From 88c72fceb1c86752c52651bdea5b116806dd92c5 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sat, 15 Jun 2013 23:01:44 +1000
Subject: s4-winbind: Add special case for BUILTIN domain

This should mean that lookups for the BUILTIN domain cause less trouble
then they have in the past, because they will no longer go via the
trusted domain handler.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 20 15:30:00 CEST 2013 on sn-devel-104
---
 source4/winbind/wb_dom_info.c    |  5 +++--
 source4/winbind/wb_init_domain.c | 38 ++++++++++++++++++++------------------
 source4/winbind/wb_sid2domain.c  | 14 ++++++++++++++
 3 files changed, 37 insertions(+), 20 deletions(-)

(limited to 'source4/winbind')

diff --git a/source4/winbind/wb_dom_info.c b/source4/winbind/wb_dom_info.c
index e2b5defa52..8c08c73a8f 100644
--- a/source4/winbind/wb_dom_info.c
+++ b/source4/winbind/wb_dom_info.c
@@ -67,9 +67,10 @@ struct composite_context *wb_get_dom_info_send(TALLOC_CTX *mem_ctx,
 	state->info->sid = dom_sid_dup(state->info, sid);
 	if (state->info->sid == NULL) goto failed;
 
-	if ((lpcfg_server_role(service->task->lp_ctx) != ROLE_DOMAIN_MEMBER) &&
+	if (dom_sid_equal(sid, &global_sid_Builtin) || 
+	    ((lpcfg_server_role(service->task->lp_ctx) != ROLE_DOMAIN_MEMBER) &&
 	    dom_sid_equal(sid, service->primary_sid) &&
-	    service->sec_channel_type != SEC_CHAN_RODC) {
+	     service->sec_channel_type != SEC_CHAN_RODC)) {
 		struct interface *ifaces = NULL;
 
 		load_interface_list(state, service->task->lp_ctx, &ifaces);
diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index 70dbaa9ce8..db5eb1d3b6 100644
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
@@ -369,24 +369,26 @@ static void init_domain_recv_queryinfo(struct tevent_req *subreq)
 	state->ctx->status = state->queryinfo.out.result;
 	if (!composite_is_ok(state->ctx)) return;
 
-	dominfo = &(*state->queryinfo.out.info)->account_domain;
-
-	if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
-		DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
-			  state->domain->info->name,
-			  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
-			  dominfo->name.string));
-		composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
-		return;
-	}
-
-	if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
-		DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
-			  dom_sid_string(state, state->domain->info->sid),
-			  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
-			  dom_sid_string(state, dominfo->sid)));
-		composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
-		return;
+	if (!dom_sid_equal(state->domain->info->sid, &global_sid_Builtin)) {
+		dominfo = &(*state->queryinfo.out.info)->account_domain;
+		
+		if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
+			DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
+				  state->domain->info->name,
+				  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
+				  dominfo->name.string));
+			composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
+			return;
+		}
+		
+		if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
+			DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
+				  dom_sid_string(state, state->domain->info->sid),
+				  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
+				  dom_sid_string(state, dominfo->sid)));
+			composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
+			return;
+		}
 	}
 
 	state->domain->samr_binding = init_domain_binding(state, &ndr_table_samr);
diff --git a/source4/winbind/wb_sid2domain.c b/source4/winbind/wb_sid2domain.c
index 637fe1d8af..172a6d0a09 100644
--- a/source4/winbind/wb_sid2domain.c
+++ b/source4/winbind/wb_sid2domain.c
@@ -98,6 +98,20 @@ static struct tevent_req *_wb_sid2domain_send(TALLOC_CTX *mem_ctx,
 		return req;
 	}
 
+	if (dom_sid_equal(&global_sid_Builtin, sid) ||
+	    dom_sid_in_domain(&global_sid_Builtin, sid)) {
+		ctx = wb_get_dom_info_send(state, service,
+					   "BUILTIN", NULL,
+					   &global_sid_Builtin);
+		if (tevent_req_nomem(ctx, req)) {
+			return tevent_req_post(req, ev);
+		}
+		ctx->async.fn = wb_sid2domain_recv_dom_info;
+		ctx->async.private_data = req;
+
+		return req;
+	}
+
 	ctx = wb_cmd_lookupsid_send(state, service, &state->sid);
 	if (tevent_req_nomem(ctx, req)) {
 		return tevent_req_post(req, ev);
-- 
cgit