From e5251ee188e948f37e76d4071d435496c5be27d7 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 27 Oct 2017 14:01:41 +0200
Subject: [PATCH] winbindd: Remove a misleading comment

The reality is a bit more complex than this comment indicates. We should never suggest anywhere that we can connect to domains that we don't have a direct trust account to. For the member case, it's "our" domain, and for the DC case, it's the direct trusts. Everything else is pure luck.

Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Sat Oct 28 00:31:58 CEST 2017 on sn-devel-144
---
 source3/winbindd/winbindd_cache.c | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 93501e4073b..faea764cb5d 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -147,24 +147,6 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain)
 init_dc_connection(domain, false);
 }
 
- /*
- OK. Listen up because I'm only going to say this once.
- We have the following scenarios to consider
- (a) trusted AD domains on a Samba DC,
- (b) trusted AD domains and we are joined to a non-kerberos domain
- (c) trusted AD domains and we are joined to a kerberos (AD) domain
-
- For (a) we can always contact the trusted domain using krb5
- since we have the domain trust account password
-
- For (b) we can only use RPC since we have no way of
- getting a krb5 ticket in our own domain
-
- For (c) we can always use krb5 since we have a kerberos trust
-
- --jerry
- */
-
 #ifdef HAVE_ADS
 if (domain->backend == NULL) {
 struct winbindd_domain *our_domain = domain;
-- 
2.47.3