[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-475-g2e24f7c

Gerald Carter jerry at samba.org
Thu Mar 27 16:58:42 GMT 2008


The branch, v3-2-test has been updated
       via  2e24f7c0243c67a00102c11258cfa6f61caf499f (commit)
       via  4de4949e3bfcfb2169c329f19cb76936d9043d50 (commit)
      from  0d617f639a3c9c52e4327aed4bd02d9e8e7312a2 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit 2e24f7c0243c67a00102c11258cfa6f61caf499f
Author: Gerald W. Carter <jerry at samba.org>
Date:   Thu Mar 27 11:57:26 2008 -0500

    Only add WBFLAG_PAM_CONTACT_TRUSTDOM when performing a krb5 auth request.
    
    NTLM logons must go against our DC.

commit 4de4949e3bfcfb2169c329f19cb76936d9043d50
Author: Gerald W. Carter <jerry at samba.org>
Date:   Thu Mar 27 11:56:29 2008 -0500

    Don't fill password policy structure for any domain other than our own.
    
    The samr connects will fail.  This is not independent of the CONTACT_TRUSTDOM
    flag needed by krb5 logins.

-----------------------------------------------------------------------

Summary of changes:
 source/nsswitch/pam_winbind.c  |   10 +++++++---
 source/winbindd/winbindd_pam.c |   18 +++++++++++++++---
 2 files changed, 22 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index 81f5227..d2aea66 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -1200,9 +1200,13 @@ static int winbind_auth_request(pam_handle_t * pamh,
 	request.data.auth.krb5_cc_type[0] = '\0';
 	request.data.auth.uid = -1;
 
-	request.flags = WBFLAG_PAM_INFO3_TEXT |
-			WBFLAG_PAM_GET_PWD_POLICY |
-			WBFLAG_PAM_CONTACT_TRUSTDOM;
+	request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_GET_PWD_POLICY;
+
+	/* Krb5 auth always has to go against the KDC of the user's realm */
+
+	if (ctrl & WINBIND_KRB5_AUTH) {
+		request.flags |= WBFLAG_PAM_CONTACT_TRUSTDOM;
+	}
 
 	if (ctrl & (WINBIND_KRB5_AUTH|WINBIND_CACHED_LOGIN)) {
 		struct passwd *pwd = NULL;
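
Review bot: the comment above the new `if (ctrl & WINBIND_KRB5_AUTH)` block documents only the krb5 half of the rule. The reason the flag is now withheld from every other logon (the commit message says NTLM logons must go against our DC) is not recorded in the code, so a later reader could restore the unconditional flag without knowing why it was removed. Suggest stating both halves in the comment. The next context line tests `WINBIND_KRB5_AUTH|WINBIND_CACHED_LOGIN`, so a cached login without krb5 no longer sets WBFLAG_PAM_CONTACT_TRUSTDOM; it is worth confirming that this is intended.
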
diff --git a/source/winbindd/winbindd_pam.c b/source/winbindd/winbindd_pam.c
index 63127cb..3b13a92 100644
--- a/source/winbindd/winbindd_pam.c
+++ b/source/winbindd/winbindd_pam.c
@@ -1638,12 +1638,24 @@ process_result:
 
 
 		if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
-			result = fillup_password_policy(domain, state);
-
+			struct winbindd_domain *our_domain = find_our_domain();
+			
+			/* This is not entiurely correct I believe, but it is 
+			   consistent.  Only apply the password policy settings
+			   too warn users for our own domain.  Cannot obtain these 
+			   from trusted DCs all the  time so don't do it at all. 
+			   -- jerry */
+
+			result = NT_STATUS_NOT_SUPPORTED;			
+			if (our_domain == domain ) {
+a				result = fillup_password_policy(our_domain, state);
+			}
+			
 			if (!NT_STATUS_IS_OK(result) 
 			    && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ) 
 			{
-				DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
+				DEBUG(10,("Failed to get password policies for domain %s: %s\n", 
+					  domain->name, nt_errstr(result)));
 				goto done;
 			}
 		}
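
Review bot: the added line that calls `fillup_password_policy(our_domain, state)` begins with a stray `a` before its indentation, which will not compile as written; drop that character. In the same block, `result` defaults to NT_STATUS_NOT_SUPPORTED for any domain other than our own, and the check that follows accepts that status silently, so users from trusted domains get no password policy data and nothing is logged; a DEBUG line naming `domain->name` in that branch would make the skip visible when diagnosing missing expiry warnings. The new comment has typos ("entiurely", "too warn"), and several added lines carry trailing whitespace.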


-- 
Samba Shared Repository

