From 9c169e9e42b58e7b6c4b37f57d4649daea7593e5 Mon Sep 17 00:00:00 2001
From: "Gerald W. Carter" <jerry@samba.org>
Date: Thu, 27 Mar 2008 11:56:29 -0500
Subject: Don't fill password policy structure for any domain other than our
 own.

The samr connects will fail.  This is not independent of the CONTACT_TRUSTDOM
flag neede by krb5 logins.
(This used to be commit 4de4949e3bfcfb2169c329f19cb76936d9043d50)
---
 source3/winbindd/winbindd_pam.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 63127cbfcd..3b13a9269a 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1638,12 +1638,24 @@ process_result:
 
 
 		if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
-			result = fillup_password_policy(domain, state);
-
+			struct winbindd_domain *our_domain = find_our_domain();
+			
+			/* This is not entiurely correct I believe, but it is 
+			   consistent.  Only apply the password policy settings
+			   too warn users for our own domain.  Cannot obtain these 
+			   from trusted DCs all the  time so don't do it at all. 
+			   -- jerry */
+
+			result = NT_STATUS_NOT_SUPPORTED;			
+			if (our_domain == domain ) {
+a				result = fillup_password_policy(our_domain, state);
+			}
+			
 			if (!NT_STATUS_IS_OK(result) 
 			    && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ) 
 			{
-				DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
+				DEBUG(10,("Failed to get password policies for domain %s: %s\n", 
+					  domain->name, nt_errstr(result)));
 				goto done;
 			}
 		}
-- 
cgit