summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-09-05 17:57:45 +0000
committerGerald Carter <jerry@samba.org>2003-09-05 17:57:45 +0000
commit7544b0c77382e300da0e2daf2b325527a23e6ddc (patch)
tree954ee42d9b9e822868cef6e297fa4dc828f21598
parentcadff241823b9c2a239f5a5686629c280d2c2a48 (diff)
downloadsamba-7544b0c77382e300da0e2daf2b325527a23e6ddc.tar.gz
samba-7544b0c77382e300da0e2daf2b325527a23e6ddc.tar.bz2
samba-7544b0c77382e300da0e2daf2b325527a23e6ddc.zip
fixes for ads domain membership when only the realm is defined in
smb.conf Fixes to ensure we work with disable netbios = yes (This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
-rw-r--r--source3/nsswitch/winbindd_ads.c6
-rw-r--r--source3/nsswitch/winbindd_cm.c12
-rw-r--r--source3/nsswitch/winbindd_misc.c16
-rw-r--r--source3/nsswitch/winbindd_util.c35
-rw-r--r--source3/utils/net_ads.c43
5 files changed, 95 insertions, 17 deletions
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 41dffc3ab6..7c360bf156 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -945,6 +945,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
struct cli_state *cli = NULL;
/* i think we only need our forest and downlevel trusted domains */
uint32 flags = DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND;
+ char *contact_domain_name;
DEBUG(3,("ads: trusted_domains\n"));
@@ -953,9 +954,10 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
*names = NULL;
*dom_sids = NULL;
- if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(domain->name, PI_NETLOGON, &cli)) ) {
+ contact_domain_name = *domain->alt_name ? domain->alt_name : domain->name;
+ if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(contact_domain_name, PI_NETLOGON, &cli)) ) {
DEBUG(5, ("trusted_domains: Could not open a connection to %s for PIPE_NETLOGON (%s)\n",
- domain->name, nt_errstr(result)));
+ contact_domain_name, nt_errstr(result)));
return NT_STATUS_UNSUCCESSFUL;
}
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index d3d178df67..8513a46f8f 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -573,6 +573,7 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
struct winbindd_cm_conn *conn;
fstring lock_name;
BOOL got_mutex;
+ struct winbindd_domain *wb_domain = NULL;
if (!cli)
return NT_STATUS_INVALID_PARAMETER;
@@ -614,6 +615,17 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
if ( sec_channel_type == SEC_CHAN_DOMAIN )
fstr_sprintf(conn->cli->mach_acct, "%s$", lp_workgroup());
+ /* we need the short form of the domain name for the schanel
+ rpc bind. What if we fail? I don't think we should ever get
+ a request for a domain name not in our list but I'm not bailing
+ out if we do since I'm not 10% certain about this --jerry */
+
+ if ( (wb_domain = find_domain_from_name( domain )) != NULL ) {
+ DEBUG(5,("cm_get_netlogon_cli: Using short for of domain name [%s] for netlogon rpc bind\n",
+ wb_domain->name));
+ fstrcpy( conn->cli->domain, wb_domain->name);
+ }
+
result = cli_nt_establish_netlogon(conn->cli, sec_channel_type, trust_passwd);
if (got_mutex)
diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c
index c12fe4517e..88fbb5ee00 100644
--- a/source3/nsswitch/winbindd_misc.c
+++ b/source3/nsswitch/winbindd_misc.c
@@ -35,6 +35,8 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
int num_retries = 0;
struct cli_state *cli;
uint32 sec_channel_type;
+ const char *contact_domain_name = NULL;
+
DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid));
/* Get trust account password */
@@ -46,11 +48,21 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
goto done;
}
+
+ /* use the realm name if appropriate and possible */
+
+ if ( lp_security() == SEC_ADS )
+ contact_domain_name = lp_realm();
+
+ if ( !contact_domain_name || !*contact_domain_name )
+ contact_domain_name = lp_workgroup();
+
/* This call does a cli_nt_setup_creds() which implicitly checks
the trust account password. */
-
/* Don't shut this down - it belongs to the connection cache code */
- result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, sec_channel_type, True, &cli);
+
+ result = cm_get_netlogon_cli(contact_domain_name,
+ trust_passwd, sec_channel_type, True, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 63e91670e9..25de4eff71 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -81,6 +81,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
