The branch, v3-2-test has been updated
via 87232351b5e66728f8d602259961909e8c1dfcb6 (commit)
from 2d6a1c5da64195784b0b102edb268356a24d84b5 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit 87232351b5e66728f8d602259961909e8c1dfcb6
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Mon Apr 21 17:48:31 2008 +0200
Add in a nice big comment explaining why SamLogonEx matters.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source/winbindd/winbindd_pam.c | 21 +++++++++++++++++++++
1 files changed, 21 insertions(+), 0 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/winbindd/winbindd_pam.c b/source/winbindd/winbindd_pam.c
index bc27f3d..2de10a9 100644
--- a/source/winbindd/winbindd_pam.c
+++ b/source/winbindd/winbindd_pam.c
@@ -1307,6 +1307,27 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct
winbindd_domain *domain,
goto done;
}
+ /* It is really important to try SamLogonEx here,
+ * because in a clustered environment, we want to use
+ * one machine account from multiple physical
+ * computers.
+ *
+ * With a normal SamLogon call, we must keep the
+ * credentials chain updated and intact between all
+ * users of the machine account (which would imply
+ * cross-node communication for every NTLM logon).
+ *
+ * (The credentials chain is not per NETLOGON pipe
+ * connection, but globally on the server/client pair
+ * by machine name).
+ *
+ * When using SamLogonEx, the credentials are not
+ * supplied, but the session key is implied by the
+ * wrapping SamLogon context.
+ *
+ * -- abartlet 21 April 2008
+ */
+
logon_fn = contact_domain->can_do_samlogon_ex
? rpccli_netlogon_sam_network_logon_ex
: rpccli_netlogon_sam_network_logon;
--
Samba Shared Repository
