source/include/proto.h | 2 +-
source/passdb/passdb.c | 32 ++++++++++++++++++++++++--------
source/winbindd/winbindd_cm.c | 2 +-
3 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/source/include/proto.h b/source/include/proto.h
index 3d72022..f85b667 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -6271,7 +6271,7 @@ bool pdb_copy_sam_account(struct samu *dst, struct samu *src );
 bool pdb_update_bad_password_count(struct samu *sampass, bool *updated);
 bool pdb_update_autolock_flag(struct samu *sampass, bool *updated);
 bool pdb_increment_bad_password_count(struct samu *sampass);
-bool is_trusted_domain_situation(const char *domain_name);
+bool is_dc_trusted_domain_situation(const char *domain_name);
 bool get_trust_pw_clear(const char *domain, char **ret_pwd,
 const char **account_name, uint32 *channel);
 bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
index e3a3d3c..a670b46 100644
--- a/source/passdb/passdb.c
+++ b/source/passdb/passdb.c
@@ -1517,11 +1517,9 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
 return True;
 }
 
-bool is_trusted_domain_situation(const char *domain_name)
+bool is_dc_trusted_domain_situation(const char *domain_name)
 {
- return IS_DC &&
- lp_allow_trusted_domains() &&
- !strequal(domain_name, lp_workgroup());
+ return IS_DC && !strequal(domain_name, lp_workgroup());
 }
 
 /*******************************************************************
@@ -1539,7 +1537,11 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
 
 /* if we are a DC and this is not our domain, then lookup an account
 * for the domain trust */
 
- if (is_trusted_domain_situation(domain)) {
+ if (is_dc_trusted_domain_situation(domain)) {
+ if (!lp_allow_trusted_domains()) {
+ return false;
+ }
+
 if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
 &last_set_time)) {
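Review bot: The rewritten predicate no longer consults lp_allow_trusted_domains(), so the callers that did not add their own check — get_trust_pw_hash in the last passdb.c hunk and cm_prepare_connection in winbindd_cm.c — now treat a DC asked about a foreign domain as a trust situation even when trusted domains are disabled; only get_trust_pw_clear compensates. For get_trust_pw_hash the net effect is that such a request is refused instead of falling back to the local machine password, which looks intended, but in winbindd the branch guarded by the negated call is now skipped in that configuration, and nothing on this page says whether that is deliberate. Since the new name encodes the contract, state it at the definition: `/* True iff we are a DC and domain_name is not our own workgroup. Deliberately does NOT check "allow trusted domains"; callers that need that policy must apply it themselves. */`.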
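Review bot: The new early return refuses the trust-password lookup silently, and the context comment just above it still reads `lookup an account for the domain trust` without mentioning the refusal, so an operator with `allow trusted domains = no` only sees a generic failure from the caller. Extend the comment to `/* if we are a DC and this is not our domain, then lookup an account for the domain trust -- unless trusted domains are disabled, in which case refuse */` and consider logging at the return, e.g. `DEBUG(10, ("get_trust_pw_clear: trusted domains disabled, refusing lookup for %s\n", domain));`. get_trust_pw_clear starts and ends outside this hunk.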
@@ -1560,8 +1562,22 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
 return true;
 }
 
- /* Here we are a domain member server. We can only be a member
- of one domain so ignore the request domain and assume our own */
+ /*
+ * Since we can only be member of one single domain, we are now
+ * in a member situation:
+ *
+ * - Either we are a DC (selfjoined) and the domain is our
+ * own domain.
+ * - Or we are on a member and the domain is our own or some
+ * other (potentially trusted) domain.
+ *
+ * In both cases, we can only get the machine account password
+ * for our own domain to connect to our own dc. (For a member,
+ * request to trusted domains are performed through our dc.)
+ *
+ * So we simply use our own domain name to retrieve the
+ * machine account passowrd and ignore the request domain here.
+ */
 
 pwd = secrets_fetch_machine_password(lp_workgroup(),
 &last_set_time, channel);
@@ -1594,7 +1610,7 @@ bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
 E_md4hash(pwd, ret_pwd);
 SAFE_FREE(pwd);
 return true;
- } else if (is_trusted_domain_situation(domain)) {
+ } else if (is_dc_trusted_domain_situation(domain)) {
 return false;
 }
 
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 2ee0fae..a1027ce 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -808,7 +808,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 goto done;
 }
 
- if (!is_trusted_domain_situation(domain->name) &&
+ if (!is_dc_trusted_domain_situation(domain->name) &&
 (*cli)->protocol >= PROTOCOL_NT1 &&
 (*cli)->capabilities & CAP_EXTENDED_SECURITY) {
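Review bot: The added block comment in the get_trust_pw_clear hunk has two typos and an agreement slip that will otherwise sit in the file indefinitely: `passowrd` should be `password`, `request to trusted domains are performed` should be `requests to trusted domains are performed`, and `we are on a member` reads better as `we are a member`. The comment's substance — that only our own domain's machine password is fetched on this path — agrees with the `lp_workgroup()` argument on the following context line, so no code change is needed. The get_trust_pw_hash hunk below it is a pure rename.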