CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
[samba.git] / source3 / winbindd / winbindd_cm.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon connection manager
5
6    Copyright (C) Tim Potter                2001
7    Copyright (C) Andrew Bartlett           2002
8    Copyright (C) Gerald (Jerry) Carter     2003-2005.
9    Copyright (C) Volker Lendecke           2004-2005
10    Copyright (C) Jeremy Allison            2006
11
12    This program is free software; you can redistribute it and/or modify
13    it under the terms of the GNU General Public License as published by
14    the Free Software Foundation; either version 3 of the License, or
15    (at your option) any later version.
16
17    This program is distributed in the hope that it will be useful,
18    but WITHOUT ANY WARRANTY; without even the implied warranty of
19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20    GNU General Public License for more details.
21
22    You should have received a copy of the GNU General Public License
23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27    We need to manage connections to domain controllers without having to
28    mess up the main winbindd code with other issues.  The aim of the
29    connection manager is to:
30
31        - make connections to domain controllers and cache them
32        - re-establish connections when networks or servers go down
33        - centralise the policy on connection timeouts, domain controller
34          selection etc
35        - manage re-entrancy for when winbindd becomes able to handle
36          multiple outstanding rpc requests
37
38    Why not have connection management as part of the rpc layer like tng?
39    Good question.  This code may morph into libsmb/rpc_cache.c or something
40    like that but at the moment it's simply staying as part of winbind.  I
41    think the TNG architecture of forcing every user of the rpc layer to use
42    the connection caching system is a bad idea.  It should be an optional
43    method of using the routines.
44
45    The TNG design is quite good but I disagree with some aspects of the
46    implementation. -tpot
47
48  */
49
50 /*
51    TODO:
52
53      - I'm pretty annoyed by all the make_nmb_name() stuff.  It should be
54        moved down into another function.
55
56      - Take care when destroying cli_structs as they can be shared between
57        various sam handles.
58
59  */
60
61 #include "includes.h"
62 #include "winbindd.h"
63 #include "../libcli/auth/libcli_auth.h"
64 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
65 #include "rpc_client/cli_pipe.h"
66 #include "rpc_client/cli_netlogon.h"
67 #include "../librpc/gen_ndr/ndr_samr_c.h"
68 #include "../librpc/gen_ndr/ndr_lsa_c.h"
69 #include "rpc_client/cli_lsarpc.h"
70 #include "../librpc/gen_ndr/ndr_dssetup_c.h"
71 #include "libads/sitename_cache.h"
72 #include "libsmb/libsmb.h"
73 #include "libsmb/clidgram.h"
74 #include "ads.h"
75 #include "secrets.h"
76 #include "../libcli/security/security.h"
77 #include "passdb.h"
78 #include "messages.h"
79 #include "auth/gensec/gensec.h"
80 #include "../libcli/smb/smbXcli_base.h"
81 #include "libcli/auth/netlogon_creds_cli.h"
82 #include "auth.h"
83 #include "rpc_server/rpc_ncacn_np.h"
84 #include "auth/credentials/credentials.h"
85 #include "lib/param/param.h"
86
87 #undef DBGC_CLASS
88 #define DBGC_CLASS DBGC_WINBIND
89
90 struct dc_name_ip {
91         fstring name;
92         struct sockaddr_storage ss;
93 };
94
95 extern struct winbindd_methods reconnect_methods;
96 extern bool override_logfile;
97
98 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc);
99 static void set_dc_type_and_flags( struct winbindd_domain *domain );
100 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain );
101 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
102                     struct dc_name_ip **dcs, int *num_dcs);
103
104 /****************************************************************
105  Child failed to find DC's. Reschedule check.
106 ****************************************************************/
107
108 static void msg_failed_to_go_online(struct messaging_context *msg,
109                                     void *private_data,
110                                     uint32_t msg_type,
111                                     struct server_id server_id,
112                                     DATA_BLOB *data)
113 {
114         struct winbindd_domain *domain;
115         const char *domainname = (const char *)data->data;
116
117         if (data->data == NULL || data->length == 0) {
118                 return;
119         }
120
121         DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
122
123         for (domain = domain_list(); domain; domain = domain->next) {
124                 if (domain->internal) {
125                         continue;
126                 }
127
128                 if (strequal(domain->name, domainname)) {
129                         if (domain->online) {
130                                 /* We're already online, ignore. */
131                                 DEBUG(5,("msg_fail_to_go_online: domain %s "
132                                         "already online.\n", domainname));
133                                 continue;
134                         }
135
136                         /* Reschedule the online check. */
137                         set_domain_offline(domain);
138                         break;
139                 }
140         }
141 }
142
143 /****************************************************************
144  Actually cause a reconnect from a message.
145 ****************************************************************/
146
147 static void msg_try_to_go_online(struct messaging_context *msg,
148                                  void *private_data,
149                                  uint32_t msg_type,
150                                  struct server_id server_id,
151                                  DATA_BLOB *data)
152 {
153         struct winbindd_domain *domain;
154         const char *domainname = (const char *)data->data;
155
156         if (data->data == NULL || data->length == 0) {
157                 return;
158         }
159
160         DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
161
162         for (domain = domain_list(); domain; domain = domain->next) {
163                 if (domain->internal) {
164                         continue;
165                 }
166
167                 if (strequal(domain->name, domainname)) {
168
169                         if (domain->online) {
170                                 /* We're already online, ignore. */
171                                 DEBUG(5,("msg_try_to_go_online: domain %s "
172                                         "already online.\n", domainname));
173                                 continue;
174                         }
175
176                         /* This call takes care of setting the online
177                            flag to true if we connected, or re-adding
178                            the offline handler if false. Bypasses online
179                            check so always does network calls. */
180
181                         init_dc_connection_network(domain, true);
182                         break;
183                 }
184         }
185 }
186
187 /****************************************************************
188  Fork a child to try and contact a DC. Do this as contacting a
189  DC requires blocking lookups and we don't want to block our
190  parent.
191 ****************************************************************/
192
193 static bool fork_child_dc_connect(struct winbindd_domain *domain)
194 {
195         struct dc_name_ip *dcs = NULL;
196         int num_dcs = 0;
197         TALLOC_CTX *mem_ctx = NULL;
198         pid_t parent_pid = getpid();
199         char *lfile = NULL;
200         NTSTATUS status;
201
202         if (domain->dc_probe_pid != (pid_t)-1) {
203                 /*
204                  * We might already have a DC probe
205                  * child working, check.
206                  */
207                 if (process_exists_by_pid(domain->dc_probe_pid)) {
208                         DEBUG(10,("fork_child_dc_connect: pid %u already "
209                                 "checking for DC's.\n",
210                                 (unsigned int)domain->dc_probe_pid));
211                         return true;
212                 }
213                 domain->dc_probe_pid = (pid_t)-1;
214         }
215
216         domain->dc_probe_pid = fork();
217
218         if (domain->dc_probe_pid == (pid_t)-1) {
219                 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
220                 return False;
221         }
222
223         if (domain->dc_probe_pid != (pid_t)0) {
224                 /* Parent */
225                 messaging_register(winbind_messaging_context(), NULL,
226                                    MSG_WINBIND_TRY_TO_GO_ONLINE,
227                                    msg_try_to_go_online);
228                 messaging_register(winbind_messaging_context(), NULL,
229                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
230                                    msg_failed_to_go_online);
231                 return True;
232         }
233
234         /* Child. */
235
236         /* Leave messages blocked - we will never process one. */
237
238         if (!override_logfile) {
239                 if (asprintf(&lfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) == -1) {
240                         DEBUG(0, ("fork_child_dc_connect: out of memory.\n"));
241                         _exit(1);
242                 }
243         }
244
245         status = winbindd_reinit_after_fork(NULL, lfile);
246         if (!NT_STATUS_IS_OK(status)) {
247                 DEBUG(1, ("winbindd_reinit_after_fork failed: %s\n",
248                           nt_errstr(status)));
249                 messaging_send_buf(winbind_messaging_context(),
250                                    pid_to_procid(parent_pid),
251                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
252                                    (const uint8_t *)domain->name,
253                                    strlen(domain->name)+1);
254                 _exit(1);
255         }
256         SAFE_FREE(lfile);
257
258         mem_ctx = talloc_init("fork_child_dc_connect");
259         if (!mem_ctx) {
260                 DEBUG(0,("talloc_init failed.\n"));
261                 messaging_send_buf(winbind_messaging_context(),
262                                    pid_to_procid(parent_pid),
263                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
264                                    (const uint8_t *)domain->name,
265                                    strlen(domain->name)+1);
266                 _exit(1);
267         }
268
269         if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
270                 /* Still offline ? Can't find DC's. */
271                 messaging_send_buf(winbind_messaging_context(),
272                                    pid_to_procid(parent_pid),
273                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
274                                    (const uint8_t *)domain->name,
275                                    strlen(domain->name)+1);
276                 _exit(0);
277         }
278
279         /* We got a DC. Send a message to our parent to get it to
280            try and do the same. */
281
282         messaging_send_buf(winbind_messaging_context(),
283                            pid_to_procid(parent_pid),
284                            MSG_WINBIND_TRY_TO_GO_ONLINE,
285                            (const uint8_t *)domain->name,
286                            strlen(domain->name)+1);
287         _exit(0);
288 }
289
290 /****************************************************************
291  Handler triggered if we're offline to try and detect a DC.
292 ****************************************************************/
293
294 static void check_domain_online_handler(struct tevent_context *ctx,
295                                         struct tevent_timer *te,
296                                         struct timeval now,
297                                         void *private_data)
298 {
299         struct winbindd_domain *domain =
300                 (struct winbindd_domain *)private_data;
301
302         DEBUG(10,("check_domain_online_handler: called for domain "
303                   "%s (online = %s)\n", domain->name, 
304                   domain->online ? "True" : "False" ));
305
306         TALLOC_FREE(domain->check_online_event);
307
308         /* Are we still in "startup" mode ? */
309
310         if (domain->startup && (time_mono(NULL) > domain->startup_time + 30)) {
311                 /* No longer in "startup" mode. */
312                 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
313                         domain->name ));
314                 domain->startup = False;
315         }
316
317         /* We've been told to stay offline, so stay
318            that way. */
319
320         if (get_global_winbindd_state_offline()) {
321                 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
322                         domain->name ));
323                 return;
324         }
325
326         /* Fork a child to test if it can contact a DC. 
327            If it can then send ourselves a message to
328            cause a reconnect. */
329
330         fork_child_dc_connect(domain);
331 }
332
333 /****************************************************************
334  If we're still offline setup the timeout check.
335 ****************************************************************/
336
337 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
338 {
339         int wbr = lp_winbind_reconnect_delay();
340
341         if (domain->startup) {
342                 domain->check_online_timeout = 10;
343         } else if (domain->check_online_timeout < wbr) {
344                 domain->check_online_timeout = wbr;
345         }
346 }
347
348 void winbind_msg_domain_offline(struct messaging_context *msg_ctx,
349                                 void *private_data,
350                                 uint32_t msg_type,
351                                 struct server_id server_id,
352                                 DATA_BLOB *data)
353 {
354         const char *domain_name = (const char *)data->data;
355         struct winbindd_domain *domain;
356
357         domain = find_domain_from_name_noinit(domain_name);
358         if (domain == NULL) {
359                 return;
360         }
361
362         domain->online = false;
363
364         DEBUG(10, ("Domain %s is marked as offline now.\n",
365                    domain_name));
366 }
367
368 void winbind_msg_domain_online(struct messaging_context *msg_ctx,
369                                 void *private_data,
370                                 uint32_t msg_type,
371                                 struct server_id server_id,
372                                 DATA_BLOB *data)
373 {
374         const char *domain_name = (const char *)data->data;
375         struct winbindd_domain *domain;
376
377         domain = find_domain_from_name_noinit(domain_name);
378         if (domain == NULL) {
379                 return;
380         }
381
382         domain->online = true;
383
384         DEBUG(10, ("Domain %s is marked as online now.\n",
385                    domain_name));
386 }
387
388 /****************************************************************
389  Set domain offline and also add handler to put us back online
390  if we detect a DC.
