diff options
-rw-r--r-- | source3/nsswitch/winbindd_ads.c | 6 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_cm.c | 12 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_misc.c | 16 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_util.c | 35 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 43 |
5 files changed, 95 insertions, 17 deletions
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c index 41dffc3ab6..7c360bf156 100644 --- a/source3/nsswitch/winbindd_ads.c +++ b/source3/nsswitch/winbindd_ads.c @@ -945,6 +945,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, struct cli_state *cli = NULL; /* i think we only need our forest and downlevel trusted domains */ uint32 flags = DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND; + char *contact_domain_name; DEBUG(3,("ads: trusted_domains\n")); @@ -953,9 +954,10 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, *names = NULL; *dom_sids = NULL; - if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(domain->name, PI_NETLOGON, &cli)) ) { + contact_domain_name = *domain->alt_name ? domain->alt_name : domain->name; + if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(contact_domain_name, PI_NETLOGON, &cli)) ) { DEBUG(5, ("trusted_domains: Could not open a connection to %s for PIPE_NETLOGON (%s)\n", - domain->name, nt_errstr(result))); + contact_domain_name, nt_errstr(result))); return NT_STATUS_UNSUCCESSFUL; } diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index d3d178df67..8513a46f8f 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -573,6 +573,7 @@ NTSTATUS cm_get_netlogon_cli(const char *domain, struct winbindd_cm_conn *conn; fstring lock_name; BOOL got_mutex; + struct winbindd_domain *wb_domain = NULL; if (!cli) return NT_STATUS_INVALID_PARAMETER; @@ -614,6 +615,17 @@ NTSTATUS cm_get_netlogon_cli(const char *domain, if ( sec_channel_type == SEC_CHAN_DOMAIN ) fstr_sprintf(conn->cli->mach_acct, "%s$", lp_workgroup()); + /* we need the short form of the domain name for the schanel + rpc bind. What if we fail? I don't think we should ever get + a request for a domain name not in our list but I'm not bailing + out if we do since I'm not 10% certain about this --jerry */ + + if ( (wb_domain = find_domain_from_name( domain )) != NULL ) { + DEBUG(5,("cm_get_netlogon_cli: Using short for of domain name [%s] for netlogon rpc bind\n", + wb_domain->name)); + fstrcpy( conn->cli->domain, wb_domain->name); + } + result = cli_nt_establish_netlogon(conn->cli, sec_channel_type, trust_passwd); if (got_mutex) diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c index c12fe4517e..88fbb5ee00 100644 --- a/source3/nsswitch/winbindd_misc.c +++ b/source3/nsswitch/winbindd_misc.c @@ -35,6 +35,8 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat int num_retries = 0; struct cli_state *cli; uint32 sec_channel_type; + const char *contact_domain_name = NULL; + DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid)); /* Get trust account password */ @@ -46,11 +48,21 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat goto done; } + + /* use the realm name if appropriate and possible */ + + if ( lp_security() == SEC_ADS ) + contact_domain_name = lp_realm(); + + if ( !contact_domain_name || !*contact_domain_name ) + contact_domain_name = lp_workgroup(); + /* This call does a cli_nt_setup_creds() which implicitly checks the trust account password. */ - /* Don't shut this down - it belongs to the connection cache code */ - result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, sec_channel_type, True, &cli); + + result = cm_get_netlogon_cli(contact_domain_name, + trust_passwd, sec_channel_type, True, &cli); if (!NT_STATUS_IS_OK(result)) { DEBUG(3, ("could not open handle to NETLOGON pipe\n")); diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index 63e91670e9..25de4eff71 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -81,6 +81,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const { struct winbindd_domain *domain; char *contact_name; + const char *alternative_name = NULL; + + /* ignore alt_name if we are not in an AD domain */ + + if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) { + alternative_name = alt_name; + } /* We can't call domain_list() as this function is called from init_domain_list() and we'll get stuck in a loop. */ @@ -89,9 +96,9 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const strcasecmp(domain_name, domain->alt_name) == 0) { return domain; } - if (alt_name && *alt_name) { - if (strcasecmp(alt_name, domain->name) == 0 || - strcasecmp(alt_name, domain->alt_name) == 0) { + if (alternative_name && *alternative_name) { + if (strcasecmp(alternative_name, domain->name) == 0 || + strcasecmp(alternative_name, domain->alt_name) == 0) { return domain; } } @@ -108,13 +115,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const ZERO_STRUCTP(domain); /* prioritise the short name */ - if (strchr_m(domain_name, '.') && alt_name && *alt_name) { - fstrcpy(domain->name, alt_name); + if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) { + fstrcpy(domain->name, alternative_name); fstrcpy(domain->alt_name, domain_name); } else { fstrcpy(domain->name, domain_name); - if (alt_name) { - fstrcpy(domain->alt_name, alt_name); + if (alternative_name) { + fstrcpy(domain->alt_name, alternative_name); } } @@ -261,17 +268,23 @@ BOOL init_domain_list(void) /* Add ourselves as the first entry */ - domain = add_trusted_domain( lp_workgroup(), NULL, &cache_methods, NULL); + domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL); + + /* get any alternate name for the primary domain */ + + cache_methods.alternate_name(domain); + + /* now we have the correct netbios (short) domain name */ + if ( *domain->name ) + set_global_myworkgroup( domain->name ); + if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) { DEBUG(1, ("Could not fetch sid for our domain %s\n", domain->name)); return False; } - /* get any alternate name for the primary domain */ - cache_methods.alternate_name(domain); - /* do an initial scan for trusted domains */ add_trusted_domains(domain); diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 0e909a6087..3b955742d8 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -656,6 +656,8 @@ int net_ads_join(int argc, const char **argv) char *ou_str; uint32 sec_channel_type = SEC_CHAN_WKSTA; uint32 account_type = UF_WORKSTATION_TRUST_ACCOUNT; + char *short_domain_name = NULL; + TALLOC_CTX *ctx = NULL; if (argc > 0) org_unit = argv[0]; @@ -720,7 +722,33 @@ int net_ads_join(int argc, const char **argv) d_printf("ads_set_machine_password: %s\n", ads_errstr(rc)); return -1; } - + + /* make sure we get the right workgroup */ + + if ( !(ctx = talloc_init("net ads join")) ) { + d_printf("talloc_init() failed!\n"); + return -1; + } + + rc = ads_workgroup_name(ads, ctx, &short_domain_name); + if ( ADS_ERR_OK(rc) ) { + if ( !strequal(lp_workgroup(), short_domain_name) ) { + d_printf("The workgroup in smb.conf does not match the short\n"); + d_printf("domain name obtained from the server.\n"); + d_printf("Using the name [%s] from the server.\n", short_domain_name); + d_printf("You should set \"workgroup = %s\" in smb.conf.\n", short_domain_name); + } + } + else + short_domain_name = lp_workgroup(); + + d_printf("Using short domain name -- %s\n", short_domain_name); + + /* HACK ALRET! Store the sid and password under bother the lp_workgroup() + value from smb.conf and the string returned from the server. The former is + neede to bootstrap winbindd's first connection to the DC to get the real + short domain name --jerry */ + if (!secrets_store_domain_sid(lp_workgroup(), &dom_sid)) { DEBUG(1,("Failed to save domain sid\n")); return -1; @@ -731,11 +759,22 @@ int net_ads_join(int argc, const char **argv) return -1; } + if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) { + DEBUG(1,("Failed to save domain sid\n")); + return -1; + } + + if (!secrets_store_machine_password(password, short_domain_name, sec_channel_type)) { + DEBUG(1,("Failed to save machine password\n")); + return -1; + } + d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm); SAFE_FREE(password); SAFE_FREE(machine_account); - + if ( ctx ) + talloc_destroy(ctx); return 0; } |