authorGerald Carter <jerry@samba.org>2003-06-30 20:45:14 +0000
committerGerald Carter <jerry@samba.org>2003-06-30 20:45:14 +0000
commite359dbcedb53b03df79140c30ecfdfdbcb904595 (patch)
tree8d477ea151c844936e561822256321bff580c588 /source3/libsmb
parenta32ae05744e8e065bc4be56e93875c29182bb760 (diff)
* cleanup more DC name resolution issues in check_*domain_security()
* is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
Diffstat (limited to 'source3/libsmb')
-rw-r--r--source3/libsmb/namequery_dc.c71
-rw-r--r--source3/libsmb/trusts_util.c10
2 files changed, 79 insertions, 2 deletions
diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
index fc383d9a6b..8bfb00b9ad 100644
--- a/source3/libsmb/namequery_dc.c
+++ b/source3/libsmb/namequery_dc.c
@@ -5,6 +5,7 @@
Copyright (C) Tim Potter 2001
Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Gerald Carter 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -24,12 +25,54 @@
#include "includes.h"
+/**************************************************************************
+ Find the name and IP address for a server in he realm/domain
+ *************************************************************************/
+
+static BOOL ads_dc_name(const char *domain, struct in_addr *dc_ip, fstring srv_name)
+{
+ ADS_STRUCT *ads;
+ const char *realm = domain;
+
+ if (strcasecmp(realm, lp_workgroup()) == 0)
+ realm = lp_realm();
+
+ ads = ads_init(realm, domain, NULL);
+ if (!ads)
+ return False;
+
+ /* we don't need to bind, just connect */
+ ads->auth.flags |= ADS_AUTH_NO_BIND;
+
+ DEBUG(4,("ads_dc_name: domain=%s\n", domain));
+
+#ifdef HAVE_ADS
+ /* a full ads_connect() is actually overkill, as we don't srictly need
+ to do the SASL auth in order to get the info we need, but libads
+ doesn't offer a better way right now */
+ ads_connect(ads);
+#endif
+
+ if (!ads->config.realm)
+ return False;
+
+ fstrcpy(srv_name, ads->config.ldap_server_name);
+ strupper(srv_name);
+ *dc_ip = ads->ldap_ip;
+ ads_destroy(&ads);
+
+ DEBUG(4,("ads_dc_name: using server='%s' IP=%s\n",
+ srv_name, inet_ntoa(*dc_ip)));
+
+ return True;
+}
+
/****************************************************************************
Utility function to return the name of a DC. The name is guaranteed to be
valid since we have already done a name_status_find on it
***************************************************************************/
-BOOL rpc_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out)
+static BOOL rpc_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out)
{
struct ip_service *ip_list = NULL;
struct in_addr dc_ip, exclude_ip;
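Review bot: In the new `ads_dc_name()`, the early return `if (!ads->config.realm) return False;` skips `ads_destroy(&ads)`, so each failed lookup leaks the ADS_STRUCT obtained from `ads_init()`; with HAVE_ADS undefined the connect is compiled out, so that path is presumably taken on every call. Release the structure before returning, e.g. `if (!ads->config.realm) { ads_destroy(&ads); return False; }`. The return value of `ads_connect(ads)` is also discarded, and `srv_name` and `*dc_ip` come from a connection flagged `ADS_AUTH_NO_BIND`, so the header comment should say that the name and address appear to be unauthenticated hints which the caller must verify when it later sets up its session with the DC. The body of `rpc_dc_name()` continues outside this hunk.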
@@ -109,3 +152,29 @@ BOOL rpc_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out)
return True;
}
+
+/**********************************************************************
+ wrapper around ads and rpc methods of finds DC's
+**********************************************************************/
+
+BOOL get_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out)
+{
+ struct in_addr dc_ip;
+ BOOL ret;
+
+ zero_ip(&dc_ip);
+
+ ret = False;
+ if (lp_security() == SEC_ADS)
+ ret = ads_dc_name(domain, &dc_ip, srv_name);
+
+ if (!ret) {
+ /* fall back on rpc methods if the ADS methods fail */
+ ret = rpc_dc_name(domain, srv_name, &dc_ip);
+ }
+
+ *ip_out = dc_ip;
+
+ return ret;
+}
+
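Review bot: `get_dc_name()` falls back to `rpc_dc_name()` without any log output when `ads_dc_name()` fails under `lp_security() == SEC_ADS`, so the logs do not show that DC discovery left the ADS path on a host configured for it. Brace the SEC_ADS branch and add, right after the `ads_dc_name()` call, `if (!ret) DEBUG(3,("get_dc_name: ADS lookup for %s failed, falling back to RPC\n", domain));`. The header comment should also state that `*ip_out` is written on every path, including failure, where it holds whatever `dc_ip` contains after `zero_ip()` and the attempted lookups.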
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index e0c5e79595..569b0521be 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -153,8 +153,16 @@ BOOL is_trusted_domain(const char* dom_name)
/*
* Query the trustdom_cache updated periodically. The only
* way for domain member server.
+ *
+ * Sure...it's all fun and games until someone gets hurt...
+ * This call cannot work without winbindd running since it
+ * is the only process updating the cache currently.
+ *
+ * FIXME!!! make this always true for now until I figure
+ * out what to do --jerry
*/
- if (trustdom_cache_fetch(dom_name, &trustdom_sid)) {
+
+ if (True || trustdom_cache_fetch(dom_name, &trustdom_sid)) {
return True;
}
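Review bot: With `if (True || trustdom_cache_fetch(dom_name, &trustdom_sid))` the function returns True for every `dom_name` that reaches this point, including names for which no trust exists, and short-circuit evaluation means the cache lookup is never executed. If callers use the result to decide how a client-supplied domain is mapped, any domain string would be accepted as trusted; this is inferred, since the callers and the earlier part of `is_trusted_domain()` are outside the hunk. Keeping the cache fetch as the first test and logging when the unconditional path is taken, e.g. `DEBUG(1,("is_trusted_domain: no trustdom cache entry for %s, treating as trusted (FIXME)\n", dom_name));`, would make the bypass visible in logs and easy to locate when it is reverted.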