From cdc60d8ae8c0ef804206b20b451e9557f97d4439 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Tue, 11 Dec 2007 12:47:28 +0100
Subject: [PATCH] Streamline logic in cm_connect_netlogon()

by retrieving trust password only, when it will be used.

Michael
---
 source/winbindd/winbindd_cm.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 0a96e04052c..d5c8b9955f2 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -2219,10 +2219,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 		return NT_STATUS_OK;
 	}
 
-	if ((IS_DC || domain->primary) && !get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-	}
-
 	netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
 						 &result);
 	if (netlogon_pipe == NULL) {
@@ -2234,11 +2230,16 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 		neg_flags &= ~NETLOGON_NEG_SCHANNEL;		
 		goto no_schannel;
 	}
-	
+
 	if (lp_client_schannel() != False) {
 		neg_flags |= NETLOGON_NEG_SCHANNEL;
 	}
 
+	if (!get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
+		cli_rpc_pipe_close(netlogon_pipe);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
 	/* if we are a DC and this is a trusted domain, then we need to use our
 	   domain name in the net_req_auth2() request */
 
-- 
2.34.1