r22709: we can only use tschannel when connecting to our primary (might need some...
authorGerald Carter <jerry@samba.org>
Sun, 6 May 2007 19:48:13 +0000 (19:48 +0000)
committerMichael Adam <obnox@samba.org>
Wed, 19 Dec 2007 17:19:06 +0000 (18:19 +0100)
source/nsswitch/winbindd_cm.c

index 7918e5d..1f137a0 100644 (file)
@@ -1975,7 +1975,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                return NT_STATUS_OK;
        }
 
-       if (!get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
+       if (domain->primary && !get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
                return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
        }
 
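Review bot: For a non-primary domain the new short-circuit skips `get_trust_pw()`, so `mach_pwd` and `sec_chan_type` are never written on that path. The `goto no_schannel` added in the next hunk appears intended to jump over their consumers, but nothing at this check makes that dependency visible, and any later use placed between here and the goto would read indeterminate values. A comment such as `/* Trust password is only fetched for our primary domain; mach_pwd and sec_chan_type are unset otherwise and must not be used before no_schannel. */` would record this. Zero-initialising both at their declarations (outside this hunk) would make the path safe by construction.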
@@ -1985,6 +1985,12 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                return result;
        }
 
+       if ( !domain->primary ) {
+               /* Clear the schannel request bit and drop down */
+               neg_flags &= ~NETLOGON_NEG_SCHANNEL;            
+               goto no_schannel;
+       }
+       
        if (lp_client_schannel() != False) {
                neg_flags |= NETLOGON_NEG_SCHANNEL;
        }
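Review bot: The `goto no_schannel` added for non-primary domains jumps over everything between the `neg_flags |= NETLOGON_NEG_SCHANNEL` block and the label, including the `return NT_STATUS_ACCESS_DENIED` path visible just before the label in the next hunk. If that path is what enforces a required `client schannel` setting (it lies outside the hunk, so this is inferred), connections to non-primary domains now keep an unprotected NETLOGON pipe regardless of configuration, with no trace in the logs. The comment should state that the configured schannel policy is deliberately overridden here, and the downgrade should be logged before the `goto`, e.g. `DEBUG(3, ("cm_connect_netlogon: %s is not our primary domain, not using schannel\n", domain->name));`. The body of cm_connect_netlogon starts and ends outside the hunk.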
@@ -2029,6 +2035,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                return NT_STATUS_ACCESS_DENIED;
        }
 
+ no_schannel:
        if ((lp_client_schannel() == False) ||
                        ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
                /* We're done - just keep the existing connection to NETLOGON