From 7544b0c77382e300da0e2daf2b325527a23e6ddc Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Fri, 5 Sep 2003 17:57:45 +0000
Subject: fixes for ads domain membership when only the realm is defined in smb.conf
Fixes to ensure we work with disable netbios = yes
(This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
---
source3/nsswitch/winbindd_ads.c | 6 ++++--
source3/nsswitch/winbindd_cm.c | 12 +++++++++++
source3/nsswitch/winbindd_misc.c | 16 +++++++++++++--
source3/nsswitch/winbindd_util.c | 35 ++++++++++++++++++++++----------
source3/utils/net_ads.c | 43 ++++++++++++++++++++++++++++++++++++++--
5 files changed, 95 insertions(+), 17 deletions(-)
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 41dffc3ab6..7c360bf156 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -945,6 +945,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
 struct cli_state *cli = NULL;
 /* i think we only need our forest and downlevel trusted domains */
 uint32 flags = DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND;
+ char *contact_domain_name;
 DEBUG(3,("ads: trusted_domains\n"));
@@ -953,9 +954,10 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
 *names = NULL;
 *dom_sids = NULL;
- if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(domain->name, PI_NETLOGON, &cli)) ) {
+ contact_domain_name = *domain->alt_name ? domain->alt_name : domain->name;
+ if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(contact_domain_name, PI_NETLOGON, &cli)) ) {
 DEBUG(5, ("trusted_domains: Could not open a connection to %s for PIPE_NETLOGON (%s)\n",
- domain->name, nt_errstr(result)));
+ contact_domain_name, nt_errstr(result)));
 return NT_STATUS_UNSUCCESSFUL;
 }
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index d3d178df67..8513a46f8f 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
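Review bot: `contact_domain_name` is never written through after the added assignment, so declaring it `const char *contact_domain_name;` in the hunk at line 945 would let the compiler enforce that; the assignment from the `alt_name`/`name` arrays works unchanged, and if `cm_fresh_connection` takes a non-const pointer the cast belongs at the call, not the declaration. The selection `*domain->alt_name ? domain->alt_name : domain->name` depends on `alt_name` being empty whenever the domain has no realm name (the `ZERO_STRUCTP(domain)` in add_trusted_domain in the winbindd_util.c hunk suggests that holds for fresh entries), which deserves a one-line comment such as `/* prefer the DNS/realm name; fall back to the NetBIOS name when alt_name is empty */`. trusted_domains continues past both hunks of this file.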
@@ -573,6 +573,7 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
 struct winbindd_cm_conn *conn;
 fstring lock_name;
 BOOL got_mutex;
+ struct winbindd_domain *wb_domain = NULL;
 if (!cli) return NT_STATUS_INVALID_PARAMETER;
@@ -614,6 +615,17 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
 if ( sec_channel_type == SEC_CHAN_DOMAIN ) fstr_sprintf(conn->cli->mach_acct, "%s$", lp_workgroup());
+ /* we need the short form of the domain name for the schanel
+ rpc bind. What if we fail? I don't think we should ever get
+ a request for a domain name not in our list but I'm not bailing
+ out if we do since I'm not 10% certain about this --jerry */
+
+ if ( (wb_domain = find_domain_from_name( domain )) != NULL ) {
+ DEBUG(5,("cm_get_netlogon_cli: Using short for of domain name [%s] for netlogon rpc bind\n",
+ wb_domain->name));
+ fstrcpy( conn->cli->domain, wb_domain->name);
+ }
+
 result = cli_nt_establish_netlogon(conn->cli, sec_channel_type, trust_passwd);
 if (got_mutex)
diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c
index c12fe4517e..88fbb5ee00 100644
--- a/source3/nsswitch/winbindd_misc.c
+++ b/source3/nsswitch/winbindd_misc.c
@@ -35,6 +35,8 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
 int num_retries = 0;
 struct cli_state *cli;
 uint32 sec_channel_type;
+ const char *contact_domain_name = NULL;
+
 DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid));
 /* Get trust account password */
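Review bot: When `find_domain_from_name( domain )` returns NULL the added block silently keeps whatever `conn->cli->domain` already held, so a schannel bind failure further down gives no hint that the short-name substitution was skipped; the comment itself says this case is unexpected, which is exactly when a log line pays off: `else DEBUG(5,("cm_get_netlogon_cli: no domain entry for [%s], leaving conn->cli->domain unchanged\n", domain));`. The comment and the DEBUG text also carry typos that alter their meaning — `schanel` should be `schannel`, `short for of` should be `short form of`, and `10% certain` presumably means `100% certain`. The bind result handling and the rest of cm_get_netlogon_cli are outside the hunk, so whether the NULL case is caught there cannot be confirmed from here.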
@@ -46,11 +48,21 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
 goto done;
 }
+
+ /* use the realm name if appropriate and possible */
+
+ if ( lp_security() == SEC_ADS )
+ contact_domain_name = lp_realm();
+
+ if ( !contact_domain_name || !*contact_domain_name )
+ contact_domain_name = lp_workgroup();
+
 /* This call does a cli_nt_setup_creds() which implicitly checks the trust account password. */
- /* Don't shut this down - it belongs to the connection cache code */
- result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, sec_channel_type, True, &cli);
+
+ result = cm_get_netlogon_cli(contact_domain_name,
+ trust_passwd, sec_channel_type, True, &cli);
 if (!NT_STATUS_IS_OK(result)) {
 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 63e91670e9..25de4eff71 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -81,6 +81,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
 {
 struct winbindd_domain *domain;
 char *contact_name;
+ const char *alternative_name = NULL;
+
+ /* ignore alt_name if we are not in an AD domain */
+
+ if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
+ alternative_name = alt_name;
+ }
 /* We can't call domain_list() as this function is called from init_domain_list() and we'll get stuck in a loop. */
@@ -89,9 +96,9 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
 strcasecmp(domain_name, domain->alt_name) == 0) {
 return domain;
 }
- if (alt_name && *alt_name) {
- if (strcasecmp(alt_name, domain->name) == 0 ||
- strcasecmp(alt_name, domain->alt_name) == 0) {
+ if (alternative_name && *alternative_name) {
+ if (strcasecmp(alternative_name, domain->name) == 0 ||
+ strcasecmp(alternative_name, domain->alt_name) == 0) {
 return domain;
 }
 }
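Review bot: The removed line `/* Don't shut this down - it belongs to the connection cache code */` recorded that `cli` is owned by the connection cache, and the replacement drops that ownership note even though the call into `cm_get_netlogon_cli` is unchanged in that respect; keep it directly above the new `result = cm_get_netlogon_cli(contact_domain_name,` line so a later reader does not add a close of `cli` on the way out. The `done:` label and the remainder of winbindd_check_machine_acct are outside the hunk, so whether `cli` is still left alone there cannot be confirmed from here.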
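Review bot: `alternative_name` is only ever assigned from `alt_name` after the `alt_name && *alt_name` test in the hunk at line 81, so the repeated `alternative_name && *alternative_name` guards in this hunk and in the `strchr_m(domain_name, '.')` branch of the hunk at line 108 can be reduced to `if (alternative_name) {`; keeping both spellings suggests an empty-but-non-NULL value can reach them, which the top of the function rules out. A short comment on the new declaration would make the invariant explicit: `/* NULL unless security = ADS and a non-empty alt_name was supplied */`. add_trusted_domain continues between and beyond these hunks.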
@@ -108,13 +115,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
 ZERO_STRUCTP(domain);
 /* prioritise the short name */
- if (strchr_m(domain_name, '.') && alt_name && *alt_name) {
- fstrcpy(domain->name, alt_name);
+ if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
+ fstrcpy(domain->name, alternative_name);
 fstrcpy(domain->alt_name, domain_name);
 } else {
 fstrcpy(domain->name, domain_name);
- if (alt_name) {
- fstrcpy(domain->alt_name, alt_name);
+ if (alternative_name) {
+ fstrcpy(domain->alt_name, alternative_name);
 }
 }
@@ -261,17 +268,23 @@ BOOL init_domain_list(void)
 /* Add ourselves as the first entry */
- domain = add_trusted_domain( lp_workgroup(), NULL, &cache_methods, NULL);
+ domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL);
+
+ /* get any alternate name for the primary domain */
+
+ cache_methods.alternate_name(domain);
+
+ /* now we have the correct netbios (short) domain name */
+ if ( *domain->name )
+ set_global_myworkgroup( domain->name );
+
 if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
 DEBUG(1, ("Could not fetch sid for our domain %s\n", domain->name));
 return False;
 }
- /* get any alternate name for the primary domain */
- cache_methods.alternate_name(domain);
-
 /* do an initial scan for trusted domains */
 add_trusted_domains(domain);
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 0e909a6087..3b955742d8 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -656,6 +656,8 @@ int net_ads_join(int argc, const char **argv)
 char *ou_str;
 uint32 sec_channel_type = SEC_CHAN_WKSTA;
 uint32 account_type = UF_WORKSTATION_TRUST_ACCOUNT;
+ char *short_domain_name = NULL;
+ TALLOC_CTX *ctx = NULL;
 if (argc > 0) org_unit = argv[0];
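Review bot: `domain` returned by `add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL)` is dereferenced by the added `cache_methods.alternate_name(domain)` and `*domain->name` lines with no NULL check; the old code had the same gap at `secrets_fetch_domain_sid(domain->name, ...)`, but the new lines widen it, and since add_trusted_domain fills a freshly allocated entry (the `ZERO_STRUCTP(domain)` in the hunk at line 108) an allocation failure there presumably yields NULL. Add `if (!domain) { DEBUG(0, ("init_domain_list: could not add primary domain\n")); return False; }` before the `alternate_name` call. `set_global_myworkgroup( domain->name )` now replaces the configured workgroup with the name learned through `alternate_name`, and everything after it — the SID fetch and the trust scan — keys off that value; a comment saying this is intentional and that it only differs from smb.conf when the lookup supplied a short name would spare the next reader a trip through cache_methods. init_domain_list starts before this hunk.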
@@ -720,7 +722,33 @@ int net_ads_join(int argc, const char **argv)
 d_printf("ads_set_machine_password: %s\n", ads_errstr(rc));
 return -1;
 }
-
+
+ /* make sure we get the right workgroup */
+
+ if ( !(ctx = talloc_init("net ads join")) ) {
+ d_printf("talloc_init() failed!\n");
+ return -1;
+ }
+
+ rc = ads_workgroup_name(ads, ctx, &short_domain_name);
+ if ( ADS_ERR_OK(rc) ) {
+ if ( !strequal(lp_workgroup(), short_domain_name) ) {
+ d_printf("The workgroup in smb.conf does not match the short\n");
+ d_printf("domain name obtained from the server.\n");
+ d_printf("Using the name [%s] from the server.\n", short_domain_name);
+ d_printf("You should set \"workgroup = %s\" in smb.conf.\n", short_domain_name);
+ }
+ }
+ else
+ short_domain_name = lp_workgroup();
+
+ d_printf("Using short domain name -- %s\n", short_domain_name);
+
+ /* HACK ALRET! Store the sid and password under bother the lp_workgroup()
+ value from smb.conf and the string returned from the server. The former is
+ neede to bootstrap winbindd's first connection to the DC to get the real
+ short domain name --jerry */
+
 if (!secrets_store_domain_sid(lp_workgroup(), &dom_sid)) {
 DEBUG(1,("Failed to save domain sid\n"));
 return -1;
@@ -731,11 +759,22 @@ int net_ads_join(int argc, const char **argv)
 return -1;
 }
+ if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) {
+ DEBUG(1,("Failed to save domain sid\n"));
+ return -1;
+ }
+
+ if (!secrets_store_machine_password(password, short_domain_name, sec_channel_type)) {
+ DEBUG(1,("Failed to save machine password\n"));
+ return -1;
+ }
+
 d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm);
 SAFE_FREE(password);
 SAFE_FREE(machine_account);
-
+ if ( ctx )
+ talloc_destroy(ctx);
 return 0;
 }
-- cgit
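Review bot: Every `return -1` reached after the added `talloc_init("net ads join")` leaks `ctx`: the `secrets_store_domain_sid(lp_workgroup(), &dom_sid)` failure at the end of this hunk, the failure already present at the top of the hunk at line 731, and the two new store failures added there all return without `talloc_destroy(ctx)`, which only runs on the success path. The usual fix is one exit label — declare `int ret = -1;` with the other locals in the hunk at line 656, keep the plain `return -1` only for the `talloc_init` failure itself, turn the later returns into `goto done;`, and destroy the context once at the label, which also makes the `if ( ctx )` guard in the next hunk unnecessary since `ctx` cannot be NULL past `talloc_init`. The trailing comment has three typos that should be fixed while here: `ALRET`, `bother` and `neede` for `ALERT`, `both` and `needed`.
```c
	/* … unchanged: talloc_init, ads_workgroup_name lookup and mismatch warning … */
	if (!secrets_store_domain_sid(lp_workgroup(), &dom_sid)) {
		DEBUG(1,("Failed to save domain sid\n"));
		goto done;
	}
	/* … unchanged: remaining secrets_store_* calls, each failing with goto done … */
	ret = 0;
done:
	talloc_destroy(ctx);
	return ret;
```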
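Review bot: The two new failure branches reuse `Failed to save domain sid` and `Failed to save machine password` verbatim from the `lp_workgroup()` stores just above them, so a log line cannot say which key failed; include the name, e.g. `DEBUG(1,("Failed to save domain sid for %s\n", short_domain_name));` and the same for the password store. When `ads_workgroup_name` failed, `short_domain_name` is `lp_workgroup()` and the second pair of stores rewrites the entries the first pair just wrote, which is harmless but worth a one-line comment so it is not "fixed" later: `/* may duplicate the lp_workgroup() stores above; intentional, see comment before them */`. net_ads_join's closing brace is inside this hunk, but the early part of the body is not.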