author | Gerald W. Carter <jerry@samba.org> | 2008-01-25 12:21:14 -0600 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-01-25 12:29:47 -0600 |
commit | 235deb1b66ccfb4a264010e8ffe11a3a3682ac0d (patch) | |
tree | 07e2753bfc5b7ca00cb0d6e941d3fd8ae8066a1e | |
parent | fda9247770577a98606c91973f98a7e53123a40c (diff) | |
Always trust the domain flags in the wcache trusted domain cache.
Use the flags stored in the tdb when determining if a domain can
be contacted. The tdb should be considered authoritative anyways unless
you know the flags in the winbindd_domain are correct (such as when
first enumerating trusts).
Original suggestion and patch from Steven Danneman <steven.danneman@isilon.com>.
Manually rewritten by me for 3.2.
(This used to be commit f53658a20de07a29abbe2e90917b328d00fc0024)
-rw-r--r-- | source3/winbindd/winbindd_util.c | 46 |
1 files changed, 33 insertions, 13 deletions
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index d16b7423a1..f6bb5750ea 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1386,36 +1386,56 @@ void ws_name_return( char *name, char replace ) /********************************************************************* ********************************************************************/ -bool winbindd_can_contact_domain( struct winbindd_domain *domain ) +bool winbindd_can_contact_domain(struct winbindd_domain *domain) { + struct winbindd_tdc_domain *tdc = NULL; + TALLOC_CTX *frame = talloc_stackframe(); + bool ret = false; + /* We can contact the domain if it is our primary domain */ - if ( domain->primary ) - return True; + if (domain->primary) { + return true; + } - /* Can always contact a domain that is in out forest */ + /* Trust the TDC cache and not the winbindd_domain flags */ - if ( domain->domain_flags & DS_DOMAIN_IN_FOREST ) - return True; + if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) { + DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n", + domain->name)); + return false; + } + + /* Can always contact a domain that is in out forest */ + if (tdc->trust_flags & DS_DOMAIN_IN_FOREST) { + ret = true; + goto done; + } + /* * On a _member_ server, we cannot contact the domain if it * is running AD and we have no inbound trust. */ - if ( !IS_DC && + if (!IS_DC && domain->active_directory && - ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) ) + ((tdc->trust_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND)) { - DEBUG(10, ("Domain is an AD domain and we have no inbound " - "trust.\n")); - return False; + DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain " + "and we have no inbound trust.\n", domain->name)); + goto done; } - + /* Assume everything else is ok (probably not true but what can you do?) */ + + ret = true; + +done: + talloc_destroy(frame); - return True; + return ret; } /********************************************************************* |
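Review bot: The two early returns leak the stackframe: `frame` is taken with `talloc_stackframe()` at the top of the function, but `return true;` in the `domain->primary` branch and `return false;` after the cache-miss DEBUG both skip the `done:` label where `talloc_destroy(frame)` runs. The primary-domain path is likely the most frequent one in a long-running winbindd, so the unreleased frame would persist until some outer frame is torn down. Route both through the cleanup instead: `ret = true; goto done;` for the primary case and a plain `goto done;` for the miss, since `ret` is already false there. Separately, a cache miss now fails closed while `domain->active_directory` is still read from the winbindd_domain rather than from the tdb entry; a short comment stating that both are intended would help the next reader of this trust check.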