sync'ing up for 3.0alpha20 release

(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)

13 files changed, 183 insertions, 130 deletions

diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 29ceca4e79..f95caefb4c 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -11,11 +11,6 @@
 
 #include "pam_winbind.h"
 
-/* prototypes from common.c */
-void init_request(struct winbindd_request *req,int rq_type);
-int write_sock(void *buffer, int count);
-int read_reply(struct winbindd_response *response);
-
 /* data tokens */
 
 #define MAX_PASSWD_TRIES	3
@@ -99,24 +94,30 @@ static int _make_remark(pam_handle_t * pamh, int type, const char *text)
 	return retval;
 }
 
-static int winbind_request(enum winbindd_cmd req_type,
-                           struct winbindd_request *request,
-                           struct winbindd_response *response)
+static int pam_winbind_request(enum winbindd_cmd req_type,
+			       struct winbindd_request *request,
+			       struct winbindd_response *response)
 {
+
 	/* Fill in request and send down pipe */
 	init_request(request, req_type);
 	
 	if (write_sock(request, sizeof(*request)) == -1) {
 		_pam_log(LOG_ERR, "write to socket failed!");
+		close_sock();
 		return PAM_SERVICE_ERR;
 	}
 	
 	/* Wait for reply */
 	if (read_reply(response) == -1) {
 		_pam_log(LOG_ERR, "read from socket failed!");
+		close_sock();
 		return PAM_SERVICE_ERR;
 	}
 
+	/* We are done with the socket - close it and avoid mischeif */
+	close_sock();
+
 	/* Copy reply data from socket */
 	if (response->result != WINBINDD_OK) {
 		if (response->data.auth.pam_error != PAM_SUCCESS) {
@@ -148,7 +149,7 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl)
 	strncpy(request.data.auth.pass, pass, 
                 sizeof(request.data.auth.pass)-1);
 	
-        retval = winbind_request(WINBINDD_PAM_AUTH, &request, &response);
+        retval = pam_winbind_request(WINBINDD_PAM_AUTH, &request, &response);
 
 	switch (retval) {
 	case PAM_AUTH_ERR:
@@ -217,7 +218,7 @@ static int winbind_chauthtok_request(const char *user, const char *oldpass,
             request.data.chauthtok.newpass[0] = '\0';
         }
 	
-        return winbind_request(WINBINDD_PAM_CHAUTHTOK, &request, &response);
+        return pam_winbind_request(WINBINDD_PAM_CHAUTHTOK, &request, &response);
 }
 
 /*
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h
index 9897249e16..fae635d806 100644
--- a/source3/nsswitch/pam_winbind.h
+++ b/source3/nsswitch/pam_winbind.h
@@ -90,5 +90,4 @@ do {                             \
 #define on(x, y) (x & y)
 #define off(x, y) (!(x & y))
 
-#include "winbind_nss_config.h"
-#include "winbindd_nss.h"
+#include "winbind_client.h"
diff --git a/source3/nsswitch/wb_common.c b/source3/nsswitch/wb_common.c
index 9bc9faafb5..51792f63fe 100644
--- a/source3/nsswitch/wb_common.c
+++ b/source3/nsswitch/wb_common.c
@@ -5,6 +5,8 @@
 
    Copyright (C) Tim Potter 2000
    Copyright (C) Andrew Tridgell 2000
+   Copyright (C) Andrew Bartlett 2002
+   
    
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Library General Public
@@ -75,7 +77,7 @@ void init_response(struct winbindd_response *response)
 
 /* Close established socket */
 
-static void close_sock(void)
+void close_sock(void)
 {
 	if (winbindd_fd != -1) {
 		close(winbindd_fd);
@@ -83,14 +85,75 @@ static void close_sock(void)
 	}
 }
 
