The branch, v3-2-test has been updated
       via  f53658a20de07a29abbe2e90917b328d00fc0024 (commit)
       via  8b063a414149bdf401a8f854d55ed7dc6f94cb60 (commit)
      from  95e0fb452bda4c81b26e3dec4953bbba37940467 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit f53658a20de07a29abbe2e90917b328d00fc0024
Author: Gerald W. Carter <[EMAIL PROTECTED]>
Date:   Fri Jan 25 12:21:14 2008 -0600

    Always trust the domain flags in the wcache trusted domain cache.
    
    Use the flags stored in the tdb when determining if a domain can
    be contacted.  The tdb should be considered authoritative anyways unless
    you know the flags in the winbindd_domain are correct (such as when
    first enumerating trusts).
    
    Original suggestion and patch from Steven Danneman <[EMAIL PROTECTED]>.
    Manually rewritten by me for 3.2.

commit 8b063a414149bdf401a8f854d55ed7dc6f94cb60
Author: Gerald W. Carter <[EMAIL PROTECTED]>
Date:   Fri Jan 25 12:18:05 2008 -0600

    Use the correct domain name when looking up the trust password.
    
    On a DC, we always use the domain name given.  On a domain member,
    we use lp_workgroup().  This fixes a bug supporting trusted domains.

-----------------------------------------------------------------------

Summary of changes:
 source/winbindd/winbindd_cm.c   |   16 ++++++++++++-
 source/winbindd/winbindd_util.c |   46 ++++++++++++++++++++++++++++-----------
 2 files changed, 48 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 0c5fa0e..9491007 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -679,8 +679,22 @@ static NTSTATUS get_trust_creds(const struct 
winbindd_domain *domain,
                                char **machine_krb5_principal)
 {
        const char *account_name;
+       const char *name = NULL;
+       
+       /* If we are a DC and this is not our own domain */
+
+       if (IS_DC) {
+               name = domain->name;
+       } else {
+               struct winbindd_domain *our_domain = find_our_domain();
 
-       if (!get_trust_pw_clear(domain->name, machine_password,
+               if (!our_domain)
+                       return NT_STATUS_INVALID_SERVER_STATE;          
+               
+               name = our_domain->name;                
+       }       
+       
+       if (!get_trust_pw_clear(name, machine_password,
                                &account_name, NULL))
        {
                return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
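Review bot: The comment above `if (IS_DC)` reads "If we are a DC and this is not our own domain", but the condition tests only `IS_DC`, and the member-server branch, which is the actual behaviour change, carries no comment at all. Because this choice decides which stored trust secret is read, I would state it explicitly, e.g. `/* On a DC, look up the trust password for the given domain; on a member, always use our own domain's machine account. */`. The commit message says members use lp_workgroup() while the code takes `find_our_domain()->name`; presumably these are the same name, but the comment should say which one is intended. get_trust_creds starts before this hunk and continues past it.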
diff --git a/source/winbindd/winbindd_util.c b/source/winbindd/winbindd_util.c
index d16b742..f6bb575 100644
--- a/source/winbindd/winbindd_util.c
+++ b/source/winbindd/winbindd_util.c
@@ -1386,36 +1386,56 @@ void ws_name_return( char *name, char replace )
 /*********************************************************************
  ********************************************************************/
 
-bool winbindd_can_contact_domain( struct winbindd_domain *domain )
+bool winbindd_can_contact_domain(struct winbindd_domain *domain)
 {
+       struct winbindd_tdc_domain *tdc = NULL;
+       TALLOC_CTX *frame = talloc_stackframe();
+       bool ret = false;
+
        /* We can contact the domain if it is our primary domain */
 
-       if ( domain->primary )
-               return True;
+       if (domain->primary) {
+               return true;
+       }
 
-       /* Can always contact a domain that is in out forest */
+       /* Trust the TDC cache and not the winbindd_domain flags */
 
-       if ( domain->domain_flags & DS_DOMAIN_IN_FOREST )
-               return True;    
+       if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
+               DEBUG(10,("winbindd_can_contact_domain: %s not found in 
cache\n",
+                         domain->name));
+               return false;
+       }
+
+       /* Can always contact a domain that is in out forest */
 
+       if (tdc->trust_flags & DS_DOMAIN_IN_FOREST) {
+               ret = true;
+               goto done;
+       }
+       
        /*
         * On a _member_ server, we cannot contact the domain if it
         * is running AD and we have no inbound trust.
         */
 
-       if ( !IS_DC &&
+       if (!IS_DC && 
             domain->active_directory &&
-            ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != 
DS_DOMAIN_DIRECT_INBOUND) ) 
+           ((tdc->trust_flags&DS_DOMAIN_DIRECT_INBOUND) != 
DS_DOMAIN_DIRECT_INBOUND))
        {
-               DEBUG(10, ("Domain is an AD domain and we have no inbound "
-                          "trust.\n"));
-               return False;
+               DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
+                          "and we have no inbound trust.\n", domain->name));
+               goto done;
        }
-       
+
        /* Assume everything else is ok (probably not true but what
           can you do?) */
+
+       ret = true;     
+
+done:  
+       talloc_destroy(frame);
        
-       return True;    
+       return ret;     
 }
 
 /*********************************************************************
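Review bot: The two early returns in winbindd_can_contact_domain leave without freeing `frame`, which `talloc_stackframe()` allocates at the top of the function; only the paths that reach `done:` call `talloc_destroy(frame)`. Both the `domain->primary` case and the cache-miss case should go through the cleanup label: `ret = true; goto done;` in the first, and a plain `goto done;` after the DEBUG call in the second, since `ret` is already false there. Separately, a domain missing from the TDC cache is now reported as not contactable and this is logged only at debug level 10; the fail-closed choice looks deliberate, but a one-line comment would help, because a stale or empty cache would presumably make otherwise reachable trusts appear unreachable.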


-- 
Samba Shared Repository
