author | Andrew Tridgell <tridge@samba.org> | 2001-12-19 08:44:23 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2001-12-19 08:44:23 +0000 |
commit | a062e58d9e47f95ac7c66668b3cfe1f72386f6e0 (patch) | |
tree | f968f822fae231153347045cd7f673359a1a9a6f /source3/nsswitch | |
parent | e7da05b7605b4bf09a641095d1be23001f83a487 (diff) | |
- added initial support for trusted domains in winbindd_ads
- gss error code patch from a.bokovoy@sam-solutions.net
- better sid dumping in ads_dump
- fixed help in wbinfo
(This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
Diffstat (limited to 'source3/nsswitch')
-rw-r--r-- | source3/nsswitch/wbinfo.c | 6 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_ads.c | 57 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_cache.c | 26 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_util.c | 10 |
4 files changed, 81 insertions, 18 deletions
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 82d483611f..9c012eb85d 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -486,7 +486,7 @@ int main(int argc, char **argv)
 struct poptOption long_options[] = {
 /* longName, shortName, argInfo, argPtr, value, descrip, argDesc */
-
+ { "help", 'h', POPT_ARG_NONE, 0, 'h' },
 { "domain-users", 'u', POPT_ARG_NONE, 0, 'u' },
 { "domain-groups", 'g', POPT_ARG_NONE, 0, 'g' },
 { "name-to-sid", 'n', POPT_ARG_STRING, &string_arg, 'n' },
@@ -548,6 +548,9 @@ int main(int argc, char **argv)
 while((opt = poptGetNextOpt(pc)) != -1) {
 switch (opt) {
+ case 'h':
+ usage();
+ exit(0);
 case 'u':
 if (!print_domain_users()) {
 printf("Error looking up domain users\n");
@@ -644,6 +647,7 @@ int main(int argc, char **argv)
 break;
 default:
 fprintf(stderr, "Invalid option\n");
+ usage();
 return 1;
 }
 }
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index e52f448a63..4ce0894ab3 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -24,6 +24,9 @@
 #ifdef HAVE_ADS
+/* the realm of our primary LDAP server */
+static char *primary_realm;
+
 /* a wrapper around ldap_search_s that retries depending on the error code
@@ -33,7 +36,8 @@ int ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope, const char *exp, const char **attrs, void **res) {
- int rc = -1, rc2;
+ int rc = -1;
+ ADS_RETURN_CODE rc2;
 int count = 3;
 if (!ads->ld &&
@@ -59,9 +63,15 @@ int ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
 }
 ads->ld = NULL;
 rc2 = ads_connect(ads);
- if (rc2) {
- DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n", ads_errstr(rc)));
- return rc2;
+ if (rc2.rc) {
+ DEBUG(1,("ads_search_retry: failed to reconnect:\n"));
+ if(rc2.error_type)
+ ads_display_status("", rc2.rc, rc2.minor_status);
+ else
+ DEBUG(1,("LDAP error: %s\n", ads_errstr(rc2.rc)));
+
+ ads_destroy(&ads);
+ return rc2.rc;
 }
 }
 DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(rc)));
@@ -92,8 +102,9 @@ int ads_search_retry_dn(ADS_STRUCT *ads, void **res,
 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
 {
 ADS_STRUCT *ads;
- int rc;
+ ADS_RETURN_CODE rc;
 char *ccache;
+ struct in_addr server_ip;
 if (domain->private) {
 return (ADS_STRUCT *)domain->private;
@@ -104,7 +115,12 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
 SETENV("KRB5CCNAME", ccache, 1);
 unlink(ccache);
- ads = ads_init(NULL, NULL, NULL, NULL);
+ if (!resolve_name(domain->name, &server_ip, 0x1b)) {
+ DEBUG(1,("Can't find PDC for domain %s\n", domain->name));
+ return NULL;
+ }
+
+ ads = ads_init(primary_realm, inet_ntoa(server_ip), NULL, NULL);
 if (!ads) {
 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
 return NULL;
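Review bot: In the reconnect-failure branch of ads_do_search_retry, the added `ads_destroy(&ads);` only clears this function's own copy of the pointer, while the caller keeps the original and ads_cached_connection (the following hunks) keeps returning the same pointer from `domain->private`. If ads_destroy releases the structure, as its name and the `&ads` argument suggest, every later lookup for that domain would operate on freed memory. I would drop `ads_destroy(&ads);` from this branch and leave teardown to the code that owns the cached connection, which can set `domain->private = NULL` at the same moment so the next call reconnects. The function body begins and continues outside this hunk, so the retry loop itself is not visible here.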
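Review bot: The new `resolve_name(domain->name, &server_ip, 0x1b)` in ads_cached_connection chooses the server for the machine-account connection from a name lookup, and neither the magic `0x1b` nor the trust placed in the answer is documented. A comment above the call, for example `/* 0x1b: NetBIOS domain master browser (PDC) name; the returned address is unauthenticated, so ads_connect() must authenticate the server */`, would state the assumption, presuming ads_connect really does authenticate the peer, which these lines do not show. `inet_ntoa()` returns a pointer to a static buffer, so passing it to `ads_init` is only safe if ads_init copies the string; that is worth confirming. The function continues in the next hunk.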
@@ -115,12 +131,22 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
 ads->password = secrets_fetch_machine_password();
 rc = ads_connect(ads);
- if (rc) {
- DEBUG(1,("ads_connect for domain %s failed: %s\n", domain->name, ads_errstr(rc)));
+ if (rc.rc) {
+ DEBUG(1,("ads_connect for domain %s failed:\n", domain->name));
+ if(rc.error_type)
+ ads_display_status("", rc.rc, rc.minor_status);
+ else
+ DEBUG(1,("LDAP error: %s\n", ads_errstr(rc.rc)));
+ ads_destroy(&ads);
 return NULL;
 }
+ /* remember our primary realm for trusted domain support */
+ if (!primary_realm) {
+ primary_realm = strdup(ads->realm);
+ }
+
 domain->private = (void *)ads;
 return ads;
 }
@@ -546,7 +572,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 }
 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group)) {
- DEBUG(1,("No primary group for rid=%d !?\n", user_rid));
+ DEBUG(1,("%s: No primary group for rid=%d !?\n", domain->name, user_rid));
 goto done;
 }
@@ -666,8 +692,19 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
 char ***names,
 DOM_SID **dom_sids)
 {
+ ADS_STRUCT *ads = NULL;
+
 *num_domains = 0;
- return NT_STATUS_NOT_IMPLEMENTED;
+ *names = NULL;
+
+ ads = ads_cached_connection(domain);
+ if (!ads) return NT_STATUS_UNSUCCESSFUL;
+
+ if (!ads_trusted_domains(ads, mem_ctx, num_domains, names, dom_sids)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return NT_STATUS_OK;
 }
 /* find the domain sid for a domain */
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index 32f9f0d69f..847ec9e541 100644
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -462,8 +462,10 @@ do_cached:
 return status;
 do_query:
+ *num_entries = 0;
+ *info = NULL;
+
 if (wcache_server_down(domain)) {
- *num_entries = 0;
 return NT_STATUS_SERVER_DISABLED;
 }
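Review bot: In the trusted_domains hunk, `*num_domains` and the newly added `*names = NULL;` are set before the query, but `*dom_sids` is left untouched, so on both `NT_STATUS_UNSUCCESSFUL` returns the caller's pointer keeps whatever value it had. The winbindd_cache.c hunks in this same commit initialise every output before querying the backend; adding `*dom_sids = NULL;` next to `*names = NULL;` would give this backend the same guarantee. Part of the signature lies outside the hunk, so the remaining parameters are not visible here.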
@@ -533,8 +535,10 @@ do_cached:
 return status;
 do_query:
+ *num_entries = 0;
+ *info = NULL;
+
 if (wcache_server_down(domain)) {
- *num_entries = 0;
 return NT_STATUS_SERVER_DISABLED;
 }
@@ -580,6 +584,8 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
 return status;
 do_query:
+ ZERO_STRUCTP(sid);
+
 if (wcache_server_down(domain)) {
 return NT_STATUS_SERVER_DISABLED;
 }
@@ -619,6 +625,8 @@ static NTSTATUS sid_to_name(struct winbindd_domain *domain,
 return status;
 do_query:
+ *name = NULL;
+
 if (wcache_server_down(domain)) {
 return NT_STATUS_SERVER_DISABLED;
 }
@@ -656,9 +664,12 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 return status;
 do_query:
+ ZERO_STRUCTP(info);
+
 if (wcache_server_down(domain)) {
 return NT_STATUS_SERVER_DISABLED;
 }
+
 status = cache->backend->query_user(domain, mem_ctx, user_rid, info);
 /* and save it */
@@ -701,8 +712,10 @@ do_cached:
 return status;
 do_query:
+ (*num_groups) = 0;
+ (*user_gids) = NULL;
+
 if (wcache_server_down(domain)) {
- (*num_groups) = 0;
 return NT_STATUS_SERVER_DISABLED;
 }
 status = cache->backend->lookup_usergroups(domain, mem_ctx, user_rid, num_groups, user_gids);
@@ -763,8 +776,13 @@ do_cached:
 return status;
 do_query:
+ (*num_names) = 0;
+ (*rid_mem) = NULL;
+ (*names) = NULL;
+ (*name_types) = NULL;
+
+
 if (wcache_server_down(domain)) {
- (*num_names) = 0;
 return NT_STATUS_SERVER_DISABLED;
 }
 status = cache->backend->lookup_groupmem(domain, mem_ctx, group_rid, num_names,
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 608749b39d..f760b635d6 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -98,10 +98,7 @@ static struct winbindd_domain *add_trusted_domain(char *domain_name,
 }
 }
- DEBUG(1, ("adding domain %s\n", domain_name));
-
 /* Create new domain entry */
-
 if ((domain = (struct winbindd_domain *)malloc(sizeof(*domain))) == NULL) return NULL;
@@ -146,6 +143,10 @@ BOOL get_domain_info(void)
 domain->name));
 result = cache_methods.domain_sid(domain, &domain->sid);
 }
+
+ DEBUG(1,("Added domain %s (%s)\n",
+ domain->name,
+ sid_string_static(&domain->sid)));
 DEBUG(1, ("getting trusted domain list\n"));
@@ -160,6 +161,9 @@ BOOL get_domain_info(void)
 if (domain) {
 sid_copy(&domain->sid, &dom_sids[i]);
 }
+ DEBUG(1,("Added domain %s (%s)\n",
+ domain->name,
+ sid_string_static(&domain->sid)));
 }
 } |
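Review bot: In the second get_domain_info hunk (-160), the added `DEBUG(1,("Added domain %s (%s)\n", ...))` sits after the closing brace of `if (domain) { sid_copy(...); }`, so it dereferences `domain->name` and `&domain->sid` on exactly the path that check guards against. The add_trusted_domain hunk in this file shows a `return NULL` when malloc fails, so a failed allocation would crash winbindd while it enumerates trusted domains. Move the three added lines inside the `if (domain)` block. The first added `DEBUG` (hunk at -146) prints `domain->sid` without looking at `result`, so, assuming `result` carries the status of `domain_sid`, it can log a SID that was never filled in. get_domain_info starts and ends outside both hunks.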