1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

s3:winbindd: make use of the "winbind sealed pipes" option for all connections

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2013-10-17 19:31:58 +02:00
parent 1d69fdddd5
commit 225982e1cb
2 changed files with 20 additions and 3 deletions

View File

@ -25,6 +25,7 @@
#include "nsswitch/winbind_struct_protocol.h" #include "nsswitch/winbind_struct_protocol.h"
#include "nsswitch/libwbclient/wbclient.h" #include "nsswitch/libwbclient/wbclient.h"
#include "librpc/gen_ndr/dcerpc.h"
#include "librpc/gen_ndr/wbint.h" #include "librpc/gen_ndr/wbint.h"
#include "talloc_dict.h" #include "talloc_dict.h"
@ -105,6 +106,8 @@ struct getpwent_user {
struct winbindd_cm_conn { struct winbindd_cm_conn {
struct cli_state *cli; struct cli_state *cli;
enum dcerpc_AuthLevel auth_level;
struct rpc_pipe_client *samr_pipe; struct rpc_pipe_client *samr_pipe;
struct policy_handle sam_connect_handle, sam_domain_handle; struct policy_handle sam_connect_handle, sam_domain_handle;

View File

@ -1724,6 +1724,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
} }
if (NT_STATUS_IS_OK(result)) { if (NT_STATUS_IS_OK(result)) {
bool seal_pipes = true;
winbindd_set_locator_kdc_envs(domain); winbindd_set_locator_kdc_envs(domain);
@ -1743,6 +1744,17 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
*/ */
store_current_dc_in_gencache(domain->name, domain->dcname, store_current_dc_in_gencache(domain->name, domain->dcname,
new_conn->cli); new_conn->cli);
seal_pipes = lp_winbind_sealed_pipes();
seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
domain->name,
seal_pipes);
if (seal_pipes) {
new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
} else {
new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
}
} else { } else {
/* Ensure we setup the retry handler. */ /* Ensure we setup the retry handler. */
set_domain_offline(domain); set_domain_offline(domain);
@ -1815,6 +1827,8 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
} }
} }
conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
if (conn->cli) { if (conn->cli) {
cli_shutdown(conn->cli); cli_shutdown(conn->cli);
} }
@ -2365,7 +2379,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
&ndr_table_samr, &ndr_table_samr,
NCACN_NP, NCACN_NP,
GENSEC_OID_NTLMSSP, GENSEC_OID_NTLMSSP,
DCERPC_AUTH_LEVEL_PRIVACY, conn->auth_level,
smbXcli_conn_remote_name(conn->cli->conn), smbXcli_conn_remote_name(conn->cli->conn),
domain_name, domain_name,
machine_account, machine_account,
@ -2536,7 +2550,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
if (conn->lsa_pipe_tcp && if (conn->lsa_pipe_tcp &&
conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP && conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY && conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
rpccli_is_connected(conn->lsa_pipe_tcp)) { rpccli_is_connected(conn->lsa_pipe_tcp)) {
goto done; goto done;
} }
@ -2604,7 +2618,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
result = cli_rpc_pipe_open_spnego result = cli_rpc_pipe_open_spnego
(conn->cli, &ndr_table_lsarpc, NCACN_NP, (conn->cli, &ndr_table_lsarpc, NCACN_NP,
GENSEC_OID_NTLMSSP, GENSEC_OID_NTLMSSP,
DCERPC_AUTH_LEVEL_PRIVACY, conn->auth_level,
smbXcli_conn_remote_name(conn->cli->conn), smbXcli_conn_remote_name(conn->cli->conn),
conn->cli->domain, conn->cli->user_name, conn->cli->password, conn->cli->domain, conn->cli->user_name, conn->cli->password,
&conn->lsa_pipe); &conn->lsa_pipe);