#include "includes.h"
#include "winbindd.h"
+#include "lib/util_unixsids.h"
#include "secrets.h"
#include "../libcli/security/security.h"
#include "../libcli/auth/pam_errors.h"
#include "source4/lib/messaging/messaging.h"
#include "librpc/gen_ndr/ndr_lsa.h"
#include "auth/credentials/credentials.h"
+#include "libsmb/samlogon_cache.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
char *p;
struct winbindd_tdc_domain trust_params = {0};
ptrdiff_t extra_len;
+ bool within_forest = false;
+
+ /*
+ * Only when we enumerate our primary domain
+ * or our forest root domain, we should keep
+ * the NETR_TRUST_FLAG_IN_FOREST flag, in
+ * all other cases we need to clear it as the domain
+ * is not part of our forest.
+ */
+ if (state->domain->primary) {
+ within_forest = true;
+ } else if (domain_is_forest_root(state->domain)) {
+ within_forest = true;
+ }
res = wb_domain_request_recv(req, state, &response, &err);
if ((res == -1) || (response->result != WINBINDD_OK)) {
trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
+ if (!within_forest) {
+ trust_params.trust_flags &= ~NETR_TRUST_FLAG_IN_FOREST;
+ }
+
+ if (!state->domain->primary) {
+ trust_params.trust_flags &= ~NETR_TRUST_FLAG_PRIMARY;
+ }
+
/*
* We always call add_trusted_domain() cause on an existing
* domain structure, it will update the SID if necessary.
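Review bot: The second mask at `if (!state->domain->primary)` clears NETR_TRUST_FLAG_PRIMARY without the kind of why-comment the NETR_TRUST_FLAG_IN_FOREST block above it gets, so a reader has to infer that the flag as received from the trusted DC's view must not survive for anything but our own primary domain; a one-line comment such as `/* Only our own primary domain may keep NETR_TRUST_FLAG_PRIMARY. */` would make the two masks read consistently. The `within_forest` computation is also a two-branch if/else-if that sets the same value in both arms; it reads more directly as `within_forest = state->domain->primary || domain_is_forest_root(state->domain);` with the existing comment kept above it. Both masks operate on `trust_params.trust_flags`, which appears to be filled from the response string by the same unchecked `strtoul(q, NULL, 10)` pattern visible for `trust_attribs`, so a malformed response yields flags of 0 rather than an error; that is pre-existing, but worth knowing when relying on the masked value. The enclosing function begins before this hunk.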
return NULL;
}
-struct winbindd_domain *find_root_domain(void)
-{
- struct winbindd_domain *ours = find_our_domain();
-
- if (ours->forest_name == NULL) {
- return NULL;
- }
-
- return find_domain_from_name( ours->forest_name );
-}
-
-struct winbindd_domain *find_builtin_domain(void)
-{
- struct winbindd_domain *domain;
-
- domain = find_domain_from_sid(&global_sid_Builtin);
- if (domain == NULL) {
- smb_panic("Could not find BUILTIN domain");
- }
-
- return domain;
-}
-
/* Find the appropriate domain to lookup a name or SID */
struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
{
- /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
+ DBG_DEBUG("SID [%s]\n", sid_string_dbg(sid));
+
+ /*
+ * SIDs in the S-1-22-{1,2} domain and well-known SIDs should be handled
+ * by our passdb.
+ */
if ( sid_check_is_in_unix_groups(sid) ||
sid_check_is_unix_groups(sid) ||
sid_check_is_in_unix_users(sid) ||
- sid_check_is_unix_users(sid) )
+ sid_check_is_unix_users(sid) ||
+ sid_check_is_wellknown_domain(sid, NULL) ||
+ sid_check_is_in_wellknown_domain(sid) )
{
return find_domain_from_sid(get_global_sam_sid());
}
* one to contact the external DC's. On member servers the internal
* domains are different: These are part of the local SAM. */
- DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
-
if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
DEBUG(10, ("calling find_domain_from_sid\n"));
return find_domain_from_sid(sid);
return _num_clients;
}
-NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
+NTSTATUS lookup_usergroups_cached(TALLOC_CTX *mem_ctx,
const struct dom_sid *user_sid,
uint32_t *p_num_groups, struct dom_sid **user_sids)
{
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
- if (info3->base.groups.count == 0) {
- TALLOC_FREE(info3);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
/*
* Before bug #7843 the "Domain Local" groups were added with a
* lookupuseraliases call, but this isn't done anymore for our domain
DEBUG(1, ("Could not parse sid %s\n", p));
return false;
}
- if ((q == NULL) || (q[0] != '\n')) {
+ if (q[0] != '\n') {
DEBUG(1, ("Got invalid sidstr: %s\n", p));
return false;
}
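Review bot: Dropping the `q == NULL` guard makes `q[0] != '\n'` depend entirely on the preceding SID parser always setting its end pointer on success, a contract that is not visible in this hunk; if that guarantee holds, it deserves to be stated at the point of reliance, e.g. `/* the parser always sets q on success, so q is non-NULL here */` above the check, so a later change to the parser's failure/endptr semantics does not silently reintroduce a NULL dereference on attacker-influenced input. If the guarantee is only by convention rather than documented on the parser, keeping the cheap NULL check is the safer choice. The enclosing function starts and ends outside this hunk.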