s3-winbindd Only use SamLogonEx when we can get unencrypted session keys
author Andrew Bartlett <abartlet@samba.org>
Wed, 14 Dec 2011 23:00:36 +0000 (10:00 +1100)
committer Jeremy Allison <jra@samba.org>
Mon, 19 Mar 2012 20:31:46 +0000 (21:31 +0100)
This ensures that we have some check on the session keys being returned
as the RC4 cipher is not checksummed.

The check comes from the fact that the credentials chain is tied to
the session key, and so if the credentials check passes then the
netlogon session key will be correct, and so the user session key
will be correctly decrypted.

Andrew Bartlett

Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Mar 19 21:31:46 CET 2012 on sn-devel-104

source3/winbindd/winbindd_pam.c

index b7aec20534c0952b049f45284d39e0688bec3a24..6757f3611e777a42b6c769866e13316c51dabb19 100644
@@ -1246,7 +1246,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
                        domain->can_do_validation6 = false;
                }
 
-               if (domain->can_do_samlogon_ex) {
+               if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
                        result = rpccli_netlogon_sam_network_logon_ex(
                                        netlogon_pipe,
                                        mem_ctx,
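Review bot: The new guard `domain->can_do_samlogon_ex && domain->can_do_validation6` has no comment explaining why the Ex call is tied to validation level 6. The rationale (the returned session keys are RC4-protected with no checksum, so only the credentials-chain check vouches for the netlogon session key) lives only in the commit message. A short comment above the `if` would keep a later cleanup from relaxing the condition. Note also that once the context line above has set `domain->can_do_validation6 = false`, this condition is false regardless of `can_do_samlogon_ex`, so a debug message at that assignment would make the switch away from SamLogonEx visible in logs.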
@@ -1256,7 +1256,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
                                        domainname,     /* target domain */
                                        workstation,    /* workstation */
                                        chal,
-                                       domain->can_do_validation6 ? 6 : 3,
+                                       6,
                                        lm_response,
                                        nt_response,
                                        info3);
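Review bot: The literal `6` passed as the validation level to `rpccli_netlogon_sam_network_logon_ex` is only correct because of the `domain->can_do_validation6` test added to the enclosing `if` in the previous hunk, and nothing at the call site says so. Replace the bare number with a named constant or add a one-line comment stating that this branch is reached only when level 6 is supported, so that a future change to the guard does not leave a hard-coded level 6 request going to a server that cannot answer it.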