s3-winbindd: Use correct realm for trusted domains in idmap child
author Christof Schmitt <cs@samba.org>
Fri, 22 Aug 2014 16:15:59 +0000 (09:15 -0700)
committer Karolin Seeger <kseeger@samba.org>
Sat, 27 Sep 2014 18:58:13 +0000 (20:58 +0200)
When authenticating users in a trusted domain, the idmap_ad module
always connects to a local DC instead of one in the trusted domain.

Fix this by passing the correct realm to connect to.

Also comment parameters passed to ads_cached_connection_connect.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit c203c722e7e22f9146f2ecf6f42452c0e82042e4)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10826
Using SFU id mapping fails for users from a trusted domain

source3/winbindd/winbindd_ads.c

index 4c2638900ffa1cb609e7c932147ca27ef9e5d7e4..e47613eadacdcd5299eecaf750789402c3c342c2 100644 (file)
@@ -187,8 +187,15 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
                }
        }
 
-       status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
-                                              password, realm, 0);
+       status = ads_cached_connection_connect(
+               adsp,                   /* Returns ads struct. */
+               wb_dom->alt_name,       /* realm to connect to. */
+               dom_name,               /* 'workgroup' name for ads_init */
+               ldap_server,            /* DNS name to connect to. */
+               password,               /* password for auth realm. */
+               realm,                  /* realm used for krb5 ticket. */
+               0);                     /* renewable ticket time. */
+
        SAFE_FREE(realm);
 
        return status;
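
Review bot: The new second argument `wb_dom->alt_name` is dereferenced and used as the realm to connect to, but nothing in the visible context shows that `wb_dom` is non-NULL or that `alt_name` is set at this point. If the lookup for `dom_name` can fail, or the domain entry carries no realm name, the idmap child may crash or be handed a NULL or empty realm. Please confirm that the earlier part of `ads_idmap_cached_connection()` rejects both cases, or add a guard that returns an error status before the call. Separately, the realm to connect to (`wb_dom->alt_name`) and the realm used for the krb5 ticket (`realm`) are now two different expressions, while `ldap_server` and `password` are unchanged; a short comment above the call explaining why the connect realm and the auth realm may differ, and that `ldap_server` is expected to belong to the connect realm, would help the next reader. Minor style point: the new argument comments mix capitalisation and trailing periods (`/* Returns ads struct. */` versus `/* 'workgroup' name for ads_init */`).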