author | Gerald Carter <jerry@samba.org> | 2007-05-06 20:16:12 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:21:49 -0500 |
commit | 391a72f3dfc061d6d97752c7e8691f80b4990ba8 (patch) | |
tree | f9d596fb1fe072365f192fdf20751fd277731c1d /source3/nsswitch/winbindd_util.c | |
parent | 044f1b4a993cd7711fd9721a73cf9e2f9c90f5a5 (diff) | |
r22710: Support one-way trusts.
* Rely on the fact that name2sid for any name in a trusted domain
will work against our primary domain
(even in the absence of an incoming trust path)
* Only logons will reliably work and the idmap backend
is responsible for being able to manage id's without contacting
the trusted domain
* "getent passwd" and "getent group" for trusted users and groups
will work but we cannot get the group membership of a user in any
fashion without the user first logging on (via NTLM or krb5)
and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
Diffstat (limited to 'source3/nsswitch/winbindd_util.c')
-rw-r--r-- | source3/nsswitch/winbindd_util.c | 43 |
1 files changed, 40 insertions, 3 deletions
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index d58fffd0db..231e11ae45 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -554,11 +554,11 @@ enum winbindd_result init_child_connection(struct winbindd_domain *domain,
 state->continuation = continuation;
 state->private_data = private_data;
- if (IS_DC || domain->primary) {
+ if (IS_DC || domain->primary || domain->internal ) {
 /* The primary domain has to find the DC name itself */
 request->cmd = WINBINDD_INIT_CONNECTION;
 fstrcpy(request->domain_name, domain->name);
- request->data.init_conn.is_primary = True;
+ request->data.init_conn.is_primary = domain->internal ? False : True;
 fstrcpy(request->data.init_conn.dcname, "");
 async_request(mem_ctx, &domain->child, request, response, init_child_recv, state);
@@ -572,7 +572,6 @@ enum winbindd_result init_child_connection(struct winbindd_domain *domain,
 fstrcpy(request->domain_name, domain->name);
 request_domain = find_our_domain();
-
 async_domain_request(mem_ctx, request_domain, request, response, init_child_getdc_recv, state);
 return WINBINDD_PENDING;
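Review bot: `request->data.init_conn.is_primary = domain->internal ? False : True;` spells out with a ternary a value that is simply the negation of the flag; `request->data.init_conn.is_primary = !domain->internal;` says the same thing more directly, and the widened condition has a stray space before its closing parenthesis (`domain->internal )`). The comment just below that condition, `/* The primary domain has to find the DC name itself */`, no longer describes everything that enters the branch now that internal domains are admitted too, so it should read something like `/* The primary domain and internal domains have to find the DC name themselves */`. init_child_connection begins before this hunk and continues after it, so the callers that rely on is_primary for internal domains cannot be checked from here.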
@@ -728,6 +727,44 @@ BOOL init_domain_list(void)
 return True;
 }
+void check_domain_trusted( const char *name, const DOM_SID *user_sid )
+{
+ struct winbindd_domain *domain;
+ DOM_SID dom_sid;
+ uint32 rid;
+
+ domain = find_domain_from_name_noinit( name );
+ if ( domain )
+ return;
+
+ sid_copy( &dom_sid, user_sid );
+ if ( !sid_split_rid( &dom_sid, &rid ) )
+ return;
+
+ /* add the newly discovered trusted domain */
+
+ domain = add_trusted_domain( name, NULL, &cache_methods,
+ &dom_sid);
+
+ if ( !domain )
+ return;
+
+ /* assume this is a trust from a one-way transitive
+ forest trust */
+
+ domain->active_directory = True;
+ domain->domain_flags = DS_DOMAIN_DIRECT_OUTBOUND;
+ domain->domain_type = DS_DOMAIN_TRUST_TYPE_UPLEVEL;
+ domain->internal = False;
+ domain->online = True;
+
+ setup_domain_child(domain, &domain->child, NULL);
+
+ wcache_tdc_add_domain( domain );
+
+ return;
+}
+
 /**
 * Given a domain name, return the struct winbindd domain info for it
 * |
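Review bot: check_domain_trusted decides whether a domain is new by name only: `find_domain_from_name_noinit( name )` is consulted, but nothing checks whether the domain SID left in `dom_sid` after `sid_split_rid` already belongs to a domain listed under another name, so unless add_trusted_domain rejects a duplicate SID itself (not visible in this hunk) a single user lookup can register a second domain entry carrying an existing SID. A SID lookup before the add, `if ( find_domain_from_sid_noinit( &dom_sid ) ) return;`, would close that gap, assuming that helper is available in this file. The trailing `return;` before the closing brace is redundant and can go. A short header comment stating that the entry is built from the name and the domain part of user_sid without contacting the trusted domain would also help, since the existing "one-way transitive forest trust" comment only explains the flag values that follow it.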