Here's the code to make winbindd work on a Samba DC

to handle domain trusts.  Jeremy and I talked about this
and it's going in as working code.  It keeps winbind clean
and solves the trust problem with minimal changes.

To summarize, there are 2 basic cases where the deadlock would
occur.  (1) lookuping up secondary groups for a user, and
(2) get[gr|pw]nam() calls that fall through the NSS layer because
they don't exist anywhere.

o To handle case #1, we bypass winbindd in sys_getgrouplist() unless
  the username includes the 'winbind separator'.

o Case #2 is handled by adding checks in winbindd to return failure
  if we are a DC and the domain matches our own.

This code has been tested using basic share connections, domain
logons, and with pam_winbind (both with and without 'winbind
use default domain').  The 'trustdomain' auth module should work
as well if an admin wants to manually create UNIX users for
acounts in the trusted domains.

Other misc fixes:

  * we need to fix check_ntlm_password() to be able to determine
    if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD,
    etc...).  I worked around my specific situation, but this needs to be
    fixed.  the winbindd auth module was causing delays.
  * fix named server mutex deadlock between trust domain auth module
    and winbindd looking up a uid
  * make sure SAM_ACCOUNT gets stored in the server_info struct for the
    _net_sam_logon() reply.

Configuration details:

The recommended method for supporting trusts is to use winbind.
The gets us around some of the server mutex issues as well.

  * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf
  * create domain trusts like normal
  * join winbind on the pdc to the Samba domain using 'net rpc join'
  * add normal parameters to smb.conf for winbind
  * set 'auth method = guest sam winbind'
  * start smbd, nmbd, & winbindd

Problems that remain:

  * join a Windows 2k/XP box to a Samba domain.
  * create a 2-way trust between the Samba domain
    and an NT domain
  * logon to the windows client as a user from theh trusted
    domain
  * try to browse server in the trusted domain (or other
    workstations).  an NT client seems to work ok, but 2k
    and XP either prompt for passwords or fail with errors.

apparanently this never got tested since no one has ever been
able to logon as a trusted user to a Samba domain from a Windows
client.
(This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)

9 files changed, 108 insertions, 28 deletions

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 25b856cd57..c50fc1a9b7 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -269,9 +269,15 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 		}
 
 		talloc_destroy(mem_ctx);
-
-		if (NT_STATUS_IS_OK(nt_status))
-			break;
+		
+		/* this sucks.  Somehow we have to know if an authentication module is 
+		   authoritative for a user.  Fixme!!!  --jerry */
+		
+		if ( NT_STATUS_IS_OK(nt_status) || 
+			NT_STATUS_V(nt_status) == NT_STATUS_V(NT_STATUS_WRONG_PASSWORD) )
+		{
+				break;			
+		}
 	}
 
 	if (NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 84453ac3b5..39ec864f75 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -346,6 +346,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 						   user_info->lm_resp, user_info->nt_resp, 
 						   &info3);
         
+	release_server_mutex();
+
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0,("domain_client_validate: unable to validate password "
                          "for user %s in domain %s to Domain controller %s. "
@@ -386,7 +388,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 	cli_nt_session_close(cli);
 	cli_ulogoff(cli);
 	cli_shutdown(cli);
-	release_server_mutex();
 	return nt_status;
 }
 
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index fe4900f9f4..71fdb0050b 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1031,15 +1031,17 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	/* now that we have a SAM_ACCOUNT that looks real, make a server_info
-	   to wrap it in, and use pass it on down */
-
 	if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) {
 		DEBUG(4, ("make_server_info failed!\n"));
 		pdb_free_sam(&sam_account);
 		return nt_status;
 	}
 
+	/* save this here to _net_sam_logon() doesn't fail (it assumes a 
+	   valid SAM_ACCOUNT) */
+		   
+	(*server_info)->sam_account = sam_account;
+
 	/* Fill in the unix info we found on the way */
 
 	(*server_info)->sam_fill_level = SAM_FILL_ALL;
diff --git a/source3/lib/system_smbd.c b/source3/lib/system_smbd.c
index 3ae0a6395e..ca78031660 100644
--- a/source3/lib/system_smbd.c
+++ b/source3/lib/system_smbd.c
@@ -107,13 +107,31 @@ static int getgrouplist_internals(const char *user, gid_t gid, gid_t *groups, in
 
 int sys_getgrouplist(const char *user, gid_t gid, gid_t *groups, int *grpcnt)
 {
+	char *p;
+	int retval;
+
+	DEBUG(10,("sys_getgrouplist: user [%s]\n", user));
+	
+	/* see if we should disable winbindd lookups for local users */
+	if ( (p = strchr(user, *lp_winbind_separator())) == NULL ) {
+		if ( setenv(WINBINDD_DONT_ENV, "1", True) == -1 )
+			DEBUG(0,("sys_getgroup_list: Insufficient environment space for %s\n",
+				WINBINDD_DONT_ENV));
+		else
+			DEBUG(10,("sys_getgrouplist(): disabled winbindd for group lookup [user == %s]\n",
+				user));
+	}
+
 #ifdef HAVE_GETGROUPLIST
-	return getgrouplist(user, gid, groups, grpcnt);
+	retval = getgrouplist(user, gid, groups, grpcnt);
 #else
-	int retval;
 	become_root();
 	retval = getgrouplist_internals(user, gid, groups, grpcnt);
 	unbecome_root();
-	return retval;
 #endif
+
+	/* allow winbindd lookups */
+	unsetenv( WINBINDD_DONT_ENV );
+	
+	return retval;
 }
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index 9f5bf3f11a..0cb0f0cb99 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -559,6 +559,9 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
 	if (!(got_mutex = secrets_named_mutex(lock_name, WINBIND_SERVER_MUTEX_WAIT_TIME))) {
 		DEBUG(0,("cm_get_netlogon_cli: mutex grab failed for %s\n", conn->controller));
 	}
+	
+	if ( sec_channel_type == SEC_CHAN_DOMAIN )
+		snprintf(conn->cli->mach_acct, sizeof(conn->cli->mach_acct) - 1, "%s$", lp_workgroup());
 			
 	result = cli_nt_establish_netlogon(conn->cli, sec_channel_type, trust_passwd);
 	
