summaryrefslogtreecommitdiff
path: root/source3/auth
diff options
context:
space:
mode:
authorMichael Adam <obnox@samba.org>2009-08-21 13:59:16 +0200
committerJeremy Allison <jra@samba.org>2009-08-21 12:41:31 -0700
commit6afb02cb53f47e0fd7e7df3935b067e7e1f8a9de (patch)
tree64c976d9003c7ab9ff5868b6d474d7e18f2ce0ea /source3/auth
parent9d824dc115c7096ea555b135d58091e8620495d9 (diff)
downloadsamba-6afb02cb53f47e0fd7e7df3935b067e7e1f8a9de.tar.gz
samba-6afb02cb53f47e0fd7e7df3935b067e7e1f8a9de.tar.bz2
samba-6afb02cb53f47e0fd7e7df3935b067e7e1f8a9de.zip
s3: fix bug #6650, authentication at member servers when winbindd is not running
Authentication of domain users on the member server fails when winbindd is not running. This is because the is_trusted_domain() check behaves differently when winbindd is running and when it isn't: Since wb_is_trusted_domain() calls wbcDomainInfo(), and this will also give a result for our own domain, this succeeds for the member server's own domain when winbindd is running. When winbindd is not running, is_trusted_domain() checks (and possibly updates) the trustdom cache, and this does the lsa_EnumTrustDom() rpc call to the DC which does not return its own domain. In case of winbindd not running, before 3.4, the domain part was _silently_ mapped to the workgroup in auth_util.c:make_user_info_map(), which effectively did nothing in the member case. But then the parameter "map untrusted to domain" was introduced and the mapping was made to the workstation name instead of the workgroup name by default unless "map untrusted to domain = yes". (Commits d8c54fddda2dba3cbc5fc13e93431b152813892e, 5cd4b7b7c03df6e896186d985b6858a06aa40b3f, and fbca26923915a70031f561b198cfe2cc0d9c3aa6) This was ok as long as winbindd was running, but with winbindd not running, these changes actually uncovered the above logic bug in the check. So the correct check is to treat the workgroup as trusted / or known in the member case. This is most easily achieved by not comparing the domain name against get_global_sam_name() which is the host name unless for a DC but against my_sam_name() which is the workgroup for a DC and for a member, too. (These names are not very intuitive...) I admit that this is a very long commit message for a one-liner, but this has needed some tracking down, and I think the change deserves some justification. Michael
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth_util.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index d53da7867c..1d25e22202 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -221,7 +221,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
* This also deals with the client passing in a "" domain */
if (!is_trusted_domain(domain) &&
- !strequal(domain, get_global_sam_name()) )
+ !strequal(domain, my_sam_name()))
{
if (lp_map_untrusted_to_domain())
domain = my_sam_name();