From af333fbf94b6767e0583bcb2e4de7a20077061f3 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 12 Jun 2015 11:54:21 +1200
Subject: [PATCH 1/3] winbindd: Use pdb_get_domain_info() to get exactly the local domain info when we are an AD DC

This also triggers pdb_samba_dsdb_init_secrets(), to force the correct SID into secrets.tdb.

Signed-off-by: Andrew Bartlett
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
---
 source3/winbindd/winbindd_util.c | 11 +++++++++--
 source4/selftest/tests.py | 2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 021f5ca..631bf9c 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -722,10 +722,17 @@ bool init_domain_list(void)
 enum netr_SchannelType sec_chan_type;
 const char *account_name;
 struct samr_Password current_nt_hash;
+ struct pdb_domain_info *pdb_domain_info;
 bool ok;
 
- domain = add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
- &cache_methods, get_global_sam_sid());
+ pdb_domain_info = pdb_get_domain_info(talloc_tos());
+ if (pdb_domain_info == NULL) {
+ DEBUG(0, ("Failed to fetch our own, local AD domain info from sam.ldb\n"));
+ return false;
+ }
+ domain = add_trusted_domain(pdb_domain_info->name, pdb_domain_info->dns_domain,
+ &cache_methods, &pdb_domain_info->sid);
+ TALLOC_FREE(pdb_domain_info);
 if (domain == NULL) {
 DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
 return false;
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 2ce01a1..b938e78 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
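Review bot: The `TALLOC_FREE(pdb_domain_info)` placed right after the new `add_trusted_domain()` call is only safe if `add_trusted_domain()` copies `name`, `dns_domain` and `sid` into the domain entry rather than keeping the pointers, and that contract is not visible in this hunk. If any of them were retained by reference, winbindd's domain list would hold dangling talloc memory for the daemon's lifetime, so the assumption deserves a comment at the call site: `/* add_trusted_domain() takes copies of name, dns_domain and sid */`. The second patch later reading `domain->name` and `&domain->sid` suggests the entry does own copies, but I could not confirm it from here. init_domain_list begins before this hunk and continues after it.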
@@ -383,7 +383,7 @@ for env in ["nt4_dc", "fl2003dc"]:
 for t in winbind_wbclient_tests:
 plansmbtorture4testsuite(t, "%s:local" % env, '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD')
 
-for env in ["nt4_dc", "nt4_member", "ad_dc", "ad_dc_ntvfs", "ad_member", "s4member"]:
+for env in ["nt4_dc", "nt4_member", "ad_dc", "ad_dc_ntvfs", "ad_member", "s4member", "chgdcpass"]:
 tests = ["--ping", "--separator",
 "--own-domain",
 "--all-domains",
-- 
2.1.4

From 8889f10a91e80786b130548267dc21a26c77b360 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 12 Jun 2015 11:57:07 +1200
Subject: [PATCH 2/3] winbindd: Sync secrets.ldb into secrets.tdb on startup

This ensures that the domain SID and machine account password are written into secrets.tdb if the secrets.tdb file was either never written or was deleted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
Signed-off-by: Andrew Bartlett
---
 source3/winbindd/winbindd_util.c | 41 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 631bf9c..417ea69 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -29,6 +29,7 @@
 #include "passdb.h"
 #include "source4/lib/messaging/messaging.h"
 #include "librpc/gen_ndr/ndr_lsa.h"
+#include "auth/credentials/credentials.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
@@ -746,13 +747,47 @@ bool init_domain_list(void)
 &account_name,
 &sec_chan_type);
 if (!ok) {
- DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
- return false;
+ /* If get_trust_pw_hash() fails, then try and fetch the password from the more recent of secrets.{ldb,tdb} using the pdb_get_trust_credentials() */
+ struct cli_credentials *creds;
+ NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name, NULL, domain, &creds);
+ if (!NT_STATUS_IS_OK(can_migrate)) {
+ DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use, both from secrets.tdb and secrets.ldb: %s\n", nt_errstr(can_migrate)));
+ return false;
+ }
+
+ /* NOTE: It is very unlikely we end up
+ * here if there is an oldpass,
+ * because a new password is created
+ * at classicupgrade, so this is not a
+ * concern. */
+ ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
+ NULL /* oldpass */,
+ cli_credentials_get_domain(creds),
+ cli_credentials_get_realm(creds),
+ cli_credentials_get_salt_principal(creds),
+ 0, /* Supported enc types, unused */
+ &domain->sid,
+ cli_credentials_get_password_last_changed_time(creds),
+ cli_credentials_get_secure_channel_type(creds),
+ false /* do_delete: Do not delete */);
+ TALLOC_FREE(creds);
+ if (ok == false) {
+ DEBUG(0, ("Failed to write our our own, local AD domain join password for winbindd's internal use into secrets.tdb\n"));
+ return false;
+ }
+ ok = get_trust_pw_hash(domain->name,
+ current_nt_hash.hash,
+ &account_name,
+ &sec_chan_type);
+ if (ok == false) {
+ DEBUG(0, ("Failed to re-fetch our own, local AD domain join password for winbindd's internal use from secrets.tdb: %s\n", nt_errstr(can_migrate)));
+ return false;
+ }
 }
 if (sec_chan_type == SEC_CHAN_RODC) {
 domain->rodc = true;
 }
-
+
 } else {
 (void)add_trusted_domain(get_global_sam_name(), NULL,
 &cache_methods, get_global_sam_sid());
-- 
2.1.4
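Review bot: The last added `DEBUG` in the `if (!ok)` block, after the second `get_trust_pw_hash()` call, formats `nt_errstr(can_migrate)`, but `can_migrate` has already passed the `NT_STATUS_IS_OK` check above, so a failed re-read from secrets.tdb will always be logged with `NT_STATUS_OK` appended, which misleads whoever is diagnosing a DC that cannot load its machine account password. Drop the status from that message: `DEBUG(0, ("Failed to re-fetch our own, local AD domain join password for winbindd's internal use from secrets.tdb\n"));`. The write-failure message two checks earlier also has a doubled word, `our our own`. As a point of style, the new checks are written `ok == false` while the line they sit under uses `!ok`. The enclosing `if`/`else` begins before this hunk and init_domain_list continues after it.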
From ecf8d1a635e91dcf7ba0a417440a64d14bcebcdd Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 11 Jun 2015 17:19:38 +1200
Subject: [PATCH 3/3] selftest: Change chgdcpass environment to use winbindd

This allows us to test that winbindd starts up without secrets.tdb, as happens after a classicupgrade.

Signed-off-by: Andrew Bartlett
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
---
 selftest/knownfail | 4 ++--
 selftest/target/Samba4.pm | 6 ++----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 26aed77..1c86f85 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -257,8 +257,8 @@
 ^samba.wbinfo_simple.\(ad_dc_ntvfs:local\).--allocate-gid
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-uid
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-gid
-^samba.wbinfo_simple.\(ad_dc:local\).--allocate-uid
-^samba.wbinfo_simple.\(ad_dc:local\).--allocate-gid
+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-uid
+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-gid
 #
 # These do not work against winbindd in member mode for unknown reasons
 #
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 3a5b409..ef6b07a 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1799,7 +1799,6 @@ sub provision_chgdcpass($$)
 print "PROVISIONING CHGDCPASS...";
 my $extra_provision_options = undef;
 push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
- my $extra_conf_options = "server services = +winbind -winbindd";
 my $ret = $self->provision($prefix,
 "domain controller",
 "chgdcpass",
@@ -1809,7 +1808,7 @@ sub provision_chgdcpass($$)
 "chgDCpass1",
 undef,
 undef,
- $extra_conf_options,
+ "",
 "",
 $extra_provision_options);
 
@@ -1821,8 +1820,7 @@ sub provision_chgdcpass($$)
 
 # Remove secrets.tdb from this environment to test that we
 # still start up on systems without the new matching
- # secrets.tdb records. For this reason we don't run winbindd
- # in this environment
+ # secrets.tdb records.
 unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
 warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
 return undef;
-- 
2.1.4