X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=source3%2Fwinbindd%2Fwinbindd_cm.c;h=3a9780ebedb87c97e24ff6846b0204e4ac534e06;hb=e2cd3257141bd4a88cda1fff5bde9df60b253a97;hp=05e9692faf45e23a6573ee1261d24c82dd5c0c1f;hpb=b9701a0a79dd15dd6f53075638fba9a2a3d92e19;p=samba.git
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 05e9692faf4..3a9780ebedb 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2578,6 +2578,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 anonymous:
 /* Finally fall back to anonymous. */
+ if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ status = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' and "
+ "'require strong key = false' to proceed: %s\n",
+ domain->name, nt_errstr(status)));
+ goto done;
+ }
 status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr, &conn->samr_pipe);
@@ -2802,6 +2811,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 anonymous:
+ if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s"
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' and "
+ "'require strong key = false' to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ goto done;
+ }
+
 result = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_lsarpc, &conn->lsa_pipe);
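Review bot: The adjacent literals `"Unwilling to make SAMR connection to domain %s"` and `"without connection level security, "` in the new DEBUG call concatenate with no space between them, so the logged line runs the domain name straight into "without" (constructed example: `EXAMPLEwithout connection level security`). That makes the refusal harder to find when searching logs by domain name after a downgrade is reported. End the first literal with a space, `"Unwilling to make SAMR connection to domain %s "`; the same missing space is present in the cm_connect_lsa and cm_connect_netlogon hunks. The `done:` label this path jumps to lies outside the hunk.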
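Review bot: The refusal at `anonymous:` in cm_connect_lsa leaves through `goto done`, while the equivalent netlogon path calls `invalidate_cm_connection(conn)` before returning. Since `done:` is outside this hunk, it is worth confirming that it tears the connection down when `result` is NT_STATUS_DOWNGRADE_DETECTED, so that a partly set-up `conn` is not reused. The block also carries no comment saying why the fallback is refused; I would add `/* Never degrade to an unauthenticated LSA pipe when sealing or a strong key is required. */` above the `if`.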
@@ -2959,6 +2978,16 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 no_schannel:
 if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+ if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make connection to domain %s"
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' and "
+ "'require strong key = false' to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ invalidate_cm_connection(conn);
+ return result;
+ }
 result = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_netlogon, &conn->netlogon_pipe);
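Review bot: The message in the `no_schannel:` branch says only "Unwilling to make connection to domain", unlike the SAMR and LSA variants that name the pipe, and it does not mention that the branch is entered because NETLOGON_NEG_AUTHENTICATED_RPC is absent from `conn->netlogon_flags`. Someone triaging NT_STATUS_DOWNGRADE_DETECTED needs that detail to tell a DC that does not offer authenticated RPC from interference with the negotiation. I would word the first literal `"Unwilling to make NETLOGON connection to domain %s "` and name the missing flag in the text. The enclosing `if` and the rest of cm_connect_netlogon continue outside the hunk.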