669a43e5ac35e771b6d081180ef4f7711a110c40
[samba.git] / source3 / winbindd / winbindd_cm.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon connection manager
5
6    Copyright (C) Tim Potter                2001
7    Copyright (C) Andrew Bartlett           2002
8    Copyright (C) Gerald (Jerry) Carter     2003-2005.
9    Copyright (C) Volker Lendecke           2004-2005
10    Copyright (C) Jeremy Allison            2006
11
12    This program is free software; you can redistribute it and/or modify
13    it under the terms of the GNU General Public License as published by
14    the Free Software Foundation; either version 3 of the License, or
15    (at your option) any later version.
16
17    This program is distributed in the hope that it will be useful,
18    but WITHOUT ANY WARRANTY; without even the implied warranty of
19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20    GNU General Public License for more details.
21
22    You should have received a copy of the GNU General Public License
23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27    We need to manage connections to domain controllers without having to
28    mess up the main winbindd code with other issues.  The aim of the
29    connection manager is to:
30
31        - make connections to domain controllers and cache them
32        - re-establish connections when networks or servers go down
33        - centralise the policy on connection timeouts, domain controller
34          selection etc
35        - manage re-entrancy for when winbindd becomes able to handle
36          multiple outstanding rpc requests
37
38    Why not have connection management as part of the rpc layer like tng?
39    Good question.  This code may morph into libsmb/rpc_cache.c or something
40    like that but at the moment it's simply staying as part of winbind.  I
41    think the TNG architecture of forcing every user of the rpc layer to use
42    the connection caching system is a bad idea.  It should be an optional
43    method of using the routines.
44
45    The TNG design is quite good but I disagree with some aspects of the
46    implementation. -tpot
47
48  */
49
50 /*
51    TODO:
52
53      - I'm pretty annoyed by all the make_nmb_name() stuff.  It should be
54        moved down into another function.
55
56      - Take care when destroying cli_structs as they can be shared between
57        various sam handles.
58
59  */
60
61 #include "includes.h"
62 #include "winbindd.h"
63 #include "../libcli/auth/libcli_auth.h"
64 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
65 #include "rpc_client/cli_pipe.h"
66 #include "rpc_client/cli_netlogon.h"
67 #include "../librpc/gen_ndr/ndr_samr_c.h"
68 #include "../librpc/gen_ndr/ndr_lsa_c.h"
69 #include "rpc_client/cli_lsarpc.h"
70 #include "../librpc/gen_ndr/ndr_dssetup_c.h"
71 #include "libads/sitename_cache.h"
72 #include "libsmb/libsmb.h"
73 #include "libsmb/clidgram.h"
74 #include "ads.h"
75 #include "secrets.h"
76 #include "../libcli/security/security.h"
77 #include "passdb.h"
78 #include "messages.h"
79 #include "auth/gensec/gensec.h"
80 #include "../libcli/smb/smbXcli_base.h"
81 #include "lib/param/loadparm.h"
82 #include "libcli/auth/netlogon_creds_cli.h"
83
84 #undef DBGC_CLASS
85 #define DBGC_CLASS DBGC_WINBIND
86
87 struct dc_name_ip {
88         fstring name;
89         struct sockaddr_storage ss;
90 };
91
92 extern struct winbindd_methods reconnect_methods;
93 extern bool override_logfile;
94
95 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
96 static void set_dc_type_and_flags( struct winbindd_domain *domain );
97 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
98                     struct dc_name_ip **dcs, int *num_dcs);
99
100 /****************************************************************
101  Child failed to find DC's. Reschedule check.
102 ****************************************************************/
103
104 static void msg_failed_to_go_online(struct messaging_context *msg,
105                                     void *private_data,
106                                     uint32_t msg_type,
107                                     struct server_id server_id,
108                                     DATA_BLOB *data)
109 {
110         struct winbindd_domain *domain;
111         const char *domainname = (const char *)data->data;
112
113         if (data->data == NULL || data->length == 0) {
114                 return;
115         }
116
117         DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
118
119         for (domain = domain_list(); domain; domain = domain->next) {
120                 if (domain->internal) {
121                         continue;
122                 }
123
124                 if (strequal(domain->name, domainname)) {
125                         if (domain->online) {
126                                 /* We're already online, ignore. */
127                                 DEBUG(5,("msg_fail_to_go_online: domain %s "
128                                         "already online.\n", domainname));
129                                 continue;
130                         }
131
132                         /* Reschedule the online check. */
133                         set_domain_offline(domain);
134                         break;
135                 }
136         }
137 }
138
139 /****************************************************************
140  Actually cause a reconnect from a message.
141 ****************************************************************/
142
143 static void msg_try_to_go_online(struct messaging_context *msg,
144                                  void *private_data,
145                                  uint32_t msg_type,
146                                  struct server_id server_id,
147                                  DATA_BLOB *data)
148 {
149         struct winbindd_domain *domain;
150         const char *domainname = (const char *)data->data;
151
152         if (data->data == NULL || data->length == 0) {
153                 return;
154         }
155
156         DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
157
158         for (domain = domain_list(); domain; domain = domain->next) {
159                 if (domain->internal) {
160                         continue;
161                 }
162
163                 if (strequal(domain->name, domainname)) {
164
165                         if (domain->online) {
166                                 /* We're already online, ignore. */
167                                 DEBUG(5,("msg_try_to_go_online: domain %s "
168                                         "already online.\n", domainname));
169                                 continue;
170                         }
171
172                         /* This call takes care of setting the online
173                            flag to true if we connected, or re-adding
174                            the offline handler if false. Bypasses online
175                            check so always does network calls. */
176
177                         init_dc_connection_network(domain);
178                         break;
179                 }
180         }
181 }
182
183 /****************************************************************
184  Fork a child to try and contact a DC. Do this as contacting a
185  DC requires blocking lookups and we don't want to block our
186  parent.
187 ****************************************************************/
188
189 static bool fork_child_dc_connect(struct winbindd_domain *domain)
190 {
191         struct dc_name_ip *dcs = NULL;
192         int num_dcs = 0;
193         TALLOC_CTX *mem_ctx = NULL;
194         pid_t parent_pid = getpid();
195         char *lfile = NULL;
196         NTSTATUS status;
197
198         if (domain->dc_probe_pid != (pid_t)-1) {
199                 /*
200                  * We might already have a DC probe
201                  * child working, check.
202                  */
203                 if (process_exists_by_pid(domain->dc_probe_pid)) {
204                         DEBUG(10,("fork_child_dc_connect: pid %u already "
205                                 "checking for DC's.\n",
206                                 (unsigned int)domain->dc_probe_pid));
207                         return true;
208                 }
209                 domain->dc_probe_pid = (pid_t)-1;
210         }
211
212         domain->dc_probe_pid = fork();
213
214         if (domain->dc_probe_pid == (pid_t)-1) {
215                 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
216                 return False;
217         }
218
219         if (domain->dc_probe_pid != (pid_t)0) {
220                 /* Parent */
221                 messaging_register(winbind_messaging_context(), NULL,
222                                    MSG_WINBIND_TRY_TO_GO_ONLINE,
223                                    msg_try_to_go_online);
224                 messaging_register(winbind_messaging_context(), NULL,
225                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
226                                    msg_failed_to_go_online);
227                 return True;
228         }
229
230         /* Child. */
231
232         /* Leave messages blocked - we will never process one. */
233
234         if (!override_logfile) {
235                 if (asprintf(&lfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) == -1) {
236                         DEBUG(0, ("fork_child_dc_connect: out of memory.\n"));
237                         _exit(1);
238                 }
239         }
240
241         status = winbindd_reinit_after_fork(NULL, lfile);
242         if (!NT_STATUS_IS_OK(status)) {
243                 DEBUG(1, ("winbindd_reinit_after_fork failed: %s\n",
244                           nt_errstr(status)));
245                 messaging_send_buf(winbind_messaging_context(),
246                                    pid_to_procid(parent_pid),
247                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
248                                    (const uint8_t *)domain->name,
249                                    strlen(domain->name)+1);
250                 _exit(1);
251         }
252         SAFE_FREE(lfile);
253
254         mem_ctx = talloc_init("fork_child_dc_connect");
255         if (!mem_ctx) {
256                 DEBUG(0,("talloc_init failed.\n"));
257                 messaging_send_buf(winbind_messaging_context(),
258                                    pid_to_procid(parent_pid),
259                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
260                                    (const uint8_t *)domain->name,
261                                    strlen(domain->name)+1);
262                 _exit(1);
263         }
264
265         if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
266                 /* Still offline ? Can't find DC's. */
267                 messaging_send_buf(winbind_messaging_context(),
268                                    pid_to_procid(parent_pid),
269                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
270                                    (const uint8_t *)domain->name,
271                                    strlen(domain->name)+1);
272                 _exit(0);
273         }
274
275         /* We got a DC. Send a message to our parent to get it to
276            try and do the same. */
277
278         messaging_send_buf(winbind_messaging_context(),
279                            pid_to_procid(parent_pid),
280                            MSG_WINBIND_TRY_TO_GO_ONLINE,
281                            (const uint8_t *)domain->name,
282                            strlen(domain->name)+1);
283         _exit(0);
284 }
285
286 /****************************************************************
287  Handler triggered if we're offline to try and detect a DC.
288 ****************************************************************/
289
290 static void check_domain_online_handler(struct tevent_context *ctx,
291                                         struct tevent_timer *te,
292                                         struct timeval now,
293                                         void *private_data)
294 {
295         struct winbindd_domain *domain =
296                 (struct winbindd_domain *)private_data;
297
298         DEBUG(10,("check_domain_online_handler: called for domain "
299                   "%s (online = %s)\n", domain->name, 
300                   domain->online ? "True" : "False" ));
301
302         TALLOC_FREE(domain->check_online_event);
303
304         /* Are we still in "startup" mode ? */
305
306         if (domain->startup && (time_mono(NULL) > domain->startup_time + 30)) {
307                 /* No longer in "startup" mode. */
308                 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
309                         domain->name ));
310                 domain->startup = False;
311         }
312
313         /* We've been told to stay offline, so stay
314            that way. */
315
316         if (get_global_winbindd_state_offline()) {
317                 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
318                         domain->name ));
319                 return;
320         }
321
322         /* Fork a child to test if it can contact a DC. 
323            If it can then send ourselves a message to
324            cause a reconnect. */
325
326         fork_child_dc_connect(domain);
327 }
328
329 /****************************************************************
330  If we're still offline setup the timeout check.
331 ****************************************************************/
332
333 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
334 {
335         int wbr = lp_winbind_reconnect_delay();
336
337         if (domain->startup) {
338                 domain->check_online_timeout = 10;
339         } else if (domain->check_online_timeout < wbr) {
340                 domain->check_online_timeout = wbr;
341         }
342 }
343
344 void winbind_msg_domain_offline(struct messaging_context *msg_ctx,
345                                 void *private_data,
346                                 uint32_t msg_type,
347                                 struct server_id server_id,
348                                 DATA_BLOB *data)
349 {
350         const char *domain_name = (const char *)data->data;
351         struct winbindd_domain *domain;
352
353         domain = find_domain_from_name_noinit(domain_name);
354         if (domain == NULL) {
355                 return;
356         }
357
358         domain->online = false;
359
360         DEBUG(10, ("Domain %s is marked as offline now.\n",
361                    domain_name));
362 }
363
364 void winbind_msg_domain_online(struct messaging_context *msg_ctx,
365                                 void *private_data,
366                                 uint32_t msg_type,
367                                 struct server_id server_id,
368                                 DATA_BLOB *data)
369 {
370         const char *domain_name = (const char *)data->data;
371         struct winbindd_domain *domain;
372
373         domain = find_domain_from_name_noinit(domain_name);
374         if (domain == NULL) {
375                 return;
376         }
377
378         domain->online = true;
379
380         DEBUG(10, ("Domain %s is marked as online now.\n",
381                    domain_name));
382 }
383
384 /****************************************************************
385  Set domain offline and also add handler to put us back online
386  if we detect a DC.
