From 0a4f742f0ac7846b4f104f1749095162883038cd Mon Sep 17 00:00:00 2001
From: "Gerald W. Carter"
Date: Thu, 27 Mar 2008 11:57:26 -0500
Subject: Only add WBFLAG_PAM_CONTACT_TRUSTDOM when performing a krb5 auth request. NTLM logons must go against our DC. (This used to be commit 2e24f7c0243c67a00102c11258cfa6f61caf499f)
---
source3/nsswitch/pam_winbind.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'source3')
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 81f5227410..d2aea66bcc 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -1200,9 +1200,13 @@ static int winbind_auth_request(pam_handle_t * pamh,
 request.data.auth.krb5_cc_type[0] = '\0';
 request.data.auth.uid = -1;
- request.flags = WBFLAG_PAM_INFO3_TEXT |
- WBFLAG_PAM_GET_PWD_POLICY |
- WBFLAG_PAM_CONTACT_TRUSTDOM;
+ request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_GET_PWD_POLICY;
+
+ /* Krb5 auth always has to go against the KDC of the user's realm */
+
+ if (ctrl & WINBIND_KRB5_AUTH) {
+ request.flags |= WBFLAG_PAM_CONTACT_TRUSTDOM;
+ }
 if (ctrl & (WINBIND_KRB5_AUTH|WINBIND_CACHED_LOGIN)) {
 struct passwd *pwd = NULL;
-- cgit
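Review bot: The comment added above `if (ctrl & WINBIND_KRB5_AUTH)` records only the krb5 half of the rule; the reason NTLM requests must no longer carry WBFLAG_PAM_CONTACT_TRUSTDOM lives only in the commit message, so a later edit could fold the flag back into the unconditional assignment without noticing. I would word it as `/* Krb5 auth has to go against the KDC of the user's realm; NTLM logons must go against our own DC, so only krb5 requests set CONTACT_TRUSTDOM */`. The flag is also keyed on the method requested in `ctrl`, not on the method finally used: if winbindd falls back to an NTLM logon when the krb5 attempt fails (not visible in this hunk), that fallback would presumably still be routed to the trusted domain, which is worth confirming on the daemon side. winbind_auth_request starts and ends outside the hunk.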