391 ****************************************************************/
392
393 void set_domain_offline(struct winbindd_domain *domain)
394 {
395         pid_t parent_pid = getppid();
396
397         DEBUG(10,("set_domain_offline: called for domain %s\n",
398                 domain->name ));
399
400         TALLOC_FREE(domain->check_online_event);
401
402         if (domain->internal) {
403                 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
404                         domain->name ));
405                 return;
406         }
407
408         domain->online = False;
409
410         /* Offline domains are always initialized. They're
411            re-initialized when they go back online. */
412
413         domain->initialized = True;
414
415         /* We only add the timeout handler that checks and
416            allows us to go back online when we've not
417            been told to remain offline. */
418
419         if (get_global_winbindd_state_offline()) {
420                 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
421                         domain->name ));
422                 return;
423         }
424
425         /* If we're in startup mode, check again in 10 seconds, not in
426            lp_winbind_reconnect_delay() seconds (which is 30 seconds by default). */
427
428         calc_new_online_timeout_check(domain);
429
430         domain->check_online_event = tevent_add_timer(winbind_event_context(),
431                                                 NULL,
432                                                 timeval_current_ofs(domain->check_online_timeout,0),
433                                                 check_domain_online_handler,
434                                                 domain);
435
436         /* The above *has* to succeed for winbindd to work. */
437         if (!domain->check_online_event) {
438                 smb_panic("set_domain_offline: failed to add online handler");
439         }
440
441         DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
442                 domain->name ));
443
444         /* Send a message to the parent that the domain is offline. */
445         if (parent_pid > 1 && !domain->internal) {
446                 messaging_send_buf(winbind_messaging_context(),
447                                    pid_to_procid(parent_pid),
448                                    MSG_WINBIND_DOMAIN_OFFLINE,
449                                    (uint8_t *)domain->name,
450                                    strlen(domain->name) + 1);
451         }
452
453         /* Send an offline message to the idmap child when our
454            primary domain goes offline */
455
456         if ( domain->primary ) {
457                 struct winbindd_child *idmap = idmap_child();
458
459                 if ( idmap->pid != 0 ) {
460                         messaging_send_buf(winbind_messaging_context(),
461                                            pid_to_procid(idmap->pid), 
462                                            MSG_WINBIND_OFFLINE, 
463                                            (const uint8_t *)domain->name,
464                                            strlen(domain->name)+1);
465                 }                       
466         }
467
468         return; 
469 }
470
471 /****************************************************************
472  Set domain online - if allowed.
473 ****************************************************************/
474
475 static void set_domain_online(struct winbindd_domain *domain)
476 {
477         pid_t parent_pid = getppid();
478
479         DEBUG(10,("set_domain_online: called for domain %s\n",
480                 domain->name ));
481
482         if (domain->internal) {
483                 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
484                         domain->name ));
485                 return;
486         }
487
488         if (get_global_winbindd_state_offline()) {
489                 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
490                         domain->name ));
491                 return;
492         }
493
494         winbindd_set_locator_kdc_envs(domain);
495
496         /* If we are waiting to get a krb5 ticket, trigger immediately. */
497         ccache_regain_all_now();
498
499         /* Ok, we're out of any startup mode now... */
500         domain->startup = False;
501
502         if (domain->online == False) {
503                 /* We were offline - now we're online. We default to
504                    using the MS-RPC backend if we started offline,
505                    and if we're going online for the first time we
506                    should really re-initialize the backends and the
507                    checks to see if we're talking to an AD or NT domain.
508                 */
509
510                 domain->initialized = False;
511
512                 /* 'reconnect_methods' is the MS-RPC backend. */
513                 if (domain->backend == &reconnect_methods) {
514                         domain->backend = NULL;
515                 }
516         }
517
518         /* Ensure we have no online timeout checks. */
519         domain->check_online_timeout = 0;
520         TALLOC_FREE(domain->check_online_event);
521
522         /* Ensure we ignore any pending child messages. */
523         messaging_deregister(winbind_messaging_context(),
524                              MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
525         messaging_deregister(winbind_messaging_context(),
526                              MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
527
528         domain->online = True;
529
530         /* Send a message to the parent that the domain is online. */
531         if (parent_pid > 1 && !domain->internal) {
532                 messaging_send_buf(winbind_messaging_context(),
533                                    pid_to_procid(parent_pid),
534                                    MSG_WINBIND_DOMAIN_ONLINE,
535                                    (uint8_t *)domain->name,
536                                    strlen(domain->name) + 1);
537         }
538
539         /* Send an online message to the idmap child when our
540            primary domain comes online */
541
542         if ( domain->primary ) {
543                 struct winbindd_child *idmap = idmap_child();
544
545                 if ( idmap->pid != 0 ) {
546                         messaging_send_buf(winbind_messaging_context(),
547                                            pid_to_procid(idmap->pid), 
548                                            MSG_WINBIND_ONLINE, 
549                                            (const uint8_t *)domain->name,
550                                            strlen(domain->name)+1);
551                 }                       
552         }
553
554         return; 
555 }
556
557 /****************************************************************
558  Requested to set a domain online.
559 ****************************************************************/
560
561 void set_domain_online_request(struct winbindd_domain *domain)
562 {
563         struct timeval tev;
564
565         DEBUG(10,("set_domain_online_request: called for domain %s\n",
566                 domain->name ));
567
568         if (get_global_winbindd_state_offline()) {
569                 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
570                         domain->name ));
571                 return;
572         }
573
574         if (domain->internal) {
575                 DEBUG(10, ("set_domain_online_request: Internal domains are "
576                            "always online\n"));
577                 return;
578         }
579
580         /* We've been told it's safe to go online and
581            try and connect to a DC. But I don't believe it
582            because network manager seems to lie.
583            Wait at least 5 seconds. Heuristics suck... */
584
585
586         GetTimeOfDay(&tev);
587
588         /* Go into "startup" mode again. */
589         domain->startup_time = time_mono(NULL);
590         domain->startup = True;
591
592         tev.tv_sec += 5;
593
594         if (!domain->check_online_event) {
595                 /* If we've come from being globally offline we
596                    don't have a check online event handler set.
597                    We need to add one now we're trying to go
598                    back online. */
599
600                 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
601                         domain->name ));
602         }
603
604         TALLOC_FREE(domain->check_online_event);
605
606         domain->check_online_event = tevent_add_timer(winbind_event_context(),
607                                                      NULL,
608                                                      tev,
609                                                      check_domain_online_handler,
610                                                      domain);
611
612         /* The above *has* to succeed for winbindd to work. */
613         if (!domain->check_online_event) {
614                 smb_panic("set_domain_online_request: failed to add online handler");
615         }
616 }
617
618 /****************************************************************
619  Add -ve connection cache entries for domain and realm.
620 ****************************************************************/
621
622 static void winbind_add_failed_connection_entry(
623         const struct winbindd_domain *domain,
624         const char *server,
625         NTSTATUS result)
626 {
627         add_failed_connection_entry(domain->name, server, result);
628         /* If this was the saf name for the last thing we talked to,
629            remove it. */
630         saf_delete(domain->name);
631         if (domain->alt_name != NULL) {
632                 add_failed_connection_entry(domain->alt_name, server, result);
633                 saf_delete(domain->alt_name);
634         }
635         winbindd_unset_locator_kdc_env(domain);
636 }
637
638 /* Choose between anonymous or authenticated connections.  We need to use
639    an authenticated connection if DCs have the RestrictAnonymous registry
640    entry set > 0, or the "Additional restrictions for anonymous
641    connections" set in the win2k Local Security Policy. 
642
643    Caller to free() result in domain, username, password
644 */
645
646 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
647 {
648         *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
649         *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
650         *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
651
652         if (*username && **username) {
653
654                 if (!*domain || !**domain)
655                         *domain = smb_xstrdup(lp_workgroup());
656
657                 if (!*password || !**password)
658                         *password = smb_xstrdup("");
659
660                 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n", 
661                           *domain, *username));
662
663         } else {
664                 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
665                 *username = smb_xstrdup("");
666                 *domain = smb_xstrdup("");
667                 *password = smb_xstrdup("");
668         }
669 }
670
671 static NTSTATUS cm_get_ipc_credentials(TALLOC_CTX *mem_ctx,
672                                        struct cli_credentials **_creds)
673 {
674
675         TALLOC_CTX *frame = talloc_stackframe();
676         NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
677         struct loadparm_context *lp_ctx;
678         char *username = NULL;
679         char *netbios_domain = NULL;
680         char *password = NULL;
681         struct cli_credentials *creds = NULL;
682         bool ok;
683
684         cm_get_ipc_userpass(&username, &netbios_domain, &password);
685
686         lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
687         if (lp_ctx == NULL) {
688                 DEBUG(1, ("loadparm_init_s3 failed\n"));
689                 status = NT_STATUS_INTERNAL_ERROR;
690                 goto fail;
691         }
692
693         creds = cli_credentials_init(mem_ctx);
694         if (creds == NULL) {
695                 status = NT_STATUS_NO_MEMORY;
696                 goto fail;
697         }
698
699         cli_credentials_set_conf(creds, lp_ctx);
700         cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
701
702         ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
703         if (!ok) {
704                 status = NT_STATUS_NO_MEMORY;
705                 goto fail;
706         }
707
708         ok = cli_credentials_set_username(creds, username, CRED_SPECIFIED);
709         if (!ok) {
710                 status = NT_STATUS_NO_MEMORY;
711                 goto fail;
712         }
713
714         ok = cli_credentials_set_password(creds, password, CRED_SPECIFIED);
715         if (!ok) {
716                 status = NT_STATUS_NO_MEMORY;
717                 goto fail;
718         }
719
720         *_creds = creds;
721         creds = NULL;
722         status = NT_STATUS_OK;
723  fail:
724         TALLOC_FREE(creds);
725         SAFE_FREE(username);
726         SAFE_FREE(netbios_domain);
727         SAFE_FREE(password);
728         TALLOC_FREE(frame);
729         return status;
730 }
731
732 static bool cm_is_ipc_credentials(struct cli_credentials *creds)
733 {
734         TALLOC_CTX *frame = talloc_stackframe();
735         char *ipc_account = NULL;
736         char *ipc_domain = NULL;
737         char *ipc_password = NULL;
738         const char *creds_account = NULL;
739         const char *creds_domain = NULL;
740         const char *creds_password = NULL;
741         bool ret = false;
742
743         cm_get_ipc_userpass(&ipc_account, &ipc_domain, &ipc_password);
744
745         creds_account = cli_credentials_get_username(creds);
746         creds_domain = cli_credentials_get_domain(creds);
747         creds_password = cli_credentials_get_password(creds);
748
749         if (!strequal(ipc_domain, creds_domain)) {
750                 goto done;
751         }
752
753         if (!strequal(ipc_account, creds_account)) {
754                 goto done;
755         }
756
757         if (!strcsequal(ipc_password, creds_password)) {
758                 goto done;
759         }
760
761         ret = true;
762  done:
763         SAFE_FREE(ipc_account);
764         SAFE_FREE(ipc_domain);
765         SAFE_FREE(ipc_password);
766         TALLOC_FREE(frame);
767         return ret;
768 }
769
770 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
771                                      fstring dcname,
772                                      struct sockaddr_storage *dc_ss)
773 {
774         struct winbindd_domain *our_domain = NULL;
775         struct rpc_pipe_client *netlogon_pipe = NULL;
776         NTSTATUS result;
777         WERROR werr;
778         TALLOC_CTX *mem_ctx;
779         unsigned int orig_timeout;
780         const char *tmp = NULL;
781         const char *p;
782         struct dcerpc_binding_handle *b;
783
784         /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
785          * moment.... */
786
787         if (IS_DC) {
788                 return False;
789         }
790
791         if (domain->primary) {
792                 return False;
793         }
794
795         our_domain = find_our_domain();
796
797         if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
798                 return False;
799         }
800
801         result = cm_connect_netlogon(our_domain, &netlogon_pipe);
802         if (!NT_STATUS_IS_OK(result)) {
803                 talloc_destroy(mem_ctx);
804                 return False;
805         }
806
807         b = netlogon_pipe->binding_handle;
808
809         /* This call can take a long time - allow the server to time out.