387 ****************************************************************/
388
389 void set_domain_offline(struct winbindd_domain *domain)
390 {
391         pid_t parent_pid = getppid();
392
393         DEBUG(10,("set_domain_offline: called for domain %s\n",
394                 domain->name ));
395
396         TALLOC_FREE(domain->check_online_event);
397
398         if (domain->internal) {
399                 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
400                         domain->name ));
401                 return;
402         }
403
404         domain->online = False;
405
406         /* Offline domains are always initialized. They're
407            re-initialized when they go back online. */
408
409         domain->initialized = True;
410
411         /* We only add the timeout handler that checks and
412            allows us to go back online when we've not
413            been told to remain offline. */
414
415         if (get_global_winbindd_state_offline()) {
416                 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
417                         domain->name ));
418                 return;
419         }
420
421         /* If we're in startup mode, check again in 10 seconds, not in
422            lp_winbind_reconnect_delay() seconds (which is 30 seconds by default). */
423
424         calc_new_online_timeout_check(domain);
425
426         domain->check_online_event = tevent_add_timer(winbind_event_context(),
427                                                 NULL,
428                                                 timeval_current_ofs(domain->check_online_timeout,0),
429                                                 check_domain_online_handler,
430                                                 domain);
431
432         /* The above *has* to succeed for winbindd to work. */
433         if (!domain->check_online_event) {
434                 smb_panic("set_domain_offline: failed to add online handler");
435         }
436
437         DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
438                 domain->name ));
439
440         /* Send a message to the parent that the domain is offline. */
441         if (parent_pid > 1 && !domain->internal) {
442                 messaging_send_buf(winbind_messaging_context(),
443                                    pid_to_procid(parent_pid),
444                                    MSG_WINBIND_DOMAIN_OFFLINE,
445                                    (uint8 *)domain->name,
446                                    strlen(domain->name) + 1);
447         }
448
449         /* Send an offline message to the idmap child when our
450            primary domain goes offline */
451
452         if ( domain->primary ) {
453                 struct winbindd_child *idmap = idmap_child();
454
455                 if ( idmap->pid != 0 ) {
456                         messaging_send_buf(winbind_messaging_context(),
457                                            pid_to_procid(idmap->pid), 
458                                            MSG_WINBIND_OFFLINE, 
459                                            (const uint8_t *)domain->name,
460                                            strlen(domain->name)+1);
461                 }                       
462         }
463
464         return; 
465 }
466
467 /****************************************************************
468  Set domain online - if allowed.
469 ****************************************************************/
470
471 static void set_domain_online(struct winbindd_domain *domain)
472 {
473         pid_t parent_pid = getppid();
474
475         DEBUG(10,("set_domain_online: called for domain %s\n",
476                 domain->name ));
477
478         if (domain->internal) {
479                 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
480                         domain->name ));
481                 return;
482         }
483
484         if (get_global_winbindd_state_offline()) {
485                 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
486                         domain->name ));
487                 return;
488         }
489
490         winbindd_set_locator_kdc_envs(domain);
491
492         /* If we are waiting to get a krb5 ticket, trigger immediately. */
493         ccache_regain_all_now();
494
495         /* Ok, we're out of any startup mode now... */
496         domain->startup = False;
497
498         if (domain->online == False) {
499                 /* We were offline - now we're online. We default to
500                    using the MS-RPC backend if we started offline,
501                    and if we're going online for the first time we
502                    should really re-initialize the backends and the
503                    checks to see if we're talking to an AD or NT domain.
504                 */
505
506                 domain->initialized = False;
507
508                 /* 'reconnect_methods' is the MS-RPC backend. */
509                 if (domain->backend == &reconnect_methods) {
510                         domain->backend = NULL;
511                 }
512         }
513
514         /* Ensure we have no online timeout checks. */
515         domain->check_online_timeout = 0;
516         TALLOC_FREE(domain->check_online_event);
517
518         /* Ensure we ignore any pending child messages. */
519         messaging_deregister(winbind_messaging_context(),
520                              MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
521         messaging_deregister(winbind_messaging_context(),
522                              MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
523
524         domain->online = True;
525
526         /* Send a message to the parent that the domain is online. */
527         if (parent_pid > 1 && !domain->internal) {
528                 messaging_send_buf(winbind_messaging_context(),
529                                    pid_to_procid(parent_pid),
530                                    MSG_WINBIND_DOMAIN_ONLINE,
531                                    (uint8 *)domain->name,
532                                    strlen(domain->name) + 1);
533         }
534
535         /* Send an online message to the idmap child when our
536            primary domain comes online */
537
538         if ( domain->primary ) {
539                 struct winbindd_child *idmap = idmap_child();
540
541                 if ( idmap->pid != 0 ) {
542                         messaging_send_buf(winbind_messaging_context(),
543                                            pid_to_procid(idmap->pid), 
544                                            MSG_WINBIND_ONLINE, 
545                                            (const uint8_t *)domain->name,
546                                            strlen(domain->name)+1);
547                 }                       
548         }
549
550         return; 
551 }
552
553 /****************************************************************
554  Requested to set a domain online.
555 ****************************************************************/
556
557 void set_domain_online_request(struct winbindd_domain *domain)
558 {
559         struct timeval tev;
560
561         DEBUG(10,("set_domain_online_request: called for domain %s\n",
562                 domain->name ));
563
564         if (get_global_winbindd_state_offline()) {
565                 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
566                         domain->name ));
567                 return;
568         }
569
570         if (domain->internal) {
571                 DEBUG(10, ("set_domain_online_request: Internal domains are "
572                            "always online\n"));
573                 return;
574         }
575
576         /* We've been told it's safe to go online and
577            try and connect to a DC. But I don't believe it
578            because network manager seems to lie.
579            Wait at least 5 seconds. Heuristics suck... */
580
581
582         GetTimeOfDay(&tev);
583
584         /* Go into "startup" mode again. */
585         domain->startup_time = time_mono(NULL);
586         domain->startup = True;
587
588         tev.tv_sec += 5;
589
590         if (!domain->check_online_event) {
591                 /* If we've come from being globally offline we
592                    don't have a check online event handler set.
593                    We need to add one now we're trying to go
594                    back online. */
595
596                 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
597                         domain->name ));
598         }
599
600         TALLOC_FREE(domain->check_online_event);
601
602         domain->check_online_event = tevent_add_timer(winbind_event_context(),
603                                                      NULL,
604                                                      tev,
605                                                      check_domain_online_handler,
606                                                      domain);
607
608         /* The above *has* to succeed for winbindd to work. */
609         if (!domain->check_online_event) {
610                 smb_panic("set_domain_online_request: failed to add online handler");
611         }
612 }
613
614 /****************************************************************
615  Add -ve connection cache entries for domain and realm.
616 ****************************************************************/
617
618 static void winbind_add_failed_connection_entry(
619         const struct winbindd_domain *domain,
620         const char *server,
621         NTSTATUS result)
622 {
623         add_failed_connection_entry(domain->name, server, result);
624         /* If this was the saf name for the last thing we talked to,
625            remove it. */
626         saf_delete(domain->name);
627         if (domain->alt_name != NULL) {
628                 add_failed_connection_entry(domain->alt_name, server, result);
629                 saf_delete(domain->alt_name);
630         }
631         winbindd_unset_locator_kdc_env(domain);
632 }
633
634 /* Choose between anonymous or authenticated connections.  We need to use
635    an authenticated connection if DCs have the RestrictAnonymous registry
636    entry set > 0, or the "Additional restrictions for anonymous
637    connections" set in the win2k Local Security Policy. 
638
639    Caller to free() result in domain, username, password
640 */
641
642 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
643 {
644         *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
645         *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
646         *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
647
648         if (*username && **username) {
649
650                 if (!*domain || !**domain)
651                         *domain = smb_xstrdup(lp_workgroup());
652
653                 if (!*password || !**password)
654                         *password = smb_xstrdup("");
655
656                 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n", 
657                           *domain, *username));
658
659         } else {
660                 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
661                 *username = smb_xstrdup("");
662                 *domain = smb_xstrdup("");
663                 *password = smb_xstrdup("");
664         }
665 }
666
667 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
668                                      fstring dcname,
669                                      struct sockaddr_storage *dc_ss)
670 {
671         struct winbindd_domain *our_domain = NULL;
672         struct rpc_pipe_client *netlogon_pipe = NULL;
673         NTSTATUS result;
674         WERROR werr;
675         TALLOC_CTX *mem_ctx;
676         unsigned int orig_timeout;
677         const char *tmp = NULL;
678         const char *p;
679         struct dcerpc_binding_handle *b;
680
681         /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
682          * moment.... */
683
684         if (IS_DC) {
685                 return False;
686         }
687
688         if (domain->primary) {
689                 return False;
690         }
691
692         our_domain = find_our_domain();
693
694         if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
695                 return False;
696         }
697
698         result = cm_connect_netlogon(our_domain, &netlogon_pipe);
699         if (!NT_STATUS_IS_OK(result)) {
700                 talloc_destroy(mem_ctx);
701                 return False;
702         }
703
704         b = netlogon_pipe->binding_handle;
705
706         /* This call can take a long time - allow the server to time out.
707            35 seconds should do it. */
708
709         orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
710
711         if (our_domain->active_directory) {
712                 struct netr_DsRGetDCNameInfo *domain_info = NULL;
713
714                 result = dcerpc_netr_DsRGetDCName(b,
715                                                   mem_ctx,
716                                                   our_domain->dcname,
717                                                   domain->name,
718                                                   NULL,
719                                                   NULL,
720                                                   DS_RETURN_DNS_NAME,
721                                                   &domain_info,
722                                                   &werr);
723                 if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
724                         tmp = talloc_strdup(
725                                 mem_ctx, domain_info->dc_unc);
726                         if (tmp == NULL) {
727                                 DEBUG(0, ("talloc_strdup failed\n"));
728                                 talloc_destroy(mem_ctx);
729                                 return false;
730                         }
731                         if (domain->alt_name == NULL) {
732                                 domain->alt_name = talloc_strdup(domain,
733                                                                  domain_info->domain_name);
734                                 if (domain->alt_name == NULL) {
735                                         DEBUG(0, ("talloc_strdup failed\n"));
736                                         talloc_destroy(mem_ctx);
737                                         return false;
738                                 }
739                         }
740                         if (domain->forest_name == NULL) {
741                                 domain->forest_name = talloc_strdup(domain,
742                                                                     domain_info->forest_name);
743                                 if (domain->forest_name == NULL) {
744                                         DEBUG(0, ("talloc_strdup failed\n"));
745                                         talloc_destroy(mem_ctx);
746                                         return false;
747                                 }
748                         }
749                 }
750         } else {
751                 result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
752                                                   our_domain->dcname,
753                                                   domain->name,
754                                                   &tmp,
755                                                   &werr);
756         }
757
758         /* And restore our original timeout. */
759         rpccli_set_timeout(netlogon_pipe, orig_timeout);
760
761         if (!NT_STATUS_IS_OK(result)) {
762                 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
763                         nt_errstr(result)));
764                 talloc_destroy(mem_ctx);
765                 return false;
766         }
767
768         if (!W_ERROR_IS_OK(werr)) {
769                 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
770                            win_errstr(werr)));
771                 talloc_destroy(mem_ctx);
772                 return false;
773         }
774
775         /* dcerpc_netr_GetAnyDCName gives us a name with \\ */
776         p = strip_hostname(tmp);
777
778         fstrcpy(dcname, p);
779
780         talloc_destroy(mem_ctx);
781
782         DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
783
784         if (!resolve_name(dcname, dc_ss, 0x20, true)) {
785                 return False;
786         }
787
788         return True;
789 }
790
791 /**
792  * Helper function to assemble trust password and account name
793  */
794 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
795                                 char **machine_password,
796                                 char **machine_account,
797                                 char **machine_krb5_principal)
798 {
799         const char *account_name;
800         const char *name = NULL;
801
802         /* If we are a DC and this is not our own domain */
803
804         if (IS_DC) {
805                 name = domain->name;
806         } else {
807                 struct winbindd_domain *our_domain = find_our_domain();
808
809                 if (!our_domain)
810                         return NT_STATUS_INVALID_SERVER_STATE;          
811
812                 name = our_domain->name;                
813         }       
814
815         if (!get_trust_pw_clear(name, machine_password,
816                                 &account_name, NULL))
817         {
818                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
819         }
820
821         if ((machine_account != NULL) &&
822             (asprintf(machine_account, "%s$", account_name) == -1))
823         {
824                 return NT_STATUS_NO_MEMORY;
825         }
826
827         /* For now assume our machine account only exists in our domain */
828
829         if (machine_krb5_principal != NULL)
830         {
831                 struct winbindd_domain *our_domain = find_our_domain();
832
833                 if (!our_domain) {
834                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;                       
835                 }
836
837                 if (asprintf(machine_krb5_principal, "%s$@%s",
838                              account_name, our_domain->alt_name) == -1)
839                 {
840                         return NT_STATUS_NO_MEMORY;
841                 }
842
843                 if (!strupper_m(*machine_krb5_principal)) {
844                         SAFE_FREE(*machine_krb5_principal);
845                         return NT_STATUS_INVALID_PARAMETER;
846                 }
847         }
848
849         return NT_STATUS_OK;
850 }
851
852 /************************************************************************
853  Given a fd with a just-connected TCP connection to a DC, open a connection
854  to the pipe.
