The branch, v3-2-stable has been updated
via 36a91915699905fb27a98cf7938684e51c590df0 (commit)
via 8387ea05aaf3785b2152ba7a7e82b1934ad899ec (commit)
via 473ae1fa45ed7b0f522e42267fbbb59a54235742 (commit)
via f6f4bdf4f820476079840ef48a4c11cdfab2612b (commit)
via 5f1cefec31885c0443af77963255b4ba12ed3f81 (commit)
via 8a785dce882d36d9a8acdf53ffa0f3bf3a791c26 (commit)
via 22423921d6d811c86bb9daa3dbdc0932aa7b613a (commit)
via c76d0b42d3e88e57bbc53ead1a69e944bf798629 (commit)
via 917b72adea00309ed653c2c82261bd29f6d38dcf (commit)
via 3326b48dfd7720e7362e0207e7960627f5229d1d (commit)
via a73f5c089f3bff1a400a02a1bae77dd33040e5c7 (commit)
from 43f277a7dd06b800bd15f0b92a8f916e25f1370d (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-stable
- Log -----------------------------------------------------------------
commit 36a91915699905fb27a98cf7938684e51c590df0
Author: Karolin Seeger <[EMAIL PROTECTED]>
Date: Mon Jun 9 10:55:16 2008 +0200
WHATSNEW: Update changes since 3.2.0rc1.
Karolin
(cherry picked from commit 3b8c9ae9826705edd7a3852a9c0ffd0e632094c4)
commit 8387ea05aaf3785b2152ba7a7e82b1934ad899ec
Author: Günther Deschner <[EMAIL PROTECTED]>
Date: Thu Jun 5 19:04:31 2008 +0200
netdomjoin-gui: enable NetGetJoinInformation() call after successfull
joining.
Now that libnetjoin reloads configuration after joining, we can rely on the
NetGetJoinInformation() output and use it for displaying the new domain
name and
type.
Guenther
(cherry picked from commit cc1b8de2632e87002cac86838f2a77ab9771ce2c)
commit 473ae1fa45ed7b0f522e42267fbbb59a54235742
Author: Günther Deschner <[EMAIL PROTECTED]>
Date: Thu Jun 5 19:02:09 2008 +0200
netdomjoin-gui: fix more gtk runtime warnings.
Guenther
(cherry picked from commit 521ea68719524eeef827875e018bb8cba2a92e87)
commit f6f4bdf4f820476079840ef48a4c11cdfab2612b
Author: Günther Deschner <[EMAIL PROTECTED]>
Date: Thu Jun 5 01:11:23 2008 +0200
netdomjoin-gui: disable annoying "reboot now" dialog.
Guenther
(cherry picked from commit 8f0c5f1bedaae7a86ca671cdb2ba798079ec1d84)
commit 5f1cefec31885c0443af77963255b4ba12ed3f81
Author: Günther Deschner <[EMAIL PROTECTED]>
Date: Tue Jun 3 15:19:46 2008 +0200
netdomjoin-gui: some minor fixes + hunting down typecast bugs.
Guenther
(cherry picked from commit 0fa6c8c6a3efd026154e8af54ba73b3d3de1affa)
commit 8a785dce882d36d9a8acdf53ffa0f3bf3a791c26
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date: Sun Jun 8 14:19:16 2008 -0700
Bugfix noticed by Herb. On using the again: tag as a
goto target we were not reinitializing the array counts.
From Herb:
This is in the file nsswitch/winbindd_cm.c (samba-3.0.30) line 1236
We have a label again: where we keep trying to find the name of the DC
from the list of IPs returned by get_dcs. If we fail to figure out the
name we do a goto again at the end of the function. The problem is we
don't reset the num_dcs, num_addrs, etc and free the memory in the
various arrays. This seems wrong to me. I have a winbindd core where
I have 9 IPs returned for the DCs but at the time of the crash num_dcs
is 87 and if I look through the array dcs it keeps repeating entries
from the same group of 9
Jerry, Volker and Guenther please check.
Jeremy.
