This changes the winbind protcol a bit:

It adds a 'ping' request, just to check winbind is in fact alive

It also changes winbindd_pam_auth_crap to take usernames and domain seperatly.

(backward incompatible change, needs merge to 2.2, but this is not yet released
code, so no workarounds)

Finally, it adds some debugs and fixes a few memory leaks (uses talloc to do
it).

Andrew Bartlett
(This used to be commit 6df29bfe335144a968f5367f624ef2b4cf9e69b0)

6 files changed, 84 insertions, 38 deletions

diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 9c012eb85d..56cccee3b8 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -31,6 +31,23 @@ NSS_STATUS winbindd_request(int req_type,
 			    struct winbindd_request *request,
 			    struct winbindd_response *response);
 
+/* Copy of parse_domain_user from winbindd_util.c.  Parse a string of the
+   form DOMAIN/user into a domain and a user */
+
+static BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
+{
+	char *p = strchr(domuser,*lp_winbind_separator());
+
+	if (!p)
+		return False;
+        
+	fstrcpy(user, p+1);
+	fstrcpy(domain, domuser);
+	domain[PTR_DIFF(p, domuser)] = 0;
+	strupper(domain);
+	return True;
+}
+
 /* List groups a user is a member of */
 
 static BOOL wbinfo_get_usergroups(char *user)
@@ -282,8 +299,10 @@ static BOOL wbinfo_auth(char *username)
 	 * Don't do the lookup if the name has no separator.
 	 */
  
-	if (!strchr(username, *lp_winbind_separator()))
+	if (!strchr(username, *lp_winbind_separator())) {
+		printf("no domain seperator (%s) in username - failing\n", lp_winbind_separator());
 		return False;
+	}
 
 	/* Send off request */
 
@@ -317,6 +336,8 @@ static BOOL wbinfo_auth_crap(char *username)
 	struct winbindd_request request;
 	struct winbindd_response response;
         NSS_STATUS result;
+        fstring name_user;
+        fstring name_domain;
         fstring pass;
         char *p;
 
@@ -324,8 +345,10 @@ static BOOL wbinfo_auth_crap(char *username)
 	 * Don't do the lookup if the name has no separator.
 	 */
  
-	if (!strchr(username, *lp_winbind_separator()))
+	if (!strchr(username, *lp_winbind_separator())) {
+		printf("no domain seperator (%s) in username - failing\n", lp_winbind_separator());
 		return False;
+	}
 
 	/* Send off request */
 
@@ -336,11 +359,14 @@ static BOOL wbinfo_auth_crap(char *username)
 
         if (p) {
                 *p = 0;
-                fstrcpy(request.data.auth_crap.user, username);
                 fstrcpy(pass, p + 1);
-                *p = '%';
-        } else
-                fstrcpy(request.data.auth_crap.user, username);
+	}
+		
+	parse_domain_user(username, name_domain, name_user);
+
+	fstrcpy(request.data.auth_crap.user, name_user);
+
+	fstrcpy(request.data.auth_crap.domain, name_domain);
 
 	generate_random_buffer(request.data.auth_crap.chal, 8, False);
         
@@ -447,6 +473,20 @@ static BOOL wbinfo_set_auth_user(char *username)
 	return True;
 }
 
+static BOOL wbinfo_ping(void)
+{
+        NSS_STATUS result;
+	
+	result = winbindd_request(WINBINDD_PING, NULL, NULL);
+
+	/* Display response */
+
+        printf("'ping' to winbindd %s\n", 
+               (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
+
+        return result == NSS_STATUS_SUCCESS;
+}
+
 /* Print program usage */
 
 static void usage(void)
@@ -465,6 +505,7 @@ static void usage(void)
 	printf("\t-m\t\t\tlist trusted domains\n");
 	printf("\t-r user\t\t\tget user groups\n");
 	printf("\t-a user%%password\tauthenticate user\n");
+	printf("\t-p 'ping' winbindd to see if it is alive\n");
 }
 
 /* Main program */
@@ -500,6 +541,7 @@ int main(int argc, char **argv)
 		{ "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r' },
  		{ "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a' },
 		{ "set-auth-user", 0, POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER },
+		{ "ping", 'p', POPT_ARG_NONE, 0, 'p' },
 		{ 0, 0, 0, 0 }
 	};
 
@@ -640,6 +682,14 @@ int main(int argc, char **argv)
                                 return 1;
                         break;
 		}
+                case 'p': {
+
+                        if (!wbinfo_ping()) {
+                                printf("could not ping winbindd!\n");
+                                return 1;
+			}
+                        break;
+		}
 		case OPT_SET_AUTH_USER:
 			if (!(wbinfo_set_auth_user(string_arg))) {
 				return 1;
diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c
index 7da20d8b01..631b71961d 100644
--- a/source3/nsswitch/winbindd.c
+++ b/source3/nsswitch/winbindd.c
@@ -329,6 +329,7 @@ static struct dispatch_table dispatch_table[] = {
 	/* Miscellaneous */
 
 	{ WINBINDD_CHECK_MACHACC, winbindd_check_machine_acct, "CHECK_MACHACC" },
+	{ WINBINDD_PING, winbindd_ping, "PING" },
 
