From 05eb7b52cd7ebcb5bfc873e388c745f8e958c994 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 16 Dec 2014 15:57:49 +0000
Subject: [PATCH] s3:pdb_samba_dsdb: use SEC_CHAN_DNS_DOMAIN in
 pdb_samba_dsdb_get_trusteddom_creds()

If both ends have a dns domain, we can use SEC_CHAN_DNS_DOMAIN in order to match
a Windows DC.

For kerberos we still need to use MY_NETBIOS_DOMAIN$@REMOTE_REALM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source3/passdb/pdb_samba_dsdb.c | 39 ++++++++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 6 deletions(-)

diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 638a4a290f1..bbedd88523e 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -2296,8 +2296,10 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 	bool ok;
 	const char *my_netbios_name = NULL;
 	const char *my_netbios_domain = NULL;
+	const char *my_dns_domain = NULL;
 	const char *netbios_domain = NULL;
 	char *account_name = NULL;
+	char *principal_name = NULL;
 	const char *dns_domain = NULL;
 
 	status = sam_get_results_trust(state->ldb, tmp_ctx, domain,
@@ -2389,6 +2391,7 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 
 	my_netbios_name = lpcfg_netbios_name(state->lp_ctx);
 	my_netbios_domain = lpcfg_workgroup(state->lp_ctx);
+	my_dns_domain = lpcfg_dnsdomain(state->lp_ctx);
 
 	creds = cli_credentials_init(tmp_ctx);
 	if (creds == NULL) {
@@ -2413,12 +2416,27 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DOMAIN);
-
-	account_name = talloc_asprintf(tmp_ctx, "%s$", my_netbios_domain);
-	if (account_name == NULL) {
-		TALLOC_FREE(tmp_ctx);
-		return NT_STATUS_NO_MEMORY;
+	if (my_dns_domain != NULL && dns_domain != NULL) {
+		cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DNS_DOMAIN);
+		account_name = talloc_asprintf(tmp_ctx, "%s.", my_dns_domain);
+		if (account_name == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+		principal_name = talloc_asprintf(tmp_ctx, "%s$@%s", my_netbios_domain,
+						 cli_credentials_get_realm(creds));
+		if (principal_name == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+	} else {
+		cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DOMAIN);
+		account_name = talloc_asprintf(tmp_ctx, "%s$", my_netbios_domain);
+		if (account_name == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+		principal_name = NULL;
 	}
 
 	ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
@@ -2427,6 +2445,15 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	if (principal_name != NULL) {
+		ok = cli_credentials_set_principal(creds, principal_name,
+						   CRED_SPECIFIED);
+		if (!ok) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
 	if (password_nt.length == 16) {
 		struct samr_Password nt_hash;
 
-- 
2.34.1