[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Jul 3 21:20:04 MDT 2014


The branch, master has been updated
       via  f371032 s4-winbind: Use winbindd in the AD DC by default
       via  af7f887 winbindd: Use a remote RPC server when we are an RODC when needed
       via  da3a798 selftest: Use s4 RPC servers in the s4member environment
       via  0b77cd9 s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
       via  5d069a0 selftest: Make the wbinfo userinfo tests work properly with the qualified name
       via  95a55df winbindd: Allow the AD-DC to call getdcname
       via  a0105b8 secrets: Ensure we store the secureChannelType when written to secrets.ldb
      from  0c97b7e torture4: Make raw.lock.multilock fail after 20 seconds

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f3710320cef475ebac561882c8fdaf8e51c8b7c3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 20 10:15:31 2014 +1200

    s4-winbind: Use winbindd in the AD DC by default
    
    (Including changes to knownfail to match the new winbindd in use in each environment)
    
    Change-Id: I9e08086eba98e95e05a99afef28315e2857aae56
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Jul  4 05:19:54 CEST 2014 on sn-devel-104

commit af7f88721a21fbe33cec2bc277f65a736f6cb9cc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon May 26 11:58:38 2014 +1200

    winbindd: Use a remote RPC server when we are an RODC when needed
    
    This allows us to operate against the local cache where possible, but
    to forward some operations to the read-write DC.
    
    Andrew Bartlett
    
    Change-Id: Idc78ae379a402969381758919fcede17568f094e
    Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Nadezhda Ivanova <nivanova at samba.org>

commit da3a79831afbd1b85592be36eb47de375e575643
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 20 11:10:22 2014 +1200

    selftest: Use s4 RPC servers in the s4member environment
    
    Change-Id: I645669d551d7bb988c69da7b3805e3056ab1e8c8
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Nadezhda Ivanova <nivanova at samba.org>

commit 0b77cd969c54e4efa6faff507834c183958ec23c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 30 12:04:03 2014 +1200

    s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
    
    This changes the auth code in winbindd to use this as a flag, and to
    therefore contact the RW DC.
    
    Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Nadezhda Ivanova <nivanova at samba.org>

commit 5d069a04fc843512b6a703691d81c4c1d28ef744
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Jun 30 14:58:21 2014 +1200

    selftest: Make the wbinfo userinfo tests work properly with the qualified name
    
    This eliminates a knownfail.
    
    Change-Id: I7331a4e62ef8c1f2a9999a78865023ae19beeaca
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Nadezhda Ivanova <nivanova at samba.org>

commit 95a55df021b3f112a18c64a5f5897182ae8b7df8
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Jun 30 14:23:58 2014 +1200

    winbindd: Allow the AD-DC to call getdcname
    
    This is particularly useful for RODC and eliminates a knownfail.
    
    Change-Id: Ia5089761dcabb1620eadd530dbc9b05580cddd1f
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Nadezhda Ivanova <nivanova at samba.org>

commit a0105b84b85094375ab92c9e6ca4c9e0a2a531f5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon May 26 11:58:38 2014 +1200

    secrets: Ensure we store the secureChannelType when written to secrets.ldb
    
    This will allow winbindd to know when we are an RODC
    without needing to dig into sam.ldb.
    
    Change-Id: Ibdfa37fe6269305ccc5db42479f4a8db5eea53f3
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Nadezhda Ivanova <nivanova at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/common_auth.h                                |    2 +-
 docs-xml/smbdotconf/base/serverservices.xml       |    2 +-
 lib/param/loadparm.c                              |    2 +-
 selftest/knownfail                                |   46 +++++----------------
 selftest/target/Samba4.pm                         |   34 +++++++++++-----
 source3/auth/auth.c                               |    7 +++
 source3/include/secrets.h                         |    1 +
 source3/param/loadparm.c                          |    2 +-
 source3/passdb/machine_account_secrets.c          |   26 +++++++++---
 source3/winbindd/wb_dsgetdcname.c                 |   22 +++++++---
 source3/winbindd/winbindd.h                       |    1 +
 source3/winbindd/winbindd_cache.c                 |    3 +-
 source3/winbindd/winbindd_cm.c                    |   33 +++++++++------
 source3/winbindd/winbindd_msrpc.c                 |   20 +++++-----
 source3/winbindd/winbindd_pam.c                   |   26 +++++++++---
 source3/winbindd/winbindd_proto.h                 |    3 +-
 source3/winbindd/winbindd_util.c                  |   37 ++++++++++++++--
 source4/auth/ntlm/auth.c                          |   10 +++-
 source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c |    1 +
 source4/selftest/tests.py                         |    2 +-
 20 files changed, 176 insertions(+), 104 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/common_auth.h b/auth/common_auth.h
index d9bde01..d1a775d 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -26,7 +26,7 @@
 #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
 #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT   0x04 /* don't check unix account status */
 #define USER_INFO_INTERACTIVE_LOGON         0x08 /* Interactive logon */
-#define USER_INFO_LOCAL_SAM_ONLY            0x10 /* Only authenticate against the local SAM */
+#define USER_INFO_LOCAL_SAM_ONLY            0x10 /* Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
 #define USER_INFO_INFO3_AND_NO_AUTHZ        0x20 /* Only fill in server_info->info3 and do not do any authorization steps */
 
 enum auth_password_state {
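Review bot: the extended comment on USER_INFO_LOCAL_SAM_ONLY describes the new behaviour as "do not map missing passwords to NO_SUCH_USER", but the only behavioural change in this changeset for that flag (source3/auth/auth.c below) is that NT_STATUS_NOT_IMPLEMENTED from a method is passed through instead of being hidden; mention NT_STATUS_NOT_IMPLEMENTED here so a reader of the header can connect the flag to that code path, and wrap the comment so the line is not far longer than its neighbours.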
diff --git a/docs-xml/smbdotconf/base/serverservices.xml b/docs-xml/smbdotconf/base/serverservices.xml
index 677ae6a..e02e29d 100644
--- a/docs-xml/smbdotconf/base/serverservices.xml
+++ b/docs-xml/smbdotconf/base/serverservices.xml
@@ -13,6 +13,6 @@
 		<constant>-</constant>.  </para>
 </description>
 
-<value type="default">s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns</value>
+<value type="default">s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns</value>
 <value type="example">-s3fs, +smb</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 5a0ef88..c8f34e7 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2214,7 +2214,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
 
 	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
-	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns");
+	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
 	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
 	/* the winbind method for domain controllers is for both RODC
 	   auth forwarding and for trusted domains */
diff --git a/selftest/knownfail b/selftest/knownfail
index deeb8fa..624a5ae 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -247,18 +247,6 @@
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo -I against dc
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo  --trusted-domains against dc
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo --all-domains against dc
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo -N against s4member
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo -I against s4member
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo  --trusted-domains against s4member
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo --all-domains against s4member
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo -N against rodc
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo -I against rodc
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo  --trusted-domains against rodc
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo --all-domains against rodc
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo -N against promoted_dc
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo -I against promoted_dc
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo  --trusted-domains against promoted_dc
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo --all-domains against promoted_dc
 #
 # This makes less sense when not running against an AD DC
 #
@@ -273,18 +261,20 @@
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-gid
 ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-uid
 ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-gid
-^samba.blackbox.wbinfo\(plugin_s4_dc:local\).wbinfo --getdcname against plugin_s4_dc\(plugin_s4_dc:local\)
 #
 # These do not work against winbindd in member mode for unknown reasons
 #
-^samba.wbinfo_simple.\(member:local\).--user-info
-^samba.wbinfo_simple.\(s3member:local\).--user-info
+^samba4.winbind.struct.domain_info\(s4member:local\)
+^samba4.winbind.struct.getdcname\(s4member:local\)
+^samba4.winbind.struct.lookup_name_sid\(s4member:local\)
+^samba.blackbox.wbinfo\(s4member:local\).wbinfo -r against s4member\(s4member:local\)
+^samba.blackbox.wbinfo\(s4member:local\).wbinfo --user-sids against s4member\(s4member:local\)
 ^samba4.winbind.struct.getpwent\(plugin_s4_dc:local\)
+^samba.wbinfo_simple.\(s4member:local\).--user-groups
+^samba.nss.test using winbind\(s4member\)
 #
 # These just happen to fail for some reason (probably because they run against the s4 winbind)
 #
-^samba4.winbind.pac.pac\(s4member:local\)
-^samba4.winbind.struct.show_sequence\(s4member:local\)
 ^samba4.winbind.struct.getdcname\(s3member:local\)
 ^samba4.winbind.struct.lookup_name_sid\(s3member:local\)
 ^samba.wbinfo_simple.\(dc:local\).--all-domains.wbinfo\(dc:local\)
@@ -294,28 +284,12 @@
 ^samba.wbinfo_simple.\(dc:local\).--online-status --domain=SAMBADOMAIN.wbinfo\(dc:local\)
 ^samba.wbinfo_simple.\(dc:local\).--change-secret --domain=SAMBADOMAIN.wbinfo\(dc:local\)
 ^samba.wbinfo_simple.\(dc:local\).--online-status --domain=SAMBADOMAIN.wbinfo\(dc:local\)
-^samba.wbinfo_simple.\(s4member:local\).--all-domains.wbinfo\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--trusted-domains.wbinfo\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--online-status.wbinfo\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--online-status --domain=BUILTIN.wbinfo\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--online-status --domain=SAMBADOMAIN.wbinfo\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--change-secret --domain=SAMBADOMAIN.wbinfo\(s4member:local\)
-^samba.blackbox.wbinfo\(dc:local\).wbinfo -N against dc\(dc:local\)
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo -I against dc\(dc:local\)
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo  --trusted-domains against dc\(dc:local\)
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo --all-domains against dc\(dc:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo -N against s4member\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo -I against s4member\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo  --trusted-domains against s4member\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo --all-domains against s4member\(s4member:local\)
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo -N against rodc\(rodc:local\)
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo -I against rodc\(rodc:local\)
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo  --trusted-domains against rodc\(rodc:local\)
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo --all-domains against rodc\(rodc:local\)
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo -N against promoted_dc\(promoted_dc:local\)
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo -I against promoted_dc\(promoted_dc:local\)
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo  --trusted-domains against promoted_dc\(promoted_dc:local\)
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo --all-domains against promoted_dc\(promoted_dc:local\)
+#
+# These do not work against winbindd in member mode for unknown reasons
+#
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -U against s3member\(s3member:local\)
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -U check for sane mapping\(s3member:local\)
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G against s3member\(s3member:local\)
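Review bot: the "These do not work against winbindd in member mode for unknown reasons" header added at the end of this hunk is identical to the one already present in the previous hunk (@@ -273,18 +261,20 @@), so the s4member entries there and the s3member entries here sit under two copies of the same explanation; either move the s3member lines up under the existing header or make this one say what is different about the s3member cases.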
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index c6e6ef9..412fbff 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -922,7 +922,20 @@ sub provision_s4member($$$)
 {
 	my ($self, $prefix, $dcvars) = @_;
 	print "PROVISIONING MEMBER...";
-
+	my $extra_smb_conf = "
+        passdb backend = samba_dsdb
+winbindd:use external pipes = true
+
+rpc_server:default = external
+rpc_server:svcctl = embedded
+rpc_server:srvsvc = embedded
+rpc_server:eventlog = embedded
+rpc_server:ntsvcs = embedded
+rpc_server:winreg = embedded
+rpc_server:spoolss = embedded
+rpc_daemon:spoolssd = embedded
+rpc_server:tcpip = no
+";
 	my $ret = $self->provision($prefix,
 				   "member server",
 				   "s4member",
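Review bot: indentation inside $extra_smb_conf is inconsistent: "passdb backend = samba_dsdb" is indented by eight spaces while the winbindd: and rpc_server: lines start in column 0; smb.conf parsing tolerates it, but aligning them and adding a one-line comment saying why the s4member environment now runs the RPC servers externally (the commit message gives the reason) keeps the provisioning readable.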
@@ -931,7 +944,7 @@ sub provision_s4member($$$)
 				   "2008",
 				   "locMEMpass3",
 				   $dcvars->{SERVER_IP},
-				   "passdb backend = samba_dsdb", "", undef);
+				   $extra_smb_conf, "", undef);
 	unless ($ret) {
 		return undef;
 	}
@@ -1263,7 +1276,8 @@ sub provision_dc($$)
 	my ($self, $prefix) = @_;
 
 	print "PROVISIONING DC...";
-        my $extra_conf_options = "netbios aliases = localDC1-a";
+        my $extra_conf_options = "netbios aliases = localDC1-a
+        server services = +winbind -winbindd";
 	my $ret = $self->provision($prefix,
 				   "domain controller",
 				   "localdc",
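Review bot: provision_dc now pins the 'dc' environment to the old s4 winbind with "server services = +winbind -winbindd", the inverse of the new default; a short comment stating that this environment deliberately keeps the s4 winbind for coverage (as the chgdcpass hunk below does with its secrets.tdb explanation) would stop a later cleanup from removing it as a leftover.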
@@ -1315,8 +1329,7 @@ sub provision_fl2003dc($$)
 	my ($self, $prefix) = @_;
 
 	print "PROVISIONING DC...";
-        my $extra_conf_options = "allow dns updates = nonsecure and secure
-                                  server services = +winbindd -winbind";
+        my $extra_conf_options = "allow dns updates = nonsecure and secure";
 	my $ret = $self->provision($prefix,
 				   "domain controller",
 				   "dc6",
@@ -1514,8 +1527,6 @@ sub provision_plugin_s4_dc($$)
 	queue resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queueresume %p
 	lpq cache time = 0
 	print notify backchannel = yes
-
-        server services = +winbindd -winbind
 ";
 
 	my $extra_smbconf_shares = "
@@ -1590,6 +1601,7 @@ sub provision_chgdcpass($$)
 	print "PROVISIONING CHGDCPASS...";
 	my $extra_provision_options = undef;
 	push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
+	my $extra_conf_options = "server services = +winbind -winbindd";
 	my $ret = $self->provision($prefix,
 				   "domain controller",
 				   "chgdcpass",
@@ -1597,7 +1609,7 @@ sub provision_chgdcpass($$)
 				   "chgdcpassword.samba.example.com",
 				   "2008",
 				   "chgDCpass1",
-				   undef, "", "",
+				   undef, $extra_conf_options, "",
 				   $extra_provision_options);
 
 	return undef unless(defined $ret);
@@ -1606,8 +1618,10 @@ sub provision_chgdcpass($$)
 		return undef;
 	}
 	
-	# Remove secrets.tdb from this environment to test that we still start up
-	# on systems without the new matching secrets.tdb records
+	# Remove secrets.tdb from this environment to test that we
+	# still start up on systems without the new matching
+	# secrets.tdb records.  For this reason we don't run winbindd
+	# in this environment
 	unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
 		warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
 		return undef;
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 6d1192e..00261f7 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -232,6 +232,13 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 		if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
 			DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
 			TALLOC_FREE(tmp_ctx);
+			if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) {
+				/* we don't expose the NT_STATUS_NOT_IMPLEMENTED
+				 * internals, except when the caller is only probing
+				 * one method, as they may do the fallback 
+				 */
+				nt_status = result;
+			}
 			continue;
 		}
 
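Review bot: with USER_INFO_LOCAL_SAM_ONLY set, nt_status is assigned NT_STATUS_NOT_IMPLEMENTED and the loop then continues, so any later auth method that returns a different status overwrites it; if the intent is that a caller probing only one method sees NOT_IMPLEMENTED, that holds only when the local SAM method is the last one to run, which deserves a comment or an explicit break. Also the comment line "one method, as they may do the fallback " carries trailing whitespace.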
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 1eeb24c..16162e1 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -130,6 +130,7 @@ bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const
 				   const char *realm,
 				   const char *salting_principal, uint32_t supported_enc_types,
 				   const struct dom_sid *domain_sid, uint32_t last_change_time,
+				   uint32_t secure_channel,
 				   bool delete_join);
 
 /* The following definitions come from passdb/secrets_lsa.c  */
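Review bot: the new parameter is named secure_channel in this prototype but secure_channel_type in the definition in source3/passdb/machine_account_secrets.c; use one name in both places, and document here that 0 means "not specified, delete the stored value", since the implementation treats it as that sentinel.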
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 4814d25..6e64482 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -969,7 +969,7 @@ static void init_globals(bool reinit_globals)
 
 	string_set(Globals.ctx, &Globals.ncalrpc_dir, get_dyn_NCALRPCDIR());
 
-	Globals.server_services = (const char **)str_list_make_v3(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns", NULL);
+	Globals.server_services = (const char **)str_list_make_v3(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
 
 	Globals.dcerpc_endpoint_servers = (const char **)str_list_make_v3(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
 
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 4e35a72..37ee9bc 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -482,11 +482,13 @@ bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const
 				   const char *realm,
 				   const char *salting_principal, uint32_t supported_enc_types,
 				   const struct dom_sid *domain_sid, uint32_t last_change_time,
+				   uint32_t secure_channel_type,
 				   bool delete_join)
 {
 	bool ret;
 	uint8_t last_change_time_store[4];
 	TALLOC_CTX *frame = talloc_stackframe();
+	uint8_t sec_channel_bytes[4];
 	void *value;
 
 	if (delete_join) {
@@ -516,13 +518,23 @@ bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const
 		return ret;
 	}
 
-	/* We delete this and instead have the read code fall back to
-	 * a default based on server role, as our caller can't specify
-	 * this with any more certainty */
-	value = secrets_fetch(machine_sec_channel_type_keystr(domain), NULL);
-	if (value) {
-		SAFE_FREE(value);
-		ret = secrets_delete(machine_sec_channel_type_keystr(domain));
+	if (secure_channel_type == 0) {
+		/* We delete this and instead have the read code fall back to
+		 * a default based on server role, as our caller can't specify
+		 * this with any more certainty */
+		value = secrets_fetch(machine_sec_channel_type_keystr(domain), NULL);
+		if (value) {
+			SAFE_FREE(value);
+			ret = secrets_delete(machine_sec_channel_type_keystr(domain));
+			if (!ret) {
+				TALLOC_FREE(frame);
+				return ret;
+			}
+		}
+	} else {
+		SIVAL(&sec_channel_bytes, 0, secure_channel_type);
+		ret = secrets_store(machine_sec_channel_type_keystr(domain), 
+				    &sec_channel_bytes, sizeof(sec_channel_bytes));
 		if (!ret) {
 			TALLOC_FREE(frame);
 			return ret;
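Review bot: secure_channel_type == 0 doubles as the "caller did not specify" sentinel that deletes the stored key, so no caller can ever persist a channel type of 0; say so in a comment on the parameter. Two style points: sec_channel_bytes is already an array, so pass sec_channel_bytes rather than &sec_channel_bytes to SIVAL and secrets_store, and the line "ret = secrets_store(machine_sec_channel_type_keystr(domain), " has trailing whitespace.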
diff --git a/source3/winbindd/wb_dsgetdcname.c b/source3/winbindd/wb_dsgetdcname.c
index bc952cd..db6cde9 100644
--- a/source3/winbindd/wb_dsgetdcname.c
+++ b/source3/winbindd/wb_dsgetdcname.c
@@ -45,18 +45,28 @@ struct tevent_req *wb_dsgetdcname_send(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
-	if (strequal(domain_name, "BUILTIN")
-	    || strequal(domain_name, get_global_sam_name())) {
+	if (strequal(domain_name, "BUILTIN")) {
 		/*
-		 * Two options here: Give back our own address, or say there's
-		 * nobody around. Right now opting for the latter, one measure
-		 * to prevent the loopback connects. This might change if
-		 * needed.
+		 * This makes no sense
 		 */
 		tevent_req_nterror(req, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND);
 		return tevent_req_post(req, ev);
 	}
 
+	if (strequal(domain_name, get_global_sam_name())) {
+		int role = lp_server_role();
+		if ( role != ROLE_ACTIVE_DIRECTORY_DC ) {
+			/*
+			 * Two options here: Give back our own address, or say there's
+			 * nobody around. Right now opting for the latter, one measure
+			 * to prevent the loopback connects. This might change if
+			 * needed.
+			 */
+			tevent_req_nterror(req, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND);
+			return tevent_req_post(req, ev);
+		}
+	}
+
 	if (IS_DC) {
 		/*
 		 * We have to figure out the DC ourselves
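Review bot: the replacement comment "This makes no sense" on the BUILTIN branch loses the explanation the old comment gave; keep a sentence saying BUILTIN has no domain controller so the lookup is refused. For the own-domain case, an AD DC now falls through to the IS_DC path, so a one-line comment that the DC resolves its own domain (the getdcname case from the commit message) would help the next reader; minor style: `if ( role != ROLE_ACTIVE_DIRECTORY_DC )` has spaces inside the parentheses unlike the surrounding code.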
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index 07c87db..5b98928 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -164,6 +164,7 @@ struct winbindd_domain {
 	bool active_directory;                 /* is this a win2k active directory ? */
 	bool primary;                          /* is this our primary domain ? */
 	bool internal;                         /* BUILTIN and member SAM */
+	bool rodc;                             /* Are we an RODC for this AD domain? (do some operations locally) */
 	bool online;			       /* is this domain available ? */
 	time_t startup_time;		       /* When we set "startup" true. monotonic clock */
 	bool startup;                          /* are we in the first 30 seconds after startup_time ? */
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index dfad8f5..bfd78da 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -132,7 +132,8 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain)
 	}
 
 	if ( !domain->initialized ) {
-		init_dc_connection( domain );
+		/* We do not need a connection to an RW DC for cache operation */
+		init_dc_connection(domain, false);
 	}
 
 	/* 
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index a8ace52..05205a7 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -94,7 +94,7 @@ struct dc_name_ip {
 extern struct winbindd_methods reconnect_methods;
 extern bool override_logfile;
 
-static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
+static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc);
 static void set_dc_type_and_flags( struct winbindd_domain *domain );
 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
 		    struct dc_name_ip **dcs, int *num_dcs);
@@ -176,7 +176,7 @@ static void msg_try_to_go_online(struct messaging_context *msg,
 			   the offline handler if false. Bypasses online
 			   check so always does network calls. */
 
-			init_dc_connection_network(domain);
+			init_dc_connection_network(domain, true);
 			break;
 		}
 	}
@@ -1931,9 +1931,13 @@ static bool connection_ok(struct winbindd_domain *domain)
 /* Initialize a new connection up to the RPC BIND.
    Bypass online status check so always does network calls. */
 
-static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
+static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc)
 {
 	NTSTATUS result;
+	bool skip_connection = domain->internal;
+	if (need_rw_dc && domain->rodc) {
+		skip_connection = false;
+	}
 
 	/* Internal connections never use the network. */
 	if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
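Review bot: skip_connection starts as domain->internal and is only cleared when need_rw_dc && domain->rodc; a comment stating that on an RODC the primary domain is served internally for reads but must go to the network for RW operations would make the intent clear, and the three lines collapse to `bool skip_connection = domain->internal && !(need_rw_dc && domain->rodc);`.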
@@ -1941,7 +1945,7 @@ static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
 	}
 
 	/* Still ask the internal LSA and SAMR server about the local domain */
-	if (domain->internal || connection_ok(domain)) {
+	if (skip_connection || connection_ok(domain)) {
 		if (!domain->initialized) {
 			set_dc_type_and_flags(domain);
 		}
@@ -1959,7 +1963,7 @@ static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
 	return result;
 }
 
-NTSTATUS init_dc_connection(struct winbindd_domain *domain)
+NTSTATUS init_dc_connection(struct winbindd_domain *domain, bool need_rw_dc)
 {
 	if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
@@ -1970,14 +1974,14 @@ NTSTATUS init_dc_connection(struct winbindd_domain *domain)
 		return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
 	}
 
-	return init_dc_connection_network(domain);
+	return init_dc_connection_network(domain, need_rw_dc);
 }
 
-static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain)
+static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain, bool need_rw_dc)
 {
 	NTSTATUS status;
 
-	status = init_dc_connection(domain);
+	status = init_dc_connection(domain, need_rw_dc);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -2382,6 +2386,7 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
 }
 
 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+			bool need_rw_dc,
 			struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
 {
 	struct winbindd_cm_conn *conn;
@@ -2392,10 +2397,12 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	const char *domain_name = NULL;
 
 	if (sid_check_is_our_sam(&domain->sid)) {
-		return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
+		if (domain->rodc == false || need_rw_dc == false) {
+			return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
+		}
 	}
 
-	status = init_dc_connection_rpc(domain);
+	status = init_dc_connection_rpc(domain, need_rw_dc);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
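Review bot: `domain->rodc == false || need_rw_dc == false` reads more naturally as `!domain->rodc || !need_rw_dc`. Also, because the changeset is truncated, the callers of cm_connect_sam that must now pass need_rw_dc (winbindd_pam.c and winbindd_msrpc.c per the summary) are not visible here; confirm every caller passes the intended value rather than false by default.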
@@ -2605,7 +2612,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 
 	DEBUG(10,("cm_connect_lsa_tcp\n"));
 
-	status = init_dc_connection_rpc(domain);
+	status = init_dc_connection_rpc(domain, false);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -2656,7 +2663,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	struct netlogon_creds_cli_context *p_creds;
 
-	result = init_dc_connection_rpc(domain);
+	result = init_dc_connection_rpc(domain, false);
 	if (!NT_STATUS_IS_OK(result))
 		return result;
 
@@ -2829,7 +2836,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 
 	*cli = NULL;
 
-	result = init_dc_connection_rpc(domain);
+	result = init_dc_connection_rpc(domain, true);
 	if (!NT_STATUS_IS_OK(result)) {
 		return result;
 	}
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index 426d64c..9aef7cc 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -76,7 +76,7 @@ static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
 		goto done;
 	}


-- 
Samba Shared Repository