855 ************************************************************************/
856
857 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
858                                       const int sockfd,
859                                       const char *controller,
860                                       struct cli_state **cli,
861                                       bool *retry)
862 {
863         bool try_spnego = false;
864         bool try_ipc_auth = false;
865         char *machine_password = NULL;
866         char *machine_krb5_principal = NULL;
867         char *machine_account = NULL;
868         char *ipc_username = NULL;
869         char *ipc_domain = NULL;
870         char *ipc_password = NULL;
871         int flags = 0;
872         uint16_t sec_mode = 0;
873
874         struct named_mutex *mutex;
875
876         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
877
878         DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
879                 controller, domain->name ));
880
881         *retry = True;
882
883         mutex = grab_named_mutex(talloc_tos(), controller,
884                                  WINBIND_SERVER_MUTEX_WAIT_TIME);
885         if (mutex == NULL) {
886                 close(sockfd);
887                 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
888                          controller));
889                 result = NT_STATUS_POSSIBLE_DEADLOCK;
890                 goto done;
891         }
892
893         flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
894
895         *cli = cli_state_create(NULL, sockfd,
896                                 controller, domain->alt_name,
897                                 SMB_SIGNING_DEFAULT, flags);
898         if (*cli == NULL) {
899                 close(sockfd);
900                 DEBUG(1, ("Could not cli_initialize\n"));
901                 result = NT_STATUS_NO_MEMORY;
902                 goto done;
903         }
904
905         cli_set_timeout(*cli, 10000); /* 10 seconds */
906
907         result = smbXcli_negprot((*cli)->conn, (*cli)->timeout,
908                                  lp_client_min_protocol(),
909                                  lp_client_max_protocol());
910
911         if (!NT_STATUS_IS_OK(result)) {
912                 DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
913                 goto done;
914         }
915
916         if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_NT1 &&
917             smb1cli_conn_capabilities((*cli)->conn) & CAP_EXTENDED_SECURITY) {
918                 try_spnego = true;
919         } else if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
920                 try_spnego = true;
921         }
922
923         if (!is_dc_trusted_domain_situation(domain->name) && try_spnego) {
924                 result = get_trust_creds(domain, &machine_password,
925                                          &machine_account,
926                                          &machine_krb5_principal);
927                 if (!NT_STATUS_IS_OK(result)) {
928                         goto anon_fallback;
929                 }
930
931                 if (lp_security() == SEC_ADS) {
932
933                         /* Try a krb5 session */
934
935                         (*cli)->use_kerberos = True;
936                         DEBUG(5, ("connecting to %s from %s with kerberos principal "
937                                   "[%s] and realm [%s]\n", controller, lp_netbios_name(),
938                                   machine_krb5_principal, domain->alt_name));
939
940                         winbindd_set_locator_kdc_envs(domain);
941
942                         result = cli_session_setup(*cli,
943                                                    machine_krb5_principal,
944                                                    machine_password,
945                                                    strlen(machine_password)+1,
946                                                    machine_password,
947                                                    strlen(machine_password)+1,
948                                                    lp_workgroup());
949
950                         if (!NT_STATUS_IS_OK(result)) {
951                                 DEBUG(4,("failed kerberos session setup with %s\n",
952                                         nt_errstr(result)));
953                         }
954
955                         if (NT_STATUS_IS_OK(result)) {
956                                 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
957                                 result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
958                                 if (!NT_STATUS_IS_OK(result)) {
959                                         goto done;
960                                 }
961                                 goto session_setup_done;
962                         }
963                 }
964
965                 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
966                 (*cli)->use_kerberos = False;
967
968                 DEBUG(5, ("connecting to %s from %s with username "
969                           "[%s]\\[%s]\n",  controller, lp_netbios_name(),
970                           lp_workgroup(), machine_account));
971
972                 result = cli_session_setup(*cli,
973                                            machine_account,
974                                            machine_password,
975                                            strlen(machine_password)+1,
976                                            machine_password,
977                                            strlen(machine_password)+1,
978                                            lp_workgroup());
979                 if (!NT_STATUS_IS_OK(result)) {
980                         DEBUG(4, ("authenticated session setup failed with %s\n",
981                                 nt_errstr(result)));
982                 }
983
984                 if (NT_STATUS_IS_OK(result)) {
985                         /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
986                         result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
987                         if (!NT_STATUS_IS_OK(result)) {
988                                 goto done;
989                         }
990                         goto session_setup_done;
991                 }
992         }
993
994         /* Fall back to non-kerberos session setup with auth_user */
995
996         (*cli)->use_kerberos = False;
997
998         cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
999
1000         sec_mode = smb1cli_conn_server_security_mode((*cli)->conn);
1001
1002         try_ipc_auth = false;
1003         if (try_spnego) {
1004                 try_ipc_auth = true;
1005         } else if (sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
1006                 try_ipc_auth = true;
1007         }
1008
1009         if (try_ipc_auth && (strlen(ipc_username) > 0)) {
1010
1011                 /* Only try authenticated if we have a username */
1012
1013                 DEBUG(5, ("connecting to %s from %s with username "
1014                           "[%s]\\[%s]\n",  controller, lp_netbios_name(),
1015                           ipc_domain, ipc_username));
1016
1017                 if (NT_STATUS_IS_OK(cli_session_setup(
1018                                             *cli, ipc_username,
1019                                             ipc_password, strlen(ipc_password)+1,
1020                                             ipc_password, strlen(ipc_password)+1,
1021                                             ipc_domain))) {
1022                         /* Successful logon with given username. */
1023                         result = cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
1024                         if (!NT_STATUS_IS_OK(result)) {
1025                                 goto done;
1026                         }
1027                         goto session_setup_done;
1028                 } else {
1029                         DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
1030                                 ipc_domain, ipc_username ));
1031                 }
1032         }
1033
1034  anon_fallback:
1035
1036         /* Fall back to anonymous connection, this might fail later */
1037         DEBUG(10,("cm_prepare_connection: falling back to anonymous "
1038                 "connection for DC %s\n",
1039                 controller ));
1040
1041         result = cli_session_setup(*cli, "", NULL, 0, NULL, 0, "");
1042         if (NT_STATUS_IS_OK(result)) {
1043                 DEBUG(5, ("Connected anonymously\n"));
1044                 result = cli_init_creds(*cli, "", "", "");
1045                 if (!NT_STATUS_IS_OK(result)) {
1046                         goto done;
1047                 }
1048                 goto session_setup_done;
1049         }
1050
1051         /* We can't session setup */
1052         goto done;
1053
1054  session_setup_done:
1055
1056         /*
1057          * This should be a short term hack until
1058          * dynamic re-authentication is implemented.
1059          *
1060          * See Bug 9175 - winbindd doesn't recover from
1061          * NT_STATUS_NETWORK_SESSION_EXPIRED
1062          */
1063         if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
1064                 smbXcli_session_set_disconnect_expired((*cli)->smb2.session);
1065         }
1066
1067         /* cache the server name for later connections */
1068
1069         saf_store(domain->name, controller);
1070         if (domain->alt_name && (*cli)->use_kerberos) {
1071                 saf_store(domain->alt_name, controller);
1072         }
1073
1074         winbindd_set_locator_kdc_envs(domain);
1075
1076         result = cli_tree_connect(*cli, "IPC$", "IPC", "", 0);
1077
1078         if (!NT_STATUS_IS_OK(result)) {
1079                 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
1080                 goto done;
1081         }
1082
1083         TALLOC_FREE(mutex);
1084         *retry = False;
1085
1086         /* set the domain if empty; needed for schannel connections */
1087         if ( !(*cli)->domain[0] ) {
1088                 result = cli_set_domain((*cli), domain->name);
1089                 if (!NT_STATUS_IS_OK(result)) {
1090                         SAFE_FREE(ipc_username);
1091                         SAFE_FREE(ipc_domain);
1092                         SAFE_FREE(ipc_password);
1093                         return result;
1094                 }
1095         }
1096
1097         result = NT_STATUS_OK;
1098
1099  done:
1100         TALLOC_FREE(mutex);
1101         SAFE_FREE(machine_account);
1102         SAFE_FREE(machine_password);
1103         SAFE_FREE(machine_krb5_principal);
1104         SAFE_FREE(ipc_username);
1105         SAFE_FREE(ipc_domain);
1106         SAFE_FREE(ipc_password);
1107
1108         if (!NT_STATUS_IS_OK(result)) {
1109                 winbind_add_failed_connection_entry(domain, controller, result);
1110                 if ((*cli) != NULL) {
1111                         cli_shutdown(*cli);
1112                         *cli = NULL;
1113                 }
1114         }
1115
1116         return result;
1117 }
1118
1119 /*******************************************************************
1120  Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
1121  array.
