s3-winbindd: Allow DNS resolution of trusted domains if DNS name is avaliable
authorSumit Bose <sbose@redhat.com>
Tue, 11 Sep 2012 11:28:35 +0000 (13:28 +0200)
committerGünther Deschner <gd@samba.org>
Fri, 28 Sep 2012 20:44:08 +0000 (22:44 +0200)
Signed-off-by: Günther Deschner <gd@samba.org>
source3/winbindd/winbindd_cm.c
source3/winbindd/winbindd_rpc.c
source3/winbindd/winbindd_util.c

index c08530e81957460da7fec0eb6e8542b8abf5e839..0639be1fb545f8cda86a849329f829cc5e70b05b 100644 (file)
@@ -1286,10 +1286,17 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
                iplist_size = 0;
         }
 
-       /* Try standard netbios queries if no ADS */
+       /* Try standard netbios queries if no ADS and fall back to DNS queries
+        * if alt_name is available */
        if (*num_dcs == 0) {
                get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
-                      False);
+                      false);
+               if (iplist_size == 0) {
+                       if (domain->alt_name != NULL) {
+                               get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
+                                      &iplist_size, true);
+                       }
+               }
 
                for ( i=0; i<iplist_size; i++ ) {
                        char addr[INET6_ADDRSTRLEN];
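Review bot: The new guard `if (domain->alt_name != NULL)` only rules out a null pointer, so an empty alt_name would still be passed to get_sorted_dc_list() as a DNS name; whether alt_name can be empty is not visible in this hunk. If it can, merge the two nested checks into `if (iplist_size == 0 && domain->alt_name != NULL && domain->alt_name[0] != '\0')`. The return value of both get_sorted_dc_list() calls is discarded and only iplist_size is inspected, so a one-line comment saying this is intentional would help the next reader. get_dcs starts before and continues after this hunk.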
index 8a11cb24207222907eb0f6512e809e2e554eb2ea..a580b796c353f15d1c3b02f77ebd25e20eb9ca86 100644 (file)
@@ -972,29 +972,44 @@ NTSTATUS rpc_trusted_domains(TALLOC_CTX *mem_ctx,
 
        do {
                struct lsa_DomainList dom_list;
+               struct lsa_DomainListEx dom_list_ex;
+               bool has_ex = false;
                uint32_t i;
 
                /*
                 * We don't run into deadlocks here, cause winbind_off() is
                 * called in the main function.
                 */
-               status = dcerpc_lsa_EnumTrustDom(b,
-                                                mem_ctx,
-                                                lsa_policy,
-                                                &enum_ctx,
-                                                &dom_list,
-                                                (uint32_t) -1,
-                                                &result);
-               if (!NT_STATUS_IS_OK(status)) {
-                       return status;
-               }
-               if (!NT_STATUS_IS_OK(result)) {
-                       if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
-                               return result;
+               status = dcerpc_lsa_EnumTrustedDomainsEx(b,
+                                                        mem_ctx,
+                                                        lsa_policy,
+                                                        &enum_ctx,
+                                                        &dom_list_ex,
+                                                        (uint32_t) -1,
+                                                        &result);
+               if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result) &&
+                   dom_list_ex.count > 0) {
+                       count += dom_list_ex.count;
+                       has_ex = true;
+               } else {
+                       status = dcerpc_lsa_EnumTrustDom(b,
+                                                        mem_ctx,
+                                                        lsa_policy,
+                                                        &enum_ctx,
+                                                        &dom_list,
+                                                        (uint32_t) -1,
+                                                        &result);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               return status;
+                       }
+                       if (!NT_STATUS_IS_OK(result)) {
+                               if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
+                                       return result;
+                               }
                        }
-               }
 
-               count += dom_list.count;
+                       count += dom_list.count;
+               }
 
                array = talloc_realloc(mem_ctx,
                                       array,
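Review bot: A paged reply from dcerpc_lsa_EnumTrustedDomainsEx is handled as a failure: when it returns STATUS_MORE_ENTRIES, `NT_STATUS_IS_OK(result)` is false, so the else branch calls dcerpc_lsa_EnumTrustDom with an `enum_ctx` the first call may already have advanced, and the entries in dom_list_ex are dropped. The same branch is taken when `status` reports a transport error, which hides that error behind a second call. Accept the paged result in the condition with `(NT_STATUS_IS_OK(result) || NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))`, and consider resetting `enum_ctx` before falling back to the older call. The loop body continues past the end of this hunk.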
@@ -1004,21 +1019,32 @@ NTSTATUS rpc_trusted_domains(TALLOC_CTX *mem_ctx,
                        return NT_STATUS_NO_MEMORY;
                }
 
-               for (i = 0; i < dom_list.count; i++) {
+               for (i = 0; i < count; i++) {
                        struct netr_DomainTrust *trust = &array[i];
                        struct dom_sid *sid;
 
                        ZERO_STRUCTP(trust);
 
-                       trust->netbios_name = talloc_move(array,
-                                                         &dom_list.domains[i].name.string);
-                       trust->dns_name = NULL;
-
                        sid = talloc(array, struct dom_sid);
                        if (sid == NULL) {
                                return NT_STATUS_NO_MEMORY;
                        }
-                       sid_copy(sid, dom_list.domains[i].sid);
+
+                       if (has_ex) {
+                               trust->netbios_name = talloc_move(array,
+                                                                 &dom_list_ex.domains[i].netbios_name.string);
+                               trust->dns_name = talloc_move(array,
+                                                             &dom_list_ex.domains[i].domain_name.string);
+
+                               sid_copy(sid, dom_list_ex.domains[i].sid);
+                       } else {
+                               trust->netbios_name = talloc_move(array,
+                                                                 &dom_list.domains[i].name.string);
+                               trust->dns_name = NULL;
+
+                               sid_copy(sid, dom_list.domains[i].sid);
+                       }
+
                        trust->sid = sid;
                }
        } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
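Review bot: The loop bound `i < count` uses the running total, while `dom_list_ex.domains[i]` and `dom_list.domains[i]` hold only the current reply's entries, so once the server returns a second page the index runs past the end of that reply's array. `&array[i]` also restarts at 0 on every pass, so ZERO_STRUCTP wipes the entries stored by the previous page. Because the counts come from the remote LSA server, bound the loop by the current reply and offset the destination: save `start_idx = count` before count is increased in the preceding hunk, then use `for (i = 0; i < num; i++)` with `num = has_ex ? dom_list_ex.count : dom_list.count` and `&array[start_idx + i]`. The `sid` pointers from the reply are also passed to sid_copy() without a NULL check. rpc_trusted_domains starts and ends outside this hunk.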
index c36ae0bb0ac2abae38a8197e7bae28b1237556ed..25ef750075d791b6f519e4495836aa3aa35d9919 100644 (file)
@@ -108,9 +108,9 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
                }
        }
 
-       /* ignore alt_name if we are not in an AD domain */
+       /* use alt_name if available to allow DNS lookups */
 
-       if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
+       if (alt_name && *alt_name) {
                alternative_name = alt_name;
        }
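Review bot: The replacement comment `/* use alt_name if available to allow DNS lookups */` does not say that dropping the `lp_security() == SEC_ADS` test means alt_name is now kept in every security mode. Going by the rpc_trusted_domains change on this page, the value can be the DNS name returned by the remote LSA server, and get_dcs then uses it for DNS-based DC lookup. I would extend the comment to something like `/* alt_name (DNS name, possibly taken from the trust enumeration reply) is kept in all security modes; get_dcs() uses it for the DNS fallback */`. Code elsewhere that treats a non-empty alt_name as a sign of an AD domain, if any exists, would need a second look; none is visible here. add_trusted_domain starts before and continues after this hunk.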