+/* Make sure socket handle isn't stdin, stdout or stderr */
+#define RECURSION_LIMIT 3
+
+static int make_nonstd_fd_internals(int fd, int limit /* Recursion limiter */) 
+{
+	int new_fd;
+	if (fd >= 0 && fd <= 2) {
+#ifdef F_DUPFD 
+		if ((new_fd = fcntl(fd, F_DUPFD, 3)) == -1) {
+			return -1;
+		}
+		/* Parinoia */
+		if (new_fd < 3) {
+			close(new_fd);
+			return -1;
+		}
+		close(fd);
+		return new_fd;
+#else
+		if (limit <= 0)
+			return -1;
+		
+		new_fd = dup(fd);
+		if (new_fd == -1) 
+			return -1;
+
+		/* use the program stack to hold our list of FDs to close */
+		new_fd = make_nonstd_fd_internals(new_fd, limit - 1);
+		close(fd);
+		return new_fd;
+#endif
+	}
+	return fd;
+}
+
+static int make_safe_fd(int fd) 
+{
+	int result, flags;
+	int new_fd = make_nonstd_fd_internals(fd, RECURSION_LIMIT);
+	if (new_fd == -1) {
+		close(fd);
+		return -1;
+	}
+	/* Socket should be closed on exec() */
+	
+#ifdef FD_CLOEXEC
+	result = flags = fcntl(new_fd, F_GETFD, 0);
+	if (flags >= 0) {
+		flags |= FD_CLOEXEC;
+		result = fcntl( new_fd, F_SETFD, flags );
+	}
+	if (result < 0) {
+		close(new_fd);
+		return -1;
+	}
+#endif
+	return new_fd;
+}
+
 /* Connect to winbindd socket */
 
 int winbind_open_pipe_sock(void)
 {
+#ifdef HAVE_UNIXSOCKET
 	struct sockaddr_un sunaddr;
 	static pid_t our_pid;
 	struct stat st;
 	pstring path;
+	int fd;
 	
 	if (our_pid != getpid()) {
 		close_sock();
@@ -144,9 +207,13 @@ int winbind_open_pipe_sock(void)
 	
 	/* Connect to socket */
 	
-	if ((winbindd_fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
+	if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
 		return -1;
 	}
+
+	if ((winbindd_fd = make_safe_fd( fd)) == -1) {
+		return winbindd_fd;
+	}
 	
 	if (connect(winbindd_fd, (struct sockaddr *)&sunaddr, 
 		    sizeof(sunaddr)) == -1) {
@@ -155,6 +222,9 @@ int winbind_open_pipe_sock(void)
 	}
         
 	return winbindd_fd;
+#else
+	return -1;
+#endif /* HAVE_UNIXSOCKET */
 }
 
 /* Write data to winbindd socket */
@@ -366,8 +436,8 @@ NSS_STATUS winbindd_get_response(struct winbindd_response *response)
 /* Handle simple types of requests */
 
 NSS_STATUS winbindd_request(int req_type, 
-				 struct winbindd_request *request,
-				 struct winbindd_response *response)
+			    struct winbindd_request *request,
+			    struct winbindd_response *response)
 {
 	NSS_STATUS status;
 
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 4d36acc51b..875df231dc 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -28,11 +28,7 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
-/* Prototypes from common.h */
-
-NSS_STATUS winbindd_request(int req_type, 
-			    struct winbindd_request *request,
-			    struct winbindd_response *response);
+extern int winbindd_fd;
 
 static char winbind_separator(void)
 {
@@ -450,9 +446,10 @@ static BOOL wbinfo_auth(char *username)
         d_printf("plaintext password authentication %s\n", 
                (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
 
-	d_printf("error code was %s (0x%x)\n", 
-		 response.data.auth.nt_status_string, 
-		 response.data.auth.nt_status);
+	if (response.data.auth.nt_status)
+		d_printf("error code was %s (0x%x)\n", 
+			 response.data.auth.nt_status_string, 
+			 response.data.auth.nt_status);
 
         return result == NSS_STATUS_SUCCESS;
 }
@@ -504,9 +501,10 @@ static BOOL wbinfo_auth_crap(char *username)
         d_printf("challenge/response password authentication %s\n", 
                (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
 
