s3/winbindd: Remove unnecessary check for NULL SID
author Steven Danneman <steven.danneman@isilon.com>
Wed, 29 Jul 2009 23:13:44 +0000 (16:13 -0700)
committer Steven Danneman <steven.danneman@isilon.com>
Wed, 26 Aug 2009 23:34:09 +0000 (16:34 -0700)
There's a known bug in some Windows implementations of
DsEnumerateDomainTrusts() where domain SIDs are not returned for
transitively trusted domains within the same forest.

Jerry originally worked around this in the winbindd parent by checking
for S-0-0 and converting it to S-1-0 in 8b0fce0b.  Guenter later moved
these checks into the child process in commit 3bdfcbac making the
initial patch unnecessary.

I've removed it and added a clarifying comment to the child process.

If ever this SID is needed we could add an extra DsEnumerateDomainTrusts()
call in trusted_domains() as suggested by the Microsoft KB.

source3/winbindd/winbindd_ads.c
source3/winbindd/winbindd_util.c

index a9df61d5f442c52a81c95e5e15c465c3ff860a01..b5fe08093cd627ea7782a73c2e6ffdd55e14ecdd 100644 (file)
@@ -1379,9 +1379,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
                                DEBUG(10,("trusted_domains: Skipping external trusted domain "
                                          "%s because it is outside of our primary domain\n",
                                          trusts.array[i].netbios_name));
-                               continue;                               
+                               continue;
                        }
 
+                       /* We must check that the SID of each trusted domain
+                        * was returned to work around a bug in Windows:
+                        * http://support.microsoft.com/kb/922832 */
+
                        (*names)[ret_count] = CONST_DISCARD(char *, trusts.array[i].netbios_name);
                        (*alt_names)[ret_count] = CONST_DISCARD(char *, trusts.array[i].dns_name);
                        if (trusts.array[i].sid) {
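
Review bot: The new comment sits above the `(*names)[ret_count]` assignment, two statements before the `if (trusts.array[i].sid)` test it describes, so a reader has to guess which check it refers to. Move it directly above that `if`, and state what is stored for the domain when no SID was returned, because the parent-side handling removed in winbindd_util.c now depends on that behaviour. The trailing-whitespace cleanup on `continue;` is unrelated to the comment and would be easier to review as its own change.
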
index 5c2ebab8363ef8bcf99ff10e4428b12085b587f1..ff8c101b37a4bea3a90eab306804c15edfd95d62 100644 (file)
@@ -322,13 +322,8 @@ static void trustdom_recv(void *private_data, bool success)
                        *q = '\0';
 
                if (!string_to_sid(&sid, sidstr)) {
-                       /* Allow NULL sid for sibling domains */
-                       if ( strcmp(sidstr,"S-0-0") == 0) {
-                               sid_copy( &sid, &global_sid_NULL);
-                       } else {
-                               DEBUG(0, ("Got invalid trustdom response\n"));
-                               break;
-                       }
+                       DEBUG(0, ("Got invalid trustdom response\n"));
+                       break;
                }
 
                /* use the real alt_name if we have one, else pass in NULL */
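
Review bot: With the `S-0-0` special case gone, every string that `string_to_sid()` rejects now reaches `break`, and the `DEBUG(0, ...)` message does not print `sidstr`, so a child response that still carries `S-0-0` would be indistinguishable in the log from any other malformed SID. Include the offending value, for example `DEBUG(0, ("Got invalid trustdom response: sid %s\n", sidstr));`, so a regression in the child-side conversion is visible at once. It is also worth confirming that stopping at the first bad entry with `break`, rather than skipping only that entry, is still the intended behaviour now that this path is purely an error path.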