From 0382d3c26b004ff4f850e6d683fccc3c55f77641 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 6 Mar 2006 20:18:18 +0000 Subject: r13895: As agreed upon with gd on the phone, remove WBFLAG_PAM_CONTACT_TRUSTDOM. This can not work for NTLM auth, where we only have a workstation account for our own domain. For the PAM Kerberos login we need to find a better way to do this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf. Volker (This used to be commit bf7c608147bcbbedd89b3dcd24a929ea3e601bc8) --- source3/nsswitch/pam_winbind.c | 6 +++--- source3/nsswitch/winbindd_pam.c | 12 ------------ 2 files changed, 3 insertions(+), 15 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index 35f0efbcbd..df5fc11d3e 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -321,7 +321,7 @@ static int winbind_auth_request(pam_handle_t * pamh, request.data.auth.krb5_cc_type[0] = '\0'; request.data.auth.uid = -1; - request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM; + request.flags = WBFLAG_PAM_INFO3_TEXT; if (ctrl & WINBIND_KRB5_AUTH) { @@ -498,7 +498,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh, } if (ctrl & WINBIND_KRB5_AUTH) { - request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM; + request.flags = WBFLAG_PAM_KRB5; } ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_CHAUTHTOK, &request, &response, user); @@ -1098,7 +1098,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags, } request.data.logoff.uid = pwd->pw_uid; - request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM; + request.flags = WBFLAG_PAM_KRB5; return pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_LOGOFF, &request, &response, user); } diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index aa759af09a..dc8a5c47d9 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -221,18 +221,6 @@ static struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state return NULL; } - /* we can auth against trusted domains */ - if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) { - domain = find_domain_from_name_noinit(domain_name); - if (domain == NULL) { - DEBUG(3, ("Authentication for domain [%s] skipped " - "as it is not a trusted domain\n", - domain_name)); - } else { - return domain; - } - } - return find_our_domain(); } -- cgit