-	d_printf("error code was %s (0x%x)\n", 
-	       response.data.auth.nt_status_string, 
-	       response.data.auth.nt_status);
+	if (response.data.auth.nt_status)
+		d_printf("error code was %s (0x%x)\n", 
+			 response.data.auth.nt_status_string, 
+			 response.data.auth.nt_status);
 
         return result == NSS_STATUS_SUCCESS;
 }
@@ -608,43 +606,17 @@ static BOOL wbinfo_set_auth_user(char *username)
 static BOOL wbinfo_ping(void)
 {
         NSS_STATUS result;
-	
+
 	result = winbindd_request(WINBINDD_PING, NULL, NULL);
 
 	/* Display response */
 
-        d_printf("'ping' to winbindd %s\n", 
-               (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
+        d_printf("'ping' to winbindd %s on fd %d\n", 
+               (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed", winbindd_fd);
 
         return result == NSS_STATUS_SUCCESS;
 }
 
-/* Print program usage */
-
-static void usage(void)
-{
-	d_printf("Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm "
-               "| -[aA] user%%password\n");
-	d_printf("\t-u\t\t\tlists all domain users\n");
-	d_printf("\t-g\t\t\tlists all domain groups\n");
-	d_printf("\t-n name\t\t\tconverts name to sid\n");
-	d_printf("\t-s sid\t\t\tconverts sid to name\n");
-	d_printf("\t-N name\t\t\tconverts NetBIOS name to IP (WINS)\n");
-	d_printf("\t-I name\t\t\tconverts IP address to NetBIOS name (WINS)\n");
-	d_printf("\t-U uid\t\t\tconverts uid to sid\n");
-	d_printf("\t-G gid\t\t\tconverts gid to sid\n");
-	d_printf("\t-S sid\t\t\tconverts sid to uid\n");
-	d_printf("\t-Y sid\t\t\tconverts sid to gid\n");
-	d_printf("\t-t\t\t\tcheck shared secret\n");
-	d_printf("\t-m\t\t\tlist trusted domains\n");
-	d_printf("\t-r user\t\t\tget user groups\n");
-	d_printf("\t-a user%%password\tauthenticate user\n");
- 	d_printf("\t-A user%%password\tstore user and password used by winbindd (root only)\n");
-	d_printf("\t-p\t\t\t'ping' winbindd to see if it is alive\n");
-	d_printf("\t--sequence\t\tshow sequence numbers of all domains\n");
-	d_printf("\t--set-auth-user DOMAIN\\user%%password\tset password for restrict anonymous\n");
-}
-
 /* Main program */
 
 enum {
@@ -664,28 +636,28 @@ int main(int argc, char **argv)
 	int result = 1;
 
