Gerald (Jerry) Carter jerry at samba.org
Fri Sep 8 11:59:25 GMT 2006

Hash: SHA1

Volker Lendecke wrote:
> Hi, Jerry!
> Günther yesterday notified me about lines 226ff in
> winbindd_pam.c:
>  if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
> I had removed already once, because for NTLM this is broken.
> It does make sense in case we do krb5 logon, but with NTLM
> this does just not work as for the trusted domain we don't
> have a workstation password. In the NTLM case we _always_
> have to contact our own domain.

Doh!  Yeah.  I see that now.  I'm pretty sure I tested
this....  BUt I don;'t see how it could have worked.

The old code applied the password policies for *our*
domain to trusted logins.  So what we have to do now
is to have the winbindd child for our domain rescan
its list of trusted domains so thatr it can contact a
DC in the trusted domains for policy settings.

btw....The SLES10 Samba rpms are broken then.  That
changes came directly from the patch tarball in the
3.0.22 SLES10 distro.  I was going to fix it my way
originally, but Jeremy said this had to be working ok
in their RPMs.  So we took the patch from there.

cheers, jerry
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba-technical mailing list