* rename samstrict auth method to sam

* rename original sam auth method to sam_ignoredomain
* remove samstrict_dc auth method (now covered by 'sam')
* fix wbinfo -a '...' and getent passwd bugs when running
  winbindd on a samba PDC (reported by Volker)
(This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)

3 files changed, 94 insertions, 79 deletions

diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index 265297ca08..70c8de6ee9 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -5,6 +5,7 @@
 
    Copyright (C) Tim Potter 2000
    Copyright (C) Jeremy Allison 2001.
+   Copyright (C) Gerald (Jerry) Carter 2003.
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -216,9 +217,7 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
 	/* don't handle our own domain if we are a DC.  This code handles cases where
 	   the account doesn't exist anywhere and gets passed on down the NSS layer */
 
-	if ( ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role()==ROLE_DOMAIN_BDC)) &&
-		strequal(name_domain, lp_workgroup()) ) 
-	{
+	if ( IS_DC_FOR_DOMAIN(domain->name) ) {
 		DEBUG(7,("winbindd_getgrnam: rejecting getpwnam() for %s\\%s since I am on the PDC for this domain\n", 
 			name_domain, name_group));
 		return WINBINDD_ERROR;
@@ -370,6 +369,12 @@ enum winbindd_result winbindd_setgrent(struct winbindd_cli_state *state)
 	for (domain = domain_list(); domain != NULL; domain = domain->next) {
 		struct getent_state *domain_state;
 		
+		
+		/* don't add our domaina if we are a PDC */
+		
+		if ( IS_DC_FOR_DOMAIN(domain->name) )
+			continue;
+						
 		/* Create a state record for this domain */
 		
 		if ((domain_state = (struct getent_state *)
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index a3b0849721..3099944301 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -1,4 +1,4 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
 
    Winbind daemon - pam auth funcions
@@ -53,7 +53,61 @@ static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
-/* Return a password structure from a username.  */
+/*******************************************************************
+ wrapper around retreiving the trsut account password 
+*******************************************************************/
+
+static BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16],
+                          time_t *pass_last_set_time, uint32 *channel)
+{
+	DOM_SID sid;
+	char *pwd;
+
+	if ( lp_server_role()==ROLE_DOMAIN_MEMBER || strequal(domain, lp_workgroup()) ) 
+	{
+		/*
+		 * Get the machine account password for the domain to contact.
+		 * This is either our own domain for a workstation, or possibly
+		 * any domain for a PDC with trusted domains.
+		 */
+
+		if ( !secrets_fetch_trust_account_password (domain, ret_pwd,
+			pass_last_set_time, channel) ) 
+		{
+			DEBUG(0, ("get_trust_pw: could not fetch trust account "
+				  "password for my domain %s\n", domain));
+			return False;
+		}
+		
+		return True;
+	}
+	else if ( lp_allow_trusted_domains() ) 
+	{
+		/* if we are not a domain member, then we must be a DC and 
+		   this must be a trusted domain */
+
+		if ( !secrets_fetch_trusted_domain_password(domain, &pwd, &sid, 
+			pass_last_set_time) ) 
+		{
+			DEBUG(0, ("get_trust_pw: could not fetch trust account "
+				  "password for trusted domain %s\n", domain));
+			return False;
+		}
+		
+		*channel = SEC_CHAN_DOMAIN;
+		E_md4hash(pwd, ret_pwd);
+		SAFE_FREE(pwd);
+
+		return True;
+	}
+	
+	/* Failure */
+	return False;
+}
+
+/**********************************************************************
+ Authenticate a user with a clear test password
+**********************************************************************/
 
 enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) 
 {
@@ -70,6 +124,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 	DATA_BLOB nt_resp;
 	DOM_CRED ret_creds;
 	int attempts = 0;
+	unsigned char local_lm_response[24];
+	unsigned char local_nt_response[24];
 
 	/* Ensure null termination */
 	state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
@@ -95,38 +151,29 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 		goto done;
 	}
 
-	{
-		unsigned char local_lm_response[24];
-		unsigned char local_nt_response[24];
-		
-		generate_random_buffer(chal, 8, False);
-		SMBencrypt(state->request.data.auth.pass, chal, local_lm_response);
+	/* do password magic */
+	
+	generate_random_buffer(chal, 8, False);
+	SMBencrypt(state->request.data.auth.pass, chal, local_lm_response);
 		
-		SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response);
+	SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response);
 
-		lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
-		nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
-	}
+	lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
+	nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
 	
-	/*
-	 * Get the machine account password for our primary domain
-	 */
-
-	if (!secrets_fetch_trust_account_password(
-                lp_workgroup(), trust_passwd, &last_change_time,
-		&sec_channel_type)) {
-		DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
-                          "password for domain %s\n", lp_workgroup()));
+	if ( !get_trust_pw(name_domain, trust_passwd, &last_change_time, &sec_channel_type) ) {
 		result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 		goto done;
 	}
 
