This fixes a number of ADS problems, particularly with netbiosless

setups.

- split up the ads structure into logical pieces. This makes it much
  easier to keep things like the authentication realm and the server
  realm separate (they can be different).

- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)

- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0

- completely rewrote the code for finding the LDAP server. Now try DNS
  methods first, and try all DNS servers returned from the SRV DNS
  query, sorted by closeness to our interfaces (using the same sort code
  as we use in replies from WINS servers). This allows us to cope with
  ADS DCs that are down, and ensures we don't pick one that is on the
  other side of the country unless absolutely necessary.

- recognise dnsRecords as binary when displaying them

- cope with the realm not being configured in smb.conf (work it out
  from the LDAP server)

- look at the trustDirection when looking up trusted domains and don't
  include trusts that trust our domains but we don't trust
  theirs.

- use LDAP to query the alternate (netbios) name for a realm, and make
  sure that both and long and short forms of the name are accepted by
  winbindd. Use the short form by default for listing users/groups.

- rescan the list of trusted domains every 5 minutes in case new trust
  relationships are added while winbindd is running

- include transient trust relationships (ie. C trusts B, B trusts A,
  so C trusts A) in winbindd.

- don't do a gratuituous node status lookup when finding an ADS DC (we
  don't need it and it could fail)

- remove unused sid_to_distinguished_name function

- make sure we find the allternate name of our primary domain when
  operating with a netbiosless ADS DC (using LDAP to do the lookup)

- fixed the rpc trusted domain enumeration to support up to approx
  2000 trusted domains (the old limit was 3)

- use the IP for the remote_machine (%m) macro when the client doesn't
  supply us with a name via a netbios session request (eg. port 445)

- if the client uses SPNEGO then use the machine name from the SPNEGO
  auth packet for remote_machine (%m) macro

- add new 'net ads workgroup' command to find the netbios workgroup
  name for a realm
(This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)

1 files changed, 77 insertions, 41 deletions

diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index b927380af8..daa3abb340 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -74,19 +74,17 @@ void free_domain_list(void)
 }
 
 /* Add a trusted domain to our list of domains */
-
-static struct winbindd_domain *add_trusted_domain(char *domain_name,
-						  struct winbindd_methods *methods)
+static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
+						  struct winbindd_methods *methods,
+						  DOM_SID *sid)
 {
 	struct winbindd_domain *domain;
         
 	/* We can't call domain_list() as this function is called from
 	   init_domain_list() and we'll get stuck in a loop. */
-
 	for (domain = _domain_list; domain; domain = domain->next) {
-		if (strcmp(domain_name, domain->name) == 0) {
-			DEBUG(3, ("domain %s already in domain list\n", 
-				  domain_name));
+		if (strcmp(domain_name, domain->name) == 0 ||
+		    strcmp(domain_name, domain->alt_name) == 0) {
 			return domain;
 		}
 	}
@@ -101,40 +99,95 @@ static struct winbindd_domain *add_trusted_domain(char *domain_name,
         
 	ZERO_STRUCTP(domain);
 
+	/* prioritise the short name */
+	if (strchr_m(domain_name, '.') && alt_name && *alt_name) {
+		fstrcpy(domain->name, alt_name);
+		fstrcpy(domain->alt_name, domain_name);
+	} else {
 	fstrcpy(domain->name, domain_name);
+		if (alt_name) {
+			fstrcpy(domain->alt_name, alt_name);
+		}
+	}
+
         domain->methods = methods;
 	domain->sequence_number = DOM_SEQUENCE_NONE;
 	domain->last_seq_check = 0;
+	if (sid) {
+		sid_copy(&domain->sid, sid);
+	}
 
 	/* Link to domain list */
-        
 	DLIST_ADD(_domain_list, domain);
         
+	DEBUG(1,("Added domain %s %s %s\n", 
+		 domain->name, domain->alt_name,
+		 sid?sid_string_static(&domain->sid):""));
+        
 	return domain;
 }
 
