r17402: Added lookup_name_smbconf() to be called when looking

up names from smb.conf. If the name is unqualified it
causes the lookup to be done in WORKGROUP\name, then
"Unix [users|groups]"\name rather than searching the
domain. Should fix the problems with "force user"
selecting a domain user by preference.
Jeremy.
(This used to be commit 1e1fcb5eb2)

source3/auth/auth_util.c

@@ -1053,9 +1053,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	if (!lookup_name(tmp_ctx, username, LOOKUP_NAME_ALL,
+	if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
 			 NULL, NULL, &user_sid, &type)) {
-		DEBUG(1, ("lookup_name for %s failed\n", username));
+		DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
 		goto done;
 	}
 

source3/passdb/lookup_sid.c

@@ -378,6 +378,56 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 	return True;
 }
 
+/************************************************************************
+ Names from smb.conf can be unqualified. eg. valid users = foo
+ These names should never map to a remote name. Try lp_workgroup()\foo,
+ and then "Unix Users"\foo (or "Unix Groups"\foo).
+************************************************************************/
+
+BOOL lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+		 const char *full_name, int flags,
+		 const char **ret_domain, const char **ret_name,
+		 DOM_SID *ret_sid, enum SID_NAME_USE *ret_type)
+{
+	char *qualified_name;
+
+	/* NB. No winbindd_separator here as lookup_name needs \\' */
+	if (strchr_m(full_name, '\\')) {
+		/* The name is already qualified with a domain. */
+		return lookup_name(mem_ctx, full_name, flags,
+				ret_domain, ret_name,
+				ret_sid, ret_type);
+	}
+
+	/* Try with our own domain name. */
+	qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+				lp_workgroup(),
+				full_name );
+	if (!qualified_name) {
+		return False;
+	}
+
+	if (lookup_name(mem_ctx, qualified_name, flags,
+				ret_domain, ret_name,
+				ret_sid, ret_type)) {
+		return True;
+	}
+	
+	/* Finally try with "Unix Users" or "Unix Group" */
+	qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+				flags & LOOKUP_NAME_GROUP ?
+					unix_groups_domain_name() :
+					unix_users_domain_name(),
+				full_name );
+	if (!qualified_name) {
+		return False;
+	}
+
+	return lookup_name(mem_ctx, qualified_name, flags,
+				ret_domain, ret_name,
+				ret_sid, ret_type);
+}
+
 static BOOL wb_lookup_rids(TALLOC_CTX *mem_ctx,
 			   const DOM_SID *domain_sid,
 			   int num_rids, uint32 *rids,

source3/smbd/service.c

@@ -446,10 +446,10 @@ static NTSTATUS find_forced_group(BOOL force_user,
 	groupname = talloc_string_sub(mem_ctx, groupname,
 				      "%S", lp_servicename(snum));
 
-	if (!lookup_name(mem_ctx, groupname,
+	if (!lookup_name_smbconf(mem_ctx, groupname,
 			 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
 			 NULL, NULL, &group_sid, &type)) {
-		DEBUG(10, ("lookup_name(%s) failed\n",
+		DEBUG(10, ("lookup_name_smbconf(%s) failed\n",
 			   groupname));
 		goto done;
 	}