Streamline and fix logic of cm_prepare_connection().

Do not attempt to do a session setup when in a trusted domain
situation (this gives STATUS_NOLOGON_TRUSTED_DOMAIN_ACCOUNT).

Use get_trust_pw_clear to get machine trust account.
Only call this when the results is really used.
Use the proper domain and account name for session setup.

Michael
(This used to be commit 18c66a364e0ddc4960769871ca190944f7fe5c44)

1 files changed, 37 insertions, 25 deletions

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index d8040d79ac..00d9092dc3 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -646,8 +646,13 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 				      struct cli_state **cli,
 				      bool *retry)
 {
-	char *machine_password, *machine_krb5_principal, *machine_account;
-	char *ipc_username, *ipc_domain, *ipc_password;
+	char *machine_password = NULL;
+	char *machine_krb5_principal = NULL;
+	char *machine_account = NULL;
+	const char *account_name = NULL;
+	char *ipc_username = NULL;
+	char *ipc_domain = NULL;
+	char *ipc_password = NULL;
 
 	bool got_mutex;
 
@@ -661,21 +666,6 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 	DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
 		controller, domain->name ));
 
-	machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL,
-							  NULL);
-	
-	if (asprintf(&machine_account, "%s$", global_myname()) == -1) {
-		SAFE_FREE(machine_password);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(),
-		     lp_realm()) == -1) {
-		SAFE_FREE(machine_account);
-		SAFE_FREE(machine_password);
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	*retry = True;
 
 	got_mutex = secrets_named_mutex(controller,
@@ -732,10 +722,32 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 		result = NT_STATUS_UNSUCCESSFUL;
 		goto done;
 	}
-			
-	if ((*cli)->protocol >= PROTOCOL_NT1 && (*cli)->capabilities & CAP_EXTENDED_SECURITY) {
+
+	if (!is_trusted_domain_situation(domain->name) &&
+	    (*cli)->protocol >= PROTOCOL_NT1 &&
+	    (*cli)->capabilities & CAP_EXTENDED_SECURITY)
+	{
 		ADS_STATUS ads_status;
 
+		if (!get_trust_pw_clear(domain->name, &machine_password,
+					&account_name, NULL))
+		{
+			result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+			goto done;
+		}
+
+		if (asprintf(&machine_account, "%s$", account_name) == -1) {
+			result = NT_STATUS_NO_MEMORY;
+			goto done;
+		}
+
+		if (asprintf(&machine_krb5_principal, "%s$@%s", account_name,
+			     lp_realm()) == -1)
+		{
+			result = NT_STATUS_NO_MEMORY;
+			goto done;
+		}
+
 		if (lp_security() == SEC_ADS) {
 
 			/* Try a krb5 session */
@@ -750,7 +762,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 			ads_status = cli_session_setup_spnego(*cli,
 							      machine_krb5_principal, 
 							      machine_password, 
-							      lp_workgroup());
+							      domain->name);
 
 			if (!ADS_ERR_OK(ads_status)) {
 				DEBUG(4,("failed kerberos session setup with %s\n",
@@ -760,7 +772,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 			result = ads_ntstatus(ads_status);
 			if (NT_STATUS_IS_OK(result)) {
 				/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
-				cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+				cli_init_creds(*cli, machine_account, domain->name, machine_password);
 				goto session_setup_done;
 			}
 		}
@@ -770,12 +782,12 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
 		DEBUG(5, ("connecting to %s from %s with username "
 			  "[%s]\\[%s]\n",  controller, global_myname(),
-			  lp_workgroup(), machine_account));
+			  domain->name, machine_account));
 
 		ads_status = cli_session_setup_spnego(*cli,
 						      machine_account, 
 						      machine_password, 
-						      lp_workgroup());
+						      domain->name);
 		if (!ADS_ERR_OK(ads_status)) {
 			DEBUG(4, ("authenticated session setup failed with %s\n",
 				ads_errstr(ads_status)));
@@ -784,12 +796,12 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 		result = ads_ntstatus(ads_status);
 		if (NT_STATUS_IS_OK(result)) {
 			/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
-			cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+			cli_init_creds(*cli, machine_account, domain->name, machine_password);
 			goto session_setup_done;
 		}
 	}
 
-	/* Fall back to non-kerberos session setup */
+	/* Fall back to non-kerberos session setup with auth_user */
 
 	(*cli)->use_kerberos = False;