Copyright (C) Gerald (Jerry) Carter 2003-2005.
Copyright (C) Volker Lendecke 2004-2005
Copyright (C) Jeremy Allison 2006
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
We need to manage connections to domain controllers without having to
mess up the main winbindd code with other issues. The aim of the
connection manager is to:
-
+
- make connections to domain controllers and cache them
- re-establish connections when networks or servers go down
- centralise the policy on connection timeouts, domain controller
selection etc
- manage re-entrancy for when winbindd becomes able to handle
multiple outstanding rpc requests
-
+
Why not have connection management as part of the rpc layer like tng?
Good question. This code may morph into libsmb/rpc_cache.c or something
like that but at the moment it's simply staying as part of winbind. I
struct dc_name_ip *dcs = NULL;
int num_dcs = 0;
TALLOC_CTX *mem_ctx = NULL;
- pid_t child_pid;
pid_t parent_pid = sys_getpid();
/* Stop zombies */
CatchChild();
- child_pid = sys_fork();
+ if (domain->dc_probe_pid != (pid_t)-1) {
+ /*
+ * We might already have a DC probe
+ * child working, check.
+ */
+ if (process_exists_by_pid(domain->dc_probe_pid)) {
+ DEBUG(10,("fork_child_dc_connect: pid %u already "
+ "checking for DC's.\n",
+ (unsigned int)domain->dc_probe_pid));
+ return true;
+ }
+ domain->dc_probe_pid = (pid_t)-1;
+ }
- if (child_pid == -1) {
+ domain->dc_probe_pid = sys_fork();
+
+ if (domain->dc_probe_pid == (pid_t)-1) {
DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
return False;
}
- if (child_pid != 0) {
+ if (domain->dc_probe_pid != (pid_t)0) {
/* Parent */
messaging_register(winbind_messaging_context(), NULL,
MSG_WINBIND_TRY_TO_GO_ONLINE,
if (!reinit_after_fork(winbind_messaging_context(), true)) {
DEBUG(0,("reinit_after_fork() failed\n"));
+ messaging_send_buf(winbind_messaging_context(),
+ pid_to_procid(parent_pid),
+ MSG_WINBIND_FAILED_TO_GO_ONLINE,
+ (uint8 *)domain->name,
+ strlen(domain->name)+1);
_exit(0);
}
close_conns_after_fork();
if (!override_logfile) {
- char *logfile;
- if (asprintf(&logfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) > 0) {
- lp_set_logfile(logfile);
- SAFE_FREE(logfile);
+ char *lfile;
+ if (asprintf(&lfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) > 0) {
+ lp_set_logfile(lfile);
+ SAFE_FREE(lfile);
reopen_logs();
}
}
mem_ctx = talloc_init("fork_child_dc_connect");
if (!mem_ctx) {
DEBUG(0,("talloc_init failed.\n"));
+ messaging_send_buf(winbind_messaging_context(),
+ pid_to_procid(parent_pid),
+ MSG_WINBIND_FAILED_TO_GO_ONLINE,
+ (uint8 *)domain->name,
+ strlen(domain->name)+1);
_exit(0);
}
static void calc_new_online_timeout_check(struct winbindd_domain *domain)
{
- int wbc = lp_winbind_cache_time();
+ int wbr = lp_winbind_reconnect_delay();
if (domain->startup) {
domain->check_online_timeout = 10;
- } else if (domain->check_online_timeout < wbc) {
- domain->check_online_timeout = wbc;
+ } else if (domain->check_online_timeout < wbr) {
+ domain->check_online_timeout = wbr;
}
}
}
/* If we're in statup mode, check again in 10 seconds, not in
- lp_winbind_cache_time() seconds (which is 5 mins by default). */
+ lp_winbind_reconnect_delay() seconds (which is 30 seconds by default). */
calc_new_online_timeout_check(domain);
if ( domain->primary ) {
struct winbindd_child *idmap = idmap_child();
-
+
if ( idmap->pid != 0 ) {
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(idmap->pid),
if ( domain->primary ) {
struct winbindd_child *idmap = idmap_child();
-
+
if ( idmap->pid != 0 ) {
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(idmap->pid),
an authenticated connection if DCs have the RestrictAnonymous registry
entry set > 0, or the "Additional restrictions for anonymous
connections" set in the win2k Local Security Policy.
