winbind: Keep "force_reauth" in invalidate_cm_connection
author Volker Lendecke <vl@samba.org>
Wed, 28 Feb 2018 15:09:28 +0000 (15:09 +0000)
committer Ralph Boehme <slow@samba.org>
Thu, 15 Mar 2018 14:46:09 +0000 (15:46 +0100)
Right now I don't see a way to actually force a re-serverauth
from the client side as long as an entry in netlogon_creds_cli.tdb
exists. cm_connect_netlogon goes through invalidate_cm_connection, and
this wipes our wish to force a reauthentication. Keep this intact until
we actually did reauthenticate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/winbindd/winbindd_cm.c

index 0f6a0a9ba1fb4212498dc2a31d4641ad1d2b67a8..bf5a2b4d7b1c06b85c2af8728145451be66952e8 100644 (file)
@@ -2081,7 +2081,6 @@ void invalidate_cm_connection(struct winbindd_domain *domain)
        }
 
        conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
-       conn->netlogon_force_reauth = false;
        TALLOC_FREE(conn->netlogon_creds_ctx);
 
        if (conn->cli) {
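Review bot: With the reset removed from invalidate_cm_connection, nothing at this site tells a reader that netlogon_force_reauth is deliberately left alone while auth_level is reset and netlogon_creds_ctx is freed right next to it. A short comment here, stating that the flag must survive invalidation and is only cleared in cm_connect_netlogon_transport, would keep a later cleanup from re-adding the `conn->netlogon_force_reauth = false;` line and silently reintroducing the bug.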
@@ -3368,6 +3367,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
                conn->cli, transport,
                conn->netlogon_creds_ctx, conn->netlogon_force_reauth, creds,
                &conn->netlogon_pipe);
+       conn->netlogon_force_reauth = false;
        if (!NT_STATUS_IS_OK(result)) {
                DBG_DEBUG("rpccli_connect_netlogon failed: %s\n",
                          nt_errstr(result));
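Review bot: The new `conn->netlogon_force_reauth = false;` sits before the `if (!NT_STATUS_IS_OK(result))` check, so the flag is cleared even when rpccli_connect_netlogon fails. The commit message says the request should be kept "until we actually did reauthenticate"; as written, a failed connect attempt drops the forced reauth and the next attempt runs with the flag false. Consider moving the assignment below the error branch so it is cleared only on success, or add a comment explaining why clearing on failure is intended.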