6c80ac25fc
resolves: #1326453 - CVE-2015-5370 resolves: #1326453 - CVE-2016-2110 resolves: #1326453 - CVE-2016-2111 resolves: #1326453 - CVE-2016-2112 resolves: #1326453 - CVE-2016-2113 resolves: #1326453 - CVE-2016-2114 resolves: #1326453 - CVE-2016-2115 resolves: #1326453 - CVE-2016-2118 Guenther
61 lines
2.5 KiB
Diff
61 lines
2.5 KiB
Diff
From b89f28556ad0d1caf9cf41c56a0d67440098358f Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Tue, 12 Apr 2016 09:36:12 +0300
|
|
Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
|
|
domains DCs
|
|
|
|
Allow cm_connect_netlogon() to talk to trusted domains' DCs when
|
|
running in a domain member configuration.
|
|
|
|
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
|
---
|
|
source3/winbindd/winbindd_cm.c | 15 +++++++++------
|
|
1 file changed, 9 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
|
|
index 63175e5..1ef3d17 100644
|
|
--- a/source3/winbindd/winbindd_cm.c
|
|
+++ b/source3/winbindd/winbindd_cm.c
|
|
@@ -2578,9 +2578,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
|
|
anonymous:
|
|
|
|
/* Finally fall back to anonymous. */
|
|
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
|
|
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
|
|
+ (IS_DC || domain->primary)) {
|
|
status = NT_STATUS_DOWNGRADE_DETECTED;
|
|
- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
|
|
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
|
|
"without connection level security, "
|
|
"must set 'winbind sealed pipes = false' and "
|
|
"'require strong key = false' to proceed: %s\n",
|
|
@@ -2811,9 +2812,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
|
|
|
|
anonymous:
|
|
|
|
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
|
|
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
|
|
+ (IS_DC || domain->primary)) {
|
|
result = NT_STATUS_DOWNGRADE_DETECTED;
|
|
- DEBUG(1, ("Unwilling to make LSA connection to domain %s"
|
|
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
|
|
"without connection level security, "
|
|
"must set 'winbind sealed pipes = false' and "
|
|
"'require strong key = false' to proceed: %s\n",
|
|
@@ -2978,9 +2980,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
|
|
|
|
no_schannel:
|
|
if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
|
|
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
|
|
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
|
|
+ (IS_DC || domain->primary)) {
|
|
result = NT_STATUS_DOWNGRADE_DETECTED;
|
|
- DEBUG(1, ("Unwilling to make connection to domain %s"
|
|
+ DEBUG(1, ("Unwilling to make connection to domain %s "
|
|
"without connection level security, "
|
|
"must set 'winbind sealed pipes = false' and "
|
|
"'require strong key = false' to proceed: %s\n",
|
|
--
|
|
2.5.5
|
|
|