Winbind merges from HEAD:

 - fix winbindd_pam bugs
 - give a better error message for unauthorized access to auth_crap
 - show this message in wbinfo
 - fix spelling: privilaged -> privileged
   ** This changes the location of the winbindd privileged pipe **
   (thanks to tpot)

Andrew Bartlett
(This used to be commit 92c2a33483cc9ddd1dd627224192a3023f8caff8)

6 files changed, 32 insertions, 17 deletions

diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 4f621e7008..16644cd484 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -447,9 +447,10 @@ static BOOL wbinfo_auth(char *username)
                (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
 
 	if (response.data.auth.nt_status)
-		d_printf("error code was %s (0x%x)\n", 
+		d_printf("error code was %s (0x%x)\nerror messsage was: %s\n", 
 			 response.data.auth.nt_status_string, 
-			 response.data.auth.nt_status);
+			 response.data.auth.nt_status,
+			 response.data.auth.error_string);
 
         return result == NSS_STATUS_SUCCESS;
 }
@@ -502,9 +503,10 @@ static BOOL wbinfo_auth_crap(char *username)
                (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
 
 	if (response.data.auth.nt_status)
-		d_printf("error code was %s (0x%x)\n", 
+		d_printf("error code was %s (0x%x)\nerror messsage was: %s\n", 
 			 response.data.auth.nt_status_string, 
-			 response.data.auth.nt_status);
+			 response.data.auth.nt_status,
+			 response.data.auth.error_string);
 
         return result == NSS_STATUS_SUCCESS;
 }
diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c
index 3b91f2d6af..4b557e2078 100644
--- a/source3/nsswitch/winbindd.c
+++ b/source3/nsswitch/winbindd.c
@@ -312,7 +312,7 @@ static void process_request(struct winbindd_cli_state *state)
 
 /* Process a new connection by adding it to the client connection list */
 
-static void new_connection(int listen_sock, BOOL privilaged)
+static void new_connection(int listen_sock, BOOL privileged)
 {
 	struct sockaddr_un sunaddr;
 	struct winbindd_cli_state *state;
@@ -343,7 +343,7 @@ static void new_connection(int listen_sock, BOOL privilaged)
 
 	state->last_access = time(NULL);	
 
-	state->privilaged = privilaged;
+	state->privileged = privileged;
 
 	/* Add to connection list */
 	
@@ -664,7 +664,7 @@ static void process_loop(void)
 						break;
 					}
 				}
-				/* new, non-privilaged connection */
+				/* new, non-privileged connection */
 				new_connection(listen_sock, False);
 			}
             
@@ -678,7 +678,7 @@ static void process_loop(void)
 						break;
 					}
 				}
-				/* new, privilaged connection */
+				/* new, privileged connection */
 				new_connection(listen_priv_sock, True);
 			}
             
diff --git a/source3/nsswitch/winbindd.h b/source3/nsswitch/winbindd.h
index f6b0e73543..ad0d6fbc3b 100644
--- a/source3/nsswitch/winbindd.h
+++ b/source3/nsswitch/winbindd.h
@@ -42,7 +42,7 @@ struct winbindd_cli_state {
 	BOOL finished;                            /* Can delete from list */
 	BOOL write_extra_data;                    /* Write extra_data field */
 	time_t last_access;                       /* Time of last access (read or write) */
-	BOOL privilaged;                           /* Is the client 'privilaged' */
+	BOOL privileged;                           /* Is the client 'privileged' */
 
 	struct winbindd_request request;          /* Request from client */
 	struct winbindd_response response;        /* Respose to client */
diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c
index 3b44d029c0..52889e85d4 100644
--- a/source3/nsswitch/winbindd_misc.c
+++ b/source3/nsswitch/winbindd_misc.c
@@ -239,7 +239,7 @@ enum winbindd_result winbindd_netbios_name(struct winbindd_cli_state *state)
 enum winbindd_result winbindd_priv_pipe_dir(struct winbindd_cli_state *state)
 {
 
-	DEBUG(3, ("[%5d]: request location of privilaged pipe\n", state->pid));
+	DEBUG(3, ("[%5d]: request location of privileged pipe\n", state->pid));
 	
 	state->response.extra_data = strdup(get_winbind_priv_pipe_dir());
 	if (!state->response.extra_data)
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 88f4a11f87..cc1b144063 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -30,7 +30,7 @@
 
 #define WINBINDD_SOCKET_NAME "pipe"            /* Name of PF_UNIX socket */
 #define WINBINDD_SOCKET_DIR  "/tmp/.winbindd"  /* Name of PF_UNIX dir */
-#define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privilaged" /* name of subdirectory of lp_lockdir() to hold the 'privilaged' pipe */
+#define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lockdir() to hold the 'privileged' pipe */
 #define WINBINDD_DOMAIN_ENV  "WINBINDD_DOMAIN" /* Environment variables */
 #define WINBINDD_DONT_ENV    "_NO_WINBINDD"
 
@@ -105,7 +105,7 @@ enum winbindd_cmd {
 	WINBINDD_NETBIOS_NAME,       /* The netbios name of the server */
 	/* Placeholder for end of cmd list */
 
-	/* find the location of our privilaged pipe */
+	/* find the location of our privileged pipe */
 	WINBINDD_PRIV_PIPE_DIR,
 
 	WINBINDD_NUM_CMDS
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index d408a8b3ae..e49a95f4b8 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -140,7 +140,12 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
         
 	uni_group_cache_store_netlogon(mem_ctx, &info3);
 done:
-
+	
+	/* give us a more useful (more correct?) error code */
+	if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
+		result = NT_STATUS_NO_LOGON_SERVERS;
+	}
+	
 	state->response.data.auth.nt_status = NT_STATUS_V(result);
 	fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
 	fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
@@ -174,8 +179,10 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 
 	DATA_BLOB lm_resp, nt_resp;
 
-	if (!state->privilaged) {
-		DEBUG(2, ("winbindd_pam_auth_crap: non-privilaged access denied!\n"));
+	if (!state->privileged) {
+		DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access denied!\n"));
+		/* send a better message than ACCESS_DENIED */
+		push_utf8_fstring(state->response.data.auth.error_string, "winbind client not authorized to use winbindd_pam_auth_crap");
 		result =  NT_STATUS_ACCESS_DENIED;
 		goto done;
 	}
@@ -282,15 +289,21 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 			memcpy(state->response.data.auth.nt_session_key, info3.user_sess_key, sizeof(state->response.data.auth.nt_session_key) /* 16 */);
 		}
 		if (state->request.data.auth_crap.flags & WINBIND_PAM_LMKEY) {
-			memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.nt_session_key) /* 16 */);
+			memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
 		}
 	}
 
 done:
 
+	/* give us a more useful (more correct?) error code */
+	if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
+		result = NT_STATUS_NO_LOGON_SERVERS;
+	}
+	
 	state->response.data.auth.nt_status = NT_STATUS_V(result);
 	push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
-	push_utf8_fstring(state->response.data.auth.error_string, nt_errstr(result));
+	if (!*state->response.data.auth.error_string) 
+		push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
 	state->response.data.auth.pam_error = nt_status_to_pam(result);
 
 	DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,