r16256: sync up to r16255 from SAMBA_3_0

1 files changed, 11 insertions, 8 deletions

diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c
index 11eb21df446..467e652ca99 100644
--- a/source/rpc_client/cli_pipe.c
+++ b/source/rpc_client/cli_pipe.c
@@ -2446,15 +2446,18 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
 		return NULL;
 	}
 
+	/* A DC should use DOMAIN$ as its account name.
+	   A member server can only use it's machine name since it
+	   does not have an account in a trusted domain.
+
+	   We don't check the domain against lp_workgroup() here since
+	   'net ads join' has to continue to work with only the realm
+	   specified in smb.conf.  -- jerry */
+
         if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
 		fstrcpy( machine_account, lp_workgroup() );
         } else {
-                /* Hmmm. Is this correct for trusted domains when we're a member server ? JRA. */
-                if (strequal(domain, lp_workgroup())) {
-                        fstrcpy(machine_account, global_myname());
-                } else {
-                        fstrcpy(machine_account, domain);
-                }
+		fstrcpy(machine_account, global_myname());
         }
 
 	*perr = rpccli_netlogon_setup_creds(netlogon_pipe,
@@ -2716,9 +2719,9 @@ struct rpc_pipe_client *cli_rpc_pipe_open_krb5(struct cli_state *cli,
 		return NULL;
 	}
 
-	/* Default service principal is "host/server@realm" */
+	/* Default service principal is "desthost$@realm" */
 	if (!service_princ) {
-		service_princ = talloc_asprintf(result->mem_ctx, "host/%s@%s",
+		service_princ = talloc_asprintf(result->mem_ctx, "%s$@%s",
 			cli->desthost, lp_realm() );
 		if (!service_princ) {
 			cli_rpc_pipe_close(result);