7 files changed, 90 insertions, 21 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index be26aa9cbec..c2dbee4e85a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,21 +1,24 @@
                    =================================
                    Release Notes for Samba 3.0.23rc3
-                              Jun XX, 2006
+                              Jun 23, 2006
                    =================================
 
-This is the third release candidate of the 3.0.23 code base and is 
-provided for testing purposes only.  While close to the final stable 
-release, this snapshot is *not* intended for production servers. 
-Your testing and feedback is greatly appreciated.
+This is the third release candidate of the 3.0.23 code base 
+and is provided for community testing purposes.  If all goes 
+well, we hope that this will become the production 3.0.23 
+release.  Your testing and feedback is greatly appreciated.
 
-We would like to thank the developers of Klocwork for their analysis 
-of the Samba source tree.  This release candidate includes fixes 
-for over three dozen defects reported by the Klocwork code analyzer.
+We would like to thank the developers of Klocwork for their 
+analysis of the Samba source tree.  This release candidate 
+includes fixes for over 170 defects reported by the Klocwork 
+code analyzer.
 
 Common issues addressed in 3.0.23rc3 include:
 
-   o Many more warnings from the Klocwork code analyzer.
+   o Warnings from the Klocwork code analyzer.
    o Various portability bugs on AIX, Solaris, and True64.
+   o Authorization problems when managing services.
+   o Problems joining Windows clients to a Samba/LDAP domain.
 
 
 ######################################################################
@@ -64,6 +67,8 @@ o   Guenther Deschner <gd@samba.org>
     * Add "rpc shell" to the usage text for the net command.
     * Winbindd user aliases lookup fixes for large domains.
     * Fix memleak in the CLDAP processing code.
+    * Enable AD features in winbindd's PAM support only when 
+      communicating with an AD domain controller.
 
 
 o   Bjoern Jacke <samba@j3e.de>.
@@ -91,6 +96,7 @@ o   Jason Mader <jason@ncac.gwu.edu>
 o   James Peach <jpeach@sgi.com>
     * Ensure smbclient always prompts on standard output when in
       interactive mode.
+    * BUG 3801, 3805: Fix MIPSPro compiler warnings on IRIX.
 
 
 o   Andreas Schwab
diff --git a/source/Makefile.in b/source/Makefile.in
index 136f597af3d..dbff21a2c85 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -517,9 +517,6 @@ RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \
 PAM_WINBIND_OBJ = nsswitch/pam_winbind.o $(WBCOMMON_OBJ) \
 		  lib/replace1.o $(SNPRINTF_OBJ) @BUILD_INIPARSER@
 
-PAM_WINBIND_PICOBJ = $(PAM_WINBIND_OBJ:.o=.@PICSUFFIX@)
-
-
 SMBW_OBJ1 = smbwrapper/smbw.o \
 		smbwrapper/smbw_dir.o smbwrapper/smbw_stat.o \
 		smbwrapper/realcalls.o smbwrapper/shared.o \
@@ -1217,7 +1214,7 @@ bin/winbindd@EXEEXT@: $(WINBINDD_OBJ) @BUILD_POPT@ bin/.dummy
 		$(LDAP_LIBS) $(KRB5LIBS) \
 		@SONAMEFLAG@`basename $@`@NSSSONAMEVERSIONSUFFIX@
 
-bin/pam_winbind.@SHLIBEXT@: $(PAM_WINBIND_PICOBJ) bin/.dummy
+bin/pam_winbind.@SHLIBEXT@: $(PAM_WINBIND_OBJ:.o=.@PICSUFFIX@) bin/.dummy
 	@echo "Linking shared library $@"
 	@$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_PICOBJ) \
 		@SONAMEFLAG@`basename $@` -lpam @INIPARSERLIBS@
diff --git a/source/configure.in b/source/configure.in
index 9dce9e0e2c9..d285647df37 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -554,7 +554,22 @@ AC_CANONICAL_SYSTEM
 
 dnl Add #include for broken IRIX header files
   case "$host_os" in
-	*irix6*) AC_ADD_INCLUDE(<standards.h>)
+	*irix6*)
+		AC_ADD_INCLUDE(<standards.h>)
+		if test x"$ac_cv_prog_gcc" != x"yes" ; then
+			dnl Fix sensible defaults for MIPSPro compilers. The
+			dnl error numbers are valid for the 7.3 compilers,
+			dnl hopefully also valid for the 7.4 series.
+			dnl
+			dnl Bugzilla 3801. Force an error on warning 1035
+			dnl so we don't incorrectly detect stdint.h. This
+			dnl warning is emitted for #error directives.
+			CFLAGS="$CFLAGS -diag_error 1035"
+			dnl 1209: Controlling expression is constant
+			dnl 1174: Function foo declared but never referenced
+			dnl 3201: Parameter foo was never referenced
+			CFLAGS="$CFLAGS -woff 1209,1174,3201"
+		fi
 	;;
 esac
 
