problem with domain joins and pdb_ldap (patch included)

Peter H. Ganten ganten at univention.de
Wed Mar 19 02:36:16 GMT 2003


Hello, 

I think I have found the following problem with 3.0alpha22 and CVS
HEAD:

- A machine account is created in the unix database (here ldap and
pam_ldap/nss_ldap).

- In smb.conf "passdb backend = ldapsam unixsam" is used.

- A W2K machine (with the account's name) joins the domain. 

- During joining, W2K searches for the account, finds it, asks for the
account flags and gets ACB_WSTRUST (from pdb_fill_sam_pw), which is
fine, sets the password of the machine account and tells us it has
joined the domain. pdb_ldap adds sambaAccount and the passwords to the
directory object (but not acctFlags).

- After reboot, W2K says it can't find the domain or the credentials of
the machine account are wrong, because pdb_ldap returns ACB_NORMAL in
the account flags, which will make get_md4pw fail.

- Ironically: when you join the domain again, it will work, because now
pdb_ldap returns ACB_NORMAL and W2K changes that, so that it will be
written to the directory.

The attached patch does the same in pdb_ldap.c as is done in
pdb_fill_sam_pw: return ACB_WSTRUST if there is a "$" at the end of the
account name.

Any feedback is welcome.

Greetings

Peter

-- 
Peter H. Ganten <ganten at univention.de>
univention_ GmbH
-------------- next part --------------
--- ../samba-3.0alpha22.orig/source/passdb/pdb_ldap.c	2003-02-01 17:39:00.000000000 +0100
+++ source/passdb/pdb_ldap.c	2003-03-19 03:23:24.000000000 +0100
@@ -1167,15 +1167,20 @@
 	}
 
 	if (!get_single_attribute (ldap_state->ldap_struct, entry, "acctFlags", temp)) {
-		acct_ctrl |= ACB_NORMAL;
+		if (username[strlen(username)-1] != '$') {
+			acct_ctrl |= ACB_NORMAL;
+		}
+		else {
+			acct_ctrl |= ACB_WSTRUST;
+			DEBUG(10,("setting machine trust account flag for %s\n", username));
+		}
 	} else {
 		acct_ctrl = pdb_decode_acct_ctrl(temp);
 
 		if (acct_ctrl == 0)
 			acct_ctrl |= ACB_NORMAL;
-
-		pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
 	}
+	pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
 
 	pdb_set_hours_len(sampass, hours_len, PDB_SET);
 	pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
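Review bot: the new check `username[strlen(username)-1] != '$'` reads one byte before the buffer when `username` is an empty string, since `strlen` returns 0 and the index becomes -1; nothing in the hunk shows that an empty username is excluded earlier. Compute the length once and guard it, e.g. `size_t len = strlen(username); if (len > 0 && username[len-1] == '$')`, and put the ACB_WSTRUST branch under that condition with the ACB_NORMAL fallback in the else. Moving `pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET)` out of the else so it runs in both branches is the right fix for the original bug, where the flags computed in the "no acctFlags attribute" branch were never stored on `sampass`; it would help to say so in a comment above the call, since the reason for the move is not obvious from the code alone.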