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index e4b0e78e2e..265297ca08 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -213,6 +213,17 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
 	if (!parse_domain_user(tmp, name_domain, name_group))
 		return WINBINDD_ERROR;
 
+	/* don't handle our own domain if we are a DC.  This code handles cases where
+	   the account doesn't exist anywhere and gets passed on down the NSS layer */
+
+	if ( ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role()==ROLE_DOMAIN_BDC)) &&
+		strequal(name_domain, lp_workgroup()) ) 
+	{
+		DEBUG(7,("winbindd_getgrnam: rejecting getpwnam() for %s\\%s since I am on the PDC for this domain\n", 
+			name_domain, name_group));
+		return WINBINDD_ERROR;
+	}	
+	
 	/* Get info for the domain */
 
 	if ((domain = find_domain_from_name(name_domain)) == NULL) {
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 7b93015b5d..a3b0849721 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -235,11 +235,52 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 
 	DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid,
 		  domain, user));
+		  
+	/* check our role as a domain member first */
+	if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
+		if ( !lp_allow_trusted_domains() && !strequal(domain, lp_workgroup()) ) {
+			DEBUG(5,("winbindd_pam_auth_crap: failing autghentication becuase of disallowed trust domains\n"));
+			result = NT_STATUS_LOGON_FAILURE;
+			goto done;
+		}
+		
+		contact_domain = domain;
 
-	if (lp_allow_trusted_domains() && (state->request.data.auth_crap.flags & WINBIND_PAM_CONTACT_TRUSTDOM)) {
+		/*
+		 * Get the machine account password for the domain to contact.
+		 * This is either our own domain for a workstation, or possibly
+		 * any domain for a PDC with trusted domains.
+		 */
+
+		if (!secrets_fetch_trust_account_password (contact_domain,
+							   trust_passwd,
+							   &last_change_time,
+							   &sec_channel_type)) {
+			DEBUG(0, ("winbindd_pam_auth_crap: could not fetch trust account "
+				  "password for domain %s\n", contact_domain));
+			result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+			goto done;
+		}
+	}
+	else if ( lp_allow_trusted_domains() ) {
+		/* if we are not a domain member, then we must be a DC.  Must never 
+		   see a logon for our domain */
+		DOM_SID sid;
+		char *pwd;
 		contact_domain = domain;
-	} else {
-		contact_domain = lp_workgroup();
+
+		if (!secrets_fetch_trusted_domain_password (contact_domain,
+							    &pwd, &sid,
+							    &last_change_time)) {
+			DEBUG(0, ("winbindd_pam_auth_crap: could not fetch trust account "
+				  "password for domain %s\n", contact_domain));
+			result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+			goto done;
+		}
+		sec_channel_type = SEC_CHAN_DOMAIN;
+		E_md4hash(pwd, trust_passwd);
+		SAFE_FREE(pwd);
+
 	}
 
 	if (*state->request.data.auth_crap.workstation) {
@@ -264,21 +305,6 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 	lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
 	nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
 	
-	/*
-	 * Get the machine account password for the domain to contact.
-	 * This is either our own domain for a workstation, or possibly
-	 * any domain for a PDC with trusted domains.
-	 */
-
-	if (!secrets_fetch_trust_account_password (
-                contact_domain, trust_passwd, &last_change_time,
-		&sec_channel_type)) {
-		DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
-                          "password for domain %s\n", contact_domain));
-		result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-		goto done;
-	}
-
 	do {
 		ZERO_STRUCT(info3);
 		ZERO_STRUCT(ret_creds);
diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c
index ccfddc83ba..518f335f27 100644
--- a/source3/nsswitch/winbindd_user.c
+++ b/source3/nsswitch/winbindd_user.c
@@ -115,6 +115,17 @@ enum winbindd_result winbindd_getpwnam(struct winbindd_cli_state *state)
 			       name_user))
 		return WINBINDD_ERROR;
 	
+	/* don't handle our own domain if we are a DC.  This code handles cases where
+	   the account doesn't exist anywhere and gets passed on down the NSS layer */
+
+	if ( ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role()==ROLE_DOMAIN_BDC)) &&
+		strequal(name_domain, lp_workgroup()) ) 
+	{
+		DEBUG(7,("winbindd_getpwnam: rejecting getpwnam() for %s\\%s since I am on the PDC for this domain\n", 
+			name_domain, name_user));
+		return WINBINDD_ERROR;
+	}	
+	
 	if ((domain = find_domain_from_name(name_domain)) == NULL) {
 		DEBUG(5, ("no such domain: %s\n", name_domain));
 		return WINBINDD_ERROR;
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index aa573b8154..738ededde1 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -644,7 +644,9 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
 							 p->dc.sess_key)) {
 			status = NT_STATUS_NO_MEMORY;
 		} else {
+			become_root();
 			status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
+			unbecome_root();
 		}
 
 		(auth_context->free)(&auth_context);