/* Leave messages blocked - we will never process one. */
- /* tdb needs special fork handling */
- if (tdb_reopen_all(1) == -1) {
- DEBUG(0,("tdb_reopen_all failed.\n"));
+ if (!reinit_after_fork(winbind_messaging_context(), true)) {
+ DEBUG(0,("reinit_after_fork() failed\n"));
_exit(0);
}
/* This call can take a long time - allow the server to time out.
35 seconds should do it. */
- orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000);
+ orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
if (our_domain->active_directory) {
struct netr_DsRGetDCNameInfo *domain_info = NULL;
}
/* And restore our original timeout. */
- cli_set_timeout(netlogon_pipe->cli, orig_timeout);
+ rpccli_set_timeout(netlogon_pipe, orig_timeout);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
}
/* rpccli_netr_GetAnyDCName gives us a name with \\ */
- p = tmp;
- if (*p == '\\') {
- p+=1;
- }
- if (*p == '\\') {
- p+=1;
- }
+ p = strip_hostname(tmp);
fstrcpy(dcname, p);
return NT_STATUS_NO_MEMORY;
}
- /* this is at least correct when domain is our domain,
- * which is the only case, when this is currently used: */
+ /* For now assume our machine account only exists in our domain */
+
if (machine_krb5_principal != NULL)
{
+ struct winbindd_domain *our_domain = find_our_domain();
+
+ if (!our_domain) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
if (asprintf(machine_krb5_principal, "%s$@%s",
- account_name, domain->alt_name) == -1)
+ account_name, our_domain->alt_name) == -1)
{
return NT_STATUS_NO_MEMORY;
}
goto done;
}
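Review bot: The new `our_domain` lookup is NULL-checked, but `our_domain->alt_name` is then passed straight to `asprintf` as a `%s` argument; if the primary domain is not an AD domain and `alt_name` can be NULL here (not visible in this hunk), that is undefined behaviour in printf rather than a clean error. A guard next to the existing one, `if (our_domain->alt_name == NULL) { return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; }`, would make the "assume our machine account only exists in our domain" comment a checked assumption instead of a silent one. The enclosing function starts outside the hunk, so whether a caller already filters this case cannot be confirmed from here.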
- if (!is_trusted_domain_situation(domain->name) &&
+ if (!is_dc_trusted_domain_situation(domain->name) &&
(*cli)->protocol >= PROTOCOL_NT1 &&
(*cli)->capabilities & CAP_EXTENDED_SECURITY)
{
(*cli)->use_kerberos = True;
DEBUG(5, ("connecting to %s from %s with kerberos principal "
- "[%s]\n", controller, global_myname(),
- machine_krb5_principal));
+ "[%s] and realm [%s]\n", controller, global_myname(),
+ machine_krb5_principal, domain->alt_name));
winbindd_set_locator_kdc_envs(domain);
ads_status = cli_session_setup_spnego(*cli,
machine_krb5_principal,
- machine_password,
+ machine_password,
+ lp_workgroup(),
domain->name);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(5, ("connecting to %s from %s with username "
"[%s]\\[%s]\n", controller, global_myname(),
- domain->name, machine_account));
+ lp_workgroup(), machine_account));
ads_status = cli_session_setup_spnego(*cli,
machine_account,
machine_password,
- domain->name);
+ lp_workgroup(),
+ NULL);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4, ("authenticated session setup failed with %s\n",
ads_errstr(ads_status)));
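Review bot: The NTLM fallback `cli_session_setup_spnego(*cli, machine_account, machine_password, lp_workgroup(), NULL)` runs with `(*cli)->use_kerberos` still set to True by the line before the first attempt, so if cli_session_setup_spnego consults that flag (not visible here) the second call may retry Kerberos instead of NTLMSSP. Either reset it with `(*cli)->use_kerberos = False;` before the fallback, or add a comment stating that the flag is intentionally left set because the realm argument being NULL is what selects the mechanism. The enclosing function starts and ends outside the hunk.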
convert an ip to a name
*******************************************************************/
-static bool dcip_to_name(const struct winbindd_domain *domain,
+static bool dcip_to_name(TALLOC_CTX *mem_ctx,
+ const struct winbindd_domain *domain,
struct sockaddr_storage *pss,
fstring name )
{
struct ip_service ip_list;
+ uint32_t nt_version = NETLOGON_VERSION_1;
ip_list.ss = *pss;
ip_list.port = 0;
if (lp_security() == SEC_ADS) {
ADS_STRUCT *ads;
+ ADS_STATUS ads_status;
char addr[INET6_ADDRSTRLEN];
print_sockaddr(addr, sizeof(addr), pss);
- ads = ads_init(domain->alt_name, domain->name, NULL);
+ ads = ads_init(domain->alt_name, domain->name, addr);
ads->auth.flags |= ADS_AUTH_NO_BIND;
- if (ads_try_connect(ads, addr)) {
+ ads_status = ads_connect(ads);
+ if (ADS_ERR_OK(ads_status)) {
/* We got a cldap packet. */
fstrcpy(name, ads->config.ldap_server_name);
namecache_store(name, 0x20, 1, &ip_list);
DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
- if (domain->primary && (ads->config.flags & ADS_KDC)) {
+ if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
if (ads_closest_dc(ads)) {
char *sitename = sitename_fetch(ads->config.realm);
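Review bot: `ads = ads_init(domain->alt_name, domain->name, addr);` is dereferenced on the next line (`ads->auth.flags |= ADS_AUTH_NO_BIND;`) without a NULL check, so an allocation failure in ads_init becomes a crash in the CLDAP probe path. Add `if (ads == NULL) { return False; }` between the two lines. The visible part of the hunk also never releases `ads` after `ads_connect` fails or succeeds; the function continues past the hunk, so the release may well be there, but it is worth confirming that both the `ADS_ERR_OK` and error branches reach it.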
/* try GETDC requests next */
- if (send_getdc_request(winbind_messaging_context(),
- pss, domain->name, &domain->sid)) {
+ if (send_getdc_request(mem_ctx, winbind_messaging_context(),
+ pss, domain->name, &domain->sid,
+ nt_version)) {
+ const char *dc_name = NULL;
int i;
smb_msleep(100);
for (i=0; i<5; i++) {
- if (receive_getdc_response(pss, domain->name, name)) {
+ if (receive_getdc_response(mem_ctx, pss, domain->name,
+ &nt_version,
+ &dc_name, NULL)) {
+ fstrcpy(name, dc_name);
namecache_store(name, 0x20, 1, &ip_list);
return True;
}
int i, fd_index;
+ *fd = -1;
+
again:
if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
return False;
}
/* Try to figure out the name */
- if (dcip_to_name(domain, pss, dcname)) {
+ if (dcip_to_name(mem_ctx, domain, pss, dcname)) {
return True;
}
/* We can not continue without the DC's name */
winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
NT_STATUS_UNSUCCESSFUL);
+
+ /* Throw away all arrays as we're doing this again. */
+ TALLOC_FREE(dcs);
+ num_dcs = 0;
+
+ TALLOC_FREE(dcnames);
+ num_dcnames = 0;
+
+ TALLOC_FREE(addrs);
+ num_addrs = 0;
+
+ *fd = -1;
+
goto again;
}
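Review bot: The `goto again` at the end of the hunk still has no iteration cap; the added TALLOC_FREE calls fix the per-retry leak, but termination now depends entirely on `winbind_add_failed_connection_entry` causing the next `get_dcs` to omit the DC just marked, which is not visible in this hunk. A bounded counter makes the loop's liveness explicit: declare `int retries = 0;` next to `int i, fd_index;` and guard the jump with `if (++retries > 5) { return False; }` (5 is a constructed sample limit). If get_dcs is guaranteed to shrink on each retry, a one-line comment saying so at the `again:` label would serve the same purpose.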
AI_NUMERICHOST)) {
return NT_STATUS_UNSUCCESSFUL;
}
- if (dcip_to_name( domain, &ss, saf_name )) {
+ if (dcip_to_name(mem_ctx, domain, &ss, saf_name )) {
fstrcpy( domain->dcname, saf_name );
} else {
winbind_add_failed_connection_entry(
}
if (conn->samr_pipe != NULL) {
- if (!cli_rpc_pipe_close(conn->samr_pipe)) {
- /* Ok, it must be dead. Drop timeout to 0.5 sec. */
- if (conn->cli) {
- cli_set_timeout(conn->cli, 500);
- }
+ TALLOC_FREE(conn->samr_pipe);
+ /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 500);
}
- conn->samr_pipe = NULL;
}
if (conn->lsa_pipe != NULL) {
- if (!cli_rpc_pipe_close(conn->lsa_pipe)) {
- /* Ok, it must be dead. Drop timeout to 0.5 sec. */
- if (conn->cli) {
- cli_set_timeout(conn->cli, 500);
- }
+ TALLOC_FREE(conn->lsa_pipe);
+ /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 500);
}
- conn->lsa_pipe = NULL;
}
if (conn->netlogon_pipe != NULL) {
- if (!cli_rpc_pipe_close(conn->netlogon_pipe)) {
- /* Ok, it must be dead. Drop timeout to 0.5 sec. */
- if (conn->cli) {
- cli_set_timeout(conn->cli, 500);
- }
+ TALLOC_FREE(conn->netlogon_pipe);
+ /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 500);
}
- conn->netlogon_pipe = NULL;
}
if (conn->cli) {
}
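Review bot: The comment `/* Ok, it must be dead. Drop timeout to 0.5 sec. */` is now stale in all three pipe teardown blocks (samr_pipe, lsa_pipe, netlogon_pipe): the old code only dropped the timeout when `cli_rpc_pipe_close` reported failure, whereas `TALLOC_FREE` cannot fail, so the 500 ms timeout is now applied on every close. If the unconditional drop is intended, replace the comment with `/* TALLOC_FREE cannot report a dead pipe, so the 0.5 sec timeout is now applied on every close. */`; if it is not, the `cli_set_timeout(conn->cli, 500)` calls should be removed rather than left looking conditional. The three copies are byte-identical apart from the field name, so a small static helper taking the pipe pointer and `conn->cli` would keep them from drifting.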
result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
- cli->cli->desthost,
+ cli->desthost,
flags,
&trusts,
NULL);
DS_ROLE_BASIC_INFORMATION,
&info,
&werr);
- cli_rpc_pipe_close(cli);
+ TALLOC_FREE(cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
"PI_LSARPC on domain %s: (%s)\n",
domain->name, nt_errstr(result)));
- cli_rpc_pipe_close(cli);
+ TALLOC_FREE(cli);
TALLOC_FREE(mem_ctx);
return;
}
DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
domain->name, domain->active_directory ? "" : "NOT "));
- cli_rpc_pipe_close(cli);
+ TALLOC_FREE(cli);
TALLOC_FREE(mem_ctx);
domain_name, machine_account));
result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
- conn->samr_pipe->cli->desthost,
+ conn->samr_pipe->desthost,
SEC_RIGHTS_MAXIMUM_ALLOWED,
&conn->sam_connect_handle);
if (NT_STATUS_IS_OK(result)) {
DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_Connect2 "
"failed for domain %s, error was %s. Trying schannel\n",
domain->name, nt_errstr(result) ));
- cli_rpc_pipe_close(conn->samr_pipe);
+ TALLOC_FREE(conn->samr_pipe);
schannel:
"schannel.\n", domain->name ));
result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
- conn->samr_pipe->cli->desthost,
+ conn->samr_pipe->desthost,
SEC_RIGHTS_MAXIMUM_ALLOWED,
&conn->sam_connect_handle);
if (NT_STATUS_IS_OK(result)) {
DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_Connect2 failed "
"for domain %s, error was %s. Trying anonymous\n",
domain->name, nt_errstr(result) ));
- cli_rpc_pipe_close(conn->samr_pipe);
+ TALLOC_FREE(conn->samr_pipe);
anonymous:
}
result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
- conn->samr_pipe->cli->desthost,
+ conn->samr_pipe->desthost,
SEC_RIGHTS_MAXIMUM_ALLOWED,
&conn->sam_connect_handle);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
"schannel\n"));
- cli_rpc_pipe_close(conn->lsa_pipe);
+ TALLOC_FREE(conn->lsa_pipe);
schannel:
DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
"anonymous\n"));
- cli_rpc_pipe_close(conn->lsa_pipe);
+ TALLOC_FREE(conn->lsa_pipe);
anonymous:
if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
&sec_chan_type))
{
- cli_rpc_pipe_close(netlogon_pipe);
+ TALLOC_FREE(netlogon_pipe);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
&neg_flags);
if (!NT_STATUS_IS_OK(result)) {
- cli_rpc_pipe_close(netlogon_pipe);
+ TALLOC_FREE(netlogon_pipe);
return result;
}
if ((lp_client_schannel() == True) &&
((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
DEBUG(3, ("Server did not offer schannel\n"));
- cli_rpc_pipe_close(netlogon_pipe);
+ TALLOC_FREE(netlogon_pipe);
return NT_STATUS_ACCESS_DENIED;
}
&result);
/* We can now close the initial netlogon pipe. */
- cli_rpc_pipe_close(netlogon_pipe);
+ TALLOC_FREE(netlogon_pipe);
if (conn->netlogon_pipe == NULL) {
DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "