s3:winbindd: make use of the "winbind sealed pipes" option for all connections
authorStefan Metzmacher <metze@samba.org>
Thu, 17 Oct 2013 17:31:58 +0000 (19:31 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 7 Jan 2014 11:47:06 +0000 (12:47 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/winbindd/winbindd.h
source3/winbindd/winbindd_cm.c

index 72eb3ec3dc04222072c284fcef4813d366162a8d..afde6857f0a5b8d98bb6b5a7c520024161e3e617 100644 (file)
@@ -25,6 +25,7 @@
 
 #include "nsswitch/winbind_struct_protocol.h"
 #include "nsswitch/libwbclient/wbclient.h"
+#include "librpc/gen_ndr/dcerpc.h"
 #include "librpc/gen_ndr/wbint.h"
 
 #include "talloc_dict.h"
@@ -105,6 +106,8 @@ struct getpwent_user {
 struct winbindd_cm_conn {
        struct cli_state *cli;
 
+       enum dcerpc_AuthLevel auth_level;
+
        struct rpc_pipe_client *samr_pipe;
        struct policy_handle sam_connect_handle, sam_domain_handle;
 
index edb2c7bac48eb8dda60a55a32df996466ff23245..5d920d0a78215aca04c20b15706bfef23ceb557f 100644 (file)
@@ -1724,6 +1724,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
        }
 
        if (NT_STATUS_IS_OK(result)) {
+               bool seal_pipes = true;
 
                winbindd_set_locator_kdc_envs(domain);
 
@@ -1743,6 +1744,17 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
                 */
                store_current_dc_in_gencache(domain->name, domain->dcname,
                                             new_conn->cli);
+
+               seal_pipes = lp_winbind_sealed_pipes();
+               seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
+                                         domain->name,
+                                         seal_pipes);
+
+               if (seal_pipes) {
+                       new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+               } else {
+                       new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+               }
        } else {
                /* Ensure we setup the retry handler. */
                set_domain_offline(domain);
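Review bot: `new_conn->auth_level` is assigned only in the success branch, so on the `else` path the field keeps whatever it held before (for a freshly zeroed struct that is 0, which presumably is not a valid `enum dcerpc_AuthLevel` value); assigning `new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;` before the `if (NT_STATUS_IS_OK(result))` would make the secure default explicit here instead of relying on invalidate_cm_connection() having run first. The choice of DCERPC_AUTH_LEVEL_INTEGRITY as the floor should also be stated, e.g. `/* Disabling sealing only drops encryption: pipes stay signed, never unauthenticated. */`, and the `lp_parm_bool(-1, "winbind sealed pipes", domain->name, ...)` call deserves a one-liner saying it lets a per-domain setting override the global one. cm_open_connection() continues beyond this hunk.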
@@ -1815,6 +1827,8 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
                }
        }
 
+       conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+
        if (conn->cli) {
                cli_shutdown(conn->cli);
        }
@@ -2365,7 +2379,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
                                          &ndr_table_samr,
                                          NCACN_NP,
                                          GENSEC_OID_NTLMSSP,
-                                         DCERPC_AUTH_LEVEL_PRIVACY,
+                                         conn->auth_level,
                                          smbXcli_conn_remote_name(conn->cli->conn),
                                          domain_name,
                                          machine_account,
@@ -2536,7 +2550,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 
        if (conn->lsa_pipe_tcp &&
            conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
-           conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
+           conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
            rpccli_is_connected(conn->lsa_pipe_tcp)) {
                goto done;
        }
@@ -2604,7 +2618,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
        result = cli_rpc_pipe_open_spnego
                (conn->cli, &ndr_table_lsarpc, NCACN_NP,
                 GENSEC_OID_NTLMSSP,
-                DCERPC_AUTH_LEVEL_PRIVACY,
+                conn->auth_level,
                 smbXcli_conn_remote_name(conn->cli->conn),
                 conn->cli->domain, conn->cli->user_name, conn->cli->password,
                 &conn->lsa_pipe);