-
+
Caller to free() result in domain, username, password
*/
*username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
*domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
*password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
-
+
if (*username && **username) {
if (!*domain || !**domain)
*domain = smb_xstrdup(lp_workgroup());
-
+
if (!*password || !**password)
*password = smb_xstrdup("");
if (!W_ERROR_IS_OK(werr)) {
DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
- dos_errstr(werr)));
+ win_errstr(werr)));
talloc_destroy(mem_ctx);
return false;
}
{
const char *account_name;
const char *name = NULL;
-
+
/* If we are a DC and this is not our own domain */
if (IS_DC) {
if (!our_domain)
return NT_STATUS_INVALID_SERVER_STATE;
-
+
name = our_domain->name;
}
-
+
if (!get_trust_pw_clear(name, machine_password,
&account_name, NULL))
{
if (!our_domain) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
-
+
if (asprintf(machine_krb5_principal, "%s$@%s",
account_name, our_domain->alt_name) == -1)
{
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, domain->name, machine_password);
+ cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
goto session_setup_done;
}
}
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, domain->name, machine_password);
+ cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
goto session_setup_done;
}
}
anon_fallback:
/* Fall back to anonymous connection, this might fail later */
+ DEBUG(10,("cm_prepare_connection: falling back to anonymous "
+ "connection for DC %s\n",
+ controller ));
if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
NULL, 0, ""))) {
return result;
}
+/*******************************************************************
+ Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
+ array.
+
+ Keeps the list unique by not adding duplicate entries.
+
+ @param[in] mem_ctx talloc memory context to allocate from
+ @param[in] domain_name domain of the DC
+ @param[in] dcname name of the DC to add to the list
+ @param[in] pss Internet address and port pair to add to the list
+ @param[in,out] dcs array of dc_name_ip structures to add to
+ @param[in,out] num_dcs number of dcs returned in the dcs array
+ @return true if the list was added to, false otherwise
+*******************************************************************/
+
static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
const char *dcname, struct sockaddr_storage *pss,
struct dc_name_ip **dcs, int *num)
{
+ int i = 0;
+
if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
return False;
}
+ /* Make sure there's no duplicates in the list */
+ for (i=0; i<*num; i++)
+ if (sockaddr_equal((struct sockaddr *)&(*dcs)[i].ss, (struct sockaddr *)pss))
+ return False;
+
*dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
if (*dcs == NULL)
}
(*addrs)[*num] = *pss;
- set_sockaddr_port(&(*addrs)[*num], port);
+ set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
*num += 1;
return True;
fstring name )
{
struct ip_service ip_list;
- uint32_t nt_version = NETLOGON_VERSION_1;
+ uint32_t nt_version = NETLOGON_NT_VERSION_1;
ip_list.ss = *pss;
ip_list.port = 0;
}
/*******************************************************************
- Retreive a list of IP address for domain controllers. Fill in
- the dcs[] with results.
+ Retrieve a list of IP addresses for domain controllers.
+
+ The array is sorted in the preferred connection order.
+
+ @param[in] mem_ctx talloc memory context to allocate from
+ @param[in] domain domain to retrieve DCs for
+ @param[out] dcs array of dcs that will be returned
+ @param[out] num_dcs number of dcs returned in the dcs array
+ @return always true
*******************************************************************/
static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
is_our_domain = strequal(domain->name, lp_workgroup());
+ /* If not our domain, get the preferred DC, by asking our primary DC */
if ( !is_our_domain
&& get_dc_name_via_netlogon(domain, dcname, &ss)
- && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, num_dcs) )
+ && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
+ num_dcs) )
{
char addr[INET6_ADDRSTRLEN];
print_sockaddr(addr, sizeof(addr), &ss);
if (sitename) {
/* Do the site-specific AD dns lookup first. */
- get_sorted_dc_list(domain->alt_name, sitename, &ip_list, &iplist_size, True);
+ get_sorted_dc_list(domain->alt_name, sitename, &ip_list,
