From 6f24893864b0f5103474fcf2848f78272d3346d4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 12 Apr 2016 09:36:12 +0300
Subject: [PATCH] s3-winbind: make sure domain member uses sealed connection to the dc

Enforce sealed pipes to primary domain only if we are domain member and to any trusted domains' DC if we are DC of our own domain. Otherwise consider it a downgrade and reject such operation.

This is implicit configuration to avoid changing every domain member configuration with

winbind sealed pipes = false
require strong key = false
winbind sealed pipes: PRIMARY = true
require strong key: PRIMARY = true

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830

Signed-off-by: Guenther Deschner
Signed-off-by: Alexander Bokovoy
---
 source3/winbindd/winbindd_cm.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index ff0e081..4f4374c 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2851,7 +2851,8 @@ retry:
 anonymous:
 /* Finally fall back to anonymous. */
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
 status = NT_STATUS_DOWNGRADE_DETECTED;
 DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
 "without connection level security, "
@@ -3150,7 +3151,8 @@ retry:
 anonymous:
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
 result = NT_STATUS_DOWNGRADE_DETECTED;
 DEBUG(1, ("Unwilling to make LSA connection to domain %s "
 "without connection level security, "
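Review bot: The new three-term condition is written out verbatim in three places (this SAMR path, the LSA path in the second hunk at @@ -3150, and the netlogon path at @@ -3324), so the next policy tweak has to be repeated three times and the checks can silently drift apart; a small file-scope helper keeps them identical and gives the rule a single place to be documented. Note also that the relaxation this commit introduces is silent: the `DEBUG(1, ...)` only fires on rejection, so when `domain->primary` is false on a member the connection proceeds without connection-level security and leaves no trace in the log — I would add a lower-level debug line on that accepted fallback (e.g. "allowing unsealed connection to trusted domain %s" with the domain name) so operators can see the downgrade they have implicitly consented to. The enclosing function starts before the hunk and continues after it, so the helper below is placed at file scope and only the `if` line inside the hunk changes.

```c
/*
 * Sealing / strong-key enforcement applies to our primary domain when we
 * are a member, and to every trusted domain's DC when we are a DC
 * ourselves. Everything else may fall back to an unsealed connection.
 */
static bool cm_require_sealed_connection(const struct winbindd_domain *domain)
{
	return (lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
	       (IS_DC || domain->primary);
}

/* … unchanged: function body up to the anonymous: label … */
	if (cm_require_sealed_connection(domain)) {
```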
@@ -3324,7 +3326,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 TALLOC_FREE(netlogon_creds);
 if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
 result = NT_STATUS_DOWNGRADE_DETECTED;
 DEBUG(1, ("Unwilling to make connection to domain %s"
 "without connection level security, "
-- 
2.7.4
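Review bot: The rejection message right below the new condition is the one line an operator will search for when a DC refuses a netlogon downgrade, and it is malformed: `"Unwilling to make connection to domain %s"` is immediately followed by `"without connection level security, "`, so the literals concatenate to "domain <name>without connection level security". The SAMR and LSA messages in the earlier hunks carry the trailing space; while touching this block I would make this one consistent, `"Unwilling to make connection to domain %s "`. This hunk is inside cm_connect_netlogon_transport, whose body begins before and ends after the hunk, so the surrounding NETLOGON_NEG_AUTHENTICATED_RPC handling is not visible here.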