From 8b7bf6d4d81cde099d78cd9cc03aa085cec672d4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 15 Jan 2018 12:06:50 +0100
Subject: [PATCH] winbindd: prepare find_lookup_domain_from_{name,sid}() transitive trusts on a DC
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
source3/winbindd/winbindd_util.c | 40 +++++++++++++++++++++++++++++++++++-----
1 file changed, 35 insertions(+), 5 deletions(-)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 876ee69a4b6..c190ad26ddf 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1488,15 +1488,31 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
 return find_domain_from_sid(get_global_sam_sid());
 }
 
- /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
- * one to contact the external DC's. On member servers the internal
- * domains are different: These are part of the local SAM. */
+ /*
+ * On member servers the internal domains are different: These are part
+ * of the local SAM.
+ */
 
- if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
+ if (is_internal_domain(sid) || is_in_internal_domain(sid)) {
 DEBUG(10, ("calling find_domain_from_sid\n"));
 return find_domain_from_sid(sid);
 }
 
+ if (IS_DC) {
+ struct winbindd_domain *domain = NULL;
+
+ domain = find_domain_from_sid_noinit(sid);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return domain->routing_domain;
+ }
+
 /* On a member server a query for SID or name can always go to our
 * primary DC. */
 
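Review bot: The new `if (IS_DC)` block carries no comment, and the commit drops the old one that explained the DC case, so nothing states why a domain whose `secure_channel_type` is `SEC_CHAN_NULL` is answered through `domain->routing_domain`; the same uncommented block is added to find_lookup_domain_from_name() in the second hunk. I would put above `return domain->routing_domain;` a comment such as `/* No direct secure channel to this domain: send the lookup via the domain it is routed through; NULL if no route is set. */`. Nothing visible here guarantees `routing_domain` is non-NULL, so callers presumably have to treat a NULL result as "no route" as well as "unknown domain". The DC path also switches from find_domain_from_sid() to find_domain_from_sid_noinit(); if the former initialises the domain before returning it, as the names suggest, that change of behaviour deserves a line in the comment. The function body starts and ends outside the hunk.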
@@ -1516,10 +1532,24 @@ struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
 return find_domain_from_name_noinit( get_global_sam_name() );
 }
 
- if (IS_DC || strequal(domain_name, "BUILTIN") ||
+ if (strequal(domain_name, "BUILTIN") ||
 strequal(domain_name, get_global_sam_name()))
 return find_domain_from_name_noinit(domain_name);
 
+ if (IS_DC) {
+ struct winbindd_domain *domain = NULL;
+
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return domain->routing_domain;
+ }
 
 return find_our_domain();
 }
-- 
2.11.4.GIT
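Review bot: The DC branch added here is a line-for-line copy of the one added to find_lookup_domain_from_sid() in the first hunk, differing only in the lookup call, so the routing decision now lives in two places that can drift apart. Which domain a DC forwards a name or SID lookup to is a trust decision, so I would keep it in one static helper that both functions call; the helper name below is only a suggestion. The opening lines of the function are outside the hunk.

```c
/* On a DC: use the domain itself when we hold a secure channel to it,
 * otherwise whatever domain->routing_domain holds (not checked for NULL). */
static struct winbindd_domain *dc_lookup_route(struct winbindd_domain *domain)
{
	if (domain == NULL) {
		return NULL;
	}
	if (domain->secure_channel_type != SEC_CHAN_NULL) {
		return domain;
	}
	return domain->routing_domain;
}

/* ... unchanged: BUILTIN / local SAM name check ... */
	if (IS_DC) {
		return dc_lookup_route(find_domain_from_name_noinit(domain_name));
	}
```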