+ &iplist_size, True);
+ /* Add ips to the DC array. We don't look up the name
+ of the DC in this function, but we fill in the char*
+ of the ip now to make the failed connection cache
+ work */
for ( i=0; i<iplist_size; i++ ) {
char addr[INET6_ADDRSTRLEN];
print_sockaddr(addr, sizeof(addr),
iplist_size = 0;
}
- /* Now we add DCs from the main AD dns lookup. */
- get_sorted_dc_list(domain->alt_name, NULL, &ip_list, &iplist_size, True);
+ /* Now we add DCs from the main AD DNS lookup. */
+ get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
+ &iplist_size, True);
for ( i=0; i<iplist_size; i++ ) {
char addr[INET6_ADDRSTRLEN];
dcs,
num_dcs);
}
- }
- /* try standard netbios queries if no ADS */
-
- if (iplist_size==0) {
- get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size, False);
- }
+ SAFE_FREE(ip_list);
+ iplist_size = 0;
+ }
- /* FIXME!! this is where we should re-insert the GETDC requests --jerry */
+ /* Try standard netbios queries if no ADS */
+ if (*num_dcs == 0) {
+ get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
+ False);
- /* now add to the dc array. We'll wait until the last minute
- to look up the name of the DC. But we fill in the char* for
- the ip now in to make the failed connection cache work */
+ for ( i=0; i<iplist_size; i++ ) {
+ char addr[INET6_ADDRSTRLEN];
+ print_sockaddr(addr, sizeof(addr),
+ &ip_list[i].ss);
+ add_one_dc_unique(mem_ctx,
+ domain->name,
+ addr,
+ &ip_list[i].ss,
+ dcs,
+ num_dcs);
+ }
- for ( i=0; i<iplist_size; i++ ) {
- char addr[INET6_ADDRSTRLEN];
- print_sockaddr(addr, sizeof(addr),
- &ip_list[i].ss);
- add_one_dc_unique(mem_ctx, domain->name, addr,
- &ip_list[i].ss, dcs, num_dcs);
+ SAFE_FREE(ip_list);
+ iplist_size = 0;
}
- SAFE_FREE( ip_list );
-
return True;
}
+/*******************************************************************
+ Find and make a connection to a DC in the given domain.
+
+ @param[in] mem_ctx talloc memory context to allocate from
+ @param[in] domain domain to find a dc in
+ @param[out] dcname NetBIOS or FQDN of DC that's connected to
+ @param[out] pss DC Internet address and port
+ @param[out] fd fd of the open socket connected to the newly found dc
+ @return true when a DC connection is made, false otherwise
+*******************************************************************/
+
static bool find_new_dc(TALLOC_CTX *mem_ctx,
struct winbindd_domain *domain,
fstring dcname, struct sockaddr_storage *pss, int *fd)
TALLOC_FREE(dcnames);
num_dcnames = 0;
-
+
TALLOC_FREE(addrs);
num_addrs = 0;
+ close(*fd);
*fd = -1;
goto again;
/* we have to check the server affinity cache here since
later we selecte a DC based on response time and not preference */
-
+
/* Check the negative connection cache
before talking to it. It going down may have
triggered the reconnection. */
TALLOC_CTX *mem_ctx = NULL;
DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
-
+
/* Our primary domain doesn't need to worry about trust flags.
Force it to go through the network setup */
if ( domain->primary ) {
return False;
}
-
+
our_domain = find_our_domain();
-
+
if ( !connection_ok(our_domain) ) {
DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));
return False;
}
/* This won't work unless our domain is AD */
-
+
if ( !our_domain->active_directory ) {
return False;
}
-
+
/* Use DsEnumerateDomainTrusts to get us the trust direction
and type */
if ( !winbindd_can_contact_domain( domain) )
domain->internal = True;
-
+
break;
}
}
-
+
talloc_destroy( mem_ctx );
-
+
return domain->initialized;
}
DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
- cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_DSSETUP,
- &result);
+ result = cli_rpc_pipe_open_noauth(domain->conn.cli,
+ &ndr_table_dssetup.syntax_id,
+ &cli);
- if (cli == NULL) {
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
"PI_DSSETUP on domain %s: (%s)\n",
domain->name, nt_errstr(result)));
}
no_dssetup:
- cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC, &result);
+ result = cli_rpc_pipe_open_noauth(domain->conn.cli,
+ &ndr_table_lsarpc.syntax_id, &cli);
- if (cli == NULL) {
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
"PI_LSARPC on domain %s: (%s)\n",
domain->name, nt_errstr(result)));
result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
-
+
if (NT_STATUS_IS_OK(result)) {
/* This particular query is exactly what Win2k clients use
to determine that the DC is active directory */
