[PATCH] s3-winbindd: Use correct realm for trusted domains in idmap child

Jeremy Allison jra at samba.org
Thu Aug 28 11:04:42 MDT 2014


On Wed, Aug 27, 2014 at 10:28:15AM -0700, Christof Schmitt wrote:
> Is anybody available to review this change? The same issue is also
> present in 4.1, so this should also get backported once the patch is in
> master.

Can you explain why this patch is explicitly overriding
the logic just above? I would like to understand that
before I +1 this.

Above it has:

--------------------------------------------------------------------
        if (IS_DC) {
                realm = SMB_STRDUP(wb_dom->alt_name);
        } else {
                struct winbindd_domain *our_domain = wb_dom;

                /* always give preference to the alt_name in our
                   primary domain if possible */

                if (!wb_dom->primary) {
                        our_domain = find_our_domain();
                }

                if (our_domain->alt_name != NULL) {
                        realm = SMB_STRDUP(our_domain->alt_name);
                } else {
                        realm = SMB_STRDUP(lp_realm());
                }
        }
--------------------------------------------------------------------

So in the NOT-DC case it explicitly tries to use
the alt_name in our primary domain if possible.

Essentially your patch is making every case the "IS_DC" case.

Why is that right? (Genuinely curious here).

Jeremy

> On Fri, Aug 22, 2014 at 09:38:37AM -0700, Christof Schmitt wrote:
> > The attached patch fixes a problem when using the idmap_ad module to
> > query SFU attributes for users from a trusted domain.
> > 
> > Christof
> 
> > From 37b94887cc6207e5f03b41660bfe34870073528f Mon Sep 17 00:00:00 2001
> > From: Christof Schmitt <cs at samba.org>
> > Date: Fri, 22 Aug 2014 09:15:59 -0700
> > Subject: [PATCH] s3-winbindd: Use correct realm for trusted domains in idmap child
> > 
> > When authenticating users in a trusted domain, the idmap_ad module
> > always connects to a local DC instead of one in the trusted domain.
> > 
> > Fix this by passing the correct realm to connect to.
> > 
> > Signed-off-by: Christof Schmitt <cs at samba.org>
> > ---
> >  source3/winbindd/winbindd_ads.c |    4 ++--
> >  1 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
> > index a869ff5..1b9dadb 100644
> > --- a/source3/winbindd/winbindd_ads.c
> > +++ b/source3/winbindd/winbindd_ads.c
> > @@ -188,8 +188,8 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
> >  		}
> >  	}
> >  
> > -	status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
> > -					       password, realm, 0);
> > +	status = ads_cached_connection_connect(adsp, wb_dom->alt_name, dom_name,
> > +					       ldap_server, password, realm, 0);
> >  	SAFE_FREE(realm);
> >  	TALLOC_FREE(ldap_server);
> >  
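
Review bot: the new second argument, wb_dom->alt_name, is passed to ads_cached_connection_connect() without a NULL check, whereas the realm selection quoted earlier in this thread tests our_domain->alt_name != NULL and falls back to lp_realm() before using the value. Consider guarding the trusted-domain case the same way, or stating in the commit message why alt_name is always set at this point. The call also now passes two different values where it previously passed realm twice (wb_dom->alt_name as the second argument, realm as the sixth), so a short comment above the call explaining what each of the two is used for would make the intent reviewable; the commit message only says "the correct realm".
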
> > -- 
> > 1.7.1
> > 