1122
1123  Keeps the list unique by not adding duplicate entries.
1124
1125  @param[in] mem_ctx talloc memory context to allocate from
1126  @param[in] domain_name domain of the DC
1127  @param[in] dcname name of the DC to add to the list
1128  @param[in] pss Internet address and port pair to add to the list
1129  @param[in,out] dcs array of dc_name_ip structures to add to
1130  @param[in,out] num_dcs number of dcs returned in the dcs array
1131  @return true if the list was added to, false otherwise
1132 *******************************************************************/
1133
1134 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
1135                               const char *dcname, struct sockaddr_storage *pss,
1136                               struct dc_name_ip **dcs, int *num)
1137 {
1138         int i = 0;
1139
1140         if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
1141                 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
1142                 return False;
1143         }
1144
1145         /* Make sure there's no duplicates in the list */
1146         for (i=0; i<*num; i++)
1147                 if (sockaddr_equal(
1148                             (struct sockaddr *)(void *)&(*dcs)[i].ss,
1149                             (struct sockaddr *)(void *)pss))
1150                         return False;
1151
1152         *dcs = talloc_realloc(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
1153
1154         if (*dcs == NULL)
1155                 return False;
1156
1157         fstrcpy((*dcs)[*num].name, dcname);
1158         (*dcs)[*num].ss = *pss;
1159         *num += 1;
1160         return True;
1161 }
1162
1163 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1164                                   struct sockaddr_storage *pss, uint16 port,
1165                                   struct sockaddr_storage **addrs, int *num)
1166 {
1167         *addrs = talloc_realloc(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1168
1169         if (*addrs == NULL) {
1170                 *num = 0;
1171                 return False;
1172         }
1173
1174         (*addrs)[*num] = *pss;
1175         set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
1176
1177         *num += 1;
1178         return True;
1179 }
1180
1181 /*******************************************************************
1182  convert an ip to a name
1183 *******************************************************************/
1184
1185 static bool dcip_to_name(TALLOC_CTX *mem_ctx,
1186                 const struct winbindd_domain *domain,
1187                 struct sockaddr_storage *pss,
1188                 char **name)
1189 {
1190         struct ip_service ip_list;
1191         uint32_t nt_version = NETLOGON_NT_VERSION_1;
1192         NTSTATUS status;
1193         const char *dc_name;
1194         fstring nbtname;
1195
1196         ip_list.ss = *pss;
1197         ip_list.port = 0;
1198
1199 #ifdef HAVE_ADS
1200         /* For active directory servers, try to get the ldap server name.
1201            None of these failures should be considered critical for now */
1202
1203         if (lp_security() == SEC_ADS) {
1204                 ADS_STRUCT *ads;
1205                 ADS_STATUS ads_status;
1206                 char addr[INET6_ADDRSTRLEN];
1207
1208                 print_sockaddr(addr, sizeof(addr), pss);
1209
1210                 ads = ads_init(domain->alt_name, domain->name, addr);
1211                 ads->auth.flags |= ADS_AUTH_NO_BIND;
1212
1213                 ads_status = ads_connect(ads);
1214                 if (ADS_ERR_OK(ads_status)) {
1215                         /* We got a cldap packet. */
1216                         *name = talloc_strdup(mem_ctx,
1217                                              ads->config.ldap_server_name);
1218                         if (*name == NULL) {
1219                                 return false;
1220                         }
1221                         namecache_store(*name, 0x20, 1, &ip_list);
1222
1223                         DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1224
1225                         if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
1226                                 if (ads_closest_dc(ads)) {
1227                                         char *sitename = sitename_fetch(mem_ctx, ads->config.realm);
1228
1229                                         /* We're going to use this KDC for this realm/domain.
1230                                            If we are using sites, then force the krb5 libs
1231                                            to use this KDC. */
1232
1233                                         create_local_private_krb5_conf_for_domain(domain->alt_name,
1234                                                                         domain->name,
1235                                                                         sitename,
1236                                                                         pss,
1237                                                                         *name);
1238
1239                                         TALLOC_FREE(sitename);
1240                                 } else {
1241                                         /* use an off site KDC */
1242                                         create_local_private_krb5_conf_for_domain(domain->alt_name,
1243                                                                         domain->name,
1244                                                                         NULL,
1245                                                                         pss,
1246                                                                         *name);
1247                                 }
1248                                 winbindd_set_locator_kdc_envs(domain);
1249
1250                                 /* Ensure we contact this DC also. */
1251                                 saf_store(domain->name, *name);
1252                                 saf_store(domain->alt_name, *name);
1253                         }
1254
1255                         ads_destroy( &ads );
1256                         return True;
1257                 }
1258
1259                 ads_destroy( &ads );
1260                 return false;
1261         }
1262 #endif
1263
1264         status = nbt_getdc(winbind_messaging_context(), 10, pss, domain->name,
1265                            &domain->sid, nt_version, mem_ctx, &nt_version,
1266                            &dc_name, NULL);
1267         if (NT_STATUS_IS_OK(status)) {
1268                 *name = talloc_strdup(mem_ctx, dc_name);
1269                 if (*name == NULL) {
1270                         return false;
1271                 }
1272                 namecache_store(*name, 0x20, 1, &ip_list);
1273                 return True;
1274         }
1275
1276         /* try node status request */
1277
1278         if (name_status_find(domain->name, 0x1c, 0x20, pss, nbtname) ) {
1279                 namecache_store(nbtname, 0x20, 1, &ip_list);
1280
1281                 if (name != NULL) {
1282                         *name = talloc_strdup(mem_ctx, nbtname);
1283                         if (*name == NULL) {
1284                                 return false;
1285                         }
1286                 }
1287
1288                 return true;
1289         }
1290         return False;
1291 }
1292
1293 /*******************************************************************
1294  Retrieve a list of IP addresses for domain controllers.
1295
1296  The array is sorted in the preferred connection order.
1297
1298  @param[in] mem_ctx talloc memory context to allocate from
1299  @param[in] domain domain to retrieve DCs for
1300  @param[out] dcs array of dcs that will be returned
1301  @param[out] num_dcs number of dcs returned in the dcs array
1302  @return always true
1303 *******************************************************************/
1304
1305 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1306                     struct dc_name_ip **dcs, int *num_dcs)
1307 {
1308         fstring dcname;
1309         struct  sockaddr_storage ss;
1310         struct  ip_service *ip_list = NULL;
1311         int     iplist_size = 0;
1312         int     i;
1313         bool    is_our_domain;
1314         enum security_types sec = (enum security_types)lp_security();
1315
1316         is_our_domain = strequal(domain->name, lp_workgroup());
1317
1318         /* If not our domain, get the preferred DC, by asking our primary DC */
1319         if ( !is_our_domain
1320                 && get_dc_name_via_netlogon(domain, dcname, &ss)
1321                 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
1322                        num_dcs) )
1323         {
1324                 char addr[INET6_ADDRSTRLEN];
1325                 print_sockaddr(addr, sizeof(addr), &ss);
1326                 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1327                            dcname, addr));
1328                 return True;
1329         }
1330
1331         if (sec == SEC_ADS) {
1332                 char *sitename = NULL;
1333
1334                 /* We need to make sure we know the local site before
1335                    doing any DNS queries, as this will restrict the
1336                    get_sorted_dc_list() call below to only fetching
1337                    DNS records for the correct site. */
1338
1339                 /* Find any DC to get the site record.
1340                    We deliberately don't care about the
1341                    return here. */
1342
1343                 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1344
1345                 sitename = sitename_fetch(mem_ctx, domain->alt_name);
1346                 if (sitename) {
1347
1348                         /* Do the site-specific AD dns lookup first. */
1349                         get_sorted_dc_list(domain->alt_name, sitename, &ip_list,
1350                                &iplist_size, True);
1351
1352                         /* Add ips to the DC array.  We don't look up the name
1353                            of the DC in this function, but we fill in the char*
1354                            of the ip now to make the failed connection cache
1355                            work */
1356                         for ( i=0; i<iplist_size; i++ ) {
1357                                 char addr[INET6_ADDRSTRLEN];
1358                                 print_sockaddr(addr, sizeof(addr),
1359                                                 &ip_list[i].ss);
1360                                 add_one_dc_unique(mem_ctx,
1361                                                 domain->name,
1362                                                 addr,
1363                                                 &ip_list[i].ss,
1364                                                 dcs,
1365                                                 num_dcs);
1366                         }
1367
1368                         SAFE_FREE(ip_list);
1369                         TALLOC_FREE(sitename);
1370                         iplist_size = 0;
1371                 }
1372
1373                 /* Now we add DCs from the main AD DNS lookup. */
1374                 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1375                         &iplist_size, True);
1376
1377                 for ( i=0; i<iplist_size; i++ ) {
1378                         char addr[INET6_ADDRSTRLEN];
1379                         print_sockaddr(addr, sizeof(addr),
1380                                         &ip_list[i].ss);
1381                         add_one_dc_unique(mem_ctx,
1382                                         domain->name,
1383                                         addr,
1384                                         &ip_list[i].ss,
1385                                         dcs,
1386                                         num_dcs);
1387                 }
1388
1389                 SAFE_FREE(ip_list);
1390                 iplist_size = 0;
1391         }
1392
1393         /* Try standard netbios queries if no ADS and fall back to DNS queries
1394          * if alt_name is available */
1395         if (*num_dcs == 0) {
1396                 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
1397                        false);
1398                 if (iplist_size == 0) {
1399                         if (domain->alt_name != NULL) {
1400                                 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1401                                        &iplist_size, true);
1402                         }
1403                 }
1404
1405                 for ( i=0; i<iplist_size; i++ ) {
1406                         char addr[INET6_ADDRSTRLEN];
1407                         print_sockaddr(addr, sizeof(addr),
1408                                         &ip_list[i].ss);
1409                         add_one_dc_unique(mem_ctx,
1410                                         domain->name,
1411                                         addr,
1412                                         &ip_list[i].ss,
1413                                         dcs,
1414                                         num_dcs);
1415                 }
1416
1417                 SAFE_FREE(ip_list);
1418                 iplist_size = 0;
1419         }
1420
1421         return True;