(cherry picked from commit 0b2062a499c69c86cc03130542aaf3e92265b65d)
commit 22423921d6d811c86bb9daa3dbdc0932aa7b613a
Author: Günther Deschner <[EMAIL PROTECTED]>
Date: Fri Jun 6 15:59:52 2008 +0200
pam_winbind: fix pam_sm_chauthtok for storing modified cached creds.
Thanks to Bo Yang for pointing this out.
Guenther
(cherry picked from commit 516a067016955938988ab37c777102a14b41e100)
commit c76d0b42d3e88e57bbc53ead1a69e944bf798629
Author: Günther Deschner <[EMAIL PROTECTED]>
Date: Thu Jun 5 19:00:05 2008 +0200
libnetjoin: add libnet_join_rollback().
This is required now if the join verify failed and we already
modified the local configuration.
Guenther
(cherry picked from commit 2870fe50af5163e30330f5a3ef21d0b7eea85ee5)
commit 917b72adea00309ed653c2c82261bd29f6d38dcf
Author: Günther Deschner <[EMAIL PROTECTED]>
Date: Thu Jun 5 18:58:27 2008 +0200
libnetjoin: First store configuration and then verify the join.
Jerry, this fixes the issues while joining with "config backend = registry".
Guenther
(cherry picked from commit b3d47f099286778252c6df6bf2c1fee0c4e26560)
commit 3326b48dfd7720e7362e0207e7960627f5229d1d
Author: Gerald W. Carter <[EMAIL PROTECTED]>
Date: Fri May 23 15:19:58 2008 -0500
Manually port Steven Dannenman fix for using the correct machine domain when
looking up trust credentials in our tdb.
commit fd0ae47046d37ec8297396a2733209c4d999ea91
Author: Steven Danneman <[EMAIL PROTECTED]>
Date: Thu May 8 13:34:49 2008 -0700
Use machine account and machine password from our domain when
contacting trusted domains.
(cherry picked from commit 69b37ae60757075a0712149c5f97f17ee22c2e41)
(cherry picked from commit 8a64988fc45aff15359caf16f28ff1712bbe6d5f)
commit a73f5c089f3bff1a400a02a1bae77dd33040e5c7
Author: Gerald W. Carter <[EMAIL PROTECTED]>
Date: Fri May 23 16:01:45 2008 -0500
Manually merge Steven Danneman's patch for SPNEGO auth to a trusted
Win2008 domain (merged from v3-0-test).
commit 8dc4e979776aae0ecaa74b51dc1eac78a7631405
Author: Steven Danneman <[EMAIL PROTECTED]>
Date: Wed May 7 13:34:26 2008 -0700
spnego SPN fix when contacting trusted domains
cli_session_setup_spnego() was not taking into consideration the
situation
where we're connecting to a trusted domain, specifically one (like
W2K8)
which doesn't return a SPN in the NegTokenInit.
This caused two problems:
1) When guessing the SPN using
kerberos_get_default_realm_from_ccache() we
were always using our default realm, not the realm of the domain we're
connecting to.
2) When falling back on NTLMSSP for authentication we were passing
the name
of the domain we're connecting to for use in our credentials when we
should be
passing our own workgroup name.
The fix for both was to split the single "domain" parameter into
"user_domain" and "dest_realm" parameters. We use the "user_domain"
parameter to pass into the NTLM call, and we used "dest_realm" to
create an SPN
if none was returned in the NegTokenInit2 packet. If no "dest_realm"
is
provided we assume we're connecting to our own domain and use the
credentials
cache to build the SPN.
Since we have a reasonable guess at the SPN, I removed the check that
defaults
us directly to NTLM when negHint is empty.
(cherry picked from b78b14c88e8354aadf9ba7644bdb1c29245fe419)
(cherry picked from commit f1e6b40bbc8ce249e2f2a85a1d57ed6b8141e3bb)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 9 ++++
.../examples/netdomjoin-gui/netdomjoin-gui.c | 50 ++++++++++++++------
source/libnet/libnet_join.c | 46 ++++++++++++++++--
source/libsmb/cliconnect.c | 41 ++++++++--------
source/nsswitch/pam_winbind.c | 17 ++++++-
source/passdb/passdb.c | 6 +-
source/winbindd/winbindd_cm.c | 33 ++++++++++---
7 files changed, 151 insertions(+), 51 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f9c9586..c0272b1 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -221,10 +221,19 @@ o Jeremy Allison <[EMAIL PROTECTED]>
* Make sure we take account of the large read/write SMB headers as
well as the buffer space when allocating cli buffers for large
read/write.
