Author: jerry
Date: 2007-03-01 14:44:25 +0000 (Thu, 01 Mar 2007)
New Revision: 21633

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21633

Log:
First real fix from me found during the bug hunt. ads_cached_connection() does not call get_dc_name() before ads_connect() and therefore does not set up the environment to look at krb5.conf.DOMAIN file before sending the TGT request. The failure I'm seeing occurs in a multi-DC domain where we get back preauth failed after we just joined the domain.

Modified:
branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c
branches/SAMBA_3_0_25/source/nsswitch/winbindd_ads.c

Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c =================================================================== --- branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c 2007-03-01 14:34:06 UTC (rev 21632) +++ branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c 2007-03-01 14:44:25 UTC (rev 21633) @@ -40,6 +40,8 @@ { ADS_STRUCT *ads; ADS_STATUS status; + fstring dc_name; + struct in_addr dc_ip; DEBUG(10,("ads_cached_connection\n")); @@ -114,6 +116,12 @@ ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME; + /* Setup the server affinity cache. We don't reaally care + about the name. Just setup affinity and the KRB5_CONFIG + file. */ + + get_dc_name( "", ads->auth.realm, dc_name, &dc_ip ); + status = ads_connect(ads); if (!ADS_ERR_OK(status) || !ads->config.realm) { DEBUG(1,("ads_connect for domain %s failed: %s\n", Modified: branches/SAMBA_3_0_25/source/nsswitch/winbindd_ads.c =================================================================== --- branches/SAMBA_3_0_25/source/nsswitch/winbindd_ads.c 2007-03-01 14:34:06 UTC (rev 21632) +++ branches/SAMBA_3_0_25/source/nsswitch/winbindd_ads.c 2007-03-01 14:44:25 UTC (rev 21633) @@ -40,6 +40,8 @@ { ADS_STRUCT *ads; ADS_STATUS status; + fstring dc_name; + struct in_addr dc_ip; DEBUG(10,("ads_cached_connection\n")); 
@@ -114,6 +116,12 @@ ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME; + /* Setup the server affinity cache. We don't reaally care + about the name. Just setup affinity and the KRB5_CONFIG + file. */ + + get_dc_name( "", ads->auth.realm, dc_name, &dc_ip ); + status = ads_connect(ads); if (!ADS_ERR_OK(status) || !ads->config.realm) { DEBUG(1,("ads_connect for domain %s failed: %s\n",
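Review bot: In the @@ -40,6 +40,8 @@ hunk (same in both branches), dc_name and dc_ip are added at function scope, but the visible lines only pass them to get_dc_name() as outputs and never read them afterwards. A one-line comment on the declarations saying they are scratch outputs, or a DEBUG(10, ...) after the call that logs the selected DC name, would show that leaving them unread is intentional and would make the chosen DC visible when diagnosing a join.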
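Review bot: In the @@ -114,6 +116,12 @@ hunk (same in both branches), whatever get_dc_name( "", ads->auth.realm, dc_name, &dc_ip ) reports is discarded, so when the lookup does not succeed the code still goes straight into ads_connect() with the affinity cache and KRB5_CONFIG in their previous state, which is the condition the log message ties to the preauth failure. Suggest checking the result and emitting a DEBUG line that names ads->auth.realm before ads_connect(), so a failed DC lookup can be told apart from a later connect failure in the logs. The new comment should also say which "name" is not cared about (the empty first argument or the dc_name output), and "reaally" is a typo.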
