Diffstat (limited to 'source3/nsswitch')
-rw-r--r-- | source3/nsswitch/winbindd_ads.c | 6 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_cm.c | 12 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_misc.c | 16 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_util.c | 35 |
4 files changed, 54 insertions, 15 deletions
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 41dffc3ab6..7c360bf156 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -945,6 +945,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
 	struct cli_state *cli = NULL;
 	/* i think we only need our forest and downlevel trusted domains */
 	uint32 flags = DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND;
+	char *contact_domain_name;
 
 	DEBUG(3,("ads: trusted_domains\n"));
 
@@ -953,9 +954,10 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
 	*names = NULL;
 	*dom_sids = NULL;
 
-	if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(domain->name, PI_NETLOGON, &cli)) ) {
+	contact_domain_name = *domain->alt_name ? domain->alt_name : domain->name;
+	if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(contact_domain_name, PI_NETLOGON, &cli)) ) {
 		DEBUG(5, ("trusted_domains: Could not open a connection to %s for PIPE_NETLOGON (%s)\n",
-			domain->name, nt_errstr(result)));
+			contact_domain_name, nt_errstr(result)));
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index d3d178df67..8513a46f8f 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -573,6 +573,7 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
 	struct winbindd_cm_conn *conn;
 	fstring lock_name;
 	BOOL got_mutex;
+	struct winbindd_domain *wb_domain = NULL;
 
 	if (!cli)
 		return NT_STATUS_INVALID_PARAMETER;
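Review bot: `contact_domain_name` in trusted_domains is declared `char *` although it only aliases `domain->alt_name` or `domain->name` and is never written through; declare it `const char *contact_domain_name;` as the winbindd_misc.c hunk of this same commit does, so the compiler rejects any later write into the cached domain entry. The selection `*domain->alt_name ? domain->alt_name : domain->name` relies on alt_name being an empty string for domains without a DNS name; the `ZERO_STRUCTP(domain)` in winbindd_util.c appears to guarantee that, but it is worth a one-line comment such as `/* alt_name is "" when the domain has no DNS name (zeroed in add_trusted_domain) */`. trusted_domains continues outside the hunk.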
@@ -614,6 +615,17 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
 	if ( sec_channel_type == SEC_CHAN_DOMAIN )
 		fstr_sprintf(conn->cli->mach_acct, "%s$", lp_workgroup());
 
+	/* we need the short form of the domain name for the schanel rpc bind. What if we fail? I don't think we should ever get a request for a domain name not in our list but I'm not bailing out if we do since I'm not 10% certain about this --jerry */
+
+	if ( (wb_domain = find_domain_from_name( domain )) != NULL ) {
+		DEBUG(5,("cm_get_netlogon_cli: Using short for of domain name [%s] for netlogon rpc bind\n",
+			wb_domain->name));
+		fstrcpy( conn->cli->domain, wb_domain->name);
+	}
+
 	result = cli_nt_establish_netlogon(conn->cli, sec_channel_type, trust_passwd);
 
 	if (got_mutex)
diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c
index c12fe4517e..88fbb5ee00 100644
--- a/source3/nsswitch/winbindd_misc.c
+++ b/source3/nsswitch/winbindd_misc.c
@@ -35,6 +35,8 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
 	int num_retries = 0;
 	struct cli_state *cli;
 	uint32 sec_channel_type;
+	const char *contact_domain_name = NULL;
+
 	DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid));
 
 	/* Get trust account password */
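Review bot: When `find_domain_from_name( domain )` returns NULL the schannel bind silently goes ahead with whatever `conn->cli->domain` already held, and the only trace of that is the comment admitting the author is unsure; add an else branch `DEBUG(5,("cm_get_netlogon_cli: no domain entry for [%s], leaving cli->domain unchanged\n", domain));` so a failed netlogon bind with a DNS-form name is diagnosable from the log. The new log string also has a typo, `Using short for of domain name` should read `Using short form of domain name`, and the comment's `schanel` and `10% certain` presumably mean `schannel` and `100% certain`. The `fstrcpy( conn->cli->domain, wb_domain->name)` copy is bounded by the fstring size, so the copy itself is fine. cm_get_netlogon_cli continues outside the hunk.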
@@ -46,11 +48,21 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
 		goto done;
 	}
 
+
+	/* use the realm name if appropriate and possible */
+
+	if ( lp_security() == SEC_ADS )
+		contact_domain_name = lp_realm();
+
+	if ( !contact_domain_name || !*contact_domain_name )
+		contact_domain_name = lp_workgroup();
+
 	/* This call does a cli_nt_setup_creds() which implicitly checks the trust account password. */
 
-	/* Don't shut this down - it belongs to the connection cache code */
-	result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, sec_channel_type, True, &cli);
+
+	result = cm_get_netlogon_cli(contact_domain_name,
+		trust_passwd, sec_channel_type, True, &cli);
 
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 63e91670e9..25de4eff71 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -81,6 +81,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
 {
 	struct winbindd_domain *domain;
 	char *contact_name;
+	const char *alternative_name = NULL;
+
+	/* ignore alt_name if we are not in an AD domain */
+
+	if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
+		alternative_name = alt_name;
+	}
 
 	/* We can't call domain_list() as this function is called from init_domain_list() and we'll get stuck in a loop. */
@@ -89,9 +96,9 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
 			strcasecmp(domain_name, domain->alt_name) == 0) {
 		return domain;
 	}
-	if (alt_name && *alt_name) {
-		if (strcasecmp(alt_name, domain->name) == 0 ||
-		    strcasecmp(alt_name, domain->alt_name) == 0) {
+	if (alternative_name && *alternative_name) {
+		if (strcasecmp(alternative_name, domain->name) == 0 ||
+		    strcasecmp(alternative_name, domain->alt_name) == 0) {
 			return domain;
 		}
 	}
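Review bot: The removed line `/* Don't shut this down - it belongs to the connection cache code */` was the only statement of who owns `cli`, and the replacement call obtains the handle from the same cm_get_netlogon_cli, so ownership has not changed; reinstate that comment above the new `result = cm_get_netlogon_cli(contact_domain_name,` call rather than dropping it, otherwise a later maintainer may add a cli_shutdown() on the error path and tear down a cached connection. The realm/workgroup selection itself reads soundly: `lp_realm()` is consulted only under SEC_ADS and an empty value falls back to `lp_workgroup()`. winbindd_check_machine_acct continues outside the hunk.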
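Review bot: `alternative_name` is only ever assigned from a pointer that has already passed `alt_name && *alt_name`, so the second guard `if (alternative_name && *alternative_name)` in the @@ -89 hunk of winbindd_util.c can be reduced to `if (alternative_name)`, the form the @@ -108 hunk of the same file already uses; as written the two tests look like different conditions to a reader. The SEC_ADS gate is sensible since a non-AD configuration has no meaningful DNS alias to match against. add_trusted_domain starts and ends outside these hunks.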
@@ -108,13 +115,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
 	ZERO_STRUCTP(domain);
 
 	/* prioritise the short name */
-	if (strchr_m(domain_name, '.') && alt_name && *alt_name) {
-		fstrcpy(domain->name, alt_name);
+	if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
+		fstrcpy(domain->name, alternative_name);
 		fstrcpy(domain->alt_name, domain_name);
 	} else {
 		fstrcpy(domain->name, domain_name);
-		if (alt_name) {
-			fstrcpy(domain->alt_name, alt_name);
+		if (alternative_name) {
+			fstrcpy(domain->alt_name, alternative_name);
 		}
 	}
 
@@ -261,17 +268,23 @@ BOOL init_domain_list(void)
 	/* Add ourselves as the first entry */
-	domain = add_trusted_domain( lp_workgroup(), NULL, &cache_methods, NULL);
+	domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL);
+
+	/* get any alternate name for the primary domain */
+
+	cache_methods.alternate_name(domain);
+
+	/* now we have the correct netbios (short) domain name */
+	if ( *domain->name )
+		set_global_myworkgroup( domain->name );
+
 	if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
 		DEBUG(1, ("Could not fetch sid for our domain %s\n", domain->name));
 		return False;
 	}
-	/* get any alternate name for the primary domain */
-	cache_methods.alternate_name(domain);
-
 	/* do an initial scan for trusted domains */
 	add_trusted_domains(domain);
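Review bot: The `domain` returned by `add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL)` is dereferenced by `cache_methods.alternate_name(domain)` and `*domain->name` with no NULL check; if add_trusted_domain can fail to allocate (the allocation precedes the `ZERO_STRUCTP(domain)` visible in the @@ -108 hunk and is outside this diff), init_domain_list should `if (!domain) return False;` before the new block rather than crash winbindd at startup. Ordering also deserves a look: `set_global_myworkgroup( domain->name )` now runs after `cache_methods.alternate_name(domain)`, so if that callback can rewrite `domain->name` from a DC's reply rather than only fill `alt_name`, the process-wide workgroup name would follow an unauthenticated network response; confirm it only sets alt_name, or capture the name before the callback. A short comment stating that assumption, e.g. `/* alternate_name() must only fill alt_name; name stays the configured workgroup */`, would make the invariant explicit. init_domain_list continues outside the hunk.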