Diffstat (limited to 'source/nsswitch/winbindd_pam.c')
-rw-r--r-- | source/nsswitch/winbindd_pam.c | 51 |
1 files changed, 48 insertions, 3 deletions
diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c
index 3ae7692c127..1eb2659905b 100644
--- a/source/nsswitch/winbindd_pam.c
+++ b/source/nsswitch/winbindd_pam.c
@@ -6,7 +6,7 @@
 Copyright (C) Andrew Tridgell 2000
 Copyright (C) Tim Potter 2001
 Copyright (C) Andrew Bartlett 2001-2002
- Copyright (C) Guenther Deschner 2005
+ Copyright (C) Guenther Deschner 2005-2006
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -221,6 +221,44 @@ static struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state
 return NULL;
 }
+ if (strequal(domain_name, lp_workgroup())) {
+ return find_our_domain();
+ }
+
+#ifdef HAVE_ADS
+
+ /* when trying to login using krb5 with a trusted domain account, we
+ * need to make sure that our and the remote domain are AD */
+
+ if ((state->request.flags & WBFLAG_PAM_KRB5) &&
+ (lp_security() == SEC_ADS)) {
+
+ struct winbindd_domain *our_domain = find_our_domain();
+
+ if (!our_domain->active_directory) {
+ DEBUG(3,("find_auth_domain: out domain is not AD\n"));
+ return NULL;
+ }
+
+ if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) {
+ return NULL;
+ }
+
+ /* do we already know it's AD ? */
+ if (domain->active_directory) {
+ return domain;
+ }
+
+ set_dc_type_and_flags(domain);
+
+ if (!domain->active_directory) {
+ DEBUG(3,("find_auth_domain: remote domain is not AD\n"));
+ return NULL;
+ }
+
+ return domain;
+ }
+#endif
 return find_our_domain();
 }
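Review bot: The trusted-domain branch added to find_auth_domain tests `domain->active_directory` without consulting `domain->initialized`, so a domain that was already probed and found not to be AD is passed to `set_dc_type_and_flags(domain)` again on every krb5 login attempt; the winbindd_dual_pam_auth_kerberos hunk in this same commit guards that call, and the same guard would fit here: `if (!domain->initialized) { set_dc_type_and_flags(domain); }`. This assumes set_dc_type_and_flags is what marks a domain initialized, which the other hunk suggests but the page does not show. The first DEBUG string says "out domain" and presumably should read `"find_auth_domain: our domain is not AD\n"`, which matters when someone is reading logs to work out why an authentication was refused. `our_domain` is dereferenced immediately after find_our_domain(); if that helper can return NULL (not visible here), a check belongs before `our_domain->active_directory`. The function body starts outside the hunk.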
@@ -897,13 +935,20 @@ NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
 }
 }
- set_dc_type_and_flags(contact_domain);
+ if (contact_domain->initialized &&
+ contact_domain->active_directory) {
+ goto try_login;
+ }
+
+ if (!contact_domain->initialized) {
+ set_dc_type_and_flags(contact_domain);
+ }
 if (!contact_domain->active_directory) {
 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
 return NT_STATUS_INVALID_LOGON_TYPE;
 }
-
+try_login:
 result = winbindd_raw_kerberos_login(contact_domain, state, info3);
 done:
 return result; |
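Review bot: The `goto try_login` added ahead of the Active Directory check is redundant and makes this validation easier to bypass by accident: when `contact_domain->initialized && contact_domain->active_directory` holds, both following `if` blocks are already skipped, so control reaches winbindd_raw_kerberos_login() without the jump. Dropping the first `if` and the `try_login:` label leaves `if (!contact_domain->initialized) { set_dc_type_and_flags(contact_domain); }` followed by the existing `!contact_domain->active_directory` rejection, with the same behaviour. With the label in place, any check later inserted above `try_login:` would silently not apply to domains that are already initialized and AD. The function starts and ends outside the hunk.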