This patch does a number of things, mostly smaller than they look :-)

In particuar, it moves the domain_client_validate stuff out of
auth_domain.c to somwhere where they (I hope) they can be shared
with winbind better.  (This may need some work)

The main purpose of this patch was however to improve some of the
internal documentation and to correctly place become_root()/unbecome_root()
calls within the code.

Finally this patch moves some more of auth.c into other files, auth_unix.c
in this case.

Andrew Bartlett
(This used to be commit ea1c547ac880def29f150de2172c95213509350e)

1 files changed, 14 insertions, 1 deletions

diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 558f418d94..4dc08c6086 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -55,6 +55,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 	BOOL result;
 	fstring name_domain, name_user;
 	int passlen;
+	unsigned char trust_passwd[16];
+	time_t last_change_time;
 
 	unsigned char local_lm_response[24];
 	unsigned char local_nt_response[24];
@@ -113,12 +115,23 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 		return WINBINDD_ERROR;
 	}
 	
+	/*
+	 * Get the machine account password for our primary domain
+	 */
+
+	if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time))
+	{
+		DEBUG(0, ("winbindd_pam_auth: could not fetch trust account password for domain %s\n", lp_workgroup()));
+		return WINBINDD_ERROR;
+	}
+
 	/* So domain_client_validate() actually opens a new connection
 	   for each authentication performed.  This can theoretically
 	   be optimised to use an already open IPC$ connection. */
 
 	result = (domain_client_validate(&user_info, &server_info,
-					server_state.controller) == NT_STATUS_NOPROBLEMO);
+					 server_state.controller, trust_passwd,
+					 last_change_time) == NT_STATUS_NOPROBLEMO);
 
 	return result ? WINBINDD_OK : WINBINDD_ERROR;
 }