[SCM] Samba Shared Repository - branch v3-2-test updated -
initial-v3-2-unstable-633-g537b126
Michael Adam
obnox at samba.org
Thu Dec 13 09:17:58 GMT 2007
The branch, v3-2-test has been updated
via 537b12647e25adcb7da3581f18d2e9feca1caf0c (commit)
via e180bbd45452435e981192028a0ad90078c04236 (commit)
via 481f18b20d6d5ee12c62120a3559bb16cc98e465 (commit)
via 18c66a364e0ddc4960769871ca190944f7fe5c44 (commit)
via e77c4022cfbb868e608edcb06b676658b0e201ad (commit)
via b2e12365b56f24586a7dfcb845f4de51f0b0e7d5 (commit)
via 0cde7ac9cb39a0026a38ccf66dbecefc12931074 (commit)
via 4562342eb84e6fdcec15d8b7ae83aa146aabe2b7 (commit)
via 91da12b751b3168dc40049f3e90c10d840393efc (commit)
via 6ced4a7f88798dc449a667d63bc29bf6c569291f (commit)
via cdc60d8ae8c0ef804206b20b451e9557f97d4439 (commit)
via 164bfb25d7b5cfeffeb4d81958b7629a11ca5d5e (commit)
via 4788fe392427901f6b1c505e3a743136ac8a91ca (commit)
from dd320c0924ce393a89b1cab020fd5cffc5b80380 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit 537b12647e25adcb7da3581f18d2e9feca1caf0c
Author: Michael Adam <obnox at samba.org>
Date: Wed Nov 28 02:15:37 2007 +0100
Add flags for correctly implementing lsa_lookup_name levels.
(Prepare fix for Bug #4801.)
Michael
commit e180bbd45452435e981192028a0ad90078c04236
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 16:34:39 2007 +0100
Make cm_connect_sam() try harder to connect autheticated.
Even if the session setup was anonymous, try and collect
trust creds with get_trust_creds() and use these before
falling back to schannel.
This is the first attempt to fix interdomain trusts.
(get password policy and stuff)
Michael
commit 481f18b20d6d5ee12c62120a3559bb16cc98e465
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 16:32:38 2007 +0100
Refactor out assembling of trust creds (pw, account name, principal).
Michael
commit 18c66a364e0ddc4960769871ca190944f7fe5c44
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 15:39:36 2007 +0100
Streamline and fix logic of cm_prepare_connection().
Do not attempt to do a session setup when in a trusted domain
situation (this gives STATUS_NOLOGON_TRUSTED_DOMAIN_ACCOUNT).
Use get_trust_pw_clear to get machine trust account.
Only call this when the results is really used.
Use the proper domain and account name for session setup.
Michael
commit e77c4022cfbb868e608edcb06b676658b0e201ad
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 14:36:11 2007 +0100
Refactoring out get_schannel_session_key logic.
Refactor the actual retrieval of the session key through the
established netlogon pipe out of get_schannel_session_key()
and get_schannel_session_key_auth_ntlmssp() into a new
function get_schannel_session_key_common().
(To avoid code duplication.)
Michael
commit b2e12365b56f24586a7dfcb845f4de51f0b0e7d5
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 14:12:49 2007 +0100
Pass NULL instead of unneeded &sid: pdb_get_trusteddom_pw() checks.
Michael
commit 0cde7ac9cb39a0026a38ccf66dbecefc12931074
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 14:07:32 2007 +0100
Rename get_trust_pw() to get_trust_pw_hash().
Michael
commit 4562342eb84e6fdcec15d8b7ae83aa146aabe2b7
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 13:59:54 2007 +0100
Export logic of get_trust_pw() to new function get_trust_pw_clear().
get_trust_pw() just now computes the md4 hash of the result of
get_trust_pw_clear() if that was successful. As a last resort,
in the non-trusted-domain-situation, get_trust_pw() now tries to
directly obtain the hashed version of the password out of secrets.tdb.
Michael
commit 91da12b751b3168dc40049f3e90c10d840393efc
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 14:02:45 2007 +0100
Refactor the lagacy part of secrets_fetch_trust_account_password() out
into a new function secrets_fetch_trust_account_password_legacy() that
does only try to obtain the hashed version of the machine password directly
from secrets.tdb.
