}
-
 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
 			     struct rpc_pipe_client *cli,
 			     DATA_BLOB *session_key)
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 533e752..34e79d1 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -24,6 +24,7 @@
 #define _CLI_PIPE_H
 
 #include "rpc_client/rpc_client.h"
+#include "auth/credentials/credentials.h"
 
 /* The following definitions come from rpc_client/cli_pipe.c  */
 
@@ -74,6 +75,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
 NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
 					const struct ndr_interface_table *table,
 					enum dcerpc_transport_t transport,
+					enum credentials_use_kerberos use_kerberos,
 					enum dcerpc_AuthType auth_type,
 					enum dcerpc_AuthLevel auth_level,
 					const char *server,
@@ -82,17 +84,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
 					const char *password,
 					struct rpc_pipe_client **presult);
 
-NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
-				  const struct ndr_interface_table *table,
-				  enum dcerpc_transport_t transport,
-				  const char *oid,
-				  enum dcerpc_AuthLevel auth_level,
-				  const char *server,
-				  const char *domain,
-				  const char *username,
-				  const char *password,
-				  struct rpc_pipe_client **presult);
-
 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 					     const struct ndr_interface_table *table,
 					     enum dcerpc_transport_t transport,
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index ac7576f..7b190c1 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -693,6 +693,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 	/* Open pipe */
 
 	if ((cmd_entry->table != NULL) && (cmd_entry->rpc_pipe == NULL)) {
+		enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
 		switch (pipe_default_auth_type) {
 		case DCERPC_AUTH_TYPE_NONE:
 			ntresult = cli_rpc_pipe_open_noauth_transport(
@@ -701,36 +702,24 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 				&cmd_entry->rpc_pipe);
 			break;
 		case DCERPC_AUTH_TYPE_SPNEGO:
-		{
-			/* won't happen, but if it does it will fail in cli_rpc_pipe_open_spnego() eventually */
-			const char *oid = "INVALID";
 			switch (pipe_default_auth_spnego_type) {
 			case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
-				oid = GENSEC_OID_NTLMSSP;
+				use_kerberos = CRED_DONT_USE_KERBEROS;
 				break;
 			case PIPE_AUTH_TYPE_SPNEGO_KRB5:
-				oid = GENSEC_OID_KERBEROS5;
+				use_kerberos = CRED_MUST_USE_KERBEROS;
 				break;
 			case PIPE_AUTH_TYPE_SPNEGO_NONE:
+				use_kerberos = CRED_AUTO_USE_KERBEROS;
 				break;
 			}
-			ntresult = cli_rpc_pipe_open_spnego(
-				cli, cmd_entry->table,
-				default_transport,
-				oid,
-				pipe_default_auth_level,
-				smbXcli_conn_remote_name(cli->conn),
-				get_cmdline_auth_info_domain(auth_info),
-				get_cmdline_auth_info_username(auth_info),
-				get_cmdline_auth_info_password(auth_info),
-				&cmd_entry->rpc_pipe);
-			break;
-		}
+			/* Fall through */
 		case DCERPC_AUTH_TYPE_NTLMSSP:
 		case DCERPC_AUTH_TYPE_KRB5:
 			ntresult = cli_rpc_pipe_open_generic_auth(
 				cli, cmd_entry->table,
 				default_transport,
+				use_kerberos,
 				pipe_default_auth_type,
 				pipe_default_auth_level,
 				smbXcli_conn_remote_name(cli->conn),
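Review bot: `PIPE_AUTH_TYPE_SPNEGO_NONE` used to leave the OID as "INVALID" and fail with NT_STATUS_INVALID_PARAMETER in the removed helper; it now selects `CRED_AUTO_USE_KERBEROS` and falls through to open an authenticated pipe. If that is intended, say so at the case, e.g. `/* no mechanism forced: let SPNEGO choose Kerberos or NTLMSSP */`. The inner switch has no `default:`, so an unexpected `pipe_default_auth_spnego_type` silently keeps the initial auto setting where it should be rejected. The `DCERPC_AUTH_TYPE_NTLMSSP` and `DCERPC_AUTH_TYPE_KRB5` labels also reach the call with `CRED_AUTO_USE_KERBEROS`, so a comment should state whether the callee ignores the value for those auth types. `do_cmd` starts and ends outside the hunk.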
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index b5c4d0b..bf659a8 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -208,6 +208,7 @@ int run_rpc_command(struct net_context *c,
 					cli, table,
 					(conn_flags & NET_FLAGS_TCP) ?
 					NCACN_IP_TCP : NCACN_NP,
+					CRED_DONT_USE_KERBEROS,
 					DCERPC_AUTH_TYPE_NTLMSSP,
 					DCERPC_AUTH_LEVEL_PRIVACY,
 					smbXcli_conn_remote_name(cli->conn),
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 06b29de..b303ae9 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -1521,7 +1521,7 @@ do_query:
 		if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)) {
 			DEBUG(3, ("query_user_list: flushing "
 				  "connection cache\n"));
-			invalidate_cm_connection(&domain->conn);
+			invalidate_cm_connection(domain);
 		}
 		if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
 		    NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index fd414b8..96c4577 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -936,7 +936,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
 	result = smbXcli_negprot((*cli)->conn, (*cli)->timeout,
 				 lp_client_min_protocol(),
-				 lp_client_max_protocol());
+				 lp_winbindd_max_protocol());
 
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
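Review bot: Only the upper bound of the negotiation changes here; the lower bound is still `lp_client_min_protocol()`, whose default is "CORE" in the lib/param/loadparm.c hunk of this push. The DC connection can therefore still settle on an old dialect where the signing improvement named in the commit message does not apply. Whether signing is then required is decided outside this hunk, so a comment at the call should say where that check lives, or winbindd should get its own minimum alongside `lp_winbindd_max_protocol()`. `cm_prepare_connection` starts and ends outside the hunk.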
@@ -1836,9 +1836,10 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
 
 /* Close down all open pipes on a connection. */
 
-void invalidate_cm_connection(struct winbindd_cm_conn *conn)
+void invalidate_cm_connection(struct winbindd_domain *domain)
 {
 	NTSTATUS result;
+	struct winbindd_cm_conn *conn = &domain->conn;
 
 	/* We're closing down a possibly dead
 	   connection. Don't have impossibly long (10s) timeouts. */
@@ -1924,7 +1925,7 @@ void close_conns_after_fork(void)
 			smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
 		}
 
-		invalidate_cm_connection(&domain->conn);
+		invalidate_cm_connection(domain);
 	}
 
 	for (cli_state = winbindd_client_list();
@@ -1980,7 +1981,7 @@ static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool
 		return NT_STATUS_OK;
 	}
 
-	invalidate_cm_connection(&domain->conn);
+	invalidate_cm_connection(domain);
 
 	if (!domain->primary && !domain->initialized) {
 		/*
@@ -2566,16 +2567,17 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
 	/* We have an authenticated connection. Use a NTLMSSP SPNEGO
 	   authenticated SAMR pipe with sign & seal. */
-	status = cli_rpc_pipe_open_spnego(conn->cli,
-					  &ndr_table_samr,
-					  NCACN_NP,
-					  GENSEC_OID_NTLMSSP,
-					  conn->auth_level,
-					  smbXcli_conn_remote_name(conn->cli->conn),
-					  domain_name,
-					  machine_account,
-					  machine_password,
-					  &conn->samr_pipe);
+	status = cli_rpc_pipe_open_generic_auth(conn->cli,
+						&ndr_table_samr,
+						NCACN_NP,
+						CRED_DONT_USE_KERBEROS,
+						DCERPC_AUTH_TYPE_SPNEGO,
+						conn->auth_level,
+						smbXcli_conn_remote_name(conn->cli->conn),
+						domain_name,
+						machine_account,
+						machine_password,
+						&conn->samr_pipe);
 
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
@@ -2715,7 +2717,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 		ZERO_STRUCT(conn->sam_domain_handle);
 		return status;
 	} else if (!NT_STATUS_IS_OK(status)) {
-		invalidate_cm_connection(conn);
+		invalidate_cm_connection(domain);
 		return status;
 	}
 
@@ -2813,9 +2815,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
 	/* We have an authenticated connection. Use a NTLMSSP SPNEGO
 	 * authenticated LSA pipe with sign & seal. */
-	result = cli_rpc_pipe_open_spnego
+	result = cli_rpc_pipe_open_generic_auth
 		(conn->cli, &ndr_table_lsarpc, NCACN_NP,
-		 GENSEC_OID_NTLMSSP,
+		 CRED_DONT_USE_KERBEROS,
+		 DCERPC_AUTH_TYPE_SPNEGO,
 		 conn->auth_level,
 		 smbXcli_conn_remote_name(conn->cli->conn),
 		 conn->cli->domain, conn->cli->user_name, conn->cli->password,
@@ -2908,7 +2911,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 					&conn->lsa_policy);
  done:
 	if (!NT_STATUS_IS_OK(result)) {
-		invalidate_cm_connection(conn);
+		invalidate_cm_connection(domain);
 		return result;
 	}
 
@@ -2933,7 +2936,7 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
 		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
 		    NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
 		    NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
-			invalidate_cm_connection(&domain->conn);
+			invalidate_cm_connection(domain);
 			status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
 		}
 		if (NT_STATUS_IS_OK(status)) {
@@ -3060,14 +3063,14 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 				  "must set 'winbind sealed pipes = false' and "
 				  "'require strong key = false' to proceed: %s\n",
 				  domain->name, nt_errstr(result)));
-			invalidate_cm_connection(conn);
+			invalidate_cm_connection(domain);
 			return result;
 		}
 		result = cli_rpc_pipe_open_noauth(conn->cli,
 					&ndr_table_netlogon,
 					&conn->netlogon_pipe);
 		if (!NT_STATUS_IS_OK(result)) {


-- 
Samba Shared Repository

