diff options
| author | Tim Potter <tpot@samba.org> | 2002-02-21 01:40:06 +0000 |
|---|---|---|
| committer | Tim Potter <tpot@samba.org> | 2002-02-21 01:40:06 +0000 |
| commit | ea6fde0b7b986f029e2b314568ac6a102cfa33c7 (patch) | |
| tree | 659c51da40dba662c731613f19d938f68c1e5184 | |
| parent | d8a66f20e0fd2335afcdf5ee3848be757738c7b7 (diff) | |
| download | samba-ea6fde0b7b986f029e2b314568ac6a102cfa33c7.tar.gz samba-ea6fde0b7b986f029e2b314568ac6a102cfa33c7.tar.xz samba-ea6fde0b7b986f029e2b314568ac6a102cfa33c7.zip | |
Check that the domain controllers returned by a WINS server are actually
DCs for the domain they advertise to be. Silly? Yes but I have log files
of a Microsoft WINS server sending the wrong result! Winbindd gets really
stuck when it latches onto a domain controller for a different domain.
Previously this check was slightly lower down in the call chain so wasn't
being made all the time. CR#334
| -rw-r--r-- | source/libsmb/clidomain.c | 33 |
1 files changed, 15 insertions, 18 deletions
diff --git a/source/libsmb/clidomain.c b/source/libsmb/clidomain.c index 75066942bf1..23b9ae566da 100644 --- a/source/libsmb/clidomain.c +++ b/source/libsmb/clidomain.c @@ -269,7 +269,7 @@ extern pstring global_myname; BOOL attempt_connect_dc(char *domain, struct in_addr dest_ip) { - fstring remote_machine; + fstring remote_machine, remote_domain; struct cli_state cli; uint16 fnum; @@ -292,6 +292,20 @@ BOOL attempt_connect_dc(char *domain, struct in_addr dest_ip) return False; } + /* Check that this DC is actually a controller for the domain we + are interested in by looking up the #1c name. */ + + if (name_status_find(domain, 0x1c, 0x1c, dest_ip, remote_domain)) { + if (!strequal(remote_domain, domain)) { + DEBUG(1, ("attempt_connect_dc: %s not a member of domain %s, rather %s\n", remote_machine, domain, remote_domain)); + return False; + } + } else { + DEBUG(1, ("attempt_connect_dc(): could not look up %s#1c\n", + remote_machine)); + return False; + } + /* This is the wrong place for this check I think. The correct place should be in the code that decides to use this server for authentication rather than attempting to connect to it to @@ -533,23 +547,6 @@ BOOL get_any_dc_name(char *domain, fstring srv_name) continue; } - /* Check that this DC is actually a member of the - domain we are interested in */ - - if (name_status_find(domain, 0x1c, 0x1c, dest_ip, the_domain)) { - if (!strequal(the_domain, domain)) { - DEBUG(1, ("get_any_dc_name(): dc %s not a member of domain %s (%s)\n", - remote_machine, domain, the_domain)); - connected_ok = False; - continue; - } - } else { - DEBUG(1, ("get_any_dc_name(): %s not a dc\n", - remote_machine)); - connected_ok = False; - continue; - } - connected_ok = attempt_connect_dc(domain, dest_ip); } } |