[SCM] Samba Shared Repository - branch v3-2-test updated -
initial-v3-2-test-1679-gf53658a
Gerald W. Carter
jerry at samba.org
Fri Jan 25 18:38:32 GMT 2008
The branch, v3-2-test has been updated
via f53658a20de07a29abbe2e90917b328d00fc0024 (commit)
via 8b063a414149bdf401a8f854d55ed7dc6f94cb60 (commit)
from 95e0fb452bda4c81b26e3dec4953bbba37940467 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit f53658a20de07a29abbe2e90917b328d00fc0024
Author: Gerald W. Carter <jerry at samba.org>
Date: Fri Jan 25 12:21:14 2008 -0600
Always trust the domain flags in the wcache trusted domain cache.
Use the flags stored in the tdb when determining if a domain can
be contacted. The tdb should be considered authoritative anyway unless
you know the flags in the winbindd_domain are correct (such as when
first enumerating trusts).
Original suggestion and patch from Steven Danneman <steven.danneman at isilon.com>.
Manually rewritten by me for 3.2.
commit 8b063a414149bdf401a8f854d55ed7dc6f94cb60
Author: Gerald W. Carter <jerry at samba.org>
Date: Fri Jan 25 12:18:05 2008 -0600
Use the correct domain name when looking up the trust password.
On a DC, we always use the domain name given. On a domain member,
we use lp_workgroup(). This fixes a bug supporting trusted domains.
-----------------------------------------------------------------------
Summary of changes:
source/winbindd/winbindd_cm.c | 16 ++++++++++++-
source/winbindd/winbindd_util.c | 46 ++++++++++++++++++++++++++++-----------
2 files changed, 48 insertions(+), 14 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 0c5fa0e..9491007 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -679,8 +679,22 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
char **machine_krb5_principal)
{
const char *account_name;
+ const char *name = NULL;
+
+ /* If we are a DC and this is not our own domain */
+
+ if (IS_DC) {
+ name = domain->name;
+ } else {
+ struct winbindd_domain *our_domain = find_our_domain();
- if (!get_trust_pw_clear(domain->name, machine_password,
+ if (!our_domain)
+ return NT_STATUS_INVALID_SERVER_STATE;
+
+ name = our_domain->name;
+ }
+
+ if (!get_trust_pw_clear(name, machine_password,
&account_name, NULL))
{
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
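Review bot: The comment `/* If we are a DC and this is not our own domain */` above the new `if (IS_DC)` branch does not describe the condition, which tests only `IS_DC` and never checks whether `domain` is our own. Because this branch decides which name is passed to `get_trust_pw_clear()`, the comment should state the actual rule, for example `/* On a DC look up the trust password under the given domain's name; on a member server use our own domain's name */`. The commit message says the member case uses lp_workgroup(), while the code takes the name from `find_our_domain()`; if the two can ever differ, one of them should be corrected. get_trust_creds continues past the end of this hunk.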
diff --git a/source/winbindd/winbindd_util.c b/source/winbindd/winbindd_util.c
index d16b742..f6bb575 100644
--- a/source/winbindd/winbindd_util.c
+++ b/source/winbindd/winbindd_util.c
@@ -1386,36 +1386,56 @@ void ws_name_return( char *name, char replace )
/*********************************************************************
********************************************************************/
-bool winbindd_can_contact_domain( struct winbindd_domain *domain )
+bool winbindd_can_contact_domain(struct winbindd_domain *domain)
{
+ struct winbindd_tdc_domain *tdc = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+ bool ret = false;
+
/* We can contact the domain if it is our primary domain */
- if ( domain->primary )
- return True;
+ if (domain->primary) {
+ return true;
+ }
- /* Can always contact a domain that is in out forest */
+ /* Trust the TDC cache and not the winbindd_domain flags */
- if ( domain->domain_flags & DS_DOMAIN_IN_FOREST )
- return True;
+ if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
+ DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
+ domain->name));
+ return false;
+ }
+
+ /* Can always contact a domain that is in out forest */
+ if (tdc->trust_flags & DS_DOMAIN_IN_FOREST) {
+ ret = true;
+ goto done;
+ }
+
/*
* On a _member_ server, we cannot contact the domain if it
* is running AD and we have no inbound trust.
*/
- if ( !IS_DC &&
+ if (!IS_DC &&
domain->active_directory &&
- ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) )
+ ((tdc->trust_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND))
{
- DEBUG(10, ("Domain is an AD domain and we have no inbound "
- "trust.\n"));
- return False;
+ DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
+ "and we have no inbound trust.\n", domain->name));
+ goto done;
}
-
+
/* Assume everything else is ok (probably not true but what
can you do?) */
+
+ ret = true;
+
+done:
+ talloc_destroy(frame);
- return True;
+ return ret;
}
/*********************************************************************
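Review bot: Two early exits in winbindd_can_contact_domain skip the `done:` label, so the frame created by `talloc_stackframe()` at the top of the function is never released on those paths. They are `return true;` in the `domain->primary` branch and `return false;` after the failed `wcache_tdc_fetch_domain()` lookup. Both should go through the cleanup: `ret = true; goto done;` for the primary domain and a plain `goto done;` for the cache miss. A short comment on the cache-miss branch would also help, because a domain missing from the trusted domain cache is now reported as not contactable, where the old code decided from the in-memory `domain_flags`.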
--
Samba Shared Repository