winbindd: restore SEC_CHAN_NULL fallback in cm_connect_netlogon_transport
authorRalph Boehme <slow@samba.org>
Mon, 27 Nov 2017 14:28:38 +0000 (15:28 +0100)
committerRalph Boehme <slow@samba.org>
Wed, 29 Nov 2017 15:59:15 +0000 (16:59 +0100)
This partially reverts commit d7e31d9f4d9ce7395e458ac341dd83ac06255a20
"winbindd: Use rpccli_connect_netlogon" and restores handling of SEC_CHAN_NULL.

Without this we fail to enumerate domains in trusted forests, so users
from any child domain (or tree root) in the trusted forest can't log in
via e.g. SMB.

This is a temporary hack that will go away once we get rid of the trusted domain
list.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/winbindd/winbindd_cm.c

index f88c704c014815afc16df667540c6ac3efd85b44..16836bd05b52a79c5b5bc589deaf2aa09ab8d7af 100644 (file)
@@ -3214,6 +3214,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
        struct messaging_context *msg_ctx = server_messaging_context();
        struct winbindd_cm_conn *conn;
        NTSTATUS result;
+       enum netr_SchannelType sec_chan_type;
        struct cli_credentials *creds = NULL;
 
        *cli = NULL;
@@ -3241,6 +3242,41 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
                return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
        }
 
+       if (cli_credentials_is_anonymous(creds)) {
+               DBG_WARNING("get_trust_credential only gave anonymous for %s, "
+                           "unable to make get NETLOGON credentials\n",
+                           domain->name);
+               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+       }
+
+       sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+       if (sec_chan_type == SEC_CHAN_NULL) {
+               if (transport == NCACN_IP_TCP) {
+                       DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
+                                  "for %s, deny NCACN_IP_TCP and let the "
+                                  "caller fallback to NCACN_NP.\n",
+                                  domain->name);
+                       return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+               }
+
+               DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+                          "fallback to noauth on NCACN_NP.\n",
+                          domain->name);
+
+               result = cli_rpc_pipe_open_noauth_transport(
+                       conn->cli,
+                       transport,
+                       &ndr_table_netlogon,
+                       &conn->netlogon_pipe);
+               if (!NT_STATUS_IS_OK(result)) {
+                       invalidate_cm_connection(domain);
+                       return result;
+               }
+
+               *cli = conn->netlogon_pipe;
+               return NT_STATUS_OK;
+       }
+
        result = rpccli_create_netlogon_creds_ctx(creds,
                                                  domain->dcname,
                                                  msg_ctx,
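Review bot: The SEC_CHAN_NULL branch hands back an unauthenticated NETLOGON pipe through `*cli` with nothing that marks it as such, so a caller receives the same out-parameter whether the connection is schannel-protected or noauth and has no local way to tell the two apart; the credential-context setup that follows the branch is skipped, which appears to be the only distinguishing state (inferred, not visible here). A short comment on the fallback would make the constraint explicit, e.g. `/* Unauthenticated pipe: no integrity or privacy. Only use it for calls that work anonymously (trust enumeration), never for operations that require schannel. */`. The warning at the top of the hunk reads `"unable to make get NETLOGON credentials\n"`, which looks like a leftover of two wordings ("make" or "get"). cm_connect_netlogon_transport begins before this hunk and continues past it.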