The branch, v3-2-test has been updated
       via  87232351b5e66728f8d602259961909e8c1dfcb6 (commit)
      from  2d6a1c5da64195784b0b102edb268356a24d84b5 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit 87232351b5e66728f8d602259961909e8c1dfcb6
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date:   Mon Apr 21 17:48:31 2008 +0200

    Add in a nice big comment explaining why SamLogonEx matters.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source/winbindd/winbindd_pam.c |   21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/winbindd/winbindd_pam.c b/source/winbindd/winbindd_pam.c
index bc27f3d..2de10a9 100644
--- a/source/winbindd/winbindd_pam.c
+++ b/source/winbindd/winbindd_pam.c
@@ -1307,6 +1307,27 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
                        goto done;
                }
 
+               /* It is really important to try SamLogonEx here,
+                * because in a clustered environment, we want to use
+                * one machine account from multiple physical
+                * computers.  
+                *
+                * With a normal SamLogon call, we must keep the
+                * credentials chain updated and intact between all
+                * users of the machine account (which would imply
+                * cross-node communication for every NTLM logon).
+                *
+                * (The credentials chain is not per NETLOGON pipe
+                * connection, but globally on the server/client pair
+                * by machine name).
+                *
+                * When using SamLogonEx, the credentials are not
+                * supplied, but the session key is implied by the
+                * wrapping SamLogon context.
+                * 
+                *  -- abartlet 21 April 2008
+                */
+
                logon_fn = contact_domain->can_do_samlogon_ex
                        ? rpccli_netlogon_sam_network_logon_ex
                        : rpccli_netlogon_sam_network_logon;
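Review bot: The added comment does not cover the fallback branch right below it: when `contact_domain->can_do_samlogon_ex` is false the code still selects `rpccli_netlogon_sam_network_logon`, so the shared credentials chain it describes has to be kept intact for such servers. I would close the comment with a line such as `* If the DC cannot do SamLogonEx we fall back to SamLogon, and the credentials chain must then stay in sync between all users of the machine account.` The phrase "implied by the wrapping SamLogon context" is also hard to read, since it sounds as if SamLogonEx were nested inside a SamLogon call. Presumably the secure channel protecting the NETLOGON pipe is meant, and naming it would make the last paragraph clearer. The enclosing function starts and ends outside the hunk.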


-- 
Samba Shared Repository