+ * Fix tag as a goto target we were not reinitializing the array counts.
+
+
+o Steven Danneman <[EMAIL PROTECTED]>
+ * BUG 5451: Fix for using the correct machine domain when looking up trust
+ credentials in our tdb.
+ * Fix spnego SPN when contacting trusted domains.
o Günther Deschner <[EMAIL PROTECTED]>
* BUG 5285: Fix libcap header mismatch.
+ * Fix pam_sm_chauthtok for storing modified cached creds.
+ * Fix joining issue in setups with "config backend = registry".
o Björn Jacke <[EMAIL PROTECTED]>
diff --git a/source/lib/netapi/examples/netdomjoin-gui/netdomjoin-gui.c
b/source/lib/netapi/examples/netdomjoin-gui/netdomjoin-gui.c
index df81937..418b9c8 100644
--- a/source/lib/netapi/examples/netdomjoin-gui/netdomjoin-gui.c
+++ b/source/lib/netapi/examples/netdomjoin-gui/netdomjoin-gui.c
@@ -113,7 +113,10 @@ static void callback_do_close(GtkWidget *widget,
{
debug("callback_do_close called\n");
- gtk_widget_destroy(data);
+ if (data) {
+ gtk_widget_destroy(GTK_WIDGET(data));
+ data = NULL;
+ }
}
static void callback_do_freeauth(GtkWidget *widget,
@@ -127,7 +130,8 @@ static void callback_do_freeauth(GtkWidget *widget,
SAFE_FREE(state->password);
if (state->window_creds_prompt) {
- gtk_widget_destroy(state->window_creds_prompt);
+ gtk_widget_destroy(GTK_WIDGET(state->window_creds_prompt));
+ state->window_creds_prompt = NULL;
}
}
@@ -141,8 +145,14 @@ static void callback_do_freeauth_and_close(GtkWidget
*widget,
SAFE_FREE(state->account);
SAFE_FREE(state->password);
- gtk_widget_destroy(state->window_creds_prompt);
- gtk_widget_destroy(state->window_do_change);
+ if (state->window_creds_prompt) {
+ gtk_widget_destroy(GTK_WIDGET(state->window_creds_prompt));
+ state->window_creds_prompt = NULL;
+ }
+ if (state->window_do_change) {
+ gtk_widget_destroy(GTK_WIDGET(state->window_do_change));
+ state->window_do_change = NULL;
+ }
}
static void free_join_state(struct join_state *s)
@@ -201,8 +211,10 @@ static void callback_apply_description_change(GtkWidget
*widget,
static void callback_do_exit(GtkWidget *widget,
gpointer data)
{
+#if 0
GtkWidget *dialog;
gint result;
+#endif
struct join_state *state = (struct join_state *)data;
if (!state->settings_changed) {
@@ -210,6 +222,7 @@ static void callback_do_exit(GtkWidget *widget,
return;
}
+#if 0
dialog = gtk_message_dialog_new(GTK_WINDOW(state->window_main),
GTK_DIALOG_DESTROY_WITH_PARENT,
GTK_MESSAGE_QUESTION,
@@ -225,8 +238,14 @@ static void callback_do_exit(GtkWidget *widget,
default:
break;
}
- gtk_widget_destroy(dialog);
- gtk_widget_destroy(state->window_main);
+ if (dialog) {
+ gtk_widget_destroy(GTK_WIDGET(dialog));
+ }
+#endif
+ if (state->window_main) {
+ gtk_widget_destroy(GTK_WIDGET(state->window_main));
+ state->window_main = NULL;
+ }
do_cleanup(state);
exit(0);
}
@@ -257,7 +276,7 @@ static void callback_do_reboot(GtkWidget *widget,
gtk_widget_show(dialog);
#else
gtk_dialog_run(GTK_DIALOG(dialog));
- gtk_widget_destroy(dialog);
+ gtk_widget_destroy(GTK_WIDGET(dialog));
#endif
gtk_label_set_text(GTK_LABEL(state->label_reboot),
@@ -278,12 +297,12 @@ static void callback_do_reboot(GtkWidget *widget,
}
debug("got new status: %s\n", buffer);
-#if 0
+
SAFE_FREE(state->name_buffer_new);
state->name_buffer_new = strdup(buffer);
- SAFE_FREE(buffer);
state->name_type_new = type;
-#endif
+ state->name_buffer_initial = strdup(buffer);
+ state->name_type_initial = type;
NetApiBufferFree((void *)buffer);
gtk_label_set_text(GTK_LABEL(state->label_current_name_buffer),
@@ -388,10 +407,13 @@ static void callback_do_storeauth(GtkWidget *widget,
SAFE_FREE(state->account);
SAFE_FREE(state->password);
- callback_return_username(state->entry_account, state);
- callback_return_password(state->entry_password, state);
+ callback_return_username(state->entry_account, (gpointer)state);
+ callback_return_password(state->entry_password, (gpointer)state);
- gtk_widget_destroy(state->window_creds_prompt);
+ if (state->window_creds_prompt) {
+ gtk_widget_destroy(GTK_WIDGET(state->window_creds_prompt));
+ state->window_creds_prompt = NULL;
+ }
}
static void callback_continue(GtkWidget *widget,
@@ -1537,7 +1559,7 @@ static int init_join_state(struct join_state **state)
{
struct join_state *s;
- s = malloc(sizeof(struct join_state));
+ s = (struct join_state *)malloc(sizeof(struct join_state));
if (!s) {
return -1;
}
diff --git a/source/libnet/libnet_join.c b/source/libnet/libnet_join.c
index a69ccea..b19d90b 100644
--- a/source/libnet/libnet_join.c
+++ b/source/libnet/libnet_join.c
@@ -1332,6 +1332,8 @@ static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
return werr;
}
+ lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
+
r->out.modified_config = true;
r->out.result = werr;
@@ -1358,6 +1360,8 @@ static WERROR libnet_unjoin_config(struct
libnet_UnjoinCtx *r)
return werr;
}
+ lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
+
r->out.modified_config = true;
r->out.result = werr;
@@ -1728,6 +1732,35 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
/****************************************************************
****************************************************************/
+WERROR libnet_join_rollback(TALLOC_CTX *mem_ctx,
+ struct libnet_JoinCtx *r)
+{
+ WERROR werr;
+ struct libnet_UnjoinCtx *u = NULL;
+
+ werr = libnet_init_UnjoinCtx(mem_ctx, &u);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ u->in.debug = r->in.debug;
+ u->in.dc_name = r->in.dc_name;
+ u->in.domain_name = r->in.domain_name;
+ u->in.admin_account = r->in.admin_account;
+ u->in.admin_password = r->in.admin_password;
+ u->in.modify_config = r->in.modify_config;
+ u->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
+ WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
+
+ werr = libnet_Unjoin(mem_ctx, u);
+ TALLOC_FREE(u);
+
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
WERROR libnet_Join(TALLOC_CTX *mem_ctx,
struct libnet_JoinCtx *r)
{
@@ -1747,17 +1780,20 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx,
if (!W_ERROR_IS_OK(werr)) {
goto done;
}
-
- werr = libnet_join_post_verify(mem_ctx, r);
- if (!W_ERROR_IS_OK(werr)) {
- goto done;
- }
}
werr = libnet_join_post_processing(mem_ctx, r);
if (!W_ERROR_IS_OK(werr)) {
goto done;
}
+
+ if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
+ werr = libnet_join_post_verify(mem_ctx, r);
+ if (!W_ERROR_IS_OK(werr)) {
+ libnet_join_rollback(mem_ctx, r);
+ }
+ }
+
done:
r->out.result = werr;
diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c
index 0f17571..632d910 100644
--- a/source/libsmb/cliconnect.c
+++ b/source/libsmb/cliconnect.c
@@ -785,12 +785,16 @@ static NTSTATUS cli_session_setup_ntlmssp(struct
cli_state *cli, const char *use
/****************************************************************************
Do a spnego encrypted session setup.
