[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-2610-g0a24c03

Michael Adam obnox at samba.org
Mon May 26 20:23:30 GMT 2008


The branch, v3-3-test has been updated
       via  0a24c038b7bc6edef0021eb121a072cc7e8f9165 (commit)
       via  a5a51ca8e5971992d9b060d66201b808bd2b7a53 (commit)
       via  aa1b8287f44f47f23bd4158112d0a132df04426c (commit)
       via  5f197c659e9c8a573ba5032c7f90c816df45770c (commit)
       via  0b26bcd3becb869319bca48bbf244c18b6e8e3dd (commit)
       via  a284c8843528972904d142b573f1170a08c97751 (commit)
      from  1e883c88cb667a1485de8e8bbaebb43542f43065 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit 0a24c038b7bc6edef0021eb121a072cc7e8f9165
Author: Michael Adam <obnox at samba.org>
Date:   Mon May 26 12:42:56 2008 +0200

    Remove unused function is_trusted_domain_situation().
    
    This combined check has been replaced by is_dc_trusted_domain_situation()
    which does not check for lp_allow_trusted_domains().
    
    Michael

commit a5a51ca8e5971992d9b060d66201b808bd2b7a53
Author: Michael Adam <obnox at samba.org>
Date:   Mon May 26 12:38:48 2008 +0200

    winbind: correctly omit check for trusted domain support in cm_prepare_connection
    
    when checking for a trusted domain situation.
    This is how it was meant to be:
    
    Otherwise, with a dc-trusted-domain situation but trusted domains disabled,
    we would attempt to do a session setup and fail (wouldn't even get a trust
    password).
    
    Michael

commit aa1b8287f44f47f23bd4158112d0a132df04426c
Author: Michael Adam <obnox at samba.org>
Date:   Mon May 26 12:31:44 2008 +0200

    passdb: check for is_dc_trusted_domain_situation() in get_trust_pw_hash().
    
    Before fetching legacy password hash, check for trusted domain situation,
    but also fail if trusted domain support is not enabled.
    
    Michael

commit 5f197c659e9c8a573ba5032c7f90c816df45770c
Author: Michael Adam <obnox at samba.org>
Date:   Mon May 26 12:22:53 2008 +0200

    passdb: add comment explaining logic in get_trust_pw_clear().
    
    Michael

commit 0b26bcd3becb869319bca48bbf244c18b6e8e3dd
Author: Michael Adam <obnox at samba.org>
Date:   Mon May 26 12:11:21 2008 +0200

    passdb: in get_trust_pw_clear() correctly fail if trusted domains not supported
    
    (but trusted domain situation was found)
    
    This completes the fix for bugs #5425 and #5451 by Steven Dannemann,
    in that now no special cases are left uncovered.
    
    Michael

commit a284c8843528972904d142b573f1170a08c97751
Author: Michael Adam <obnox at samba.org>
Date:   Mon May 26 12:05:21 2008 +0200

    Add function is_dc_trusted_domain_situation().
    
    This is like is_trusted_domain_situation() except that it does not
    check for lp_allow_trusted_domains().
    
    Michael

-----------------------------------------------------------------------

Summary of changes:
 source/include/proto.h        |    2 +-
 source/passdb/passdb.c        |   32 ++++++++++++++++++++++++--------
 source/winbindd/winbindd_cm.c |    2 +-
 3 files changed, 26 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/include/proto.h b/source/include/proto.h
index 3d72022..f85b667 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -6271,7 +6271,7 @@ bool pdb_copy_sam_account(struct samu *dst, struct samu *src );
 bool pdb_update_bad_password_count(struct samu *sampass, bool *updated);
 bool pdb_update_autolock_flag(struct samu *sampass, bool *updated);
 bool pdb_increment_bad_password_count(struct samu *sampass);
-bool is_trusted_domain_situation(const char *domain_name);
+bool is_dc_trusted_domain_situation(const char *domain_name);
 bool get_trust_pw_clear(const char *domain, char **ret_pwd,
 			const char **account_name, uint32 *channel);
 bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
index e3a3d3c..a670b46 100644
--- a/source/passdb/passdb.c
+++ b/source/passdb/passdb.c
@@ -1517,11 +1517,9 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
 	return True;
 }
 
-bool is_trusted_domain_situation(const char *domain_name)
+bool is_dc_trusted_domain_situation(const char *domain_name)
 {
-	return IS_DC &&
-		lp_allow_trusted_domains() &&
-		!strequal(domain_name, lp_workgroup());
+	return IS_DC && !strequal(domain_name, lp_workgroup());
 }
 
 /*******************************************************************
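Review bot: is_dc_trusted_domain_situation() has no comment saying that it deliberately leaves out the lp_allow_trusted_domains() policy check its predecessor made, so a later caller could read a true result as "trusts are enabled". A short header comment above the function would record that, for example `/* True if we are a DC and domain_name is not our own domain. Does NOT check lp_allow_trusted_domains(); callers that fetch trust credentials must check it themselves. */`. In this diff only get_trust_pw_clear() adds the explicit policy check. get_trust_pw_hash() and cm_prepare_connection() use the result without it, which the commit messages describe as intended.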
@@ -1539,7 +1537,11 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
 	/* if we are a DC and this is not our domain, then lookup an account
 	 * for the domain trust */
 
-	if (is_trusted_domain_situation(domain)) {
+	if (is_dc_trusted_domain_situation(domain)) {
+		if (!lp_allow_trusted_domains()) {
+			return false;
+		}
+
 		if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
 					   &last_set_time))
 		{
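Review bot: The new `return false` for disabled trusted domains is silent, so in the logs a policy refusal cannot be told apart from the pdb_get_trusteddom_pw() failure branch that starts just below. A debug line before the return would make it visible, e.g. `DEBUG(5, ("get_trust_pw_clear: trusted domains disabled, not fetching trust password for domain %s\n", domain));`. The output parameters are left untouched on this path, so it is worth confirming that no caller reads `*ret_pwd` after a false return. The function body starts and continues outside the hunk.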
@@ -1560,8 +1562,22 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
 		return true;
 	}
 
-	/* Here we are a domain member server.  We can only be a member
-	   of one domain so ignore the request domain and assume our own */
+	/*
+	 * Since we can only be member of one single domain, we are now
+	 * in a member situation:
+	 *
+	 *  -  Either we are a DC (selfjoined) and the domain is our
+	 *     own domain.
+	 *  -  Or we are on a member and the domain is our own or some
+	 *     other (potentially trusted) domain.
+	 *
+	 * In both cases, we can only get the machine account password
+	 * for our own domain to connect to our own dc. (For a member,
+	 * request to trusted domains are performed through our dc.)
+	 *
+	 * So we simply use our own domain name to retrieve the
+	 * machine account passowrd and ignore the request domain here.
+	 */
 
 	pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, channel);
 
@@ -1594,7 +1610,7 @@ bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
 		E_md4hash(pwd, ret_pwd);
 		SAFE_FREE(pwd);
 		return true;
-	} else if (is_trusted_domain_situation(domain)) {
+	} else if (is_dc_trusted_domain_situation(domain)) {
 		return false;
 	}
 
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 2ee0fae..a1027ce 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -808,7 +808,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 		goto done;
 	}
 
-	if (!is_trusted_domain_situation(domain->name) &&
+	if (!is_dc_trusted_domain_situation(domain->name) &&
 	    (*cli)->protocol >= PROTOCOL_NT1 &&
 	    (*cli)->capabilities & CAP_EXTENDED_SECURITY)
 	{
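Review bot: With this condition the branch is skipped for every foreign domain on a DC, whether or not trusted domains are enabled, and nothing at the call site says that leaving out the lp_allow_trusted_domains() check is deliberate. A comment above the `if` would record it, e.g. `/* Foreign domain on a DC: skip this session setup regardless of lp_allow_trusted_domains(). */`. The branch body and whatever session setup is used instead lie outside the hunk. It is worth confirming that, with trusts disabled, the fallback path does not quietly continue with a less authenticated connection than the administrator expects.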


-- 
Samba Shared Repository

