From 31c200b7225d5934d29021f74302ff563ff7ecc7 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 15 Dec 2011 09:57:56 +1100
Subject: [PATCH] s3-winbindd Only use SamLogonEx when we can get unencrypted
 session keys

This ensures that we have some check on the session keys being returned
as the RC4 cipher is not checksumed.

The check comes from the fact that the credentials chain is tied to
the netlgon session key, and so if the credentials check passes then
the netlogon session key will be correct, and so the user session key
will be correctly decrypted.

Andrew Bartlett
---
 source3/winbindd/winbindd_pam.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 5c56b87..72adcbf 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1365,7 +1365,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 			domain->can_do_validation6 = false;
 		}
 
-		logon_fn = contact_domain->can_do_samlogon_ex
+		logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6)
 			? rpccli_netlogon_sam_network_logon_ex
 			: rpccli_netlogon_sam_network_logon;
 
-- 
1.7.6.4