author | Stefan Metzmacher <metze@samba.org> | 2014-12-16 15:57:49 +0000 |
committer | Stefan Metzmacher <metze@samba.org> | 2014-12-19 13:15:13 +0100 |
commit | 05eb7b52cd7ebcb5bfc873e388c745f8e958c994 (patch) | |
tree | 4ed481f201af582da626d800fc48c23e01ceee5e | |
parent | 7387678ff518a394d9f837561987af0e90464d6c (diff) | |
download | samba-05eb7b52cd7ebcb5bfc873e388c745f8e958c994.tar.gz |
s3:pdb_samba_dsdb: use SEC_CHAN_DNS_DOMAIN in pdb_samba_dsdb_get_trusteddom_creds()
If both ends have a dns domain, we can use SEC_CHAN_DNS_DOMAIN in order to match
a Windows DC.
For Kerberos we still need to use MY_NETBIOS_DOMAIN$@REMOTE_REALM.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source3/passdb/pdb_samba_dsdb.c | 39 |
1 files changed, 33 insertions, 6 deletions
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 638a4a290f1..bbedd88523e 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -2296,8 +2296,10 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 	bool ok;
 	const char *my_netbios_name = NULL;
 	const char *my_netbios_domain = NULL;
+	const char *my_dns_domain = NULL;
 	const char *netbios_domain = NULL;
 	char *account_name = NULL;
+	char *principal_name = NULL;
 	const char *dns_domain = NULL;
 
 	status = sam_get_results_trust(state->ldb, tmp_ctx, domain,
@@ -2389,6 +2391,7 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 
 	my_netbios_name = lpcfg_netbios_name(state->lp_ctx);
 	my_netbios_domain = lpcfg_workgroup(state->lp_ctx);
+	my_dns_domain = lpcfg_dnsdomain(state->lp_ctx);
 
 	creds = cli_credentials_init(tmp_ctx);
 	if (creds == NULL) {
@@ -2413,12 +2416,27 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DOMAIN);
-
-	account_name = talloc_asprintf(tmp_ctx, "%s$", my_netbios_domain);
-	if (account_name == NULL) {
-		TALLOC_FREE(tmp_ctx);
-		return NT_STATUS_NO_MEMORY;
+	if (my_dns_domain != NULL && dns_domain != NULL) {
+		cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DNS_DOMAIN);
+		account_name = talloc_asprintf(tmp_ctx, "%s.", my_dns_domain);
+		if (account_name == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+		principal_name = talloc_asprintf(tmp_ctx, "%s$@%s", my_netbios_domain,
+						 cli_credentials_get_realm(creds));
+		if (principal_name == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+	} else {
+		cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DOMAIN);
+		account_name = talloc_asprintf(tmp_ctx, "%s$", my_netbios_domain);
+		if (account_name == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+		principal_name = NULL;
 	}
 
 	ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
@@ -2427,6 +2445,15 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	if (principal_name != NULL) {
+		ok = cli_credentials_set_principal(creds, principal_name,
+						   CRED_SPECIFIED);
+		if (!ok) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
 	if (password_nt.length == 16) {
 		struct samr_Password nt_hash;
 
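Review bot: In the SEC_CHAN_DNS_DOMAIN branch the principal is formatted from `cli_credentials_get_realm(creds)` without checking the result, and nothing in this hunk shows the realm being set on `creds` (presumably it happens earlier in the function, outside the hunk); a NULL realm would be passed to a `%s` conversion and, if it survived, yield a principal with an empty realm that Kerberos would silently fail on. Fetch it first and fail explicitly: `const char *realm = cli_credentials_get_realm(creds);` followed by `if (realm == NULL) { TALLOC_FREE(tmp_ctx); return NT_STATUS_INTERNAL_ERROR; }`, then use `realm` in the `talloc_asprintf`. Relatedly, the branch is selected on `my_dns_domain != NULL && dns_domain != NULL`; if `lpcfg_dnsdomain()` or the trust lookup can hand back an empty string rather than NULL for an unconfigured realm (not verifiable from the hunk), the DNS path would be taken with an account name of just `"."`, so an additional `[0] != '\0'` test on both values would be safer. A short comment on the `principal_name` assignment would also help the next reader, e.g. `/* Kerberos still expects NETBIOS_DOMAIN$@REMOTE_REALM even when the secure channel uses the DNS domain form. */`. pdb_samba_dsdb_get_trusteddom_creds() begins and ends outside this hunk.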