Even if the connection doesn't support schannel we must set the credentials,
otherwise when we try to use them it will segfault.

Connections from the winbindd process connected to a non-primary domain
(i.e. all the domains but the one where samba is joined) do
not use schannel and are therefore affected by this.

Any user on the same box where winbindd is running can crash the server
by running wbinfo --krb5auth=SUBDOMAIN\foo; only SUBDOMAIN has to be
valid, any non-existing user (i.e. foo) will cause winbindd to crash. I
have no idea what you could gain from the crash; at least it's a local
DOS, at worst you can maybe gain root access.

Found-by: Ravindra Channabasapa <ravindra@juniper.net>
Signed-off-by: Matthieu Patou <mat@matws.net>
neg_flags |= NETLOGON_NEG_SCHANNEL;
}
+ no_schannel:
if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
&sec_chan_type))
{
return NT_STATUS_ACCESS_DENIED;
}
- no_schannel:
if ((lp_client_schannel() == False) ||
((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
/*
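Review bot: with `no_schannel:` moved above `get_trust_pw_hash()`, every path that jumps to the label now returns NT_STATUS_ACCESS_DENIED when the trust password lookup fails, where it previously skipped that lookup entirely. Please confirm this is the intended behaviour for the non-primary domains the commit message describes, since those are exactly the connections that take this path. The label name is also misleading now that it precedes code run in both the schannel and non-schannel cases; a short comment at the label saying the credentials must be fetched even without schannel would keep a later cleanup from moving it back down. The `goto` sites and the place where the credentials are later dereferenced are not visible in this hunk, so it is worth checking whether a defensive NULL check at the point of use is also warranted, given that the crash is reachable by any local user.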