[PATCH] s3-winbindd: Use correct realm for trusted domains in idmap child

Christof Schmitt cs at samba.org
Thu Aug 28 13:35:14 MDT 2014

On Thu, Aug 28, 2014 at 10:04:42AM -0700, Jeremy Allison wrote:
> On Wed, Aug 27, 2014 at 10:28:15AM -0700, Christof Schmitt wrote:
> > Is anybody available to review this change? The same issue is also
> > present in 4.1, so this should also get backported once the patch is in
> > master.
> Can you explain why this patch is explicitly overriding
> the logic just above? I would like to understand that
> before I +1 this.
> Above it has:
> --------------------------------------------------------------------
>         if (IS_DC) {
>                 realm = SMB_STRDUP(wb_dom->alt_name);
>         } else {
>                 struct winbindd_domain *our_domain = wb_dom;
>                 /* always give preference to the alt_name in our
>                    primary domain if possible */
>                 if (!wb_dom->primary) {
>                         our_domain = find_our_domain();
>                 }
>                 if (our_domain->alt_name != NULL) {
>                         realm = SMB_STRDUP(our_domain->alt_name);
>                 } else {
>                         realm = SMB_STRDUP(lp_realm());
>                 }
>         }
> --------------------------------------------------------------------
> So in the NOT-DC case it explicitly tries to use
> the alt_name in our primary domain if possible.
> Essentially your patch is making every case the "IS_DC" case.
> Why is that right? (Genuinely curious here).

It also took me a bit to figure this out, so any feedback is valuable.

ads_cached_connection_connect takes two realm parameters (in the
second and sixth position). The one in the second position is used for
ads_init() and identifies the realm of the domain controller we want to
connect to. The parameter in the sixth position identifies our local
realm that is used for obtaining a kerberos ticket (and our auth realm
is the local domain).

The logic after "if (IS_DC)" obtains the realm of the local/primary
domain, so that is correct for the parameter in the sixth position. It
should not be used for identifying the realm of the DC we want to
connect to, since that can also be a trusted domain.

This is not entirely obvious, and it was also me who introduced this
problem. Maybe using better names for the variables and parameters would help
here (e.g. auth_realm, target_realm), but I would like to get this
problem addressed first.
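The distinction Christof describes above, modelled as a small C program. This is an added illustration, not Samba code: the struct domain type, the find_our_domain() and conf_realm stand-ins, the domain names and realms, and the build_args_before()/build_args_after() functions are all hypothetical. It only shows why a single realm variable cannot serve both the target realm (the DC being contacted) and the auth realm (where our ticket comes from) once the looked-up domain is a trusted one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a winbindd domain record (not Samba's struct). */
struct domain {
    const char *name;      /* NetBIOS name */
    const char *alt_name;  /* DNS / Kerberos realm, may be NULL */
    bool primary;          /* true for the domain this host is joined to */
};

/* Hypothetical stand-in for lp_realm() (the realm from smb.conf). */
static const char *conf_realm = "EXAMPLE.COM";

/* Constructed sample data: our own domain and one trusted domain. */
static const struct domain our_dom     = { "EXAMPLE", "EXAMPLE.COM", true  };
static const struct domain trusted_dom = { "PARTNER", "PARTNER.NET", false };

/* Hypothetical stand-in for find_our_domain(). */
static const struct domain *find_our_domain(void) { return &our_dom; }

/* Auth realm: where we obtain our Kerberos ticket. This mirrors the branch
 * quoted in the thread: a DC uses its own realm, a member server prefers
 * the primary domain's alt_name and falls back to the configured realm. */
const char *auth_realm_for(const struct domain *wb_dom, bool is_dc)
{
    if (is_dc) {
        return wb_dom->alt_name;
    }
    const struct domain *ours = wb_dom->primary ? wb_dom : find_our_domain();
    return ours->alt_name != NULL ? ours->alt_name : conf_realm;
}

/* Target realm: the realm of the DC we want to talk to, i.e. the realm of
 * the domain being looked up, whether primary or trusted. */
const char *target_realm_for(const struct domain *wb_dom)
{
    return wb_dom->alt_name;
}

/* Hypothetical pair of parameters, standing in for the second and sixth
 * arguments of ads_cached_connection_connect(). */
struct conn_args {
    const char *target_realm;
    const char *auth_realm;
};

/* "Before": one realm variable is computed and passed in both positions,
 * so a trusted-domain lookup is directed at our own realm's DCs. */
struct conn_args build_args_before(const struct domain *wb_dom, bool is_dc)
{
    const char *realm = auth_realm_for(wb_dom, is_dc);
    struct conn_args a = { realm, realm };
    return a;
}

/* "After": the two realms are computed separately. */
struct conn_args build_args_after(const struct domain *wb_dom, bool is_dc)
{
    struct conn_args a = { target_realm_for(wb_dom), auth_realm_for(wb_dom, is_dc) };
    return a;
}

/* Check: does the target realm belong to the domain we meant to contact? */
bool targets_right_dc(struct conn_args a, const struct domain *wb_dom)
{
    return a.target_realm != NULL && strcmp(a.target_realm, wb_dom->alt_name) == 0;
}

int main(void)
{
    struct conn_args b = build_args_before(&trusted_dom, false);
    struct conn_args f = build_args_after(&trusted_dom, false);
    printf("before: target=%s auth=%s (right DC: %s)\n",
           b.target_realm, b.auth_realm, targets_right_dc(b, &trusted_dom) ? "yes" : "no");
    printf("after:  target=%s auth=%s (right DC: %s)\n",
           f.target_realm, f.auth_realm, targets_right_dc(f, &trusted_dom) ? "yes" : "no");
    return 0;
}
```

For the primary domain both versions agree, which is why the problem is easy to miss; only a lookup in a trusted domain exposes the difference between the two realms.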

