Revert "s3-winbind: Fix schannel connections against trusted domain DCs"
authorStefan Metzmacher <metze@samba.org>
Fri, 24 Feb 2017 12:19:59 +0000 (13:19 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 24 Feb 2017 17:40:14 +0000 (18:40 +0100)
This reverts commit d2379caa77fe02264323d69fee1bcad33f1bfeee.

This change doesn't solve the real problem, it just
causes useless network traffic and the following error:

rpccli_setup_netlogon_creds failed for W2012R2-L6, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT

The old logic caused NT_STATUS_CANT_ACCESS_DOMAIN_INFO (without
network traffic) rather than NT_STATUS_NO_TRUST_SAM_ACCOUNT.

A better fix will follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/winbindd/winbindd_cm.c

index 41a00764af4e6084a57b5f99ea038632a6e54da8..fc403e2c0126292b079b482b45de3798c4f21156 100644 (file)
@@ -903,7 +903,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
        struct cli_credentials *creds;
        NTSTATUS status;
        bool force_machine_account = false;
-       bool ok;
 
        /* If we are a DC and this is not our own domain */
 
@@ -948,13 +947,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
                                                   CRED_DONT_USE_KERBEROS);
        }
 
-       /*
-        * When we contact our own domain and get a list of the trusted domain
-        * we have the information if we are able to contact the DC with
-        * with our machine account password.
-        */
-       ok = winbindd_can_contact_domain(domain);
-       if (!ok) {
+       if (creds_domain != domain) {
                /*
                 * We can only use schannel against a direct trust
                 */
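Review bot: The restored condition `if (creds_domain != domain)` in get_trust_credentials is a bare pointer comparison, and the retained comment ("We can only use schannel against a direct trust") does not say why differing pointers mean there is no direct trust. creds_domain is assigned outside this hunk, so presumably it differs from domain when the credentials are taken from another domain's account; a comment such as `/* creds_domain != domain: the account belongs to another domain, so we hold no direct trust secret for domain */` would make that explicit. The body of the if also lies outside the hunk. If it sets SEC_CHAN_NULL, then with the DBG_WARNING removed in cm_connect_netlogon_transport the NT_STATUS_CANT_ACCESS_DOMAIN_INFO return leaves no log line, so a debug-level message at one of the two sites would keep the missing-schannel case diagnosable.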
@@ -3246,8 +3239,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
        sec_chan_type = cli_credentials_get_secure_channel_type(creds);
        if (sec_chan_type == SEC_CHAN_NULL) {
-               DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
-                           domain->name);
                return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
        }
 
@@ -3287,11 +3278,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
        conn->netlogon_flags = netlogon_creds->negotiate_flags;
        TALLOC_FREE(netlogon_creds);
 
-       /*
-        * FIXME: Document in which case we are not able to contact
-        * a DC without schannel. Which information do we try to get
-        * from this DC?
-        */
        if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
                if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
                        result = NT_STATUS_DOWNGRADE_DETECTED;