Michael
commit 6ced4a7f88798dc449a667d63bc29bf6c569291f
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 13:05:44 2007 +0100
Let get_trust_pw() determine the machine_account_name to use.
Up to now each caller used its own logic.
This eliminates code paths where there was a special treatment
of the following situation: the domain given is not our workgroup
(i.e. our own domain) and we are not a DC (i.e. it is not a typical
trusted domain situation). In situation the given domain name was
previously used as the machine account name, resulting in an account
name of DOMAIN\\DOMAIN$, which does not seem very reasonable to me.
get_trust_pw would not have obtained a password in this situation
anyways.
I hope I have not missed an important point here!
Michael
commit cdc60d8ae8c0ef804206b20b451e9557f97d4439
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 12:47:28 2007 +0100
Streamline logic in cm_connect_netlogon()
by retrieving trust password only, when it will be used.
Michael
commit 164bfb25d7b5cfeffeb4d81958b7629a11ca5d5e
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 08:52:20 2007 +0100
In cm_prepare_connection(), only get auth user creds if we need to.
Michael
commit 4788fe392427901f6b1c505e3a743136ac8a91ca
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 10 23:53:55 2007 +0100
Remove two unneeded functions.
secrets_store_trust_account_password() and trust_password_delete()
are the write access functions to the SECRETS/$MACHINE.ACC/domain keys
in secrets.tdb, the md4 hashed machine passwords. These are not used
any more: Current code always writes the clear text password.
Michael
-----------------------------------------------------------------------
Summary of changes:
source/auth/auth_domain.c | 7 ++-
source/include/smb.h | 10 +++-
source/passdb/passdb.c | 85 +++++++++++++++++++-----
source/passdb/secrets.c | 67 +++++++++----------
source/rpc_client/cli_pipe.c | 126 ++++++++++++-----------------------
source/winbindd/winbindd_cm.c | 145 +++++++++++++++++++++++++----------------
6 files changed, 248 insertions(+), 192 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/auth/auth_domain.c b/source/auth/auth_domain.c
index 7cddabb..b2c8717 100644
--- a/source/auth/auth_domain.c
+++ b/source/auth/auth_domain.c
@@ -127,8 +127,11 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
uint32 sec_chan_type = 0;
unsigned char machine_pwd[16];
+ const char *account_name;
- if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+ if (!get_trust_pw_hash(domain, machine_pwd, &account_name,
+ &sec_chan_type))
+ {
DEBUG(0, ("connect_to_domain_password_server: could not fetch "
"trust account password for domain '%s'\n",
domain));
@@ -142,7 +145,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
dc_name, /* server name */
domain, /* domain */
global_myname(), /* client name */
- global_myname(), /* machine account name */
+ account_name, /* machine account name */
machine_pwd,
sec_chan_type,
&neg_flags);
diff --git a/source/include/smb.h b/source/include/smb.h
index d58c124..a725ae1 100644
--- a/source/include/smb.h
+++ b/source/include/smb.h
@@ -242,6 +242,7 @@ typedef uint64_t NTTIME;
#define SID_MAX_SIZE ((size_t)(8+(MAXSUBAUTHS*4)))
+#define LOOKUP_NAME_NONE 0x00000000
#define LOOKUP_NAME_ISOLATED 0x00000001 /* Look up unqualified names */
#define LOOKUP_NAME_REMOTE 0x00000002 /* Ask others */
#define LOOKUP_NAME_GROUP 0x00000004 /* (unused) This is a NASTY hack for
@@ -250,7 +251,14 @@ typedef uint64_t NTTIME;
#define LOOKUP_NAME_EXPLICIT 0x00000008 /* Only include
explicitly mapped names and not
the Unix {User,Group} domain */
-#define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE)
+#define LOOKUP_NAME_BUILTIN 0x00000010 /* builtin names */
+#define LOOKUP_NAME_WKN 0x00000020 /* well known names */
+#define LOOKUP_NAME_DOMAIN 0x00000040 /* only lookup own domain */
+#define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED\
+ |LOOKUP_NAME_REMOTE\
+ |LOOKUP_NAME_BUILTIN\
+ |LOOKUP_NAME_WKN\
+ |LOOKUP_NAME_DOMAIN)
/**
* @brief Security Identifier
diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
index 2a4d4c4..c4248bb 100644
--- a/source/passdb/passdb.c
+++ b/source/passdb/passdb.c
@@ -1521,46 +1521,99 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
return True;
}
+bool is_trusted_domain_situation(const char *domain_name)
+{
+ return IS_DC &&
+ lp_allow_trusted_domains() &&
+ !strequal(domain_name, lp_workgroup());
+}
/*******************************************************************
- Wrapper around retrieving the trust account password
+ Wrapper around retrieving the clear text trust account password.
