winbind: Create local krb5.conf for idmap backend ad

Without this, it can happen that tldap will look at a possibly wrong
/etc/krb5.conf. I have not reliably reproduced this, because a
set_domain_online_request() in the idmap child might interfere with
this, so I could not write a comprehensive test for this. Manual
testing however fixes the issue that wbinfo --sid-to-uid can take ages
asking a potentially nonexisting KDC.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

source3/winbindd/idmap_ad.c

@@ -31,6 +31,8 @@
 #include "../libds/common/flags.h"
 #include "libcli/ldap/ldap_ndr.h"
 #include "libcli/security/dom_sid.h"
+#include "source3/libads/sitename_cache.h"
+#include "source3/libads/kerberos_proto.h"
 
 struct idmap_ad_schema_names;
 
@@ -323,6 +325,7 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 	struct loadparm_context *lp_ctx;
 	struct tldap_context *ld;
 	uint32_t gensec_features = gensec_features_from_ldap_sasl_wrapping();
+	char *sitename = NULL;
 	int fd;
 	NTSTATUS status;
 	bool ok;
@@ -353,6 +356,22 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
 	}
 
+	sitename = sitename_fetch(talloc_tos(), lp_realm());
+
+	/*
+	 * create_local_private_krb5_conf_for_domain() can deal with
+	 * sitename==NULL
+	 */
+
+	ok = create_local_private_krb5_conf_for_domain(
+		lp_realm(), lp_workgroup(), sitename, &dcaddr);
+	TALLOC_FREE(sitename);
+	if (!ok) {
+		DBG_DEBUG("Could not create private krb5.conf\n");
+		TALLOC_FREE(dcinfo);
+		return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+	}
+
 	status = open_socket_out(&dcaddr, 389, 10000, &fd);
 	if (!NT_STATUS_IS_OK(status)) {
 		DBG_DEBUG("open_socket_out failed: %s\n", nt_errstr(status));