Fix a segv in winbindd caused by trying to free an fstring.

[samba.git] / source3 / winbindd / winbindd_cm.c

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 4ff9fce96fd477d29fd756b09925d3569c07620c..6c5633c2b2c90caee983192e7dc55e3f0e133129 100644 (file)
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -66,15 +66,15 @@
 
 struct dc_name_ip {
        fstring name;
-       struct in_addr ip;
+       struct sockaddr_storage ss;
 };
 
 extern struct winbindd_methods reconnect_methods;
-extern BOOL override_logfile;
+extern bool override_logfile;
 
 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
 static void set_dc_type_and_flags( struct winbindd_domain *domain );
-static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
+static bool get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
                    struct dc_name_ip **dcs, int *num_dcs);
 
 /****************************************************************
@@ -166,7 +166,7 @@ static void msg_try_to_go_online(struct messaging_context *msg,
  parent.
 ****************************************************************/
 
-static BOOL fork_child_dc_connect(struct winbindd_domain *domain)
+static bool fork_child_dc_connect(struct winbindd_domain *domain)
 {
        struct dc_name_ip *dcs = NULL;
        int num_dcs = 0;
@@ -208,10 +208,12 @@ static BOOL fork_child_dc_connect(struct winbindd_domain *domain)
        close_conns_after_fork();
 
        if (!override_logfile) {
-               pstring logfile;
-               pstr_sprintf(logfile, "%s/log.winbindd-dc-connect", dyn_LOGFILEBASE);
-               lp_set_logfile(logfile);
-               reopen_logs();
+               char *logfile;
+               if (asprintf(&logfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) > 0) {
+                       lp_set_logfile(logfile);
+                       SAFE_FREE(logfile);
+                       reopen_logs();
+               }
        }
 
        mem_ctx = talloc_init("fork_child_dc_connect");
@@ -558,8 +560,9 @@ static void cm_get_ipc_userpass(char **username, char **domain, char **password)
        }
 }
 
-static BOOL get_dc_name_via_netlogon(const struct winbindd_domain *domain,
-                                    fstring dcname, struct in_addr *dc_ip)
+static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain,
+                                    fstring dcname,
+                                    struct sockaddr_storage *dc_ss)
 {
        struct winbindd_domain *our_domain = NULL;
        struct rpc_pipe_client *netlogon_pipe = NULL;
@@ -625,13 +628,47 @@ static BOOL get_dc_name_via_netlogon(const struct winbindd_domain *domain,
 
        DEBUG(10, ("rpccli_netlogon_getanydcname returned %s\n", dcname));
 
-       if (!resolve_name(dcname, dc_ip, 0x20)) {
+       if (!resolve_name(dcname, dc_ss, 0x20)) {
                return False;
        }
 
        return True;
 }
 
+/**
+ * Helper function to assemble trust password and account name
+ */
+static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
+                               char **machine_password,
+                               char **machine_account,
+                               char **machine_krb5_principal)
+{
+       const char *account_name;
+
+       if (!get_trust_pw_clear(domain->name, machine_password,
+                               &account_name, NULL))
+       {
+               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+       }
+
+       if ((machine_account != NULL) &&
+           (asprintf(machine_account, "%s$", account_name) == -1))
+       {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       /* this is at least correct when domain is our domain,
+        * which is the only case, when this is currently used: */
+       if ((machine_krb5_principal != NULL) &&
+           (asprintf(machine_krb5_principal, "%s$@%s", account_name,
+                     domain->alt_name) == -1))
+       {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       return NT_STATUS_OK;
+}
+
 /************************************************************************
  Given a fd with a just-connected TCP connection to a DC, open a connection
  to the pipe.
@@ -641,12 +678,16 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                                      const int sockfd,
                                      const char *controller,
                                      struct cli_state **cli,
-                                     BOOL *retry)
+                                     bool *retry)
 {
-       char *machine_password, *machine_krb5_principal, *machine_account;
-       char *ipc_username, *ipc_domain, *ipc_password;
+       char *machine_password = NULL;
+       char *machine_krb5_principal = NULL;
+       char *machine_account = NULL;
+       char *ipc_username = NULL;
+       char *ipc_domain = NULL;
+       char *ipc_password = NULL;
 