@@ -5397,7 +5412,7 @@ if test x"$INCLUDED_POPT" = x"yes"; then
     AC_MSG_RESULT(yes)
     BUILD_POPT='$(POPT_OBJS)'
 	POPTLIBS='$(POPT_OBJS)'
-    FLAGS1="-I$srcdir/popt"
+    FLAGS1="-I\$(srcdir)/popt"
 else
     AC_MSG_RESULT(no)
 	BUILD_POPT=""
@@ -5432,7 +5447,7 @@ if test x"$INCLUDED_INIPARSER" = x"yes"; then
     AC_MSG_RESULT(yes)
     BUILD_INIPARSER='$(INIPARSER_OBJ)'
 	INIPARSERLIBS=""
-    FLAGS1="$FLAGS1 -I$srcdir/iniparser/src"
+    FLAGS1="$FLAGS1 -I\$(srcdir)/iniparser/src"
 else
     AC_MSG_RESULT(no)
 	BUILD_INIPARSER=""
diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index ea4d8503c1b..c1276bd9612 100644
--- a/source/nsswitch/winbindd_cm.c
+++ b/source/nsswitch/winbindd_cm.c
@@ -783,7 +783,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
 				fstrcpy( domain->dcname, saf_name );
 			} else {
 				add_failed_connection_entry(
-					domain->name, saf_name,
+					domain->name, saf_servername,
 					NT_STATUS_UNSUCCESSFUL);
 			}
 		} 
diff --git a/source/nsswitch/winbindd_dual.c b/source/nsswitch/winbindd_dual.c
index 3003a314c03..0cc35277b05 100644
--- a/source/nsswitch/winbindd_dual.c
+++ b/source/nsswitch/winbindd_dual.c
@@ -649,6 +649,10 @@ static void child_msg_onlinestatus(int msg_type, struct process_id src, void *bu
 	}
 	
 	message = collect_onlinestatus(mem_ctx);
+	if (message == NULL) {
+		talloc_destroy(mem_ctx);
+		return;
+	}
 
 	message_send_pid(*sender, MSG_WINBIND_ONLINESTATUS, 
 			 message, strlen(message) + 1, True);
@@ -730,7 +734,7 @@ static BOOL fork_domain_child(struct winbindd_child *child)
 		return False;
 	}
 
-	if (child->domain != NULL) {
+	if (child->domain != NULL && lp_winbind_offline_logon()) {
 		/* We might be in the idmap child...*/
 		child->lockout_policy_event = add_timed_event(
 			child->mem_ctx, timeval_zero(),
diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c
index 3ae7692c127..1eb2659905b 100644
--- a/source/nsswitch/winbindd_pam.c
+++ b/source/nsswitch/winbindd_pam.c
@@ -6,7 +6,7 @@
    Copyright (C) Andrew Tridgell 2000
    Copyright (C) Tim Potter 2001
    Copyright (C) Andrew Bartlett 2001-2002
-   Copyright (C) Guenther Deschner 2005
+   Copyright (C) Guenther Deschner 2005-2006
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -221,6 +221,44 @@ static struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state
 		return NULL;
 	}
 
+	if (strequal(domain_name, lp_workgroup())) {
+		return find_our_domain();
+	}
+
+#ifdef HAVE_ADS
+
+	/* when trying to login using krb5 with a trusted domain account, we
+	 * need to make sure that our and the remote domain are AD */
+
+	if ((state->request.flags & WBFLAG_PAM_KRB5) &&
+	    (lp_security() == SEC_ADS)) {
+
+		struct winbindd_domain *our_domain = find_our_domain();
+
+		if (!our_domain->active_directory) {
+			DEBUG(3,("find_auth_domain: out domain is not AD\n"));
+			return NULL;
+		}
+		
+		if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) {
+			return NULL;
+		}
+
+		/* do we already know it's AD ? */
+		if (domain->active_directory) {
+			return domain;
+		} 
+
+		set_dc_type_and_flags(domain);
+
+		if (!domain->active_directory) {
+			DEBUG(3,("find_auth_domain: remote domain is not AD\n"));
+			return NULL;
+		}
+
+		return domain;
+	}
+#endif
 	return find_our_domain();
 }
 
@@ -897,13 +935,20 @@ NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
 		}
 	}
 
-	set_dc_type_and_flags(contact_domain);
+	if (contact_domain->initialized && 
+	    contact_domain->active_directory) {
+	    	goto try_login;
+	}
+
+	if (!contact_domain->initialized) {
+		set_dc_type_and_flags(contact_domain);
+	}
 
 	if (!contact_domain->active_directory) {
 		DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
 		return NT_STATUS_INVALID_LOGON_TYPE;
 	}
-
+try_login:
 	result = winbindd_raw_kerberos_login(contact_domain, state, info3);
 done:
 	return result;
diff --git a/source/popt/popt.c b/source/popt/popt.c
index e9c4c17de50..ce3687fb64e 100644
--- a/source/popt/popt.c
+++ b/source/popt/popt.c
@@ -927,7 +927,9 @@ int poptGetNextOpt(poptContext con)
 		    if ((opt->argInfo & POPT_ARG_MASK) == POPT_ARG_DOUBLE) {
 			*((double *) opt->arg) = aDouble;
 		    } else {
+#ifndef _ABS
 #define _ABS(a)	((((a) - 0.0) < DBL_EPSILON) ? -(a) : (a))
+#endif
 			if ((_ABS(aDouble) - FLT_MAX) > DBL_EPSILON)
 			    return POPT_ERROR_OVERFLOW;
 			if ((FLT_MIN - _ABS(aDouble)) > DBL_EPSILON)