+	/* check authentication loop */
+
 	do {
 		ZERO_STRUCT(info3);
 		ZERO_STRUCT(ret_creds);
 	
 		/* Don't shut this down - it belongs to the connection cache code */
-		result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, 
+		result = cm_get_netlogon_cli(name_domain, trust_passwd, 
 					     sec_channel_type, False, &cli);
 
 		if (!NT_STATUS_IS_OK(result)) {
@@ -173,8 +220,10 @@ done:
 	
 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
 }
-	
-/* Challenge Response Authentication Protocol */
+
+/**********************************************************************
+ Challenge Response Authentication Protocol 
+**********************************************************************/
 
 enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) 
 {
@@ -187,7 +236,6 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 	TALLOC_CTX *mem_ctx = NULL;
 	char *user = NULL;
 	const char *domain = NULL;
-	const char *contact_domain;
 	const char *workstation;
 	DOM_CRED ret_creds;
 	int attempts = 0;
@@ -235,52 +283,10 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 
 	DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid,
 		  domain, user));
-		  
-	/* check our role as a domain member first */
-	if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
-		if ( !lp_allow_trusted_domains() && !strequal(domain, lp_workgroup()) ) {
-			DEBUG(5,("winbindd_pam_auth_crap: failing autghentication becuase of disallowed trust domains\n"));
-			result = NT_STATUS_LOGON_FAILURE;
-			goto done;
-		}
-		
-		contact_domain = domain;
-
-		/*
-		 * Get the machine account password for the domain to contact.
-		 * This is either our own domain for a workstation, or possibly
-		 * any domain for a PDC with trusted domains.
-		 */
-
-		if (!secrets_fetch_trust_account_password (contact_domain,
-							   trust_passwd,
-							   &last_change_time,
-							   &sec_channel_type)) {
-			DEBUG(0, ("winbindd_pam_auth_crap: could not fetch trust account "
-				  "password for domain %s\n", contact_domain));
-			result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-			goto done;
-		}
-	}
-	else if ( lp_allow_trusted_domains() ) {
-		/* if we are not a domain member, then we must be a DC.  Must never 
-		   see a logon for our domain */
-		DOM_SID sid;
-		char *pwd;
-		contact_domain = domain;
-
-		if (!secrets_fetch_trusted_domain_password (contact_domain,
-							    &pwd, &sid,
-							    &last_change_time)) {
-			DEBUG(0, ("winbindd_pam_auth_crap: could not fetch trust account "
-				  "password for domain %s\n", contact_domain));
-			result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-			goto done;
-		}
-		sec_channel_type = SEC_CHAN_DOMAIN;
-		E_md4hash(pwd, trust_passwd);
-		SAFE_FREE(pwd);
-
+	   
+	if ( !get_trust_pw(domain, trust_passwd, &last_change_time, &sec_channel_type) ) {
+		result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		goto done;
 	}
 
 	if (*state->request.data.auth_crap.workstation) {
@@ -310,8 +316,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 		ZERO_STRUCT(ret_creds);
 
 		/* Don't shut this down - it belongs to the connection cache code */
-		result = cm_get_netlogon_cli(contact_domain, trust_passwd,
-					     sec_channel_type, False, &cli);
+		result = cm_get_netlogon_cli(domain, trust_passwd, sec_channel_type, False, &cli);
 
 		if (!NT_STATUS_IS_OK(result)) {
 			DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c
index 518f335f27..9d9360a6fa 100644
--- a/source3/nsswitch/winbindd_user.c
+++ b/source3/nsswitch/winbindd_user.c
@@ -5,6 +5,7 @@
 
    Copyright (C) Tim Potter 2000
    Copyright (C) Jeremy Allison 2001.
+   Copyright (C) Gerald (Jerry) Carter 2003.
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -118,9 +119,7 @@ enum winbindd_result winbindd_getpwnam(struct winbindd_cli_state *state)
 	/* don't handle our own domain if we are a DC.  This code handles cases where
 	   the account doesn't exist anywhere and gets passed on down the NSS layer */
 
-	if ( ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role()==ROLE_DOMAIN_BDC)) &&
-		strequal(name_domain, lp_workgroup()) ) 
-	{
+	if ( IS_DC_FOR_DOMAIN(domain->name) ) {
 		DEBUG(7,("winbindd_getpwnam: rejecting getpwnam() for %s\\%s since I am on the PDC for this domain\n", 
 			name_domain, name_user));
 		return WINBINDD_ERROR;
@@ -296,6 +295,12 @@ enum winbindd_result winbindd_setpwent(struct winbindd_cli_state *state)
 	for(domain = domain_list(); domain != NULL; domain = domain->next) {
 		struct getent_state *domain_state;
                 
+		
+		/* don't add our domaina if we are a PDC */
+		
+		if ( IS_DC_FOR_DOMAIN( domain->name ) )
+			continue; 
+						
 		/* Create a state record for this domain */
                 
 		if ((domain_state = (struct getent_state *)