[SCM] Samba Shared Repository - branch v3-4-test updated - release-4-0-0alpha7-1225-gd4c82fc
Karolin Seeger
kseeger at samba.org
Mon Aug 24 00:39:27 MDT 2009
The branch, v3-4-test has been updated
via d4c82fcb106ba872a9987ae40e0fe2d58b7ef1bb (commit)
from ef891070288cd13aff7c730de7c1baf54dddb90f (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test
- Log -----------------------------------------------------------------
commit d4c82fcb106ba872a9987ae40e0fe2d58b7ef1bb
Author: Michael Adam <obnox at samba.org>
Date: Fri Aug 21 13:59:16 2009 +0200
s3: fix bug #6650, authentication at member servers when winbindd is not running
Authentication of domain users on the member server fails when winbindd
is not running. This is because the is_trusted_domain() check behaves
differently when winbindd is running and when it isn't:
Since wb_is_trusted_domain() calls wbcDomainInfo(), and this will also
give a result for our own domain, this succeeds for the member
server's own domain when winbindd is running. When winbindd is not
running, is_trusted_domain() checks (and possibly updates) the trustdom
cache, and this does the lsa_EnumTrustDom() rpc call to the DC which
does not return its own domain.
In case of winbindd not running, before 3.4, the domain part was _silently_
mapped to the workgroup in auth_util.c:make_user_info_map(),
which effectively did nothing in the member case.
But then the parameter "map untrusted to domain" was introduced
and the mapping was made to the workstation name instead of
the workgroup name by default unless "map untrusted to domain = yes".
(Commits
d8c54fddda2dba3cbc5fc13e93431b152813892e,
5cd4b7b7c03df6e896186d985b6858a06aa40b3f, and
fbca26923915a70031f561b198cfe2cc0d9c3aa6)
This was ok as long as winbindd was running, but with winbindd not running,
these changes actually uncovered the above logic bug in the check.
So the correct check is to treat the workgroup as trusted / or known
in the member case. This is most easily achieved by not comparing the
domain name against get_global_sam_name() which is the host name unless
for a DC but against my_sam_name() which is the workgroup for a DC and for
a member, too. (These names are not very intuitive...)
I admit that this is a very long commit message for a one-liner, but this has
needed some tracking down, and I think the change deserves some justification.
Michael
(cherry picked from commit 6afb02cb53f47e0fd7e7df3935b067e7e1f8a9de)
-----------------------------------------------------------------------
Summary of changes:
source3/auth/auth_util.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 4a8fc95..b743c12 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -218,7 +218,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
* This also deals with the client passing in a "" domain */
if (!is_trusted_domain(domain) &&
- !strequal(domain, get_global_sam_name()) )
+ !strequal(domain, my_sam_name()))
{
if (lp_map_untrusted_to_domain())
domain = my_sam_name();
--
Samba Shared Repository
More information about the samba-cvs
mailing list