s3-winbindd: Attempt to connect to NETLOGON over NCACN_IP_TCP if we can
authorAndrew Bartlett <abartlet@samba.org>
Fri, 5 Sep 2014 04:59:00 +0000 (16:59 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 8 Oct 2014 10:48:15 +0000 (12:48 +0200)
This is very helpful in the trusted domain situation, as we may not
have a two-way trust but we can use our domain trust account to set up
a connection to NETLOGON

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct  8 12:48:15 CEST 2014 on sn-devel-104

librpc/rpc/rpc_common.h
source3/auth/auth_domain.c
source3/libnet/libnet_join.c
source3/rpc_client/cli_netlogon.c
source3/rpc_client/cli_netlogon.h
source3/rpc_client/cli_pipe_schannel.c
source3/rpcclient/rpcclient.c
source3/winbindd/winbindd_cm.c

index ce7e6ea2722badecd3c0c116e1281704f8a2b5d8..1b54b807a935d38a2e4777114eb0dfc8cab9965f 100644 (file)
@@ -22,6 +22,8 @@
 #ifndef __DEFAULT_LIBRPC_RPCCOMMON_H__
 #define __DEFAULT_LIBRPC_RPCCOMMON_H__
 
+#include "gen_ndr/dcerpc.h"
+
 struct dcerpc_binding_handle;
 struct GUID;
 struct ndr_interface_table;
index 937841c29cc1952bb78d3aa23a301d10392ea47b..373b596d69c67a3463c07477b042c4a493c1caed 100644 (file)
@@ -148,7 +148,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
                return result;
        }
 
-       result = rpccli_setup_netlogon_creds(cli,
+       result = rpccli_setup_netlogon_creds(cli, NCACN_NP,
                                             netlogon_creds,
                                             false, /* force_reauth */
                                             current_nt_hash,
index e70e11a852d7ca95636ad2006ac355d497b03637..be953aea79a7d97ba2a3e91456d3becfbfab2d92 100644 (file)
@@ -983,7 +983,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
                return status;
        }
 
-       status = rpccli_setup_netlogon_creds(cli,
+       status = rpccli_setup_netlogon_creds(cli, NCACN_NP,
                                             netlogon_creds,
                                             true, /* force_reauth */
                                             current_nt_hash,
@@ -1444,7 +1444,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
                return status;
        }
 
-       status = rpccli_setup_netlogon_creds(cli,
+       status = rpccli_setup_netlogon_creds(cli, NCACN_NP,
                                             netlogon_creds,
                                             true, /* force_reauth */
                                             current_nt_hash,
index 7063351ef8a5600c4d5b17a1d798bba8c8c2f2f9..a5ea02cfa8429975a0669d14ba8344696b98bc2a 100644 (file)
@@ -125,6 +125,7 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
 }
 
 NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+                                    enum dcerpc_transport_t transport,
                                     struct netlogon_creds_cli_context *netlogon_creds,
                                     bool force_reauth,
                                     struct samr_Password current_nt_hash,
@@ -155,9 +156,10 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
                TALLOC_FREE(creds);
        }
 
-       status = cli_rpc_pipe_open_noauth(cli,
-                                         &ndr_table_netlogon,
-                                         &netlogon_pipe);
+       status = cli_rpc_pipe_open_noauth_transport(cli,
+                                                   transport,
+                                                   &ndr_table_netlogon,
+                                                   &netlogon_pipe);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
                         __FUNCTION__,
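Review bot: The DEBUG line at L84 still says only "failed to open noauth netlogon connection to %s" although the open now depends on the new `transport` parameter, so a log reader cannot tell a TCP failure from a named-pipe one — and winbindd now tries TCP first and falls back to NCACN_NP on failure, which makes that distinction the thing one wants to see. Consider folding the transport into the message, e.g. appending ` (transport %d)` with `(int)transport` in the argument list; the argument list and the rest of rpccli_setup_netlogon_creds continue outside this hunk, so the exact edit has to be made there. The header comment on the prototype (in cli_netlogon.h) would also benefit from a line stating that `transport` selects the DCERPC transport for the noauth NETLOGON pipe and that callers other than winbindd pass NCACN_NP.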
index fee08016d5d7b18758785ba6508547a1f091dd39..cc4033e0804d5af724f3a3eb0a53141e4b931662 100644 (file)
@@ -27,6 +27,7 @@ struct cli_state;
 struct messaging_context;
 struct netlogon_creds_cli_context;
 struct dcerpc_binding_handle;
+#include "librpc/rpc/rpc_common.h"
 
 /* The following definitions come from rpc_client/cli_netlogon.c  */
 
@@ -39,6 +40,7 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
                                      TALLOC_CTX *mem_ctx,
                                      struct netlogon_creds_cli_context **netlogon_creds);
 NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+                                    enum dcerpc_transport_t transport,
                                     struct netlogon_creds_cli_context *netlogon_creds,
                                     bool force_reauth,
                                     struct samr_Password current_nt_hash,
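Review bot: The new `#include "librpc/rpc/rpc_common.h"` at L91 is placed in the middle of the header's forward declarations (after `struct dcerpc_binding_handle;`) rather than with the header's other includes, which are above this hunk. The include is needed, because the prototype at L98-L102 now names `enum dcerpc_transport_t` and an enum cannot be forward-declared in C11, but it should move up next to the existing `#include` lines so the dependency is visible where readers look for it and the forward-declaration block stays a pure list of incomplete types. Style only; the generated code is unaffected.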
index a8423337cb568c7736901227afea81a42fc131ea..7b53cf08bbba6ba51ca03e936808d65d1859dc0b 100644 (file)
@@ -90,7 +90,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
                return status;
        }
 
-       status = rpccli_setup_netlogon_creds(cli,
+       status = rpccli_setup_netlogon_creds(cli, transport,
                                             netlogon_creds,
                                             false, /* force_reauth */
                                             current_nt_hash,
index 7b190c15e1db389889c809668f7bff241bec11be..a573106d6e1493468179a3a02532cabd34656568 100644 (file)
@@ -805,7 +805,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
                                return ntresult;
                        }
 
-                       ntresult = rpccli_setup_netlogon_creds(cli,
+                       ntresult = rpccli_setup_netlogon_creds(cli, NCACN_NP,
                                                        rpcclient_netlogon_creds,
                                                        false, /* force_reauth */
                                                        current_nt_hash,
index 96c457756282fc6b7ad6e93ad89b0fc686a26acf..24ff1f7f9031d7ea7a71ff3f4cc0f2531d4743eb 100644 (file)
@@ -2947,6 +2947,8 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
                 * we tried twice to connect via ncan_ip_tcp and schannel and
                 * failed - maybe it is a trusted domain we can't connect to ?
                 * do not try tcp next time - gd
+                *
+                * This also prevents NETLOGON over TCP
                 */
                domain->can_do_ncacn_ip_tcp = false;
        }
@@ -2961,8 +2963,9 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
  session key stored in conn->netlogon_pipe->dc->sess_key.
 ****************************************************************************/
 
-NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
-                            struct rpc_pipe_client **cli)
+static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+                                             enum dcerpc_transport_t transport,
+                                             struct rpc_pipe_client **cli)
 {
        struct messaging_context *msg_ctx = winbind_messaging_context();
        struct winbindd_cm_conn *conn;
@@ -3028,7 +3031,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                return result;
        }
 
-       result = rpccli_setup_netlogon_creds(conn->cli,
+       result = rpccli_setup_netlogon_creds(conn->cli, transport,
                                             conn->netlogon_creds,
                                             conn->netlogon_force_reauth,
                                             current_nt_hash,
@@ -3066,9 +3069,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                        invalidate_cm_connection(domain);
                        return result;
                }
-               result = cli_rpc_pipe_open_noauth(conn->cli,
-                                       &ndr_table_netlogon,
-                                       &conn->netlogon_pipe);
+               result = cli_rpc_pipe_open_noauth_transport(conn->cli,
+                                                           transport,
+                                                           &ndr_table_netlogon,
+                                                           &conn->netlogon_pipe);
                if (!NT_STATUS_IS_OK(result)) {
                        invalidate_cm_connection(domain);
                        return result;
@@ -3084,7 +3088,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
        */
 
        result = cli_rpc_pipe_open_schannel_with_key(
-               conn->cli, &ndr_table_netlogon, NCACN_NP,
+               conn->cli, &ndr_table_netlogon, transport,
                domain->name,
                conn->netlogon_creds,
                &conn->netlogon_pipe);
@@ -3100,6 +3104,42 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
        return NT_STATUS_OK;
 }
 
+/****************************************************************************
+Open a LSA connection to a DC, suiteable for LSA lookup calls.
+****************************************************************************/
+
+NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+                            struct rpc_pipe_client **cli)
+{
+       NTSTATUS status;
+
+       if (domain->active_directory && domain->can_do_ncacn_ip_tcp) {
+               status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
+               if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+                   NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
+                   NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
+                       invalidate_cm_connection(domain);
+                       status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
+               }
+               if (NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
+
+               /*
+                * we tried twice to connect via ncan_ip_tcp and schannel and
+                * failed - maybe it is a trusted domain we can't connect to ?
+                * do not try tcp next time - gd
+                *
+                * This also prevents LSA over TCP
+                */
+               domain->can_do_ncacn_ip_tcp = false;
+       }
+
+       status = cm_connect_netlogon_transport(domain, NCACN_NP, cli);
+
+       return status;
+}
+
 void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
                            void *private_data,
                            uint32_t msg_type,
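Review bot: The header comment on the new public `cm_connect_netlogon` wrapper at L181-L183 is copied from cm_connect_lsat and describes the wrong function: it reads "Open a LSA connection to a DC, suiteable for LSA lookup calls." above a function that opens the NETLOGON pipe. Suggest `Open a NETLOGON connection to a DC, trying NCACN_IP_TCP first for AD domains and falling back to NCACN_NP.`, which also documents the transport selection the body performs. The in-body comment at L207 ("This also prevents LSA over TCP") is correct as written, since `domain->can_do_ncacn_ip_tcp` is shared with the LSA path, though "ncan_ip_tcp" at L203 is a typo carried over from the original. One further point worth a line of comment: on NT_STATUS_ACCESS_DENIED / RPC_SEC_PKG_ERROR / NETWORK_ACCESS_DENIED the code at L195-L196 invalidates and retries the same TCP transport once before clearing the flag and falling back to the named pipe, and a reader would appreciate knowing that the second attempt exists to re-establish the schannel credentials after invalidation rather than to try a different transport.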