-       BOOL got_mutex;
+       bool got_mutex;
 
        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 
@@ -658,23 +699,6 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
        DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
                controller, domain->name ));
 
-       machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL,
-                                                         NULL);
-       
-       if (asprintf(&machine_account, "%s$", global_myname()) == -1) {
-               SAFE_FREE(machine_password);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(),
-                    lp_realm()) == -1) {
-               SAFE_FREE(machine_account);
-               SAFE_FREE(machine_password);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
-
        *retry = True;
 
        got_mutex = secrets_named_mutex(controller,
@@ -731,10 +755,20 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                result = NT_STATUS_UNSUCCESSFUL;
                goto done;
        }
-                       
-       if ((*cli)->protocol >= PROTOCOL_NT1 && (*cli)->capabilities & CAP_EXTENDED_SECURITY) {
+
+       if (!is_trusted_domain_situation(domain->name) &&
+           (*cli)->protocol >= PROTOCOL_NT1 &&
+           (*cli)->capabilities & CAP_EXTENDED_SECURITY)
+       {
                ADS_STATUS ads_status;
 
+               result = get_trust_creds(domain, &machine_password,
+                                        &machine_account,
+                                        &machine_krb5_principal);
+               if (!NT_STATUS_IS_OK(result)) {
+                       goto done;
+               }
+
                if (lp_security() == SEC_ADS) {
 
                        /* Try a krb5 session */
@@ -749,7 +783,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                        ads_status = cli_session_setup_spnego(*cli,
                                                              machine_krb5_principal, 
                                                              machine_password, 
-                                                             lp_workgroup());
+                                                             domain->name);
 
                        if (!ADS_ERR_OK(ads_status)) {
                                DEBUG(4,("failed kerberos session setup with %s\n",
@@ -759,7 +793,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                        result = ads_ntstatus(ads_status);
                        if (NT_STATUS_IS_OK(result)) {
                                /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
-                               cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+                               cli_init_creds(*cli, machine_account, domain->name, machine_password);
                                goto session_setup_done;
                        }
                }
@@ -769,12 +803,12 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
                DEBUG(5, ("connecting to %s from %s with username "
                          "[%s]\\[%s]\n",  controller, global_myname(),
-                         lp_workgroup(), machine_account));
+                         domain->name, machine_account));
 
                ads_status = cli_session_setup_spnego(*cli,
                                                      machine_account, 
                                                      machine_password, 
-                                                     lp_workgroup());
+                                                     domain->name);
                if (!ADS_ERR_OK(ads_status)) {
                        DEBUG(4, ("authenticated session setup failed with %s\n",
                                ads_errstr(ads_status)));
@@ -783,15 +817,17 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                result = ads_ntstatus(ads_status);
                if (NT_STATUS_IS_OK(result)) {
                        /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
-                       cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+                       cli_init_creds(*cli, machine_account, domain->name, machine_password);
                        goto session_setup_done;
                }
        }
 
-       /* Fall back to non-kerberos session setup */
+       /* Fall back to non-kerberos session setup with auth_user */
 
        (*cli)->use_kerberos = False;
 
+       cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
+
        if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
            (strlen(ipc_username) > 0)) {
 
@@ -890,8 +926,8 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
        return result;
 }
 
-static BOOL add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
-                             const char *dcname, struct in_addr ip,
+static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
+                             const char *dcname, struct sockaddr_storage *pss,
                              struct dc_name_ip **dcs, int *num)
 {
        if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
@@ -905,25 +941,24 @@ static BOOL add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
                return False;
 
        fstrcpy((*dcs)[*num].name, dcname);
-       (*dcs)[*num].ip = ip;
+       (*dcs)[*num].ss = *pss;
        *num += 1;
        return True;
 }
 
-static BOOL add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
-                                 struct in_addr ip, uint16 port,
-                                 struct sockaddr_in **addrs, int *num)
+static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
+                                 struct sockaddr_storage *pss, uint16 port,
+                                 struct sockaddr_storage **addrs, int *num)
 {
-       *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_in, (*num)+1);
+       *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
 
        if (*addrs == NULL) {
                *num = 0;
                return False;
        }
 