-/* Look up global info for the winbind daemon */
 
+/*
+  rescan our domains looking for new trusted domains
+ */
+void rescan_trusted_domains(void)
+{
+	struct winbindd_domain *domain;
+	TALLOC_CTX *mem_ctx;
+	static time_t last_scan;
+	time_t t = time(NULL);
+
+	/* ony rescan every few minutes */
+	if ((unsigned)(t - last_scan) < WINBINDD_RESCAN_FREQ) {
+		return;
+	}
+	last_scan = time(NULL);
+	
+	DEBUG(1, ("scanning trusted domain list\n"));
+
+	if (!(mem_ctx = talloc_init_named("init_domain_list")))
+		return;
+
+	for (domain = _domain_list; domain; domain = domain->next) {
+		NTSTATUS result;
+		char **names;
+		char **alt_names;
+		int num_domains = 0;
+		DOM_SID *dom_sids;
+		int i;
+
+		result = domain->methods->trusted_domains(domain, mem_ctx, &num_domains,
+							  &names, &alt_names, &dom_sids);
+		if (!NT_STATUS_IS_OK(result)) {
+			continue;
+		}
+
+		/* Add each domain to the trusted domain list. Each domain inherits
+		   the access methods of its parent */
+		for(i = 0; i < num_domains; i++) {
+			DEBUG(10,("Found domain %s\n", names[i]));
+			add_trusted_domain(names[i], 
+					   alt_names?alt_names[i]:NULL, 
+					   domain->methods, &dom_sids[i]);
+		}
+	}
+
+	talloc_destroy(mem_ctx);
+}
+
+/* Look up global info for the winbind daemon */
 BOOL init_domain_list(void)
 {
 	NTSTATUS result;
-	TALLOC_CTX *mem_ctx;
 	extern struct winbindd_methods cache_methods;
 	struct winbindd_domain *domain;
-	DOM_SID *dom_sids;
-	char **names;
-	uint32 num_domains = 0;
-
-	if (!(mem_ctx = talloc_init_named("init_domain_list")))
-		return False;
 
 	/* Free existing list */
-
 	free_domain_list();
 
 	/* Add ourselves as the first entry */
-
-	domain = add_trusted_domain(lp_workgroup(), &cache_methods);
+	domain = add_trusted_domain(lp_workgroup(), NULL, &cache_methods, NULL);
 
 	/* Now we *must* get the domain sid for our primary domain. Go into
 	   a holding pattern until that is available */
@@ -147,29 +200,12 @@ BOOL init_domain_list(void)
 		result = cache_methods.domain_sid(domain, &domain->sid);
 	}
        
-	DEBUG(1,("Added domain %s (%s)\n", 
-		 domain->name, 
-		 sid_string_static(&domain->sid)));
-
-	DEBUG(1, ("getting trusted domain list\n"));
+	/* get any alternate name for the primary domain */
+	cache_methods.alternate_name(domain);
 
-	result = cache_methods.trusted_domains(domain, mem_ctx, &num_domains,
-					       &names, &dom_sids);
+	/* do an initial scan for trusted domains */
+	rescan_trusted_domains();
 
-	/* Add each domain to the trusted domain list */
-	if (NT_STATUS_IS_OK(result)) {
-		int i;
-		for(i = 0; i < num_domains; i++) {
-			domain = add_trusted_domain(names[i], &cache_methods);
-			if (!domain) continue;
-			sid_copy(&domain->sid, &dom_sids[i]);
-			DEBUG(1,("Added domain %s (%s)\n", 
-				 domain->name, 
-				 sid_string_static(&domain->sid)));
-		}
-	}
-
-	talloc_destroy(mem_ctx);
 	return True;
 }
 
@@ -184,7 +220,7 @@ struct winbindd_domain *find_domain_from_name(const char *domain_name)
 
 	for (domain = domain_list(); domain != NULL; domain = domain->next) {
 		if (strequal(domain_name, domain->name) ||
-		    strequal(domain_name, domain->full_name))
+		    (domain->alt_name[0] && strequal(domain_name, domain->alt_name)))
 			return domain;
 	}