modified domain_client_validate to take trust account name / type. this

is to pass DOMAIN_NAME$ and SEC_CHAN_DOMAIN instead of WKSTA_NAME$ and
SEC_CHAN_WKSTA.

modified check_domain_security to determine if domain name is own domain,
and to use wksta trust account if so, otherwise check "trusting domains"
parameter and use inter-domain trust account if so, otherwise return
False.
(This used to be commit 97ec74e1fa99d773812d2df402251fafb76b181c)

7 files changed, 108 insertions, 15 deletions

diff --git a/source3/include/proto.h b/source3/include/proto.h
index e56cfbee48..f83485d455 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -624,6 +624,7 @@ void string_free(char **s);
 BOOL string_set(char **dest,const char *src);
 void string_sub(char *s,const char *pattern,const char *insert);
 void all_string_sub(char *s,const char *pattern,const char *insert);
+void split_at_first_component(char *path, char *front, char sep, char *back);
 void split_at_last_component(char *path, char *front, char sep, char *back);
 char *bit_field_to_str(uint32 type, struct field_info *bs);
 char *enum_field_to_str(uint32 type, struct field_info *bs, BOOL first_default);
@@ -4027,7 +4028,8 @@ struct cli_state *server_cryptkey(void);
 BOOL server_validate(char *user, char *domain, 
 		     char *pass, int passlen,
 		     char *ntpass, int ntpasslen);
-BOOL domain_client_validate( char *user, char *domain, 
+BOOL domain_client_validate( char *user, char *domain, char *server_list,
+				char *acct_name, uint16 acct_type,
                              char *smb_apasswd, int smb_apasslen, 
                              char *smb_ntpasswd, int smb_ntpasslen);
 
diff --git a/source3/lib/sids.c b/source3/lib/sids.c
index 052c05cb01..c18734c705 100644
--- a/source3/lib/sids.c
+++ b/source3/lib/sids.c
@@ -139,7 +139,8 @@ BOOL get_member_domain_sid(void)
 		}
 	}
 
-	return get_domain_sids(NULL, &global_member_sid, lp_passwordserver());
+	return get_domain_sids(global_myname, NULL,
+	                       &global_member_sid, lp_passwordserver());
 }
 
 
diff --git a/source3/lib/util_pwdb.c b/source3/lib/util_pwdb.c
index f27cce8fba..d80ec5f689 100644
--- a/source3/lib/util_pwdb.c
+++ b/source3/lib/util_pwdb.c
@@ -634,7 +634,8 @@ BOOL pwdb_initialise(BOOL is_server)
 		{
 			srvs = lp_passwordserver();
 		}
-		if (!get_domain_sids(&global_member_sid, &global_sam_sid, srvs))
+		if (!get_domain_sids(global_myname, &global_member_sid,
+		                      &global_sam_sid, srvs))
 		{
 			return False;
 		}
diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c
index 43e3224df4..a25043df78 100644
--- a/source3/lib/util_str.c
+++ b/source3/lib/util_str.c
@@ -1066,6 +1066,38 @@ void all_string_sub(char *s,const char *pattern,const char *insert)
 /****************************************************************************
  splits out the front and back at a separator.
 ****************************************************************************/
+void split_at_first_component(char *path, char *front, char sep, char *back)
+{
+	char *p = strchr(path, sep);
+
+	if (p != NULL)
+	{
+		*p = 0;
+	}
+	if (front != NULL)
+	{
+		pstrcpy(front, path);
+	}
+	if (p != NULL)
+	{
+		if (back != NULL)
+		{
+			pstrcpy(back, p+1);
+		}
+		*p = sep;
+	}
+	else
+	{
+		if (back != NULL)
+		{
+			back[0] = 0;
+		}
+	}
+}
+
+/****************************************************************************
+ splits out the front and back at a separator.
+****************************************************************************/
 void split_at_last_component(char *path, char *front, char sep, char *back)
 {
 	char *p = strrchr(path, sep);
@@ -1084,7 +1116,7 @@ void split_at_last_component(char *path, char *front, char sep, char *back)
 		{
 			pstrcpy(back, p+1);
 		}
-		*p = '\\';
+		*p = sep;
 	}
 	else
 	{
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index a21b598238..3d31db7fb5 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -626,6 +626,7 @@ BOOL check_oem_password(char *user,
 	uchar new_p16[16];
 	uchar unenc_old_pw[16];
 	char no_pw[2];
+	uint32 len;
 
 	BOOL nt_pass_set = (ntdata != NULL && nthash != NULL);
 
@@ -682,7 +683,7 @@ BOOL check_oem_password(char *user,
 	 */
 	SamOEMhash( (uchar *)lmdata, (uchar *)smbpw->smb_passwd, True);
 
-	if (!decode_pw_buffer(lmdata, new_passwd, new_passwd_size, nt_pass_set))
+	if (!decode_pw_buffer(lmdata, new_passwd, new_passwd_size, &len))
 	{
 		return False;
 	}
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 1612b8264f..f74cc49eca 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -1095,7 +1095,8 @@ use this machine as the password server.\n"));
  key from the workstation trust account password.
 ************************************************************************/
 
