From 261fb36286ae72a778463ca58c9d25445ddef00a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 15 Dec 2011 10:00:36 +1100
Subject: [PATCH] s3-winbindd Only use SamLogonEx when we can get unencrypted session keys

This ensures that we have some check on the session keys being returned as the RC4 cipher is not checksumed. The check comes from the fact that the credentials chain is tied to the session key, and so if the credentials check passes then the netlogon session key will be correct, and so the user session key will be correctly decrypted.
Andrew Bartlett
---
 source3/winbindd/winbindd_pam.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index bde16b1..4969a60 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1220,7 +1220,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 domain->can_do_validation6 = false;
 }
 
- if (domain->can_do_samlogon_ex) {
+ if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
 result = rpccli_netlogon_sam_network_logon_ex(
 netlogon_pipe,
 mem_ctx,
@@ -1230,7 +1230,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 domainname, /* target domain */
 workstation, /* workstation */
 chal,
- domain->can_do_validation6 ? 6 : 3,
+ 6,
 lm_response,
 nt_response,
 info3);
-- 
1.7.6.4
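Review bot: The new guard `domain->can_do_samlogon_ex && domain->can_do_validation6` in the first hunk carries a security invariant that is stated only in the commit message, and the literal `6` in the second hunk is correct only while that guard holds. A comment at the `if` would keep the two together, for example `/* SamLogonEx only with validation level 6: the session keys then come back unencrypted, so a wrong netlogon session key cannot silently yield garbage RC4-decrypted keys */`, plus `6, /* validation level; guarded by can_do_validation6 above */` at the argument. Without it, a later relaxation of the condition would request level 6 from a DC already marked `can_do_validation6 = false`. The path taken when the guard is false lies outside the hunk, so confirm it still passes through a call that verifies the credential chain.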