s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts
authorStefan Metzmacher <metze@samba.org>
Sat, 8 Dec 2018 22:25:40 +0000 (23:25 +0100)
committerKarolin Seeger <kseeger@samba.org>
Wed, 9 Jan 2019 14:55:39 +0000 (15:55 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Dec 20 12:15:09 CET 2018 on sn-devel-144

(cherry picked from commit 63dc60767eb13d8fc09ed4bc44faa538581b18f1)

Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Wed Jan  9 15:55:39 CET 2019 on sn-devel-144

source3/auth/auth_winbind.c

index 0f5d684ff18ada0cf6db4c9b7ba1e5721a1e0e5f..93b832265cfa81367ac608923c480168ef20b2ed 100644 (file)
@@ -22,6 +22,7 @@
 
 #include "includes.h"
 #include "auth.h"
+#include "passdb.h"
 #include "nsswitch/libwbclient/wbclient.h"
 
 #undef DBGC_CLASS
@@ -110,7 +111,37 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
        }
 
        if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
-               return NT_STATUS_NO_LOGON_SERVERS;
+               struct pdb_trusted_domain **domains = NULL;
+               uint32_t num_domains = 0;
+               NTSTATUS status;
+
+               if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
+                       status = NT_STATUS_NO_LOGON_SERVERS;
+                       DBG_ERR("winbindd not running - "
+                               "but required as domain member: %s\n",
+                               nt_errstr(status));
+                       return status;
+               }
+
+               status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, &domains);
+               if (!NT_STATUS_IS_OK(status)) {
+                       DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
+                               nt_errstr(status));
+                       return status;
+               }
+               TALLOC_FREE(domains);
+
+               if (num_domains == 0) {
+                       DBG_DEBUG("winbindd not running - ignoring without "
+                                 "trusted domains\n");
+                       return NT_STATUS_NOT_IMPLEMENTED;
+               }
+
+               status = NT_STATUS_NO_LOGON_SERVERS;
+               DBG_ERR("winbindd not running - "
+                       "but required as DC with trusts: %s\n",
+                       nt_errstr(status));
+               return status;
        }
 
        if (wbc_status == WBC_ERR_AUTH_ERROR) {
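Review bot: The failure branch after `pdb_enum_trusted_domains()` returns the backend's status verbatim, while the same block uses `NT_STATUS_NOT_IMPLEMENTED` as its deliberate "ignore winbindd" result. If a passdb backend can report that code for an unimplemented enumeration (not visible in this hunk), the error path would look the same to the caller as the no-trusts case, although the absence of trusts was never established. Failing closed would avoid that: keep the `DBG_ERR` with the real status, then `return NT_STATUS_NO_LOGON_SERVERS;`. A short comment above the `num_domains == 0` return would also help, e.g. `/* no trusts: nothing for winbindd to authenticate, let the caller try other auth methods */`, since the title names NT4 PDC/BDC but the code only excludes `ROLE_DOMAIN_MEMBER`. The body of `check_winbind_security` starts before and continues after this hunk, so whether other server roles reach this branch cannot be confirmed from here.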