+ appropriate account name is stored in account_name.
+ Caller must free password, but not account_name.
*******************************************************************/
-bool get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
+bool get_trust_pw_clear(const char *domain, char **ret_pwd,
+ const char **account_name, uint32 *channel)
{
- DOM_SID sid;
char *pwd;
time_t last_set_time;
/* if we are a DC and this is not our domain, then lookup an account
- for the domain trust */
+ * for the domain trust */
- if (IS_DC && !strequal(domain, lp_workgroup()) &&
- lp_allow_trusted_domains())
- {
- if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time))
+ if (is_trusted_domain_situation(domain)) {
+ if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
+ &last_set_time))
{
DEBUG(0, ("get_trust_pw: could not fetch trust "
"account password for trusted domain %s\n",
domain));
- return False;
+ return false;
}
*channel = SEC_CHAN_DOMAIN;
- E_md4hash(pwd, ret_pwd);
- SAFE_FREE(pwd);
- return True;
+ if (account_name != NULL) {
+ *account_name = lp_workgroup();
+ }
+
+ return true;
}
/* Just get the account for the requested domain. In the future this
* might also cover to be member of more than one domain. */
- if (secrets_fetch_trust_account_password(domain, ret_pwd,
- &last_set_time, channel))
- return True;
+ pwd = secrets_fetch_machine_password(domain, &last_set_time, channel);
+
+ if (pwd != NULL) {
+ *ret_pwd = pwd;
+ if (account_name != NULL) {
+ *account_name = global_myname();
+ }
+
+ return true;
+ }
+
+ DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
+ "account password for domain %s\n", domain));
+ return false;
+}
+
+/*******************************************************************
+ Wrapper around retrieving the trust account password.
+ appropriate account name is stored in account_name.
+*******************************************************************/
+
+bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
+ const char **account_name, uint32 *channel)
+{
+ char *pwd = NULL;
+ time_t last_set_time;
+
+ if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
+ E_md4hash(pwd, ret_pwd);
+ SAFE_FREE(pwd);
+ return true;
+ } else if (is_trusted_domain_situation(domain)) {
+ return false;
+ }
+
+ /* as a fallback, try to get the hashed pwd directly from the tdb... */
+
+ if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
+ &last_set_time,
+ channel))
+ {
+ if (account_name != NULL) {
+ *account_name = global_myname();
+ }
+
+ return true;
+ }
- DEBUG(5, ("get_trust_pw: could not fetch trust account "
+ DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
"password for domain %s\n", domain));
return False;
}
diff --git a/source/passdb/secrets.c b/source/passdb/secrets.c
index a4cb766..fde7fc0 100644
--- a/source/passdb/secrets.c
+++ b/source/passdb/secrets.c
@@ -284,27 +284,19 @@ uint32 get_default_sec_channel(void)
/************************************************************************
Routine to get the trust account password for a domain.
+ This only tries to get the legacy hashed version of the password.
The user of this function must have locked the trust password file using
the above secrets_lock_trust_account_password().
