diff options
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 40 |
1 files changed, 39 insertions, 1 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 504c245c75..1eb2659905 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -6,7 +6,7 @@ Copyright (C) Andrew Tridgell 2000 Copyright (C) Tim Potter 2001 Copyright (C) Andrew Bartlett 2001-2002 - Copyright (C) Guenther Deschner 2005 + Copyright (C) Guenther Deschner 2005-2006 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -221,6 +221,44 @@ static struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state return NULL; } + if (strequal(domain_name, lp_workgroup())) { + return find_our_domain(); + } + +#ifdef HAVE_ADS + + /* when trying to login using krb5 with a trusted domain account, we + * need to make sure that our and the remote domain are AD */ + + if ((state->request.flags & WBFLAG_PAM_KRB5) && + (lp_security() == SEC_ADS)) { + + struct winbindd_domain *our_domain = find_our_domain(); + + if (!our_domain->active_directory) { + DEBUG(3,("find_auth_domain: out domain is not AD\n")); + return NULL; + } + + if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) { + return NULL; + } + + /* do we already know it's AD ? */ + if (domain->active_directory) { + return domain; + } + + set_dc_type_and_flags(domain); + + if (!domain->active_directory) { + DEBUG(3,("find_auth_domain: remote domain is not AD\n")); + return NULL; + } + + return domain; + } +#endif return find_our_domain(); } |