fixes for ads domain membership when only the realm is defined in

smb.conf

Fixes to ensure we work with disable netbios = yes
(This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)

4 files changed, 54 insertions, 15 deletions

diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 41dffc3ab6..7c360bf156 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -945,6 +945,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
 	struct cli_state	*cli = NULL;
 				/* i think we only need our forest and downlevel trusted domains */
 	uint32			flags = DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND;
+	char 			*contact_domain_name;
 
 	DEBUG(3,("ads: trusted_domains\n"));
 
@@ -953,9 +954,10 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
 	*names       = NULL;
 	*dom_sids    = NULL;
 		
-	if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(domain->name, PI_NETLOGON, &cli)) ) {
+	contact_domain_name = *domain->alt_name ? domain->alt_name : domain->name;
+	if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(contact_domain_name, PI_NETLOGON, &cli)) ) {
 		DEBUG(5, ("trusted_domains: Could not open a connection to %s for PIPE_NETLOGON (%s)\n", 
-			  domain->name, nt_errstr(result)));
+			  contact_domain_name, nt_errstr(result)));
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 	
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index d3d178df67..8513a46f8f 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -573,6 +573,7 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
 	struct winbindd_cm_conn *conn;
 	fstring lock_name;
 	BOOL got_mutex;
+	struct winbindd_domain *wb_domain = NULL;
 
 	if (!cli)
 		return NT_STATUS_INVALID_PARAMETER;
@@ -614,6 +615,17 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
 	if ( sec_channel_type == SEC_CHAN_DOMAIN )
 		fstr_sprintf(conn->cli->mach_acct, "%s$", lp_workgroup());
 			
+	/* we need the short form of the domain name for the schanel
+	   rpc bind.  What if we fail?  I don't think we should ever get 
+	   a request for a domain name not in our list but I'm not bailing 
+	   out if we do since I'm not 10% certain about this   --jerry */
+	   
+	if ( (wb_domain = find_domain_from_name( domain )) != NULL ) {
+		DEBUG(5,("cm_get_netlogon_cli: Using short for of domain name [%s] for netlogon rpc bind\n",
+			wb_domain->name));
+		fstrcpy( conn->cli->domain, wb_domain->name);
+	}
+	
 	result = cli_nt_establish_netlogon(conn->cli, sec_channel_type, trust_passwd);
 	
 	if (got_mutex)
diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c
index c12fe4517e..88fbb5ee00 100644
--- a/source3/nsswitch/winbindd_misc.c
+++ b/source3/nsswitch/winbindd_misc.c
@@ -35,6 +35,8 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
         int num_retries = 0;
         struct cli_state *cli;
 	uint32 sec_channel_type;
+	const char *contact_domain_name = NULL;
+	
 	DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid));
 
 	/* Get trust account password */
@@ -46,11 +48,21 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
 		goto done;
 	}
 
+
+	/* use the realm name if appropriate and possible */
+	
+	if ( lp_security() == SEC_ADS )
+		contact_domain_name = lp_realm();
+	
+	if ( !contact_domain_name || !*contact_domain_name )
+		contact_domain_name = lp_workgroup();
+		
         /* This call does a cli_nt_setup_creds() which implicitly checks
            the trust account password. */
-
 	/* Don't shut this down - it belongs to the connection cache code */
-        result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, sec_channel_type, True, &cli);
+	
+        result = cm_get_netlogon_cli(contact_domain_name,
+		trust_passwd, sec_channel_type, True, &cli);
 
         if (!NT_STATUS_IS_OK(result)) {
                 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 63e91670e9..25de4eff71 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -81,6 +81,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
 {
 	struct winbindd_domain *domain;
 	char *contact_name;
+	const char *alternative_name = NULL;
+	
+	/* ignore alt_name if we are not in an AD domain */
+	
+	if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
+		alternative_name = alt_name;
+	}
         
 	/* We can't call domain_list() as this function is called from
 	   init_domain_list() and we'll get stuck in a loop. */
@@ -89,9 +96,9 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
 		    strcasecmp(domain_name, domain->alt_name) == 0) {
 			return domain;
 		}
-		if (alt_name && *alt_name) {
-			if (strcasecmp(alt_name, domain->name) == 0 ||
-			    strcasecmp(alt_name, domain->alt_name) == 0) {
+		if (alternative_name && *alternative_name) {
+			if (strcasecmp(alternative_name, domain->name) == 0 ||
+			    strcasecmp(alternative_name, domain->alt_name) == 0) {
 				return domain;
 			}
 		}
@@ -108,13 +115,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
 	ZERO_STRUCTP(domain);
 
 	/* prioritise the short name */
-	if (strchr_m(domain_name, '.') && alt_name && *alt_name) {
-		fstrcpy(domain->name, alt_name);
+	if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
+		fstrcpy(domain->name, alternative_name);
 		fstrcpy(domain->alt_name, domain_name);
 	} else {
 		fstrcpy(domain->name, domain_name);
-		if (alt_name) {
-			fstrcpy(domain->alt_name, alt_name);
+		if (alternative_name) {
+			fstrcpy(domain->alt_name, alternative_name);
 		}
 	}
 
@@ -261,17 +268,23 @@ BOOL init_domain_list(void)
 
 	/* Add ourselves as the first entry */
 	
-	domain = add_trusted_domain( lp_workgroup(), NULL, &cache_methods, NULL);
+	domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL);
+	
+	/* get any alternate name for the primary domain */
+	
+	cache_methods.alternate_name(domain);
+	
+	/* now we have the correct netbios (short) domain name */
 	
+	if ( *domain->name )
+		set_global_myworkgroup( domain->name );
+		
 	if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
 		DEBUG(1, ("Could not fetch sid for our domain %s\n",
 			  domain->name));
 		return False;
 	}
 
-	/* get any alternate name for the primary domain */
-	cache_methods.alternate_name(domain);
-
 	/* do an initial scan for trusted domains */
 	add_trusted_domains(domain);