 	struct poptOption long_options[] = {
+		POPT_AUTOHELP
 
 		/* longName, shortName, argInfo, argPtr, value, descrip, 
 		   argDesc */
 
-		{ "help", 'h', POPT_ARG_NONE, 0, 'h' },
-		{ "domain-users", 'u', POPT_ARG_NONE, 0, 'u' },
-		{ "domain-groups", 'g', POPT_ARG_NONE, 0, 'g' },
-		{ "WINS-by-name", 'N', POPT_ARG_STRING, &string_arg, 'N' },
-		{ "WINS-by-ip", 'I', POPT_ARG_STRING, &string_arg, 'I' },
-		{ "name-to-sid", 'n', POPT_ARG_STRING, &string_arg, 'n' },
-		{ "sid-to-name", 's', POPT_ARG_STRING, &string_arg, 's' },
-		{ "uid-to-sid", 'U', POPT_ARG_INT, &int_arg, 'U' },
-		{ "gid-to-sid", 'G', POPT_ARG_INT, &int_arg, 'G' },
-		{ "sid-to-uid", 'S', POPT_ARG_STRING, &string_arg, 'S' },
-		{ "sid-to-gid", 'Y', POPT_ARG_STRING, &string_arg, 'Y' },
-		{ "check-secret", 't', POPT_ARG_NONE, 0, 't' },
-		{ "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm' },
-		{ "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE },
-		{ "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r' },
- 		{ "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a' },
-		{ "set-auth-user", 'A', POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER },
-		{ "ping", 'p', POPT_ARG_NONE, 0, 'p' },
+		{ "domain-users", 'u', POPT_ARG_NONE, 0, 'u', "Lists all domain users"},
+		{ "domain-groups", 'g', POPT_ARG_NONE, 0, 'g', "Lists all domain groups" },
+		{ "WINS-by-name", 'N', POPT_ARG_STRING, &string_arg, 'N', "Converts NetBIOS name to IP (WINS)" },
+		{ "WINS-by-ip", 'I', POPT_ARG_STRING, &string_arg, 'I', "Converts IP address to NetBIOS name (WINS)" },
+		{ "name-to-sid", 'n', POPT_ARG_STRING, &string_arg, 'n', "Converts name to sid" },
+		{ "sid-to-name", 's', POPT_ARG_STRING, &string_arg, 's', "Converts sid to name" },
+		{ "uid-to-sid", 'U', POPT_ARG_INT, &int_arg, 'U', "Converts uid to sid" },
+		{ "gid-to-sid", 'G', POPT_ARG_INT, &int_arg, 'G', "Converts gid to sid" },
+		{ "sid-to-uid", 'S', POPT_ARG_STRING, &string_arg, 'S', "Converts sid to uid" },
+		{ "sid-to-gid", 'Y', POPT_ARG_STRING, &string_arg, 'Y', "Converts sid to gid" },
+		{ "check-secret", 't', POPT_ARG_NONE, 0, 't', "Check shared secret" },
+		{ "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm', "List trusted domains" },
+		{ "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE, "show sequence numbers of all domains" },
+		{ "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r', "Get user groups" },
+ 		{ "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a', "authenticate user", "user%password" },
+		{ "set-auth-user", 'A', POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER, "Store user and password used by winbindd (root only)", "user%password" },
+		{ "ping", 'p', POPT_ARG_NONE, 0, 'p', "'ping' winbindd to see if it is alive" },
 		{ 0, 0, 0, 0 }
 	};
 
@@ -708,17 +680,17 @@ int main(int argc, char **argv)
 
 	load_interfaces();
 
+	/* Parse options */
+
+	pc = poptGetContext("wbinfo", argc, (const char **)argv, long_options, 0);
+
 	/* Parse command line options */
 
 	if (argc == 1) {
-		usage();
+		poptPrintHelp(pc, stderr, 0);
 		return 1;
 	}
 
-	/* Parse options */
-
-	pc = poptGetContext("wbinfo", argc, (const char **)argv, long_options, 0);
-
 	while((opt = poptGetNextOpt(pc)) != -1) {
 		if (got_command) {
 			d_fprintf(stderr, "No more than one command may be specified at once.\n");
@@ -734,10 +706,6 @@ int main(int argc, char **argv)
 
 	while((opt = poptGetNextOpt(pc)) != -1) {
 		switch (opt) {
-		case 'h':
-			usage();
-			result = 0;
-			goto done;
 		case 'u':
 			if (!print_domain_users()) {
 				d_printf("Error looking up domain users\n");
@@ -859,7 +827,7 @@ int main(int argc, char **argv)
 			break;
 		default:
 			d_fprintf(stderr, "Invalid option\n");
-			usage();
+			poptPrintHelp(pc, stderr, 0);
 			goto done;
 		}
 	}
diff --git a/source3/nsswitch/winbind_nss.c b/source3/nsswitch/winbind_nss.c
index 594b5fbadb..0b4c0ce1d0 100644
--- a/source3/nsswitch/winbind_nss.c
+++ b/source3/nsswitch/winbind_nss.c
@@ -21,8 +21,7 @@
    Boston, MA  02111-1307, USA.   
 */
 
