problem with domain joins and pdb_ldap (patch included)
Peter H. Ganten
ganten at univention.de
Wed Mar 19 02:36:16 GMT 2003
Hello,
I think I have found the following problem with 3.0alpha22 and CVS
HEAD:
- A machine account is created in the unix database (here ldap and
pam_ldap/nss_ldap).
- In smb.conf "passdb backend = ldapsam unixsam" is used.
- A W2K machine (with the account's name) joins the domain.
- During joining, W2K searches for the account, finds it, asks for the
account flags and gets ACB_WSTRUST (from pdb_fill_sam_pw), which is
fine, sets the password of the machine account and tells us it has
joined the domain. pdb_ldap adds sambaAccount and the passwords to the
directory object (but not acctFlags).
- After reboot, W2K says it can't find the domain or the credentials of
the machine account are wrong, because pdb_ldap returns ACB_NORMAL in
the account flags, which will make get_md4pw fail.
- Ironically, when you join the domain again it will work, because now
pdb_ldap returns ACB_NORMAL and W2K changes that, so that it will be
written to the directory.
The attached patch does the same in pdb_ldap.c as is done in
pdb_fill_sam_pw: return ACB_WSTRUST if there is a "$" at the end of the
account name.
Any feedback is welcome.
Greetings
Peter
--
Peter H. Ganten <ganten at univention.de>
univention_ GmbH
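The account-flag fallback the mail describes, as an added C example that is not Samba's code: a missing acctFlags attribute on a "name$" account yields ACB_WSTRUST, a present attribute is decoded, and an empty name is handled before indexing. The ACB_* bit values and the "[UWX ]" letter mapping are modelled on Samba's constants and pdb_decode_acct_ctrl() and are assumptions here.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not Samba code: the acctFlags fallback the mail describes,
 * with the empty-name edge case handled. Flag bits and the letter mapping are
 * modelled on Samba's ACB_* constants and pdb_decode_acct_ctrl() and are
 * assumptions here. */
#define ACB_DISABLED 0x0001
#define ACB_PWNOTREQ 0x0004
#define ACB_NORMAL   0x0010
#define ACB_WSTRUST  0x0080
#define ACB_SVRTRUST 0x0100
#define ACB_PWNOEXP  0x0200

static const struct { char letter; uint32_t bit; } flag_map[] = {
    {'D', ACB_DISABLED}, {'N', ACB_PWNOTREQ}, {'U', ACB_NORMAL},
    {'W', ACB_WSTRUST},  {'S', ACB_SVRTRUST}, {'X', ACB_PWNOEXP},
};

/* Decode a "[UX          ]"-style acctFlags value into a bitmask; unknown
 * letters and the padding spaces are ignored (assumed format). */
uint32_t decode_acct_flags(const char *s)
{
    uint32_t ctrl = 0;
    size_t i;
    if (s == NULL || *s != '[') return 0;
    for (s++; *s && *s != ']'; s++)
        for (i = 0; i < sizeof flag_map / sizeof flag_map[0]; i++)
            if (flag_map[i].letter == *s) ctrl |= flag_map[i].bit;
    return ctrl;
}

/* Account control for one LDAP entry. acct_flags is the stored acctFlags
 * attribute, or NULL when the entry has none (the case from the mail).
 * A missing attribute on a "name$" account yields ACB_WSTRUST as the patch
 * proposes; the length check keeps an empty name from indexing before the
 * buffer, which a bare username[strlen(username)-1] would do. */
uint32_t acct_ctrl_for_entry(const char *username, const char *acct_flags)
{
    size_t len = username ? strlen(username) : 0;
    uint32_t ctrl;
    if (acct_flags == NULL)
        return (len > 0 && username[len - 1] == '$') ? ACB_WSTRUST : ACB_NORMAL;
    ctrl = decode_acct_flags(acct_flags);
    return ctrl == 0 ? ACB_NORMAL : ctrl; /* empty "[ ]" still means a user */
}
```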
-------------- next part --------------
--- ../samba-3.0alpha22.orig/source/passdb/pdb_ldap.c 2003-02-01 17:39:00.000000000 +0100
+++ source/passdb/pdb_ldap.c 2003-03-19 03:23:24.000000000 +0100
@@ -1167,15 +1167,20 @@
}
if (!get_single_attribute (ldap_state->ldap_struct, entry, "acctFlags", temp)) {
- acct_ctrl |= ACB_NORMAL;
+ if (username[strlen(username)-1] != '$') {
+ acct_ctrl |= ACB_NORMAL;
+ }
+ else {
+ acct_ctrl |= ACB_WSTRUST;
+ DEBUG(10,("setting machine trust account flag for %s\n", username));
+ }
} else {
acct_ctrl = pdb_decode_acct_ctrl(temp);
if (acct_ctrl == 0)
acct_ctrl |= ACB_NORMAL;
-
- pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
}
+ pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
pdb_set_hours_len(sampass, hours_len, PDB_SET);
pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
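Review bot: the new test `if (username[strlen(username)-1] != '$')` reads one byte before the buffer when username is empty; guard it with a length check, e.g. `size_t len = strlen(username); if (len > 0 && username[len-1] == '$')`. Note also that this hunk moves `pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);` out of the else branch, so the fallback value is now actually stored into sampass when acctFlags is absent, which the old code never did; that is a separate fix and deserves its own mention in the commit message. Since the derived flag is only a naming-convention guess made on every lookup, it would be more robust to write acctFlags back to the entry once it has been decided, so later lookups do not depend on the trailing "$".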