auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon

If some needs the old behavior for a while, the deprecated
"auth methods = guest sam winbind:trustdomain" option can be used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 28d0955c327abe8d9f21be5532084e130d39c072..916c524cb689dbc4c84325c4f927faaceac2e92c 100644 (file)
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -559,7 +559,36 @@ NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
 NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
                                         struct auth_context **auth_context)
 {
-       return make_auth_context_subsystem(mem_ctx, auth_context);
+       const char *methods = NULL;
+       NTSTATUS nt_status;
+
+       /*
+        * We do the lp_auth_methods check before
+        * the lp_server_role check in order to
+        * backward compatible. The "auth methods" option
+        * is deprecated now, so this will go away in a future
+        * release.
+        */
+       if (lp_auth_methods()) {
+               DBG_INFO("Using specified auth order for netlogon\n");
+               nt_status = make_auth_context_text_list(
+                       mem_ctx, auth_context,
+                       discard_const_p(char *, lp_auth_methods()));
+               return nt_status;
+       }
+
+       switch (lp_server_role()) {
+       case ROLE_DOMAIN_BDC:
+       case ROLE_DOMAIN_PDC:
+               methods = "sam_netlogon3 winbind:trustdomain";
+               break;
+
+       default:
+               DBG_ERR("Invalid server role!\n");
+               return NT_STATUS_INVALID_SERVER_STATE;
+       }
+
+       return make_auth_context_specific(mem_ctx, auth_context, methods);
 }
 
 NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,