diff options
-rw-r--r-- | source3/libsmb/namequery_dc.c | 20 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_cm.c | 27 |
2 files changed, 31 insertions, 16 deletions
diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c index ceb8bbd7e6..375d39a5fd 100644 --- a/source3/libsmb/namequery_dc.c +++ b/source3/libsmb/namequery_dc.c @@ -25,6 +25,24 @@ #include "includes.h" +/********************************************************************** + Is this our primary domain ? +**********************************************************************/ + +#ifdef HAVE_KRB5 +static BOOL is_our_primary_domain(const char *domain) +{ + int role = lp_server_role(); + + if ((role == ROLE_DOMAIN_MEMBER) && strequal(lp_workgroup(), domain)) { + return True; + } else if (strequal(get_global_sam_name(), domain)) { + return True; + } + return False; +} +#endif + /************************************************************************** Find the name and IP address for a server in the realm/domain *************************************************************************/ @@ -79,7 +97,7 @@ static BOOL ads_dc_name(const char *domain, } #ifdef HAVE_KRB5 - if ((ads->config.flags & ADS_KDC) && ads_closest_dc(ads)) { + if (is_our_primary_domain(domain) && (ads->config.flags & ADS_KDC) && ads_closest_dc(ads)) { /* We're going to use this KDC for this realm/domain. If we are using sites, then force the krb5 libs to use this KDC. */ diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 2e6d6e644a..b2474c4664 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -1002,8 +1002,7 @@ static BOOL receive_getdc_response(struct in_addr dc_ip, convert an ip to a name *******************************************************************/ -static BOOL dcip_to_name( const char *domainname, const char *realm, - const DOM_SID *sid, struct in_addr ip, fstring name ) +static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip, fstring name ) { struct ip_service ip_list; @@ -1017,7 +1016,7 @@ static BOOL dcip_to_name( const char *domainname, const char *realm, if (lp_security() == SEC_ADS) { ADS_STRUCT *ads; - ads = ads_init(realm, domainname, NULL); + ads = ads_init(domain->alt_name, domain->name, NULL); ads->auth.flags |= ADS_AUTH_NO_BIND; if (ads_try_connect( ads, inet_ntoa(ip) ) ) { @@ -1027,18 +1026,18 @@ static BOOL dcip_to_name( const char *domainname, const char *realm, DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags)); - if ((ads->config.flags & ADS_KDC) && ads_closest_dc(ads)) { + if (domain->primary && (ads->config.flags & ADS_KDC) && ads_closest_dc(ads)) { /* We're going to use this KDC for this realm/domain. If we are using sites, then force the krb5 libs to use this KDC. */ - create_local_private_krb5_conf_for_domain(realm, - domainname, + create_local_private_krb5_conf_for_domain(domain->alt_name, + domain->name, ip); /* Ensure we contact this DC also. */ - saf_store( domainname, name); - saf_store( realm, name); + saf_store( domain->name, name); + saf_store( domain->alt_name, name); } ads_destroy( &ads ); @@ -1051,11 +1050,11 @@ static BOOL dcip_to_name( const char *domainname, const char *realm, /* try GETDC requests next */ - if (send_getdc_request(ip, domainname, sid)) { + if (send_getdc_request(ip, domain->name, &domain->sid)) { int i; smb_msleep(100); for (i=0; i<5; i++) { - if (receive_getdc_response(ip, domainname, name)) { + if (receive_getdc_response(ip, domain->name, name)) { namecache_store(name, 0x20, 1, &ip_list); return True; } @@ -1065,7 +1064,7 @@ static BOOL dcip_to_name( const char *domainname, const char *realm, /* try node status request */ - if ( name_status_find(domainname, 0x1c, 0x20, ip, name) ) { + if ( name_status_find(domain->name, 0x1c, 0x20, ip, name) ) { namecache_store(name, 0x20, 1, &ip_list); return True; } @@ -1203,8 +1202,7 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx, } /* Try to figure out the name */ - if (dcip_to_name( domain->name, domain->alt_name, &domain->sid, - addr->sin_addr, dcname )) { + if (dcip_to_name( domain, addr->sin_addr, dcname )) { return True; } @@ -1246,8 +1244,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain, struct in_addr ip; ip = *interpret_addr2( saf_servername ); - if (dcip_to_name( domain->name, domain->alt_name, - &domain->sid, ip, saf_name )) { + if (dcip_to_name( domain, ip, saf_name )) { fstrcpy( domain->dcname, saf_name ); } else { winbind_add_failed_connection_entry( |