* cleanup more DC name resolution issues in check_*domain_security()

* is_trusted_domain() is broken without winbind.  Still working on this.
* get_global_sam_name() should return the workgroup name unless we
  are a standalone server (verified by volker)
* Get_Pwnam() should always fall back to the username (minus domain name)
  even if it is not our workgroup so that TRUSTEDOMAIN\user can logon
  if 'user' exists in the local list of accounts (on domain members w/o
  winbind)

Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0
domain member not running winbindd.

notes: make_user_info_map() is slightly broken now due to the
fact that is_trusted_domain() only works with winbindd.  disabled
checks temporarily until I can sort this out.
(This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)

1 files changed, 8 insertions, 3 deletions

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 1538fc50a1..30510c1bfa 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -216,6 +216,9 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
 	/* do what win2k does.  Always map unknown domains to our own
 	   and let the "passdb backend" handle unknown users */
 
+	/* FIXME!!!! grr...this is a broken check currently since is_trusted_domain()
+	   is useless without winbindd   --jerry */
+
 	if ( !is_trusted_domain(domain) ) 
 		domain = get_global_sam_name();
 	
@@ -869,10 +872,12 @@ static NTSTATUS fill_sam_account(const char *domain,
 
 	passwd = Get_Pwnam(dom_user);
 
-	if ( (passwd == NULL) && is_myworkgroup(domain) ) {
-		/* For our own domain also try unqualified */
+	/* if the lookup for DOMAIN\username failed, try again 
+	   with just 'username'.  This is need for accessing the server
+	   as a trust user that actually maps to a local account */
+
+	if ( !passwd ) 
 		passwd = Get_Pwnam(username);
-	}
 
 	if (passwd == NULL)
 		return NT_STATUS_NO_SUCH_USER;