Use machine account and machine password from our domain when
authorSteven Danneman <sdanneman@isilon.com>
Thu, 8 May 2008 20:34:49 +0000 (13:34 -0700)
committerGerald Carter <coffeedude@plainjoe.org>
Fri, 23 May 2008 16:11:45 +0000 (11:11 -0500)
contacting trusted domains.

source/nsswitch/winbindd_cm.c
source/passdb/secrets.c

index 91c8c461e85c1006d133819cee8fefcb16de93ab..646c8ab5745035c879c4b1cf8b632b9a2f4fe20b 100644 (file)
@@ -607,12 +607,12 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
                return NT_STATUS_NO_MEMORY;
        }
 
-       /* this is at least correct when domain is our domain,
-        * which is the only case, when this is currently used: */
+       /* For now assume our machine account only exists in our domain */
+
        if (machine_krb5_principal != NULL)
        {
                if (asprintf(machine_krb5_principal, "%s$@%s",
-                            account_name, domain->alt_name) == -1)
+                            account_name, lp_realm()) == -1)
                {
                        return NT_STATUS_NO_MEMORY;
                }
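Review bot: `lp_realm()` is passed to the `asprintf` call without checking that a realm is actually configured. If the realm setting is empty (which I believe is the case on non-ADS setups, to be confirmed), the principal becomes `ACCOUNT$@` with nothing after the `@`, and the function still reports success. Consider detecting that case before formatting, e.g. `if (*lp_realm() == '\0') { DEBUG(3, ("get_trust_creds: no realm configured, cannot build krb5 principal\n")); }`, and deciding whether callers expect an error status there. The new comment could also say that the realm comes from local configuration rather than from `domain`, since `domain->alt_name` is no longer consulted here. The body of get_trust_creds starts and ends outside this hunk, so how callers use the principal is not visible.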
index cd6c751979a6e462b471a09dce249f5f6011afb5..21fdbcabd509d729750c4972d3aeccb449172f54 100644 (file)
@@ -702,10 +702,11 @@ BOOL get_trust_pw_clear(const char *domain, char **ret_pwd,
                return True;
        }
 
-       /* Just get the account for the requested domain. In the future this
-        * might also cover to be member of more than one domain. */
+       /* Here we are a domain member server.  We can only be a member
+          of one domain so ignore the request domain and assume our own */
 
-       pwd = secrets_fetch_machine_password(domain, &last_set_time, channel);
+       pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, 
+                                            channel);
 
        if (pwd != NULL) {
                *ret_pwd = pwd;
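Review bot: The `domain` argument is now silently ignored on the member-server path of `get_trust_pw_clear`, so a caller passing any name, even one that is not a trusted domain, gets our own machine password back with `True`. The callers therefore become the only place that decides which server the machine credentials are presented to, and the function's header comment (outside this hunk) should state that. I would also log the mismatch, `if (!strequal(domain, lp_workgroup())) DEBUG(5, ("get_trust_pw_clear: using our machine password for domain %s\n", domain));`, so operators can see when the machine secret is used toward another domain. The added line ending in `&last_set_time, ` has trailing whitespace.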