samba/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
Günther Deschner fe4e88c4d2 Update to Samba 4.4.2, fix badlock security bug
resolves: #1326453 - CVE-2015-5370
resolves: #1326453 - CVE-2016-2110
resolves: #1326453 - CVE-2016-2111
resolves: #1326453 - CVE-2016-2112
resolves: #1326453 - CVE-2016-2113
resolves: #1326453 - CVE-2016-2114
resolves: #1326453 - CVE-2016-2115
resolves: #1326453 - CVE-2016-2118

Guenther
2016-04-12 19:34:47 +02:00

60 lines
2.3 KiB
Diff

From afb52fd865448042ddda6b660df159f93f344b93 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 12 Apr 2016 09:36:12 +0300
Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
domains DCs
Allow cm_connect_netlogon() to talk to trusted domains' DCs when
running in a domain member configuration.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
source3/winbindd/winbindd_cm.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 45e3fad..6f5a042 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2851,9 +2851,10 @@ retry:
anonymous:
/* Finally fall back to anonymous. */
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
status = NT_STATUS_DOWNGRADE_DETECTED;
- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
"without connection level security, "
"must set 'winbind sealed pipes = false' and "
"'require strong key = false' to proceed: %s\n",
@@ -3150,7 +3151,8 @@ retry:
anonymous:
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
result = NT_STATUS_DOWNGRADE_DETECTED;
DEBUG(1, ("Unwilling to make LSA connection to domain %s "
"without connection level security, "
@@ -3324,9 +3326,10 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
TALLOC_FREE(netlogon_creds);
if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
result = NT_STATUS_DOWNGRADE_DETECTED;
- DEBUG(1, ("Unwilling to make connection to domain %s"
+ DEBUG(1, ("Unwilling to make connection to domain %s "
"without connection level security, "
"must set 'winbind sealed pipes = false' and "
"'require strong key = false' to proceed: %s\n",
--
2.5.5