810            35 seconds should do it. */
811
812         orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
813
814         if (our_domain->active_directory) {
815                 struct netr_DsRGetDCNameInfo *domain_info = NULL;
816
817                 result = dcerpc_netr_DsRGetDCName(b,
818                                                   mem_ctx,
819                                                   our_domain->dcname,
820                                                   domain->name,
821                                                   NULL,
822                                                   NULL,
823                                                   DS_RETURN_DNS_NAME,
824                                                   &domain_info,
825                                                   &werr);
826                 if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
827                         tmp = talloc_strdup(
828                                 mem_ctx, domain_info->dc_unc);
829                         if (tmp == NULL) {
830                                 DEBUG(0, ("talloc_strdup failed\n"));
831                                 talloc_destroy(mem_ctx);
832                                 return false;
833                         }
834                         if (domain->alt_name == NULL) {
835                                 domain->alt_name = talloc_strdup(domain,
836                                                                  domain_info->domain_name);
837                                 if (domain->alt_name == NULL) {
838                                         DEBUG(0, ("talloc_strdup failed\n"));
839                                         talloc_destroy(mem_ctx);
840                                         return false;
841                                 }
842                         }
843                         if (domain->forest_name == NULL) {
844                                 domain->forest_name = talloc_strdup(domain,
845                                                                     domain_info->forest_name);
846                                 if (domain->forest_name == NULL) {
847                                         DEBUG(0, ("talloc_strdup failed\n"));
848                                         talloc_destroy(mem_ctx);
849                                         return false;
850                                 }
851                         }
852                 }
853         } else {
854                 result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
855                                                   our_domain->dcname,
856                                                   domain->name,
857                                                   &tmp,
858                                                   &werr);
859         }
860
861         /* And restore our original timeout. */
862         rpccli_set_timeout(netlogon_pipe, orig_timeout);
863
864         if (!NT_STATUS_IS_OK(result)) {
865                 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
866                         nt_errstr(result)));
867                 talloc_destroy(mem_ctx);
868                 return false;
869         }
870
871         if (!W_ERROR_IS_OK(werr)) {
872                 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
873                            win_errstr(werr)));
874                 talloc_destroy(mem_ctx);
875                 return false;
876         }
877
878         /* dcerpc_netr_GetAnyDCName gives us a name with \\ */
879         p = strip_hostname(tmp);
880
881         fstrcpy(dcname, p);
882
883         talloc_destroy(mem_ctx);
884
885         DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
886
887         if (!resolve_name(dcname, dc_ss, 0x20, true)) {
888                 return False;
889         }
890
891         return True;
892 }
893
894 /**
895  * Helper function to assemble trust password and account name
896  */
897 static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
898                                       TALLOC_CTX *mem_ctx,
899                                       bool netlogon,
900                                       struct cli_credentials **_creds)
901 {
902         const struct winbindd_domain *creds_domain = NULL;
903         struct cli_credentials *creds;
904         NTSTATUS status;
905         bool force_machine_account = false;
906
907         /* If we are a DC and this is not our own domain */
908
909         if (!domain->active_directory) {
910                 if (!netlogon) {
911                         /*
912                          * For non active directory domains
913                          * we can only use NTLMSSP for SMB.
914                          *
915                          * But the trust account is not allowed
916                          * to use SMB with NTLMSSP.
917                          */
918                         force_machine_account = true;
919                 }
920         }
921
922         if (IS_DC && !force_machine_account) {
923                 creds_domain = domain;
924         } else {
925                 creds_domain = find_our_domain();
926                 if (creds_domain == NULL) {
927                         return NT_STATUS_INVALID_SERVER_STATE;
928                 }
929         }
930
931         status = pdb_get_trust_credentials(creds_domain->name,
932                                            creds_domain->alt_name,
933                                            mem_ctx,
934                                            &creds);
935         if (!NT_STATUS_IS_OK(status)) {
936                 goto ipc_fallback;
937         }
938
939         if (domain->primary && lp_security() == SEC_ADS) {
940                 cli_credentials_set_kerberos_state(creds,
941                                                    CRED_AUTO_USE_KERBEROS);
942         } else if (domain->active_directory) {
943                 cli_credentials_set_kerberos_state(creds,
944                                                    CRED_MUST_USE_KERBEROS);
945         } else {
946                 cli_credentials_set_kerberos_state(creds,
947                                                    CRED_DONT_USE_KERBEROS);
948         }
949
950         if (creds_domain != domain) {
951                 /*
952                  * We can only use schannel against a direct trust
953                  */
954                 cli_credentials_set_secure_channel_type(creds,
955                                                         SEC_CHAN_NULL);
956         }
957
958         *_creds = creds;
959         return NT_STATUS_OK;
960
961  ipc_fallback:
962         if (netlogon) {
963                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
964         }
965
966         status = cm_get_ipc_credentials(mem_ctx, &creds);
967         if (!NT_STATUS_IS_OK(status)) {
968                 return status;
969         }
970
971         *_creds = creds;
972         return NT_STATUS_OK;
973 }
974
975 /************************************************************************
976  Given a fd with a just-connected TCP connection to a DC, open a connection
977  to the pipe.
978 ************************************************************************/
979
980 static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
981                                       const int sockfd,
982                                       const char *controller,
983                                       struct cli_state **cli,
984                                       bool *retry)
985 {
986         bool try_ipc_auth = false;
987         const char *machine_password = NULL;
988         const char *machine_krb5_principal = NULL;
989         const char *machine_account = NULL;
990         const char *machine_domain = NULL;
991         int flags = 0;
992         struct cli_credentials *creds = NULL;
993         enum credentials_use_kerberos krb5_state;
994
995         struct named_mutex *mutex;
996
997         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
998
999         enum smb_signing_setting smb_sign_client_connections = lp_client_signing();
1000
1001         if (smb_sign_client_connections == SMB_SIGNING_DEFAULT) {
1002                 /*
1003                  * If we are connecting to our own AD domain, require
1004                  * smb signing to disrupt MITM attacks
1005                  */
1006                 if (domain->primary && lp_security() == SEC_ADS) {
1007                         smb_sign_client_connections = SMB_SIGNING_REQUIRED;
1008                 /*
1009                  * If we are in or are an AD domain and connecting to another
1010                  * AD domain in our forest
1011                  * then require smb signing to disrupt MITM attacks
1012                  */
1013                 } else if ((lp_security() == SEC_ADS ||
1014                             lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)
1015                            && domain->active_directory
1016                            && (domain->domain_trust_attribs
1017                                & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)) {
1018                         smb_sign_client_connections = SMB_SIGNING_REQUIRED;
1019                 }
1020         }
1021
1022         DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
1023                 controller, domain->name ));
1024
1025         *retry = True;
1026
1027         mutex = grab_named_mutex(talloc_tos(), controller,
1028                                  WINBIND_SERVER_MUTEX_WAIT_TIME);
1029         if (mutex == NULL) {
1030                 close(sockfd);
1031                 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
1032                          controller));
1033                 result = NT_STATUS_POSSIBLE_DEADLOCK;
1034                 goto done;
1035         }
1036
1037         flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
1038
1039         *cli = cli_state_create(NULL, sockfd,
1040                                 controller, domain->alt_name,
1041                                 smb_sign_client_connections, flags);
1042         if (*cli == NULL) {
1043                 close(sockfd);
1044                 DEBUG(1, ("Could not cli_initialize\n"));
1045                 result = NT_STATUS_NO_MEMORY;
1046                 goto done;
1047         }
1048
1049         cli_set_timeout(*cli, 10000); /* 10 seconds */
1050
1051         result = smbXcli_negprot((*cli)->conn, (*cli)->timeout,
1052                                  lp_client_ipc_min_protocol(),
1053                                  lp_client_ipc_max_protocol());
1054
1055         if (!NT_STATUS_IS_OK(result)) {
1056                 DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
1057                 goto done;
1058         }
1059
1060         if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_NT1 &&
1061             smb1cli_conn_capabilities((*cli)->conn) & CAP_EXTENDED_SECURITY) {
1062                 try_ipc_auth = true;
1063         } else if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
1064                 try_ipc_auth = true;
1065         } else if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
1066                 /*
1067                  * If we are forcing on SMB signing, then we must
1068                  * require authentication unless this is a one-way
1069                  * trust, and we have no stored user/password
1070                  */
1071                 try_ipc_auth = true;
1072         }
1073
1074         if (try_ipc_auth) {
1075                 result = get_trust_credentials(domain, talloc_tos(), false, &creds);
1076                 if (!NT_STATUS_IS_OK(result)) {
1077                         DEBUG(1, ("get_trust_credentials(%s) failed: %s\n",
1078                                   domain->name, nt_errstr(result)));
1079                         goto done;
1080                 }
1081         } else {
1082                 /*
1083                  * Without SPNEGO or NTLMSSP (perhaps via SMB2) we
1084                  * would try and authentication with our machine
1085                  * account password and fail.  This is very rare in
1086                  * the modern world however
1087                  */
1088                 creds = cli_credentials_init_anon(talloc_tos());
1089                 if (creds == NULL) {
1090                         result = NT_STATUS_NO_MEMORY;
1091                         DEBUG(1, ("cli_credentials_init_anon(%s) failed: %s\n",
1092                                   domain->name, nt_errstr(result)));
1093                         goto done;
1094                 }
1095         }
1096
1097         krb5_state = cli_credentials_get_kerberos_state(creds);
1098
1099         machine_krb5_principal = cli_credentials_get_principal(creds,
1100                                                         talloc_tos());
1101         if (machine_krb5_principal == NULL) {
1102                 krb5_state = CRED_DONT_USE_KERBEROS;
1103         }
1104
1105         machine_account = cli_credentials_get_username(creds);
1106         machine_password = cli_credentials_get_password(creds);
1107         machine_domain = cli_credentials_get_domain(creds);
1108
1109         if (krb5_state != CRED_DONT_USE_KERBEROS) {
1110
1111                 /* Try a krb5 session */
1112
1113                 (*cli)->use_kerberos = True;
1114                 DEBUG(5, ("connecting to %s from %s with kerberos principal "
1115                           "[%s] and realm [%s]\n", controller, lp_netbios_name(),
1116                           machine_krb5_principal, domain->alt_name));
1117
1118                 winbindd_set_locator_kdc_envs(domain);
1119
1120                 result = cli_session_setup(*cli,
1121                                            machine_krb5_principal,
1122                                            machine_password,
1123                                            strlen(machine_password)+1,
1124                                            machine_password,
1125                                            strlen(machine_password)+1,
1126                                            machine_domain);
1127
1128                 if (NT_STATUS_IS_OK(result)) {
1129                         goto session_setup_done;
1130                 }
1131
1132                 DEBUG(4,("failed kerberos session setup with %s\n",
1133                          nt_errstr(result)));
1134         }
1135
1136         if (krb5_state != CRED_MUST_USE_KERBEROS) {
1137                 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
1138                 (*cli)->use_kerberos = False;
1139
1140                 DEBUG(5, ("connecting to %s from %s using NTLMSSP with username "
1141                           "[%s]\\[%s]\n",  controller, lp_netbios_name(),
1142                           machine_domain, machine_account));
1143
1144                 result = cli_session_setup(*cli,
1145                                            machine_account,
1146                                            machine_password,
1147                                            strlen(machine_password)+1,
1148                                            machine_password,
1149                                            strlen(machine_password)+1,
1150                                            machine_domain);
1151         }
1152
1153         if (NT_STATUS_IS_OK(result)) {
1154                 goto session_setup_done;
1155         }
1156
1157         /*
1158          * If we are not going to validiate the conneciton
1159          * with SMB signing, then allow us to fall back to
1160          * anonymous
1161          */
1162         if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
1163             || NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
1164             || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
1165             || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
1166             || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
1167         {
1168                 if (cli_credentials_is_anonymous(creds)) {
1169                         goto done;
1170                 }
1171
1172                 if (!cm_is_ipc_credentials(creds)) {
1173                         goto ipc_fallback;
1174                 }
1175
1176                 if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
1177                         goto done;
1178                 }
1179
1180                 goto anon_fallback;
1181         }
1182
1183         DEBUG(4, ("authenticated session setup failed with %s\n",
1184                 nt_errstr(result)));
1185
1186         goto done;
1187
1188  ipc_fallback:
1189         result = cm_get_ipc_credentials(talloc_tos(), &creds);
1190         if (!NT_STATUS_IS_OK(result)) {
1191                 goto done;
1192         }
1193
1194         if (cli_credentials_is_anonymous(creds)) {
1195                 TALLOC_FREE(creds);
1196                 goto anon_fallback;
1197         }
1198
1199         machine_account = cli_credentials_get_username(creds);
1200         machine_password = cli_credentials_get_password(creds);
1201         machine_domain = cli_credentials_get_domain(creds);
1202
1203         /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the ipc creds. */
1204         (*cli)->use_kerberos = False;
1205
1206         DEBUG(5, ("connecting to %s from %s using NTLMSSP with username "
1207                   "[%s]\\[%s]\n",  controller, lp_netbios_name(),
1208                   machine_domain, machine_account));
1209
1210         result = cli_session_setup(*cli,
1211                                    machine_account,
1212                                    machine_password,
1213                                    strlen(machine_password)+1,
1214                                    machine_password,
1215                                    strlen(machine_password)+1,
1216                                    machine_domain);
1217
1218         if (NT_STATUS_IS_OK(result)) {
1219                 goto session_setup_done;
1220         }
1221
1222         /*
1223          * If we are not going to validiate the conneciton
1224          * with SMB signing, then allow us to fall back to
1225          * anonymous
1226          */
1227         if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
1228             || NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
1229             || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
1230             || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
1231             || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
1232         {
1233                 goto anon_fallback;
1234         }
1235
1236         DEBUG(4, ("authenticated session setup failed with %s\n",
1237                 nt_errstr(result)));
1238
1239         goto done;
1240
1241  anon_fallback:
1242
1243         if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
1244                 goto done;
1245         }
1246
1247         /* Fall back to anonymous connection, this might fail later */
1248         DEBUG(10,("cm_prepare_connection: falling back to anonymous "
1249                 "connection for DC %s\n",
1250                 controller ));
1251
1252         (*cli)->use_kerberos = False;
1253
1254         result = cli_session_setup(*cli, "", "", 0, "", 0, "");
1255         if (NT_STATUS_IS_OK(result)) {
1256                 DEBUG(5, ("Connected anonymously\n"));
1257                 goto session_setup_done;
1258         }
1259
1260         /* We can't session setup */
1261         goto done;
1262
1263  session_setup_done:
1264
1265         /*
1266          * This should be a short term hack until
1267          * dynamic re-authentication is implemented.
