Attachment 3313 Details for Bug 5451 – combined diff

[patch] combined diff

combined-diff (text/plain), 3.62 KB, created by Michael Adam on 2008-05-26 15:29:59 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Michael Adam

Created: 2008-05-26 15:29:59 UTC

Size: 3.62 KB

patch

obsolete

> source/include/proto.h        |    2 +-
> source/passdb/passdb.c        |   32 ++++++++++++++++++++++++--------
> source/winbindd/winbindd_cm.c |    2 +-
> 3 files changed, 26 insertions(+), 10 deletions(-)
>
>diff --git a/source/include/proto.h b/source/include/proto.h
>index 3d72022..f85b667 100644
>--- a/source/include/proto.h
>+++ b/source/include/proto.h
>@@ -6271,7 +6271,7 @@ bool pdb_copy_sam_account(struct samu *dst, struct samu *src );
> bool pdb_update_bad_password_count(struct samu *sampass, bool *updated);
> bool pdb_update_autolock_flag(struct samu *sampass, bool *updated);
> bool pdb_increment_bad_password_count(struct samu *sampass);
>-bool is_trusted_domain_situation(const char *domain_name);
>+bool is_dc_trusted_domain_situation(const char *domain_name);
> bool get_trust_pw_clear(const char *domain, char **ret_pwd,
> 			const char **account_name, uint32 *channel);
> bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
>diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
>index e3a3d3c..a670b46 100644
>--- a/source/passdb/passdb.c
>+++ b/source/passdb/passdb.c
>@@ -1517,11 +1517,9 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
> 	return True;
> }
> 
>-bool is_trusted_domain_situation(const char *domain_name)
>+bool is_dc_trusted_domain_situation(const char *domain_name)
> {
>-	return IS_DC &&
>-		lp_allow_trusted_domains() &&
>-		!strequal(domain_name, lp_workgroup());
>+	return IS_DC && !strequal(domain_name, lp_workgroup());
> }
> 
> /*******************************************************************
>@@ -1539,7 +1537,11 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
> 	/* if we are a DC and this is not our domain, then lookup an account
> 	 * for the domain trust */
> 
>-	if (is_trusted_domain_situation(domain)) {
>+	if (is_dc_trusted_domain_situation(domain)) {
>+		if (!lp_allow_trusted_domains()) {
>+			return false;
>+		}
>+
> 		if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
> 					   &last_set_time))
> 		{
>@@ -1560,8 +1562,22 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
> 		return true;
> 	}
> 
>-	/* Here we are a domain member server.  We can only be a member
>-	   of one domain so ignore the request domain and assume our own */
>+	/*
>+	 * Since we can only be member of one single domain, we are now
>+	 * in a member situation:
>+	 *
>+	 *  -  Either we are a DC (selfjoined) and the domain is our
>+	 *     own domain.
>+	 *  -  Or we are on a member and the domain is our own or some
>+	 *     other (potentially trusted) domain.
>+	 *
>+	 * In both cases, we can only get the machine account password
>+	 * for our own domain to connect to our own dc. (For a member,
>+	 * request to trusted domains are performed through our dc.)
>+	 *
>+	 * So we simply use our own domain name to retrieve the
>+	 * machine account passowrd and ignore the request domain here.
>+	 */
> 
> 	pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, channel);
> 
>@@ -1594,7 +1610,7 @@ bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
> 		E_md4hash(pwd, ret_pwd);
> 		SAFE_FREE(pwd);
> 		return true;
>-	} else if (is_trusted_domain_situation(domain)) {
>+	} else if (is_dc_trusted_domain_situation(domain)) {
> 		return false;
> 	}
> 
>diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
>index 2ee0fae..a1027ce 100644
>--- a/source/winbindd/winbindd_cm.c
>+++ b/source/winbindd/winbindd_cm.c
>@@ -808,7 +808,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
> 		goto done;
> 	}
> 
>-	if (!is_trusted_domain_situation(domain->name) &&
>+	if (!is_dc_trusted_domain_situation(domain->name) &&
> 	    (*cli)->protocol >= PROTOCOL_NT1 &&
> 	    (*cli)->capabilities & CAP_EXTENDED_SECURITY)
> 	{

Actions: View

Attachments on bug 5451: 3281 | 3313