/* Return a pointer to the struct dcinfo from the
netlogon pipe. */
+ if (!domain->conn.netlogon_pipe->dc) {
+ return false;
+ }
+
*ppdc = domain->conn.netlogon_pipe->dc;
return True;
}
goto done;
}
+
/*
* No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
* sign and sealed pipe using the machine account password by
/* We have an authenticated connection. Use a NTLMSSP SPNEGO
authenticated SAMR pipe with sign & seal. */
- conn->samr_pipe =
- cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR,
- PIPE_AUTH_LEVEL_PRIVACY,
- domain_name,
- machine_account,
- machine_password, &result);
-
- if (conn->samr_pipe == NULL) {
+ result = cli_rpc_pipe_open_spnego_ntlmssp(conn->cli,
+ &ndr_table_samr.syntax_id,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ domain_name,
+ machine_account,
+ machine_password,
+ &conn->samr_pipe);
+
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
"pipe for domain %s using NTLMSSP "
"authenticated pipe: user %s\\%s. Error was "
"for domain %s, trying anon\n", domain->name));
goto anonymous;
}
- conn->samr_pipe = cli_rpc_pipe_open_schannel_with_key
- (conn->cli, PI_SAMR, PIPE_AUTH_LEVEL_PRIVACY,
- domain->name, p_dcinfo, &result);
+ result = cli_rpc_pipe_open_schannel_with_key
+ (conn->cli, &ndr_table_samr.syntax_id, PIPE_AUTH_LEVEL_PRIVACY,
+ domain->name, p_dcinfo, &conn->samr_pipe);
- if (conn->samr_pipe == NULL) {
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
"domain %s using schannel. Error was %s\n",
domain->name, nt_errstr(result) ));
anonymous:
/* Finally fall back to anonymous. */
- conn->samr_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_SAMR,
- &result);
+ result = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
+ &conn->samr_pipe);
- if (conn->samr_pipe == NULL) {
- result = NT_STATUS_PIPE_NOT_AVAILABLE;
+ if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* We have an authenticated connection. Use a NTLMSSP SPNEGO
* authenticated LSA pipe with sign & seal. */
- conn->lsa_pipe = cli_rpc_pipe_open_spnego_ntlmssp
- (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
- conn->cli->domain, conn->cli->user_name, conn_pwd, &result);
+ result = cli_rpc_pipe_open_spnego_ntlmssp
+ (conn->cli, &ndr_table_lsarpc.syntax_id,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ conn->cli->domain, conn->cli->user_name, conn_pwd,
+ &conn->lsa_pipe);
- if (conn->lsa_pipe == NULL) {
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
"domain %s using NTLMSSP authenticated pipe: user "
"%s\\%s. Error was %s. Trying schannel.\n",
"for domain %s, trying anon\n", domain->name));
goto anonymous;
}
- conn->lsa_pipe = cli_rpc_pipe_open_schannel_with_key
- (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
- domain->name, p_dcinfo, &result);
+ result = cli_rpc_pipe_open_schannel_with_key
+ (conn->cli, &ndr_table_lsarpc.syntax_id,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ domain->name, p_dcinfo, &conn->lsa_pipe);
- if (conn->lsa_pipe == NULL) {
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
"domain %s using schannel. Error was %s\n",
domain->name, nt_errstr(result) ));
anonymous:
- conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_LSARPC,
- &result);
- if (conn->lsa_pipe == NULL) {
+ result = cli_rpc_pipe_open_noauth(conn->cli,
+ &ndr_table_lsarpc.syntax_id,
+ &conn->lsa_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
result = NT_STATUS_PIPE_NOT_AVAILABLE;
goto done;
}
return NT_STATUS_OK;
}
- netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
- &result);
- if (netlogon_pipe == NULL) {
+ result = cli_rpc_pipe_open_noauth(conn->cli,
+ &ndr_table_netlogon.syntax_id,
+ &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
return result;
}
part of the new pipe auth struct.
*/
- conn->netlogon_pipe =
- cli_rpc_pipe_open_schannel_with_key(conn->cli,
- PI_NETLOGON,
- PIPE_AUTH_LEVEL_PRIVACY,
- domain->name,
- netlogon_pipe->dc,
- &result);
+ result = cli_rpc_pipe_open_schannel_with_key(
+ conn->cli, &ndr_table_netlogon.syntax_id,
+ PIPE_AUTH_LEVEL_PRIVACY, domain->name, netlogon_pipe->dc,
+ &conn->netlogon_pipe);
/* We can now close the initial netlogon pipe. */
TALLOC_FREE(netlogon_pipe);
- if (conn->netlogon_pipe == NULL) {
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
"was %s\n", nt_errstr(result)));
-
+
/* make sure we return something besides OK */
return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
}