-#include "winbind_nss_config.h"
-#include "winbindd_nss.h"
+#include "winbind_client.h"
 
 #ifdef HAVE_NS_API_H
 #undef VOLATILE
@@ -37,17 +36,6 @@
 
 extern int winbindd_fd;
 
-void init_request(struct winbindd_request *req,int rq_type);
-NSS_STATUS winbindd_send_request(int req_type,
-				 struct winbindd_request *request);
-NSS_STATUS winbindd_get_response(struct winbindd_response *response);
-NSS_STATUS winbindd_request(int req_type, 
-				 struct winbindd_request *request,
-				 struct winbindd_response *response);
-int winbind_open_pipe_sock(void);
-int write_sock(void *buffer, int count);
-int read_reply(struct winbindd_response *response);
-void free_response(struct winbindd_response *response);
 
 #ifdef HAVE_NS_API_H
 /* IRIX version */
diff --git a/source3/nsswitch/winbind_nss_config.h b/source3/nsswitch/winbind_nss_config.h
index b9c738211e..d9a9b8aaae 100644
--- a/source3/nsswitch/winbind_nss_config.h
+++ b/source3/nsswitch/winbind_nss_config.h
@@ -38,6 +38,10 @@
 #include <unistd.h>
 #endif
 
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
 #endif
@@ -58,6 +62,14 @@
 #include <string.h>
 #endif
 
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#else
+#ifdef HAVE_SYS_FCNTL_H
+#include <sys/fcntl.h>
+#endif
+#endif
+
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <errno.h>
diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c
index 256c0203c0..bb4a1b78ec 100644
--- a/source3/nsswitch/winbindd.c
+++ b/source3/nsswitch/winbindd.c
@@ -628,8 +628,8 @@ static void process_loop(int accept_sock)
 
 					if (state->read_buf_len >= sizeof(uint32)
 					    && *(uint32 *) &state->request != sizeof(state->request)) {
-						DEBUG(0,("process_loop: Invalid request size (%d) send, should be (%d)\n",
-								*(uint32 *) &state->request, sizeof(state->request)));
+						DEBUG(0,("process_loop: Invalid request size from pid %d: %d bytes sent, should be %d\n",
+								state->request.pid, *(uint32 *) &state->request, sizeof(state->request)));
 
 						remove_client(state);
 						break;
@@ -858,6 +858,7 @@ static void usage(void)
 		pidfile_create("winbindd");
 	}
 
+
 #if HAVE_SETPGID
 	/*
 	 * If we're interactive we want to set our own process group for
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index b0b70178a4..4f91ed0f20 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -143,7 +143,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
 		/* if we get ECONNREFUSED then it might be a NT4
                    server, fall back to MSRPC */
 		if (status.error_type == ADS_ERROR_SYSTEM &&
-		    status.rc == ECONNREFUSED) {
+		    status.err.rc == ECONNREFUSED) {
 			DEBUG(1,("Trying MSRPC methods\n"));
 			domain->methods = &msrpc_methods;
 		}
@@ -170,9 +170,9 @@ static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *si
 static enum SID_NAME_USE ads_atype_map(uint32 atype)
 {
 	switch (atype & 0xF0000000) {
-	case ATYPE_GROUP:
+	case ATYPE_GLOBAL_GROUP:
 		return SID_NAME_DOM_GRP;
-	case ATYPE_USER:
+	case ATYPE_ACCOUNT:
 		return SID_NAME_USER;
 	default:
 		DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
@@ -339,7 +339,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
 
 		if (!ads_pull_uint32(ads, msg, "sAMAccountType", 
 				     &account_type) ||
-		    !(account_type & ATYPE_GROUP)) continue;
+		    !(account_type & ATYPE_GLOBAL_GROUP)) continue;
 
 		name = pull_username(ads, mem_ctx, msg);
 		gecos = ads_pull_string(ads, mem_ctx, msg, "name");
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index 2dec9f0558..01f5569889 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -109,7 +109,7 @@ static BOOL cm_ads_find_dc(const char *domain, struct in_addr *dc_ip, fstring sr
 	}
 
