X-Git-Url: http://git.samba.org/samba.git/?p=kai%2Fsamba.git;a=blobdiff_plain;f=source3%2Fwinbindd%2Fwinbindd_cm.c;fp=source3%2Fwinbindd%2Fwinbindd_cm.c;h=4188b5e6edba62f61ec5135d89b06e2a8c783788;hp=edd50d12bc1a89f9820b68f1f3876a71ec2bc337;hb=34ffa6175bca1cee755e454c14683b7c826dd6c7;hpb=b3a3c50eb8ebfe2cc1fa602cb9680e4aa3f083cd
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index edd50d12bc1..4188b5e6edb 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -782,6 +782,8 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 struct cli_state **cli,
 bool *retry)
 {
+ bool try_spnego = false;
+ bool try_ipc_auth = false;
 char *machine_password = NULL;
 char *machine_krb5_principal = NULL;
 char *machine_account = NULL;
@@ -824,17 +826,21 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 cli_set_timeout(*cli, 10000); /* 10 seconds */
- result = cli_negprot(*cli, PROTOCOL_NT1);
+ result = cli_negprot(*cli, PROTOCOL_SMB2_02);
 if (!NT_STATUS_IS_OK(result)) {
 DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
 goto done;
 }
- if (!is_dc_trusted_domain_situation(domain->name) &&
- cli_state_protocol(*cli) >= PROTOCOL_NT1 &&
- cli_state_capabilities(*cli) & CAP_EXTENDED_SECURITY)
- {
+ if (cli_state_protocol(*cli) >= PROTOCOL_NT1 &&
+ cli_state_capabilities(*cli) & CAP_EXTENDED_SECURITY) {
+ try_spnego = true;
+ } else if (cli_state_protocol(*cli) >= PROTOCOL_SMB2_02) {
+ try_spnego = true;
+ }
+
+ if (!is_dc_trusted_domain_situation(domain->name) && try_spnego) {
 result = get_trust_creds(domain, &machine_password, &machine_account, &machine_krb5_principal);
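Review bot: After `cli_negprot(*cli, PROTOCOL_SMB2_02)` nothing in this hunk checks or logs the dialect the server actually selected, so when `try_spnego` stays false the trust-credential block is skipped without leaving a trace. A line such as `DEBUG(3, ("negotiated protocol %d, not trying SPNEGO\n", (int)cli_state_protocol(*cli)));` on that path would make an unexpected fallback visible in the winbindd log. The two arms of the new `if`/`else if` assign the same value and the first mixes `&&` with an unparenthesised `&`; a single expression is easier to audit: `try_spnego = cli_state_protocol(*cli) >= PROTOCOL_SMB2_02 || (cli_state_protocol(*cli) >= PROTOCOL_NT1 && (cli_state_capabilities(*cli) & CAP_EXTENDED_SECURITY));`. cm_prepare_connection starts and ends outside the hunk, so what the non-SPNEGO path does afterwards is inferred rather than visible here.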
@@ -912,8 +918,15 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
 sec_mode = cli_state_security_mode(*cli);
- if (((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
- (strlen(ipc_username) > 0)) {
+
+ try_ipc_auth = false;
+ if (try_spnego) {
+ try_ipc_auth = true;
+ } else if (sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
+ try_ipc_auth = true;
+ }
+
+ if (try_ipc_auth && (strlen(ipc_username) > 0)) {
 /* Only try authenticated if we have a username */
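Review bot: Setting `try_ipc_auth` from `try_spnego` means `ipc_username`/`ipc_password` are now offered even when `sec_mode` does not carry `NEGOTIATE_SECURITY_CHALLENGE_RESPONSE`, and the session-setup call that consumes them lies outside this hunk. Please confirm that the call can only authenticate via SPNEGO on this path, and once confirmed record it above the block, e.g. `/* with SPNEGO the password is never sent in clear; the SMB1 challenge/response bit only matters without it */`. The `try_ipc_auth = false;` assignment repeats the initialiser added at the declaration and can be dropped.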