1268          *
1269          * See Bug 9175 - winbindd doesn't recover from
1270          * NT_STATUS_NETWORK_SESSION_EXPIRED
1271          */
1272         if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
1273                 smbXcli_session_set_disconnect_expired((*cli)->smb2.session);
1274         }
1275
1276         result = cli_tree_connect(*cli, "IPC$", "IPC", "", 0);
1277
1278         if (!NT_STATUS_IS_OK(result)) {
1279                 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
1280                 goto done;
1281         }
1282
1283         /* cache the server name for later connections */
1284
1285         saf_store(domain->name, controller);
1286         if (domain->alt_name && (*cli)->use_kerberos) {
1287                 saf_store(domain->alt_name, controller);
1288         }
1289
1290         winbindd_set_locator_kdc_envs(domain);
1291
1292         TALLOC_FREE(mutex);
1293         *retry = False;
1294
1295         result = NT_STATUS_OK;
1296
1297  done:
1298         TALLOC_FREE(mutex);
1299
1300         if (!NT_STATUS_IS_OK(result)) {
1301                 winbind_add_failed_connection_entry(domain, controller, result);
1302                 if ((*cli) != NULL) {
1303                         cli_shutdown(*cli);
1304                         *cli = NULL;
1305                 }
1306         }
1307
1308         return result;
1309 }
1310
1311 /*******************************************************************
1312  Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
1313  array.
1314
1315  Keeps the list unique by not adding duplicate entries.
1316
1317  @param[in] mem_ctx talloc memory context to allocate from
1318  @param[in] domain_name domain of the DC
1319  @param[in] dcname name of the DC to add to the list
1320  @param[in] pss Internet address and port pair to add to the list
1321  @param[in,out] dcs array of dc_name_ip structures to add to
1322  @param[in,out] num_dcs number of dcs returned in the dcs array
1323  @return true if the list was added to, false otherwise
1324 *******************************************************************/
1325
1326 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
1327                               const char *dcname, struct sockaddr_storage *pss,
1328                               struct dc_name_ip **dcs, int *num)
1329 {
1330         int i = 0;
1331
1332         if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
1333                 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
1334                 return False;
1335         }
1336
1337         /* Make sure there's no duplicates in the list */
1338         for (i=0; i<*num; i++)
1339                 if (sockaddr_equal(
1340                             (struct sockaddr *)(void *)&(*dcs)[i].ss,
1341                             (struct sockaddr *)(void *)pss))
1342                         return False;
1343
1344         *dcs = talloc_realloc(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
1345
1346         if (*dcs == NULL)
1347                 return False;
1348
1349         fstrcpy((*dcs)[*num].name, dcname);
1350         (*dcs)[*num].ss = *pss;
1351         *num += 1;
1352         return True;
1353 }
1354
1355 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1356                                   struct sockaddr_storage *pss, uint16_t port,
1357                                   struct sockaddr_storage **addrs, int *num)
1358 {
1359         *addrs = talloc_realloc(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1360
1361         if (*addrs == NULL) {
1362                 *num = 0;
1363                 return False;
1364         }
1365
1366         (*addrs)[*num] = *pss;
1367         set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
1368
1369         *num += 1;
1370         return True;
1371 }
1372
1373 /*******************************************************************
1374  convert an ip to a name
1375 *******************************************************************/
1376
1377 static bool dcip_to_name(TALLOC_CTX *mem_ctx,
1378                 const struct winbindd_domain *domain,
1379                 struct sockaddr_storage *pss,
1380                 char **name)
1381 {
1382         struct ip_service ip_list;
1383         uint32_t nt_version = NETLOGON_NT_VERSION_1;
1384         NTSTATUS status;
1385         const char *dc_name;
1386         fstring nbtname;
1387 #ifdef HAVE_ADS
1388         bool is_ad_domain = false;
1389 #endif
1390         ip_list.ss = *pss;
1391         ip_list.port = 0;
1392
1393 #ifdef HAVE_ADS
1394         /* For active directory servers, try to get the ldap server name.
1395            None of these failures should be considered critical for now */
1396
1397         if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
1398                 is_ad_domain = true;
1399         } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1400                 is_ad_domain = domain->active_directory;
1401         }
1402
1403         if (is_ad_domain) {
1404                 ADS_STRUCT *ads;
1405                 ADS_STATUS ads_status;
1406                 char addr[INET6_ADDRSTRLEN];
1407
1408                 print_sockaddr(addr, sizeof(addr), pss);
1409
1410                 ads = ads_init(domain->alt_name, domain->name, addr);
1411                 ads->auth.flags |= ADS_AUTH_NO_BIND;
1412
1413                 ads_status = ads_connect(ads);
1414                 if (ADS_ERR_OK(ads_status)) {
1415                         /* We got a cldap packet. */
1416                         *name = talloc_strdup(mem_ctx,
1417                                              ads->config.ldap_server_name);
1418                         if (*name == NULL) {
1419                                 return false;
1420                         }
1421                         namecache_store(*name, 0x20, 1, &ip_list);
1422
1423                         DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1424
1425                         if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
1426                                 if (ads_closest_dc(ads)) {
1427                                         char *sitename = sitename_fetch(mem_ctx, ads->config.realm);
1428
1429                                         /* We're going to use this KDC for this realm/domain.
1430                                            If we are using sites, then force the krb5 libs
1431                                            to use this KDC. */
1432
1433                                         create_local_private_krb5_conf_for_domain(domain->alt_name,
1434                                                                         domain->name,
1435                                                                         sitename,
1436                                                                         pss);
1437
1438                                         TALLOC_FREE(sitename);
1439                                 } else {
1440                                         /* use an off site KDC */
1441                                         create_local_private_krb5_conf_for_domain(domain->alt_name,
1442                                                                         domain->name,
1443                                                                         NULL,
1444                                                                         pss);
1445                                 }
1446                                 winbindd_set_locator_kdc_envs(domain);
1447
1448                                 /* Ensure we contact this DC also. */
1449                                 saf_store(domain->name, *name);
1450                                 saf_store(domain->alt_name, *name);
1451                         }
1452
1453                         ads_destroy( &ads );
1454                         return True;
1455                 }
1456
1457                 ads_destroy( &ads );
1458                 return false;
1459         }
1460 #endif
1461
1462         status = nbt_getdc(winbind_messaging_context(), 10, pss, domain->name,
1463                            &domain->sid, nt_version, mem_ctx, &nt_version,
1464                            &dc_name, NULL);
1465         if (NT_STATUS_IS_OK(status)) {
1466                 *name = talloc_strdup(mem_ctx, dc_name);
1467                 if (*name == NULL) {
1468                         return false;
1469                 }
1470                 namecache_store(*name, 0x20, 1, &ip_list);
1471                 return True;
1472         }
1473
1474         /* try node status request */
1475
1476         if (name_status_find(domain->name, 0x1c, 0x20, pss, nbtname) ) {
1477                 namecache_store(nbtname, 0x20, 1, &ip_list);
1478
1479                 if (name != NULL) {
1480                         *name = talloc_strdup(mem_ctx, nbtname);
1481                         if (*name == NULL) {
1482                                 return false;
1483                         }
1484                 }
1485
1486                 return true;
1487         }
1488         return False;
1489 }
1490
1491 /*******************************************************************
1492  Retrieve a list of IP addresses for domain controllers.
1493
1494  The array is sorted in the preferred connection order.
1495
1496  @param[in] mem_ctx talloc memory context to allocate from
1497  @param[in] domain domain to retrieve DCs for
1498  @param[out] dcs array of dcs that will be returned
1499  @param[out] num_dcs number of dcs returned in the dcs array
1500  @return always true
1501 *******************************************************************/
1502
1503 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1504                     struct dc_name_ip **dcs, int *num_dcs)
1505 {
1506         fstring dcname;
1507         struct  sockaddr_storage ss;
1508         struct  ip_service *ip_list = NULL;
1509         int     iplist_size = 0;
1510         int     i;
1511         bool    is_our_domain;
1512         enum security_types sec = (enum security_types)lp_security();
1513
1514         is_our_domain = strequal(domain->name, lp_workgroup());
1515
1516         /* If not our domain, get the preferred DC, by asking our primary DC */
1517         if ( !is_our_domain
1518                 && get_dc_name_via_netlogon(domain, dcname, &ss)
1519                 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
1520                        num_dcs) )
1521         {
1522                 char addr[INET6_ADDRSTRLEN];
1523                 print_sockaddr(addr, sizeof(addr), &ss);
1524                 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1525                            dcname, addr));
1526                 return True;
1527         }
1528
1529         if ((sec == SEC_ADS) && (domain->alt_name != NULL)) {
1530                 char *sitename = NULL;
1531
1532                 /* We need to make sure we know the local site before
1533                    doing any DNS queries, as this will restrict the
1534                    get_sorted_dc_list() call below to only fetching
1535                    DNS records for the correct site. */
1536
1537                 /* Find any DC to get the site record.
1538                    We deliberately don't care about the
1539                    return here. */
1540
1541                 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1542
1543                 sitename = sitename_fetch(mem_ctx, domain->alt_name);
1544                 if (sitename) {
1545
1546                         /* Do the site-specific AD dns lookup first. */
1547                         get_sorted_dc_list(domain->alt_name, sitename, &ip_list,
1548                                &iplist_size, True);
1549
1550                         /* Add ips to the DC array.  We don't look up the name
1551                            of the DC in this function, but we fill in the char*
1552                            of the ip now to make the failed connection cache
1553                            work */
1554                         for ( i=0; i<iplist_size; i++ ) {
1555                                 char addr[INET6_ADDRSTRLEN];
1556                                 print_sockaddr(addr, sizeof(addr),
1557                                                 &ip_list[i].ss);
1558                                 add_one_dc_unique(mem_ctx,
1559                                                 domain->name,
1560                                                 addr,
1561                                                 &ip_list[i].ss,
1562                                                 dcs,
1563                                                 num_dcs);
1564                         }
1565
1566                         SAFE_FREE(ip_list);
1567                         TALLOC_FREE(sitename);
1568                         iplist_size = 0;
1569                 }
1570
1571                 /* Now we add DCs from the main AD DNS lookup. */
1572                 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1573                         &iplist_size, True);
1574
1575                 for ( i=0; i<iplist_size; i++ ) {
1576                         char addr[INET6_ADDRSTRLEN];
1577                         print_sockaddr(addr, sizeof(addr),
1578                                         &ip_list[i].ss);
1579                         add_one_dc_unique(mem_ctx,
1580                                         domain->name,
1581                                         addr,
1582                                         &ip_list[i].ss,
1583                                         dcs,
1584                                         num_dcs);
1585                 }
1586
1587                 SAFE_FREE(ip_list);
1588                 iplist_size = 0;
1589         }
1590
1591         /* Try standard netbios queries if no ADS and fall back to DNS queries
1592          * if alt_name is available */
1593         if (*num_dcs == 0) {
1594                 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
1595                        false);
1596                 if (iplist_size == 0) {
1597                         if (domain->alt_name != NULL) {
1598                                 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1599                                        &iplist_size, true);
1600                         }
1601                 }
1602
1603                 for ( i=0; i<iplist_size; i++ ) {
1604                         char addr[INET6_ADDRSTRLEN];
1605                         print_sockaddr(addr, sizeof(addr),
1606                                         &ip_list[i].ss);
1607                         add_one_dc_unique(mem_ctx,
1608                                         domain->name,
1609                                         addr,
1610                                         &ip_list[i].ss,
1611                                         dcs,
1612                                         num_dcs);
1613                 }
1614
1615                 SAFE_FREE(ip_list);
1616                 iplist_size = 0;
1617         }
1618
1619         return True;