-       (*addrs)[*num].sin_family = PF_INET;
-       putip((char *)&((*addrs)[*num].sin_addr), (char *)&ip);
-       (*addrs)[*num].sin_port = htons(port);
+       (*addrs)[*num] = *pss;
+       set_sockaddr_port(&(*addrs)[*num], port);
 
        *num += 1;
        return True;
@@ -934,15 +969,21 @@ static void mailslot_name(struct in_addr dc_ip, fstring name)
        fstr_sprintf(name, "\\MAILSLOT\\NET\\GETDC%X", dc_ip.s_addr);
 }
 
-static BOOL send_getdc_request(struct in_addr dc_ip,
+static bool send_getdc_request(struct sockaddr_storage *dc_ss,
                               const char *domain_name,
                               const DOM_SID *sid)
 {
-       pstring outbuf;
+       char outbuf[1024];
+       struct in_addr dc_ip;
        char *p;
        fstring my_acct_name;
        fstring my_mailslot;
 
+       if (dc_ss->ss_family != AF_INET) {
+               return false;
+       }
+
+       dc_ip = ((struct sockaddr_in *)dc_ss)->sin_addr;
        mailslot_name(dc_ip, my_mailslot);
 
        memset(outbuf, '\0', sizeof(outbuf));
@@ -958,13 +999,23 @@ static BOOL send_getdc_request(struct in_addr dc_ip,
        SIVAL(p, 0, 0); /* The sender's token ... */
        p += 2;
 
-       p += dos_PutUniCode(p, global_myname(), sizeof(pstring), True);
+       p += dos_PutUniCode(p, global_myname(),
+                       sizeof(outbuf) - PTR_DIFF(p, outbuf), True);
        fstr_sprintf(my_acct_name, "%s$", global_myname());
-       p += dos_PutUniCode(p, my_acct_name, sizeof(pstring), True);
+       p += dos_PutUniCode(p, my_acct_name,
+                       sizeof(outbuf) - PTR_DIFF(p, outbuf), True);
+
+       if (strlen(my_mailslot)+1 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) {
+               return false;
+       }
 
        memcpy(p, my_mailslot, strlen(my_mailslot)+1);
        p += strlen(my_mailslot)+1;
 
+       if (sizeof(outbuf) - PTR_DIFF(p, outbuf) < 8) {
+               return false;
+       }
+
        SIVAL(p, 0, 0x80);
        p+=4;
 
@@ -972,8 +1023,15 @@ static BOOL send_getdc_request(struct in_addr dc_ip,
        p+=4;
 
        p = ALIGN4(p, outbuf);
+       if (PTR_DIFF(p, outbuf) > sizeof(outbuf)) {
+               return false;
+       }
 
        sid_linearize(p, sid_size(sid), sid);
+       if (sid_size(sid) + 8 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) {
+               return false;
+       }
+
        p += sid_size(sid);
 
        SIVAL(p, 0, 1);
@@ -985,10 +1043,10 @@ static BOOL send_getdc_request(struct in_addr dc_ip,
                                 False, "\\MAILSLOT\\NET\\NTLOGON", 0,
                                 outbuf, PTR_DIFF(p, outbuf),
                                 global_myname(), 0, domain_name, 0x1c,
-                                dc_ip);
+                                dc_ss);
 }
 
-static BOOL receive_getdc_response(struct in_addr dc_ip,
+static bool receive_getdc_response(struct sockaddr_storage *dc_ss,
                                   const char *domain_name,
                                   fstring dc_name)
 {
@@ -997,7 +1055,12 @@ static BOOL receive_getdc_response(struct in_addr dc_ip,
        char *buf, *p;
        fstring dcname, user, domain;
        int len;
+       struct in_addr dc_ip;
 
+       if (dc_ss->ss_family != AF_INET) {
+               return false;
+       }
+       dc_ip = ((struct sockaddr_in *)dc_ss)->sin_addr;
        mailslot_name(dc_ip, my_mailslot);
 
        packet = receive_unexpected(DGRAM_PACKET, 0, my_mailslot);
@@ -1060,11 +1123,13 @@ static BOOL receive_getdc_response(struct in_addr dc_ip,
  convert an ip to a name
 *******************************************************************/
 
-static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip, fstring name )
+static bool dcip_to_name(const struct winbindd_domain *domain,
+               struct sockaddr_storage *pss,
+               fstring name )
 {
        struct ip_service ip_list;
 
