}
NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+ enum dcerpc_transport_t transport,
struct netlogon_creds_cli_context *netlogon_creds,
bool force_reauth,
struct samr_Password current_nt_hash,
TALLOC_FREE(creds);
}
- status = cli_rpc_pipe_open_noauth(cli,
- &ndr_table_netlogon,
- &netlogon_pipe);
+ status = cli_rpc_pipe_open_noauth_transport(cli,
+ transport,
+ &ndr_table_netlogon,
+ &netlogon_pipe);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
__FUNCTION__,
struct messaging_context;
struct netlogon_creds_cli_context;
struct dcerpc_binding_handle;
+#include "librpc/rpc/rpc_common.h"
/* The following definitions come from rpc_client/cli_netlogon.c */
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context **netlogon_creds);
NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+ enum dcerpc_transport_t transport,
struct netlogon_creds_cli_context *netlogon_creds,
bool force_reauth,
struct samr_Password current_nt_hash,
* we tried twice to connect via ncan_ip_tcp and schannel and
* failed - maybe it is a trusted domain we can't connect to ?
* do not try tcp next time - gd
+ *
+ * This also prevents NETLOGON over TCP
*/
domain->can_do_ncacn_ip_tcp = false;
}
session key stored in conn->netlogon_pipe->dc->sess_key.
****************************************************************************/
-NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
- struct rpc_pipe_client **cli)
+static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+ enum dcerpc_transport_t transport,
+ struct rpc_pipe_client **cli)
{
struct messaging_context *msg_ctx = winbind_messaging_context();
struct winbindd_cm_conn *conn;
return result;
}
- result = rpccli_setup_netlogon_creds(conn->cli,
+ result = rpccli_setup_netlogon_creds(conn->cli, transport,
conn->netlogon_creds,
conn->netlogon_force_reauth,
current_nt_hash,
invalidate_cm_connection(domain);
return result;
}
- result = cli_rpc_pipe_open_noauth(conn->cli,
- &ndr_table_netlogon,
- &conn->netlogon_pipe);
+ result = cli_rpc_pipe_open_noauth_transport(conn->cli,
+ transport,
+ &ndr_table_netlogon,
+ &conn->netlogon_pipe);
if (!NT_STATUS_IS_OK(result)) {
invalidate_cm_connection(domain);
return result;
*/
result = cli_rpc_pipe_open_schannel_with_key(
- conn->cli, &ndr_table_netlogon, NCACN_NP,
+ conn->cli, &ndr_table_netlogon, transport,
domain->name,
conn->netlogon_creds,
&conn->netlogon_pipe);
return NT_STATUS_OK;
}
+/****************************************************************************
+Open a LSA connection to a DC, suiteable for LSA lookup calls.
+****************************************************************************/
+
+NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ struct rpc_pipe_client **cli)
+{
+ NTSTATUS status;
+
+ if (domain->active_directory && domain->can_do_ncacn_ip_tcp) {
+ status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
+ invalidate_cm_connection(domain);
+ status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
+ }
+ if (NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /*
+ * we tried twice to connect via ncan_ip_tcp and schannel and
+ * failed - maybe it is a trusted domain we can't connect to ?
+ * do not try tcp next time - gd
+ *
+ * This also prevents LSA over TCP
+ */
+ domain->can_do_ncacn_ip_tcp = false;
+ }
+
+ status = cm_connect_netlogon_transport(domain, NCACN_NP, cli);
+
+ return status;
+}
+
void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
void *private_data,
uint32_t msg_type,