[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-2610-g0a24c03
Michael Adam
obnox at samba.org
Mon May 26 20:23:30 GMT 2008
The branch, v3-3-test has been updated
via 0a24c038b7bc6edef0021eb121a072cc7e8f9165 (commit)
via a5a51ca8e5971992d9b060d66201b808bd2b7a53 (commit)
via aa1b8287f44f47f23bd4158112d0a132df04426c (commit)
via 5f197c659e9c8a573ba5032c7f90c816df45770c (commit)
via 0b26bcd3becb869319bca48bbf244c18b6e8e3dd (commit)
via a284c8843528972904d142b573f1170a08c97751 (commit)
from 1e883c88cb667a1485de8e8bbaebb43542f43065 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test
- Log -----------------------------------------------------------------
commit 0a24c038b7bc6edef0021eb121a072cc7e8f9165
Author: Michael Adam <obnox at samba.org>
Date: Mon May 26 12:42:56 2008 +0200
Remove unused function is_trusted_domain_situation().
This combined check has been replaced by is_dc_trusted_domain_situation()
which does not check for lp_allow_trusted_domains().
Michael
commit a5a51ca8e5971992d9b060d66201b808bd2b7a53
Author: Michael Adam <obnox at samba.org>
Date: Mon May 26 12:38:48 2008 +0200
winbind: correctly omit check for trusted domain support in cm_prepare_connection
when checking for a trusted domain situation.
This is how it was meant to be:
Otherwise, with a dc-trusted-domain situation but trusted domains disabled,
we would attempt to do a session setup and fail (wouldn't even get a trust
password).
Michael
commit aa1b8287f44f47f23bd4158112d0a132df04426c
Author: Michael Adam <obnox at samba.org>
Date: Mon May 26 12:31:44 2008 +0200
passdb: check for is_dc_trusted_domain_situation() in get_trust_pw_hash().
Before fetching legacy password hash, check for trusted domain situation,
but also fail if trusted domain support is not enabled.
Michael
commit 5f197c659e9c8a573ba5032c7f90c816df45770c
Author: Michael Adam <obnox at samba.org>
Date: Mon May 26 12:22:53 2008 +0200
passdb: add comment explaining logic in get_trust_pw_clear().
Michael
commit 0b26bcd3becb869319bca48bbf244c18b6e8e3dd
Author: Michael Adam <obnox at samba.org>
Date: Mon May 26 12:11:21 2008 +0200
passdb: in get_trust_pw_clear() correctly fail if trusted domains not supported
(but trusted domain situation was found)
This completes the fix for bugs #5425 and #5451 by Steven Dannemann,
in that now no special cases are left uncovered.
Michael
commit a284c8843528972904d142b573f1170a08c97751
Author: Michael Adam <obnox at samba.org>
Date: Mon May 26 12:05:21 2008 +0200
Add function is_dc_trusted_domain_situation().
This is like is_trusted_domain_situation() except that it does not
check for lp_allow_trusted_domains().
Michael
-----------------------------------------------------------------------
Summary of changes:
source/include/proto.h | 2 +-
source/passdb/passdb.c | 32 ++++++++++++++++++++++++--------
source/winbindd/winbindd_cm.c | 2 +-
3 files changed, 26 insertions(+), 10 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/include/proto.h b/source/include/proto.h
index 3d72022..f85b667 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -6271,7 +6271,7 @@ bool pdb_copy_sam_account(struct samu *dst, struct samu *src );
bool pdb_update_bad_password_count(struct samu *sampass, bool *updated);
bool pdb_update_autolock_flag(struct samu *sampass, bool *updated);
bool pdb_increment_bad_password_count(struct samu *sampass);
-bool is_trusted_domain_situation(const char *domain_name);
+bool is_dc_trusted_domain_situation(const char *domain_name);
bool get_trust_pw_clear(const char *domain, char **ret_pwd,
const char **account_name, uint32 *channel);
bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
index e3a3d3c..a670b46 100644
--- a/source/passdb/passdb.c
+++ b/source/passdb/passdb.c
@@ -1517,11 +1517,9 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
return True;
}
-bool is_trusted_domain_situation(const char *domain_name)
+bool is_dc_trusted_domain_situation(const char *domain_name)
{
- return IS_DC &&
- lp_allow_trusted_domains() &&
- !strequal(domain_name, lp_workgroup());
+ return IS_DC && !strequal(domain_name, lp_workgroup());
}
/*******************************************************************
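Review bot: is_dc_trusted_domain_situation() has no comment at its definition, and the name alone does not tell a caller that lp_allow_trusted_domains() is no longer part of the test. A short comment above the function saying that it only checks "we are a DC and the domain is not our own", and that the configuration check is now the caller's responsibility, would keep future callers from reading a true result as "trust credentials may be used".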
@@ -1539,7 +1537,11 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
/* if we are a DC and this is not our domain, then lookup an account
* for the domain trust */
- if (is_trusted_domain_situation(domain)) {
+ if (is_dc_trusted_domain_situation(domain)) {
+ if (!lp_allow_trusted_domains()) {
+ return false;
+ }
+
if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
&last_set_time))
{
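Review bot: the new early exit in get_trust_pw_clear(), `if (!lp_allow_trusted_domains()) { return false; }`, fails without logging anything, so a caller or an administrator cannot tell it apart from any other failure of this function. A DEBUG message that names the domain and says trusted domain support is disabled would make this configuration case diagnosable. The comment above the `if` ("if we are a DC and this is not our domain, then lookup an account for the domain trust") could also mention the new failure case.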
@@ -1560,8 +1562,22 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
return true;
}
- /* Here we are a domain member server. We can only be a member
- of one domain so ignore the request domain and assume our own */
+ /*
+ * Since we can only be member of one single domain, we are now
+ * in a member situation:
+ *
+ * - Either we are a DC (selfjoined) and the domain is our
+ * own domain.
+ * - Or we are on a member and the domain is our own or some
+ * other (potentially trusted) domain.
+ *
+ * In both cases, we can only get the machine account password
+ * for our own domain to connect to our own dc. (For a member,
+ * request to trusted domains are performed through our dc.)
+ *
+ * So we simply use our own domain name to retrieve the
+ * machine account passowrd and ignore the request domain here.
+ */
pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, channel);
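Review bot: the added comment block has a typo in its last sentence: "passowrd" should be "password". In the same block, "request to trusted domains are performed" should read "requests to trusted domains are performed", and "we are on a member" would be clearer as "we are a member" to match "we are a DC" in the first bullet. Since the comment documents that the request domain is ignored on this path, it would also help to say so in the function's header comment, where callers will look first.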
@@ -1594,7 +1610,7 @@ bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
E_md4hash(pwd, ret_pwd);
SAFE_FREE(pwd);
return true;
- } else if (is_trusted_domain_situation(domain)) {
+ } else if (is_dc_trusted_domain_situation(domain)) {
return false;
}
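Review bot: at `else if (is_dc_trusted_domain_situation(domain))` in get_trust_pw_hash(), the `return false` now also covers a DC with trusted domains disabled, which the commit message gives as the intent, but the branch has no comment saying so. A one-line comment stating that the legacy hash fetch must not be reached for a foreign domain on a DC, whether or not trusted domains are enabled, would protect this branch from being folded back into a combined check later.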
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 2ee0fae..a1027ce 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -808,7 +808,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
goto done;
}
- if (!is_trusted_domain_situation(domain->name) &&
+ if (!is_dc_trusted_domain_situation(domain->name) &&
(*cli)->protocol >= PROTOCOL_NT1 &&
(*cli)->capabilities & CAP_EXTENDED_SECURITY)
{
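Review bot: in cm_prepare_connection() the reason for not consulting lp_allow_trusted_domains() at `if (!is_dc_trusted_domain_situation(domain->name) &&` exists only in the commit message; the condition has no comment. Suggest a comment above the `if` saying that this branch is skipped for any foreign domain on a DC regardless of the trusted domains setting, because no trust password would be available for the session setup. As a style point, parentheses around `(*cli)->capabilities & CAP_EXTENDED_SECURITY` would make the bit test explicit inside the `&&` chain.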
--
Samba Shared Repository