authorGerald W. Carter <jerry@samba.org>2008-01-25 12:21:14 -0600
committerGerald W. Carter <jerry@samba.org>2008-01-25 12:29:47 -0600
commit235deb1b66ccfb4a264010e8ffe11a3a3682ac0d (patch)
tree07e2753bfc5b7ca00cb0d6e941d3fd8ae8066a1e
parentfda9247770577a98606c91973f98a7e53123a40c (diff)
Always trust the domain flags in the wcache trusted domain cache.
Use the flags stored in the tdb when determining if a domain can be contacted. The tdb should be considered authoritative anyway unless you know the flags in the winbindd_domain are correct (such as when first enumerating trusts). Original suggestion and patch from Steven Danneman <steven.danneman@isilon.com>. Manually rewritten by me for 3.2. (This used to be commit f53658a20de07a29abbe2e90917b328d00fc0024)
-rw-r--r--source3/winbindd/winbindd_util.c46
1 files changed, 33 insertions, 13 deletions
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index d16b7423a1..f6bb5750ea 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1386,36 +1386,56 @@ void ws_name_return( char *name, char replace )
/*********************************************************************
********************************************************************/
-bool winbindd_can_contact_domain( struct winbindd_domain *domain )
+bool winbindd_can_contact_domain(struct winbindd_domain *domain)
{
+ struct winbindd_tdc_domain *tdc = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+ bool ret = false;
+
/* We can contact the domain if it is our primary domain */
- if ( domain->primary )
- return True;
+ if (domain->primary) {
+ return true;
+ }
- /* Can always contact a domain that is in out forest */
+ /* Trust the TDC cache and not the winbindd_domain flags */
- if ( domain->domain_flags & DS_DOMAIN_IN_FOREST )
- return True;
+ if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
+ DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
+ domain->name));
+ return false;
+ }
+
+ /* Can always contact a domain that is in out forest */
+ if (tdc->trust_flags & DS_DOMAIN_IN_FOREST) {
+ ret = true;
+ goto done;
+ }
+
/*
* On a _member_ server, we cannot contact the domain if it
* is running AD and we have no inbound trust.
*/
- if ( !IS_DC &&
+ if (!IS_DC &&
domain->active_directory &&
- ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) )
+ ((tdc->trust_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND))
{
- DEBUG(10, ("Domain is an AD domain and we have no inbound "
- "trust.\n"));
- return False;
+ DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
+ "and we have no inbound trust.\n", domain->name));
+ goto done;
}
-
+
/* Assume everything else is ok (probably not true but what
can you do?) */
+
+ ret = true;
+
+done:
+ talloc_destroy(frame);
- return True;
+ return ret;
}
/*********************************************************************
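Review bot: The two early returns near the top of the new body, `return true;` for the primary domain and `return false;` after the TDC cache miss, run after `talloc_stackframe()` has already been called and bypass the `talloc_destroy(frame)` under `done:`, so every call taking either path appears to leave a stack frame allocated in a long-running daemon. Routing both through the common exit fixes it: `ret = true; goto done;` in the primary-domain branch and a plain `goto done;` after the DEBUG in the cache-miss branch. The cache-miss branch also changes behaviour compared with the old flag check, because a domain with no TDC entry is now reported as not contactable; if that fail-closed result is intended, a comment such as `/* No TDC entry: treat the domain as not contactable */` would make it explicit. The third condition still reads `domain->active_directory` from the winbindd_domain while the trust flags come from the cache, which deserves a short comment on why that field is still trusted.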