r17723: * BUG 3969: Fix unsigned time comparison with expiration policy from AD DC

* Merge patches from SLES10 to make sure we talk to the correct
  winbindd process when performing pam_auth (and pull the password policy info).
(This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)

source3/include/includes.h

@@ -671,6 +671,14 @@ typedef int socklen_t;
 #endif	/* don't lie.  If we don't have it, then don't use it */
 #endif
 
+#if !defined(int64)
+#if (SIZEOF_LONG == 8)
+#define int64 long
+#elif (SIZEOF_LONG_LONG == 8)
+#define int64 long long
+#endif	/* don't lie.  If we don't have it, then don't use it */
+#endif
+
 
 /*
  * Types for devices, inodes and offsets.

source3/nsswitch/pam_winbind.c

@@ -366,7 +366,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
 	request.data.auth.krb5_cc_type[0] = '\0';
 	request.data.auth.uid = -1;
 	
-	request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_GET_PWD_POLICY;
+	request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM;
 
 	if (ctrl & WINBIND_KRB5_AUTH) {
 
@@ -564,7 +564,7 @@ static int winbind_chauthtok_request(pam_handle_t * pamh,
 	}
 
 	if (ctrl & WINBIND_KRB5_AUTH) {
-		request.flags = WBFLAG_PAM_KRB5;
+		request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM;
 	}
 
 	ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_CHAUTHTOK, &request, &response, user);
@@ -1150,7 +1150,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags,
 		}
 		request.data.logoff.uid = pwd->pw_uid;
 
-		request.flags = WBFLAG_PAM_KRB5;
+		request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM;
 
 	        retval = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_LOGOFF, &request, &response, user);
 	}
@@ -1391,7 +1391,7 @@ struct pam_module _pam_winbind_modstruct = {
  * Copyright (c) Tim Potter       <tpot@samba.org>     2000
  * Copyright (c) Andrew Bartlettt <abartlet@samba.org> 2002
  * Copyright (c) Guenther Deschner <gd@samba.org>      2005-2006
- * Copyright (c) Jan Rêkorajski 1999.
+ * Copyright (c) Jan Rêkorajski 1999.
  * Copyright (c) Andrew G. Morgan 1996-8.
  * Copyright (c) Alex O. Yuriev, 1996.
  * Copyright (c) Cristian Gafton 1996.

source3/nsswitch/winbind_nss_config.h

@@ -24,12 +24,12 @@
 #ifndef _WINBIND_NSS_CONFIG_H
 #define _WINBIND_NSS_CONFIG_H
 
-/* shutup the compiler warnings due to krb5.h on i
-   64-bit sles9 */
+/* shutup the compiler warnings due to krb5.h on 64-bit sles9 */
 #ifdef SIZEOF_LONG
 #undef SIZEOF_LONG
 #endif
 
+
 /* Include header files from data in config.h file */
 
 #ifndef NO_CONFIG_H
@@ -137,6 +137,15 @@ typedef int BOOL;
 #endif  /* don't lie.  If we don't have it, then don't use it */
 #endif
 
+#if !defined(int64)
+#if (SIZEOF_LONG == 8)
+#define int64 long
+#elif (SIZEOF_LONG_LONG == 8)
+#define int64 long long
+#endif  /* don't lie.  If we don't have it, then don't use it */
+#endif
+
+
 
 /* zero a structure */
 #ifndef ZERO_STRUCT

source3/nsswitch/winbindd_nss.h

@@ -42,8 +42,8 @@
    between /lib/libnss_winbind.so.2 and /li64/libnss_winbind.so.2.
    The easiest way to do this is to always use 8byte values for time_t. */
 
-#if defined(uint64)
-#  define SMB_TIME_T uint64
+#if defined(int64)
+#  define SMB_TIME_T int64
 #else
 #  define SMB_TIME_T time_t
 #endif
@@ -198,7 +198,7 @@ typedef struct winbindd_gr {
 #define WBFLAG_PAM_KRB5			0x1000
 #define WBFLAG_PAM_FALLBACK_AFTER_KRB5	0x2000
 #define WBFLAG_PAM_CACHED_LOGIN		0x4000
-#define WBFLAG_PAM_GET_PWD_POLICY	0x8000
+#define WBFLAG_PAM_GET_PWD_POLICY	0x8000	/* not used */
 
 #define WINBINDD_MAX_EXTRA_DATA (128*1024)
 

source3/nsswitch/winbindd_pam.c

@@ -6,7 +6,7 @@
    Copyright (C) Andrew Tridgell 2000
    Copyright (C) Tim Potter 2001
    Copyright (C) Andrew Bartlett 2001-2002
-   Copyright (C) Guenther Deschner 2005-2006
+   Copyright (C) Guenther Deschner 2005
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -222,44 +222,18 @@ struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
 		return NULL;
 	}
 
-	if (strequal(domain_name, lp_workgroup())) {
-		return find_our_domain();
-	}
-
-#ifdef HAVE_ADS
-
-	/* when trying to login using krb5 with a trusted domain account, we
-	 * need to make sure that our and the remote domain are AD */
-
-	if ((state->request.flags & WBFLAG_PAM_KRB5) &&
-	    (lp_security() == SEC_ADS)) {
-
-		struct winbindd_domain *our_domain = find_our_domain();
-
-		if (!our_domain->active_directory) {
-			DEBUG(3,("find_auth_domain: out domain is not AD\n"));
-			return NULL;
-		}
-		
-		if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) {
-			return NULL;
-		}
-
-		/* do we already know it's AD ? */
-		if (domain->active_directory) {
+	/* we can auth against trusted domains */
+	if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
+		domain = find_domain_from_name_noinit(domain_name);
+		if (domain == NULL) {
+			DEBUG(3, ("Authentication for domain [%s] skipped " 
+				  "as it is not a trusted domain\n", 
+				  domain_name));
+		} else {
 			return domain;
 		} 
-
-		set_dc_type_and_flags(domain);
-
-		if (!domain->active_directory) {
-			DEBUG(3,("find_auth_domain: remote domain is not AD\n"));
-			return NULL;
 		}
 
-		return domain;
-	}
-#endif
 	return find_our_domain();
 }
 
@@ -1306,15 +1280,12 @@ process_result:
 
 		}
 
-		/* this is required to provide password expiry warning */ 
-		if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
 			result = fillup_password_policy(domain, state);
 
 			if (!NT_STATUS_IS_OK(result)) {
 				DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
 				goto done;
 			}
-		}
 	
 	}