{
struct winbindd_domain *domain;
char *contact_name;
+ const char *alternative_name = NULL;
+
+ /* ignore alt_name if we are not in an AD domain */
+
+ if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
+ alternative_name = alt_name;
+ }
/* We can't call domain_list() as this function is called from
init_domain_list() and we'll get stuck in a loop. */
@@ -89,9 +96,9 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
strcasecmp(domain_name, domain->alt_name) == 0) {
return domain;
}
- if (alt_name && *alt_name) {
- if (strcasecmp(alt_name, domain->name) == 0 ||
- strcasecmp(alt_name, domain->alt_name) == 0) {
+ if (alternative_name && *alternative_name) {
+ if (strcasecmp(alternative_name, domain->name) == 0 ||
+ strcasecmp(alternative_name, domain->alt_name) == 0) {
return domain;
}
}
@@ -108,13 +115,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
ZERO_STRUCTP(domain);
/* prioritise the short name */
- if (strchr_m(domain_name, '.') && alt_name && *alt_name) {
- fstrcpy(domain->name, alt_name);
+ if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
+ fstrcpy(domain->name, alternative_name);
fstrcpy(domain->alt_name, domain_name);
} else {
fstrcpy(domain->name, domain_name);
- if (alt_name) {
- fstrcpy(domain->alt_name, alt_name);
+ if (alternative_name) {
+ fstrcpy(domain->alt_name, alternative_name);
}
}
@@ -261,17 +268,23 @@ BOOL init_domain_list(void)
/* Add ourselves as the first entry */
- domain = add_trusted_domain( lp_workgroup(), NULL, &cache_methods, NULL);
+ domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL);
+
+ /* get any alternate name for the primary domain */
+
+ cache_methods.alternate_name(domain);
+
+ /* now we have the correct netbios (short) domain name */
+ if ( *domain->name )
+ set_global_myworkgroup( domain->name );
+
if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
DEBUG(1, ("Could not fetch sid for our domain %s\n",
domain->name));
return False;
}
- /* get any alternate name for the primary domain */
- cache_methods.alternate_name(domain);
-
/* do an initial scan for trusted domains */
add_trusted_domains(domain);
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 0e909a6087..3b955742d8 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -656,6 +656,8 @@ int net_ads_join(int argc, const char **argv)
char *ou_str;
uint32 sec_channel_type = SEC_CHAN_WKSTA;
uint32 account_type = UF_WORKSTATION_TRUST_ACCOUNT;
+ char *short_domain_name = NULL;
+ TALLOC_CTX *ctx = NULL;
if (argc > 0) org_unit = argv[0];
@@ -720,7 +722,33 @@ int net_ads_join(int argc, const char **argv)
d_printf("ads_set_machine_password: %s\n", ads_errstr(rc));
return -1;
}
-
+
+ /* make sure we get the right workgroup */
+
+ if ( !(ctx = talloc_init("net ads join")) ) {
+ d_printf("talloc_init() failed!\n");
+ return -1;
+ }
+
+ rc = ads_workgroup_name(ads, ctx, &short_domain_name);
+ if ( ADS_ERR_OK(rc) ) {
+ if ( !strequal(lp_workgroup(), short_domain_name) ) {
+ d_printf("The workgroup in smb.conf does not match the short\n");
+ d_printf("domain name obtained from the server.\n");
+ d_printf("Using the name [%s] from the server.\n", short_domain_name);
+ d_printf("You should set \"workgroup = %s\" in smb.conf.\n", short_domain_name);
+ }
+ }
+ else
+ short_domain_name = lp_workgroup();
+
+ d_printf("Using short domain name -- %s\n", short_domain_name);
+
+ /* HACK ALRET! Store the sid and password under bother the lp_workgroup()
+ value from smb.conf and the string returned from the server. The former is
+ neede to bootstrap winbindd's first connection to the DC to get the real
+ short domain name --jerry */
+
if (!secrets_store_domain_sid(lp_workgroup(), &dom_sid)) {
DEBUG(1,("Failed to save domain sid\n"));
return -1;
@@ -731,11 +759,22 @@ int net_ads_join(int argc, const char **argv)
return -1;
}
+ if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) {
+ DEBUG(1,("Failed to save domain sid\n"));
+ return -1;
+ }
+
+ if (!secrets_store_machine_password(password, short_domain_name, sec_channel_type)) {
+ DEBUG(1,("Failed to save machine password\n"));
+ return -1;
+ }
+
d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm);
SAFE_FREE(password);
SAFE_FREE(machine_account);
-
+ if ( ctx )
+ talloc_destroy(ctx);
return 0;
}