From 263092d3541a2d33e3ac8ddc5088e66aa9d1ccfb Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Tue, 11 Dec 2007 12:47:28 +0100
Subject: [PATCH] Streamline logic in cm_connect_netlogon()

by retrieving trust password only, when it will be used.

Michael
---
 source/nsswitch/winbindd_cm.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index ddfb3071cd8..bf8bdb1a718 100644
--- a/source/nsswitch/winbindd_cm.c
+++ b/source/nsswitch/winbindd_cm.c
@@ -1975,10 +1975,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 		return NT_STATUS_OK;
 	}
 
-	if ((IS_DC || domain->primary) && !get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-	}
-
 	netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
 						 &result);
 	if (netlogon_pipe == NULL) {
@@ -1990,11 +1986,16 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 		neg_flags &= ~NETLOGON_NEG_SCHANNEL;		
 		goto no_schannel;
 	}
-	
+
 	if (lp_client_schannel() != False) {
 		neg_flags |= NETLOGON_NEG_SCHANNEL;
 	}
 
+	if (!get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
+		cli_rpc_pipe_close(netlogon_pipe);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
 	/* if we are a DC and this is a trusted domain, then we need to use our
 	   domain name in the net_req_auth2() request */
 
-- 
2.11.4.GIT