1422 }
1423
1424 /*******************************************************************
1425  Find and make a connection to a DC in the given domain.
1426
1427  @param[in] mem_ctx talloc memory context to allocate from
1428  @param[in] domain domain to find a dc in
1429  @param[out] dcname NetBIOS or FQDN of DC that's connected to
1430  @param[out] pss DC Internet address and port
1431  @param[out] fd fd of the open socket connected to the newly found dc
1432  @return true when a DC connection is made, false otherwise
1433 *******************************************************************/
1434
1435 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1436                         struct winbindd_domain *domain,
1437                         char **dcname, struct sockaddr_storage *pss, int *fd)
1438 {
1439         struct dc_name_ip *dcs = NULL;
1440         int num_dcs = 0;
1441
1442         const char **dcnames = NULL;
1443         int num_dcnames = 0;
1444
1445         struct sockaddr_storage *addrs = NULL;
1446         int num_addrs = 0;
1447
1448         int i;
1449         size_t fd_index;
1450
1451         NTSTATUS status;
1452
1453         *fd = -1;
1454
1455  again:
1456         if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1457                 return False;
1458
1459         for (i=0; i<num_dcs; i++) {
1460
1461                 if (!add_string_to_array(mem_ctx, dcs[i].name,
1462                                     &dcnames, &num_dcnames)) {
1463                         return False;
1464                 }
1465                 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, TCP_SMB_PORT,
1466                                       &addrs, &num_addrs)) {
1467                         return False;
1468                 }
1469         }
1470
1471         if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1472                 return False;
1473
1474         if ((addrs == NULL) || (dcnames == NULL))
1475                 return False;
1476
1477         status = smbsock_any_connect(addrs, dcnames, NULL, NULL, NULL,
1478                                      num_addrs, 0, 10, fd, &fd_index, NULL);
1479         if (!NT_STATUS_IS_OK(status)) {
1480                 for (i=0; i<num_dcs; i++) {
1481                         char ab[INET6_ADDRSTRLEN];
1482                         print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1483                         DEBUG(10, ("find_new_dc: smbsock_any_connect failed for "
1484                                 "domain %s address %s. Error was %s\n",
1485                                    domain->name, ab, nt_errstr(status) ));
1486                         winbind_add_failed_connection_entry(domain,
1487                                 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1488                 }
1489                 return False;
1490         }
1491
1492         *pss = addrs[fd_index];
1493
1494         if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1495                 /* Ok, we've got a name for the DC */
1496                 *dcname = talloc_strdup(mem_ctx, dcnames[fd_index]);
1497                 if (*dcname == NULL) {
1498                         return false;
1499                 }
1500                 return true;
1501         }
1502
1503         /* Try to figure out the name */
1504         if (dcip_to_name(mem_ctx, domain, pss, dcname)) {
1505                 return True;
1506         }
1507
1508         /* We can not continue without the DC's name */
1509         winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1510                                     NT_STATUS_UNSUCCESSFUL);
1511
1512         /* Throw away all arrays as we're doing this again. */
1513         TALLOC_FREE(dcs);
1514         num_dcs = 0;
1515
1516         TALLOC_FREE(dcnames);
1517         num_dcnames = 0;
1518
1519         TALLOC_FREE(addrs);
1520         num_addrs = 0;
1521
1522         close(*fd);
1523         *fd = -1;
1524
1525         goto again;
1526 }
1527
1528 static char *current_dc_key(TALLOC_CTX *mem_ctx, const char *domain_name)
1529 {
1530         return talloc_asprintf_strupper_m(mem_ctx, "CURRENT_DCNAME/%s",
1531                                           domain_name);
1532 }
1533
1534 static void store_current_dc_in_gencache(const char *domain_name,
1535                                          const char *dc_name,
1536                                          struct cli_state *cli)
1537 {
1538         char addr[INET6_ADDRSTRLEN];
1539         char *key = NULL;
1540         char *value = NULL;
1541
1542         if (!cli_state_is_connected(cli)) {
1543                 return;
1544         }
1545
1546         print_sockaddr(addr, sizeof(addr),
1547                        smbXcli_conn_remote_sockaddr(cli->conn));
1548
1549         key = current_dc_key(talloc_tos(), domain_name);
1550         if (key == NULL) {
1551                 goto done;
1552         }
1553
1554         value = talloc_asprintf(talloc_tos(), "%s %s", addr, dc_name);
1555         if (value == NULL) {
1556                 goto done;
1557         }
1558
1559         gencache_set(key, value, 0x7fffffff);
1560 done:
1561         TALLOC_FREE(value);
1562         TALLOC_FREE(key);
1563 }
1564
1565 bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx,
1566                                     const char *domain_name,
1567                                     char **p_dc_name, char **p_dc_ip)
1568 {
1569         char *key, *p;
1570         char *value = NULL;
1571         bool ret = false;
1572         char *dc_name = NULL;
1573         char *dc_ip = NULL;
1574
1575         key = current_dc_key(talloc_tos(), domain_name);
1576         if (key == NULL) {
1577                 goto done;
1578         }
1579         if (!gencache_get(key, mem_ctx, &value, NULL)) {
1580                 goto done;
1581         }
1582         p = strchr(value, ' ');
1583         if (p == NULL) {
1584                 goto done;
1585         }
1586         dc_ip = talloc_strndup(mem_ctx, value, p - value);
1587         if (dc_ip == NULL) {
1588                 goto done;
1589         }
1590         dc_name = talloc_strdup(mem_ctx, p+1);
1591         if (dc_name == NULL) {
1592                 goto done;
1593         }
1594
1595         if (p_dc_ip != NULL) {
1596                 *p_dc_ip = dc_ip;
1597                 dc_ip = NULL;
1598         }
1599         if (p_dc_name != NULL) {
1600                 *p_dc_name = dc_name;
1601                 dc_name = NULL;
1602         }
1603         ret = true;
1604 done:
1605         TALLOC_FREE(dc_name);
1606         TALLOC_FREE(dc_ip);
1607         TALLOC_FREE(key);
1608         TALLOC_FREE(value);
1609         return ret;
1610 }
1611
1612 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1613                                    struct winbindd_cm_conn *new_conn)
1614 {
1615         TALLOC_CTX *mem_ctx;
1616         NTSTATUS result;
1617         char *saf_servername;
1618         int retries;
1619
1620         if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1621                 set_domain_offline(domain);
1622                 return NT_STATUS_NO_MEMORY;
1623         }
1624
1625         saf_servername = saf_fetch(mem_ctx, domain->name );
1626
1627         /* we have to check the server affinity cache here since 
1628            later we select a DC based on response time and not preference */
1629
1630         /* Check the negative connection cache
1631            before talking to it. It going down may have
1632            triggered the reconnection. */
1633
1634         if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1635
1636                 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1637                         saf_servername, domain->name ));
1638
1639                 /* convert an ip address to a name */
1640                 if (is_ipaddress( saf_servername ) ) {
1641                         char *dcname = NULL;
1642                         struct sockaddr_storage ss;
1643
1644                         if (!interpret_string_addr(&ss, saf_servername,
1645                                                 AI_NUMERICHOST)) {
1646                                 TALLOC_FREE(mem_ctx);
1647                                 return NT_STATUS_UNSUCCESSFUL;
1648                         }
1649                         if (dcip_to_name(mem_ctx, domain, &ss, &dcname)) {
1650                                 domain->dcname = talloc_strdup(domain,
1651                                                                dcname);
1652                                 if (domain->dcname == NULL) {
1653                                         TALLOC_FREE(mem_ctx);
1654                                         return NT_STATUS_NO_MEMORY;
1655                                 }
1656                         } else {
1657                                 winbind_add_failed_connection_entry(
1658                                         domain, saf_servername,
1659                                         NT_STATUS_UNSUCCESSFUL);
1660                         }
1661                 } else {
1662                         domain->dcname = talloc_strdup(domain, saf_servername);
1663                         if (domain->dcname == NULL) {
1664                                 TALLOC_FREE(mem_ctx);
1665                                 return NT_STATUS_NO_MEMORY;
1666                         }
1667                 }
1668         }
1669
1670         for (retries = 0; retries < 3; retries++) {
1671                 int fd = -1;
1672                 bool retry = False;
1673                 char *dcname = NULL;
1674
1675                 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1676
1677                 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1678                         domain->dcname ? domain->dcname : "", domain->name ));
1679
1680                 if (domain->dcname != NULL
1681                         && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1682                         && (resolve_name(domain->dcname, &domain->dcaddr, 0x20, true)))
1683                 {
1684                         NTSTATUS status;
1685
1686                         status = smbsock_connect(&domain->dcaddr, 0,
1687                                                  NULL, -1, NULL, -1,
1688                                                  &fd, NULL, 10);
1689                         if (!NT_STATUS_IS_OK(status)) {
1690                                 fd = -1;
1691                         }
1692                 }
1693
1694                 if ((fd == -1) &&
1695                     !find_new_dc(mem_ctx, domain, &dcname, &domain->dcaddr, &fd))
1696                 {
1697                         /* This is the one place where we will
1698                            set the global winbindd offline state
1699                            to true, if a "WINBINDD_OFFLINE" entry
1700                            is found in the winbindd cache. */
1701                         set_global_winbindd_state_offline();
1702                         break;
1703                 }
1704                 if (dcname != NULL) {
1705                         talloc_free(domain->dcname);
1706
1707                         domain->dcname = talloc_move(domain, &dcname);
1708                         if (domain->dcname == NULL) {
1709                                 result = NT_STATUS_NO_MEMORY;
1710                                 break;
1711                         }
1712                 }
1713
1714                 new_conn->cli = NULL;
1715
1716                 result = cm_prepare_connection(domain, fd, domain->dcname,
1717                         &new_conn->cli, &retry);
1718                 if (!NT_STATUS_IS_OK(result)) {
1719                         /* Don't leak the smb connection socket */
1720                         close(fd);
1721                 }
1722
1723                 if (!retry)
1724                         break;
1725         }
1726
1727         if (NT_STATUS_IS_OK(result)) {
1728                 bool seal_pipes = true;
1729
1730                 winbindd_set_locator_kdc_envs(domain);
1731
1732                 if (domain->online == False) {
1733                         /* We're changing state from offline to online. */
1734                         set_global_winbindd_state_online();
1735                 }
1736                 set_domain_online(domain);
1737
1738                 /*
1739                  * Much as I hate global state, this seems to be the point
1740                  * where we can be certain that we have a proper connection to
1741                  * a DC. wbinfo --dc-info needs that information, store it in
1742                  * gencache with a looong timeout. This will need revisiting
1743                  * once we start to connect to multiple DCs, wbcDcInfo is
1744                  * already prepared for that.
1745                  */
1746                 store_current_dc_in_gencache(domain->name, domain->dcname,
1747                                              new_conn->cli);
1748
1749                 seal_pipes = lp_winbind_sealed_pipes();
1750                 seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
1751                                           domain->name,
1752                                           seal_pipes);
1753
1754                 if (seal_pipes) {
1755                         new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1756                 } else {
1757                         new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1758                 }
1759         } else {
1760                 /* Ensure we setup the retry handler. */
1761                 set_domain_offline(domain);
1762         }
1763
1764         talloc_destroy(mem_ctx);
1765         return result;
1766 }
1767
1768 /* Close down all open pipes on a connection. */
1769
1770 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
1771 {
1772         NTSTATUS result;
1773
1774         /* We're closing down a possibly dead
1775            connection. Don't have impossibly long (10s) timeouts. */
1776
1777         if (conn->cli) {
1778                 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1779         }
1780
1781         if (conn->samr_pipe != NULL) {
1782                 if (is_valid_policy_hnd(&conn->sam_connect_handle)) {
1783                         dcerpc_samr_Close(conn->samr_pipe->binding_handle,
1784                                           talloc_tos(),
1785                                           &conn->sam_connect_handle,
1786                                           &result);
1787                 }
1788                 TALLOC_FREE(conn->samr_pipe);
1789                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1790                 if (conn->cli) {
1791                         cli_set_timeout(conn->cli, 500);
1792                 }
1793         }
1794
1795         if (conn->lsa_pipe != NULL) {
1796                 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1797                         dcerpc_lsa_Close(conn->lsa_pipe->binding_handle,
1798                                          talloc_tos(),
1799                                          &conn->lsa_policy,
1800                                          &result);
1801                 }
1802                 TALLOC_FREE(conn->lsa_pipe);
1803                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1804                 if (conn->cli) {
1805                         cli_set_timeout(conn->cli, 500);
1806                 }
1807         }
1808
1809         if (conn->lsa_pipe_tcp != NULL) {
1810                 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1811                         dcerpc_lsa_Close(conn->lsa_pipe_tcp->binding_handle,
1812                                          talloc_tos(),
1813                                          &conn->lsa_policy,
1814                                          &result);
1815                 }
1816                 TALLOC_FREE(conn->lsa_pipe_tcp);
1817                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1818                 if (conn->cli) {
1819                         cli_set_timeout(conn->cli, 500);
1820                 }
1821         }
1822
1823         if (conn->netlogon_pipe != NULL) {
1824                 TALLOC_FREE(conn->netlogon_pipe);
1825                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1826                 if (conn->cli) {
1827                         cli_set_timeout(conn->cli, 500);
1828                 }
1829         }
1830
1831         conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1832         conn->netlogon_force_reauth = false;
1833         conn->netlogon_flags = 0;
1834         TALLOC_FREE(conn->netlogon_creds);
1835
1836         if (conn->cli) {
1837                 cli_shutdown(conn->cli);
1838         }
1839
1840         conn->cli = NULL;
1841 }
1842
1843 void close_conns_after_fork(void)
1844 {
1845         struct winbindd_domain *domain;
1846         struct winbindd_cli_state *cli_state;
1847
1848         for (domain = domain_list(); domain; domain = domain->next) {
1849                 /*
1850                  * first close the low level SMB TCP connection
1851                  * so that we don't generate any SMBclose
1852                  * requests in invalidate_cm_connection()
1853                  */
1854                 if (cli_state_is_connected(domain->conn.cli)) {
1855                         smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
1856                 }
1857
1858                 invalidate_cm_connection(&domain->conn);
1859         }
1860
1861         for (cli_state = winbindd_client_list();
1862              cli_state != NULL;
1863              cli_state = cli_state->next) {
1864                 if (cli_state->sock >= 0) {
1865                         close(cli_state->sock);
1866                         cli_state->sock = -1;
1867                 }
1868         }
1869 }
1870
1871 static bool connection_ok(struct winbindd_domain *domain)
1872 {
1873         bool ok;
1874
1875         ok = cli_state_is_connected(domain->conn.cli);
1876         if (!ok) {
1877                 DEBUG(3, ("connection_ok: Connection to %s for domain %s is not connected\n",
1878                           domain->dcname, domain->name));
1879                 return False;
1880         }
1881
1882         if (domain->online == False) {
1883                 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1884                 return False;
1885         }
1886
1887         return True;
1888 }
1889
1890 /* Initialize a new connection up to the RPC BIND.
