The Samba-Bugzilla – Attachment 3313 Details for
Bug 5451
get_trust_creds() returns incorrect credentials when connecting to a trusted domain
[patch]
combined diff
combined-diff (text/plain), 3.62 KB, created by
Michael Adam
on 2008-05-26 15:29:59 UTC
> source/include/proto.h | 2 +- > source/passdb/passdb.c | 32 ++++++++++++++++++++++++-------- > source/winbindd/winbindd_cm.c | 2 +- > 3 files changed, 26 insertions(+), 10 deletions(-) > >diff --git a/source/include/proto.h b/source/include/proto.h >index 3d72022..f85b667 100644 >--- a/source/include/proto.h >+++ b/source/include/proto.h >@@ -6271,7 +6271,7 @@ bool pdb_copy_sam_account(struct samu *dst, struct samu *src ); > bool pdb_update_bad_password_count(struct samu *sampass, bool *updated); > bool pdb_update_autolock_flag(struct samu *sampass, bool *updated); > bool pdb_increment_bad_password_count(struct samu *sampass); >-bool is_trusted_domain_situation(const char *domain_name); >+bool is_dc_trusted_domain_situation(const char *domain_name); > bool get_trust_pw_clear(const char *domain, char **ret_pwd, > const char **account_name, uint32 *channel); > bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16], >diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c >index e3a3d3c..a670b46 100644 >--- a/source/passdb/passdb.c >+++ b/source/passdb/passdb.c >@@ -1517,11 +1517,9 @@ bool pdb_increment_bad_password_count(struct samu *sampass) > return True; > } > >-bool is_trusted_domain_situation(const char *domain_name) >+bool is_dc_trusted_domain_situation(const char *domain_name) > { >- return IS_DC && >- lp_allow_trusted_domains() && >- !strequal(domain_name, lp_workgroup()); >+ return IS_DC && !strequal(domain_name, lp_workgroup()); > } > > /******************************************************************* >@@ -1539,7 +1537,11 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd, > /* if we are a DC and this is not our domain, then lookup an account > * for the domain trust */ > >- if (is_trusted_domain_situation(domain)) { >+ if (is_dc_trusted_domain_situation(domain)) { >+ if (!lp_allow_trusted_domains()) { >+ return false; >+ } >+ > if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL, > &last_set_time)) > { 
>@@ -1560,8 +1562,22 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd, > return true; > } > >- /* Here we are a domain member server. We can only be a member >- of one domain so ignore the request domain and assume our own */ >+ /* >+ * Since we can only be member of one single domain, we are now >+ * in a member situation: >+ * >+ * - Either we are a DC (selfjoined) and the domain is our >+ * own domain. >+ * - Or we are on a member and the domain is our own or some >+ * other (potentially trusted) domain. >+ * >+ * In both cases, we can only get the machine account password >+ * for our own domain to connect to our own dc. (For a member, >+ * request to trusted domains are performed through our dc.) >+ * >+ * So we simply use our own domain name to retrieve the >+ * machine account passowrd and ignore the request domain here. >+ */ > > pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, channel); > >@@ -1594,7 +1610,7 @@ bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16], > E_md4hash(pwd, ret_pwd); > SAFE_FREE(pwd); > return true; >- } else if (is_trusted_domain_situation(domain)) { >+ } else if (is_dc_trusted_domain_situation(domain)) { > return false; > } > >diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c >index 2ee0fae..a1027ce 100644 >--- a/source/winbindd/winbindd_cm.c >+++ b/source/winbindd/winbindd_cm.c >@@ -808,7 +808,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain, > goto done; > } > >- if (!is_trusted_domain_situation(domain->name) && >+ if (!is_dc_trusted_domain_situation(domain->name) && > (*cli)->protocol >= PROTOCOL_NT1 && > (*cli)->capabilities & CAP_EXTENDED_SECURITY) > {
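Review bot: In the passdb.c hunk at -1517, the renamed is_dc_trusted_domain_situation() no longer checks lp_allow_trusted_domains(), and nothing above the function documents that callers now own that check. Of the call sites touched in this patch, only get_trust_pw_clear() adds it back. A short comment on the function stating that it only answers "we are a DC and the domain is not our own" would keep later callers from assuming the old semantics.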
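Review bot: The new early return in get_trust_pw_clear() (hunk at -1539), `if (!lp_allow_trusted_domains()) { return false; }`, fails without logging anything, so a DC with trusted domains disabled gives no hint why the trust credential lookup was refused. Add a DEBUG message naming the requested domain before the return. The return also happens before any output parameter is written, so it is worth stating in the function comment that ret_pwd, account_name and channel are only valid when the function returns true.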
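Review bot: The comment block added before secrets_fetch_machine_password() (hunk at -1560) has two wording slips: "passowrd" should be "password", and "request to trusted domains are performed" should read "requests to trusted domains are performed". The comment also states that the requested domain is ignored on this path; that deserves a line in the function's header comment as well, because a caller passing another domain's name still receives the machine account password of lp_workgroup().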
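Review bot: In get_trust_pw_hash() (hunk at -1594), the branch `else if (is_dc_trusted_domain_situation(domain))` now returns false for every foreign domain on a DC, including the case where lp_allow_trusted_domains() is off. With the old predicate that case evaluated to false and execution fell through to the code after the branch. If refusing here is the intended fix, say so in a comment at the branch, since the change otherwise reads as a plain rename.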
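Review bot: In cm_prepare_connection() (winbindd_cm.c hunk at -808), the condition `!is_dc_trusted_domain_situation(domain->name)` changes meaning for a DC that has trusted domains disabled. The old predicate was false in that configuration, so the block guarded by the PROTOCOL_NT1 and CAP_EXTENDED_SECURITY checks was entered for a foreign domain; with the new predicate it is skipped. Please confirm this is intended and note it next to the condition, or add an explicit lp_allow_trusted_domains() test here if the previous behaviour should be kept.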