svn commit: samba r16480 - branches/SAMBA_3_0/source/nsswitch trunk/source/nsswitch

[gd at samba.org]

Author: gd
Date: 2006-06-23 01:17:33 +0000 (Fri, 23 Jun 2006)
New Revision: 16480

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=16480

Log:
(Ugly) workaround before the set_dc_type_flags & friends cleanup:

When trying to login using krb5 with a trusted domain account, we
need to make sure that our and the remote domain are AD.

Guenther

Modified:
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
   trunk/source/nsswitch/winbindd_pam.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-06-22 23:56:20 UTC (rev 16479)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-06-23 01:17:33 UTC (rev 16480)
@@ -6,7 +6,7 @@
    Copyright (C) Andrew Tridgell 2000
    Copyright (C) Tim Potter 2001
    Copyright (C) Andrew Bartlett 2001-2002
-   Copyright (C) Guenther Deschner 2005
+   Copyright (C) Guenther Deschner 2005-2006
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -221,6 +221,44 @@
 		return NULL;
 	}
 
+	if (strequal(domain_name, lp_workgroup())) {
+		return find_our_domain();
+	}
+
+#ifdef HAVE_ADS
+
+	/* when trying to login using krb5 with a trusted domain account, we
+	 * need to make sure that our and the remote domain are AD */
+
+	if ((state->request.flags & WBFLAG_PAM_KRB5) &&
+	    (lp_security() == SEC_ADS)) {
+
+		struct winbindd_domain *our_domain = find_our_domain();
+
+		if (!our_domain->active_directory) {
+			DEBUG(3,("find_auth_domain: out domain is not AD\n"));
+			return NULL;
+		}
+		
+		if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) {
+			return NULL;
+		}
+
+		/* do we already know it's AD ? */
+		if (domain->active_directory) {
+			return domain;
+		} 
+
+		set_dc_type_and_flags(domain);
+
+		if (!domain->active_directory) {
+			DEBUG(3,("find_auth_domain: remote domain is not AD\n"));
+			return NULL;
+		}
+
+		return domain;
+	}
+#endif
 	return find_our_domain();
 }
 

Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c	2006-06-22 23:56:20 UTC (rev 16479)
+++ trunk/source/nsswitch/winbindd_pam.c	2006-06-23 01:17:33 UTC (rev 16480)
@@ -6,7 +6,7 @@
    Copyright (C) Andrew Tridgell 2000
    Copyright (C) Tim Potter 2001
    Copyright (C) Andrew Bartlett 2001-2002
-   Copyright (C) Guenther Deschner 2005
+   Copyright (C) Guenther Deschner 2005-2006
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -221,6 +221,44 @@
 		return NULL;
 	}
 
+	if (strequal(domain_name, lp_workgroup())) {
+		return find_our_domain();
+	}
+
+#ifdef HAVE_ADS
+
+	/* when trying to login using krb5 with a trusted domain account, we
+	 * need to make sure that our and the remote domain are AD */
+
+	if ((state->request.flags & WBFLAG_PAM_KRB5) &&
+	    (lp_security() == SEC_ADS)) {
+
+		struct winbindd_domain *our_domain = find_our_domain();
+
+		if (!our_domain->active_directory) {
+			DEBUG(3,("find_auth_domain: out domain is not AD\n"));
+			return NULL;
+		}
+		
+		if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) {
+			return NULL;
+		}
+
+		/* do we already know it's AD ? */
+		if (domain->active_directory) {
+			return domain;
+		} 
+
+		set_dc_type_and_flags(domain);
+
+		if (!domain->active_directory) {
+			DEBUG(3,("find_auth_domain: remote domain is not AD\n"));
+			return NULL;
+		}
+
+		return domain;
+	}
+#endif
 	return find_our_domain();
 }