struct dc_name_ip {
fstring name;
- struct in_addr ip;
+ struct sockaddr_storage ss;
};
extern struct winbindd_methods reconnect_methods;
-extern BOOL override_logfile;
+extern bool override_logfile;
static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
static void set_dc_type_and_flags( struct winbindd_domain *domain );
-static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
+static bool get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
struct dc_name_ip **dcs, int *num_dcs);
/****************************************************************
parent.
****************************************************************/
-static BOOL fork_child_dc_connect(struct winbindd_domain *domain)
+static bool fork_child_dc_connect(struct winbindd_domain *domain)
{
struct dc_name_ip *dcs = NULL;
int num_dcs = 0;
close_conns_after_fork();
if (!override_logfile) {
- pstring logfile;
- pstr_sprintf(logfile, "%s/log.winbindd-dc-connect", dyn_LOGFILEBASE);
- lp_set_logfile(logfile);
- reopen_logs();
+ char *logfile;
+ if (asprintf(&logfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) > 0) {
+ lp_set_logfile(logfile);
+ SAFE_FREE(logfile);
+ reopen_logs();
+ }
}
mem_ctx = talloc_init("fork_child_dc_connect");
}
}
-static BOOL get_dc_name_via_netlogon(const struct winbindd_domain *domain,
- fstring dcname, struct in_addr *dc_ip)
+static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain,
+ fstring dcname,
+ struct sockaddr_storage *dc_ss)
{
struct winbindd_domain *our_domain = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
DEBUG(10, ("rpccli_netlogon_getanydcname returned %s\n", dcname));
- if (!resolve_name(dcname, dc_ip, 0x20)) {
+ if (!resolve_name(dcname, dc_ss, 0x20)) {
return False;
}
return True;
}
+/**
+ * Helper function to assemble trust password and account name
+ */
+static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
+ char **machine_password,
+ char **machine_account,
+ char **machine_krb5_principal)
+{
+ const char *account_name;
+
+ if (!get_trust_pw_clear(domain->name, machine_password,
+ &account_name, NULL))
+ {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ if ((machine_account != NULL) &&
+ (asprintf(machine_account, "%s$", account_name) == -1))
+ {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* this is at least correct when domain is our domain,
+ * which is the only case, when this is currently used: */
+ if ((machine_krb5_principal != NULL) &&
+ (asprintf(machine_krb5_principal, "%s$@%s", account_name,
+ domain->alt_name) == -1))
+ {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
+}
+
/************************************************************************
Given a fd with a just-connected TCP connection to a DC, open a connection
to the pipe.
const int sockfd,
const char *controller,
struct cli_state **cli,
- BOOL *retry)
+ bool *retry)
{
- char *machine_password, *machine_krb5_principal, *machine_account;
- char *ipc_username, *ipc_domain, *ipc_password;
+ char *machine_password = NULL;
+ char *machine_krb5_principal = NULL;
+ char *machine_account = NULL;
+ char *ipc_username = NULL;
+ char *ipc_domain = NULL;
+ char *ipc_password = NULL;
- BOOL got_mutex;
+ bool got_mutex;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
controller, domain->name ));
- machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL,
- NULL);
-
- if (asprintf(&machine_account, "%s$", global_myname()) == -1) {
- SAFE_FREE(machine_password);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(),
- lp_realm()) == -1) {
- SAFE_FREE(machine_account);
- SAFE_FREE(machine_password);
- return NT_STATUS_NO_MEMORY;
- }
-
- cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
-
*retry = True;
got_mutex = secrets_named_mutex(controller,
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
-
- if ((*cli)->protocol >= PROTOCOL_NT1 && (*cli)->capabilities & CAP_EXTENDED_SECURITY) {
+
+ if (!is_trusted_domain_situation(domain->name) &&
+ (*cli)->protocol >= PROTOCOL_NT1 &&
+ (*cli)->capabilities & CAP_EXTENDED_SECURITY)
+ {
ADS_STATUS ads_status;
+ result = get_trust_creds(domain, &machine_password,
+ &machine_account,
+ &machine_krb5_principal);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
if (lp_security() == SEC_ADS) {
/* Try a krb5 session */
