Forest root trust flags won't overwrite child trust flags

* changed the behavior of winbind_ads.c:trusted_domains() to not overwrite
existing trust information if we're joined to a child domain, and querying the
forest root domain.  Previously if we were joined to a child domain, we'd
request all known trust information from this child domain (our primary domain)
and store it in the tdc.  We'd then request all trust information from our tree
root (to get the forests we transitively trust) and overwrite the existing trust
information we already had from the perspective of the tree root.

* updated several comments and fixed typos
(This used to be commit 6aac972d790ad5ca65096cb2e85e6819b60a5413)

diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 0900d5698737ee535fb6babdd090b88713ae6c62..ae8ad9dd1a868edf2ebc7e62886d0a92597ff42c 100644 (file)
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -1249,32 +1249,55 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
                        fstrcpy( d.alt_name, trusts.array[i].dns_name);
                        sid_copy( &d.sid, trusts.array[i].sid);
 
                        fstrcpy( d.alt_name, trusts.array[i].dns_name);
                        sid_copy( &d.sid, trusts.array[i].sid);
 

-                       /* This gets a little tricky.  If we are
-                          following a transitive forest trust, then
-                          innerit the flags, type, and attrins from
-                          the domain we queried to make sure we don't
-                          record the view of the trust from the wrong
-                          side.  Always view it from the side of our
-                          primary domain.   --jerry */
-                       if ( domain->primary ||
-                            ((domain->domain_flags&fr_flags) == fr_flags) ) 
-                       {
-                               DEBUG(10,("trusted_domains(ads):  Storing trust "
-                                         "flags for domain %s\n", d.alt_name));
-
-                               /* Look this up in cache to make sure
-                                  we have the current trust flags and
-                                  attributes */
+                       if ( domain->primary ) {
+                               DEBUG(10,("trusted_domains(ads):  Searching "
+                                         "trusted domain list of %s and storing "
+                                         "trust flags for domain %s\n", 
+                                         domain->name, d.alt_name));

 
                                d.domain_flags = trusts.array[i].trust_flags;
                                d.domain_type = trusts.array[i].trust_type;
                                d.domain_trust_attribs = trusts.array[i].trust_attributes;
 
                                d.domain_flags = trusts.array[i].trust_flags;
                                d.domain_type = trusts.array[i].trust_type;
                                d.domain_trust_attribs = trusts.array[i].trust_attributes;

-                       } else {
-                               /* Look up the record in the cache */
-                               struct winbindd_tdc_domain *parent;

 
 

-                               DEBUG(10,("trusted_domains(ads):  Inheriting trust "
-                                         "flags for domain %s\n", d.alt_name));                                
+                               wcache_tdc_add_domain( &d );
+                               ret_count++;
+                       } else if ( (domain->domain_flags&fr_flags) == fr_flags ) {
+                               /* Check if we already have this record. If
+                                * we are following our forest root that is not
+                                * our primary domain, we want to keep trust
+                                * flags from the perspective of our primary
+                                * domain not our forest root. */
+                               struct winbindd_tdc_domain *exist = NULL;
+
+                               exist = 
+                                   wcache_tdc_fetch_domain(NULL, trusts.array[i].netbios_name);
+                               if (!exist) {
+                                       DEBUG(10,("trusted_domains(ads):  Searching "
+                                                 "trusted domain list of %s and storing "
+                                                 "trust flags for domain %s\n", 
+                                                 domain->name, d.alt_name));
+                                       d.domain_flags = trusts.array[i].trust_flags;
+                                       d.domain_type = trusts.array[i].trust_type;
+                                       d.domain_trust_attribs = trusts.array[i].trust_attributes;
+
+                                       wcache_tdc_add_domain( &d );
+                                       ret_count++;
+                               }
+                               TALLOC_FREE(exist);
+                       } else {
+                               /* This gets a little tricky.  If we are
+                                  following a transitive forest trust, then
+                                  innerit the flags, type, and attribs from
+                                  the domain we queried to make sure we don't
+                                  record the view of the trust from the wrong
+                                  side.  Always view it from the side of our
+                                  primary domain.   --jerry */
+                               struct winbindd_tdc_domain *parent = NULL;
+
+                               DEBUG(10,("trusted_domains(ads):  Searching "
+                                         "trusted domain list of %s and inheriting "
+                                         "trust flags for domain %s\n", 
+                                         domain->name, d.alt_name));

 
                                parent = wcache_tdc_fetch_domain(NULL, domain->name);
                                if (parent) {
 
                                parent = wcache_tdc_fetch_domain(NULL, domain->name);
                                if (parent) {


@@ -1282,17 +1305,15 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
                                        d.domain_type  = parent->trust_type;
                                        d.domain_trust_attribs = parent->trust_attribs;
                                } else {
                                        d.domain_type  = parent->trust_type;
                                        d.domain_trust_attribs = parent->trust_attribs;
                                } else {

-                               d.domain_flags = domain->domain_flags;                          
-                               d.domain_type  = domain->domain_type;
-                               d.domain_trust_attribs = domain->domain_trust_attribs;
-                       }
+                                       d.domain_flags = domain->domain_flags;
+                                       d.domain_type  = domain->domain_type;
+                                       d.domain_trust_attribs = domain->domain_trust_attribs;
+                               }

                                TALLOC_FREE(parent);
                                TALLOC_FREE(parent);

+                               
+                               wcache_tdc_add_domain( &d );
+                               ret_count++;

                        }
                        }

-
-                       wcache_tdc_add_domain( &d );
-
-                       ret_count++;
-

                }
 
                *num_domains = ret_count;       
                }
 
                *num_domains = ret_count;       

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 038bafbe4e6f43692f6cdb7f4d63a53c696481e5..641fd5a9f5112a48f53b676eb74e2591672c893f 100644 (file)
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -339,7 +339,7 @@ static void trustdom_recv(void *private_data, bool success)
        */
 
        if ( state->primary ) {
        */
 
        if ( state->primary ) {

-               /* If this is our primary domain and we are not the in the
+               /* If this is our primary domain and we are not in the

                   forest root, we have to scan the root trusts first */
 
                if ( !state->forest_root )
                   forest root, we have to scan the root trusts first */
 
                if ( !state->forest_root )


@@ -349,7 +349,7 @@ static void trustdom_recv(void *private_data, bool success)
 
        } else if ( state->forest_root ) {
                /* Once we have done root forest trust search, we can
 
        } else if ( state->forest_root ) {
                /* Once we have done root forest trust search, we can

-                  go on to search thing trusted forests */
+                  go on to search the trusted forests */

 
                rescan_forest_trusts();
        }
 
                rescan_forest_trusts();
        }


@@ -419,7 +419,7 @@ static void rescan_forest_root_trusts( void )
 }
 
 /********************************************************************
 }
 
 /********************************************************************

- scan the transitive forest trists (not our own)
+ scan the transitive forest trusts (not our own)

 ********************************************************************/
 
 
 ********************************************************************/