winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non-workstation trusts.
authorStefan Metzmacher <metze@samba.org>
Mon, 15 Jan 2018 12:02:04 +0000 (13:02 +0100)
committerRalph Boehme <slow@samba.org>
Tue, 23 Jan 2018 12:40:35 +0000 (13:40 +0100)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236

Reviewed-by: Ralph Boehme <slow@samba.org>
source3/winbindd/winbindd_msrpc.c

index bc27a39c08f9dc6f28a418d82aa36c37ca48edfe..8cd872dcee89914c2b5e989af591a4e5f650ba3f 100644 (file)
@@ -983,6 +983,24 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
        return status;
 }
 
+static enum lsa_LookupNamesLevel winbindd_lookup_level(
+       struct winbindd_domain *domain)
+{
+       enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
+
+       if (domain->secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
+               /* TODO: is there more logic required? */
+               level = LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2;
+       } else if (domain->secure_channel_type == SEC_CHAN_DOMAIN) {
+               /* TODO: is this correct? */
+               level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
+       } else if (domain->rodc) {
+               level = LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC;
+       }
+
+       return level;
+}
+
 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
                              struct winbindd_domain *domain,
                              uint32_t num_sids,
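Review bot: winbindd_lookup_level() only reads `domain->secure_channel_type` and `domain->rodc`, so the parameter can be `const struct winbindd_domain *domain`, which also documents that choosing the level has no side effect on the domain. The helper carries two open TODOs but no header comment; a comment such as `/* Pick the LSA lookup level for this trust: SEC_CHAN_DNS_DOMAIN -> UPLEVEL_TRUSTS_ONLY2, SEC_CHAN_DOMAIN -> DOMAINS_ONLY, rodc -> RODC_REFERRAL_TO_FULL_DC, anything else keeps LSA_LOOKUP_NAMES_ALL (bug 13236). */` would let a reader see the intended mapping without reading the body. The `rodc` branch is only reached when the channel type is neither of the two trust types; if `rodc` can be set together with one of them the referral level is never chosen, so a one-line comment stating that this ordering is intentional would help. The TODOs would be more useful if they named the open question rather than only asking whether the logic is complete.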
@@ -1013,6 +1031,8 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
                use_lookupsids3 = true;
        }
 
+       level = winbindd_lookup_level(domain);
+
        /*
         * This call can take a long time
         * allow the server to time out.
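Review bot: `level` is assigned in winbindd_lookup_sids here, but neither its declaration nor the call that consumes it is inside the hunk, so the assignment only has an effect if the SID lookup call below passes `level` rather than a literal as winbindd_lookup_names did before this change; worth confirming, since a dead assignment would leave the LookupSids path at LSA_LOOKUP_NAMES_ALL. A short comment at the assignment, `/* LookupSids2/3 take the same lsa_LookupNamesLevel as LookupNames */`, would explain why a LookupNames level is selected in a SID lookup. winbindd_lookup_sids starts before the hunk and continues after it.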
@@ -1076,6 +1096,7 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
        unsigned int orig_timeout = 0;
        bool use_lookupnames4 = false;
        bool retried = false;
+       enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
 
  connect:
        status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
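Review bot: The initializer `LSA_LOOKUP_NAMES_ALL` on the new `level` declaration is overwritten unconditionally by `level = winbindd_lookup_level(domain);` in the next hunk (after the use_lookupnames4 branch), so unless something in the lines between the two hunks reads `level`, the initial value is never observed. That is harmless, but a reader may take the initializer as a meaningful default; either drop it in favour of a plain `enum lsa_LookupNamesLevel level;` or mark it with `/* overwritten on every connection attempt below */`. Because the assignment sits after the `connect:` label, the level is recomputed on each retry, which is fine as it depends only on `domain`. winbindd_lookup_names starts before this hunk and continues past the following ones.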
@@ -1089,6 +1110,8 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
                use_lookupnames4 = true;
        }
 
+       level = winbindd_lookup_level(domain);
+
        /*
         * This call can take a long time
         * allow the server to time out.
@@ -1102,7 +1125,7 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
                                                 num_names,
                                                 (const char **) names,
                                                 domains,
-                                                1,
+                                                level,
                                                 sids,
                                                 types,
                                                 use_lookupnames4,