authorAndrew Tridgell <tridge@samba.org>2001-12-19 09:53:30 +0000
committerAndrew Tridgell <tridge@samba.org>2001-12-19 09:53:30 +0000
commit9126a40e2c33e0eb4cd57ab381634e08fa59e7a7 (patch)
tree3e3d6b90df016a7bf98225d49269977e88f1cb0f /source3/smbd
parenta062e58d9e47f95ac7c66668b3cfe1f72386f6e0 (diff)
added trusted realm support to ADS authentication
the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/sesssetup.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 4c26bda4db..60c9cd30e5 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -107,14 +107,18 @@ static int reply_spnego_kerberos(connection_struct *conn,
*p = 0;
if (strcasecmp(p+1, ads->realm) != 0) {
- DEBUG(3,("Ticket for incorrect realm %s\n", p+1));
- ads_destroy(&ads);
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ DEBUG(3,("Ticket for foreign realm %s@%s\n", client, p+1));
+ if (!lp_allow_trusted_domains()) {
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+ /* this gives a fully qualified user name (ie. with full realm).
+ that leads to very long usernames, but what else can we do? */
+ asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client);
+ } else {
+ user = strdup(client);
}
ads_destroy(&ads);
- user = client;
-
/* the password is good - let them in */
pw = smb_getpwnam(user,False);
if (!pw) {
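Review bot: The new early return under `if (!lp_allow_trusted_domains())` leaves out the `ads_destroy(&ads)` that the removed rejection path called, so every refused foreign-realm ticket leaks the `ads` structure. The results of `asprintf()` and `strdup()` are also unchecked, so on allocation failure `user` reaches `smb_getpwnam(user,False)` as NULL or, after a failed `asprintf()`, with unspecified contents. The second hunk frees `user` only after `register_vuid()`; the `if (!pw)` body lies outside the hunk, so any return between the allocation and that `free(user)` presumably needs one as well. reply_spnego_kerberos starts and ends outside the hunk.

```c
		if (!lp_allow_trusted_domains()) {
			ads_destroy(&ads);
			return ERROR_NT(NT_STATUS_LOGON_FAILURE);
		}
		/* … unchanged: comment on fully qualified user names … */
		if (asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client) == -1) {
			user = NULL;
		}
	/* … unchanged: else branch with strdup(client) … */
	ads_destroy(&ads);
	if (!user) {
		return ERROR_NT(NT_STATUS_NO_MEMORY);
	}
```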
@@ -129,6 +133,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
sess_vuid = register_vuid(server_info, user);
+ free(user);
free_server_info(&server_info);
if (sess_vuid == -1) {