r16255: Fix 'net ads join' when the workgroup is set incorrectly

in smb.conf.  This did work before the join rewrite.
Samba will have problems if you try to run any of the daemons
with an incorrect workgroup but it should not fail to join.

The summary is that a member server should always use it's
own machine name when setting up schannel since that is
the only account it has.  Thanks to Volker for the discussion.
(This used to be commit 95763b94f709fe1ad9e381dbc6b364c2f3759024)

1 files changed, 9 insertions, 6 deletions

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index d41c1ef12a..467e652ca9 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2446,15 +2446,18 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
 		return NULL;
 	}
 
+	/* A DC should use DOMAIN$ as its account name.
+	   A member server can only use it's machine name since it
+	   does not have an account in a trusted domain.
+
+	   We don't check the domain against lp_workgroup() here since
+	   'net ads join' has to continue to work with only the realm
+	   specified in smb.conf.  -- jerry */
+
         if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
 		fstrcpy( machine_account, lp_workgroup() );
         } else {
-                /* Hmmm. Is this correct for trusted domains when we're a member server ? JRA. */
-                if (strequal(domain, lp_workgroup())) {
-                        fstrcpy(machine_account, global_myname());
-                } else {
-                        fstrcpy(machine_account, domain);
-                }
+		fstrcpy(machine_account, global_myname());
         }
 
 	*perr = rpccli_netlogon_setup_creds(netlogon_pipe,