winbindd of a Samba PDC is broken in current SAMBA_3_0

Andrew Bartlett abartlet at samba.org
Wed Aug 20 04:06:05 GMT 2003


On Tue, Aug 19, 2003 at 10:31:14PM -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> We know about it and are working on it.  Beware if you cvs update.

Proposed fix attached - this broke all NT4-like DCs (including Samba).

Andrew Bartlett
-------------- next part --------------
Index: nsswitch/winbindd_cm.c
===================================================================
RCS file: /home/cvs/samba/source/nsswitch/winbindd_cm.c,v
retrieving revision 1.31.2.40
diff -u -r1.31.2.40 winbindd_cm.c
--- nsswitch/winbindd_cm.c	19 Aug 2003 22:47:10 -0000	1.31.2.40
+++ nsswitch/winbindd_cm.c	20 Aug 2003 04:01:26 -0000
@@ -121,6 +121,7 @@
 	struct in_addr dc_ip;
 	int i;
 	BOOL retry = True;
+	BOOL got_login = False;
 
 	ZERO_STRUCT(dc_ip);
 
@@ -163,64 +164,81 @@
 					      CLI_FULL_CONNECTION_USE_KERBEROS, 
 					      &retry);
 
-		if (NT_STATUS_IS_OK(result)) {
-			if ((lp_security() == SEC_ADS) 
-				&& (new_conn->cli->protocol >= PROTOCOL_NT1 && new_conn->cli->capabilities & CAP_EXTENDED_SECURITY)) {
-				new_conn->cli->use_kerberos = True;
-				DEBUG(5, ("connecting to %s from %s with kerberos principal [%s]\n", 
-					  new_conn->controller, global_myname(), machine_krb5_principal));
-
-				if (!cli_session_setup_spnego(new_conn->cli, machine_krb5_principal, 
-							      machine_password, 
-							      domain)) {
-					result = cli_nt_error(new_conn->cli);
-					DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
-					if (NT_STATUS_IS_OK(result)) 
-						result = NT_STATUS_UNSUCCESSFUL;
-				}
+		if (!NT_STATUS_IS_OK(result)) 
+			break;
+
+		retry = False;
+		got_login = False;
+
+		if ((lp_security() == SEC_ADS) 
+		    && (new_conn->cli->protocol >= PROTOCOL_NT1 && new_conn->cli->capabilities & CAP_EXTENDED_SECURITY)) {
+			new_conn->cli->use_kerberos = True;
+			DEBUG(5, ("connecting to %s from %s with kerberos principal [%s]\n", 
+				  new_conn->controller, global_myname(), machine_krb5_principal));
+			
+			if (!cli_session_setup_spnego(new_conn->cli, machine_krb5_principal, 
+						      machine_password, 
+						      domain)) {
+				result = cli_nt_error(new_conn->cli);
+				DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
+				if (NT_STATUS_IS_OK(result)) 
+					result = NT_STATUS_UNSUCCESSFUL;
+			} else {
+				got_login = True;	
+				result = NT_STATUS_OK;
 			}
-			new_conn->cli->use_kerberos = False;
-			if (!NT_STATUS_IS_OK(result) 
-			    && new_conn->cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {	
-				DEBUG(5, ("connecting to %s from %s with username [%s]\\[%s]\n", 
-					  new_conn->controller, global_myname(), ipc_domain, ipc_username));
-
-				if (!cli_session_setup(new_conn->cli, ipc_username, 
-						       ipc_password, strlen(ipc_password)+1, 
-						       ipc_password, strlen(ipc_password)+1, 
-						       domain)) {
-					result = cli_nt_error(new_conn->cli);
-					DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
-					if (NT_STATUS_IS_OK(result)) 
-						result = NT_STATUS_UNSUCCESSFUL;
-				}
+		}
+
+		new_conn->cli->use_kerberos = False;
+		if ((!got_login) 
+			&& new_conn->cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {	
+			DEBUG(5, ("connecting to %s from %s with username [%s]\\[%s]\n", 
+				  new_conn->controller, global_myname(), ipc_domain, ipc_username));
+			
+			if (!cli_session_setup(new_conn->cli, ipc_username, 
+					       ipc_password, strlen(ipc_password)+1, 
+					       ipc_password, strlen(ipc_password)+1, 
+					       domain)) {
+				result = cli_nt_error(new_conn->cli);
+				DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
+				if (NT_STATUS_IS_OK(result)) 
+					result = NT_STATUS_UNSUCCESSFUL;
+			} else {
+				got_login = True;	
+				result = NT_STATUS_OK;
 			}
-			if (!NT_STATUS_IS_OK(result)) {	
-				if (!cli_session_setup(new_conn->cli, "", NULL, 0, 
-						       NULL, 0, 
-						       "")) {
-					result = cli_nt_error(new_conn->cli);
-					DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
-					if (NT_STATUS_IS_OK(result)) 
-						result = NT_STATUS_UNSUCCESSFUL;
-				} 
-				
+		}
+
+		/* guest fallback */
+		if (!got_login) {	
+			if (!cli_session_setup(new_conn->cli, "", NULL, 0, 
+					       NULL, 0, 
+					       "")) {
+				result = cli_nt_error(new_conn->cli);
+				DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
+				if (NT_STATUS_IS_OK(result)) 
+					result = NT_STATUS_UNSUCCESSFUL;
+			} else {
+				got_login = True;
+				result = NT_STATUS_OK;
 			}
-			if (NT_STATUS_IS_OK(result) && !cli_send_tconX(new_conn->cli, "IPC$", "IPC",
-								       "", 0)) {
+			
+		}
+		if (got_login) {
+			if (!cli_send_tconX(new_conn->cli, "IPC$", "IPC",
+					    "", 0)) {
 				result = cli_nt_error(new_conn->cli);
 				DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
 				cli_shutdown(new_conn->cli);
 				if (NT_STATUS_IS_OK(result)) {
 					result = NT_STATUS_UNSUCCESSFUL;
 				}
+			} else {
+				/* sucess - we got the IPC$ open */
+				struct ntuser_creds creds;
+				init_creds(&creds, ipc_username, ipc_domain, ipc_password);
+				cli_init_creds(new_conn->cli, &creds);
 			}
-		}
-
-		if (NT_STATUS_IS_OK(result)) {
-			struct ntuser_creds creds;
-			init_creds(&creds, ipc_username, ipc_domain, ipc_password);
-			cli_init_creds(new_conn->cli, &creds);
 		}
 
 		if (got_mutex)
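Review bot: The new `if (!NT_STATUS_IS_OK(result)) break;` after the connection attempt leaves the block before the `if (got_mutex)` line that closes this hunk, so a failed connection appears to exit with the mutex tracked by `got_mutex` still held and without honouring the `retry` flag the call just filled in. The enclosing loop and the release itself are outside the hunk, so this needs confirming there. Keeping the login sequence under `if (NT_STATUS_IS_OK(result)) {` as the removed code did, or releasing the mutex before the `break`, would keep a failed connect from leaving later callers waiting on it. Separately, the challenge-response and guest attempts still log `failed kerberos session setup`, which hides which stage of the Kerberos → IPC account → guest fallback failed. Distinct messages such as `failed NTLM session setup with %s` and `failed anonymous session setup with %s` would make a silent authentication downgrade visible in the logs.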

