The Samba-Bugzilla – Attachment 7377 Details for Bug 8599: WINBINDD_PAM_AUTH_CRAP returns invalid user session key
[patch] Rework on Andrew's proposal
0001-s3-winbindd-Only-use-SamLogonEx-when-we-can-get-unen.patch (text/plain), 1.71 KB, created by Matthieu Patou on 2012-03-12 05:18:07 UTC
>From d0990e00e9076a8036d52f3477a26351a09df95d Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 15 Dec 2011 09:57:56 +1100 >Subject: [PATCH] s3-winbindd Only use SamLogonEx when we can get unencrypted session keys > >This ensures that we have some check on the session keys being returned >as the RC4 cipher is not checksumed. > >The check comes from the fact that the credentials chain is tied to >the netlgon session key, and so if the credentials check passes then >the netlogon session key will be correct, and so the user session key >will be correctly decrypted. > >Andrew Bartlett > >Signed-off-by: Matthieu Patou <mat@matws.net> > >s3: If we can't do validation 6 or sam_logon_ex use sam_logon only >--- > source3/winbindd/winbindd_pam.c | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 26fdc5a..b0b8e40 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -1365,7 +1365,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain, > domain->can_do_validation6 = false; > } > >- logon_fn = contact_domain->can_do_samlogon_ex >+ logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6) > ? rpccli_netlogon_sam_network_logon_ex > : rpccli_netlogon_sam_network_logon; > >@@ -1989,7 +1989,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, > domain->can_do_validation6 = false; > } > >- logon_fn = contact_domain->can_do_samlogon_ex >+ logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6) > ? rpccli_netlogon_sam_network_logon_ex > : rpccli_netlogon_sam_network_logon; > >-- >1.7.0.4 >
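Review bot: In the first hunk (winbindd_dual_pam_auth_samlogon), the new condition reads can_do_samlogon_ex from contact_domain but can_do_validation6 from domain, and nothing at the call site explains why the two flags are taken from different structs or why validation level 6 gates the use of SamLogonEx. The rationale exists only in the commit message (the credentials chain is what vouches for the netlogon session key, because the RC4 cipher is not checksummed), so a short comment above `logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6)` would keep it with the code. If domain and contact_domain can differ at this point, please confirm that domain is the right struct to consult for can_do_validation6.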
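Review bot: The second hunk (winbindd_dual_pam_auth_crap) repeats the exact selection expression changed in winbindd_dual_pam_auth_samlogon, so the two call sites can drift apart the next time the condition changes. Consider moving the choice between rpccli_netlogon_sam_network_logon_ex and rpccli_netlogon_sam_network_logon into one small static helper in winbindd_pam.c that both functions call. Separately, the commit message ends with what looks like a second subject line after the Signed-off-by tag ("s3: If we can't do validation 6 or sam_logon_ex use sam_logon only"); it would read better folded into the message body ahead of the sign-off.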
Flags: jra: review+, ab: review+