From 4b5257b5b09d2490b2f4dc48e2181fde2a67cb5f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 8 Aug 2003 23:53:13 +0000 Subject: fix 2 bugs: 1) don't ask trusted DC's for a list of trusted domains. This causes us to treat non-transitive ones as if they were transitive. Not needed anyways 2) Fix dc lookup bug where we would always try to use DNS to resolve the DC's for a domain (even if it was a trusted NT4 domain). (This used to be commit 4d3acce5066d3adf53ee8fbaa627c42523b3cbc3) --- source3/libsmb/namequery_dc.c | 16 +++++++++-- source3/nsswitch/winbindd.c | 8 +++++- source3/nsswitch/winbindd_util.c | 61 +++++++++++++++++++--------------------- 3 files changed, 49 insertions(+), 36 deletions(-) (limited to 'source3') diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c index c9d45a7acc..a596f00ddb 100644 --- a/source3/libsmb/namequery_dc.c +++ b/source3/libsmb/namequery_dc.c @@ -161,18 +161,28 @@ BOOL get_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out) { struct in_addr dc_ip; BOOL ret; + BOOL our_domain = False; zero_ip(&dc_ip); ret = False; - if (lp_security() == SEC_ADS) + + if ( strequal(lp_workgroup(), domain) || strequal(lp_realm(), domain) ) + our_domain = True; + + /* always try to obey what the admin specified in smb.conf. + If it is not our domain, assume that domain names with periods + in them are realm names */ + + if ( (our_domain && lp_security()==SEC_ADS) || strchr_m(domain, '.') ) { ret = ads_dc_name(domain, &dc_ip, srv_name); - + } + if (!ret) { /* fall back on rpc methods if the ADS methods fail */ ret = rpc_dc_name(domain, srv_name, &dc_ip); } - + *ip_out = dc_ip; return ret; diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index 8345fa11d0..313161f5fa 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c @@ -570,9 +570,15 @@ static void process_loop(void) message_dispatch(); - /* rescan the trusted domains list. This must be done +#if 0 + /* not needed any more since we use a single RPC to + get transitive trusts --jerry + + rescan the trusted domains list. This must be done regularly to cope with transitive trusts */ + rescan_trusted_domains(False); +#endif /* Free up temporary memory */ diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index a810e503a0..79588477ba 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -80,6 +80,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const DOM_SID *sid) { struct winbindd_domain *domain; + char *contact_name; /* We can't call domain_list() as this function is called from init_domain_list() and we'll get stuck in a loop. */ @@ -125,10 +126,12 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const sid_copy(&domain->sid, sid); } - /* see if this is a native mode win2k domain */ + /* see if this is a native mode win2k domain (use realm name if possible) */ - domain->native_mode = cm_check_for_native_mode_win2k( domain_name ); - DEBUG(3,("add_trusted_domain: %s is a %s mode domain\n", domain_name, + contact_name = *domain->alt_name ? domain->alt_name : domain->name; + domain->native_mode = cm_check_for_native_mode_win2k( contact_name ); + + DEBUG(3,("add_trusted_domain: %s is a %s mode domain\n", contact_name, domain->native_mode ? "native" : "mixed (or NT4)" )); /* Link to domain list */ @@ -145,53 +148,45 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const /* rescan our domains looking for new trusted domains */ -void rescan_trusted_domains(BOOL force) +void add_trusted_domains( struct winbindd_domain *domain ) { - struct winbindd_domain *domain; TALLOC_CTX *mem_ctx; - static time_t last_scan; - time_t t = time(NULL); + NTSTATUS result; + time_t t; + char **names; + char **alt_names; + int num_domains = 0; + DOM_SID *dom_sids, null_sid; + int i; + struct winbindd_domain *new_domain; /* trusted domains might be disabled */ if (!lp_allow_trusted_domains()) { return; } - /* Only rescan every few minutes but force if necessary */ - - if (((unsigned)(t - last_scan) < WINBINDD_RESCAN_FREQ) && !force) - return; - - last_scan = t; - DEBUG(1, ("scanning trusted domain list\n")); if (!(mem_ctx = talloc_init("init_domain_list"))) return; + + ZERO_STRUCTP(&null_sid); - for (domain = _domain_list; domain; domain = domain->next) { - NTSTATUS result; - char **names; - char **alt_names; - int num_domains = 0; - DOM_SID *dom_sids, null_sid; - int i; - struct winbindd_domain *new_domain; + t = time(NULL); + + /* ask the DC what domains it trusts */ + + result = domain->methods->trusted_domains(domain, mem_ctx, &num_domains, + &names, &alt_names, &dom_sids); - ZERO_STRUCTP(&null_sid); - - result = domain->methods->trusted_domains(domain, mem_ctx, &num_domains, - &names, &alt_names, &dom_sids); - if (!NT_STATUS_IS_OK(result)) { - continue; - } + if ( NT_STATUS_IS_OK(result) ) { /* Add each domain to the trusted domain list */ for(i = 0; i < num_domains; i++) { DEBUG(10,("Found domain %s\n", names[i])); add_trusted_domain(names[i], alt_names?alt_names[i]:NULL, - domain->methods, &dom_sids[i]); + domain->methods, &dom_sids[i]); /* if the SID was empty, we better set it now */ @@ -212,7 +207,7 @@ void rescan_trusted_domains(BOOL force) result = domain->methods->domain_sid( new_domain, &new_domain->sid ); if ( NT_STATUS_IS_OK(result) ) - sid_copy( &dom_sids[i], &domain->sid ); + sid_copy( &dom_sids[i], &new_domain->sid ); } /* store trusted domain in the cache */ @@ -234,7 +229,9 @@ BOOL init_domain_list(void) free_domain_list(); /* Add ourselves as the first entry */ + domain = add_trusted_domain( lp_workgroup(), NULL, &cache_methods, NULL); + if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) { DEBUG(1, ("Could not fetch sid for our domain %s\n", domain->name)); @@ -245,7 +242,7 @@ BOOL init_domain_list(void) cache_methods.alternate_name(domain); /* do an initial scan for trusted domains */ - rescan_trusted_domains(True); + add_trusted_domains(domain); return True; } -- cgit