-       ip_list.ip = ip;
+       ip_list.ss = *pss;
        ip_list.port = 0;
 
 #ifdef WITH_ADS
@@ -1073,11 +1138,14 @@ static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip
 
        if (lp_security() == SEC_ADS) {
                ADS_STRUCT *ads;
+               char addr[INET6_ADDRSTRLEN];
+
+               print_sockaddr(addr, sizeof(addr), pss);
 
                ads = ads_init(domain->alt_name, domain->name, NULL);
                ads->auth.flags |= ADS_AUTH_NO_BIND;
 
-               if (ads_try_connect( ads, inet_ntoa(ip) ) )  {
+               if (ads_try_connect(ads, addr)) {
                        /* We got a cldap packet. */
                        fstrcpy(name, ads->config.ldap_server_name);
                        namecache_store(name, 0x20, 1, &ip_list);
@@ -1095,7 +1163,7 @@ static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip
                                        create_local_private_krb5_conf_for_domain(domain->alt_name,
                                                                        domain->name,
                                                                        sitename,
-                                                                       ip);
+                                                                       pss);
 
                                        SAFE_FREE(sitename);
                                } else {
@@ -1103,7 +1171,7 @@ static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip
                                        create_local_private_krb5_conf_for_domain(domain->alt_name,
                                                                        domain->name,
                                                                        NULL,
-                                                                       ip);
+                                                                       pss);
                                }
                                winbindd_set_locator_kdc_envs(domain);
 
@@ -1121,12 +1189,12 @@ static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip
 #endif
 
        /* try GETDC requests next */
-       
-       if (send_getdc_request(ip, domain->name, &domain->sid)) {
+
+       if (send_getdc_request(pss, domain->name, &domain->sid)) {
                int i;
                smb_msleep(100);
                for (i=0; i<5; i++) {
-                       if (receive_getdc_response(ip, domain->name, name)) {
+                       if (receive_getdc_response(pss, domain->name, name)) {
                                namecache_store(name, 0x20, 1, &ip_list);
                                return True;
                        }
@@ -1136,7 +1204,7 @@ static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip
 
        /* try node status request */
 
-       if ( name_status_find(domain->name, 0x1c, 0x20, ip, name) ) {
+       if ( name_status_find(domain->name, 0x1c, 0x20, pss, name) ) {
                namecache_store(name, 0x20, 1, &ip_list);
                return True;
        }
@@ -1148,25 +1216,27 @@ static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip
  the dcs[]  with results.
 *******************************************************************/
 
-static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
+static bool get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
                    struct dc_name_ip **dcs, int *num_dcs)
 {
        fstring dcname;
-       struct  in_addr ip;
+       struct  sockaddr_storage ss;
        struct  ip_service *ip_list = NULL;
        int     iplist_size = 0;
        int     i;
-       BOOL    is_our_domain;
+       bool    is_our_domain;
        enum security_types sec = (enum security_types)lp_security();
 
        is_our_domain = strequal(domain->name, lp_workgroup());
 
-       if ( !is_our_domain 
-               && get_dc_name_via_netlogon(domain, dcname, &ip) 
-               && add_one_dc_unique(mem_ctx, domain->name, dcname, ip, dcs, num_dcs) )
+       if ( !is_our_domain
+               && get_dc_name_via_netlogon(domain, dcname, &ss)
+               && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, num_dcs) )
        {
+               char addr[INET6_ADDRSTRLEN];
+               print_sockaddr(addr, sizeof(addr), &ss);
                DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
-                          dcname, inet_ntoa(ip)));
+                          dcname, addr));
                return True;
        }
 
@@ -1182,7 +1252,7 @@ static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
                   We deliberately don't care about the
                   return here. */
 
-               get_dc_name(domain->name, domain->alt_name, dcname, &ip);
+               get_dc_name(domain->name, domain->alt_name, dcname, &ss);
 
                sitename = sitename_fetch(domain->alt_name);
                if (sitename) {
@@ -1191,8 +1261,15 @@ static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
                        get_sorted_dc_list(domain->alt_name, sitename, &ip_list, &iplist_size, True);
 
