Diffstat (limited to 'source/nsswitch')
-rw-r--r--source/nsswitch/pam_winbind.c2
-rw-r--r--source/nsswitch/wbinfo.c18
-rw-r--r--source/nsswitch/winbindd_ads.c2
-rw-r--r--source/nsswitch/winbindd_cm.c62
-rw-r--r--source/nsswitch/winbindd_pam.c8
-rw-r--r--source/nsswitch/winbindd_passdb.c43
-rw-r--r--source/nsswitch/winbindd_util.c2
7 files changed, 102 insertions, 35 deletions
diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index 43ac83a99a8..8110a02a685 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -48,7 +48,7 @@ static int _pam_parse(int argc, const char **argv, dictionary **d)
int ctrl = 0;
const char *config_file = NULL;
- if (d == NULL || *d == NULL) {
+ if (d == NULL) {
goto config_from_pam;
}
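Review bot: Dropping the `*d == NULL` test means a caller that passes a non-NULL `d` whose pointee is still NULL now falls through to the config-file path instead of jumping to `config_from_pam`; that is only safe if the code below assigns `*d` before anything dereferences it, and that code is outside this hunk. If the intent is "the caller supplies the slot, we fill it", a one-line comment on the check would prevent the old condition from being reintroduced, e.g. `/* d == NULL: caller wants no dictionary; *d == NULL is fine, it is filled below */`. _pam_parse continues past the end of the hunk.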
diff --git a/source/nsswitch/wbinfo.c b/source/nsswitch/wbinfo.c
index c004b842f4f..69d7a1069f9 100644
--- a/source/nsswitch/wbinfo.c
+++ b/source/nsswitch/wbinfo.c
@@ -332,6 +332,14 @@ static BOOL wbinfo_list_domains(BOOL list_all_domains)
return True;
}
+/* List own domain */
+
+static BOOL wbinfo_list_own_domain(void)
+{
+ d_printf("%s\n", get_winbind_domain());
+
+ return True;
+}
/* show sequence numbers */
static BOOL wbinfo_show_sequence(const char *domain)
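Review bot: wbinfo_list_own_domain returns True unconditionally and passes the result of get_winbind_domain() straight to a `%s` conversion, so if that helper can return NULL (it is not visible here) the call is undefined behavior rather than a reported failure. Taking the value first and failing on NULL keeps the same output on the success path: `const char *own = get_winbind_domain(); if (own == NULL) return False; d_printf("%s\n", own);`. The sibling wbinfo_list_domains above reports failures through its BOOL return, so this would also keep the two consistent.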
@@ -1080,7 +1088,8 @@ enum {
OPT_ALLOCATE_UID,
OPT_ALLOCATE_GID,
OPT_SEPARATOR,
- OPT_LIST_ALL_DOMAINS
+ OPT_LIST_ALL_DOMAINS,
+ OPT_LIST_OWN_DOMAIN
};
int main(int argc, char **argv)
@@ -1116,6 +1125,7 @@ int main(int argc, char **argv)
{ "check-secret", 't', POPT_ARG_NONE, 0, 't', "Check shared secret" },
{ "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm', "List trusted domains" },
{ "all-domains", 0, POPT_ARG_NONE, 0, OPT_LIST_ALL_DOMAINS, "List all domains (trusted and own domain)" },
+ { "own-domain", 0, POPT_ARG_NONE, 0, OPT_LIST_OWN_DOMAIN, "List own domain" },
{ "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE, "Show sequence numbers of all domains" },
{ "domain-info", 'D', POPT_ARG_STRING, &string_arg, 'D', "Show most of the info we have about the domain" },
{ "user-info", 'i', POPT_ARG_STRING, &string_arg, 'i', "Get user info", "USER" },
@@ -1396,6 +1406,12 @@ int main(int argc, char **argv)
if (!wbinfo_list_domains(True)) {
goto done;
}
+ break;
+ case OPT_LIST_OWN_DOMAIN:
+ if (!wbinfo_list_own_domain()) {
+ goto done;
+ }
+ break;
/* generic configuration options */
case OPT_DOMAIN_NAME:
break;
diff --git a/source/nsswitch/winbindd_ads.c b/source/nsswitch/winbindd_ads.c
index 8259fd7cd36..f777b2ae18b 100644
--- a/source/nsswitch/winbindd_ads.c
+++ b/source/nsswitch/winbindd_ads.c
@@ -1042,7 +1042,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
struct ds_domain_trust *domains = NULL;
int count = 0;
int i;
- uint32 flags = DS_DOMAIN_DIRECT_OUTBOUND;
+ uint32 flags = DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND;
struct rpc_pipe_client *cli;
DEBUG(3,("ads: trusted_domains\n"));
diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index c9e970c13cd..b24ed842de3 100644
--- a/source/nsswitch/winbindd_cm.c
+++ b/source/nsswitch/winbindd_cm.c
@@ -177,7 +177,6 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
char *ipc_username, *ipc_domain, *ipc_password;
BOOL got_mutex;
- BOOL add_failed_connection = True;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
@@ -233,6 +232,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
(peeraddr_in->sin_family != PF_INET))
{
DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
+ result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
@@ -246,6 +246,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
if (!cli_session_request(*cli, &calling, &called)) {
DEBUG(8, ("cli_session_request failed for %s\n",
controller));
+ result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
}
@@ -254,10 +255,9 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
if (!cli_negprot(*cli)) {
DEBUG(1, ("cli_negprot failed\n"));
- cli_shutdown(*cli);
+ result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
-
if ((*cli)->protocol >= PROTOCOL_NT1 && (*cli)->capabilities & CAP_EXTENDED_SECURITY) {
ADS_STATUS ads_status;
@@ -371,8 +371,6 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
if (NT_STATUS_IS_OK(result))
result = NT_STATUS_UNSUCCESSFUL;
- cli_shutdown(*cli);
- *cli = NULL;
goto done;
}
@@ -386,7 +384,6 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
}
result = NT_STATUS_OK;
- add_failed_connection = False;
done:
if (got_mutex) {
@@ -400,8 +397,12 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
SAFE_FREE(ipc_domain);
SAFE_FREE(ipc_password);
- if (add_failed_connection) {
+ if (!NT_STATUS_IS_OK(result)) {
add_failed_connection_entry(domain->name, controller, result);
+ if ((*cli) != NULL) {
+ cli_shutdown(*cli);
+ *cli = NULL;
+ }
}
return result;
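Review bot: The cleanup at `done:` now keys solely on `result`, so every `goto done` in cm_prepare_connection must arrive with a non-OK status for `*cli` to be shut down; the explicit `cli_shutdown` calls that used to accompany the failure jumps were removed in the earlier hunks of this function. The assignments added at the peer-address, session-request and negprot failures are harmless but redundant given `result` starts as NT_STATUS_UNSUCCESSFUL, which suggests some helper between them may store into `result` — if one of those helpers can leave NT_STATUS_OK behind and a later check jumps to `done`, the connection is neither shut down nor recorded as failed. A short comment above the label would make the invariant explicit for future edits: `/* Invariant: every failure path leaves result != NT_STATUS_OK so *cli is torn down here */`. The function's body spans several hunks and its signature is outside this one.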
@@ -579,7 +580,7 @@ static BOOL receive_getdc_response(struct in_addr dc_ip,
convert an ip to a name
*******************************************************************/
-static void dcip_to_name( const char *domainname, const char *realm,
+static BOOL dcip_to_name( const char *domainname, const char *realm,
const DOM_SID *sid, struct in_addr ip, fstring name )
{
struct ip_service ip_list;
@@ -595,7 +596,7 @@ static void dcip_to_name( const char *domainname, const char *realm,
for (i=0; i<5; i++) {
if (receive_getdc_response(ip, domainname, name)) {
namecache_store(name, 0x20, 1, &ip_list);
- return;
+ return True;
}
smb_msleep(500);
}
@@ -605,13 +606,9 @@ static void dcip_to_name( const char *domainname, const char *realm,
if ( name_status_find(domainname, 0x1c, 0x20, ip, name) ) {
namecache_store(name, 0x20, 1, &ip_list);
- return;
+ return True;
}
- /* backup in case the netbios stuff fails */
-
- fstrcpy( name, inet_ntoa(ip) );
-
#ifdef WITH_ADS
/* for active directory servers, try to get the ldap server name.
None of these failure should be considered critical for now */
@@ -625,17 +622,18 @@ static void dcip_to_name( const char *domainname, const char *realm,
if ( !ads_try_connect( ads, inet_ntoa(ip) ) ) {
ads_destroy( &ads );
- return;
+ return False;
}
fstrcpy(name, ads->config.ldap_server_name);
namecache_store(name, 0x20, 1, &ip_list);
ads_destroy( &ads );
+ return True;
}
#endif
- return;
+ return False;
}
/*******************************************************************
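Review bot: With the `fstrcpy(name, inet_ntoa(ip))` fallback removed, dcip_to_name no longer guarantees that `name` holds anything on a False return — the `ads_try_connect` failure above and the final `return False` both leave the buffer untouched (or holding whatever an earlier lookup partially wrote), so callers must not read `name` unless True came back. That contract is worth stating in the header comment at the top of the function, which currently just says "convert an ip to a name"; something like `/* Returns True and fills name on success; on False, name is unspecified and must not be used. */`. The WITH_ADS block also means that without ADS support only the NetBIOS paths can succeed, so the False case will be common on some builds.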
@@ -705,6 +703,7 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
int i, fd_index;
+ again:
if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
return False;
@@ -735,15 +734,22 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
*addr = addrs[fd_index];
- /* if we have no name on the server or just an IP address for
- the name, now try to get the name */
-
- if ( is_ipaddress(dcnames[fd_index]) || *dcnames[fd_index] == '\0' )
- dcip_to_name( domain->name, domain->alt_name, &domain->sid, addr->sin_addr, dcname );
- else
+ if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
+ /* Ok, we've got a name for the DC */
fstrcpy(dcname, dcnames[fd_index]);
+ return True;
+ }
- return True;
+ /* Try to figure out the name */
+ if (dcip_to_name( domain->name, domain->alt_name, &domain->sid,
+ addr->sin_addr, dcname )) {
+ return True;
+ }
+
+ /* We can not continue without the DC's name */
+ add_failed_connection_entry(domain->name, dcs[fd_index].name,
+ NT_STATUS_UNSUCCESSFUL);
+ goto again;
}
static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
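Review bot: The `goto again` after `add_failed_connection_entry` only terminates if `get_dcs` honours the failed-connection cache and stops returning that DC; if it does not (it is not visible here), find_new_dc will spin on the same unnamed DC forever. A bounded retry would make termination independent of that assumption, e.g. a counter declared with the other locals, `int tries = 0;`, and before `goto again` the guard `if (++tries >= MAX_DC_NAME_RETRIES) return False;` with the limit defined as a named constant. Note also that each iteration allocates from `mem_ctx` again via get_dcs, so the bound keeps memory use proportional too; the function's signature and the declarations of `dcs`/`dcnames` are outside this hunk.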
@@ -769,8 +775,14 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
struct in_addr ip;
ip = *interpret_addr2( saf_servername );
- dcip_to_name( domain->name, domain->alt_name, &domain->sid, ip, saf_name );
- fstrcpy( domain->dcname, saf_name );
+ if (dcip_to_name( domain->name, domain->alt_name,
+ &domain->sid, ip, saf_name )) {
+ fstrcpy( domain->dcname, saf_name );
+ } else {
+ add_failed_connection_entry(
+ domain->name, saf_name,
+ NT_STATUS_UNSUCCESSFUL);
+ }
}
else
{
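Review bot: In the else branch, `saf_name` is passed to `add_failed_connection_entry` precisely when `dcip_to_name` returned False, and dcip_to_name no longer writes `name` on its failure paths, so unless `saf_name` is initialised above this hunk the call reads an unset fstring. The server string the code already has for this DC is `saf_servername`, which was just interpreted into `ip`; recording that instead avoids the dependency: `add_failed_connection_entry(domain->name, saf_servername, NT_STATUS_UNSUCCESSFUL);`. The declaration of `saf_name` and the start of cm_open_connection are outside the hunk, so this is worth confirming against them.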
diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c
index b02ba8e36ca..3ae7692c127 100644
--- a/source/nsswitch/winbindd_pam.c
+++ b/source/nsswitch/winbindd_pam.c
@@ -512,7 +512,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
}
strlower_m(client_princ);
- local_service = talloc_asprintf(state->mem_ctx, "HOST/%s@%s", client_princ, lp_realm());
+ local_service = talloc_asprintf(state->mem_ctx, "%s$@%s", client_princ, lp_realm());
if (local_service == NULL) {
DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n"));
result = NT_STATUS_NO_MEMORY;
@@ -552,9 +552,6 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
goto failed;
}
- DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
- local_service));
-
if (!pac_data) {
DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n"));
result = NT_STATUS_INVALID_PARAMETER;
@@ -568,6 +565,9 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
goto failed;
}
+ DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
+ local_service));
+
/* last step:
* put results together */
diff --git a/source/nsswitch/winbindd_passdb.c b/source/nsswitch/winbindd_passdb.c
index 2aaed1acefb..b949ea08085 100644
--- a/source/nsswitch/winbindd_passdb.c
+++ b/source/nsswitch/winbindd_passdb.c
@@ -443,8 +443,47 @@ static NTSTATUS password_policy(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
SAM_UNK_INFO_1 *policy)
{
- /* actually we have that */
- return NT_STATUS_NOT_IMPLEMENTED;
+ uint32 min_pass_len,pass_hist,password_properties;
+ time_t u_expire, u_min_age;
+ NTTIME nt_expire, nt_min_age;
+ uint32 account_policy_temp;
+
+ if ((policy = TALLOC_ZERO_P(mem_ctx, SAM_UNK_INFO_1)) == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ min_pass_len = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ pass_hist = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ password_properties = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ u_expire = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ u_min_age = account_policy_temp;
+
+ unix_to_nt_time_abs(&nt_expire, u_expire);
+ unix_to_nt_time_abs(&nt_min_age, u_min_age);
+
+ init_unk_info1(policy, (uint16)min_pass_len, (uint16)pass_hist,
+ password_properties, nt_expire, nt_min_age);
+
+ return NT_STATUS_OK;
}
/* get a list of trusted domains */
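Review bot: `policy` is an in parameter (`SAM_UNK_INFO_1 *policy`, visible in the hunk's leading context), yet the new code overwrites it with a fresh `TALLOC_ZERO_P` allocation and then fills that local copy, so the caller's structure is never written and the function returns NT_STATUS_OK with nothing delivered. Unless the callers pass a NULL slot through a double pointer (they do not, given this signature), the allocation should be replaced by a NULL check plus clearing the caller's object: `if (policy == NULL) { return NT_STATUS_INVALID_PARAMETER; }` followed by `memset(policy, 0, sizeof *policy);`. The `(uint16)` casts of `min_pass_len` and `pass_hist` silently truncate whatever pdb_get_account_policy returns; if the stored values are bounded that deserves a one-line comment, otherwise a range check before the cast.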
diff --git a/source/nsswitch/winbindd_util.c b/source/nsswitch/winbindd_util.c
index 5caf48942b0..928e78a05fe 100644
--- a/source/nsswitch/winbindd_util.c
+++ b/source/nsswitch/winbindd_util.c
@@ -162,7 +162,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
domain->sequence_number = DOM_SEQUENCE_NONE;
domain->last_seq_check = 0;
domain->initialized = False;
- domain->online = False;
+ domain->online = is_internal_domain(sid);
if (sid) {
sid_copy(&domain->sid, sid);
}
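Review bot: `domain->online = is_internal_domain(sid);` runs before the `if (sid)` guard on the next line, so `sid` can evidently be NULL here and is_internal_domain is now called with it; unless that helper accepts NULL (not visible in this hunk), this is a NULL dereference on the paths that previously just set `online = False`. Guarding keeps the old value for the NULL case: `domain->online = (sid != NULL) && is_internal_domain(sid);`. add_trusted_domain's signature is in the hunk header but the rest of its body is outside the hunk.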