+
+ user_domain: The shortname of the domain the user/machine is a member of.
+ dest_realm: The realm we're connecting to, if NULL we use our default realm.
****************************************************************************/
ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
- const char *pass, const char *domain)
+ const char *pass, const char *user_domain,
+ const char * dest_realm)
{
- char *principal;
+ char *principal = NULL;
char *OIDs[ASN1_MAX_OIDS];
int i;
bool got_kerberos_mechanism = False;
@@ -813,8 +817,10 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli,
const char *user,
/* there is 16 bytes of GUID before the real spnego packet starts */
blob = data_blob(cli->secblob.data+16, cli->secblob.length-16);
- /* the server sent us the first part of the SPNEGO exchange in the
negprot
- reply */
+ /* The server sent us the first part of the SPNEGO exchange in the
+ * negprot reply. It is WRONG to depend on the principal sent in the
+ * negprot reply, but right now we do it. If we don't receive one,
+ * we try to best guess, then fall back to NTLM. */
if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
data_blob_free(&blob);
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
@@ -833,18 +839,6 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli,
const char *user,
DEBUG(3,("got principal=%s\n", principal ? principal : "<null>"));
- if (got_kerberos_mechanism && (principal == NULL)) {
- /*
- * It is WRONG to depend on the principal sent in the negprot
- * reply, but right now we do it. So for safety (don't
- * segfault later) disable Kerberos when no principal was
- * sent. -- VL
- */
- DEBUG(1, ("Kerberos mech was offered, but no principal was "
- "sent, disabling Kerberos\n"));
- cli->use_kerberos = False;
- }
-
fstrcpy(cli->user_name, user);
#ifdef HAVE_KRB5
@@ -897,7 +891,12 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli,
const char *user,
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
- realm = kerberos_get_default_realm_from_ccache();
+ if (dest_realm) {
+ realm = SMB_STRDUP(dest_realm);
+ strupper_m(realm);
+ } else {
+ realm =
kerberos_get_default_realm_from_ccache();
+ }
if (realm && *realm) {
if (asprintf(&principal, "[EMAIL PROTECTED]",
machine, realm) < 0) {
@@ -914,7 +913,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli,
const char *user,
}
if (principal) {
- rc = cli_session_setup_kerberos(cli, principal, domain);
+ rc = cli_session_setup_kerberos(cli, principal,
+ dest_realm);
if (ADS_ERR_OK(rc) || !cli->fallback_after_kerberos) {
SAFE_FREE(principal);
return rc;
@@ -939,7 +939,7 @@ ntlmssp:
account[PTR_DIFF(p,user)] = '\0';
}
- return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, account, pass,
domain));
+ return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, account, pass,
user_domain));
}
/****************************************************************************
@@ -1031,7 +1031,8 @@ NTSTATUS cli_session_setup(struct cli_state *cli,
/* if the server supports extended security then use SPNEGO */
if (cli->capabilities & CAP_EXTENDED_SECURITY) {
- ADS_STATUS status = cli_session_setup_spnego(cli, user, pass,
workgroup);
+ ADS_STATUS status = cli_session_setup_spnego(cli, user, pass,
+ workgroup, NULL);
if (!ADS_ERR_OK(status)) {
DEBUG(3, ("SPNEGO login failed: %s\n",
ads_errstr(status)));
return ads_ntstatus(status);
diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index 47e0e3c..7288d7a 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -2417,6 +2417,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
{
unsigned int lctrl;
int ret;
+ bool cached_login = false;
/* <DO NOT free() THESE> */
const char *user;
@@ -2439,7 +2440,9 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
_PAM_LOG_FUNCTION_ENTER("pam_sm_chauthtok", ctx);
- /* clearing offline bit for the auth in the password change */
+ cached_login = (ctx->ctrl & WINBIND_CACHED_LOGIN);
+