                        for ( i=0; i<iplist_size; i++ ) {
-                               add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
-                                                       ip_list[i].ip, dcs, num_dcs);
+                               char addr[INET6_ADDRSTRLEN];
+                               print_sockaddr(addr, sizeof(addr),
+                                               &ip_list[i].ss);
+                               add_one_dc_unique(mem_ctx,
+                                               domain->name,
+                                               addr,
+                                               &ip_list[i].ss,
+                                               dcs,
+                                               num_dcs);
                        }
 
                        SAFE_FREE(ip_list);
@@ -1204,8 +1281,15 @@ static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
                get_sorted_dc_list(domain->alt_name, NULL, &ip_list, &iplist_size, True);
 
                for ( i=0; i<iplist_size; i++ ) {
-                       add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
-                                               ip_list[i].ip, dcs, num_dcs);
+                       char addr[INET6_ADDRSTRLEN];
+                       print_sockaddr(addr, sizeof(addr),
+                                       &ip_list[i].ss);
+                       add_one_dc_unique(mem_ctx,
+                                       domain->name,
+                                       addr,
+                                       &ip_list[i].ss,
+                                       dcs,
+                                       num_dcs);
                }
         }
 
@@ -1222,8 +1306,11 @@ static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
           the ip now in to make the failed connection cache work */
 
        for ( i=0; i<iplist_size; i++ ) {
-               add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip), 
-                       ip_list[i].ip, dcs, num_dcs);
+               char addr[INET6_ADDRSTRLEN];
+               print_sockaddr(addr, sizeof(addr),
+                               &ip_list[i].ss);
+               add_one_dc_unique(mem_ctx, domain->name, addr,
+                       &ip_list[i].ss, dcs, num_dcs);
        }
 
        SAFE_FREE( ip_list );
@@ -1231,9 +1318,9 @@ static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
        return True;
 }
 
-static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
+static bool find_new_dc(TALLOC_CTX *mem_ctx,
                        const struct winbindd_domain *domain,
-                       fstring dcname, struct sockaddr_in *addr, int *fd)
+                       fstring dcname, struct sockaddr_storage *pss, int *fd)
 {
        struct dc_name_ip *dcs = NULL;
        int num_dcs = 0;
@@ -1241,7 +1328,7 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
        const char **dcnames = NULL;
        int num_dcnames = 0;
 
-       struct sockaddr_in *addrs = NULL;
+       struct sockaddr_storage *addrs = NULL;
        int num_addrs = 0;
 
        int i, fd_index;
@@ -1256,7 +1343,7 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
                                    &dcnames, &num_dcnames)) {
                        return False;
                }
-               if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 445,
+               if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 445,
                                      &addrs, &num_addrs)) {
                        return False;
                }
@@ -1265,7 +1352,7 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
                                    &dcnames, &num_dcnames)) {
                        return False;
                }
-               if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 139,
+               if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 139,
                                      &addrs, &num_addrs)) {
                        return False;
                }
@@ -1278,28 +1365,29 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
                return False;
 
        /* 5 second timeout. */
-       if ( !open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) 
-       {
+       if (!open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) {
                for (i=0; i<num_dcs; i++) {
+                       char ab[INET6_ADDRSTRLEN];
+                       print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
                        DEBUG(10, ("find_new_dc: open_any_socket_out failed for "
                                "domain %s address %s. Error was %s\n",
-                               domain->name, inet_ntoa(dcs[i].ip), strerror(errno) ));
+                               domain->name, ab, strerror(errno) ));
                        winbind_add_failed_connection_entry(domain,
                                dcs[i].name, NT_STATUS_UNSUCCESSFUL);
                }
                return False;
        }
 
-       *addr = addrs[fd_index];
+       *pss = addrs[fd_index];
 
-       if (*dcnames[fd_index] != '\0' && !is_ipaddress_v4(dcnames[fd_index])) {
+       if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
                /* Ok, we've got a name for the DC */
                fstrcpy(dcname, dcnames[fd_index]);
                return True;
        }
 
        /* Try to figure out the name */
-       if (dcip_to_name( domain, addr->sin_addr, dcname )) {
+       if (dcip_to_name(domain, pss, dcname)) {
                return True;
        }
 
@@ -1336,12 +1424,15 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
                        saf_servername, domain->name ));
 
