Author: jra Date: 2005-09-22 18:46:55 +0000 (Thu, 22 Sep 2005) New Revision: 10429
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10429 Log: Added Volker's fix for LSA pipes. winbindd should now work with just a machine a/c password to do secure RPC. Jeremy. Modified: trunk/source/nsswitch/winbindd_cm.c Changeset: Modified: trunk/source/nsswitch/winbindd_cm.c =================================================================== --- trunk/source/nsswitch/winbindd_cm.c 2005-09-22 18:41:17 UTC (rev 10428) +++ trunk/source/nsswitch/winbindd_cm.c 2005-09-22 18:46:55 UTC (rev 10429) @@ -1162,22 +1162,72 @@ conn = &domain->conn; if (conn->lsa_pipe == NULL) { + fstring conn_pwd; + pwd_get_cleartext(&conn->cli->pwd, conn_pwd); + if (conn->cli->user_name[0] && conn->cli->domain[0] && + conn_pwd[0]) { + /* We have an authenticated connection. Use + a NTLMSSP SPNEGO authenticated LSA pipe with + sign & seal. */ + conn->lsa_pipe = + cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, + PI_LSARPC, + PIPE_AUTH_LEVEL_PRIVACY, + conn->cli->domain, + conn->cli->user_name, + conn_pwd, + &result); + if (conn->lsa_pipe == NULL) { + DEBUG(10,("cm_connect_lsa: failed to connect " + "to LSA pipe for domain %s using " + "NTLMSSP authenticated pipe: user " + "%s\\%s. Error was %s\n", + domain->name, conn->cli->domain, + conn->cli->user_name, + nt_errstr(result))); + } else { + DEBUG(10,("cm_connect_lsa: connected to LSA " + "pipe for domain %s using NTLMSSP " + "authenticated pipe: user %s\\%s\n", + domain->name, conn->cli->domain, + conn->cli->user_name )); + } + } + #ifndef DISABLE_SCHANNEL_WIN2K3_SP1 - struct dcinfo *p_dcinfo; + /* Fall back to schannel if it's a W2K pre-SP1 box. */ + if (conn->lsa_pipe == NULL) { + struct dcinfo *p_dcinfo; - if (cm_get_schannel_dcinfo(domain, &p_dcinfo)) { - conn->lsa_pipe = - cli_rpc_pipe_open_schannel_with_key(conn->cli, - PI_LSARPC, - PIPE_AUTH_LEVEL_PRIVACY, - domain->name, - p_dcinfo, - &result); - } else + if (cm_get_schannel_dcinfo(domain, &p_dcinfo)) { + conn->lsa_pipe = + cli_rpc_pipe_open_schannel_with_key(conn->cli, + PI_LSARPC, + PIPE_AUTH_LEVEL_PRIVACY, + domain->name, + p_dcinfo, + &result); + } + if (conn->lsa_pipe == NULL) { + DEBUG(10,("cm_connect_lsa: failed to connect " + "to LSA pipe for domain %s using " + "schannel authenticated. Error " + "was %s\n", domain->name, + nt_errstr(result) )); + } else { + DEBUG(10,("cm_connect_lsa: connected to LSA " + "pipe for domain %s using schannel.\n", + domain->name )); + } + } #endif /* DISABLE_SCHANNEL_WIN2K3_SP1 */ + + /* Finally fall back to anonymous. */ + if (conn->lsa_pipe == NULL) { conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_LSARPC, &result); + } if (conn->lsa_pipe == NULL) { result = NT_STATUS_PIPE_NOT_AVAILABLE;