Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth.c | 91 | ||||
-rw-r--r-- | source3/auth/auth_builtin.c | 8 | ||||
-rw-r--r-- | source3/auth/auth_domain.c | 17 | ||||
-rw-r--r-- | source3/auth/auth_sam.c | 46 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 43 | ||||
-rw-r--r-- | source3/auth/auth_winbind.c | 16 |
6 files changed, 77 insertions, 144 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 09e8f5e722..71e9ab0428 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -334,52 +334,6 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context) return NT_STATUS_OK; } -BOOL load_auth_module(struct auth_context *auth_context, - const char *module, auth_methods **ret) -{ - static BOOL initialised_static_modules = False; - - struct auth_init_function_entry *entry; - char *module_name = smb_xstrdup(module); - char *module_params = NULL; - char *p; - BOOL good = False; - - /* Initialise static modules if not done so yet */ - if(!initialised_static_modules) { - static_init_auth; - initialised_static_modules = True; - } - - DEBUG(5,("load_auth_module: Attempting to find an auth method to match %s\n", - module)); - - p = strchr(module_name, ':'); - if (p) { - *p = 0; - module_params = p+1; - trim_string(module_params, " ", " "); - } - - trim_string(module_name, " ", " "); - - entry = auth_find_backend_entry(module_name); - - if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) && - !(entry = auth_find_backend_entry(module_name))) { - DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name)); - } else if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) { - DEBUG(0,("load_auth_module: auth method %s did not correctly init\n", - module)); - } else { - DEBUG(5,("load_auth_module: auth method %s has a valid init\n", - module)); - good = True; - } - SAFE_FREE(module_name); - return good; -} - /*************************************************************************** Make a auth_info struct for the auth subsystem ***************************************************************************/ 
@@ -390,6 +344,7 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, auth_methods *t = NULL; auth_methods *tmp; NTSTATUS nt_status; + static BOOL initialised_static_modules = False; if (!text_list) { DEBUG(2,("make_auth_context_text_list: No auth method list!?\n")); @@ -399,10 +354,44 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context))) return nt_status; + /* Initialise static modules if not done so yet */ + if(!initialised_static_modules) { + static_init_auth; + initialised_static_modules = True; + } + for (;*text_list; text_list++) { - if (load_auth_module(*auth_context, *text_list, &t)) { - DLIST_ADD_END(list, t, tmp); - } + struct auth_init_function_entry *entry; + char *module_name = smb_xstrdup(*text_list); + char *module_params = NULL; + char *p; + + DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n", + *text_list)); + + p = strchr(module_name, ':'); + if (p) { + *p = 0; + module_params = p+1; + trim_string(module_params, " ", " "); + } + + trim_string(module_name, " ", " "); + + entry = auth_find_backend_entry(module_name); + + if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) && + !(entry = auth_find_backend_entry(module_name))) { + DEBUG(0,("make_auth_context_text_list: can't find auth method %s!\n", module_name)); + } else if (!NT_STATUS_IS_OK(entry->init(*auth_context, module_params, &t))) { + DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n", + *text_list)); + } else { + DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n", + *text_list)); + DLIST_ADD_END(list, t, tmp); + } + SAFE_FREE(module_name); } (*auth_context)->auth_method_list = list; 
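Review bot: The lookup inlined into the `for (;*text_list; text_list++)` loop of make_auth_context_text_list carries over the dead duplicate from the removed load_auth_module: `entry = auth_find_backend_entry(module_name);` is immediately overwritten by the `if(!(entry = auth_find_backend_entry(module_name)) && …)` on the following line, so the first call can simply be dropped. The loop also keeps the old fail-open behaviour: a method that cannot be found or whose `entry->init` fails is logged at DEBUG level 0 and skipped, and the context is still built from whatever remained, so an unloadable entry (for example the `ntdomain` member of the new default lists) silently shortens the method chain instead of failing authentication setup. Either return NT_STATUS_UNSUCCESSFUL when an explicitly configured method does not load, or record the choice with `/* a method that fails to load is skipped; the chain is built from the rest */` above the loop. The body of make_auth_context_text_list continues outside the hunk.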
@@ -428,7 +417,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) { case SEC_DOMAIN: DEBUG(5,("Making default auth method list for security=domain\n")); - auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL); + auth_method_list = str_list_make("guest sam winbind ntdomain", NULL); break; case SEC_SERVER: DEBUG(5,("Making default auth method list for security=server\n")); @@ -454,7 +443,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) break; case SEC_ADS: DEBUG(5,("Making default auth method list for security=ADS\n")); - auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL); + auth_method_list = str_list_make("guest sam winbind ntdomain", NULL); break; default: DEBUG(5,("Unknown auth method!\n")); diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 5d72898006..509a4afba9 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -50,7 +50,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, /* Guest modules initialisation */ -static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) +NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; @@ -60,7 +60,6 @@ static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *o return NT_STATUS_OK; } -#ifdef DEVELOPER /** * Return an error based on username * 
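Review bot: The default lists in both hunks of make_auth_context_subsystem (`@@ -428` and `@@ -454`) turn `winbind:ntdomain` into two independent chain members `winbind ntdomain`, which is a different contract from the removed fallback: with the parameter form ntdomain was consulted only when winbindd was unavailable (the NSS_STATUS_UNAVAIL branch removed from check_winbind_security in auth_winbind.c), whereas as a separate method it is presumably reached under the chain's normal continuation rules — confirm which winbind results let the chain continue, since a logon rejected by winbind may now be retried against the DC over the trust account. Whatever the intended semantics, the duplicated literal deserves a comment above the SEC_DOMAIN case, e.g. `/* winbind first; ntdomain is a separate chain member, not a winbind-unavailable fallback */`, and holding the string in one `static const char` would keep SEC_DOMAIN and SEC_ADS from drifting apart. The switch begins outside the hunk.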
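Review bot: Dropping `#ifdef DEVELOPER` in auth_builtin.c (with the matching `#endif /* DEVELOPER */` removed at `@@ -161`) compiles the name_to_ntstatus and fixed_challenge test modules into every build, and the `static` removals at `@@ -50`, `@@ -102` and `@@ -151` export their init functions. name_to_ntstatus, per its own doc comment, returns an error chosen by the username, and fixed_challenge — judging by its name and auth_get_fixed_challenge — supplies a predictable challenge, so neither belongs in a production method chain; whether they become selectable depends on what auth_builtin_init registers, which lies outside these hunks, so please confirm the corresponding smb_register_auth calls remain under DEVELOPER or guard those registrations instead of the definitions. If the exports are needed for static_init_auth, the header prototypes should carry a comment such as `/* test-only auth methods; never list on a production server */`.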
@@ -102,7 +101,7 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_ /** Module initialisation function */ -static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; @@ -151,7 +150,7 @@ static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_contex /** Module initailisation function */ -static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) return NT_STATUS_NO_MEMORY; @@ -161,7 +160,6 @@ static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, con (*auth_method)->name = "fixed_challenge"; return NT_STATUS_OK; } -#endif /* DEVELOPER */ int auth_builtin_init(void) { diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index db5f7d82b0..24a5bb562c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -175,11 +175,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); if (!NT_STATUS_IS_OK(result)) { - /* map to something more useful */ - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) { - result = NT_STATUS_NO_LOGON_SERVERS; - } - release_server_mutex(); return result; } 
@@ -277,7 +272,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli, struct in_addr dc_ip; fstring srv_name; - if (!rpc_find_dc(domain, srv_name, &dc_ip)) { + if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) { DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); return NT_STATUS_NO_LOGON_SERVERS; } @@ -352,11 +347,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, "Error was %s.\n", user_info->smb_name.str, user_info->domain.str, cli->srv_name_slash, nt_errstr(nt_status))); - - /* map to something more useful */ - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) { - nt_status = NT_STATUS_NO_LOGON_SERVERS; - } } else { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, domain, server_info, &info3); @@ -405,7 +395,6 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, unsigned char trust_passwd[16]; time_t last_change_time; const char *domain = lp_workgroup(); - uint32 sec_channel_type = 0; if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); @@ -428,7 +417,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * No need to become_root() as secrets_init() is done at startup. */ - if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time, &sec_channel_type)) + if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) { DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain '%s'\n", domain)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; 
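Review bot: The new `rpc_find_dc(lp_workgroup(), srv_name, &dc_ip)` in find_connect_dc no longer uses `domain`, which the removed line passed; if `domain` is the function's parameter (the signature starts outside the hunk) the DC lookup now always targets our own workgroup regardless of the domain the caller asked for, and the parameter becomes dead. Either drop the parameter or keep passing `domain`; if the change is deliberate, say so at the call: `/* always locate a DC of our own workgroup, not of the requested domain */`. The added spaces inside the parentheses also differ from the style of the surrounding lines.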
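Review bot: The `sec_channel_type` removed at `@@ -405` and no longer returned by secrets_fetch_trust_account_password at `@@ -428` is replaced in the domain_client_validate call at `@@ -453,7 +442,7` by the constant `SEC_CHAN_WKSTA`, so the secure channel type is hard-wired rather than taken from the stored trust-account secret. For a host whose machine account is not a workstation account the netlogon session would presumably be set up with the wrong channel type and fail; confirm that check_ntdomain_security is only reached on member workstations and record the assumption at the call, e.g. `/* always a workstation trust account here; DCs do not use this method */`. check_ntdomain_security begins outside these hunks.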
@@ -453,7 +442,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, server_info, - password_server, global_myname(), sec_channel_type,trust_passwd, last_change_time); + password_server, global_myname(), SEC_CHAN_WKSTA, trust_passwd, last_change_time); return nt_status; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index aa399f33e2..1fc8aa51bb 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -500,8 +500,6 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context unless it is one of our aliases. */ if (!is_myname(user_info->domain.str)) { - DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n", - user_info->domain.str,user_info->internal_username.str)); return NT_STATUS_NO_SUCH_USER; } 
@@ -520,52 +518,8 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para return NT_STATUS_OK; } -/**************************************************************************** -Check SAM security (above) but with a few extra checks if we're a DC. -****************************************************************************/ - -static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - - if (!user_info || !auth_context) { - return NT_STATUS_LOGON_FAILURE; - } - - /* If we are a domain member, we must not - attempt to check the password locally, - unless it is one of our aliases, empty - or our domain if we are a logon server.*/ - - - if ((!is_myworkgroup(user_info->domain.str))&& - (!is_myname(user_info->domain.str))) { - DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n", - user_info->domain.str,user_info->internal_username.str)); - return NT_STATUS_NO_SUCH_USER; - } - - return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info); -} - -/* module initialisation */ -NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - - (*auth_method)->auth = check_samstrict_dc_security; - (*auth_method)->name = "samstrict_dc"; - return NT_STATUS_OK; -} - int auth_sam_init(void) { - smb_register_auth("samstrict_dc", auth_init_samstrict_dc, AUTH_INTERFACE_VERSION); smb_register_auth("samstrict", auth_init_samstrict, AUTH_INTERFACE_VERSION); smb_register_auth("sam", auth_init_sam, AUTH_INTERFACE_VERSION); return True; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ddb833a0e5..d0f1fc1e34 100644 --- a/source3/auth/auth_util.c 
+++ b/source3/auth/auth_util.c @@ -219,18 +219,35 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, where it doens't supply a domain for logon script 'net use' commands. - Finally, we do this by looking up a cache of trusted domains! + The way I do it here is by checking if the fully + qualified username exists. This is rather reliant + on winbind, but until we have a better method this + will have to do */ domain = client_domain; - if (is_trusted_domain(domain)) { - return make_user_info(user_info, smb_name, internal_username, - client_domain, domain, wksta_name, - lm_pwd, nt_pwd, plaintext, ntlmssp_flags, - encrypted); - } + if ((smb_name) && (*smb_name)) { /* Don't do this for guests */ + char *user = NULL; + if (asprintf(&user, "%s%s%s", + client_domain, lp_winbind_separator(), + smb_name) < 0) { + DEBUG(0, ("make_user_info_map: asprintf() failed!\n")); + return NT_STATUS_NO_MEMORY; + } + DEBUG(5, ("make_user_info_map: testing for user %s\n", user)); + + if (Get_Pwnam(user) == NULL) { + DEBUG(5, ("make_user_info_map: test for user %s failed\n", user)); + domain = lp_workgroup(); + DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n", + client_domain, domain)); + } else { + DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain)); + } + SAFE_FREE(user); + } } else { domain = lp_workgroup(); } @@ -869,8 +886,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct passwd *passwd; - unid_t u_id, g_id; - int u_type, g_type; + uid_t uid; + gid_t gid; int n_lgroupSIDs; DOM_SID *lgroupSIDs = NULL; 
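Review bot: The domain decision in make_user_info_map now rests on an NSS lookup of a client-supplied name — `Get_Pwnam(user)` with `user` built from client_domain and smb_name — instead of the removed is_trusted_domain() check, and when the lookup fails the logon is silently redirected to lp_workgroup(). As the new comment concedes this depends on winbind, so a transient lookup failure (winbindd down, DC unreachable) changes which domain a set of credentials is verified against, with only DEBUG(5) messages as a trace. The comment above should state that consequence plainly, e.g. `/* existence of DOMAIN\user decides the domain; a failed lookup, including winbind being down, falls back to our own domain */`, and the fallback branch deserves a DEBUG(0) or similar so operators can see when it is taken. The enclosing function starts outside the hunk.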
@@ -907,11 +924,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, domain = domain; } - u_type = ID_USERID; - g_type = ID_GROUPID; - if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid)) - && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid)) - && ((passwd = getpwuid_alloc(u_id.uid)))) { + if (winbind_sid_to_uid(&uid, &user_sid) + && winbind_sid_to_gid(&gid, &group_sid) + && ((passwd = getpwuid_alloc(uid)))) { nt_status = pdb_init_sam_pw(&sam_account, passwd); passwd_free(&passwd); } else { diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index df08b6440a..e2a292dd01 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -103,11 +103,6 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); - if (result == NSS_STATUS_UNAVAIL) { - struct auth_methods *auth_method = my_private_data; - return auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); - } - nt_status = NT_STATUS(response.data.auth.nt_status); if (result == NSS_STATUS_SUCCESS && response.extra_data) { @@ -132,18 +127,11 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, /* module initialisation */ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) { + if (!make_auth_methods(auth_context, auth_method)) + return NT_STATUS_NO_MEMORY; (*auth_method)->name = "winbind"; (*auth_method)->auth = check_winbind_security; - - if (param && *param) { - /* we load the 'fallback' module - if winbind isn't here, call this - module */ - if (!load_auth_module(auth_context, param, &(*auth_method)->private_data)) { - return NT_STATUS_UNSUCCESSFUL; - } - - } return NT_STATUS_OK; } |
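Review bot: The SID-to-id mapping in the new condition goes exclusively through winbind_sid_to_uid()/winbind_sid_to_gid(), where the removed lines used idmap_get_id_from_sid(); when either call fails the else branch outside the hunk is taken, so please confirm that branch distinguishes a winbindd that is not running from a SID that does not map, and note the dependency at the call: `/* SID->id mapping requires winbindd; no local idmap fallback */`. `uid` and `gid` declared at `@@ -869` are left uninitialised, which is safe only because the `&&` chain guarantees winbind_sid_to_uid() succeeded before getpwuid_alloc(uid) reads `uid`; an explicit `= 0` at the declarations would make that independent of the condition's ordering.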
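Review bot: auth_init_winbind now accepts `param` and ignores it: the removed block used a non-empty parameter to load a fallback module, so a configured entry such as the old default `winbind:ntdomain` would after this change set up winbind with no fallback and no diagnostic. Consider rejecting it, or at least logging it, e.g. `if (param && *param) { DEBUG(0, ("auth_init_winbind: parameter '%s' ignored, fallback modules are no longer supported\n", param)); }`. Since the NSS_STATUS_UNAVAIL branch in check_winbind_security (`@@ -103`) is gone as well, the `/* module initialisation */` comment could state that winbind no longer chains a fallback method; the added make_auth_methods() check is the right correction for the previous unallocated `(*auth_method)->name` write.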