                /* convert an ip address to a name */
-               if ( is_ipaddress_v4( saf_servername ) ) {
+               if (is_ipaddress( saf_servername ) ) {
                        fstring saf_name;
-                       struct in_addr ip;
+                       struct sockaddr_storage ss;
 
-                       ip = *interpret_addr2( saf_servername );
-                       if (dcip_to_name( domain, ip, saf_name )) {
+                       if (!interpret_string_addr(&ss, saf_servername,
+                                               AI_NUMERICHOST)) {
+                               return NT_STATUS_UNSUCCESSFUL;
+                       }
+                       if (dcip_to_name( domain, &ss, saf_name )) {
                                fstrcpy( domain->dcname, saf_name );
                        } else {
                                winbind_add_failed_connection_entry(
@@ -1356,9 +1447,8 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
        }
 
        for (retries = 0; retries < 3; retries++) {
-
                int fd = -1;
-               BOOL retry = False;
+               bool retry = False;
 
                result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
 
@@ -1367,18 +1457,18 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
 
                if (*domain->dcname 
                        && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
-                       && (resolve_name(domain->dcname, &domain->dcaddr.sin_addr, 0x20)))
+                       && (resolve_name(domain->dcname, &domain->dcaddr, 0x20)))
                {
-                       struct sockaddr_in *addrs = NULL;
+                       struct sockaddr_storage *addrs = NULL;
                        int num_addrs = 0;
                        int dummy = 0;
 
-                       if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 445, &addrs, &num_addrs)) {
+                       if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 445, &addrs, &num_addrs)) {
                                set_domain_offline(domain);
                                talloc_destroy(mem_ctx);
                                return NT_STATUS_NO_MEMORY;
                        }
-                       if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 139, &addrs, &num_addrs)) {
+                       if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 139, &addrs, &num_addrs)) {
                                set_domain_offline(domain);
                                talloc_destroy(mem_ctx);
                                return NT_STATUS_NO_MEMORY;
@@ -1492,7 +1582,7 @@ void close_conns_after_fork(void)
        }
 }
 
-static BOOL connection_ok(struct winbindd_domain *domain)
+static bool connection_ok(struct winbindd_domain *domain)
 {
        if (domain->conn.cli == NULL) {
                DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
@@ -1566,7 +1656,7 @@ NTSTATUS init_dc_connection(struct winbindd_domain *domain)
  Set the trust flags (direction and forest location) for a domain
 ******************************************************************************/
 
-static BOOL set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
+static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
 {
        struct winbindd_domain *our_domain;
        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
@@ -1689,6 +1779,13 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
                return;
        }
 
+       mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
+                             domain->name);
+       if (!mem_ctx) {
+               DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
+               return;
+       }
+
        DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
 
        cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC_DS,
@@ -1706,7 +1803,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
                goto no_lsarpc_ds;
        }
 
-       result = rpccli_ds_getprimarydominfo(cli, cli->cli->mem_ctx,
+       result = rpccli_ds_getprimarydominfo(cli, mem_ctx,
                                             DsRolePrimaryDomainInfoBasic,
                                             &ctr);
        cli_rpc_pipe_close(cli);
@@ -1725,6 +1822,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
                        goto no_lsarpc_ds;
                }
 
+               TALLOC_FREE(mem_ctx);
                return;
        }
        
@@ -1743,14 +1841,7 @@ no_lsarpc_ds:
                          "PI_LSARPC on domain %s: (%s)\n",
                          domain->name, nt_errstr(result)));
                cli_rpc_pipe_close(cli);
-               return;
-       }
-
-       mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
-                             domain->name);
-       if (!mem_ctx) {
-               DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
-               cli_rpc_pipe_close(cli);
+               TALLOC_FREE(mem_ctx);
                return;
        }
 
@@ -1811,8 +1902,8 @@ done:
                  domain->name, domain->active_directory ? "" : "NOT "));
 
        cli_rpc_pipe_close(cli);
-       
-       talloc_destroy(mem_ctx);
+
+       TALLOC_FREE(mem_ctx);
 
        domain->initialized = True;
 }
@@ -1848,7 +1939,7 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
 /**********************************************************************
 ***********************************************************************/
 