1891    Bypass online status check so always does network calls. */
1892
1893 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
1894 {
1895         NTSTATUS result;
1896
1897         /* Internal connections never use the network. */
1898         if (domain->internal) {
1899                 domain->initialized = True;
1900                 return NT_STATUS_OK;
1901         }
1902
1903         if (connection_ok(domain)) {
1904                 if (!domain->initialized) {
1905                         set_dc_type_and_flags(domain);
1906                 }
1907                 return NT_STATUS_OK;
1908         }
1909
1910         invalidate_cm_connection(&domain->conn);
1911
1912         result = cm_open_connection(domain, &domain->conn);
1913
1914         if (NT_STATUS_IS_OK(result) && !domain->initialized) {
1915                 set_dc_type_and_flags(domain);
1916         }
1917
1918         return result;
1919 }
1920
1921 NTSTATUS init_dc_connection(struct winbindd_domain *domain)
1922 {
1923         if (domain->internal) {
1924                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1925         }
1926
1927         if (domain->initialized && !domain->online) {
1928                 /* We check for online status elsewhere. */
1929                 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1930         }
1931
1932         return init_dc_connection_network(domain);
1933 }
1934
1935 static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain)
1936 {
1937         NTSTATUS status;
1938
1939         status = init_dc_connection(domain);
1940         if (!NT_STATUS_IS_OK(status)) {
1941                 return status;
1942         }
1943
1944         if (!domain->internal && domain->conn.cli == NULL) {
1945                 /* happens for trusted domains without inbound trust */
1946                 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
1947         }
1948
1949         return NT_STATUS_OK;
1950 }
1951
1952 /******************************************************************************
1953  Set the trust flags (direction and forest location) for a domain
1954 ******************************************************************************/
1955
1956 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
1957 {
1958         struct winbindd_domain *our_domain;
1959         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1960         WERROR werr;
1961         struct netr_DomainTrustList trusts;
1962         int i;
1963         uint32 flags = (NETR_TRUST_FLAG_IN_FOREST |
1964                         NETR_TRUST_FLAG_OUTBOUND |
1965                         NETR_TRUST_FLAG_INBOUND);
1966         struct rpc_pipe_client *cli;
1967         TALLOC_CTX *mem_ctx = NULL;
1968         struct dcerpc_binding_handle *b;
1969
1970         DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
1971
1972         /* Our primary domain doesn't need to worry about trust flags.
1973            Force it to go through the network setup */
1974         if ( domain->primary ) {                
1975                 return False;           
1976         }
1977
1978         our_domain = find_our_domain();
1979
1980         if ( !connection_ok(our_domain) ) {
1981                 DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));           
1982                 return False;
1983         }
1984
1985         /* This won't work unless our domain is AD */
1986
1987         if ( !our_domain->active_directory ) {
1988                 return False;
1989         }
1990
1991         /* Use DsEnumerateDomainTrusts to get us the trust direction
1992            and type */
1993
1994         result = cm_connect_netlogon(our_domain, &cli);
1995
1996         if (!NT_STATUS_IS_OK(result)) {
1997                 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
1998                           "a connection to %s for PIPE_NETLOGON (%s)\n", 
1999                           domain->name, nt_errstr(result)));
2000                 return False;
2001         }
2002
2003         b = cli->binding_handle;
2004
2005         if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
2006                 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
2007                 return False;
2008         }       
2009
2010         result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
2011                                                       cli->desthost,
2012                                                       flags,
2013                                                       &trusts,
2014                                                       &werr);
2015         if (!NT_STATUS_IS_OK(result)) {
2016                 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
2017                         "failed to query trusted domain list: %s\n",
2018                         nt_errstr(result)));
2019                 talloc_destroy(mem_ctx);
2020                 return false;
2021         }
2022         if (!W_ERROR_IS_OK(werr)) {
2023                 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
2024                         "failed to query trusted domain list: %s\n",
2025                         win_errstr(werr)));
2026                 talloc_destroy(mem_ctx);
2027                 return false;
2028         }
2029
2030         /* Now find the domain name and get the flags */
2031
2032         for ( i=0; i<trusts.count; i++ ) {
2033                 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
2034                         domain->domain_flags          = trusts.array[i].trust_flags;
2035                         domain->domain_type           = trusts.array[i].trust_type;
2036                         domain->domain_trust_attribs  = trusts.array[i].trust_attributes;
2037
2038                         if ( domain->domain_type == NETR_TRUST_TYPE_UPLEVEL )
2039                                 domain->active_directory = True;
2040
2041                         /* This flag is only set if the domain is *our* 
2042                            primary domain and the primary domain is in
2043                            native mode */
2044
2045                         domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
2046
2047                         DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
2048                                   "native mode.\n", domain->name, 
2049                                   domain->native_mode ? "" : "NOT "));
2050
2051                         DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
2052                                  "running active directory.\n", domain->name, 
2053                                  domain->active_directory ? "" : "NOT "));
2054
2055                         domain->can_do_ncacn_ip_tcp = domain->active_directory;
2056
2057                         domain->initialized = True;
2058
2059                         break;
2060                 }               
2061         }
2062
2063         talloc_destroy( mem_ctx );
2064
2065         return domain->initialized;     
2066 }
2067
2068 /******************************************************************************
2069  We can 'sense' certain things about the DC by it's replies to certain
2070  questions.
2071
2072  This tells us if this particular remote server is Active Directory, and if it
2073  is native mode.
2074 ******************************************************************************/
2075
2076 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
2077 {
2078         NTSTATUS status, result;
2079         WERROR werr;
2080         TALLOC_CTX              *mem_ctx = NULL;
2081         struct rpc_pipe_client  *cli = NULL;
2082         struct policy_handle pol;
2083         union dssetup_DsRoleInfo info;
2084         union lsa_PolicyInformation *lsa_info = NULL;
2085
2086         if (!connection_ok(domain)) {
2087                 return;
2088         }
2089
2090         mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
2091                               domain->name);
2092         if (!mem_ctx) {
2093                 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
2094                 return;
2095         }
2096
2097         DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
2098
2099         status = cli_rpc_pipe_open_noauth(domain->conn.cli,
2100                                           &ndr_table_dssetup,
2101                                           &cli);
2102
2103         if (!NT_STATUS_IS_OK(status)) {
2104                 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
2105                           "PI_DSSETUP on domain %s: (%s)\n",
2106                           domain->name, nt_errstr(status)));
2107
2108                 /* if this is just a non-AD domain we need to continue
2109                  * identifying so that we can in the end return with
2110                  * domain->initialized = True - gd */
2111
2112                 goto no_dssetup;
2113         }
2114
2115         status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx,
2116                                                                   DS_ROLE_BASIC_INFORMATION,
2117                                                                   &info,
2118                                                                   &werr);
2119         TALLOC_FREE(cli);
2120
2121         if (NT_STATUS_IS_OK(status)) {
2122                 result = werror_to_ntstatus(werr);
2123         }
2124         if (!NT_STATUS_IS_OK(status)) {
2125                 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
2126                           "on domain %s failed: (%s)\n",
2127                           domain->name, nt_errstr(status)));
2128
2129                 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
2130                  * every opcode on the DSSETUP pipe, continue with
2131                  * no_dssetup mode here as well to get domain->initialized
2132                  * set - gd */
2133
2134                 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
2135                         goto no_dssetup;
2136                 }
2137
2138                 TALLOC_FREE(mem_ctx);
2139                 return;
2140         }
2141
2142         if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
2143             !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
2144                 domain->native_mode = True;
2145         } else {
2146                 domain->native_mode = False;
2147         }
2148
2149 no_dssetup:
2150         status = cli_rpc_pipe_open_noauth(domain->conn.cli,
2151                                           &ndr_table_lsarpc, &cli);
2152
2153         if (!NT_STATUS_IS_OK(status)) {
2154                 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
2155                           "PI_LSARPC on domain %s: (%s)\n",
2156                           domain->name, nt_errstr(status)));
2157                 TALLOC_FREE(cli);
2158                 TALLOC_FREE(mem_ctx);
2159                 return;
2160         }
2161
2162         status = rpccli_lsa_open_policy2(cli, mem_ctx, True,
2163                                          SEC_FLAG_MAXIMUM_ALLOWED, &pol);
2164
2165         if (NT_STATUS_IS_OK(status)) {
2166                 /* This particular query is exactly what Win2k clients use 
2167                    to determine that the DC is active directory */
2168                 status = dcerpc_lsa_QueryInfoPolicy2(cli->binding_handle, mem_ctx,
2169                                                      &pol,
2170                                                      LSA_POLICY_INFO_DNS,
2171                                                      &lsa_info,
2172                                                      &result);
2173         }
2174
2175         if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2176                 domain->active_directory = True;
2177
2178                 if (lsa_info->dns.name.string) {
2179                         talloc_free(domain->name);
2180                         domain->name = talloc_strdup(domain,
2181                                                      lsa_info->dns.name.string);
2182                         if (domain->name == NULL) {
2183                                 goto done;
2184                         }
2185                 }
2186
2187                 if (lsa_info->dns.dns_domain.string) {
2188                         talloc_free(domain->alt_name);
2189                         domain->alt_name =
2190                                 talloc_strdup(domain,
2191                                               lsa_info->dns.dns_domain.string);
2192                         if (domain->alt_name == NULL) {
2193                                 goto done;
2194                         }
2195                 }
2196
2197                 /* See if we can set some domain trust flags about
2198                    ourself */
2199
2200                 if (lsa_info->dns.dns_forest.string) {
2201                         talloc_free(domain->forest_name);
2202                         domain->forest_name =
2203                                 talloc_strdup(domain,
2204                                               lsa_info->dns.dns_forest.string);
2205                         if (domain->forest_name == NULL) {
2206                                 goto done;
2207                         }
2208
2209                         if (strequal(domain->forest_name, domain->alt_name)) {
2210                                 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
2211                         }
2212                 }
2213
2214                 if (lsa_info->dns.sid) {
2215                         sid_copy(&domain->sid, lsa_info->dns.sid);
2216                 }
2217         } else {
2218                 domain->active_directory = False;
2219
2220                 status = rpccli_lsa_open_policy(cli, mem_ctx, True,
2221                                                 SEC_FLAG_MAXIMUM_ALLOWED,
2222                                                 &pol);
2223
2224                 if (!NT_STATUS_IS_OK(status)) {
2225                         goto done;
2226                 }
2227
2228                 status = dcerpc_lsa_QueryInfoPolicy(cli->binding_handle, mem_ctx,
2229                                                     &pol,
2230                                                     LSA_POLICY_INFO_ACCOUNT_DOMAIN,
2231                                                     &lsa_info,
2232                                                     &result);
2233                 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2234
2235                         if (lsa_info->account_domain.name.string) {
2236                                 talloc_free(domain->name);
2237                                 domain->name =
2238                                         talloc_strdup(domain,
2239                                                       lsa_info->account_domain.name.string);
2240                         }
2241
2242                         if (lsa_info->account_domain.sid) {
2243                                 sid_copy(&domain->sid, lsa_info->account_domain.sid);
2244                         }
2245                 }
2246         }
2247 done:
2248
2249         DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
2250                   domain->name, domain->native_mode ? "" : "NOT "));
2251
2252         DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
2253                   domain->name, domain->active_directory ? "" : "NOT "));
2254
2255         domain->can_do_ncacn_ip_tcp = domain->active_directory;
2256
2257         TALLOC_FREE(cli);
2258
2259         TALLOC_FREE(mem_ctx);
2260
2261         domain->initialized = True;