1620 }
1621
1622 /*******************************************************************
1623  Find and make a connection to a DC in the given domain.
1624
1625  @param[in] mem_ctx talloc memory context to allocate from
1626  @param[in] domain domain to find a dc in
1627  @param[out] dcname NetBIOS or FQDN of DC that's connected to
1628  @param[out] pss DC Internet address and port
1629  @param[out] fd fd of the open socket connected to the newly found dc
1630  @return true when a DC connection is made, false otherwise
1631 *******************************************************************/
1632
1633 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1634                         struct winbindd_domain *domain,
1635                         char **dcname, struct sockaddr_storage *pss, int *fd)
1636 {
1637         struct dc_name_ip *dcs = NULL;
1638         int num_dcs = 0;
1639
1640         const char **dcnames = NULL;
1641         size_t num_dcnames = 0;
1642
1643         struct sockaddr_storage *addrs = NULL;
1644         int num_addrs = 0;
1645
1646         int i;
1647         size_t fd_index;
1648
1649         NTSTATUS status;
1650
1651         *fd = -1;
1652
1653  again:
1654         if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1655                 return False;
1656
1657         for (i=0; i<num_dcs; i++) {
1658
1659                 if (!add_string_to_array(mem_ctx, dcs[i].name,
1660                                     &dcnames, &num_dcnames)) {
1661                         return False;
1662                 }
1663                 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, TCP_SMB_PORT,
1664                                       &addrs, &num_addrs)) {
1665                         return False;
1666                 }
1667         }
1668
1669         if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1670                 return False;
1671
1672         if ((addrs == NULL) || (dcnames == NULL))
1673                 return False;
1674
1675         status = smbsock_any_connect(addrs, dcnames, NULL, NULL, NULL,
1676                                      num_addrs, 0, 10, fd, &fd_index, NULL);
1677         if (!NT_STATUS_IS_OK(status)) {
1678                 for (i=0; i<num_dcs; i++) {
1679                         char ab[INET6_ADDRSTRLEN];
1680                         print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1681                         DEBUG(10, ("find_new_dc: smbsock_any_connect failed for "
1682                                 "domain %s address %s. Error was %s\n",
1683                                    domain->name, ab, nt_errstr(status) ));
1684                         winbind_add_failed_connection_entry(domain,
1685                                 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1686                 }
1687                 return False;
1688         }
1689
1690         *pss = addrs[fd_index];
1691
1692         if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1693                 /* Ok, we've got a name for the DC */
1694                 *dcname = talloc_strdup(mem_ctx, dcnames[fd_index]);
1695                 if (*dcname == NULL) {
1696                         return false;
1697                 }
1698                 return true;
1699         }
1700
1701         /* Try to figure out the name */
1702         if (dcip_to_name(mem_ctx, domain, pss, dcname)) {
1703                 return True;
1704         }
1705
1706         /* We can not continue without the DC's name */
1707         winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1708                                     NT_STATUS_UNSUCCESSFUL);
1709
1710         /* Throw away all arrays as we're doing this again. */
1711         TALLOC_FREE(dcs);
1712         num_dcs = 0;
1713
1714         TALLOC_FREE(dcnames);
1715         num_dcnames = 0;
1716
1717         TALLOC_FREE(addrs);
1718         num_addrs = 0;
1719
1720         close(*fd);
1721         *fd = -1;
1722
1723         goto again;
1724 }
1725
1726 static char *current_dc_key(TALLOC_CTX *mem_ctx, const char *domain_name)
1727 {
1728         return talloc_asprintf_strupper_m(mem_ctx, "CURRENT_DCNAME/%s",
1729                                           domain_name);
1730 }
1731
1732 static void store_current_dc_in_gencache(const char *domain_name,
1733                                          const char *dc_name,
1734                                          struct cli_state *cli)
1735 {
1736         char addr[INET6_ADDRSTRLEN];
1737         char *key = NULL;
1738         char *value = NULL;
1739
1740         if (!cli_state_is_connected(cli)) {
1741                 return;
1742         }
1743
1744         print_sockaddr(addr, sizeof(addr),
1745                        smbXcli_conn_remote_sockaddr(cli->conn));
1746
1747         key = current_dc_key(talloc_tos(), domain_name);
1748         if (key == NULL) {
1749                 goto done;
1750         }
1751
1752         value = talloc_asprintf(talloc_tos(), "%s %s", addr, dc_name);
1753         if (value == NULL) {
1754                 goto done;
1755         }
1756
1757         gencache_set(key, value, 0x7fffffff);
1758 done:
1759         TALLOC_FREE(value);
1760         TALLOC_FREE(key);
1761 }
1762
1763 bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx,
1764                                     const char *domain_name,
1765                                     char **p_dc_name, char **p_dc_ip)
1766 {
1767         char *key, *p;
1768         char *value = NULL;
1769         bool ret = false;
1770         char *dc_name = NULL;
1771         char *dc_ip = NULL;
1772
1773         key = current_dc_key(talloc_tos(), domain_name);
1774         if (key == NULL) {
1775                 goto done;
1776         }
1777         if (!gencache_get(key, mem_ctx, &value, NULL)) {
1778                 goto done;
1779         }
1780         p = strchr(value, ' ');
1781         if (p == NULL) {
1782                 goto done;
1783         }
1784         dc_ip = talloc_strndup(mem_ctx, value, p - value);
1785         if (dc_ip == NULL) {
1786                 goto done;
1787         }
1788         dc_name = talloc_strdup(mem_ctx, p+1);
1789         if (dc_name == NULL) {
1790                 goto done;
1791         }
1792
1793         if (p_dc_ip != NULL) {
1794                 *p_dc_ip = dc_ip;
1795                 dc_ip = NULL;
1796         }
1797         if (p_dc_name != NULL) {
1798                 *p_dc_name = dc_name;
1799                 dc_name = NULL;
1800         }
1801         ret = true;
1802 done:
1803         TALLOC_FREE(dc_name);
1804         TALLOC_FREE(dc_ip);
1805         TALLOC_FREE(key);
1806         TALLOC_FREE(value);
1807         return ret;
1808 }
1809
1810 NTSTATUS wb_open_internal_pipe(TALLOC_CTX *mem_ctx,
1811                                const struct ndr_interface_table *table,
1812                                struct rpc_pipe_client **ret_pipe)
1813 {
1814         struct rpc_pipe_client *cli = NULL;
1815         const struct auth_session_info *session_info;
1816         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1817
1818
1819         session_info = get_session_info_system();
1820         SMB_ASSERT(session_info != NULL);
1821
1822         /* create a connection to the specified pipe */
1823         if (lp_parm_bool(-1, "winbindd", "use external pipes", false)) {
1824                 status = rpc_pipe_open_interface(mem_ctx,
1825                                                  table,
1826                                                  session_info,
1827                                                  NULL,
1828                                                  winbind_messaging_context(),
1829                                                  &cli);
1830         } else {
1831                 status = rpc_pipe_open_internal(mem_ctx,
1832                                                 &table->syntax_id,
1833                                                 session_info,
1834                                                 NULL,
1835                                                 winbind_messaging_context(),
1836                                                 &cli);
1837         }
1838         if (!NT_STATUS_IS_OK(status)) {
1839                 DEBUG(0, ("open_internal_pipe: Could not connect to %s pipe: %s\n",
1840                           table->name, nt_errstr(status)));
1841                 return status;
1842         }
1843
1844         if (ret_pipe) {
1845                 *ret_pipe = cli;
1846         }
1847
1848         return NT_STATUS_OK;
1849 }
1850
1851 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1852                                    struct winbindd_cm_conn *new_conn)
1853 {
1854         TALLOC_CTX *mem_ctx;
1855         NTSTATUS result;
1856         char *saf_servername;
1857         int retries;
1858
1859         if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1860                 set_domain_offline(domain);
1861                 return NT_STATUS_NO_MEMORY;
1862         }
1863
1864         saf_servername = saf_fetch(mem_ctx, domain->name );
1865
1866         /* we have to check the server affinity cache here since 
1867            later we select a DC based on response time and not preference */
1868
1869         /* Check the negative connection cache
1870            before talking to it. It going down may have
1871            triggered the reconnection. */
1872
1873         if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1874
1875                 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1876                         saf_servername, domain->name ));
1877
1878                 /* convert an ip address to a name */
1879                 if (is_ipaddress( saf_servername ) ) {
1880                         char *dcname = NULL;
1881                         struct sockaddr_storage ss;
1882
1883                         if (!interpret_string_addr(&ss, saf_servername,
1884                                                 AI_NUMERICHOST)) {
1885                                 TALLOC_FREE(mem_ctx);
1886                                 return NT_STATUS_UNSUCCESSFUL;
1887                         }
1888                         if (dcip_to_name(mem_ctx, domain, &ss, &dcname)) {
1889                                 domain->dcname = talloc_strdup(domain,
1890                                                                dcname);
1891                                 if (domain->dcname == NULL) {
1892                                         TALLOC_FREE(mem_ctx);
1893                                         return NT_STATUS_NO_MEMORY;
1894                                 }
1895                         } else {
1896                                 winbind_add_failed_connection_entry(
1897                                         domain, saf_servername,
1898                                         NT_STATUS_UNSUCCESSFUL);
1899                         }
1900                 } else {
1901                         domain->dcname = talloc_strdup(domain, saf_servername);
1902                         if (domain->dcname == NULL) {
1903                                 TALLOC_FREE(mem_ctx);
1904                                 return NT_STATUS_NO_MEMORY;
1905                         }
1906                 }
1907         }
1908
1909         for (retries = 0; retries < 3; retries++) {
1910                 int fd = -1;
1911                 bool retry = False;
1912                 char *dcname = NULL;
1913
1914                 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1915
1916                 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1917                         domain->dcname ? domain->dcname : "", domain->name ));
1918
1919                 if (domain->dcname != NULL
1920                         && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1921                         && (resolve_name(domain->dcname, &domain->dcaddr, 0x20, true)))
1922                 {
1923                         NTSTATUS status;
1924
1925                         status = smbsock_connect(&domain->dcaddr, 0,
1926                                                  NULL, -1, NULL, -1,
1927                                                  &fd, NULL, 10);
1928                         if (!NT_STATUS_IS_OK(status)) {
1929                                 fd = -1;
1930                         }
1931                 }
1932
1933                 if ((fd == -1) &&
1934                     !find_new_dc(mem_ctx, domain, &dcname, &domain->dcaddr, &fd))
1935                 {
1936                         /* This is the one place where we will
1937                            set the global winbindd offline state
1938                            to true, if a "WINBINDD_OFFLINE" entry
1939                            is found in the winbindd cache. */
1940                         set_global_winbindd_state_offline();
1941                         break;
1942                 }
1943                 if (dcname != NULL) {
1944                         talloc_free(domain->dcname);
1945
1946                         domain->dcname = talloc_move(domain, &dcname);
1947                         if (domain->dcname == NULL) {
1948                                 result = NT_STATUS_NO_MEMORY;
1949                                 break;
1950                         }
1951                 }
1952
1953                 new_conn->cli = NULL;
1954
1955                 result = cm_prepare_connection(domain, fd, domain->dcname,
1956                         &new_conn->cli, &retry);
1957                 if (!NT_STATUS_IS_OK(result)) {
1958                         /* Don't leak the smb connection socket */
1959                         close(fd);
1960                 }
1961
1962                 if (!retry)
1963                         break;
1964         }
1965
1966         if (NT_STATUS_IS_OK(result)) {
1967                 bool seal_pipes = true;
1968
1969                 winbindd_set_locator_kdc_envs(domain);
1970
1971                 if (domain->online == False) {
1972                         /* We're changing state from offline to online. */
1973                         set_global_winbindd_state_online();
1974                 }
1975                 set_domain_online(domain);
1976
1977                 /*
1978                  * Much as I hate global state, this seems to be the point
1979                  * where we can be certain that we have a proper connection to
1980                  * a DC. wbinfo --dc-info needs that information, store it in
1981                  * gencache with a looong timeout. This will need revisiting
1982                  * once we start to connect to multiple DCs, wbcDcInfo is
1983                  * already prepared for that.