************************************************************************/
-bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
- time_t *pass_last_set_time,
- uint32 *channel)
+bool secrets_fetch_trust_account_password_legacy(const char *domain,
+ uint8 ret_pwd[16],
+ time_t *pass_last_set_time,
+ uint32 *channel)
{
struct machine_acct_pass *pass;
- char *plaintext;
size_t size = 0;
- plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
- channel);
- if (plaintext) {
- DEBUG(4,("Using cleartext machine password\n"));
- E_md4hash(plaintext, ret_pwd);
- SAFE_FREE(plaintext);
- return True;
- }
-
if (!(pass = (struct machine_acct_pass *)secrets_fetch(
trust_keystr(domain), &size))) {
DEBUG(5, ("secrets_fetch failed!\n"));
@@ -337,6 +329,32 @@ bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
return True;
}
+/************************************************************************
+ Routine to get the trust account password for a domain.
+ The user of this function must have locked the trust password file using
+ the above secrets_lock_trust_account_password().
+************************************************************************/
+
+bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
+ time_t *pass_last_set_time,
+ uint32 *channel)
+{
+ char *plaintext;
+
+ plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
+ channel);
+ if (plaintext) {
+ DEBUG(4,("Using cleartext machine password\n"));
+ E_md4hash(plaintext, ret_pwd);
+ SAFE_FREE(plaintext);
+ return True;
+ }
+
+ return secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
+ pass_last_set_time,
+ channel);
+}
+
/**
* Pack SID passed by pointer
*
@@ -558,20 +576,6 @@ bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
return True;
}
-/************************************************************************
- Routine to set the trust account password for a domain.
-************************************************************************/
-
-bool secrets_store_trust_account_password(const char *domain, uint8 new_pwd[16])
-{
- struct machine_acct_pass pass;
-
- pass.mod_time = time(NULL);
- memcpy(pass.hash, new_pwd, 16);
-
- return secrets_store(trust_keystr(domain), (void *)&pass, sizeof(pass));
-}
-
/**
* Routine to store the password for trusted domain
*
@@ -722,15 +726,6 @@ char *secrets_fetch_machine_password(const char *domain,
}
/************************************************************************
- Routine to delete the machine trust account password file for a domain.
-************************************************************************/
-
-bool trust_password_delete(const char *domain)
-{
- return secrets_delete(trust_keystr(domain));
-}
-
-/************************************************************************
Routine to delete the password for trusted domain
************************************************************************/
diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c
index 37558a7..f61ea95 100644
--- a/source/rpc_client/cli_pipe.c
+++ b/source/rpc_client/cli_pipe.c
@@ -2424,49 +2424,29 @@ struct rpc_pipe_client *cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
}
/****************************************************************************
- Open a netlogon pipe and get the schannel session key.
- Now exposed to external callers.
+ Get a the schannel session key out of an already opened netlogon pipe.
****************************************************************************/
-
-struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
- const char *domain,
- uint32 *pneg_flags,
- NTSTATUS *perr)
+static bool get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
+ struct cli_state *cli,
+ const char *domain,
+ uint32 *pneg_flags,
+ NTSTATUS *perr)
{
- struct rpc_pipe_client *netlogon_pipe = NULL;
uint32 sec_chan_type = 0;
unsigned char machine_pwd[16];
- fstring machine_account;
-
- netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
- if (!netlogon_pipe) {
- return NULL;
- }
+ const char *machine_account;
/* Get the machine account credentials from secrets.tdb. */
- if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+ if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
+ &sec_chan_type))
+ {
DEBUG(0, ("get_schannel_session_key: could not fetch "
"trust account password for domain '%s'\n",
domain));
- cli_rpc_pipe_close(netlogon_pipe);
*perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- return NULL;
+ return false;
}
- /* A DC should use DOMAIN$ as its account name.
- A member server can only use it's machine name since it
- does not have an account in a trusted domain.