 	/* we don't need to bind, just connect */
-	ads->auth.no_bind = 1;
+	ads->auth.flags |= ADS_AUTH_NO_BIND;
 
 	DEBUG(4,("cm_ads_find_dc: domain=%s\n", domain));
 
@@ -145,11 +145,16 @@ static BOOL cm_rpc_find_dc(const char *domain, struct in_addr *dc_ip, fstring sr
 
 	/* Lookup domain controller name. Try the real PDC first to avoid
 	   SAM sync delays */
-	if (!get_dc_list(True, domain, &ip_list, &count)) {
-		if (!get_dc_list(False, domain, &ip_list, &count)) {
-			DEBUG(3, ("Could not look up dc's for domain %s\n", domain));
-			return False;
-		}
+	if (get_dc_list(True, domain, &ip_list, &count) &&
+	    name_status_find(domain, 0x1c, 0x20, ip_list[0], srv_name)) {
+		*dc_ip = ip_list[0];
+		SAFE_FREE(ip_list);
+		return True;
+	}
+
+	if (!get_dc_list(False, domain, &ip_list, &count)) {
+		DEBUG(3, ("Could not look up dc's for domain %s\n", domain));
+		return False;
 	}
 
 	/* Pick a nice close server */
@@ -377,16 +382,6 @@ static NTSTATUS cm_open_connection(const char *domain,const char *pipe_name,
 	fstrcpy(new_conn->domain, domain);
 	fstrcpy(new_conn->pipe_name, pipe_name);
 	
-	/* Look for a domain controller for this domain.  Negative results
-	   are cached so don't bother applying the caching for this
-	   function just yet.  */
-
-	if (!cm_get_dc_name(domain, new_conn->controller, &dc_ip)) {
-		result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
-		add_failed_connection_entry(new_conn, result);
-		return result;
-	}
-		
 	/* Return false if we have tried to look up this domain and netbios
 	   name before and failed. */
 
@@ -418,6 +413,16 @@ static NTSTATUS cm_open_connection(const char *domain,const char *pipe_name,
 		return result;
 	}
 
+	/* Look for a domain controller for this domain.  Negative results
+	   are cached so don't bother applying the caching for this
+	   function just yet.  */
+
+	if (!cm_get_dc_name(domain, new_conn->controller, &dc_ip)) {
+		result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+		add_failed_connection_entry(new_conn, result);
+		return result;
+	}
+		
 	/* Initialise SMB connection */
 
 	cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
@@ -859,6 +864,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
 {
 	NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
 	struct winbindd_cm_conn *conn;
+	uint32 neg_flags = 0x000001ff;
 
 	if (!cli) {
 		return NT_STATUS_INVALID_PARAMETER;
@@ -870,8 +876,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
 		return result;
 	}
 	
-	result = cli_nt_setup_creds(conn->cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ?
-					SEC_CHAN_WKSTA : SEC_CHAN_BDC, trust_passwd);
+	result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd, &neg_flags, 2);
 
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(0, ("error connecting to domain password server: %s\n",
@@ -884,8 +889,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
 			}
 			