1984                  */
1985                 store_current_dc_in_gencache(domain->name, domain->dcname,
1986                                              new_conn->cli);
1987
1988                 seal_pipes = lp_winbind_sealed_pipes();
1989                 seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
1990                                           domain->name,
1991                                           seal_pipes);
1992
1993                 if (seal_pipes) {
1994                         new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1995                 } else {
1996                         new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1997                 }
1998         } else {
1999                 /* Ensure we setup the retry handler. */
2000                 set_domain_offline(domain);
2001         }
2002
2003         talloc_destroy(mem_ctx);
2004         return result;
2005 }
2006
2007 /* Close down all open pipes on a connection. */
2008
2009 void invalidate_cm_connection(struct winbindd_domain *domain)
2010 {
2011         NTSTATUS result;
2012         struct winbindd_cm_conn *conn = &domain->conn;
2013
2014         /* We're closing down a possibly dead
2015            connection. Don't have impossibly long (10s) timeouts. */
2016
2017         if (conn->cli) {
2018                 cli_set_timeout(conn->cli, 1000); /* 1 second. */
2019         }
2020
2021         if (conn->samr_pipe != NULL) {
2022                 if (is_valid_policy_hnd(&conn->sam_connect_handle)) {
2023                         dcerpc_samr_Close(conn->samr_pipe->binding_handle,
2024                                           talloc_tos(),
2025                                           &conn->sam_connect_handle,
2026                                           &result);
2027                 }
2028                 TALLOC_FREE(conn->samr_pipe);
2029                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
2030                 if (conn->cli) {
2031                         cli_set_timeout(conn->cli, 500);
2032                 }
2033         }
2034
2035         if (conn->lsa_pipe != NULL) {
2036                 if (is_valid_policy_hnd(&conn->lsa_policy)) {
2037                         dcerpc_lsa_Close(conn->lsa_pipe->binding_handle,
2038                                          talloc_tos(),
2039                                          &conn->lsa_policy,
2040                                          &result);
2041                 }
2042                 TALLOC_FREE(conn->lsa_pipe);
2043                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
2044                 if (conn->cli) {
2045                         cli_set_timeout(conn->cli, 500);
2046                 }
2047         }
2048
2049         if (conn->lsa_pipe_tcp != NULL) {
2050                 if (is_valid_policy_hnd(&conn->lsa_policy)) {
2051                         dcerpc_lsa_Close(conn->lsa_pipe_tcp->binding_handle,
2052                                          talloc_tos(),
2053                                          &conn->lsa_policy,
2054                                          &result);
2055                 }
2056                 TALLOC_FREE(conn->lsa_pipe_tcp);
2057                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
2058                 if (conn->cli) {
2059                         cli_set_timeout(conn->cli, 500);
2060                 }
2061         }
2062
2063         if (conn->netlogon_pipe != NULL) {
2064                 TALLOC_FREE(conn->netlogon_pipe);
2065                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
2066                 if (conn->cli) {
2067                         cli_set_timeout(conn->cli, 500);
2068                 }
2069         }
2070
2071         conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
2072         conn->netlogon_force_reauth = false;
2073         conn->netlogon_flags = 0;
2074         TALLOC_FREE(conn->netlogon_creds);
2075
2076         if (conn->cli) {
2077                 cli_shutdown(conn->cli);
2078         }
2079
2080         conn->cli = NULL;
2081 }
2082
2083 void close_conns_after_fork(void)
2084 {
2085         struct winbindd_domain *domain;
2086         struct winbindd_cli_state *cli_state;
2087
2088         for (domain = domain_list(); domain; domain = domain->next) {
2089                 /*
2090                  * first close the low level SMB TCP connection
2091                  * so that we don't generate any SMBclose
2092                  * requests in invalidate_cm_connection()
2093                  */
2094                 if (cli_state_is_connected(domain->conn.cli)) {
2095                         smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
2096                 }
2097
2098                 invalidate_cm_connection(domain);
2099         }
2100
2101         for (cli_state = winbindd_client_list();
2102              cli_state != NULL;
2103              cli_state = cli_state->next) {
2104                 if (cli_state->sock >= 0) {
2105                         close(cli_state->sock);
2106                         cli_state->sock = -1;
2107                 }
2108         }
2109 }
2110
2111 static bool connection_ok(struct winbindd_domain *domain)
2112 {
2113         bool ok;
2114
2115         ok = cli_state_is_connected(domain->conn.cli);
2116         if (!ok) {
2117                 DEBUG(3, ("connection_ok: Connection to %s for domain %s is not connected\n",
2118                           domain->dcname, domain->name));
2119                 return False;
2120         }
2121
2122         if (domain->online == False) {
2123                 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
2124                 return False;
2125         }
2126
2127         return True;
2128 }
2129
2130 /* Initialize a new connection up to the RPC BIND.
2131    Bypass online status check so always does network calls. */
2132
2133 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc)
2134 {
2135         NTSTATUS result;
2136         bool skip_connection = domain->internal;
2137         if (need_rw_dc && domain->rodc) {
2138                 skip_connection = false;
2139         }
2140
2141         /* Internal connections never use the network. */
2142         if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
2143                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2144         }
2145
2146         /* Still ask the internal LSA and SAMR server about the local domain */
2147         if (skip_connection || connection_ok(domain)) {
2148                 if (!domain->initialized) {
2149                         set_dc_type_and_flags(domain);
2150                 }
2151                 return NT_STATUS_OK;
2152         }
2153
2154         invalidate_cm_connection(domain);
2155
2156         if (!domain->primary && !domain->initialized) {
2157                 /*
2158                  * Before we connect to a trust, work out if it is an
2159                  * AD domain by asking our own domain.
2160                  */
2161                 set_dc_type_and_flags_trustinfo(domain);
2162         }
2163
2164         result = cm_open_connection(domain, &domain->conn);
2165
2166         if (NT_STATUS_IS_OK(result) && !domain->initialized) {
2167                 set_dc_type_and_flags(domain);
2168         }
2169
2170         return result;
2171 }
2172
2173 NTSTATUS init_dc_connection(struct winbindd_domain *domain, bool need_rw_dc)
2174 {
2175         if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
2176                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2177         }
2178
2179         if (domain->initialized && !domain->online) {
2180                 /* We check for online status elsewhere. */
2181                 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
2182         }
2183
2184         return init_dc_connection_network(domain, need_rw_dc);
2185 }
2186
2187 static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain, bool need_rw_dc)
2188 {
2189         NTSTATUS status;
2190
2191         status = init_dc_connection(domain, need_rw_dc);
2192         if (!NT_STATUS_IS_OK(status)) {
2193                 return status;
2194         }
2195
2196         if (!domain->internal && domain->conn.cli == NULL) {
2197                 /* happens for trusted domains without inbound trust */
2198                 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2199         }
2200
2201         return NT_STATUS_OK;
2202 }
2203
2204 /******************************************************************************
2205  Set the trust flags (direction and forest location) for a domain
2206 ******************************************************************************/
2207
2208 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
2209 {
2210         struct winbindd_domain *our_domain;
2211         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2212         WERROR werr;
2213         struct netr_DomainTrustList trusts;
2214         int i;
2215         uint32_t flags = (NETR_TRUST_FLAG_IN_FOREST |
2216                         NETR_TRUST_FLAG_OUTBOUND |
2217                         NETR_TRUST_FLAG_INBOUND);
2218         struct rpc_pipe_client *cli;
2219         TALLOC_CTX *mem_ctx = NULL;
2220         struct dcerpc_binding_handle *b;
2221
2222         DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
2223
2224         /* Our primary domain doesn't need to worry about trust flags.
2225            Force it to go through the network setup */
2226         if ( domain->primary ) {                
2227                 return False;           
2228         }
2229
2230         mem_ctx = talloc_stackframe();
2231         our_domain = find_our_domain();
2232         if (our_domain->internal) {
2233                 result = init_dc_connection(our_domain, false);
2234                 if (!NT_STATUS_IS_OK(result)) {
2235                         DEBUG(3,("set_dc_type_and_flags_trustinfo: "
2236                                  "Not able to make a connection to our domain: %s\n",
2237                                   nt_errstr(result)));
2238                         TALLOC_FREE(mem_ctx);
2239                         return false;
2240                 }
2241         }
2242
2243         /* This won't work unless our domain is AD */
2244         if ( !our_domain->active_directory ) {
2245                 TALLOC_FREE(mem_ctx);
2246                 return False;
2247         }
2248
2249         if (our_domain->internal) {
2250                 result = wb_open_internal_pipe(mem_ctx, &ndr_table_netlogon, &cli);
2251         } else if (!connection_ok(our_domain)) {
2252                 DEBUG(3,("set_dc_type_and_flags_trustinfo: "
2253                          "No connection to our domain!\n"));
2254                 TALLOC_FREE(mem_ctx);
2255                 return False;
2256         } else {
2257                 result = cm_connect_netlogon(our_domain, &cli);
2258         }
2259
2260         if (!NT_STATUS_IS_OK(result)) {
2261                 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
2262                           "a connection to %s for PIPE_NETLOGON (%s)\n", 
2263                           domain->name, nt_errstr(result)));
2264                 TALLOC_FREE(mem_ctx);
2265                 return False;
2266         }
2267         b = cli->binding_handle;
2268
2269         /* Use DsEnumerateDomainTrusts to get us the trust direction and type. */
2270         result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
2271                                                       cli->desthost,
2272                                                       flags,
2273                                                       &trusts,
2274                                                       &werr);
2275         if (!NT_STATUS_IS_OK(result)) {
2276                 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
2277                         "failed to query trusted domain list: %s\n",
2278                         nt_errstr(result)));
2279                 TALLOC_FREE(mem_ctx);
2280                 return false;
2281         }
2282         if (!W_ERROR_IS_OK(werr)) {
2283                 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
2284                         "failed to query trusted domain list: %s\n",
2285                         win_errstr(werr)));
2286                 TALLOC_FREE(mem_ctx);
2287                 return false;
2288         }
2289
2290         /* Now find the domain name and get the flags */
2291
2292         for ( i=0; i<trusts.count; i++ ) {
2293                 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
2294                         domain->domain_flags          = trusts.array[i].trust_flags;
2295                         domain->domain_type           = trusts.array[i].trust_type;
2296                         domain->domain_trust_attribs  = trusts.array[i].trust_attributes;
2297
2298                         if ( domain->domain_type == LSA_TRUST_TYPE_UPLEVEL )
2299                                 domain->active_directory = True;
2300
2301                         /* This flag is only set if the domain is *our* 
2302                            primary domain and the primary domain is in
2303                            native mode */
2304
2305                         domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
2306
2307                         DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
2308                                   "native mode.\n", domain->name, 
2309                                   domain->native_mode ? "" : "NOT "));
2310
2311                         DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
2312                                  "running active directory.\n", domain->name, 
2313                                  domain->active_directory ? "" : "NOT "));
2314
2315                         domain->can_do_ncacn_ip_tcp = domain->active_directory;
2316
2317                         domain->initialized = True;
2318
2319                         break;
2320                 }               
2321         }
2322
2323         TALLOC_FREE(mem_ctx);
2324
2325         return domain->initialized;     
2326 }
2327
2328 /******************************************************************************
2329  We can 'sense' certain things about the DC by it's replies to certain
2330  questions.
2331
2332  This tells us if this particular remote server is Active Directory, and if it
2333  is native mode.