2262 }
2263
2264 /**********************************************************************
2265  Set the domain_flags (trust attributes, domain operating modes, etc... 
2266 ***********************************************************************/
2267
2268 static void set_dc_type_and_flags( struct winbindd_domain *domain )
2269 {
2270         /* we always have to contact our primary domain */
2271
2272         if ( domain->primary ) {
2273                 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
2274                           "primary domain\n"));
2275                 set_dc_type_and_flags_connect( domain );
2276                 return;         
2277         }
2278
2279         /* Use our DC to get the information if possible */
2280
2281         if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
2282                 /* Otherwise, fallback to contacting the 
2283                    domain directly */
2284                 set_dc_type_and_flags_connect( domain );
2285         }
2286
2287         return;
2288 }
2289
2290
2291
2292 /**********************************************************************
2293 ***********************************************************************/
2294
2295 static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
2296                                    struct netlogon_creds_cli_context **ppdc)
2297 {
2298         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2299         struct rpc_pipe_client *netlogon_pipe;
2300
2301         *ppdc = NULL;
2302
2303         if ((!IS_DC) && (!domain->primary)) {
2304                 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2305         }
2306
2307         if (domain->conn.netlogon_creds != NULL) {
2308                 if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
2309                         return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2310                 }
2311                 *ppdc = domain->conn.netlogon_creds;
2312                 return NT_STATUS_OK;
2313         }
2314
2315         result = cm_connect_netlogon(domain, &netlogon_pipe);
2316         if (!NT_STATUS_IS_OK(result)) {
2317                 return result;
2318         }
2319
2320         if (domain->conn.netlogon_creds == NULL) {
2321                 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2322         }
2323
2324         if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
2325                 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2326         }
2327
2328         *ppdc = domain->conn.netlogon_creds;
2329         return NT_STATUS_OK;
2330 }
2331
2332 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2333                         struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
2334 {
2335         struct winbindd_cm_conn *conn;
2336         NTSTATUS status, result;
2337         struct netlogon_creds_cli_context *p_creds;
2338         char *machine_password = NULL;
2339         char *machine_account = NULL;
2340         const char *domain_name = NULL;
2341
2342         if (sid_check_is_our_sam(&domain->sid)) {
2343                 return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
2344         }
2345
2346         status = init_dc_connection_rpc(domain);
2347         if (!NT_STATUS_IS_OK(status)) {
2348                 return status;
2349         }
2350
2351         conn = &domain->conn;
2352
2353         if (rpccli_is_connected(conn->samr_pipe)) {
2354                 goto done;
2355         }
2356
2357         TALLOC_FREE(conn->samr_pipe);
2358
2359         /*
2360          * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
2361          * sign and sealed pipe using the machine account password by
2362          * preference. If we can't - try schannel, if that fails, try
2363          * anonymous.
2364          */
2365
2366         if ((conn->cli->user_name[0] == '\0') ||
2367             (conn->cli->domain[0] == '\0') || 
2368             (conn->cli->password == NULL || conn->cli->password[0] == '\0'))
2369         {
2370                 status = get_trust_creds(domain, &machine_password,
2371                                          &machine_account, NULL);
2372                 if (!NT_STATUS_IS_OK(status)) {
2373                         DEBUG(10, ("cm_connect_sam: No no user available for "
2374                                    "domain %s, trying schannel\n", conn->cli->domain));
2375                         goto schannel;
2376                 }
2377                 domain_name = domain->name;
2378         } else {
2379                 machine_password = SMB_STRDUP(conn->cli->password);
2380                 machine_account = SMB_STRDUP(conn->cli->user_name);
2381                 domain_name = conn->cli->domain;
2382         }
2383
2384         if (!machine_password || !machine_account) {
2385                 status = NT_STATUS_NO_MEMORY;
2386                 goto done;
2387         }
2388
2389         /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2390            authenticated SAMR pipe with sign & seal. */
2391         status = cli_rpc_pipe_open_spnego(conn->cli,
2392                                           &ndr_table_samr,
2393                                           NCACN_NP,
2394                                           GENSEC_OID_NTLMSSP,
2395                                           conn->auth_level,
2396                                           smbXcli_conn_remote_name(conn->cli->conn),
2397                                           domain_name,
2398                                           machine_account,
2399                                           machine_password,
2400                                           &conn->samr_pipe);
2401
2402         if (!NT_STATUS_IS_OK(status)) {
2403                 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2404                           "pipe for domain %s using NTLMSSP "
2405                           "authenticated pipe: user %s\\%s. Error was "
2406                           "%s\n", domain->name, domain_name,
2407                           machine_account, nt_errstr(status)));
2408                 goto schannel;
2409         }
2410
2411         DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2412                   "domain %s using NTLMSSP authenticated "
2413                   "pipe: user %s\\%s\n", domain->name,
2414                   domain_name, machine_account));
2415
2416         status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2417                                       conn->samr_pipe->desthost,
2418                                       SEC_FLAG_MAXIMUM_ALLOWED,
2419                                       &conn->sam_connect_handle,
2420                                       &result);
2421         if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2422                 goto open_domain;
2423         }
2424         if (NT_STATUS_IS_OK(status)) {
2425                 status = result;
2426         }
2427
2428         DEBUG(10,("cm_connect_sam: ntlmssp-sealed dcerpc_samr_Connect2 "
2429                   "failed for domain %s, error was %s. Trying schannel\n",
2430                   domain->name, nt_errstr(status) ));
2431         TALLOC_FREE(conn->samr_pipe);
2432
2433  schannel:
2434
2435         /* Fall back to schannel if it's a W2K pre-SP1 box. */
2436
2437         status = cm_get_schannel_creds(domain, &p_creds);
2438         if (!NT_STATUS_IS_OK(status)) {
2439                 /* If this call fails - conn->cli can now be NULL ! */
2440                 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2441                            "for domain %s (error %s), trying anon\n",
2442                         domain->name,
2443                         nt_errstr(status) ));
2444                 goto anonymous;
2445         }
2446         status = cli_rpc_pipe_open_schannel_with_key
2447                 (conn->cli, &ndr_table_samr, NCACN_NP,
2448                  domain->name, p_creds, &conn->samr_pipe);
2449
2450         if (!NT_STATUS_IS_OK(status)) {
2451                 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2452                           "domain %s using schannel. Error was %s\n",
2453                           domain->name, nt_errstr(status) ));
2454                 goto anonymous;
2455         }
2456         DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2457                   "schannel.\n", domain->name ));
2458
2459         status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2460                                       conn->samr_pipe->desthost,
2461                                       SEC_FLAG_MAXIMUM_ALLOWED,
2462                                       &conn->sam_connect_handle,
2463                                       &result);
2464         if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2465                 goto open_domain;
2466         }
2467         if (NT_STATUS_IS_OK(status)) {
2468                 status = result;
2469         }
2470         DEBUG(10,("cm_connect_sam: schannel-sealed dcerpc_samr_Connect2 failed "
2471                   "for domain %s, error was %s. Trying anonymous\n",
2472                   domain->name, nt_errstr(status) ));
2473         TALLOC_FREE(conn->samr_pipe);
2474
2475  anonymous:
2476
2477         /* Finally fall back to anonymous. */
2478         status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
2479                                           &conn->samr_pipe);
2480
2481         if (!NT_STATUS_IS_OK(status)) {
2482                 goto done;
2483         }
2484
2485         status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2486                                       conn->samr_pipe->desthost,
2487                                       SEC_FLAG_MAXIMUM_ALLOWED,
2488                                       &conn->sam_connect_handle,
2489                                       &result);
2490         if (!NT_STATUS_IS_OK(status)) {
2491                 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2492                           "for domain %s Error was %s\n",
2493                           domain->name, nt_errstr(status) ));
2494                 goto done;
2495         }
2496         if (!NT_STATUS_IS_OK(result)) {
2497                 status = result;
2498                 DEBUG(10,("cm_connect_sam: dcerpc_samr_Connect2 failed "
2499                           "for domain %s Error was %s\n",
2500                           domain->name, nt_errstr(result)));
2501                 goto done;
2502         }
2503
2504  open_domain:
2505         status = dcerpc_samr_OpenDomain(conn->samr_pipe->binding_handle,
2506                                         mem_ctx,
2507                                         &conn->sam_connect_handle,
2508                                         SEC_FLAG_MAXIMUM_ALLOWED,
2509                                         &domain->sid,
2510                                         &conn->sam_domain_handle,
2511                                         &result);
2512         if (!NT_STATUS_IS_OK(status)) {
2513                 goto done;
2514         }
2515
2516         status = result;
2517  done:
2518
2519         if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
2520                 /*
2521                  * if we got access denied, we might just have no access rights
2522                  * to talk to the remote samr server server (e.g. when we are a
2523                  * PDC and we are connecting a w2k8 pdc via an interdomain
2524                  * trust). In that case do not invalidate the whole connection
2525                  * stack
2526                  */
2527                 TALLOC_FREE(conn->samr_pipe);
2528                 ZERO_STRUCT(conn->sam_domain_handle);
2529                 return status;
2530         } else if (!NT_STATUS_IS_OK(status)) {
2531                 invalidate_cm_connection(conn);
2532                 return status;
2533         }
2534
2535         *cli = conn->samr_pipe;
2536         *sam_handle = conn->sam_domain_handle;
2537         SAFE_FREE(machine_password);
2538         SAFE_FREE(machine_account);
2539         return status;
2540 }
2541
2542 /**********************************************************************
2543  open an schanneld ncacn_ip_tcp connection to LSA
2544 ***********************************************************************/
2545
2546 NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
2547                             TALLOC_CTX *mem_ctx,
2548                             struct rpc_pipe_client **cli)
2549 {
2550         struct winbindd_cm_conn *conn;
2551         struct netlogon_creds_cli_context *creds;
2552         NTSTATUS status;
2553
2554         DEBUG(10,("cm_connect_lsa_tcp\n"));
2555
2556         status = init_dc_connection_rpc(domain);
2557         if (!NT_STATUS_IS_OK(status)) {
2558                 return status;
2559         }
2560
2561         conn = &domain->conn;
2562
2563         if (conn->lsa_pipe_tcp &&
2564             conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
2565             conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
2566             rpccli_is_connected(conn->lsa_pipe_tcp)) {
2567                 goto done;
2568         }
2569
2570         TALLOC_FREE(conn->lsa_pipe_tcp);
2571
2572         status = cm_get_schannel_creds(domain, &creds);
2573         if (!NT_STATUS_IS_OK(status)) {
2574                 goto done;
2575         }
2576
2577         status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
2578                                                      &ndr_table_lsarpc,
2579                                                      NCACN_IP_TCP,
2580                                                      domain->name,
2581                                                      creds,
2582                                                      &conn->lsa_pipe_tcp);
2583         if (!NT_STATUS_IS_OK(status)) {
2584                 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
2585                         nt_errstr(status)));
2586                 goto done;
2587         }
2588
2589  done:
2590         if (!NT_STATUS_IS_OK(status)) {
2591                 TALLOC_FREE(conn->lsa_pipe_tcp);
2592                 return status;
2593         }
2594
2595         *cli = conn->lsa_pipe_tcp;
