summaryrefslogtreecommitdiff
path: root/source3/nsswitch
diff options
context:
space:
mode:
Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/winbindd_cache.c6
-rw-r--r--source3/nsswitch/winbindd_cm.c46
2 files changed, 41 insertions, 11 deletions
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index 877fa2d995..bbd98a620f 100644
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -363,6 +363,12 @@ static void refresh_sequence_number(struct winbindd_domain *domain, BOOL force)
if ( NT_STATUS_IS_OK(status) )
goto done;
+ /* important! make sure that we know if this is a native
+ mode domain or not */
+
+ if ( !domain->initialized )
+ set_dc_type_and_flags( domain );
+
status = domain->backend->sequence_number(domain, &domain->sequence_number);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index eda962088d..04f87fc1a2 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -117,21 +117,40 @@ static void cm_get_ipc_userpass(char **username, char **domain, char **password)
/*
setup for schannel on any pipes opened on this connection
*/
-static NTSTATUS setup_schannel(struct cli_state *cli)
+static NTSTATUS setup_schannel( struct cli_state *cli, const char *domain )
{
NTSTATUS ret;
uchar trust_password[16];
uint32 sec_channel_type;
+ DOM_SID sid;
+ time_t lct;
- if (!secrets_fetch_trust_account_password(lp_workgroup(),
- trust_password,
- NULL, &sec_channel_type)) {
- return NT_STATUS_UNSUCCESSFUL;
+ /* use the domain trust password if we're on a DC
+ and this is not our domain */
+
+ if ( IS_DC && !strequal(domain, lp_workgroup()) ) {
+ char *pass = NULL;
+
+ if ( !secrets_fetch_trusted_domain_password( domain,
+ &pass, &sid, &lct) )
+ {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ sec_channel_type = SEC_CHAN_DOMAIN;
+ E_md4hash(pass, trust_password);
+ SAFE_FREE( pass );
+
+ } else {
+ if (!secrets_fetch_trust_account_password(lp_workgroup(),
+ trust_password, NULL, &sec_channel_type))
+ {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
}
ret = cli_nt_setup_netsec(cli, sec_channel_type,
- AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN,
- trust_password);
+ AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN, trust_password);
return ret;
}
@@ -216,7 +235,8 @@ static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const i
/* Initialise SMB connection */
fstrcpy(new_conn->pipe_name, get_pipe_name_from_index(pipe_index));
-/* grab stored passwords */
+ /* grab stored passwords */
+
machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(), lp_realm()) == -1) {
@@ -335,9 +355,13 @@ static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const i
/* try and use schannel if possible, but continue anyway if it
failed. This allows existing setups to continue working,
while solving the win2003 '100 user' limit for systems that
- are joined properly */
- if (NT_STATUS_IS_OK(result) && (domain->primary)) {
- NTSTATUS status = setup_schannel(new_conn->cli);
+ are joined properly.
+
+ Only do this for our own domain or perhaps a trusted domain
+ if we are on a Samba DC */
+
+ if (NT_STATUS_IS_OK(result) && (domain->primary || IS_DC) ) {
+ NTSTATUS status = setup_schannel( new_conn->cli, domain->name );
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3,("schannel refused - continuing without schannel (%s)\n",
nt_errstr(status)));