s3:winbindd: make use of the "winbind sealed pipes" option for all connections
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
1d69fdddd5
commit
225982e1cb
@ -25,6 +25,7 @@
|
|||||||
|
|
||||||
#include "nsswitch/winbind_struct_protocol.h"
|
#include "nsswitch/winbind_struct_protocol.h"
|
||||||
#include "nsswitch/libwbclient/wbclient.h"
|
#include "nsswitch/libwbclient/wbclient.h"
|
||||||
|
#include "librpc/gen_ndr/dcerpc.h"
|
||||||
#include "librpc/gen_ndr/wbint.h"
|
#include "librpc/gen_ndr/wbint.h"
|
||||||
|
|
||||||
#include "talloc_dict.h"
|
#include "talloc_dict.h"
|
||||||
@ -105,6 +106,8 @@ struct getpwent_user {
|
|||||||
struct winbindd_cm_conn {
|
struct winbindd_cm_conn {
|
||||||
struct cli_state *cli;
|
struct cli_state *cli;
|
||||||
|
|
||||||
|
enum dcerpc_AuthLevel auth_level;
|
||||||
|
|
||||||
struct rpc_pipe_client *samr_pipe;
|
struct rpc_pipe_client *samr_pipe;
|
||||||
struct policy_handle sam_connect_handle, sam_domain_handle;
|
struct policy_handle sam_connect_handle, sam_domain_handle;
|
||||||
|
|
||||||
|
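Review bot: The new `auth_level` member of `struct winbindd_cm_conn` carries no comment, yet it is the single value that later decides whether the SAMR/LSA traffic to the DC is encrypted or only signed, so its meaning belongs at the declaration. A comment such as `/* DCERPC auth level for this connection's RPC pipes: PRIVACY (sealed) by default, lowered to INTEGRITY (signed only) when "winbind sealed pipes" is off for the domain */` would do. It is also worth stating that the value is reset to PRIVACY on invalidate_cm_connection() and only lowered in cm_open_connection() after a successful connect, so nothing should cache it across a reconnect. The struct definition starts and ends outside the hunk.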
@ -1724,6 +1724,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (NT_STATUS_IS_OK(result)) {
|
if (NT_STATUS_IS_OK(result)) {
|
||||||
|
bool seal_pipes = true;
|
||||||
|
|
||||||
winbindd_set_locator_kdc_envs(domain);
|
winbindd_set_locator_kdc_envs(domain);
|
||||||
|
|
||||||
@ -1743,6 +1744,17 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
|
|||||||
*/
|
*/
|
||||||
store_current_dc_in_gencache(domain->name, domain->dcname,
|
store_current_dc_in_gencache(domain->name, domain->dcname,
|
||||||
new_conn->cli);
|
new_conn->cli);
|
||||||
|
|
||||||
|
seal_pipes = lp_winbind_sealed_pipes();
|
||||||
|
seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
|
||||||
|
domain->name,
|
||||||
|
seal_pipes);
|
||||||
|
|
||||||
|
if (seal_pipes) {
|
||||||
|
new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
|
||||||
|
} else {
|
||||||
|
new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
/* Ensure we setup the retry handler. */
|
/* Ensure we setup the retry handler. */
|
||||||
set_domain_offline(domain);
|
set_domain_offline(domain);
|
||||||
@ -1815,6 +1827,8 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
|
||||||
|
|
||||||
if (conn->cli) {
|
if (conn->cli) {
|
||||||
cli_shutdown(conn->cli);
|
cli_shutdown(conn->cli);
|
||||||
}
|
}
|
||||||
@ -2365,7 +2379,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
|
|||||||
&ndr_table_samr,
|
&ndr_table_samr,
|
||||||
NCACN_NP,
|
NCACN_NP,
|
||||||
GENSEC_OID_NTLMSSP,
|
GENSEC_OID_NTLMSSP,
|
||||||
DCERPC_AUTH_LEVEL_PRIVACY,
|
conn->auth_level,
|
||||||
smbXcli_conn_remote_name(conn->cli->conn),
|
smbXcli_conn_remote_name(conn->cli->conn),
|
||||||
domain_name,
|
domain_name,
|
||||||
machine_account,
|
machine_account,
|
||||||
@ -2536,7 +2550,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
|
|||||||
|
|
||||||
if (conn->lsa_pipe_tcp &&
|
if (conn->lsa_pipe_tcp &&
|
||||||
conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
|
conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
|
||||||
conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
|
conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
|
||||||
rpccli_is_connected(conn->lsa_pipe_tcp)) {
|
rpccli_is_connected(conn->lsa_pipe_tcp)) {
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
@ -2604,7 +2618,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
|
|||||||
result = cli_rpc_pipe_open_spnego
|
result = cli_rpc_pipe_open_spnego
|
||||||
(conn->cli, &ndr_table_lsarpc, NCACN_NP,
|
(conn->cli, &ndr_table_lsarpc, NCACN_NP,
|
||||||
GENSEC_OID_NTLMSSP,
|
GENSEC_OID_NTLMSSP,
|
||||||
DCERPC_AUTH_LEVEL_PRIVACY,
|
conn->auth_level,
|
||||||
smbXcli_conn_remote_name(conn->cli->conn),
|
smbXcli_conn_remote_name(conn->cli->conn),
|
||||||
conn->cli->domain, conn->cli->user_name, conn->cli->password,
|
conn->cli->domain, conn->cli->user_name, conn->cli->password,
|
||||||
&conn->lsa_pipe);
|
&conn->lsa_pipe);
|
||||||
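Review bot: The reuse check in `cm_connect_lsa_tcp` now accepts any cached pipe at `DCERPC_AUTH_LEVEL_INTEGRITY` or above and no longer expresses the configured policy, so it is correct only as long as the (unseen) open path for `lsa_pipe_tcp` uses exactly `conn->auth_level`; if the two ever diverge, a pipe weaker than the connection's setting is silently reused. Comparing against the connection's own level keeps the guard and the open path consistent: `conn->lsa_pipe_tcp->auth->auth_level >= conn->auth_level &&`. The call that opens `lsa_pipe_tcp` lies outside the hunk, so I cannot see whether it was switched to `conn->auth_level` as the SAMR and LSA named-pipe opens were; if it still hardcodes PRIVACY, the option does not cover the TCP LSA pipe and that should be documented. In `cm_open_connection` the per-domain override `winbind sealed pipes:<domain>` deserves a one-line comment that INTEGRITY still authenticates and signs every PDU, so disabling sealing removes only confidentiality of the RPC payload, not tamper protection.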
|