summaryrefslogtreecommitdiff
path: root/source3/nsswitch
diff options
context:
space:
mode:
Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/winbindd_ads.c6
-rw-r--r--source3/nsswitch/winbindd_cm.c12
-rw-r--r--source3/nsswitch/winbindd_misc.c16
-rw-r--r--source3/nsswitch/winbindd_util.c35
4 files changed, 54 insertions, 15 deletions
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 41dffc3ab6..7c360bf156 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -945,6 +945,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
struct cli_state *cli = NULL;
/* i think we only need our forest and downlevel trusted domains */
uint32 flags = DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND;
+ char *contact_domain_name;
DEBUG(3,("ads: trusted_domains\n"));
@@ -953,9 +954,10 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
*names = NULL;
*dom_sids = NULL;
- if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(domain->name, PI_NETLOGON, &cli)) ) {
+ contact_domain_name = *domain->alt_name ? domain->alt_name : domain->name;
+ if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(contact_domain_name, PI_NETLOGON, &cli)) ) {
DEBUG(5, ("trusted_domains: Could not open a connection to %s for PIPE_NETLOGON (%s)\n",
- domain->name, nt_errstr(result)));
+ contact_domain_name, nt_errstr(result)));
return NT_STATUS_UNSUCCESSFUL;
}
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index d3d178df67..8513a46f8f 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -573,6 +573,7 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
struct winbindd_cm_conn *conn;
fstring lock_name;
BOOL got_mutex;
+ struct winbindd_domain *wb_domain = NULL;
if (!cli)
return NT_STATUS_INVALID_PARAMETER;
@@ -614,6 +615,17 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
if ( sec_channel_type == SEC_CHAN_DOMAIN )
fstr_sprintf(conn->cli->mach_acct, "%s$", lp_workgroup());
+ /* we need the short form of the domain name for the schanel
+ rpc bind. What if we fail? I don't think we should ever get
+ a request for a domain name not in our list but I'm not bailing
+ out if we do since I'm not 10% certain about this --jerry */
+
+ if ( (wb_domain = find_domain_from_name( domain )) != NULL ) {
+ DEBUG(5,("cm_get_netlogon_cli: Using short for of domain name [%s] for netlogon rpc bind\n",
+ wb_domain->name));
+ fstrcpy( conn->cli->domain, wb_domain->name);
+ }
+
result = cli_nt_establish_netlogon(conn->cli, sec_channel_type, trust_passwd);
if (got_mutex)
diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c
index c12fe4517e..88fbb5ee00 100644
--- a/source3/nsswitch/winbindd_misc.c
+++ b/source3/nsswitch/winbindd_misc.c
@@ -35,6 +35,8 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
int num_retries = 0;
struct cli_state *cli;
uint32 sec_channel_type;
+ const char *contact_domain_name = NULL;
+
DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid));
/* Get trust account password */
@@ -46,11 +48,21 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
goto done;
}
+
+ /* use the realm name if appropriate and possible */
+
+ if ( lp_security() == SEC_ADS )
+ contact_domain_name = lp_realm();
+
+ if ( !contact_domain_name || !*contact_domain_name )
+ contact_domain_name = lp_workgroup();
+
/* This call does a cli_nt_setup_creds() which implicitly checks
the trust account password. */
-
/* Don't shut this down - it belongs to the connection cache code */
- result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, sec_channel_type, True, &cli);
+
+ result = cm_get_netlogon_cli(contact_domain_name,
+ trust_passwd, sec_channel_type, True, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 63e91670e9..25de4eff71 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -81,6 +81,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
{
struct winbindd_domain *domain;
char *contact_name;
+ const char *alternative_name = NULL;
+
+ /* ignore alt_name if we are not in an AD domain */
+
+ if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
+ alternative_name = alt_name;
+ }
/* We can't call domain_list() as this function is called from
init_domain_list() and we'll get stuck in a loop. */
@@ -89,9 +96,9 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
strcasecmp(domain_name, domain->alt_name) == 0) {
return domain;
}
- if (alt_name && *alt_name) {
- if (strcasecmp(alt_name, domain->name) == 0 ||
- strcasecmp(alt_name, domain->alt_name) == 0) {
+ if (alternative_name && *alternative_name) {
+ if (strcasecmp(alternative_name, domain->name) == 0 ||
+ strcasecmp(alternative_name, domain->alt_name) == 0) {
return domain;
}
}
@@ -108,13 +115,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
ZERO_STRUCTP(domain);
/* prioritise the short name */
- if (strchr_m(domain_name, '.') && alt_name && *alt_name) {
- fstrcpy(domain->name, alt_name);
+ if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
+ fstrcpy(domain->name, alternative_name);
fstrcpy(domain->alt_name, domain_name);
} else {
fstrcpy(domain->name, domain_name);
- if (alt_name) {
- fstrcpy(domain->alt_name, alt_name);
+ if (alternative_name) {
+ fstrcpy(domain->alt_name, alternative_name);
}
}
@@ -261,17 +268,23 @@ BOOL init_domain_list(void)
/* Add ourselves as the first entry */
- domain = add_trusted_domain( lp_workgroup(), NULL, &cache_methods, NULL);
+ domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL);
+
+ /* get any alternate name for the primary domain */
+
+ cache_methods.alternate_name(domain);
+
+ /* now we have the correct netbios (short) domain name */
+ if ( *domain->name )
+ set_global_myworkgroup( domain->name );
+
if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
DEBUG(1, ("Could not fetch sid for our domain %s\n",
domain->name));
return False;
}
- /* get any alternate name for the primary domain */
- cache_methods.alternate_name(domain);
-
/* do an initial scan for trusted domains */
add_trusted_domains(domain);