add check for NT_STATUS_NOT_IMPLEMENTED in auth check so that

map to guest = bad user works again when "trustdomain" is listed
as last auth method.

Also clean up some more DC location calls.
(This used to be commit 77a5b1032f39b8d20925721b719fdcfff910cb06)

3 files changed, 50 insertions, 36 deletions

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 891f47486b..25b856cd57 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -244,10 +244,22 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 		return NT_STATUS_LOGON_FAILURE;
 
 	for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
+		NTSTATUS result;
+		
 		mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, 
 					    user_info->domain.str, user_info->smb_name.str);
 
-		nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
+		result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
+
+		/* check if the module did anything */
+		if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
+			DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
+			talloc_destroy(mem_ctx);
+			continue;
+		}
+
+		nt_status = result;
+
 		if (NT_STATUS_IS_OK(nt_status)) {
 			DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n", 
 				  auth_method->name, user_info->smb_name.str));
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index df19a274fb..84453ac3b5 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -401,11 +401,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
 					auth_serversupplied_info **server_info)
 {
 	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
-	char *password_server;
 	unsigned char trust_passwd[16];
 	time_t last_change_time;
 	const char *domain = lp_workgroup();
 	uint32 sec_channel_type = 0;
+	fstring dc_name;
+	struct in_addr dc_ip;
 
 	if (!user_info || !server_info || !auth_context) {
 		DEBUG(1,("check_ntdomain_security: Critical variables not present.  Failing.\n"));
@@ -443,17 +444,15 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
 		}
 	}
 
-	/*
-	 * Treat each name in the 'password server =' line as a potential
-	 * PDC/BDC. Contact each in turn and try and authenticate.
-	 */
-
-	password_server = lp_passwordserver();
-
+	if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) {
+		DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n",
+			user_info->domain.str));
+		return NT_STATUS_NO_LOGON_SERVERS;
+	}
+	
 	nt_status = domain_client_validate(mem_ctx, user_info, domain,
 					   (uchar *)auth_context->challenge.data, 
-					   server_info, 
-					   password_server, global_myname(), sec_channel_type,trust_passwd, last_change_time);
+					   server_info, dc_name, global_myname(), sec_channel_type,trust_passwd, last_change_time);
 	return nt_status;
 }
 
@@ -485,6 +484,8 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
 	char *trust_password;
 	time_t last_change_time;
 	DOM_SID sid;
+	fstring dc_name;
+	struct in_addr dc_ip;
 
 	if (!user_info || !server_info || !auth_context) {
 		DEBUG(1,("check_trustdomain_security: Critical variables not present.  Failing.\n"));
@@ -509,9 +510,15 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
 
 	if(strequal(lp_workgroup(), (user_info->domain.str))) {
 		DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n"));
-		return NT_STATUS_LOGON_FAILURE;
+		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
+	/* no point is bothering if this is not a trusted domain */
+	/* this return makes "map to guest = bad user" work again */
+	
+	if ( !is_trusted_domain( user_info->domain.str ) )
+		return NT_STATUS_NO_SUCH_USER;
+
 	/*
 	 * Get the trusted account password for the trusted domain
 	 * No need to become_root() as secrets_init() is done at startup.
@@ -537,11 +544,17 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
 	}
 #endif
 
+	if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) {
+		DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n",
+			user_info->domain.str));
+		return NT_STATUS_NO_LOGON_SERVERS;
+	}
+	
 	nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str,
 					   (uchar *)auth_context->challenge.data, 
-					   server_info, "*" /* Do a lookup */, 
-					   lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time);
-	
+					   server_info, dc_name, lp_workgroup(), 
+					   SEC_CHAN_DOMAIN, trust_md4_password, last_change_time);
+
 	return nt_status;
 }
 
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 7d0f44f1d1..fe4900f9f4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -204,32 +204,22 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
 	DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
 	      client_domain, smb_name, wksta_name));
 	
-	if (lp_allow_trusted_domains() && *client_domain) {
-
-		/* the client could have given us a workstation name
-		   or other crap for the workgroup - we really need a
-		   way of telling if this domain name is one of our
-		   trusted domain names 
-
-		   Also don't allow "" as a domain, fixes a Win9X bug 
+	/* don't allow "" as a domain, fixes a Win9X bug 
 		   where it doens't supply a domain for logon script
-		   'net use' commands.
-
-		   Finally, we do this by looking up a cache of trusted domains!
-		*/
+	   'net use' commands.*/
 
+	if ( *client_domain )
 		domain = client_domain;
+	else
+		domain = lp_workgroup();
 
-		if (is_trusted_domain(domain)) {
-			return make_user_info(user_info, smb_name, internal_username,
-			                      client_domain, domain, wksta_name,
-			                      lm_pwd, nt_pwd, plaintext, ntlmssp_flags,
-			                      encrypted);
-		}
+	/* do what win2k does.  Always map unknown domains to our own
+	   and let the "passdb backend" handle unknown users */
 
-	} else {
+	if ( !is_trusted_domain(domain) )
 		domain = lp_workgroup();
-	}
+	
+	/* we know that it is a trusted domain (and we are allowing them) or it is our domain */
 	
 	return make_user_info(user_info, 
 			      smb_name, internal_username,
@@ -238,7 +228,6 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
 			      lm_pwd, nt_pwd,
 			      plaintext, 
 			      ntlmssp_flags, encrypted);
-	
 }
 
 /****************************************************************************