[PATCH] s3-winbindd: Use correct realm for trusted domains in idmap child

Jeremy Allison jra at samba.org
Thu Aug 28 15:00:00 MDT 2014


On Thu, Aug 28, 2014 at 12:35:14PM -0700, Christof Schmitt wrote:
> 
> It also took me a bit to figure this out, so any feedback is valuable.
> 
> ads_cached_connection_connect takes two realm parameters (in the
> second and sixth position). The one in the second position is used for
> ads_init() and identifies the realm of the domain controller we want to
> connect to. The parameter in the sixth position identifies our local
> realm that is used for obtaining a Kerberos ticket (and our auth realm
> is the local domain).
> 
> The logic after "if (IS_DC)" obtains the realm of the local/primary
> domain, so that is correct for the parameter in the sixth position. It
> should not be used for identifying the realm of the DC we want to
> connect to, since that can also be a trusted domain.
> 
> This is not entirely obvious, and it was also me who introduced this
> problem. Maybe using better names for the variables and parameters would help
> here (e.g. auth_realm, target_realm), but I would like to get this
> problem addressed first.

Thanks a *LOT* for the explanation - makes sense to me, thanks.

Given that - how about the following version of the patch.
Might help make the code a bit more self-documenting? If
you're happy with it, feel free to push with my 'Reviewed-by'.

Jeremy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-winbindd-Use-correct-realm-for-trusted-domains-in.patch
Type: text/x-diff
Size: 1457 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140828/ad138a2c/attachment.patch>

