From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 8 Dec 2018 22:25:40 +0000 (+0100)
Subject: s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts
X-Git-Tag: samba-4.8.9~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cfad63624ceffc2daa63e16411f6d64309ffc76e;p=thirdparty%2Fsamba.git

s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Dec 20 12:15:09 CET 2018 on sn-devel-144

(cherry picked from commit 63dc60767eb13d8fc09ed4bc44faa538581b18f1)

Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Wed Jan  9 15:55:39 CET 2019 on sn-devel-144
---

diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 0f5d684ff18..93b832265cf 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -22,6 +22,7 @@
 
 #include "includes.h"
 #include "auth.h"
+#include "passdb.h"
 #include "nsswitch/libwbclient/wbclient.h"
 
 #undef DBGC_CLASS
@@ -110,7 +111,37 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 	}
 
 	if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
-		return NT_STATUS_NO_LOGON_SERVERS;
+		struct pdb_trusted_domain **domains = NULL;
+		uint32_t num_domains = 0;
+		NTSTATUS status;
+
+		if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
+			status = NT_STATUS_NO_LOGON_SERVERS;
+			DBG_ERR("winbindd not running - "
+				"but required as domain member: %s\n",
+				nt_errstr(status));
+			return status;
+		}
+
+		status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, &domains);
+		if (!NT_STATUS_IS_OK(status)) {
+			DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
+				nt_errstr(status));
+			return status;
+		}
+		TALLOC_FREE(domains);
+
+		if (num_domains == 0) {
+			DBG_DEBUG("winbindd not running - ignoring without "
+				  "trusted domains\n");
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+
+		status = NT_STATUS_NO_LOGON_SERVERS;
+		DBG_ERR("winbindd not running - "
+			"but required as DC with trusts: %s\n",
+			nt_errstr(status));
+		return status;
 	}
 
 	if (wbc_status == WBC_ERR_AUTH_ERROR) {