Always trust the domain flags in the wcache trusted domain cache.

Use the flags stored in the tdb when determining if a domain can
be contacted.  The tdb should be considered authoratative anyways unless
you know the flags in the winbindd_domain are correct (such as when
first enumerating trusts).

Original suggestion and patch from Steven Danneman <steven.danneman@isilon.com>.
Manually rewritten by me for 3.2.
(This used to be commit f53658a20de07a29abbe2e90917b328d00fc0024)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index d16b7423a176d96e692b5245063ea8ee2ca094e4..f6bb5750ea8721e8dcb80f21bb4249b227b12fbc 100644 (file)
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1386,36 +1386,56 @@ void ws_name_return( char *name, char replace )
 /*********************************************************************
  ********************************************************************/
 
-bool winbindd_can_contact_domain( struct winbindd_domain *domain )
+bool winbindd_can_contact_domain(struct winbindd_domain *domain)
 {
+       struct winbindd_tdc_domain *tdc = NULL;
+       TALLOC_CTX *frame = talloc_stackframe();
+       bool ret = false;
+
        /* We can contact the domain if it is our primary domain */
 
-       if ( domain->primary )
-               return True;
+       if (domain->primary) {
+               return true;
+       }
 
-       /* Can always contact a domain that is in out forest */
+       /* Trust the TDC cache and not the winbindd_domain flags */
 
-       if ( domain->domain_flags & DS_DOMAIN_IN_FOREST )
-               return True;    
+       if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
+               DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
+                         domain->name));
+               return false;
+       }
+
+       /* Can always contact a domain that is in out forest */
 
+       if (tdc->trust_flags & DS_DOMAIN_IN_FOREST) {
+               ret = true;
+               goto done;
+       }
+       
        /*
         * On a _member_ server, we cannot contact the domain if it
         * is running AD and we have no inbound trust.
         */
 
-       if ( !IS_DC &&
+       if (!IS_DC && 
             domain->active_directory &&
-            ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) ) 
+           ((tdc->trust_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND))
        {
-               DEBUG(10, ("Domain is an AD domain and we have no inbound "
-                          "trust.\n"));
-               return False;
+               DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
+                          "and we have no inbound trust.\n", domain->name));
+               goto done;
        }
-       
+
        /* Assume everything else is ok (probably not true but what
           can you do?) */
+
+       ret = true;     
+
+done:  
+       talloc_destroy(frame);
        
-       return True;    
+       return ret;     
 }
 
 /*********************************************************************