The branch, master has been updated
       via  be39641... s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.
      from  46bcb62... s4-rpc_server: Fixed the build of the dcerpc_server library.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit be396411a4e1f3a174f8a44b6c062d834135e70a
Author: Günther Deschner <g...@samba.org>
Date:   Mon Aug 9 14:31:24 2010 +0200

    s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.

    This is an important fix as the following could and is happening:

    * winbind authenticates a user via schannel secured netlogon samlogonex call,
      current secure channel cred state is stored in winbind state, winbind
      successfully decrypts session key from the info3

    * winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the
      secure channel on the dc)

    * subsequent samlogonex calls use the new secure channel creds on the dc to
      encrypt info3 session key, while winbind tries to use old schannel creds for
      decryption

    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_cm.c | 20 +++++++++++++-------
 1 files changed, 13 insertions(+), 7 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 0ca8513..958daf7 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2267,6 +2267,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, struct rpc_pipe_client **cli) { struct winbindd_cm_conn *conn; + struct netlogon_creds_CredentialState *creds; NTSTATUS status; DEBUG(10,("cm_connect_lsa_tcp\n")); 
@@ -2287,14 +2288,19 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, TALLOC_FREE(conn->lsa_pipe_tcp); - status = cli_rpc_pipe_open_schannel(conn->cli, - &ndr_table_lsarpc.syntax_id, - NCACN_IP_TCP, - DCERPC_AUTH_LEVEL_PRIVACY, - domain->name, - &conn->lsa_pipe_tcp); + if (!cm_get_schannel_creds(domain, &creds)) { + goto done; + } + + status = cli_rpc_pipe_open_schannel_with_key(conn->cli, + &ndr_table_lsarpc.syntax_id, + NCACN_IP_TCP, + DCERPC_AUTH_LEVEL_PRIVACY, + domain->name, + &creds, + &conn->lsa_pipe_tcp); if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n", + DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n", nt_errstr(status))); goto done; } -- Samba Shared Repository
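
Review bot: In the second hunk (@@ -2287,14 +2288,19 @@), the new branch "if (!cm_get_schannel_creds(domain, &creds)) { goto done; }" jumps to done without assigning status and without a DEBUG line, unlike the cli_rpc_pipe_open_schannel_with_key failure path directly below it. TALLOC_FREE(conn->lsa_pipe_tcp) has already run at that point, so the function leaves with no TCP LSA pipe and with whatever value status held earlier in the function, which is not visible in this hunk. Suggest setting an explicit error NTSTATUS before the goto and logging the failure at the same debug level as the other path, so a caller can never see a success status alongside a freed pipe. It would also help to add a short comment above the cm_get_schannel_creds call stating that the existing netlogon credential state is reused on purpose, since opening a fresh schannel here is what reset the secure channel on the DC in Bug #7568.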