r22710: Support one-way trusts.

* Rely on the fact that name2sid will work for any name
  in a trusted domain will work against our primary domain
  (even in the absense of an incoming trust path)

* Only logons will reliably work and the idmap backend
  is responsible for being able to manage id's without contacting
  the trusted domain

* "getent passwd" and "getent group" for trusted users and groups
  will work but we cannot get the group membership of a user in any
  fashion without the user first logging on (via NTLM or krb5)
  and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)

1 files changed, 6 insertions, 0 deletions

diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 97c1ac4b9c..eb2da870c3 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -312,6 +312,12 @@ static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
 	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 	SAM_UNK_INFO_1 password_policy;
 
+	if ( !winbindd_can_contact_domain( domain ) ) {
+		DEBUG(5,("fillup_password_policy: No inbound trust to "
+			 "contact domain %s\n", domain->name));		
+		return NT_STATUS_NOT_SUPPORTED;
+	}	
+
 	methods = domain->methods;
 
 	status = methods->password_policy(domain, state->mem_ctx, &password_policy);