Let get_trust_pw() determine the machine_account_name to use.

Up to now each caller used its own logic.

This eliminates code paths where there was a special treatment
of the following situation: the domain given is not our workgroup
(i.e. our own domain) and we are not a DC (i.e. it is not a typical
trusted domain situation). In situation the given domain name was
previously used as the machine account name, resulting in an account
name of DOMAIN\\DOMAIN$, which does not seem very reasonable to me.
get_trust_pw would not have obtained a password in this situation
anyways.

I hope I have not missed an important point here!

Michael
(This used to be commit 6ced4a7f88798dc449a667d63bc29bf6c569291f)

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 7cddabbbbd0dc67ca050119b17717a2007fd3455..b428723a0614c68f83aa715b1918761585dc8447 100644 (file)
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -127,8 +127,11 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
                uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
                uint32 sec_chan_type = 0;
                unsigned char machine_pwd[16];
+               const char *account_name;
 
-               if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+               if (!get_trust_pw(domain, machine_pwd, &account_name,
+                                 &sec_chan_type))
+               {
                        DEBUG(0, ("connect_to_domain_password_server: could not fetch "
                        "trust account password for domain '%s'\n",
                                domain));
@@ -142,7 +145,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
                                        dc_name, /* server name */
                                        domain, /* domain */
                                        global_myname(), /* client name */
-                                       global_myname(), /* machine account name */
+                                       account_name, /* machine account name */
                                        machine_pwd,
                                        sec_chan_type,
                                        &neg_flags);

diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 2a4d4c4a0ad6bd40387a0d4701bd900669e888e7..f9b972da9b0db9dff4a757e03fe27e9eb932e891 100644 (file)
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -1523,10 +1523,12 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
 
 
 /*******************************************************************
- Wrapper around retrieving the trust account password
+ Wrapper around retrieving the trust account password.
+ appropriate account name is stored in account_name.
 *******************************************************************/
 
-bool get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
+bool get_trust_pw(const char *domain, uint8 ret_pwd[16],
+                 const char **account_name, uint32 *channel)
 {
        DOM_SID sid;
        char *pwd;
@@ -1550,6 +1552,10 @@ bool get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
                E_md4hash(pwd, ret_pwd);
                SAFE_FREE(pwd);
 
+               if (account_name != NULL) {
+                       *account_name = lp_workgroup();
+               }
+
                return True;
        }
 
@@ -1558,7 +1564,13 @@ bool get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
 
        if (secrets_fetch_trust_account_password(domain, ret_pwd,
                                                &last_set_time, channel))
+       {
+               if (account_name != NULL) {
+                       *account_name = global_myname();
+               }
+
                return True;
+       }
 
        DEBUG(5, ("get_trust_pw: could not fetch trust account "
                "password for domain %s\n", domain));

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 37558a7ff0085287b8b536009d4bb527f9b147d7..bf019c89a1859234b50de156b9caac9848928cef 100644 (file)
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2436,7 +2436,7 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
        struct rpc_pipe_client *netlogon_pipe = NULL;
        uint32 sec_chan_type = 0;
        unsigned char machine_pwd[16];
-       fstring machine_account;
+       const char *machine_account;
 
        netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
        if (!netlogon_pipe) {
@@ -2444,7 +2444,8 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
        }
 
        /* Get the machine account credentials from secrets.tdb. */
-       if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+       if (!get_trust_pw(domain, machine_pwd, &machine_account, &sec_chan_type))
+       {
                DEBUG(0, ("get_schannel_session_key: could not fetch "
                        "trust account password for domain '%s'\n",
                        domain));
@@ -2453,20 +2454,6 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
                return NULL;
        }
 
-       /* A DC should use DOMAIN$ as its account name.
-          A member server can only use it's machine name since it
-          does not have an account in a trusted domain.
-
-          We don't check the domain against lp_workgroup() here since
-          'net ads join' has to continue to work with only the realm
-          specified in smb.conf.  -- jerry */
-
-        if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
-               fstrcpy( machine_account, lp_workgroup() );
-        } else {
-               fstrcpy(machine_account, global_myname());
-        }
-
        *perr = rpccli_netlogon_setup_creds(netlogon_pipe,
                                        cli->desthost, /* server name */
                                        domain,        /* domain */
@@ -2562,7 +2549,7 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
        struct rpc_pipe_client *netlogon_pipe = NULL;
        uint32 sec_chan_type = 0;
        unsigned char machine_pwd[16];
-       fstring machine_account;
+       const char *machine_account;
 
        netlogon_pipe = cli_rpc_pipe_open_spnego_ntlmssp(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, perr);
        if (!netlogon_pipe) {
@@ -2570,7 +2557,8 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
        }
 
        /* Get the machine account credentials from secrets.tdb. */
-       if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+       if (!get_trust_pw(domain, machine_pwd, &machine_account, &sec_chan_type))
+       {
                DEBUG(0, ("get_schannel_session_key_auth_ntlmssp: could not fetch "
                        "trust account password for domain '%s'\n",
                        domain));
@@ -2579,20 +2567,6 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
                return NULL;
        }
 
-        /* if we are a DC and this is a trusted domain, then we need to use our
-           domain name in the net_req_auth2() request */
-
-        if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
-               fstrcpy( machine_account, lp_workgroup() );
-        } else {
-                /* Hmmm. Is this correct for trusted domains when we're a member server ? JRA. */
-                if (strequal(domain, lp_workgroup())) {
-                        fstrcpy(machine_account, global_myname());
-                } else {
-                        fstrcpy(machine_account, domain);
-                }
-        }
-
        *perr = rpccli_netlogon_setup_creds(netlogon_pipe,
                                        cli->desthost,     /* server name */
                                        domain,            /* domain */

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index d5c8b9955f23bbba3a438acc7c1b2f657eb3fc61..adb9d11edca875ae12192c22c7df6f10f292bae0 100644 (file)
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2235,27 +2235,11 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                neg_flags |= NETLOGON_NEG_SCHANNEL;
        }
 
-       if (!get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
-               cli_rpc_pipe_close(netlogon_pipe);
-               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-       }
-
-       /* if we are a DC and this is a trusted domain, then we need to use our
-          domain name in the net_req_auth2() request */
-
-       if ( IS_DC
-               && !strequal(domain->name, lp_workgroup())
-               && lp_allow_trusted_domains() ) 
+       if (!get_trust_pw(domain->name, mach_pwd, &account_name,
+                         &sec_chan_type))
        {
-               account_name = lp_workgroup();
-       } else {
-               account_name = domain->primary ?
-                       global_myname() : domain->name;
-       }
-
-       if (account_name == NULL) {
                cli_rpc_pipe_close(netlogon_pipe);
-               return NT_STATUS_NO_MEMORY;
+               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
        }
 
        result = rpccli_netlogon_setup_creds(