[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-test-1679-gf53658a

Gerald W. Carter jerry at samba.org
Fri Jan 25 18:38:32 GMT 2008


The branch, v3-2-test has been updated
       via  f53658a20de07a29abbe2e90917b328d00fc0024 (commit)
       via  8b063a414149bdf401a8f854d55ed7dc6f94cb60 (commit)
      from  95e0fb452bda4c81b26e3dec4953bbba37940467 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit f53658a20de07a29abbe2e90917b328d00fc0024
Author: Gerald W. Carter <jerry at samba.org>
Date:   Fri Jan 25 12:21:14 2008 -0600

    Always trust the domain flags in the wcache trusted domain cache.
    
    Use the flags stored in the tdb when determining if a domain can
    be contacted.  The tdb should be considered authoritative anyways unless
    you know the flags in the winbindd_domain are correct (such as when
    first enumerating trusts).
    
    Original suggestion and patch from Steven Danneman <steven.danneman at isilon.com>.
    Manually rewritten by me for 3.2.

commit 8b063a414149bdf401a8f854d55ed7dc6f94cb60
Author: Gerald W. Carter <jerry at samba.org>
Date:   Fri Jan 25 12:18:05 2008 -0600

    Use the correct domain name when looking up the trust password.
    
    On a DC, we always use the domain name given.  On a domain member,
    we use lp_workgroup().  This fixes a bug supporting trusted domains.

-----------------------------------------------------------------------

Summary of changes:
 source/winbindd/winbindd_cm.c   |   16 ++++++++++++-
 source/winbindd/winbindd_util.c |   46 ++++++++++++++++++++++++++++-----------
 2 files changed, 48 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 0c5fa0e..9491007 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -679,8 +679,22 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
 				char **machine_krb5_principal)
 {
 	const char *account_name;
+	const char *name = NULL;
+	
+	/* If we are a DC and this is not our own domain */
+
+	if (IS_DC) {
+		name = domain->name;
+	} else {
+		struct winbindd_domain *our_domain = find_our_domain();
 
-	if (!get_trust_pw_clear(domain->name, machine_password,
+		if (!our_domain)
+			return NT_STATUS_INVALID_SERVER_STATE;		
+		
+		name = our_domain->name;		
+	}	
+	
+	if (!get_trust_pw_clear(name, machine_password,
 				&account_name, NULL))
 	{
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
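Review bot: The comment `/* If we are a DC and this is not our own domain */` does not match the condition under it, which tests only `IS_DC`; on a DC the passed-in `domain->name` is used even when it is the DC's own domain. Because this branch decides which trust secret `get_trust_pw_clear()` fetches, the comment should state the actual rule, for example `/* On a DC, look up the trust password for the given domain; on a member, always use our own domain's machine account. */`. The added lines also end in stray tabs after `return NT_STATUS_INVALID_SERVER_STATE;`, `name = our_domain->name;` and the closing `}`. get_trust_creds begins and ends outside this hunk.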
diff --git a/source/winbindd/winbindd_util.c b/source/winbindd/winbindd_util.c
index d16b742..f6bb575 100644
--- a/source/winbindd/winbindd_util.c
+++ b/source/winbindd/winbindd_util.c
@@ -1386,36 +1386,56 @@ void ws_name_return( char *name, char replace )
 /*********************************************************************
  ********************************************************************/
 
-bool winbindd_can_contact_domain( struct winbindd_domain *domain )
+bool winbindd_can_contact_domain(struct winbindd_domain *domain)
 {
+	struct winbindd_tdc_domain *tdc = NULL;
+	TALLOC_CTX *frame = talloc_stackframe();
+	bool ret = false;
+
 	/* We can contact the domain if it is our primary domain */
 
-	if ( domain->primary )
-		return True;
+	if (domain->primary) {
+		return true;
+	}
 
-	/* Can always contact a domain that is in out forest */
+	/* Trust the TDC cache and not the winbindd_domain flags */
 
-	if ( domain->domain_flags & DS_DOMAIN_IN_FOREST )
-		return True;	
+	if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
+		DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
+			  domain->name));
+		return false;
+	}
+
+	/* Can always contact a domain that is in out forest */
 
+	if (tdc->trust_flags & DS_DOMAIN_IN_FOREST) {
+		ret = true;
+		goto done;
+	}
+	
 	/*
 	 * On a _member_ server, we cannot contact the domain if it
 	 * is running AD and we have no inbound trust.
 	 */
 
-	if ( !IS_DC &&
+	if (!IS_DC && 
 	     domain->active_directory &&
-	     ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) ) 
+	    ((tdc->trust_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND))
 	{
-		DEBUG(10, ("Domain is an AD domain and we have no inbound "
-			   "trust.\n"));
-		return False;
+		DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
+			   "and we have no inbound trust.\n", domain->name));
+		goto done;
 	}
-	
+
 	/* Assume everything else is ok (probably not true but what
 	   can you do?) */
+
+	ret = true;	
+
+done:	
+	talloc_destroy(frame);
 	
-	return True;	
+	return ret;	
 }
 
 /*********************************************************************
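Review bot: Both early exits in winbindd_can_contact_domain skip the `done:` label, so the frame from `talloc_stackframe()` is never released on those paths: `return true;` in the `domain->primary` branch and `return false;` after the cache-miss DEBUG. Route them through the cleanup like the later branches do, with `ret = true; goto done;` for the primary domain and `goto done;` for the cache miss. Separately, a domain absent from the TDC cache is now reported as not contactable, while `domain->active_directory` is still read from the winbindd_domain rather than the cache. A short comment at the cache-miss branch saying whether that fail-closed result is intended would help the next reader.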


-- 
Samba Shared Repository

