winbind: force the usage of schannel in cm_connect_lsa() as AD DC
authorStefan Metzmacher <metze@samba.org>
Thu, 22 Feb 2018 09:40:19 +0000 (10:40 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 23 Feb 2018 11:47:25 +0000 (12:47 +0100)
This makes sure that, when running as an AD DC, we only talk to direct trusts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source3/winbindd/winbindd_cm.c

index 4229647dc4d135c9edf3146cce8fd0899ccea2b1..b6a54d0a12b880d3efa180195ff74121626db273 100644 (file)
@@ -2970,6 +2970,13 @@ retry:
 
        TALLOC_FREE(conn->lsa_pipe);
 
+       if (IS_AD_DC) {
+               /*
+                * Make sure we only use schannel as AD DC.
+                */
+               goto schannel;
+       }
+
        result = get_trust_credentials(domain, talloc_tos(), false, &creds);
        if (!NT_STATUS_IS_OK(result)) {
                DEBUG(10, ("cm_connect_lsa: No user available for "
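Review bot: The comment on the added guard restates what the jump does but not why an AD DC must never take the credential-based path, and the `schannel:` label it jumps to, like the rest of cm_connect_lsa, lies outside this hunk, so a reader landing here cannot see what the forced path requires. The reason is in the commit message (only talk to direct trusts) and belongs in the code, e.g. `/* As an AD DC we must only reach domains we have a direct trust with; a user-credential or anonymous LSA bind could connect to any domain, so always require schannel here. */`. The same one-line comment is repeated on all three guards in this commit; stating the rationale once at this first one and having the other two refer to it would keep the intent from drifting.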
@@ -3083,6 +3090,13 @@ retry:
                goto done;
        }
 
+       if (IS_AD_DC) {
+               /*
+                * Make sure we only use schannel as AD DC.
+                */
+               goto done;
+       }
+
        DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
                  "anonymous\n"));
 
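Review bot: The `goto done` added after the open_policy success check skips the single old line that sits between this hunk and the next (the hunk headers show old line 3089 is not displayed); if that line is the cleanup the anonymous fallback used to perform on conn->lsa_pipe after a failed open_policy, an AD DC now reaches `done` with a bound-but-unusable lsa_pipe still attached to conn, and whether `done:` invalidates the connection on a non-OK result cannot be seen from here. If it does not, the guard should release the pipe before leaving: `TALLOC_FREE(conn->lsa_pipe);` immediately before `goto done;`. The schannel section of cm_connect_lsa and its `done:` label are both outside this hunk, so this should be checked against the full function.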
@@ -3090,6 +3104,13 @@ retry:
 
  anonymous:
 
+       if (IS_AD_DC) {
+               /*
+                * Make sure we only use schannel as AD DC.
+                */
+               goto done;
+       }
+
        if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
                result = NT_STATUS_DOWNGRADE_DETECTED;
                DEBUG(1, ("Unwilling to make LSA connection to domain %s "
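Review bot: The guard at `anonymous:` returns silently with whatever status the preceding schannel attempt left in `result`, whereas the existing refusal right below it (NT_STATUS_DOWNGRADE_DETECTED) logs at DEBUG(1) why no connection was made; an AD DC that cannot reach a domain over schannel will therefore fail cm_connect_lsa with no trace of the reason in the log. Log before jumping, with the same domain-name argument the message below passes: `DEBUG(1, ("cm_connect_lsa: refusing non-schannel LSA connection to domain %s as AD DC: %s\n", domain->name, nt_errstr(result)));` (adjust the name expression to match the one used below). This also relies on every path into `anonymous:` having stored a failure status in `result`; the schannel section that jumps here is outside the hunk, so that invariant should be confirmed rather than assumed.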