 			/* Try again */
-			result = cli_nt_setup_creds(conn->cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ?
-							SEC_CHAN_WKSTA : SEC_CHAN_BDC, trust_passwd);
+			result = cli_nt_setup_creds( conn->cli, get_sec_chan(),trust_passwd, &neg_flags, 2);
 		}
 		
 		if (!NT_STATUS_IS_OK(result)) {
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 9eea94e7c0..368bf10cea 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -127,6 +127,9 @@ struct winbindd_request {
 		uid_t uid;           /* getpwuid, uid_to_sid */
 		gid_t gid;           /* getgrgid, gid_to_sid */
 		struct {
+			/* We deliberatedly don't split into domain/user to
+                           avoid having the client know what the separator
+                           character is. */	
 			fstring user;
 			fstring pass;
 		} auth;              /* pam_winbind auth module */
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index a8b508a49c..3e7a8ad971 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -147,7 +147,7 @@ done:
 	fstrcpy(state->response.data.auth.error_string, nt_errstr(result));
 	state->response.data.auth.pam_error = nt_status_to_pam(result);
 
-	DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authenticaion for user %s returned %s (PAM: %d)\n", 
+	DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n", 
 	      state->request.data.auth.user, 
 	      state->response.data.auth.nt_status_string,
 	      state->response.data.auth.pam_error));	      
@@ -183,7 +183,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 	/* Ensure null termination */
 	state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]='\0';
 
-	if (!(mem_ctx = talloc_init_named("winbind pam auth crap for (utf8) %s", state->request.data.auth.user))) {
+	if (!(mem_ctx = talloc_init_named("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) {
 		DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
 		result = NT_STATUS_NO_MEMORY;
 		goto done;
@@ -292,7 +292,7 @@ done:
 	state->response.data.auth.pam_error = nt_status_to_pam(result);
 
 	DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, 
-	      ("NTLM CRAP authenticaion for user [%s]\\[%s] returned %s (PAM: %d)\n", 
+	      ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n", 
 	       domain,
 	       user,
 	       state->response.data.auth.nt_status_string,
diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c
index 5ec34f663d..047280e21e 100644
--- a/source3/nsswitch/winbindd_rpc.c
+++ b/source3/nsswitch/winbindd_rpc.c
@@ -315,6 +315,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 	cli_samr_close(hnd->cli, mem_ctx, &user_pol);
 	got_user_pol = False;
 
+	user_info->user_rid = user_rid;
 	user_info->group_rid = ctr->info.id21->group_rid;
 	user_info->acct_name = unistr2_tdup(mem_ctx, 
 					    &ctr->info.id21->uni_user_name);
@@ -419,7 +420,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
         uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
         BOOL got_dom_pol = False, got_group_pol = False;
 
-	DEBUG(3,("rpc: lookup_groupmem rid=%u\n", group_rid));
+	DEBUG(10,("rpc: lookup_groupmem %s rid=%u\n", domain->name, group_rid));
 
 	*num_names = 0;
 
@@ -523,7 +524,7 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
 	BOOL got_dom_pol = False;
 	uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
 
-	DEBUG(3,("rpc: sequence_number\n"));
+	DEBUG(10,("rpc: fetch sequence_number for %s\n", domain->name));
 
 	*seq = DOM_SEQUENCE_NONE;
 
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index daa3abb340..2016c27881 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -83,10 +83,16 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
 	/* We can't call domain_list() as this function is called from
 	   init_domain_list() and we'll get stuck in a loop. */
 	for (domain = _domain_list; domain; domain = domain->next) {
-		if (strcmp(domain_name, domain->name) == 0 ||
-		    strcmp(domain_name, domain->alt_name) == 0) {
+		if (strcasecmp(domain_name, domain->name) == 0 ||
+		    strcasecmp(domain_name, domain->alt_name) == 0) {
 			return domain;
 		}
+		if (alt_name && *alt_name) {
+			if (strcasecmp(alt_name, domain->name) == 0 ||
+			    strcasecmp(alt_name, domain->alt_name) == 0) {
+				return domain;
+			}
+		}
 	}
         
 	/* Create new domain entry */