s3:winbindd: fix the valid usage anonymous smb authentication

If we are in a situation where we don't have credentials to contact the
remote domain or against an NT4 with the following settings:

  workgroup = NT4DOM
  security = domain
  require strong key = no
  client use spnego = no
  client ipc signing = auto

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 751641909505fcbf07e60b4b21f70e5827c6e9d5..3a9ad1091c3e3316e12596f658de85678eb81f85 100644 (file)
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1107,6 +1107,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
                  machine_domain, machine_account,
                  machine_principal, machine_realm));
 
+       if (cli_credentials_is_anonymous(creds)) {
+               goto anon_fallback;
+       }
+
        winbindd_set_locator_kdc_envs(domain);
 
        result = cli_session_setup_creds(*cli, creds);
@@ -1125,10 +1129,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
            || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
            || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
        {
-               if (cli_credentials_is_anonymous(creds)) {
-                       goto done;
-               }
-
                if (!cm_is_ipc_credentials(creds)) {
                        goto ipc_fallback;
                }