The branch, v3-2-test has been updated via f53658a20de07a29abbe2e90917b328d00fc0024 (commit) via 8b063a414149bdf401a8f854d55ed7dc6f94cb60 (commit) from 95e0fb452bda4c81b26e3dec4953bbba37940467 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit f53658a20de07a29abbe2e90917b328d00fc0024
Author: Gerald W. Carter <[EMAIL PROTECTED]>
Date: Fri Jan 25 12:21:14 2008 -0600
Always trust the domain flags in the wcache trusted domain cache.
Use the flags stored in the tdb when determining if a domain can be contacted. The tdb should be considered authoratative anyways unless you know the flags in the winbindd_domain are correct (such as when first enumerating trusts). Original suggestion and patch from Steven Danneman <[EMAIL PROTECTED]>. Manually rewritten by me for 3.2.
commit 8b063a414149bdf401a8f854d55ed7dc6f94cb60
Author: Gerald W. Carter <[EMAIL PROTECTED]>
Date: Fri Jan 25 12:18:05 2008 -0600
Use the correct domain name when looking up the trust password.
On a DC, we always use the domain name given. On a domain member, we use lp_workgroup(). This fixes a bug supporting trusted domains.
-----------------------------------------------------------------------
Summary of changes:
source/winbindd/winbindd_cm.c | 16 ++++++++++++-
source/winbindd/winbindd_util.c | 46 ++++++++++++++++++++++++++++-----------
2 files changed, 48 insertions(+), 14 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 0c5fa0e..9491007 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -679,8 +679,22 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
 char **machine_krb5_principal)
 {
 const char *account_name;
+ const char *name = NULL;
+
+ /* If we are a DC and this is not our own domain */
+
+ if (IS_DC) {
+ name = domain->name;
+ } else {
+ struct winbindd_domain *our_domain = find_our_domain();
- if (!get_trust_pw_clear(domain->name, machine_password,
+ if (!our_domain)
+ return NT_STATUS_INVALID_SERVER_STATE;
+
+ name = our_domain->name;
+ }
+
+ if (!get_trust_pw_clear(name, machine_password,
 &account_name, NULL)) {
 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
diff --git a/source/winbindd/winbindd_util.c b/source/winbindd/winbindd_util.c
index d16b742..f6bb575 100644
--- a/source/winbindd/winbindd_util.c
+++ b/source/winbindd/winbindd_util.c
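Review bot: The comment `/* If we are a DC and this is not our own domain */` above the new `if (IS_DC)` branch does not describe the condition; the code branches only on IS_DC and never checks whether `domain` is our own domain. Per the commit message, the intent is that a DC looks up the trust password under the given domain's name while a member server uses its own domain's name, so the comment should state that rather than a check that is not there, e.g. `/* A DC keeps the trust account under the trusted domain's name; on a member server the machine account lives under our own domain, so look it up by that name instead. */`. get_trust_creds begins before this hunk and its body continues past it.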
@@ -1386,36 +1386,56 @@ void ws_name_return( char *name, char replace )
 /*********************************************************************
 ********************************************************************/
-bool winbindd_can_contact_domain( struct winbindd_domain *domain )
+bool winbindd_can_contact_domain(struct winbindd_domain *domain)
 {
+ struct winbindd_tdc_domain *tdc = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+ bool ret = false;
+
 /* We can contact the domain if it is our primary domain */
- if ( domain->primary )
- return True;
+ if (domain->primary) {
+ return true;
+ }
- /* Can always contact a domain that is in out forest */
+ /* Trust the TDC cache and not the winbindd_domain flags */
- if ( domain->domain_flags & DS_DOMAIN_IN_FOREST )
- return True;
+ if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
+ DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
+ domain->name));
+ return false;
+ }
+
+ /* Can always contact a domain that is in out forest */
+ if (tdc->trust_flags & DS_DOMAIN_IN_FOREST) {
+ ret = true;
+ goto done;
+ }
+
 /*
 * On a _member_ server, we cannot contact the domain if it
 * is running AD and we have no inbound trust.
 */
- if ( !IS_DC &&
+ if (!IS_DC &&
 domain->active_directory &&
- ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) )
+ ((tdc->trust_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND))
 {
- DEBUG(10, ("Domain is an AD domain and we have no inbound "
- "trust.\n"));
- return False;
+ DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
+ "and we have no inbound trust.\n", domain->name));
+ goto done;
 }
-
+
 /* Assume everything else is ok (probably not true but what can you do?) */
+
+ ret = true;
+
+done:
+ talloc_destroy(frame);
- return True;
+ return ret;
 }
 /*********************************************************************
-- Samba Shared Repository
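Review bot: Two early returns in winbindd_can_contact_domain now leak the talloc stack frame: `return true;` in the `domain->primary` branch and `return false;` after the wcache_tdc_fetch_domain miss both run after `talloc_stackframe()` but skip the `talloc_destroy(frame)` at `done:`. Since stack frames are expected to be released in nesting order, an unreleased frame can also disturb the caller's frame handling (inferred from the talloc_stackframe convention, not visible here). Route both through the cleanup label: `ret = true; goto done;` for the primary case and `goto done;` for the cache miss, where `ret` is already false. Separately, the AD check still reads `domain->active_directory` from the winbindd_domain struct while the flags come from the tdc entry; if the cache is meant to be authoritative as the commit message says, a one-line comment stating why that field is still taken from the struct would help the next reader.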