2334 ******************************************************************************/
2335
2336 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
2337 {
2338         NTSTATUS status, result;
2339         WERROR werr;
2340         TALLOC_CTX              *mem_ctx = NULL;
2341         struct rpc_pipe_client  *cli = NULL;
2342         struct policy_handle pol;
2343         union dssetup_DsRoleInfo info;
2344         union lsa_PolicyInformation *lsa_info = NULL;
2345
2346         if (!domain->internal && !connection_ok(domain)) {
2347                 return;
2348         }
2349
2350         mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
2351                               domain->name);
2352         if (!mem_ctx) {
2353                 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
2354                 return;
2355         }
2356
2357         DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
2358
2359         if (domain->internal) {
2360                 status = wb_open_internal_pipe(mem_ctx,
2361                                                &ndr_table_dssetup,
2362                                                &cli);
2363         } else {
2364                 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
2365                                                   &ndr_table_dssetup,
2366                                                   &cli);
2367         }
2368
2369         if (!NT_STATUS_IS_OK(status)) {
2370                 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
2371                           "PI_DSSETUP on domain %s: (%s)\n",
2372                           domain->name, nt_errstr(status)));
2373
2374                 /* if this is just a non-AD domain we need to continue
2375                  * identifying so that we can in the end return with
2376                  * domain->initialized = True - gd */
2377
2378                 goto no_dssetup;
2379         }
2380
2381         status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx,
2382                                                                   DS_ROLE_BASIC_INFORMATION,
2383                                                                   &info,
2384                                                                   &werr);
2385         TALLOC_FREE(cli);
2386
2387         if (NT_STATUS_IS_OK(status)) {
2388                 result = werror_to_ntstatus(werr);
2389         }
2390         if (!NT_STATUS_IS_OK(status)) {
2391                 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
2392                           "on domain %s failed: (%s)\n",
2393                           domain->name, nt_errstr(status)));
2394
2395                 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
2396                  * every opcode on the DSSETUP pipe, continue with
2397                  * no_dssetup mode here as well to get domain->initialized
2398                  * set - gd */
2399
2400                 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
2401                         goto no_dssetup;
2402                 }
2403
2404                 TALLOC_FREE(mem_ctx);
2405                 return;
2406         }
2407
2408         if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
2409             !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
2410                 domain->native_mode = True;
2411         } else {
2412                 domain->native_mode = False;
2413         }
2414
2415 no_dssetup:
2416         if (domain->internal) {
2417                 status = wb_open_internal_pipe(mem_ctx,
2418                                                &ndr_table_lsarpc,
2419                                                &cli);
2420         } else {
2421                 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
2422                                                   &ndr_table_lsarpc, &cli);
2423         }
2424         if (!NT_STATUS_IS_OK(status)) {
2425                 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
2426                           "PI_LSARPC on domain %s: (%s)\n",
2427                           domain->name, nt_errstr(status)));
2428                 TALLOC_FREE(cli);
2429                 TALLOC_FREE(mem_ctx);
2430                 return;
2431         }
2432
2433         status = rpccli_lsa_open_policy2(cli, mem_ctx, True,
2434                                          SEC_FLAG_MAXIMUM_ALLOWED, &pol);
2435
2436         if (NT_STATUS_IS_OK(status)) {
2437                 /* This particular query is exactly what Win2k clients use 
2438                    to determine that the DC is active directory */
2439                 status = dcerpc_lsa_QueryInfoPolicy2(cli->binding_handle, mem_ctx,
2440                                                      &pol,
2441                                                      LSA_POLICY_INFO_DNS,
2442                                                      &lsa_info,
2443                                                      &result);
2444         }
2445
2446         if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2447                 domain->active_directory = True;
2448
2449                 if (lsa_info->dns.name.string) {
2450                         if (!strequal(domain->name, lsa_info->dns.name.string))
2451                         {
2452                                 DEBUG(1, ("set_dc_type_and_flags_connect: DC "
2453                                           "for domain %s claimed it was a DC "
2454                                           "for domain %s, refusing to "
2455                                           "initialize\n",
2456                                           domain->name,
2457                                           lsa_info->dns.name.string));
2458                                 TALLOC_FREE(cli);
2459                                 TALLOC_FREE(mem_ctx);
2460                                 return;
2461                         }
2462                         talloc_free(domain->name);
2463                         domain->name = talloc_strdup(domain,
2464                                                      lsa_info->dns.name.string);
2465                         if (domain->name == NULL) {
2466                                 goto done;
2467                         }
2468                 }
2469
2470                 if (lsa_info->dns.dns_domain.string) {
2471                         if (domain->alt_name != NULL &&
2472                             !strequal(domain->alt_name,
2473                                       lsa_info->dns.dns_domain.string))
2474                         {
2475                                 DEBUG(1, ("set_dc_type_and_flags_connect: DC "
2476                                           "for domain %s (%s) claimed it was "
2477                                           "a DC for domain %s, refusing to "
2478                                           "initialize\n",
2479                                           domain->alt_name, domain->name,
2480                                           lsa_info->dns.dns_domain.string));
2481                                 TALLOC_FREE(cli);
2482                                 TALLOC_FREE(mem_ctx);
2483                                 return;
2484                         }
2485                         talloc_free(domain->alt_name);
2486                         domain->alt_name =
2487                                 talloc_strdup(domain,
2488                                               lsa_info->dns.dns_domain.string);
2489                         if (domain->alt_name == NULL) {
2490                                 goto done;
2491                         }
2492                 }
2493
2494                 /* See if we can set some domain trust flags about
2495                    ourself */
2496
2497                 if (lsa_info->dns.dns_forest.string) {
2498                         talloc_free(domain->forest_name);
2499                         domain->forest_name =
2500                                 talloc_strdup(domain,
2501                                               lsa_info->dns.dns_forest.string);
2502                         if (domain->forest_name == NULL) {
2503                                 goto done;
2504                         }
2505
2506                         if (strequal(domain->forest_name, domain->alt_name)) {
2507                                 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
2508                         }
2509                 }
2510
2511                 if (lsa_info->dns.sid) {
2512                         if (!is_null_sid(&domain->sid) &&
2513                             !dom_sid_equal(&domain->sid,
2514                                            lsa_info->dns.sid))
2515                         {
2516                                 DEBUG(1, ("set_dc_type_and_flags_connect: DC "
2517                                           "for domain %s (%s) claimed it was "
2518                                           "a DC for domain %s, refusing to "
2519                                           "initialize\n",
2520                                           dom_sid_string(talloc_tos(),
2521                                                          &domain->sid),
2522                                           domain->name,
2523                                           dom_sid_string(talloc_tos(),
2524                                                          lsa_info->dns.sid)));
2525                                 TALLOC_FREE(cli);
2526                                 TALLOC_FREE(mem_ctx);
2527                                 return;
2528                         }
2529                         sid_copy(&domain->sid, lsa_info->dns.sid);
2530                 }
2531         } else {
2532                 domain->active_directory = False;
2533
2534                 status = rpccli_lsa_open_policy(cli, mem_ctx, True,
2535                                                 SEC_FLAG_MAXIMUM_ALLOWED,
2536                                                 &pol);
2537
2538                 if (!NT_STATUS_IS_OK(status)) {
2539                         goto done;
2540                 }
2541
2542                 status = dcerpc_lsa_QueryInfoPolicy(cli->binding_handle, mem_ctx,
2543                                                     &pol,
2544                                                     LSA_POLICY_INFO_ACCOUNT_DOMAIN,
2545                                                     &lsa_info,
2546                                                     &result);
2547                 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2548
2549                         if (lsa_info->account_domain.name.string) {
2550                                 if (!strequal(domain->name,
2551                                         lsa_info->account_domain.name.string))
2552                                 {
2553                                         DEBUG(1,
2554                                               ("set_dc_type_and_flags_connect: "
2555                                                "DC for domain %s claimed it was"
2556                                                " a DC for domain %s, refusing "
2557                                                "to initialize\n", domain->name,
2558                                                lsa_info->
2559                                                 account_domain.name.string));
2560                                         TALLOC_FREE(cli);
2561                                         TALLOC_FREE(mem_ctx);
2562                                         return;
2563                                 }
2564                                 talloc_free(domain->name);
2565                                 domain->name =
2566                                         talloc_strdup(domain,
2567                                                       lsa_info->account_domain.name.string);
2568                         }
2569
2570                         if (lsa_info->account_domain.sid) {
2571                                 if (!is_null_sid(&domain->sid) &&
2572                                     !dom_sid_equal(&domain->sid,
2573                                                 lsa_info->account_domain.sid))
2574                                 {
2575                                         DEBUG(1,
2576                                               ("set_dc_type_and_flags_connect: "
2577                                                "DC for domain %s (%s) claimed "
2578                                                "it was a DC for domain %s, "
2579                                                "refusing to initialize\n",
2580                                                dom_sid_string(talloc_tos(),
2581                                                               &domain->sid),
2582                                                domain->name,
2583                                                dom_sid_string(talloc_tos(),
2584                                                 lsa_info->account_domain.sid)));
2585                                         TALLOC_FREE(cli);
2586                                         TALLOC_FREE(mem_ctx);
2587                                         return;
2588                                 }
2589                                 sid_copy(&domain->sid, lsa_info->account_domain.sid);
2590                         }
2591                 }
2592         }
2593 done:
2594
2595         DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
2596                   domain->name, domain->native_mode ? "" : "NOT "));
2597
2598         DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
2599                   domain->name, domain->active_directory ? "" : "NOT "));
2600
2601         domain->can_do_ncacn_ip_tcp = domain->active_directory;
2602
2603         TALLOC_FREE(cli);
2604
2605         TALLOC_FREE(mem_ctx);
2606
2607         domain->initialized = True;
2608 }
2609
2610 /**********************************************************************
2611  Set the domain_flags (trust attributes, domain operating modes, etc... 
2612 ***********************************************************************/
2613
2614 static void set_dc_type_and_flags( struct winbindd_domain *domain )
2615 {
2616         /* we always have to contact our primary domain */
2617
2618         if ( domain->primary || domain->internal) {
2619                 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
2620                           "primary or internal domain\n"));
2621                 set_dc_type_and_flags_connect( domain );
2622                 return;         
2623         }
2624
2625         /* Use our DC to get the information if possible */
2626
2627         if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
2628                 /* Otherwise, fallback to contacting the 
2629                    domain directly */
2630                 set_dc_type_and_flags_connect( domain );
2631         }
2632
2633         return;
2634 }
2635
2636
2637
2638 /**********************************************************************
2639 ***********************************************************************/
2640
2641 static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
2642                                    struct netlogon_creds_cli_context **ppdc)
2643 {
2644         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2645         struct rpc_pipe_client *netlogon_pipe;
2646
2647         *ppdc = NULL;
2648
2649         if ((!IS_DC) && (!domain->primary)) {
2650                 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2651         }
2652
2653         if (domain->conn.netlogon_creds != NULL) {
2654                 if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
2655                         return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2656                 }
2657                 *ppdc = domain->conn.netlogon_creds;
2658                 return NT_STATUS_OK;
2659         }
2660
2661         result = cm_connect_netlogon(domain, &netlogon_pipe);
2662         if (!NT_STATUS_IS_OK(result)) {
2663                 return result;
2664         }
2665
2666         if (domain->conn.netlogon_creds == NULL) {
2667                 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2668         }
2669
2670         if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
2671                 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2672         }
2673
2674         *ppdc = domain->conn.netlogon_creds;
2675         return NT_STATUS_OK;
2676 }
2677
2678 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2679                         bool need_rw_dc,
2680                         struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
2681 {
2682         struct winbindd_cm_conn *conn;
2683         NTSTATUS status, result;
2684         struct netlogon_creds_cli_context *p_creds;
2685         struct cli_credentials *creds = NULL;
2686         bool retry = false; /* allow one retry attempt for expired session */
2687
2688         if (sid_check_is_our_sam(&domain->sid)) {
2689                 if (domain->rodc == false || need_rw_dc == false) {
2690                         return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
2691                 }
2692         }
2693
2694 retry:
2695         status = init_dc_connection_rpc(domain, need_rw_dc);
2696         if (!NT_STATUS_IS_OK(status)) {
2697                 return status;
2698         }
2699
2700         conn = &domain->conn;
2701
2702         if (rpccli_is_connected(conn->samr_pipe)) {
2703                 goto done;
2704         }
2705
2706         TALLOC_FREE(conn->samr_pipe);
2707
2708         /*
2709          * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
2710          * sign and sealed pipe using the machine account password by
2711          * preference. If we can't - try schannel, if that fails, try
2712          * anonymous.
2713          */
2714
2715         result = get_trust_credentials(domain, talloc_tos(), false, &creds);
2716         if (!NT_STATUS_IS_OK(result)) {
2717                 DEBUG(10, ("cm_connect_sam: No user available for "
2718                            "domain %s, trying schannel\n", domain->name));
2719                 goto schannel;
2720         }
2721
2722         if (cli_credentials_is_anonymous(creds)) {
2723                 goto anonymous;
2724         }
2725
2726         /*
2727          * We have an authenticated connection. Use a SPNEGO
2728          * authenticated SAMR pipe with sign & seal.
