This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS

domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.

The routines used for this behaviour have been upgraded to modern Samba
codeing standards.

This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.

This is in line with existing behaviour for native mode domains, and for
our primary domain.

As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values.  These changes move more routines to ADS_STATUS to return
kerberos errors.

Also found when valgrinding the setup, fix a few memory leaks.

While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.

Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)

1 files changed, 48 insertions, 40 deletions

diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
index 3b1f5478c6a..eaf3109381e 100644
--- a/source3/rpc_client/cli_lsarpc.c
+++ b/source3/rpc_client/cli_lsarpc.c
@@ -443,7 +443,7 @@ NTSTATUS cli_lsa_lookup_names(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 
 NTSTATUS cli_lsa_query_info_policy(struct cli_state *cli, TALLOC_CTX *mem_ctx,
                                    POLICY_HND *pol, uint16 info_class, 
-                                   fstring domain_name, DOM_SID *domain_sid)
+                                   char **domain_name, DOM_SID **domain_sid)
 {
 	prs_struct qbuf, rbuf;
 	LSA_Q_QUERY_INFO q;
@@ -481,39 +481,40 @@ NTSTATUS cli_lsa_query_info_policy(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 
 	/* Return output parameters */
 
-	ZERO_STRUCTP(domain_sid);
-	domain_name[0] = '\0';
-
 	switch (info_class) {
 
 	case 3:
-		if (r.dom.id3.buffer_dom_name != 0) {
-			unistr2_to_ascii(domain_name,
-					 &r.dom.id3.
-					 uni_domain_name,
-					 sizeof (fstring) - 1);
+		if (domain_name && (r.dom.id3.buffer_dom_name != 0)) {
+			*domain_name = unistr2_tdup(mem_ctx, 
+						   &r.dom.id3.
+						   uni_domain_name);
 		}
 
-		if (r.dom.id3.buffer_dom_sid != 0) {
-			*domain_sid = r.dom.id3.dom_sid.sid;
+		if (domain_sid && (r.dom.id3.buffer_dom_sid != 0)) {
+			*domain_sid = talloc(mem_ctx, sizeof(**domain_sid));
+			if (*domain_sid) {
+				sid_copy(*domain_sid, &r.dom.id3.dom_sid.sid);
+			}
 		}
 
 		break;
 
 	case 5:
 		
-		if (r.dom.id5.buffer_dom_name != 0) {
-			unistr2_to_ascii(domain_name, &r.dom.id5.
-					 uni_domain_name,
-					 sizeof (fstring) - 1);
+		if (domain_name && (r.dom.id5.buffer_dom_name != 0)) {
+			*domain_name = unistr2_tdup(mem_ctx, 
+						   &r.dom.id5.
+						   uni_domain_name);
 		}
 			
-		if (r.dom.id5.buffer_dom_sid != 0) {
-			*domain_sid = r.dom.id5.dom_sid.sid;
+		if (domain_sid && (r.dom.id5.buffer_dom_sid != 0)) {
+			*domain_sid = talloc(mem_ctx, sizeof(**domain_sid));
+			if (*domain_sid) {
+				sid_copy(*domain_sid, &r.dom.id5.dom_sid.sid);
+			}
 		}
-
 		break;
-		
+			
 	default:
 		DEBUG(3, ("unknown info class %d\n", info_class));
 		break;		      
@@ -536,9 +537,9 @@ NTSTATUS cli_lsa_query_info_policy(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 
 NTSTATUS cli_lsa_query_info_policy2(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 				    POLICY_HND *pol, uint16 info_class, 
-				    fstring domain_name, fstring dns_name,
-				    fstring forest_name, GUID *domain_guid,
-				    DOM_SID *domain_sid)
+				    char **domain_name, char **dns_name,
+				    char **forest_name, GUID **domain_guid,
+				    DOM_SID **domain_sid)
 {
 	prs_struct qbuf, rbuf;
 	LSA_Q_QUERY_INFO2 q;
@@ -579,30 +580,37 @@ NTSTATUS cli_lsa_query_info_policy2(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 
 	/* Return output parameters */
 
-	ZERO_STRUCTP(domain_sid);
 	ZERO_STRUCTP(domain_guid);
-	domain_name[0] = '\0';
 
-	if (r.info.dns_dom_info.hdr_nb_dom_name.buffer) {
-		unistr2_to_ascii(domain_name,
-				 &r.info.dns_dom_info.uni_nb_dom_name,
-				 sizeof(fstring) - 1);
+	if (domain_name && r.info.dns_dom_info.hdr_nb_dom_name.buffer) {
+		*domain_name = unistr2_tdup(mem_ctx, 
+					    &r.info.dns_dom_info
+					    .uni_nb_dom_name);
 	}
-	if (r.info.dns_dom_info.hdr_dns_dom_name.buffer) {
-		unistr2_to_ascii(dns_name,
-				 &r.info.dns_dom_info.uni_dns_dom_name,
-				 sizeof(fstring) - 1);
+	if (dns_name && r.info.dns_dom_info.hdr_dns_dom_name.buffer) {
+		*dns_name = unistr2_tdup(mem_ctx, 
+					 &r.info.dns_dom_info
+					 .uni_dns_dom_name);
 	}
-	if (r.info.dns_dom_info.hdr_forest_name.buffer) {
-		unistr2_to_ascii(forest_name,
-				 &r.info.dns_dom_info.uni_forest_name,
-				 sizeof(fstring) - 1);
+	if (forest_name && r.info.dns_dom_info.hdr_forest_name.buffer) {
+		*forest_name = unistr2_tdup(mem_ctx, 
+					    &r.info.dns_dom_info
+					    .uni_forest_name);
 	}
 	
-	memcpy(domain_guid, &r.info.dns_dom_info.dom_guid, sizeof(GUID));
-
-	if (r.info.dns_dom_info.ptr_dom_sid != 0) {
-		*domain_sid = r.info.dns_dom_info.dom_sid.sid;
+	if (domain_guid) {
+		*domain_guid = talloc(mem_ctx, sizeof(**domain_guid));
+		memcpy(*domain_guid, 
+		       &r.info.dns_dom_info.dom_guid, 
+		       sizeof(GUID));
+	}
+
+	if (domain_sid && r.info.dns_dom_info.ptr_dom_sid != 0) {
+		*domain_sid = talloc(mem_ctx, sizeof(**domain_sid));
+		if (*domain_sid) {
+			sid_copy(*domain_sid, 
+				 &r.info.dns_dom_info.dom_sid.sid);
+		}
 	}
 	
  done: