author | Gerald Carter <jerry@samba.org> | 2006-08-22 22:53:08 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:38:46 -0500 |
commit | 975b15949013f86ffa43675537183b20f3519ed2 (patch) | |
tree | 190bd943a4f4105de27822967194a21028af9a1f /source3/nsswitch/winbindd_pam.c | |
parent | 21e35f8e73a5d63e17486b286827a06a6029afbe (diff) | |
r17723: * BUG 3969: Fix unsigned time comparison with expiration policy from AD DC
* Merge patches from SLES10 to make sure we talk to the correct
winbindd process when performing pam_auth (and pull the password policy info).
(This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)
Diffstat (limited to 'source3/nsswitch/winbindd_pam.c')
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 47 |
1 files changed, 9 insertions, 38 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 8931b1373e..c93f4c98b6 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -6,7 +6,7 @@
 Copyright (C) Andrew Tridgell 2000
 Copyright (C) Tim Potter 2001
 Copyright (C) Andrew Bartlett 2001-2002
- Copyright (C) Guenther Deschner 2005-2006
+ Copyright (C) Guenther Deschner 2005
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -222,44 +222,18 @@ struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
 return NULL;
 }
- if (strequal(domain_name, lp_workgroup())) {
- return find_our_domain();
- }
-
-#ifdef HAVE_ADS
-
- /* when trying to login using krb5 with a trusted domain account, we
- * need to make sure that our and the remote domain are AD */
-
- if ((state->request.flags & WBFLAG_PAM_KRB5) &&
- (lp_security() == SEC_ADS)) {
-
- struct winbindd_domain *our_domain = find_our_domain();
-
- if (!our_domain->active_directory) {
- DEBUG(3,("find_auth_domain: out domain is not AD\n"));
- return NULL;
- }
-
- if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) {
- return NULL;
- }
-
- /* do we already know it's AD ? */
- if (domain->active_directory) {
+ /* we can auth against trusted domains */
+ if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ DEBUG(3, ("Authentication for domain [%s] skipped "
+ "as it is not a trusted domain\n",
+ domain_name));
+ } else {
 return domain;
 }
-
- set_dc_type_and_flags(domain);
-
- if (!domain->active_directory) {
- DEBUG(3,("find_auth_domain: remote domain is not AD\n"));
- return NULL;
 }
- return domain;
- }
-#endif
 return find_our_domain();
 }
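Review bot: In find_auth_domain() the new branch is chosen by `state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM`, a flag that comes from the client request, and when `find_domain_from_name_noinit()` returns NULL the code only logs and falls through to `find_our_domain()`, so a request naming an unknown domain is still handed to our own domain rather than refused. If that fall-through is intended it should be stated beside the DEBUG call, for example `/* unknown domain: fall through and let our own domain handle the request */`, because the "skipped" message reads as if authentication stops there. The removed block also held the WBFLAG_PAM_KRB5 / `active_directory` checks, and nothing visible in this hunk shows where a krb5 login against a non-AD trusted domain is now rejected, so that is worth confirming. The start of the function lies above the hunk.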
@@ -1306,15 +1280,12 @@ process_result:
 }
- /* this is required to provide password expiry warning */
- if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
 result = fillup_password_policy(domain, state);
 if (!NT_STATUS_IS_OK(result)) {
 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
 goto done;
 }
- }
 } |
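Review bot: With the `WBFLAG_PAM_GET_PWD_POLICY` test removed, `fillup_password_policy(domain, state)` now overwrites `result` for every request that reaches this block, and a failure jumps to `done` carrying the policy error. If `result` holds the authentication status at this point (the enclosing condition is above the hunk, so this is inferred), a DC that cannot answer the policy query would turn a valid logon into a failure even for callers that never asked for the policy. Consider keeping the lookup status separate, `NTSTATUS policy_result = fillup_password_policy(domain, state);`, and failing only when the flag was set. At minimum, replace the deleted comment with one saying why the lookup is now unconditional.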