ads_status = cli_session_setup_spnego(*cli,
machine_krb5_principal,
machine_password,
- lp_workgroup());
+ domain->name);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("failed kerberos session setup with %s\n",
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+ cli_init_creds(*cli, machine_account, domain->name, machine_password);
goto session_setup_done;
}
}
DEBUG(5, ("connecting to %s from %s with username "
"[%s]\\[%s]\n", controller, global_myname(),
- lp_workgroup(), machine_account));
+ domain->name, machine_account));
ads_status = cli_session_setup_spnego(*cli,
machine_account,
machine_password,
- lp_workgroup());
+ domain->name);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4, ("authenticated session setup failed with %s\n",
ads_errstr(ads_status)));
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+ cli_init_creds(*cli, machine_account, domain->name, machine_password);
goto session_setup_done;
}
}
- /* Fall back to non-kerberos session setup */
+ /* Fall back to non-kerberos session setup with auth_user */
(*cli)->use_kerberos = False;
+ cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
+
if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
(strlen(ipc_username) > 0)) {
return result;
}
-static BOOL add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
- const char *dcname, struct in_addr ip,
+static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
+ const char *dcname, struct sockaddr_storage *pss,
struct dc_name_ip **dcs, int *num)
{
if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
return False;
fstrcpy((*dcs)[*num].name, dcname);
- (*dcs)[*num].ip = ip;
+ (*dcs)[*num].ss = *pss;
*num += 1;
return True;
}
-static BOOL add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
- struct in_addr ip, uint16 port,
- struct sockaddr_in **addrs, int *num)
+static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
+ struct sockaddr_storage *pss, uint16 port,
+ struct sockaddr_storage **addrs, int *num)
{
- *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_in, (*num)+1);
+ *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
if (*addrs == NULL) {
*num = 0;
return False;
}
- (*addrs)[*num].sin_family = PF_INET;
- putip((char *)&((*addrs)[*num].sin_addr), (char *)&ip);
- (*addrs)[*num].sin_port = htons(port);
+ (*addrs)[*num] = *pss;
+ set_sockaddr_port(&(*addrs)[*num], port);
*num += 1;
return True;
fstr_sprintf(name, "\\MAILSLOT\\NET\\GETDC%X", dc_ip.s_addr);
}
-static BOOL send_getdc_request(struct in_addr dc_ip,
+static bool send_getdc_request(struct sockaddr_storage *dc_ss,
const char *domain_name,
const DOM_SID *sid)
{
- pstring outbuf;
+ char outbuf[1024];
+ struct in_addr dc_ip;
char *p;
fstring my_acct_name;
fstring my_mailslot;
+ if (dc_ss->ss_family != AF_INET) {
+ return false;
+ }
+
+ dc_ip = ((struct sockaddr_in *)dc_ss)->sin_addr;
mailslot_name(dc_ip, my_mailslot);
memset(outbuf, '\0', sizeof(outbuf));
SIVAL(p, 0, 0); /* The sender's token ... */
p += 2;
- p += dos_PutUniCode(p, global_myname(), sizeof(pstring), True);
+ p += dos_PutUniCode(p, global_myname(),
+ sizeof(outbuf) - PTR_DIFF(p, outbuf), True);
fstr_sprintf(my_acct_name, "%s$", global_myname());
- p += dos_PutUniCode(p, my_acct_name, sizeof(pstring), True);
+ p += dos_PutUniCode(p, my_acct_name,
+ sizeof(outbuf) - PTR_DIFF(p, outbuf), True);
+
+ if (strlen(my_mailslot)+1 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) {
+ return false;
+ }
memcpy(p, my_mailslot, strlen(my_mailslot)+1);
p += strlen(my_mailslot)+1;
+ if (sizeof(outbuf) - PTR_DIFF(p, outbuf) < 8) {
+ return false;
+ }
+
SIVAL(p, 0, 0x80);
p+=4;
p+=4;
p = ALIGN4(p, outbuf);
+ if (PTR_DIFF(p, outbuf) > sizeof(outbuf)) {
+ return false;
+ }
sid_linearize(p, sid_size(sid), sid);
+ if (sid_size(sid) + 8 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) {
+ return false;
+ }
+
p += sid_size(sid);
SIVAL(p, 0, 1);
False, "\\MAILSLOT\\NET\\NTLOGON", 0,
outbuf, PTR_DIFF(p, outbuf),
global_myname(), 0, domain_name, 0x1c,
- dc_ip);
+ dc_ss);
}
-static BOOL receive_getdc_response(struct in_addr dc_ip,
+static bool receive_getdc_response(struct sockaddr_storage *dc_ss,
const char *domain_name,
fstring dc_name)
{
char *buf, *p;
fstring dcname, user, domain;
int len;
