r21633: First real fix from me found during the bug hunt.

ads_cached_connection() does not call get_dc_name()
before ads_connect() and therefore does not setup
the environment to look at krb5.conf.DOMAIN file
before sending the TGT request.  The failure I'm seeing
occurs ni a multi-DC domain where we get back preuath
failed after we just joined the domain.
(This used to be commit 256f36dce3e3a39798b2ad38fa3123669d670597)

1 files changed, 8 insertions, 0 deletions

diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 9c8f23b1cf..9d965675c0 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -40,6 +40,8 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
 {
 	ADS_STRUCT *ads;
 	ADS_STATUS status;
+	fstring dc_name;
+	struct in_addr dc_ip;	
 
 	DEBUG(10,("ads_cached_connection\n"));
 
@@ -114,6 +116,12 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
 
 	ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
 
+	/* Setup the server affinity cache.  We don't reaally care
+	   about the name.  Just setup affinity and the KRB5_CONFIG 
+	   file. */
+
+	get_dc_name( "", ads->auth.realm, dc_name, &dc_ip );
+	
 	status = ads_connect(ads);
 	if (!ADS_ERR_OK(status) || !ads->config.realm) {
 		DEBUG(1,("ads_connect for domain %s failed: %s\n",