summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteven Danneman <steven.danneman@isilon.com>2008-03-25 16:50:58 -0700
committerGerald W. Carter <jerry@samba.org>2008-03-31 13:40:58 -0500
commit223071f01de8d85b594bab7c1f8514386da11281 (patch)
tree066a97b926a47406458842538bdba927700a2d06
parent0ad8a002ce90c7567952cf9923bae57136cff565 (diff)
downloadsamba-223071f01de8d85b594bab7c1f8514386da11281.tar.gz
samba-223071f01de8d85b594bab7c1f8514386da11281.tar.bz2
samba-223071f01de8d85b594bab7c1f8514386da11281.zip
Forest root trust flags won't overwrite child trust flags
* changed the behavior of winbind_ads.c:trusted_domains() to not overwrite existing trust information if we're joined to a child domain, and querying the forest root domain. Previously if we were joined to a child domain, we'd request all known trust information from this child domain (our primary domain) and store it in the tdc. We'd then request all trust information from our tree root (to get the forests we transitively trust) and overwrite the existing trust information we already had from the perspective of the tree root. * updated several comments and fixed typos (This used to be commit 6aac972d790ad5ca65096cb2e85e6819b60a5413)
-rw-r--r--source3/winbindd/winbindd_ads.c81
-rw-r--r--source3/winbindd/winbindd_util.c6
2 files changed, 54 insertions, 33 deletions
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 0900d56987..ae8ad9dd1a 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -1249,32 +1249,55 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
fstrcpy( d.alt_name, trusts.array[i].dns_name);
sid_copy( &d.sid, trusts.array[i].sid);
- /* This gets a little tricky. If we are
- following a transitive forest trust, then
- innerit the flags, type, and attrins from
- the domain we queried to make sure we don't
- record the view of the trust from the wrong
- side. Always view it from the side of our
- primary domain. --jerry */
- if ( domain->primary ||
- ((domain->domain_flags&fr_flags) == fr_flags) )
- {
- DEBUG(10,("trusted_domains(ads): Storing trust "
- "flags for domain %s\n", d.alt_name));
-
- /* Look this up in cache to make sure
- we have the current trust flags and
- attributes */
+ if ( domain->primary ) {
+ DEBUG(10,("trusted_domains(ads): Searching "
+ "trusted domain list of %s and storing "
+ "trust flags for domain %s\n",
+ domain->name, d.alt_name));
d.domain_flags = trusts.array[i].trust_flags;
d.domain_type = trusts.array[i].trust_type;
d.domain_trust_attribs = trusts.array[i].trust_attributes;
- } else {
- /* Look up the record in the cache */
- struct winbindd_tdc_domain *parent;
- DEBUG(10,("trusted_domains(ads): Inheriting trust "
- "flags for domain %s\n", d.alt_name));
+ wcache_tdc_add_domain( &d );
+ ret_count++;
+ } else if ( (domain->domain_flags&fr_flags) == fr_flags ) {
+ /* Check if we already have this record. If
+ * we are following our forest root that is not
+ * our primary domain, we want to keep trust
+ * flags from the perspective of our primary
+ * domain not our forest root. */
+ struct winbindd_tdc_domain *exist = NULL;
+
+ exist =
+ wcache_tdc_fetch_domain(NULL, trusts.array[i].netbios_name);
+ if (!exist) {
+ DEBUG(10,("trusted_domains(ads): Searching "
+ "trusted domain list of %s and storing "
+ "trust flags for domain %s\n",
+ domain->name, d.alt_name));
+ d.domain_flags = trusts.array[i].trust_flags;
+ d.domain_type = trusts.array[i].trust_type;
+ d.domain_trust_attribs = trusts.array[i].trust_attributes;
+
+ wcache_tdc_add_domain( &d );
+ ret_count++;
+ }
+ TALLOC_FREE(exist);
+ } else {
+ /* This gets a little tricky. If we are
+ following a transitive forest trust, then
+ innerit the flags, type, and attribs from
+ the domain we queried to make sure we don't
+ record the view of the trust from the wrong
+ side. Always view it from the side of our
+ primary domain. --jerry */
+ struct winbindd_tdc_domain *parent = NULL;
+
+ DEBUG(10,("trusted_domains(ads): Searching "
+ "trusted domain list of %s and inheriting "
+ "trust flags for domain %s\n",
+ domain->name, d.alt_name));
parent = wcache_tdc_fetch_domain(NULL, domain->name);
if (parent) {
@@ -1282,17 +1305,15 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
d.domain_type = parent->trust_type;
d.domain_trust_attribs = parent->trust_attribs;
} else {
- d.domain_flags = domain->domain_flags;
- d.domain_type = domain->domain_type;
- d.domain_trust_attribs = domain->domain_trust_attribs;
- }
+ d.domain_flags = domain->domain_flags;
+ d.domain_type = domain->domain_type;
+ d.domain_trust_attribs = domain->domain_trust_attribs;
+ }
TALLOC_FREE(parent);
+
+ wcache_tdc_add_domain( &d );
+ ret_count++;
}
-
- wcache_tdc_add_domain( &d );
-
- ret_count++;
-
}
*num_domains = ret_count;
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 038bafbe4e..641fd5a9f5 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -339,7 +339,7 @@ static void trustdom_recv(void *private_data, bool success)
*/
if ( state->primary ) {
- /* If this is our primary domain and we are not the in the
+ /* If this is our primary domain and we are not in the
forest root, we have to scan the root trusts first */
if ( !state->forest_root )
@@ -349,7 +349,7 @@ static void trustdom_recv(void *private_data, bool success)
} else if ( state->forest_root ) {
/* Once we have done root forest trust search, we can
- go on to search thing trusted forests */
+ go on to search the trusted forests */
rescan_forest_trusts();
}
@@ -419,7 +419,7 @@ static void rescan_forest_root_trusts( void )
}
/********************************************************************
- scan the transitive forest trists (not our own)
+ scan the transitive forest trusts (not our own)
********************************************************************/