From cbb2ad1b1d3b388c6d4a4612338e9cc4eea351e1 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Sun, 6 May 2007 19:48:13 +0000
Subject: [PATCH] r22709: we can only use tschannel when commectcing to our primary (might need some fixing here for a Samba DC)
---
 source/nsswitch/winbindd_cm.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index 7918e5d03fd..1f137a0135b 100644
--- source/nsswitch/winbindd_cm.c
+++ source/nsswitch/winbindd_cm.c
@@ -1975,7 +1975,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 return NT_STATUS_OK;
 }

- if (!get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
+ if (domain->primary && !get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 }

@@ -1985,6 +1985,12 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 return result;
 }

+ if ( !domain->primary ) {
+ /* Clear the schannel request bit and drop down */
+ neg_flags &= ~NETLOGON_NEG_SCHANNEL;
+ goto no_schannel;
+ }
+
 if (lp_client_schannel() != False) {
 neg_flags |= NETLOGON_NEG_SCHANNEL;
 }
@@ -2029,6 +2035,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 return NT_STATUS_ACCESS_DENIED;
 }

+ no_schannel:
 if ((lp_client_schannel() == False) ||
 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
 /* We're done - just keep the existing connection to NETLOGON
--
2.11.4.GIT
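Review bot: With the added `domain->primary &&` guard, a non-primary domain now passes this check without get_trust_pw() having filled `mach_pwd` and `sec_chan_type`. Their declarations are outside the hunk, so it is not visible whether they are initialised. The change is safe only if every later use is skipped, which appears to depend on the `goto no_schannel` added in the second hunk. I would state that dependency above the condition, e.g. `/* trust password is only needed for the schannel setup, which non-primary domains skip */`, so a later edit to either place does not start reading unset credential buffers. cm_connect_netlogon begins and ends outside the hunk.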
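Review bot: The new `if ( !domain->primary )` branch jumps to `no_schannel` before the `lp_client_schannel()` test, so NETLOGON connections to non-primary domains proceed without schannel whatever `client schannel` is set to. The `return NT_STATUS_ACCESS_DENIED;` shown as context in the third hunk looks like the existing failure path for a required but unavailable schannel (its condition is outside the hunks). This jump bypasses it, so a site that requires schannel would get a silent downgrade for trusted domains. At minimum I would log the downgrade before the jump, assuming the file's usual DEBUG macro, e.g. `DEBUG(3, ("cm_connect_netlogon: not using schannel for non-primary domain %s\n", domain->name));`, and have the comment say why schannel cannot be used here. The spacing in `if ( !domain->primary )` also differs from the surrounding `if (...)` style.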