-BOOL domain_client_validate( char *user, char *domain, 
+BOOL domain_client_validate( char *user, char *domain, char *server_list,
+				char *acct_name, uint16 acct_type,
                              char *smb_apasswd, int smb_apasslen, 
                              char *smb_ntpasswd, int smb_ntpasslen)
 {
@@ -1108,6 +1109,10 @@ BOOL domain_client_validate( char *user, char *domain,
 	NET_USER_INFO_3 info3;
 	struct cli_state cli;
 	uint32 smb_uid_low;
+	fstring trust_acct;
+
+	fstrcpy(trust_acct, acct_name);
+	fstrcat(trust_acct, "$");
 
 	/* 
 	* Check that the requested domain is not our own machine name.
@@ -1126,7 +1131,7 @@ BOOL domain_client_validate( char *user, char *domain,
 	*/
 
 	if(((smb_apasslen  != 24) && (smb_apasslen  != 0)) || 
-	   ((smb_ntpasslen != 24) && (smb_ntpasslen != 0)))
+	   ((smb_ntpasslen <= 24) && (smb_ntpasslen != 0)))
 	{
 		/*
 		 * Not encrypted - do so.
@@ -1158,7 +1163,7 @@ BOOL domain_client_validate( char *user, char *domain,
 	/*
 	 * Get the workstation trust account password.
 	 */
-	if (!trust_get_passwd( trust_passwd, global_myworkgroup, global_myname))
+	if (!trust_get_passwd( trust_passwd, domain, acct_name))
 	{
 		return False;
 	}
@@ -1171,7 +1176,7 @@ BOOL domain_client_validate( char *user, char *domain,
 	 * see if they were valid.
 	 */
 
-	if (!cli_connect_serverlist(&cli, lp_passwordserver()))
+	if (!cli_connect_serverlist(&cli, server_list))
 	{
 		DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
 		return False;
@@ -1192,7 +1197,7 @@ BOOL domain_client_validate( char *user, char *domain,
 	}
 
 	if(cli_nt_setup_creds(&cli, nt_pipe_fnum,
-	   cli.mach_acct, global_myname, trust_passwd, SEC_CHAN_WKSTA) != 0x0)
+	   trust_acct, global_myname, trust_passwd, acct_type) != 0x0)
 	{
 		DEBUG(0,("domain_client_validate: unable to setup the PDC credentials to machine \
 		%s. Error was : %s.\n", cli.desthost, cli_errstr(&cli)));
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 0c4fb2003c..79b24a986c 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -39,6 +39,7 @@ extern BOOL case_preserve;
 extern BOOL short_case_preserve;
 extern pstring sesssetup_user;
 extern fstring global_myworkgroup;
+extern fstring global_myname;
 extern int Client;
 extern int global_oplock_break;
 uint32 global_client_caps = 0;
@@ -501,12 +502,62 @@ static BOOL check_domain_security(char *orig_user, char *domain,
                                   char *smb_apasswd, int smb_apasslen,
                                   char *smb_ntpasswd, int smb_ntpasslen)
 {
-  if(lp_security() != SEC_DOMAIN)
-    return False;
+	fstring acct_name;
+	uint16 acct_type = 0;
+
+	char *server_list = NULL;
+	pstring srv_list;
+	char *trusted_list = lp_trusted_domains();
+
+	if (lp_security() == SEC_SHARE || lp_security() == SEC_SERVER)
+	{
+		return False;
+	}
+		
+	if (lp_security() == SEC_DOMAIN)
+	{
+		fstrcpy(acct_name, global_myname);
+		acct_type = SEC_CHAN_WKSTA;
+		if (strequal(lp_workgroup(), domain))
+		{
+			DEBUG(10,("local domain server list: %s\n", server_list));
+			pstrcpy(srv_list, lp_passwordserver());
+			server_list = srv_list;
+		}
+	}
+
+	if (server_list == NULL)
+	{
+		pstring tmp;
+		if (next_token(&trusted_list, tmp, NULL, sizeof(tmp)))
+		{
+			do
+			{
+				fstring trust_dom;
+				split_at_first_component(tmp, trust_dom, '=', srv_list);
+
+				if (strequal(domain, trust_dom))
+				{
+					DEBUG(10,("trusted domain server list: %s\n", server_list));
+					fstrcpy(acct_name, global_myworkgroup);
+					acct_type = SEC_CHAN_DOMAIN;
+					server_list = srv_list;
+					break;
+				}
+
+			} while (next_token(NULL, tmp, NULL, sizeof(tmp)));
+		}
+	}
+
+	if (server_list == NULL)
+	{
+		return False;
+	}
 
-  return domain_client_validate(orig_user, domain,
-                                smb_apasswd, smb_apasslen,
-                                smb_ntpasswd, smb_ntpasslen);
+	return domain_client_validate(orig_user, domain, server_list,
+	                        acct_name, acct_type,
+	                        smb_apasswd, smb_apasslen,
+	                        smb_ntpasswd, smb_ntpasslen);
 }
 
 /****************************************************************************