* cleanup more DC name resolution issues in check_*domain_security()

* is_trusted_domain() is broken without winbind.  Still working on this.
* get_global_sam_name() should return the workgroup name unless we
  are a standalone server (verified by volker)
* Get_Pwnam() should always fall back to the username (minus domain name)
  even if it is not our workgroup so that TRUSTEDOMAIN\user can logon
  if 'user' exists in the local list of accounts (on domain members w/o
  winbind)

Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0
domain member not running winbindd.

notes: make_user_info_map() is slightly broken now due to the
fact that is_trusted_domain() only works with winbindd.  disabled
checks temporarily until I can sort this out.
(This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)

1 files changed, 70 insertions, 1 deletions

diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
index fc383d9a6b..8bfb00b9ad 100644
--- a/source3/libsmb/namequery_dc.c
+++ b/source3/libsmb/namequery_dc.c
@@ -5,6 +5,7 @@
 
    Copyright (C) Tim Potter 2001
    Copyright (C) Andrew Bartlett 2002
+   Copyright (C) Gerald Carter 2003
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -24,12 +25,54 @@
 
 #include "includes.h"
 
+/**************************************************************************
+ Find the name and IP address for a server in he realm/domain
+ *************************************************************************/
+ 
+static BOOL ads_dc_name(const char *domain, struct in_addr *dc_ip, fstring srv_name)
+{
+	ADS_STRUCT *ads;
+	const char *realm = domain;
+
+	if (strcasecmp(realm, lp_workgroup()) == 0)
+		realm = lp_realm();
+
+	ads = ads_init(realm, domain, NULL);
+	if (!ads)
+		return False;
+
+	/* we don't need to bind, just connect */
+	ads->auth.flags |= ADS_AUTH_NO_BIND;
+
+	DEBUG(4,("ads_dc_name: domain=%s\n", domain));
+
+#ifdef HAVE_ADS
+	/* a full ads_connect() is actually overkill, as we don't srictly need
+	   to do the SASL auth in order to get the info we need, but libads
+	   doesn't offer a better way right now */
+	ads_connect(ads);
+#endif
+
+	if (!ads->config.realm)
+		return False;
+
+	fstrcpy(srv_name, ads->config.ldap_server_name);
+	strupper(srv_name);
+	*dc_ip = ads->ldap_ip;
+	ads_destroy(&ads);
+	
+	DEBUG(4,("ads_dc_name: using server='%s' IP=%s\n",
+		 srv_name, inet_ntoa(*dc_ip)));
+	
+	return True;
+}
+
 /****************************************************************************
  Utility function to return the name of a DC. The name is guaranteed to be 
  valid since we have already done a name_status_find on it 
  ***************************************************************************/
 
-BOOL rpc_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out)
+static BOOL rpc_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out)
 {
 	struct ip_service *ip_list = NULL;
 	struct in_addr dc_ip, exclude_ip;
@@ -109,3 +152,29 @@ BOOL rpc_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out)
 
 	return True;
 }
+
+/**********************************************************************
+ wrapper around ads and rpc methods of finds DC's
+**********************************************************************/
+
+BOOL get_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out)
+{
+	struct in_addr dc_ip;
+	BOOL ret;
+
+	zero_ip(&dc_ip);
+
+	ret = False;
+	if (lp_security() == SEC_ADS)
+		ret = ads_dc_name(domain, &dc_ip, srv_name);
+
+	if (!ret) {
+		/* fall back on rpc methods if the ADS methods fail */
+		ret = rpc_dc_name(domain, srv_name, &dc_ip);
+	}
+
+	*ip_out = dc_ip;
+
+	return ret;
+}
+