From d57c84d2e1ebf8ac8d15b4223ee39615d8c5c85e Mon Sep 17 00:00:00 2001
From: Lin Liu
Date: Thu, 11 Jun 2026 08:58:44 +0000
Subject: [PATCH] CA-428461: make trusted-domain attribute enrichment best-effort

Fold Wbinfo.kdc_of_domain (wbinfo --getdcname) into the same match as Ldap.query_user in query_subject_information_user, so a DC-location or LDAP query failure falls back to default_account instead of aborting subject creation via let*. Fixes subject-add for one-way trusted-domain users when getdcname cannot locate the trusted DC; attributes are refreshed later by update_all_subjects.

Co-Authored-By: Claude Opus 4.8 (1M context)
Signed-off-by: Lin Liu
---
 ocaml/xapi/extauth_plugin_ADwinbind.ml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ocaml/xapi/extauth_plugin_ADwinbind.ml b/ocaml/xapi/extauth_plugin_ADwinbind.ml
index dd947ca795..95f9f3fa2f 100644
--- a/ocaml/xapi/extauth_plugin_ADwinbind.ml
+++ b/ocaml/xapi/extauth_plugin_ADwinbind.ml
@@ -1623,9 +1623,11 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
 information" ;
 Ok default_account
 | Some domain -> (
- let* dc = Wbinfo.kdc_of_domain domain in
 let timeout = !Xapi_globs.winbind_ldap_query_subject_timeout in
- match Ldap.query_user sid domain_netbios dc ~timeout with
+ match
+ let* dc = Wbinfo.kdc_of_domain domain in
+ Ldap.query_user sid domain_netbios dc ~timeout
+ with
 | Ok user ->
 Ok user
 | _ ->
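Review bot: The `| _ ->` arm after the new `match … with` now absorbs a failure from `Wbinfo.kdc_of_domain` as well as one from `Ldap.query_user`, and nothing visible in the hunk records which step failed or why; the arm's body lies outside the hunk, so whether it already logs cannot be seen here. I would bind the error with `| Error e ->` and log it together with the domain name before returning `default_account`, so an operator can tell an unreachable trusted DC apart from an LDAP timeout or a permissions failure. Because the subject is then stored with default attributes until `update_all_subjects` runs, the account-status fields (disabled, locked, expired) presumably carry their default values in the meantime and should not be treated as authoritative. A comment above the match would make that explicit, for example `(* best-effort: on failure the subject keeps default_account attributes until update_all_subjects refreshes them *)`.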