+ /* clearing offline bit for auth */
ctx->ctrl &= ~WINBIND_CACHED_LOGIN;
/*
@@ -2595,6 +2598,15 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
_pam_get_data(pamh, PAM_WINBIND_PWD_LAST_SET,
&pwdlastset_update);
+ /*
+ * if cached creds were enabled, make sure to set the
+ * WINBIND_CACHED_LOGIN bit here in order to have winbindd
+ * update the cached creds storage - gd
+ */
+ if (cached_login) {
+ ctx->ctrl |= WINBIND_CACHED_LOGIN;
+ }
+
ret = winbind_chauthtok_request(ctx, user, pass_old,
pass_new, pwdlastset_update);
if (ret) {
@@ -2614,6 +2626,9 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
cctype = get_krb5_cc_type_from_config(ctx);
warn_pwd_expire = get_warn_pwd_expire_from_config(ctx);
+ /* clearing offline bit for auth */
+ ctx->ctrl &= ~WINBIND_CACHED_LOGIN;
+
ret = winbind_auth_request(ctx, user, pass_new,
member, cctype, 0, &response,
NULL, &username_ret);
diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
index 46dab15..e3a3d3c 100644
--- a/source/passdb/passdb.c
+++ b/source/passdb/passdb.c
@@ -1560,10 +1560,10 @@ bool get_trust_pw_clear(const char *domain, char
**ret_pwd,
return true;
}
- /* Just get the account for the requested domain. In the future this
- * might also cover to be member of more than one domain. */
+ /* Here we are a domain member server. We can only be a member
+ of one domain so ignore the request domain and assume our own */
- pwd = secrets_fetch_machine_password(domain, &last_set_time, channel);
+ pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time,
channel);
if (pwd != NULL) {
*ret_pwd = pwd;
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 74cd5db..9bfe1de 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -706,12 +706,12 @@ static NTSTATUS get_trust_creds(const struct
winbindd_domain *domain,
return NT_STATUS_NO_MEMORY;
}
- /* this is at least correct when domain is our domain,
- * which is the only case, when this is currently used: */
+ /* For now assume our machine account only exists in our domain */
+
if (machine_krb5_principal != NULL)
{
if (asprintf(machine_krb5_principal, "[EMAIL PROTECTED]",
- account_name, domain->alt_name) == -1)
+ account_name, lp_realm()) == -1)
{
return NT_STATUS_NO_MEMORY;
}
@@ -827,14 +827,15 @@ static NTSTATUS cm_prepare_connection(const struct
winbindd_domain *domain,
(*cli)->use_kerberos = True;
DEBUG(5, ("connecting to %s from %s with kerberos
principal "
- "[%s]\n", controller, global_myname(),
- machine_krb5_principal));
+ "[%s] and realm [%s]\n", controller,
global_myname(),
+ machine_krb5_principal, domain->alt_name));
winbindd_set_locator_kdc_envs(domain);
ads_status = cli_session_setup_spnego(*cli,
machine_krb5_principal,
- machine_password,
+ machine_password,
+ lp_workgroup(),
domain->name);
if (!ADS_ERR_OK(ads_status)) {
@@ -855,12 +856,13 @@ static NTSTATUS cm_prepare_connection(const struct
winbindd_domain *domain,
DEBUG(5, ("connecting to %s from %s with username "
"[%s]\\[%s]\n", controller, global_myname(),
- domain->name, machine_account));
+ lp_workgroup(), machine_account));
ads_status = cli_session_setup_spnego(*cli,
machine_account,
machine_password,
- domain->name);
+ lp_workgroup(),
+ NULL);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4, ("authenticated session setup failed with
%s\n",
ads_errstr(ads_status)));
@@ -1249,6 +1251,8 @@ static bool find_new_dc(TALLOC_CTX *mem_ctx,
int i, fd_index;
+ *fd = -1;
+
again:
if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
return False;
@@ -1310,6 +1314,19 @@ static bool find_new_dc(TALLOC_CTX *mem_ctx,
/* We can not continue without the DC's name */
winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
NT_STATUS_UNSUCCESSFUL);
+
+ /* Throw away all arrays as we're doing this again. */
+ TALLOC_FREE(dcs);
+ num_dcs = 0;
+
+ TALLOC_FREE(dcnames);
+ num_dcnames = 0;
+
+ TALLOC_FREE(addrs);
+ num_addrs = 0;
+
+ *fd = -1;
+
goto again;
}
--
Samba Shared Repository
