author | Jeremy Allison <jra@samba.org> | 2000-12-19 23:57:48 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2000-12-19 23:57:48 +0000 |
commit | c25533de9918ed9b0c79fd039e11d1b79f513db0 (patch) | |
tree | 9014018fcc14c73cb7452a27adb823b358b561f4 | |
parent | 0f39895ab007a7300aed6c011c487593ee8c91f0 (diff) | |
Fixed bug found by Gerald. If a Samba server joins a domain and is set
to search for a DC to authenticate to using the "*" syntax, then ensure
that for the first hour after the password change it searches for the
PDC using the 1B name, not the 1C name, as domain replication may not
have occurred.
Jeremy.
-rw-r--r-- | source/include/proto.h | 2 | ||||
-rw-r--r-- | source/libsmb/namequery.c | 4 | ||||
-rw-r--r-- | source/rpc_client/cli_netlogon.c | 3 | ||||
-rw-r--r-- | source/smbd/password.c | 22 |
4 files changed, 23 insertions, 8 deletions
diff --git a/source/include/proto.h b/source/include/proto.h
index d54f26dd0b5..168600a59f5 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -856,7 +856,7 @@ BOOL resolve_srv_name(const char* srv_name, fstring dest_host, struct in_addr *ip);
 BOOL find_master_ip(char *group, struct in_addr *master_ip);
 BOOL lookup_pdc_name(const char *srcname, const char *domain, struct in_addr *pdc_ip, char *ret_name);
-BOOL get_dc_list(char *group, struct in_addr **ip_list, int *count);
+BOOL get_dc_list(BOOL pdc_only, char *group, struct in_addr **ip_list, int *count);
 
 /*The following definitions come from libsmb/nmblib.c */
 
diff --git a/source/libsmb/namequery.c b/source/libsmb/namequery.c
index a8cc2fcf3a2..fa90691a95c 100644
--- a/source/libsmb/namequery.c
+++ b/source/libsmb/namequery.c
@@ -1063,7 +1063,7 @@ NT GETDC call, UNICODE, NT domain SID and uncle tom cobbley and all...
 /********************************************************
 Get the IP address list of the PDC/BDC's of a Domain.
 *********************************************************/
-BOOL get_dc_list(char *group, struct in_addr **ip_list, int *count)
+BOOL get_dc_list(BOOL pdc_only, char *group, struct in_addr **ip_list, int *count)
 {
-	return internal_resolve_name(group, 0x1C, ip_list, count);
+	return internal_resolve_name(group, pdc_only ? 0x1B : 0x1C, ip_list, count);
 }
diff --git a/source/rpc_client/cli_netlogon.c b/source/rpc_client/cli_netlogon.c
index 63461c5023e..3e24e74a590 100644
--- a/source/rpc_client/cli_netlogon.c
+++ b/source/rpc_client/cli_netlogon.c
@@ -665,7 +665,8 @@ account password for domain %s.\n", domain));
 	int count = 0;
 	int i;
 
-	if(!get_dc_list(domain, &ip_list, &count))
+	/* Use the PDC *only* for this. */
+	if(!get_dc_list(True, domain, &ip_list, &count))
 		continue;
 
 	/*
diff --git a/source/smbd/password.c b/source/smbd/password.c
index 1924bf32177..c2bcac339e3 100644
--- a/source/smbd/password.c
+++ b/source/smbd/password.c
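Review bot: The header comment above get_dc_list still reads "Get the IP address list of the PDC/BDC's of a Domain." and says nothing about the new pdc_only parameter or what the two NetBIOS suffixes select; I would extend it with `pdc_only True resolves the <domain>#1B name (the PDC alone), False resolves <domain>#1C (all domain controllers).` The 0x1B/0x1C literals in the ternary would also be clearer with a comment such as `/* 0x1B = domain master browser (PDC), 0x1C = domain controllers */` or named constants if the file already has them. The same undocumented parameter appears in the proto.h prototype in the previous hunk.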
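Review bot: The added comment `/* Use the PDC *only* for this. */` states what is done but not why; from the hunk heading (`account password for domain`) this appears to be the machine account password change path, where the write has to reach the PDC because BDCs only carry replicated copies, and that reason is what a later reader needs. I would write `/* Password changes must be made at the PDC (1B name): BDCs hold replicas only. */`. The enclosing loop body starts and ends outside the hunk, so I cannot see whether other call sites in this function should also pass True.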
@@ -1344,14 +1344,27 @@ static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, un
 We have been asked to dynamcially determine the IP addresses of the PDC and BDC's for this DOMAIN, and query them in turn.
 ************************************************************************/
-static BOOL find_connect_pdc(struct cli_state *pcli, unsigned char *trust_passwd)
+static BOOL find_connect_pdc(struct cli_state *pcli, unsigned char *trust_passwd, time_t last_change_time)
 {
 	struct in_addr *ip_list = NULL;
 	int count = 0;
 	int i;
 	BOOL connected_ok = False;
+	time_t time_now = time(NULL);
+	BOOL use_pdc_only = False;
 
-	if (!get_dc_list(lp_workgroup(), &ip_list, &count))
+	/*
+	 * If the time the machine password has changed
+	 * was less than an hour ago then we need to contact
+	 * the PDC only, as we cannot be sure domain replication
+	 * has yet taken place. Bug found by Gerald (way to go
+	 * Gerald !). JRA.
+	 */
+
+	if (time_now - last_change_time < 3600)
+		use_pdc_only = True;
+
+	if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count))
 		return False;
 
 	/*
@@ -1423,6 +1436,7 @@ BOOL domain_client_validate( char *user, char *domain,
 	struct cli_state cli;
 	uint32 smb_uid_low;
 	BOOL connected_ok = False;
+	time_t last_change_time;
 
 	if(user_exists != NULL)
 		*user_exists = True; /* Only set false on a very specific error. */
@@ -1473,7 +1487,7 @@ BOOL domain_client_validate( char *user, char *domain,
 	/*
 	 * Get the machine account password for our primary domain
 	 */
-	if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, NULL))
+	if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time))
 	{
 		DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup()));
 		return False;
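Review bot: `if (time_now - last_change_time < 3600)` hard-codes the one-hour window and, because the difference is signed, also selects the PDC-only path for any last_change_time later than time_now (clock skew, or a secrets record written on a host with a different clock); that is the conservative outcome, but nothing says it is intended, and the literal should be named. I would add `#define PDC_ONLY_AFTER_PASSWD_CHANGE_SECS 3600` near the function, compare against it, and note on the comparison `/* A negative delta (clock skew) also lands here: PDC-only is the safe choice. */`. The body of find_connect_pdc continues past the end of the hunk.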
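Review bot: `time_t last_change_time;` is left uninitialised and is only written through the out-parameter in the following hunk of this file, where `&last_change_time` replaces the NULL argument to secrets_fetch_trust_account_password; find_connect_pdc then subtracts it from time(NULL). If that function can return True without storing a time (its body is not on this page), the comparison reads an indeterminate value. Initialising it, `time_t last_change_time = 0;`, makes the fallback the pre-existing 1C lookup rather than an arbitrary result.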
@@ -1501,7 +1515,7 @@ BOOL domain_client_validate( char *user, char *domain,
 	while (!connected_ok && next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) {
 		if(strequal(remote_machine, "*")) {
-			connected_ok = find_connect_pdc(&cli, trust_passwd);
+			connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time);
 		} else {
 			connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd);
 		}