authorGerald Carter <jerry@samba.org>2004-06-03 18:00:22 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:51:53 -0500
commit9dbf2e2419e2ba0f2293b4a7a5971123f34a09ad (patch)
tree7b126d923a8a0ee8b02ab43bf54a43ce3344f051 /source3/nsswitch
parent4e1b26db3490c6063bf0ea05b8ae7e34a96ca8a9 (diff)
r991: Allow winbindd to use the domain trust account password
for setting up an schannel connection. This solves the problem of a Samba DC running winbind, trusting a native mode AD domain, and needing to enumerate AD users via wbinfo -u. (This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/winbindd_cache.c6
-rw-r--r--source3/nsswitch/winbindd_cm.c46
2 files changed, 41 insertions, 11 deletions
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index 877fa2d995..bbd98a620f 100644
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -363,6 +363,12 @@ static void refresh_sequence_number(struct winbindd_domain *domain, BOOL force)
if ( NT_STATUS_IS_OK(status) )
goto done;
+ /* important! make sure that we know if this is a native
+ mode domain or not */
+
+ if ( !domain->initialized )
+ set_dc_type_and_flags( domain );
+
status = domain->backend->sequence_number(domain, &domain->sequence_number);
if (!NT_STATUS_IS_OK(status)) {
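Review bot: The new `set_dc_type_and_flags( domain )` call is unbraced and nothing checks whether it actually determined the DC type before `domain->backend->sequence_number` runs on the next line; the comment says knowing native mode is "important" but not what depends on it. If the probe fails, `domain->initialized` presumably stays false and the backend call proceeds with whatever defaults the struct carries — hedged, since the function's return type is not visible in this hunk. I would brace the body and extend the comment to `/* the sequence_number backend presumably needs the native-mode flag set by set_dc_type_and_flags(); a failed probe leaves domain->initialized false and we fall through with defaults -- TODO confirm */`. refresh_sequence_number() starts before and ends after this hunk.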
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index eda962088d..04f87fc1a2 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -117,21 +117,40 @@ static void cm_get_ipc_userpass(char **username, char **domain, char **password)
/*
setup for schannel on any pipes opened on this connection
*/
-static NTSTATUS setup_schannel(struct cli_state *cli)
+static NTSTATUS setup_schannel( struct cli_state *cli, const char *domain )
{
NTSTATUS ret;
uchar trust_password[16];
uint32 sec_channel_type;
+ DOM_SID sid;
+ time_t lct;
- if (!secrets_fetch_trust_account_password(lp_workgroup(),
- trust_password,
- NULL, &sec_channel_type)) {
- return NT_STATUS_UNSUCCESSFUL;
+ /* use the domain trust password if we're on a DC
+ and this is not our domain */
+
+ if ( IS_DC && !strequal(domain, lp_workgroup()) ) {
+ char *pass = NULL;
+
+ if ( !secrets_fetch_trusted_domain_password( domain,
+ &pass, &sid, &lct) )
+ {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ sec_channel_type = SEC_CHAN_DOMAIN;
+ E_md4hash(pass, trust_password);
+ SAFE_FREE( pass );
+
+ } else {
+ if (!secrets_fetch_trust_account_password(lp_workgroup(),
+ trust_password, NULL, &sec_channel_type))
+ {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
}
ret = cli_nt_setup_netsec(cli, sec_channel_type,
- AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN,
- trust_password);
+ AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN, trust_password);
return ret;
}
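Review bot: On the new DC branch the cleartext trusted-domain password in `pass` is freed by `SAFE_FREE( pass )` without being wiped, and on both branches the derived hash in `trust_password` is left on the stack after `cli_nt_setup_netsec()` returns. Clear both before they go out of scope: `memset(pass, 0, strlen(pass));` ahead of `SAFE_FREE( pass );`, and `memset(trust_password, 0, sizeof(trust_password));` before `return ret;`, using the project's explicit-zero helper if it has one since a plain memset immediately before a free may be optimized away. Separately, `sid` and `lct` are filled by `secrets_fetch_trusted_domain_password()` and then discarded; a one-line comment such as `/* sid and lct are required by the fetch API but unused here */` next to their declarations would make that deliberate rather than look like an oversight.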
@@ -216,7 +235,8 @@ static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const i
/* Initialise SMB connection */
fstrcpy(new_conn->pipe_name, get_pipe_name_from_index(pipe_index));
-/* grab stored passwords */
+ /* grab stored passwords */
+
machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(), lp_realm()) == -1) {
@@ -335,9 +355,13 @@ static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const i
/* try and use schannel if possible, but continue anyway if it
failed. This allows existing setups to continue working,
while solving the win2003 '100 user' limit for systems that
- are joined properly */
- if (NT_STATUS_IS_OK(result) && (domain->primary)) {
- NTSTATUS status = setup_schannel(new_conn->cli);
+ are joined properly.
+
+ Only do this for our own domain or perhaps a trusted domain
+ if we are on a Samba DC */
+
+ if (NT_STATUS_IS_OK(result) && (domain->primary || IS_DC) ) {
+ NTSTATUS status = setup_schannel( new_conn->cli, domain->name );
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3,("schannel refused - continuing without schannel (%s)\n",
nt_errstr(status)));
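Review bot: The widened condition `domain->primary || IS_DC` makes a DC attempt schannel for every domain, including ones for which `setup_schannel()` finds no stored trusted-domain password and returns NT_STATUS_UNSUCCESSFUL; the existing DEBUG(3) line then reports that as "schannel refused", which misdescribes a missing local secret. The comment's "perhaps a trusted domain" is vague about this case, so I would reword it to `Only do this for our own domain, or for any domain when we are a DC -- setup_schannel() then looks up the trusted-domain password and returns NT_STATUS_UNSUCCESSFUL if none is stored`. It is also worth stating in that comment that the connection presumably proceeds without netsec or signing when setup fails, since that fallback now covers trusted domains on a DC as well. cm_open_connection() starts before and ends after this hunk.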