diff options
| author | Jeremy Allison <jra@samba.org> | 2005-09-16 16:20:23 +0000 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2005-09-16 16:20:23 +0000 |
| commit | 97c924cd67a6a81534e23f3caee696ade911d15d (patch) | |
| tree | 6e2c4280fc7ccdfa0a79f90606e49bdf11c714da /source/nsswitch/winbindd_pam.c | |
| parent | 3664ce344d71d1af2aa5d6c8117eeaa26a2ab64e (diff) | |
| download | samba-97c924cd67a6a81534e23f3caee696ade911d15d.tar.gz samba-97c924cd67a6a81534e23f3caee696ade911d15d.tar.xz samba-97c924cd67a6a81534e23f3caee696ade911d15d.zip | |
r10268: Fix for bug #3095 - winbindd checking credentials.
Jeremy.
Diffstat (limited to 'source/nsswitch/winbindd_pam.c')
| -rw-r--r-- | source/nsswitch/winbindd_pam.c | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c index 64969a6cf42..a0712144eeb 100644 --- a/source/nsswitch/winbindd_pam.c +++ b/source/nsswitch/winbindd_pam.c @@ -404,12 +404,15 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain, } while ( (attempts < 2) && retry ); - if (NT_STATUS_IS_OK(result) && - (!clnt_deal_with_creds(session_key, credentials, - &ret_creds))) { - DEBUG(3, ("DC %s sent wrong credentials\n", - pipe_cli->cli->srv_name_slash)); - result = NT_STATUS_ACCESS_DENIED; + /* Only check creds if we got a connection. */ + if (contact_domain->conn.cli && + !(NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || + NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) { + if (!clnt_deal_with_creds(session_key, credentials, &ret_creds)) { + DEBUG(3, ("DC %s sent wrong credentials\n", + pipe_cli->cli->srv_name_slash)); + result = NT_STATUS_ACCESS_DENIED; + } } if (NT_STATUS_IS_OK(result)) { @@ -709,12 +712,15 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, } while ( (attempts < 2) && retry ); - if (NT_STATUS_IS_OK(result) && - (!clnt_deal_with_creds(session_key, credentials, - &ret_creds))) { - DEBUG(3, ("DC %s sent wrong credentials\n", - pipe_cli->cli->srv_name_slash)); - result = NT_STATUS_ACCESS_DENIED; + /* Only check creds if we got a connection. */ + if (contact_domain->conn.cli && + !(NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || + (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) { + if (!clnt_deal_with_creds(session_key, credentials, &ret_creds)) { + DEBUG(3, ("DC %s sent wrong credentials\n", + pipe_cli->cli->srv_name_slash)); + result = NT_STATUS_ACCESS_DENIED; + } } if (NT_STATUS_IS_OK(result)) { |