-static BOOL cm_get_schannel_dcinfo(struct winbindd_domain *domain,
+static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain,
                                   struct dcinfo **ppdc)
 {
        NTSTATUS result;
@@ -1877,6 +1968,9 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
        fstring conn_pwd;
        struct dcinfo *p_dcinfo;
+       char *machine_password = NULL;
+       char *machine_account = NULL;
+       char *domain_name = NULL;
 
        result = init_dc_connection(domain);
        if (!NT_STATUS_IS_OK(result)) {
@@ -1899,10 +1993,26 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
        pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
        if ((conn->cli->user_name[0] == '\0') ||
            (conn->cli->domain[0] == '\0') || 
-           (conn_pwd[0] == '\0')) {
-               DEBUG(10, ("cm_connect_sam: No no user available for "
-                          "domain %s, trying schannel\n", conn->cli->domain));
+           (conn_pwd[0] == '\0'))
+       {
+               result = get_trust_creds(domain, &machine_password,
+                                        &machine_account, NULL);
+               if (!NT_STATUS_IS_OK(result)) {
+                       DEBUG(10, ("cm_connect_sam: No no user available for "
+                                  "domain %s, trying schannel\n", conn->cli->domain));
+                       goto schannel;
+               }
+               domain_name = domain->name;
                goto schannel;
+       } else {
+               machine_password = SMB_STRDUP(conn_pwd);                
+               machine_account = SMB_STRDUP(conn->cli->user_name);
+               domain_name = conn->cli->domain;
+       }
+
+       if (!machine_password || !machine_account) {
+               result = NT_STATUS_NO_MEMORY;
+               goto done;
        }
 
        /* We have an authenticated connection. Use a NTLMSSP SPNEGO
@@ -1910,23 +2020,23 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
        conn->samr_pipe =
                cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR,
                                                 PIPE_AUTH_LEVEL_PRIVACY,
-                                                conn->cli->domain,
-                                                conn->cli->user_name,
-                                                conn_pwd, &result);
+                                                domain_name,
+                                                machine_account,
+                                                machine_password, &result);
 
        if (conn->samr_pipe == NULL) {
                DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
                          "pipe for domain %s using NTLMSSP "
                          "authenticated pipe: user %s\\%s. Error was "
-                         "%s\n", domain->name, conn->cli->domain,
-                         conn->cli->user_name, nt_errstr(result)));
+                         "%s\n", domain->name, domain_name,
+                         machine_account, nt_errstr(result)));
                goto schannel;
        }
 
        DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
                  "domain %s using NTLMSSP authenticated "
                  "pipe: user %s\\%s\n", domain->name,
-                 conn->cli->domain, conn->cli->user_name ));
+                 domain_name, machine_account));
 
        result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
                                     SEC_RIGHTS_MAXIMUM_ALLOWED,
@@ -2011,6 +2121,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
        *cli = conn->samr_pipe;
        *sam_handle = conn->sam_domain_handle;
+       SAFE_FREE(machine_password);
+       SAFE_FREE(machine_account);
        return result;
 }
 
@@ -2161,10 +2273,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                return NT_STATUS_OK;
        }
 
-       if ((IS_DC || domain->primary) && !get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
-               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-       }
-
        netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
                                                 &result);
        if (netlogon_pipe == NULL) {
@@ -2176,27 +2284,16 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                neg_flags &= ~NETLOGON_NEG_SCHANNEL;            
                goto no_schannel;
        }
-       
+
        if (lp_client_schannel() != False) {
                neg_flags |= NETLOGON_NEG_SCHANNEL;
        }
 
-       /* if we are a DC and this is a trusted domain, then we need to use our
-          domain name in the net_req_auth2() request */
-
-       if ( IS_DC
-               && !strequal(domain->name, lp_workgroup())
-               && lp_allow_trusted_domains() ) 
+       if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
+                              &sec_chan_type))
        {
-               account_name = lp_workgroup();
-       } else {
-               account_name = domain->primary ?
-                       global_myname() : domain->name;
-       }
-
-       if (account_name == NULL) {
                cli_rpc_pipe_close(netlogon_pipe);
-               return NT_STATUS_NO_MEMORY;
+               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
        }
 
        result = rpccli_netlogon_setup_creds(