 	/* End of list */
 
diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c
index 2718a75385..2cfea9bbb6 100644
--- a/source3/nsswitch/winbindd_misc.c
+++ b/source3/nsswitch/winbindd_misc.c
@@ -31,18 +31,9 @@ extern pstring global_myname;
 static BOOL _get_trust_account_password(char *domain, unsigned char *ret_pwd, 
 					time_t *pass_last_set_time)
 {
-	struct machine_acct_pass *pass;
-	size_t size;
-
-	if (!(pass = secrets_fetch(trust_keystr(domain), &size)) ||
-	    size != sizeof(*pass)) 
+	if (!secrets_fetch_trust_account_password(domain, ret_pwd, pass_last_set_time)) {
                 return False;
-        
-	if (pass_last_set_time) 
-                *pass_last_set_time = pass->mod_time;
-
-	memcpy(ret_pwd, pass->hash, 16);
-	SAFE_FREE(pass);
+	}
 
 	return True;
 }
@@ -150,3 +141,11 @@ enum winbindd_result winbindd_list_trusted_domains(struct winbindd_cli_state
 
 	return WINBINDD_OK;
 }
+
+enum winbindd_result winbindd_ping(struct winbindd_cli_state
+						   *state)
+{
+	DEBUG(3, ("[%5d]: ping\n", state->pid));
+
+	return WINBINDD_OK;
+}
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 07c67dd558..4d836a21cf 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -83,6 +83,7 @@ enum winbindd_cmd {
 	/* Miscellaneous other stuff */
 
 	WINBINDD_CHECK_MACHACC,     /* Check machine account pw works */
+	WINBINDD_PING,              /* Just tell me winbind is running */
 
 	/* Placeholder for end of cmd list */
 
@@ -107,6 +108,7 @@ struct winbindd_request {
                 struct {
                         unsigned char chal[8];
                         fstring user;
+                        fstring domain;
                         fstring lm_resp;
                         uint16 lm_resp_len;
                         fstring nt_resp;
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index f168ce9e35..87086586ec 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -53,10 +53,12 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 	}
 
 	/* Parse domain and username */
-
+	
 	if (!parse_domain_user(state->request.data.auth.user, name_domain, 
-                          name_user))
+			       name_user)) {
+		DEBUG(5,("no domain seperator (%s) in username (%s) - failing fauth\n", lp_winbind_separator(), state->request.data.auth.user));
 		return WINBINDD_ERROR;
+	}
 
 	passlen = strlen(state->request.data.auth.pass);
 		
@@ -71,8 +73,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 		
 		SMBNTencrypt((const uchar *)state->request.data.auth.pass, chal, local_nt_response);
 
-		lm_resp = data_blob(local_lm_response, sizeof(local_lm_response));
-		nt_resp = data_blob(local_nt_response, sizeof(local_nt_response));
+		lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
+		nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
 	}
 	
 	/*
@@ -106,8 +108,6 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 						&info3);
         
 done:
-	data_blob_free(&lm_resp);
-	data_blob_free(&nt_resp);
 
 	cli_shutdown(cli);
 
@@ -115,13 +115,12 @@ done:
 	
 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
 }
-
+	
 /* Challenge Response Authentication Protocol */
 
 enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) 
 {
 	NTSTATUS result;
-	fstring name_domain, name_user;
 	unsigned char trust_passwd[16];
 	time_t last_change_time;
         NET_USER_INFO_3 info3;
@@ -132,23 +131,16 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 
 	extern pstring global_myname;
 
-	DEBUG(3, ("[%5d]: pam auth crap %s\n", state->pid,
-		  state->request.data.auth_crap.user));
+	DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid,
+		  state->request.data.auth_crap.user, state->request.data.auth_crap.user));
 
-	if (!(mem_ctx = talloc_init_named("winbind pam auth for %s", state->request.data.auth.user))) {
+	if (!(mem_ctx = talloc_init_named("winbind pam auth crap for %s", state->request.data.auth.user))) {
 		DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
 		return WINBINDD_ERROR;
 	}
 
-	/* Parse domain and username */
-	if (!parse_domain_user(state->request.data.auth_crap.user, name_domain, 
-			       name_user))
-		return WINBINDD_ERROR;
-	
-	
-	
-	lm_resp = data_blob(state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
-	nt_resp = data_blob(state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
+	lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
+	nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
 	
 	/*
 	 * Get the machine account password for our primary domain
@@ -171,7 +163,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
         }
 
 	result = cli_netlogon_sam_network_logon(cli, mem_ctx,
-						name_user, name_domain, 
+						state->request.data.auth_crap.user, state->request.data.auth_crap.domain, 
 						global_myname, state->request.data.auth_crap.chal, 
 						lm_resp, nt_resp, 
 						&info3);
diff --git a/source3/nsswitch/winbindd_proto.h b/source3/nsswitch/winbindd_proto.h
index ac72768ea4..bedd5a0352 100644
--- a/source3/nsswitch/winbindd_proto.h
+++ b/source3/nsswitch/winbindd_proto.h
@@ -68,6 +68,8 @@ void winbindd_idmap_status(void);
 enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *state);
 enum winbindd_result winbindd_list_trusted_domains(struct winbindd_cli_state
 						   *state);
+enum winbindd_result winbindd_ping(struct winbindd_cli_state
+						   *state);
 
 /* The following definitions come from nsswitch/winbindd_pam.c  */