Let get_trust_pw() determine the machine_account_name to use.

Up to now each caller used its own logic.

This eliminates code paths where there was a special treatment
of the following situation: the domain given is not our workgroup
(i.e. our own domain) and we are not a DC (i.e. it is not a typical
trusted domain situation). In situation the given domain name was
previously used as the machine account name, resulting in an account
name of DOMAIN\\DOMAIN$, which does not seem very reasonable to me.
get_trust_pw would not have obtained a password in this situation
anyways.

I hope I have not missed an important point here!

Michael

diff --git a/source/auth/auth_domain.c b/source/auth/auth_domain.c
index a32677d037074f190f56365e776f2c5a47ca5dac..455eb1fa3bdf6a6205fd4d216ec4936e5c989d15 100644 (file)
--- a/source/auth/auth_domain.c
+++ b/source/auth/auth_domain.c
@@ -128,8 +128,11 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
                uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
                uint32 sec_chan_type = 0;
                unsigned char machine_pwd[16];
+               const char *account_name;
 
-               if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+               if (!get_trust_pw(domain, machine_pwd, &account_name,
+                                 &sec_chan_type))
+               {
                        DEBUG(0, ("connect_to_domain_password_server: could not fetch "
                        "trust account password for domain '%s'\n",
                                domain));
@@ -143,7 +146,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
                                        dc_name, /* server name */
                                        domain, /* domain */
                                        global_myname(), /* client name */
-                                       global_myname(), /* machine account name */
+                                       account_name, /* machine account name */
                                        machine_pwd,
                                        sec_chan_type,
                                        &neg_flags);

diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index bf8bdb1a718812991ccc0c13836de0a4306a3afb..ceedac1bd4d5852f21d2979ae77cd6f7ee1a69f4 100644 (file)
--- a/source/nsswitch/winbindd_cm.c
+++ b/source/nsswitch/winbindd_cm.c
@@ -1991,27 +1991,11 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                neg_flags |= NETLOGON_NEG_SCHANNEL;
        }
 
-       if (!get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
-               cli_rpc_pipe_close(netlogon_pipe);
-               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-       }
-
-       /* if we are a DC and this is a trusted domain, then we need to use our
-          domain name in the net_req_auth2() request */
-
-       if ( IS_DC
-               && !strequal(domain->name, lp_workgroup())
-               && lp_allow_trusted_domains() ) 
+       if (!get_trust_pw(domain->name, mach_pwd, &account_name,
+                         &sec_chan_type))
        {
-               account_name = lp_workgroup();
-       } else {
-               account_name = domain->primary ?
-                       global_myname() : domain->name;
-       }
-
-       if (account_name == NULL) {
                cli_rpc_pipe_close(netlogon_pipe);
-               return NT_STATUS_NO_MEMORY;
+               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
        }
 
        result = rpccli_netlogon_setup_creds(

diff --git a/source/passdb/secrets.c b/source/passdb/secrets.c
index a611a3ef042eb03b93305fa24f494e16fd2cb9ff..44d164e7b333499d7fe49b36cb028eda105d6a7c 100644 (file)
--- a/source/passdb/secrets.c
+++ b/source/passdb/secrets.c
@@ -642,10 +642,12 @@ char *secrets_fetch_machine_password(const char *domain,
 }
 
 /*******************************************************************
- Wrapper around retrieving the trust account password
+ Wrapper around retrieving the trust account password.
+ appropriate account name is stored in account_name.
 *******************************************************************/
 
-BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
+BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16],
+                 const char **account_name, uint32 *channel)
 {
        DOM_SID sid;
        char *pwd;
@@ -667,6 +669,10 @@ BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
                E_md4hash(pwd, ret_pwd);
                SAFE_FREE(pwd);
 
+               if (account_name != NULL) {
+                       *account_name = lp_workgroup();
+               }
+
                return True;
        }
 
@@ -675,7 +681,13 @@ BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
 
        if (secrets_fetch_trust_account_password(domain, ret_pwd,
                                                &last_set_time, channel))
+       {
+               if (account_name != NULL) {
+                       *account_name = global_myname();
+               }
+
                return True;
+       }
 
        DEBUG(5, ("get_trust_pw: could not fetch trust account "
                "password for domain %s\n", domain));

diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c
index 61f5ee51bd0acf4b08aeb042788eadf1644098b4..07c08f1a557a275aa258757e63f778dfeb0f5836 100644 (file)
--- a/source/rpc_client/cli_pipe.c
+++ b/source/rpc_client/cli_pipe.c
@@ -2435,7 +2435,7 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
        struct rpc_pipe_client *netlogon_pipe = NULL;
        uint32 sec_chan_type = 0;
        unsigned char machine_pwd[16];
-       fstring machine_account;
+       const char *machine_account;
 
        netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
        if (!netlogon_pipe) {
@@ -2443,7 +2443,8 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
        }
 
        /* Get the machine account credentials from secrets.tdb. */
-       if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+       if (!get_trust_pw(domain, machine_pwd, &machine_account, &sec_chan_type))
+       {
                DEBUG(0, ("get_schannel_session_key: could not fetch "
                        "trust account password for domain '%s'\n",
                        domain));
@@ -2452,20 +2453,6 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
                return NULL;
        }
 
-       /* A DC should use DOMAIN$ as its account name.
-          A member server can only use it's machine name since it
-          does not have an account in a trusted domain.
-
-          We don't check the domain against lp_workgroup() here since
-          'net ads join' has to continue to work with only the realm
-          specified in smb.conf.  -- jerry */
-
-        if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
-               fstrcpy( machine_account, lp_workgroup() );
-        } else {
-               fstrcpy(machine_account, global_myname());
-        }
-
        *perr = rpccli_netlogon_setup_creds(netlogon_pipe,
                                        cli->desthost, /* server name */
                                        domain,        /* domain */
@@ -2561,7 +2548,7 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
        struct rpc_pipe_client *netlogon_pipe = NULL;
        uint32 sec_chan_type = 0;
        unsigned char machine_pwd[16];
-       fstring machine_account;
+       const char *machine_account;
 
        netlogon_pipe = cli_rpc_pipe_open_spnego_ntlmssp(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, perr);
        if (!netlogon_pipe) {
@@ -2569,7 +2556,8 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
        }
 
        /* Get the machine account credentials from secrets.tdb. */
-       if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+       if (!get_trust_pw(domain, machine_pwd, &machine_account, &sec_chan_type))
+       {
                DEBUG(0, ("get_schannel_session_key_auth_ntlmssp: could not fetch "
                        "trust account password for domain '%s'\n",
                        domain));
@@ -2578,20 +2566,6 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
                return NULL;
        }
 
-        /* if we are a DC and this is a trusted domain, then we need to use our
-           domain name in the net_req_auth2() request */
-
-        if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
-               fstrcpy( machine_account, lp_workgroup() );
-        } else {
-                /* Hmmm. Is this correct for trusted domains when we're a member server ? JRA. */
-                if (strequal(domain, lp_workgroup())) {
-                        fstrcpy(machine_account, global_myname());
-                } else {
-                        fstrcpy(machine_account, domain);
-                }
-        }
-
        *perr = rpccli_netlogon_setup_creds(netlogon_pipe,
                                        cli->desthost,     /* server name */
                                        domain,            /* domain */