s3:libsmb: get rid of cli_state_capabilities

[mat/samba.git] / source3 / winbindd / winbindd_cm.c

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 85630502734a0ca872f51ca1c20c1eb70b59a418..d190bb39a168c0aa39c48f4a9c03fed7668fd562 100644 (file)
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -76,6 +76,8 @@
 #include "../libcli/security/security.h"
 #include "passdb.h"
 #include "messages.h"
+#include "auth/gensec/gensec.h"
+#include "../libcli/smb/smbXcli_base.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
@@ -187,7 +189,7 @@ static bool fork_child_dc_connect(struct winbindd_domain *domain)
        struct dc_name_ip *dcs = NULL;
        int num_dcs = 0;
        TALLOC_CTX *mem_ctx = NULL;
-       pid_t parent_pid = sys_getpid();
+       pid_t parent_pid = getpid();
        char *lfile = NULL;
        NTSTATUS status;
 
@@ -205,7 +207,7 @@ static bool fork_child_dc_connect(struct winbindd_domain *domain)
                domain->dc_probe_pid = (pid_t)-1;
        }
 
-       domain->dc_probe_pid = sys_fork();
+       domain->dc_probe_pid = fork();
 
        if (domain->dc_probe_pid == (pid_t)-1) {
                DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
@@ -781,6 +783,8 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                                      struct cli_state **cli,
                                      bool *retry)
 {
+       bool try_spnego = false;
+       bool try_ipc_auth = false;
        char *machine_password = NULL;
        char *machine_krb5_principal = NULL;
        char *machine_account = NULL;
@@ -823,17 +827,21 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
        cli_set_timeout(*cli, 10000); /* 10 seconds */
 
-       result = cli_negprot(*cli, PROTOCOL_NT1);
+       result = cli_negprot(*cli, PROTOCOL_SMB2_02);
 
        if (!NT_STATUS_IS_OK(result)) {
                DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
                goto done;
        }
 
-       if (!is_dc_trusted_domain_situation(domain->name) &&
-           cli_state_protocol(*cli) >= PROTOCOL_NT1 &&
-           cli_state_capabilities(*cli) & CAP_EXTENDED_SECURITY)
-       {
+       if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_NT1 &&
+           smb1cli_conn_capabilities((*cli)->conn) & CAP_EXTENDED_SECURITY) {
+               try_spnego = true;
+       } else if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
+               try_spnego = true;
+       }
+
+       if (!is_dc_trusted_domain_situation(domain->name) && try_spnego) {
                result = get_trust_creds(domain, &machine_password,
                                         &machine_account,
                                         &machine_krb5_principal);
@@ -911,8 +919,15 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
        cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
 
        sec_mode = cli_state_security_mode(*cli);
-       if (((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
-           (strlen(ipc_username) > 0)) {
+
+       try_ipc_auth = false;
+       if (try_spnego) {
+               try_ipc_auth = true;
+       } else if (sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
+               try_ipc_auth = true;
+       }
+
+       if (try_ipc_auth && (strlen(ipc_username) > 0)) {
 
                /* Only try authenticated if we have a username */
 
@@ -1144,10 +1159,11 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
                }
 
                ads_destroy( &ads );
+               return false;
        }
 #endif
 
-       status = nbt_getdc(winbind_messaging_context(), pss, domain->name,
+       status = nbt_getdc(winbind_messaging_context(), 10, pss, domain->name,
                           &domain->sid, nt_version, mem_ctx, &nt_version,
                           &dc_name, NULL);
        if (NT_STATUS_IS_OK(status)) {
@@ -1330,7 +1346,7 @@ static bool find_new_dc(TALLOC_CTX *mem_ctx,
                                    &dcnames, &num_dcnames)) {
                        return False;
                }
-               if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 445,
+               if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, TCP_SMB_PORT,
                                      &addrs, &num_addrs)) {
                        return False;
                }
@@ -1409,7 +1425,7 @@ static void store_current_dc_in_gencache(const char *domain_name,
        }
 
        print_sockaddr(addr, sizeof(addr),
-                      cli_state_remote_sockaddr(cli));
+                      smbXcli_conn_remote_sockaddr(cli->conn));
 
        key = current_dc_key(talloc_tos(), domain_name);
        if (key == NULL) {
@@ -1881,6 +1897,8 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
                                 "running active directory.\n", domain->name, 
                                 domain->active_directory ? "" : "NOT "));
 
+                       domain->can_do_ncacn_ip_tcp = domain->active_directory;
+                       domain->can_do_validation6 = domain->active_directory;
 
                        domain->initialized = True;
 
@@ -2189,14 +2207,16 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
        /* We have an authenticated connection. Use a NTLMSSP SPNEGO
           authenticated SAMR pipe with sign & seal. */
-       status = cli_rpc_pipe_open_spnego_ntlmssp(conn->cli,
-                                                 &ndr_table_samr.syntax_id,
-                                                 NCACN_NP,
-                                                 DCERPC_AUTH_LEVEL_PRIVACY,
-                                                 domain_name,
-                                                 machine_account,
-                                                 machine_password,
-                                                 &conn->samr_pipe);
+       status = cli_rpc_pipe_open_spnego(conn->cli,
+                                         &ndr_table_samr,
+                                         NCACN_NP,
+                                         GENSEC_OID_NTLMSSP,
+                                         DCERPC_AUTH_LEVEL_PRIVACY,
+                                         smbXcli_conn_remote_name(conn->cli->conn),
+                                         domain_name,
+                                         machine_account,
+                                         machine_password,
+                                         &conn->samr_pipe);
 
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
@@ -2427,9 +2447,11 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
        /* We have an authenticated connection. Use a NTLMSSP SPNEGO
         * authenticated LSA pipe with sign & seal. */
-       result = cli_rpc_pipe_open_spnego_ntlmssp
-               (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
+       result = cli_rpc_pipe_open_spnego
+               (conn->cli, &ndr_table_lsarpc, NCACN_NP,
+                GENSEC_OID_NTLMSSP,
                 DCERPC_AUTH_LEVEL_PRIVACY,
+                smbXcli_conn_remote_name(conn->cli->conn),
                 conn->cli->domain, conn->cli->user_name, conn->cli->password,
                 &conn->lsa_pipe);
 
@@ -2700,7 +2722,7 @@ void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
                }
 
                print_sockaddr(sockaddr, sizeof(sockaddr),
-                              cli_state_local_sockaddr(domain->conn.cli));
+                              smbXcli_conn_local_sockaddr(domain->conn.cli->conn));
 
                if (strequal(sockaddr, addr)) {
                        cli_state_disconnect(domain->conn.cli);