+ struct in_addr dc_ip;
+ if (dc_ss->ss_family != AF_INET) {
+ return false;
+ }
+ dc_ip = ((struct sockaddr_in *)dc_ss)->sin_addr;
mailslot_name(dc_ip, my_mailslot);
packet = receive_unexpected(DGRAM_PACKET, 0, my_mailslot);
convert an ip to a name
*******************************************************************/
-static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip, fstring name )
+static bool dcip_to_name(const struct winbindd_domain *domain,
+ struct sockaddr_storage *pss,
+ fstring name )
{
struct ip_service ip_list;
- ip_list.ip = ip;
+ ip_list.ss = *pss;
ip_list.port = 0;
#ifdef WITH_ADS
if (lp_security() == SEC_ADS) {
ADS_STRUCT *ads;
+ char addr[INET6_ADDRSTRLEN];
+
+ print_sockaddr(addr, sizeof(addr), pss);
ads = ads_init(domain->alt_name, domain->name, NULL);
ads->auth.flags |= ADS_AUTH_NO_BIND;
- if (ads_try_connect( ads, inet_ntoa(ip) ) ) {
+ if (ads_try_connect(ads, addr)) {
/* We got a cldap packet. */
fstrcpy(name, ads->config.ldap_server_name);
namecache_store(name, 0x20, 1, &ip_list);
create_local_private_krb5_conf_for_domain(domain->alt_name,
domain->name,
sitename,
- ip);
+ pss);
SAFE_FREE(sitename);
} else {
create_local_private_krb5_conf_for_domain(domain->alt_name,
domain->name,
NULL,
- ip);
+ pss);
}
winbindd_set_locator_kdc_envs(domain);
#endif
/* try GETDC requests next */
-
- if (send_getdc_request(ip, domain->name, &domain->sid)) {
+
+ if (send_getdc_request(pss, domain->name, &domain->sid)) {
int i;
smb_msleep(100);
for (i=0; i<5; i++) {
- if (receive_getdc_response(ip, domain->name, name)) {
+ if (receive_getdc_response(pss, domain->name, name)) {
namecache_store(name, 0x20, 1, &ip_list);
return True;
}
/* try node status request */
- if ( name_status_find(domain->name, 0x1c, 0x20, ip, name) ) {
+ if ( name_status_find(domain->name, 0x1c, 0x20, pss, name) ) {
namecache_store(name, 0x20, 1, &ip_list);
return True;
}
the dcs[] with results.
*******************************************************************/
-static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
+static bool get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
struct dc_name_ip **dcs, int *num_dcs)
{
fstring dcname;
- struct in_addr ip;
+ struct sockaddr_storage ss;
struct ip_service *ip_list = NULL;
int iplist_size = 0;
int i;
- BOOL is_our_domain;
+ bool is_our_domain;
enum security_types sec = (enum security_types)lp_security();
is_our_domain = strequal(domain->name, lp_workgroup());
- if ( !is_our_domain
- && get_dc_name_via_netlogon(domain, dcname, &ip)
- && add_one_dc_unique(mem_ctx, domain->name, dcname, ip, dcs, num_dcs) )
+ if ( !is_our_domain
+ && get_dc_name_via_netlogon(domain, dcname, &ss)
+ && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, num_dcs) )
{
+ char addr[INET6_ADDRSTRLEN];
+ print_sockaddr(addr, sizeof(addr), &ss);
DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
- dcname, inet_ntoa(ip)));
+ dcname, addr));
return True;
}
We deliberately don't care about the
return here. */
- get_dc_name(domain->name, domain->alt_name, dcname, &ip);
+ get_dc_name(domain->name, domain->alt_name, dcname, &ss);
sitename = sitename_fetch(domain->alt_name);
if (sitename) {
get_sorted_dc_list(domain->alt_name, sitename, &ip_list, &iplist_size, True);
for ( i=0; i<iplist_size; i++ ) {
- add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
- ip_list[i].ip, dcs, num_dcs);
+ char addr[INET6_ADDRSTRLEN];
+ print_sockaddr(addr, sizeof(addr),
+ &ip_list[i].ss);
+ add_one_dc_unique(mem_ctx,
+ domain->name,
+ addr,
+ &ip_list[i].ss,
+ dcs,
+ num_dcs);
}
SAFE_FREE(ip_list);
get_sorted_dc_list(domain->alt_name, NULL, &ip_list, &iplist_size, True);
for ( i=0; i<iplist_size; i++ ) {
- add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
- ip_list[i].ip, dcs, num_dcs);
+ char addr[INET6_ADDRSTRLEN];
+ print_sockaddr(addr, sizeof(addr),
+ &ip_list[i].ss);
+ add_one_dc_unique(mem_ctx,
+ domain->name,
+ addr,
+ &ip_list[i].ss,
+ dcs,
+ num_dcs);
}
}
the ip now in to make the failed connection cache work */
for ( i=0; i<iplist_size; i++ ) {
- add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
- ip_list[i].ip, dcs, num_dcs);
+ char addr[INET6_ADDRSTRLEN];
+ print_sockaddr(addr, sizeof(addr),
+ &ip_list[i].ss);
+ add_one_dc_unique(mem_ctx, domain->name, addr,