-
- We don't check the domain against lp_workgroup() here since
- 'net ads join' has to continue to work with only the realm
- specified in smb.conf. -- jerry */
-
- if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
- fstrcpy( machine_account, lp_workgroup() );
- } else {
- fstrcpy(machine_account, global_myname());
- }
-
*perr = rpccli_netlogon_setup_creds(netlogon_pipe,
cli->desthost, /* server name */
domain, /* domain */
@@ -2477,11 +2457,10 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
pneg_flags);
if (!NT_STATUS_IS_OK(*perr)) {
- DEBUG(3,("get_schannel_session_key: rpccli_netlogon_setup_creds "
+ DEBUG(3,("get_schannel_session_key_common: rpccli_netlogon_setup_creds "
"failed with result %s to server %s, domain %s, machine account %s.\n",
nt_errstr(*perr), cli->desthost, domain, machine_account ));
- cli_rpc_pipe_close(netlogon_pipe);
- return NULL;
+ return false;
}
if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
@@ -2489,6 +2468,34 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
cli->desthost));
cli_rpc_pipe_close(netlogon_pipe);
*perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
+ return false;
+ }
+
+ return true;
+}
+
+/****************************************************************************
+ Open a netlogon pipe and get the schannel session key.
+ Now exposed to external callers.
+ ****************************************************************************/
+
+
+struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
+ const char *domain,
+ uint32 *pneg_flags,
+ NTSTATUS *perr)
+{
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+
+ netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
+ if (!netlogon_pipe) {
+ return NULL;
+ }
+
+ if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
+ pneg_flags, perr))
+ {
+ cli_rpc_pipe_close(netlogon_pipe);
return NULL;
}
@@ -2560,61 +2567,16 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
NTSTATUS *perr)
{
struct rpc_pipe_client *netlogon_pipe = NULL;
- uint32 sec_chan_type = 0;
- unsigned char machine_pwd[16];
- fstring machine_account;
netlogon_pipe = cli_rpc_pipe_open_spnego_ntlmssp(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, perr);
if (!netlogon_pipe) {
return NULL;
}
- /* Get the machine account credentials from secrets.tdb. */
- if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
- DEBUG(0, ("get_schannel_session_key_auth_ntlmssp: could not fetch "
- "trust account password for domain '%s'\n",
- domain));
- cli_rpc_pipe_close(netlogon_pipe);
- *perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- return NULL;
- }
-
- /* if we are a DC and this is a trusted domain, then we need to use our
- domain name in the net_req_auth2() request */
-
- if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
- fstrcpy( machine_account, lp_workgroup() );
- } else {
- /* Hmmm. Is this correct for trusted domains when we're a member server ? JRA. */
- if (strequal(domain, lp_workgroup())) {
- fstrcpy(machine_account, global_myname());
- } else {
- fstrcpy(machine_account, domain);
- }
- }
-
- *perr = rpccli_netlogon_setup_creds(netlogon_pipe,
- cli->desthost, /* server name */
- domain, /* domain */
- global_myname(), /* client name */
- machine_account, /* machine account name */
- machine_pwd,
- sec_chan_type,
- pneg_flags);
-
- if (!NT_STATUS_IS_OK(*perr)) {
- DEBUG(3,("get_schannel_session_key_auth_ntlmssp: rpccli_netlogon_setup_creds "
- "failed with result %s\n",
- nt_errstr(*perr) ));
- cli_rpc_pipe_close(netlogon_pipe);
- return NULL;
- }
-
- if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
- DEBUG(3, ("get_schannel_session_key_auth_ntlmssp: Server %s did not offer schannel\n",
- cli->desthost));
+ if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
+ pneg_flags, perr))
+ {
cli_rpc_pipe_close(netlogon_pipe);
- *perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
return NULL;
}
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 3f65449..cb366a2 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -635,6 +635,40 @@ static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain,
return True;
}
+/**
+ * Helper function to assemble trust password and account name
+ */
+static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
+ char **machine_password,
+ char **machine_account,
+ char **machine_krb5_principal)
+{
+ const char *account_name;
+
+ if (!get_trust_pw_clear(domain->name, machine_password,
+ &account_name, NULL))
+ {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ if ((machine_account != NULL) &&
+ (asprintf(machine_account, "%s$", account_name) == -1))
+ {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* this is at least correct when domain is our domain,
+ * which is the only case, when this is currently used: */
+ if ((machine_krb5_principal != NULL) &&
+ (asprintf(machine_krb5_principal, "%s$@%s", account_name,
+ domain->alt_name) == -1))
+ {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
--
Samba Shared Repository
More information about the samba-cvs
mailing list