2596
2597         return status;
2598 }
2599
2600 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2601                         struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
2602 {
2603         struct winbindd_cm_conn *conn;
2604         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2605         struct netlogon_creds_cli_context *p_creds;
2606
2607         result = init_dc_connection_rpc(domain);
2608         if (!NT_STATUS_IS_OK(result))
2609                 return result;
2610
2611         conn = &domain->conn;
2612
2613         if (rpccli_is_connected(conn->lsa_pipe)) {
2614                 goto done;
2615         }
2616
2617         TALLOC_FREE(conn->lsa_pipe);
2618
2619         if ((conn->cli->user_name[0] == '\0') ||
2620             (conn->cli->domain[0] == '\0') || 
2621             (conn->cli->password == NULL || conn->cli->password[0] == '\0')) {
2622                 DEBUG(10, ("cm_connect_lsa: No no user available for "
2623                            "domain %s, trying schannel\n", conn->cli->domain));
2624                 goto schannel;
2625         }
2626
2627         /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2628          * authenticated LSA pipe with sign & seal. */
2629         result = cli_rpc_pipe_open_spnego
2630                 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
2631                  GENSEC_OID_NTLMSSP,
2632                  conn->auth_level,
2633                  smbXcli_conn_remote_name(conn->cli->conn),
2634                  conn->cli->domain, conn->cli->user_name, conn->cli->password,
2635                  &conn->lsa_pipe);
2636
2637         if (!NT_STATUS_IS_OK(result)) {
2638                 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2639                           "domain %s using NTLMSSP authenticated pipe: user "
2640                           "%s\\%s. Error was %s. Trying schannel.\n",
2641                           domain->name, conn->cli->domain,
2642                           conn->cli->user_name, nt_errstr(result)));
2643                 goto schannel;
2644         }
2645
2646         DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2647                   "NTLMSSP authenticated pipe: user %s\\%s\n",
2648                   domain->name, conn->cli->domain, conn->cli->user_name ));
2649
2650         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2651                                         SEC_FLAG_MAXIMUM_ALLOWED,
2652                                         &conn->lsa_policy);
2653         if (NT_STATUS_IS_OK(result)) {
2654                 goto done;
2655         }
2656
2657         DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2658                   "schannel\n"));
2659
2660         TALLOC_FREE(conn->lsa_pipe);
2661
2662  schannel:
2663
2664         /* Fall back to schannel if it's a W2K pre-SP1 box. */
2665
2666         result = cm_get_schannel_creds(domain, &p_creds);
2667         if (!NT_STATUS_IS_OK(result)) {
2668                 /* If this call fails - conn->cli can now be NULL ! */
2669                 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2670                            "for domain %s (error %s), trying anon\n",
2671                         domain->name,
2672                         nt_errstr(result) ));
2673                 goto anonymous;
2674         }
2675         result = cli_rpc_pipe_open_schannel_with_key
2676                 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
2677                  domain->name, p_creds, &conn->lsa_pipe);
2678
2679         if (!NT_STATUS_IS_OK(result)) {
2680                 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2681                           "domain %s using schannel. Error was %s\n",
2682                           domain->name, nt_errstr(result) ));
2683                 goto anonymous;
2684         }
2685         DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2686                   "schannel.\n", domain->name ));
2687
2688         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2689                                         SEC_FLAG_MAXIMUM_ALLOWED,
2690                                         &conn->lsa_policy);
2691         if (NT_STATUS_IS_OK(result)) {
2692                 goto done;
2693         }
2694
2695         DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2696                   "anonymous\n"));
2697
2698         TALLOC_FREE(conn->lsa_pipe);
2699
2700  anonymous:
2701
2702         result = cli_rpc_pipe_open_noauth(conn->cli,
2703                                           &ndr_table_lsarpc,
2704                                           &conn->lsa_pipe);
2705         if (!NT_STATUS_IS_OK(result)) {
2706                 goto done;
2707         }
2708
2709         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2710                                         SEC_FLAG_MAXIMUM_ALLOWED,
2711                                         &conn->lsa_policy);
2712  done:
2713         if (!NT_STATUS_IS_OK(result)) {
2714                 invalidate_cm_connection(conn);
2715                 return result;
2716         }
2717
2718         *cli = conn->lsa_pipe;
2719         *lsa_policy = conn->lsa_policy;
2720         return result;
2721 }
2722
2723 /****************************************************************************
2724 Open a LSA connection to a DC, suiteable for LSA lookup calls.
2725 ****************************************************************************/
2726
2727 NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
2728                          TALLOC_CTX *mem_ctx,
2729                          struct rpc_pipe_client **cli,
2730                          struct policy_handle *lsa_policy)
2731 {
2732         NTSTATUS status;
2733
2734         if (domain->can_do_ncacn_ip_tcp) {
2735                 status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
2736                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
2737                     NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
2738                     NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
2739                         invalidate_cm_connection(&domain->conn);
2740                         status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
2741                 }
2742                 if (NT_STATUS_IS_OK(status)) {
2743                         return status;
2744                 }
2745
2746                 /*
2747                  * we tried twice to connect via ncan_ip_tcp and schannel and
2748                  * failed - maybe it is a trusted domain we can't connect to ?
2749                  * do not try tcp next time - gd
2750                  */
2751                 domain->can_do_ncacn_ip_tcp = false;
2752         }
2753
2754         status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);
2755
2756         return status;
2757 }
2758
2759 /****************************************************************************
2760  Open the netlogon pipe to this DC. Use schannel if specified in client conf.
2761  session key stored in conn->netlogon_pipe->dc->sess_key.
2762 ****************************************************************************/
2763
2764 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2765                              struct rpc_pipe_client **cli)
2766 {
2767         struct messaging_context *msg_ctx = winbind_messaging_context();
2768         struct winbindd_cm_conn *conn;
2769         NTSTATUS result;
2770         enum netr_SchannelType sec_chan_type;
2771         const char *_account_name;
2772         const char *account_name;
2773         struct samr_Password current_nt_hash;
2774         struct samr_Password *previous_nt_hash = NULL;
2775         struct netlogon_creds_CredentialState *creds = NULL;
2776         bool ok;
2777
2778         *cli = NULL;
2779
2780         result = init_dc_connection_rpc(domain);
2781         if (!NT_STATUS_IS_OK(result)) {
2782                 return result;
2783         }
2784
2785         conn = &domain->conn;
2786
2787         if (rpccli_is_connected(conn->netlogon_pipe)) {
2788                 *cli = conn->netlogon_pipe;
2789                 return NT_STATUS_OK;
2790         }
2791
2792         TALLOC_FREE(conn->netlogon_pipe);
2793         conn->netlogon_flags = 0;
2794         TALLOC_FREE(conn->netlogon_creds);
2795
2796         if ((!IS_DC) && (!domain->primary)) {
2797                 goto no_schannel;
2798         }
2799
2800         ok = get_trust_pw_hash(domain->name,
2801                                current_nt_hash.hash,
2802                                &_account_name,
2803                                &sec_chan_type);
2804         if (!ok) {
2805                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2806         }
2807
2808         account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
2809         if (account_name == NULL) {
2810                 return NT_STATUS_NO_MEMORY;
2811         }
2812
2813         result = rpccli_create_netlogon_creds(domain->dcname,
2814                                               domain->name,
2815                                               account_name,
2816                                               sec_chan_type,
2817                                               msg_ctx,
2818                                               domain,
2819                                               &conn->netlogon_creds);
2820         if (!NT_STATUS_IS_OK(result)) {
2821                 SAFE_FREE(previous_nt_hash);
2822                 return result;
2823         }
2824
2825         result = rpccli_setup_netlogon_creds(conn->cli,
2826                                              conn->netlogon_creds,
2827                                              conn->netlogon_force_reauth,
2828                                              current_nt_hash,
2829                                              previous_nt_hash);
2830         conn->netlogon_force_reauth = false;
2831         SAFE_FREE(previous_nt_hash);
2832         if (!NT_STATUS_IS_OK(result)) {
2833                 return result;
2834         }
2835
2836         result = netlogon_creds_cli_get(conn->netlogon_creds,
2837                                         talloc_tos(),
2838                                         &creds);
2839         if (!NT_STATUS_IS_OK(result)) {
2840                 return result;
2841         }
2842         conn->netlogon_flags = creds->negotiate_flags;
2843         TALLOC_FREE(creds);
2844
2845  no_schannel:
2846         if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
2847                 result = cli_rpc_pipe_open_noauth(conn->cli,
2848                                         &ndr_table_netlogon,
2849                                         &conn->netlogon_pipe);
2850                 if (!NT_STATUS_IS_OK(result)) {
2851                         invalidate_cm_connection(conn);
2852                         return result;
2853                 }
2854
2855                 *cli = conn->netlogon_pipe;
2856                 return NT_STATUS_OK;
2857         }
2858
2859         /* Using the credentials from the first pipe, open a signed and sealed
2860            second netlogon pipe. The session key is stored in the schannel
2861            part of the new pipe auth struct.
2862         */
2863
2864         result = cli_rpc_pipe_open_schannel_with_key(
2865                 conn->cli, &ndr_table_netlogon, NCACN_NP,
2866                 domain->name,
2867                 conn->netlogon_creds,
2868                 &conn->netlogon_pipe);
2869         if (!NT_STATUS_IS_OK(result)) {
2870                 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
2871                           "was %s\n", nt_errstr(result)));
2872
2873                 invalidate_cm_connection(conn);
2874                 return result;
2875         }
2876
2877         *cli = conn->netlogon_pipe;
2878         return NT_STATUS_OK;
2879 }
2880
2881 void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
2882                             void *private_data,
2883                             uint32_t msg_type,
2884                             struct server_id server_id,
2885                             DATA_BLOB *data)
2886 {
2887         struct winbindd_domain *domain;
2888         char *freeit = NULL;
2889         char *addr;
2890
2891         if ((data == NULL)
2892             || (data->data == NULL)
2893             || (data->length == 0)
2894             || (data->data[data->length-1] != '\0')) {
2895                 DEBUG(1, ("invalid msg_ip_dropped message: not a valid "
2896                           "string\n"));
2897                 return;
2898         }
2899
2900         addr = (char *)data->data;
2901         DEBUG(10, ("IP %s dropped\n", addr));
2902
2903         if (!is_ipaddress(addr)) {
2904                 char *slash;
2905                 /*
2906                  * Some code sends us ip addresses with the /netmask
2907                  * suffix
2908                  */
2909                 slash = strchr(addr, '/');
2910                 if (slash == NULL) {
2911                         DEBUG(1, ("invalid msg_ip_dropped message: %s",
2912                                   addr));
2913                         return;
2914                 }
2915                 freeit = talloc_strndup(talloc_tos(), addr, slash-addr);
2916                 if (freeit == NULL) {
2917                         DEBUG(1, ("talloc failed\n"));
2918                         return;
2919                 }
2920                 addr = freeit;
2921                 DEBUG(10, ("Stripped /netmask to IP %s\n", addr));
2922         }
2923
2924         for (domain = domain_list(); domain != NULL; domain = domain->next) {
2925                 char sockaddr[INET6_ADDRSTRLEN];
2926
2927                 if (!cli_state_is_connected(domain->conn.cli)) {
2928                         continue;
2929                 }
2930
2931                 print_sockaddr(sockaddr, sizeof(sockaddr),
2932                                smbXcli_conn_local_sockaddr(domain->conn.cli->conn));
2933
2934                 if (strequal(sockaddr, addr)) {
2935                         smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
2936                 }
2937         }
2938         TALLOC_FREE(freeit);
2939 }