+ &ip_list[i].ss, dcs, num_dcs);
}
SAFE_FREE( ip_list );
return True;
}
-static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
+static bool find_new_dc(TALLOC_CTX *mem_ctx,
const struct winbindd_domain *domain,
- fstring dcname, struct sockaddr_in *addr, int *fd)
+ fstring dcname, struct sockaddr_storage *pss, int *fd)
{
struct dc_name_ip *dcs = NULL;
int num_dcs = 0;
const char **dcnames = NULL;
int num_dcnames = 0;
- struct sockaddr_in *addrs = NULL;
+ struct sockaddr_storage *addrs = NULL;
int num_addrs = 0;
int i, fd_index;
&dcnames, &num_dcnames)) {
return False;
}
- if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 445,
+ if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 445,
&addrs, &num_addrs)) {
return False;
}
&dcnames, &num_dcnames)) {
return False;
}
- if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 139,
+ if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 139,
&addrs, &num_addrs)) {
return False;
}
return False;
/* 5 second timeout. */
- if ( !open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) )
- {
+ if (!open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) {
for (i=0; i<num_dcs; i++) {
+ char ab[INET6_ADDRSTRLEN];
+ print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
DEBUG(10, ("find_new_dc: open_any_socket_out failed for "
"domain %s address %s. Error was %s\n",
- domain->name, inet_ntoa(dcs[i].ip), strerror(errno) ));
+ domain->name, ab, strerror(errno) ));
winbind_add_failed_connection_entry(domain,
dcs[i].name, NT_STATUS_UNSUCCESSFUL);
}
return False;
}
- *addr = addrs[fd_index];
+ *pss = addrs[fd_index];
- if (*dcnames[fd_index] != '\0' && !is_ipaddress_v4(dcnames[fd_index])) {
+ if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
/* Ok, we've got a name for the DC */
fstrcpy(dcname, dcnames[fd_index]);
return True;
}
/* Try to figure out the name */
- if (dcip_to_name( domain, addr->sin_addr, dcname )) {
+ if (dcip_to_name(domain, pss, dcname)) {
return True;
}
saf_servername, domain->name ));
/* convert an ip address to a name */
- if ( is_ipaddress_v4( saf_servername ) ) {
+ if (is_ipaddress( saf_servername ) ) {
fstring saf_name;
- struct in_addr ip;
+ struct sockaddr_storage ss;
- ip = *interpret_addr2( saf_servername );
- if (dcip_to_name( domain, ip, saf_name )) {
+ if (!interpret_string_addr(&ss, saf_servername,
+ AI_NUMERICHOST)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ if (dcip_to_name( domain, &ss, saf_name )) {
fstrcpy( domain->dcname, saf_name );
} else {
winbind_add_failed_connection_entry(
}
for (retries = 0; retries < 3; retries++) {
-
int fd = -1;
- BOOL retry = False;
+ bool retry = False;
result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
if (*domain->dcname
&& NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
- && (resolve_name(domain->dcname, &domain->dcaddr.sin_addr, 0x20)))
+ && (resolve_name(domain->dcname, &domain->dcaddr, 0x20)))
{
- struct sockaddr_in *addrs = NULL;
+ struct sockaddr_storage *addrs = NULL;
int num_addrs = 0;
int dummy = 0;
- if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 445, &addrs, &num_addrs)) {
+ if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 445, &addrs, &num_addrs)) {
set_domain_offline(domain);
talloc_destroy(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
- if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 139, &addrs, &num_addrs)) {
+ if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 139, &addrs, &num_addrs)) {
set_domain_offline(domain);
talloc_destroy(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
}
-static BOOL connection_ok(struct winbindd_domain *domain)
+static bool connection_ok(struct winbindd_domain *domain)
{
if (domain->conn.cli == NULL) {
DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
Set the trust flags (direction and forest location) for a domain
******************************************************************************/
-static BOOL set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
+static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
{
struct winbindd_domain *our_domain;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
return;
}
+ mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
+ domain->name);
+ if (!mem_ctx) {
+ DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
+ return;
+ }
+
DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC_DS,
goto no_lsarpc_ds;
}
- result = rpccli_ds_getprimarydominfo(cli, cli->cli->mem_ctx,
+ result = rpccli_ds_getprimarydominfo(cli, mem_ctx,
DsRolePrimaryDomainInfoBasic,
&ctr);
cli_rpc_pipe_close(cli);
goto no_lsarpc_ds;
}
+ TALLOC_FREE(mem_ctx);
return;
}
"PI_LSARPC on domain %s: (%s)\n",
domain->name, nt_errstr(result)));
cli_rpc_pipe_close(cli);
- return;
- }
-
- mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
- domain->name);
- if (!mem_ctx) {
- DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
- cli_rpc_pipe_close(cli);
+ TALLOC_FREE(mem_ctx);
return;
}
domain->name, domain->active_directory ? "" : "NOT "));
cli_rpc_pipe_close(cli);
-
- talloc_destroy(mem_ctx);
+
+ TALLOC_FREE(mem_ctx);
domain->initialized = True;
}
/**********************************************************************
***********************************************************************/
-static BOOL cm_get_schannel_dcinfo(struct winbindd_domain *domain,
+static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain,
struct dcinfo **ppdc)
{
NTSTATUS result;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
fstring conn_pwd;
struct dcinfo *p_dcinfo;
+ char *machine_password = NULL;
+ char *machine_account = NULL;
+ char *domain_name = NULL;
result = init_dc_connection(domain);
if (!NT_STATUS_IS_OK(result)) {
pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
if ((conn->cli->user_name[0] == '\0') ||
(conn->cli->domain[0] == '\0') ||
- (conn_pwd[0] == '\0')) {
- DEBUG(10, ("cm_connect_sam: No no user available for "
- "domain %s, trying schannel\n", conn->cli->domain));
+ (conn_pwd[0] == '\0'))
+ {
+ result = get_trust_creds(domain, &machine_password,
+ &machine_account, NULL);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10, ("cm_connect_sam: No no user available for "
+ "domain %s, trying schannel\n", conn->cli->domain));
+ goto schannel;
+ }
+ domain_name = domain->name;
goto schannel;
+ } else {
+ machine_password = SMB_STRDUP(conn_pwd);
+ machine_account = SMB_STRDUP(conn->cli->user_name);
+ domain_name = conn->cli->domain;
+ }
+
+ if (!machine_password || !machine_account) {
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
}
/* We have an authenticated connection. Use a NTLMSSP SPNEGO
conn->samr_pipe =
cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR,
PIPE_AUTH_LEVEL_PRIVACY,
- conn->cli->domain,
- conn->cli->user_name,
- conn_pwd, &result);
+ domain_name,
+ machine_account,
+ machine_password, &result);
if (conn->samr_pipe == NULL) {
DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
"pipe for domain %s using NTLMSSP "
"authenticated pipe: user %s\\%s. Error was "
- "%s\n", domain->name, conn->cli->domain,
- conn->cli->user_name, nt_errstr(result)));
+ "%s\n", domain->name, domain_name,
+ machine_account, nt_errstr(result)));
goto schannel;
}
DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
"domain %s using NTLMSSP authenticated "
"pipe: user %s\\%s\n", domain->name,
- conn->cli->domain, conn->cli->user_name ));
+ domain_name, machine_account));
result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
SEC_RIGHTS_MAXIMUM_ALLOWED,
*cli = conn->samr_pipe;
*sam_handle = conn->sam_domain_handle;
+ SAFE_FREE(machine_password);
+ SAFE_FREE(machine_account);
return result;
}
return NT_STATUS_OK;
}
- if ((IS_DC || domain->primary) && !get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
&result);
if (netlogon_pipe == NULL) {
neg_flags &= ~NETLOGON_NEG_SCHANNEL;
goto no_schannel;
}
-
+
if (lp_client_schannel() != False) {
neg_flags |= NETLOGON_NEG_SCHANNEL;
}
- /* if we are a DC and this is a trusted domain, then we need to use our
- domain name in the net_req_auth2() request */
-
- if ( IS_DC
- && !strequal(domain->name, lp_workgroup())
- && lp_allow_trusted_domains() )
+ if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
+ &sec_chan_type))
{
- account_name = lp_workgroup();
- } else {
- account_name = domain->primary ?
- global_myname() : domain->name;
- }
-
- if (account_name == NULL) {
cli_rpc_pipe_close(netlogon_pipe);
- return NT_STATUS_NO_MEMORY;
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
result = rpccli_netlogon_setup_creds(