authorGerald Carter <jerry@samba.org>2003-06-30 17:24:59 +0000
committerGerald Carter <jerry@samba.org>2003-06-30 17:24:59 +0000
commit52166faee793d337e045d64f7cb27ea7ac895f60 (patch)
tree9a47caa3e203837537e3db4933334ba79f848007 /source/auth
parent11eccaef1dc61d80a7db8d0fb4bc5a47d71a4390 (diff)
* rename samstrict auth method to sam
* rename original sam auth method to sam_ignoredomain
* remove samstrict_dc auth method (now covered by 'sam')
* fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker)
Diffstat (limited to 'source/auth')
-rw-r--r--source/auth/auth_sam.c85
-rw-r--r--source/auth/auth_util.c4
2 files changed, 31 insertions, 58 deletions
diff --git a/source/auth/auth_sam.c b/source/auth/auth_sam.c
index 161376616b1..1690e4d5e12 100644
--- a/source/auth/auth_sam.c
+++ b/source/auth/auth_sam.c
@@ -4,6 +4,7 @@
Copyright (C) Andrew Tridgell 1992-2000
Copyright (C) Luke Kenneth Casson Leighton 1996-2000
Copyright (C) Andrew Bartlett 2001
+ Copyright (C) Gerald Carter 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -470,14 +471,14 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
}
/* module initialisation */
-static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method)) {
return NT_STATUS_NO_MEMORY;
}
(*auth_method)->auth = check_sam_security;
- (*auth_method)->name = "sam";
+ (*auth_method)->name = "sam_ignoredomain";
return NT_STATUS_OK;
}
@@ -492,83 +493,55 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
const auth_usersupplied_info *user_info,
auth_serversupplied_info **server_info)
{
+ BOOL is_local_name, is_my_domain;
if (!user_info || !auth_context) {
return NT_STATUS_LOGON_FAILURE;
}
- /* If we are a domain member, we must not
- attempt to check the password locally,
- unless it is one of our aliases. */
+ is_local_name = is_myname(user_info->domain.str);
+ is_my_domain = strequal(user_info->domain.str, lp_workgroup());
+
+ /* check whether or not we service this domain/workgroup name */
- if (!is_myname(user_info->domain.str)) {
- DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n",
- user_info->domain.str,user_info->internal_username.str));
- return NT_STATUS_NO_SUCH_USER;
+ switch ( lp_server_role() ) {
+ case ROLE_STANDALONE:
+ case ROLE_DOMAIN_MEMBER:
+ if ( !is_local_name ) {
+ DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
+ user_info->domain.str, (lp_server_role() == ROLE_DOMAIN_MEMBER
+ ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ if ( !is_local_name && !is_my_domain ) {
+ DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
+ user_info->domain.str));
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+ default: /* name is ok */
+ break;
}
return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
}
/* module initialisation */
-static NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method)) {
return NT_STATUS_NO_MEMORY;
}
(*auth_method)->auth = check_samstrict_security;
- (*auth_method)->name = "samstrict";
- return NT_STATUS_OK;
-}
-
-/****************************************************************************
-Check SAM security (above) but with a few extra checks if we're a DC.
-****************************************************************************/
-
-static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
- void *my_private_data,
- TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
-{
-
- if (!user_info || !auth_context) {
- return NT_STATUS_LOGON_FAILURE;
- }
-
- /* If we are a PDC we must not check the password here
- unless it is one of our aliases, empty
- or equal to our domain name. Other names may be
- Trusted domains.
- */
-
- if ((!is_myworkgroup(user_info->domain.str))&&
- (!is_myname(user_info->domain.str))) {
- DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n",
- user_info->domain.str,user_info->internal_username.str));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
-}
-
-/* module initialisation */
-static NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
-
- (*auth_method)->auth = check_samstrict_dc_security;
- (*auth_method)->name = "samstrict_dc";
+ (*auth_method)->name = "sam";
return NT_STATUS_OK;
}
NTSTATUS auth_sam_init(void)
{
- smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict_dc", auth_init_samstrict_dc);
- smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict", auth_init_samstrict);
smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam);
+ smb_register_auth(AUTH_INTERFACE_VERSION, "sam_ignoredomain", auth_init_sam_ignoredomain);
return NT_STATUS_OK;
}
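Review bot: In the new `switch ( lp_server_role() )` in check_samstrict_security, neither the `ROLE_STANDALONE`/`ROLE_DOMAIN_MEMBER` arm nor the `ROLE_DOMAIN_PDC`/`ROLE_DOMAIN_BDC` arm ends with `break;`, so a request that passes the first check runs on into the DC check and then into `default`. As written this is harmless, because `!is_local_name && !is_my_domain` cannot be true once `is_local_name` is set. But this switch is the gate that decides which client-supplied domain names are checked against the local SAM, and a later edit to either arm could silently change the result for standalone and member servers. I would end each arm with an explicit `break;`, or mark the fall-through with `/* fall through */` if it is intended. The rejection status also changes from `NT_STATUS_NO_SUCH_USER` to `NT_STATUS_NOT_IMPLEMENTED`, and a one-line comment saying why (presumably so the next configured auth method can handle the name) would help; the function's signature starts above the hunk.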
diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index 71fdb0050be..1538fc50a1b 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -216,8 +216,8 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
/* do what win2k does. Always map unknown domains to our own
and let the "passdb backend" handle unknown users */
- if ( !is_trusted_domain(domain) )
- domain = lp_workgroup();
+ if ( !is_trusted_domain(domain) )
+ domain = get_global_sam_name();
/* we know that it is a trusted domain (and we are allowing them) or it is our domain */
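Review bot: The comment above the changed `if` still says unknown domains are mapped "to our own", but the new line maps them to `get_global_sam_name()` rather than `lp_workgroup()`, which presumably is not the workgroup on every server role. Since this assignment decides which domain a client-supplied name is authenticated against, I would name the target in the comment, e.g. `/* map unknown (untrusted) domains to our SAM name, see get_global_sam_name(); the passdb backend handles unknown users */`. The added lines also keep an unbraced `if`; bracing it would match the style used in auth_sam.c. make_user_info_map continues outside the hunk.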