2729          */
2730         status = cli_rpc_pipe_open_with_creds(conn->cli,
2731                                               &ndr_table_samr,
2732                                               NCACN_NP,
2733                                               DCERPC_AUTH_TYPE_SPNEGO,
2734                                               conn->auth_level,
2735                                               smbXcli_conn_remote_name(conn->cli->conn),
2736                                               creds,
2737                                               &conn->samr_pipe);
2738
2739         if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
2740             && !retry) {
2741                 invalidate_cm_connection(domain);
2742                 retry = true;
2743                 goto retry;
2744         }
2745
2746         if (!NT_STATUS_IS_OK(status)) {
2747                 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2748                           "pipe for domain %s using NTLMSSP "
2749                           "authenticated pipe: user %s. Error was "
2750                           "%s\n", domain->name,
2751                           cli_credentials_get_unparsed_name(creds, talloc_tos()),
2752                           nt_errstr(status)));
2753                 goto schannel;
2754         }
2755
2756         DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2757                   "domain %s using NTLMSSP authenticated "
2758                   "pipe: user %s\n", domain->name,
2759                   cli_credentials_get_unparsed_name(creds, talloc_tos())));
2760
2761         status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2762                                       conn->samr_pipe->desthost,
2763                                       SEC_FLAG_MAXIMUM_ALLOWED,
2764                                       &conn->sam_connect_handle,
2765                                       &result);
2766
2767         if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
2768                 invalidate_cm_connection(domain);
2769                 TALLOC_FREE(conn->samr_pipe);
2770                 retry = true;
2771                 goto retry;
2772         }
2773
2774         if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2775                 goto open_domain;
2776         }
2777         if (NT_STATUS_IS_OK(status)) {
2778                 status = result;
2779         }
2780
2781         DEBUG(10,("cm_connect_sam: ntlmssp-sealed dcerpc_samr_Connect2 "
2782                   "failed for domain %s, error was %s. Trying schannel\n",
2783                   domain->name, nt_errstr(status) ));
2784         TALLOC_FREE(conn->samr_pipe);
2785
2786  schannel:
2787
2788         /* Fall back to schannel if it's a W2K pre-SP1 box. */
2789
2790         status = cm_get_schannel_creds(domain, &p_creds);
2791         if (!NT_STATUS_IS_OK(status)) {
2792                 /* If this call fails - conn->cli can now be NULL ! */
2793                 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2794                            "for domain %s (error %s), trying anon\n",
2795                         domain->name,
2796                         nt_errstr(status) ));
2797                 goto anonymous;
2798         }
2799         TALLOC_FREE(creds);
2800         result = get_trust_credentials(domain, talloc_tos(), true, &creds);
2801         if (!NT_STATUS_IS_OK(result)) {
2802                 DEBUG(10, ("cm_connect_sam: No user available for "
2803                            "domain %s (error %s), trying anon\n", domain->name,
2804                            nt_errstr(result)));
2805                 goto anonymous;
2806         }
2807         status = cli_rpc_pipe_open_schannel_with_creds
2808                 (conn->cli, &ndr_table_samr, NCACN_NP,
2809                  creds, p_creds, &conn->samr_pipe);
2810
2811         if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
2812             && !retry) {
2813                 invalidate_cm_connection(domain);
2814                 retry = true;
2815                 goto retry;
2816         }
2817
2818         if (!NT_STATUS_IS_OK(status)) {
2819                 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2820                           "domain %s using schannel. Error was %s\n",
2821                           domain->name, nt_errstr(status) ));
2822                 goto anonymous;
2823         }
2824         DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2825                   "schannel.\n", domain->name ));
2826
2827         status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2828                                       conn->samr_pipe->desthost,
2829                                       SEC_FLAG_MAXIMUM_ALLOWED,
2830                                       &conn->sam_connect_handle,
2831                                       &result);
2832
2833         if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
2834                 invalidate_cm_connection(domain);
2835                 TALLOC_FREE(conn->samr_pipe);
2836                 retry = true;
2837                 goto retry;
2838         }
2839
2840         if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2841                 goto open_domain;
2842         }
2843         if (NT_STATUS_IS_OK(status)) {
2844                 status = result;
2845         }
2846         DEBUG(10,("cm_connect_sam: schannel-sealed dcerpc_samr_Connect2 failed "
2847                   "for domain %s, error was %s. Trying anonymous\n",
2848                   domain->name, nt_errstr(status) ));
2849         TALLOC_FREE(conn->samr_pipe);
2850
2851  anonymous:
2852
2853         /* Finally fall back to anonymous. */
2854         if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
2855                 status = NT_STATUS_DOWNGRADE_DETECTED;
2856                 DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
2857                           "without connection level security, "
2858                           "must set 'winbind sealed pipes = false' and "
2859                           "'require strong key = false' to proceed: %s\n",
2860                           domain->name, nt_errstr(status)));
2861                 goto done;
2862         }
2863         status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
2864                                           &conn->samr_pipe);
2865
2866         if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
2867             && !retry) {
2868                 invalidate_cm_connection(domain);
2869                 retry = true;
2870                 goto retry;
2871         }
2872
2873         if (!NT_STATUS_IS_OK(status)) {
2874                 goto done;
2875         }
2876
2877         status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2878                                       conn->samr_pipe->desthost,
2879                                       SEC_FLAG_MAXIMUM_ALLOWED,
2880                                       &conn->sam_connect_handle,
2881                                       &result);
2882
2883         if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
2884                 invalidate_cm_connection(domain);
2885                 TALLOC_FREE(conn->samr_pipe);
2886                 retry = true;
2887                 goto retry;
2888         }
2889
2890         if (!NT_STATUS_IS_OK(status)) {
2891                 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2892                           "for domain %s Error was %s\n",
2893                           domain->name, nt_errstr(status) ));
2894                 goto done;
2895         }
2896         if (!NT_STATUS_IS_OK(result)) {
2897                 status = result;
2898                 DEBUG(10,("cm_connect_sam: dcerpc_samr_Connect2 failed "
2899                           "for domain %s Error was %s\n",
2900                           domain->name, nt_errstr(result)));
2901                 goto done;
2902         }
2903
2904  open_domain:
2905         status = dcerpc_samr_OpenDomain(conn->samr_pipe->binding_handle,
2906                                         mem_ctx,
2907                                         &conn->sam_connect_handle,
2908                                         SEC_FLAG_MAXIMUM_ALLOWED,
2909                                         &domain->sid,
2910                                         &conn->sam_domain_handle,
2911                                         &result);
2912         if (!NT_STATUS_IS_OK(status)) {
2913                 goto done;
2914         }
2915
2916         status = result;
2917  done:
2918
2919         if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
2920                 /*
2921                  * if we got access denied, we might just have no access rights
2922                  * to talk to the remote samr server server (e.g. when we are a
2923                  * PDC and we are connecting a w2k8 pdc via an interdomain
2924                  * trust). In that case do not invalidate the whole connection
2925                  * stack
2926                  */
2927                 TALLOC_FREE(conn->samr_pipe);
2928                 ZERO_STRUCT(conn->sam_domain_handle);
2929                 return status;
2930         } else if (!NT_STATUS_IS_OK(status)) {
2931                 invalidate_cm_connection(domain);
2932                 return status;
2933         }
2934
2935         *cli = conn->samr_pipe;
2936         *sam_handle = conn->sam_domain_handle;
2937         return status;
2938 }
2939
2940 /**********************************************************************
2941  open an schanneld ncacn_ip_tcp connection to LSA
2942 ***********************************************************************/
2943
2944 static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
2945                                    TALLOC_CTX *mem_ctx,
2946                                    struct rpc_pipe_client **cli)
2947 {
2948         struct winbindd_cm_conn *conn;
2949         struct netlogon_creds_cli_context *p_creds = NULL;
2950         struct cli_credentials *creds = NULL;
2951         NTSTATUS status;
2952
2953         DEBUG(10,("cm_connect_lsa_tcp\n"));
2954
2955         status = init_dc_connection_rpc(domain, false);
2956         if (!NT_STATUS_IS_OK(status)) {
2957                 return status;
2958         }
2959
2960         conn = &domain->conn;
2961
2962         if (conn->lsa_pipe_tcp &&
2963             conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
2964             conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
2965             rpccli_is_connected(conn->lsa_pipe_tcp)) {
2966                 goto done;
2967         }
2968
2969         TALLOC_FREE(conn->lsa_pipe_tcp);
2970
2971         status = cm_get_schannel_creds(domain, &p_creds);
2972         if (!NT_STATUS_IS_OK(status)) {
2973                 goto done;
2974         }
2975
2976         status = get_trust_credentials(domain, talloc_tos(), true, &creds);
2977         if (!NT_STATUS_IS_OK(status)) {
2978                 goto done;
2979         }
2980
2981         status = cli_rpc_pipe_open_schannel_with_creds(conn->cli,
2982                                                        &ndr_table_lsarpc,
2983                                                        NCACN_IP_TCP,
2984                                                        creds,
2985                                                        p_creds,
2986                                                        &conn->lsa_pipe_tcp);
2987         if (!NT_STATUS_IS_OK(status)) {
2988                 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
2989                         nt_errstr(status)));
2990                 goto done;
2991         }
2992
2993  done:
2994         if (!NT_STATUS_IS_OK(status)) {
2995                 TALLOC_FREE(conn->lsa_pipe_tcp);
2996                 return status;
2997         }
2998
2999         *cli = conn->lsa_pipe_tcp;
3000
3001         return status;
3002 }
3003
3004 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
3005                         struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
3006 {
3007         struct winbindd_cm_conn *conn;
3008         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
3009         struct netlogon_creds_cli_context *p_creds;
3010         struct cli_credentials *creds = NULL;
3011         bool retry = false; /* allow one retry attempt for expired session */
3012
3013 retry:
3014         result = init_dc_connection_rpc(domain, false);
3015         if (!NT_STATUS_IS_OK(result))
3016                 return result;
3017
3018         conn = &domain->conn;
3019
3020         if (rpccli_is_connected(conn->lsa_pipe)) {
3021                 goto done;
3022         }
3023
3024         TALLOC_FREE(conn->lsa_pipe);
3025
3026         result = get_trust_credentials(domain, talloc_tos(), false, &creds);
3027         if (!NT_STATUS_IS_OK(result)) {
3028                 DEBUG(10, ("cm_connect_lsa: No user available for "
3029                            "domain %s, trying schannel\n", domain->name));
3030                 goto schannel;
3031         }
3032
3033         if (cli_credentials_is_anonymous(creds)) {
3034                 goto anonymous;
3035         }
3036
3037         /*
3038          * We have an authenticated connection. Use a SPNEGO
3039          * authenticated LSA pipe with sign & seal.
3040          */
3041         result = cli_rpc_pipe_open_with_creds
3042                 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
3043                  DCERPC_AUTH_TYPE_SPNEGO,
3044                  conn->auth_level,
3045                  smbXcli_conn_remote_name(conn->cli->conn),
3046                  creds,
3047                  &conn->lsa_pipe);
3048
3049         if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
3050             && !retry) {
3051                 invalidate_cm_connection(domain);
3052                 retry = true;
3053                 goto retry;
3054         }
3055
3056         if (!NT_STATUS_IS_OK(result)) {
3057                 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
3058                           "domain %s using NTLMSSP authenticated pipe: user "
3059                           "%s. Error was %s. Trying schannel.\n",
3060                           domain->name,
3061                           cli_credentials_get_unparsed_name(creds, talloc_tos()),
3062                           nt_errstr(result)));
3063                 goto schannel;
3064         }
3065
3066         DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
3067                   "NTLMSSP authenticated pipe: user %s\n",
3068                   domain->name, cli_credentials_get_unparsed_name(creds, talloc_tos())));
3069
3070         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
3071                                         SEC_FLAG_MAXIMUM_ALLOWED,
3072                                         &conn->lsa_policy);
3073         if (NT_STATUS_EQUAL(result, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
3074                 invalidate_cm_connection(domain);
3075                 TALLOC_FREE(conn->lsa_pipe);
3076                 retry = true;
3077                 goto retry;
3078         }
3079
3080         if (NT_STATUS_IS_OK(result)) {
3081                 goto done;
3082         }
3083
3084         DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
3085                   "schannel\n"));
3086
3087         TALLOC_FREE(conn->lsa_pipe);
3088
3089  schannel:
3090
3091         /* Fall back to schannel if it's a W2K pre-SP1 box. */
3092
3093         result = cm_get_schannel_creds(domain, &p_creds);
3094         if (!NT_STATUS_IS_OK(result)) {
3095                 /* If this call fails - conn->cli can now be NULL ! */
3096                 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
3097                            "for domain %s (error %s), trying anon\n",
3098                         domain->name,
3099                         nt_errstr(result) ));
3100                 goto anonymous;
3101         }
3102
3103         TALLOC_FREE(creds);
3104         result = get_trust_credentials(domain, talloc_tos(), true, &creds);
3105         if (!NT_STATUS_IS_OK(result)) {
3106                 DEBUG(10, ("cm_connect_lsa: No user available for "
3107                            "domain %s (error %s), trying anon\n", domain->name,
3108                            nt_errstr(result)));
3109                 goto anonymous;
3110         }
3111         result = cli_rpc_pipe_open_schannel_with_creds
3112                 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
3113                  creds, p_creds, &conn->lsa_pipe);
3114
3115         if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
3116             && !retry) {
3117                 invalidate_cm_connection(domain);
3118                 retry = true;
3119                 goto retry;
3120         }
3121
3122         if (!NT_STATUS_IS_OK(result)) {
3123                 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
3124                           "domain %s using schannel. Error was %s\n",
3125                           domain->name, nt_errstr(result) ));
3126                 goto anonymous;
3127         }
3128         DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
3129                   "schannel.\n", domain->name ));
3130
3131         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
3132                                         SEC_FLAG_MAXIMUM_ALLOWED,
3133                                         &conn->lsa_policy);
3134
3135         if (NT_STATUS_EQUAL(result, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
3136                 invalidate_cm_connection(domain);
3137                 TALLOC_FREE(conn->lsa_pipe);
3138                 retry = true;
3139                 goto retry;
3140         }
3141
3142         if (NT_STATUS_IS_OK(result)) {
3143                 goto done;
3144         }
3145
3146         DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
3147                   "anonymous\n"));
3148
3149         TALLOC_FREE(conn->lsa_pipe);
3150
3151  anonymous:
3152
3153         if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
3154                 result = NT_STATUS_DOWNGRADE_DETECTED;
3155                 DEBUG(1, ("Unwilling to make LSA connection to domain %s "
3156                           "without connection level security, "
3157                           "must set 'winbind sealed pipes = false' and "
3158                           "'require strong key = false' to proceed: %s\n",
3159                           domain->name, nt_errstr(result)));