r13895: As agreed upon with gd on the phone, remove WBFLAG_PAM_CONTACT_TRUSTDOM....
authorVolker Lendecke <vlendec@samba.org>
Mon, 6 Mar 2006 20:18:18 +0000 (20:18 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 16:10:59 +0000 (11:10 -0500)
This cannot work for NTLM auth, where we only have a workstation account for our
own domain. For the PAM Kerberos login we need to find a better way to do
this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf.

Volker

source/nsswitch/pam_winbind.c
source/nsswitch/winbindd_pam.c

index 35f0efbcbdfa6e52a043c4eff02b721474dc880c..df5fc11d3e97ece2be24a75d444629333599b08f 100644 (file)
@@ -321,7 +321,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
        request.data.auth.krb5_cc_type[0] = '\0';
        request.data.auth.uid = -1;
        
-       request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM;
+       request.flags = WBFLAG_PAM_INFO3_TEXT;
 
        if (ctrl & WINBIND_KRB5_AUTH) {
 
@@ -498,7 +498,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh,
        }
 
        if (ctrl & WINBIND_KRB5_AUTH) {
-               request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM;
+               request.flags = WBFLAG_PAM_KRB5;
        }
 
        ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_CHAUTHTOK, &request, &response, user);
@@ -1098,7 +1098,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
                }
                request.data.logoff.uid = pwd->pw_uid;
 
-               request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM;
+               request.flags = WBFLAG_PAM_KRB5;
 
                return pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_LOGOFF, &request, &response, user);
        }
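Review bot: The three `request.flags` assignments (in winbind_auth_request, winbind_chauthtok_request and pam_sm_close_session) drop the trusted-domain flag without recording the limitation the commit message describes, namely that PAM Kerberos login for trusted domains still needs a different mechanism. A short comment at the two `request.flags = WBFLAG_PAM_KRB5;` sites would keep that gap visible, for example `/* FIXME: krb5 login for trusted-domain users needs another mechanism, see r13895 */`. The definition of `WBFLAG_PAM_CONTACT_TRUSTDOM` does not appear to be in either of the two files listed for this commit, so it presumably stays defined while winbindd no longer tests it. Removing the definition or marking it unused in the same change would stop another caller from setting a bit that is silently ignored in an authentication request. All three enclosing functions start and end outside the hunks shown, so how `request` is initialised before these assignments cannot be checked from here.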
index aa759af09aa36e50b579e3351cf9df7c1e4a1a2f..dc8a5c47d99d9529379e2f9106f1c3d3a1f6216e 100644 (file)
@@ -221,18 +221,6 @@ static struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state
                return NULL;
        }
 
-       /* we can auth against trusted domains */
-       if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
-               domain = find_domain_from_name_noinit(domain_name);
-               if (domain == NULL) {
-                       DEBUG(3, ("Authentication for domain [%s] skipped " 
-                                 "as it is not a trusted domain\n", 
-                                 domain_name));
-               } else {
-                       return domain;
-               }
-       }
-
        return find_our_domain();
 }