#include "../libcli/auth/netlogon_creds_cli.h"
#include "passdb.h"
#include "../source4/dsdb/samdb/samdb.h"
+#include "rpc_client/cli_netlogon.h"
+#include "rpc_client/util_netlogon.h"
+#include "libsmb/dsgetdcname.h"
void _wbint_Ping(struct pipes_struct *p, struct wbint_Ping *r)
{
*r->out.out_data = r->in.in_data;
}
-static bool reset_cm_connection_on_error(struct winbindd_domain *domain,
- NTSTATUS status)
+bool reset_cm_connection_on_error(struct winbindd_domain *domain,
+ struct dcerpc_binding_handle *b,
+ NTSTATUS status)
{
- if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
+ invalidate_cm_connection(domain);
+ domain->conn.netlogon_force_reauth = true;
+ return true;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR))
+ {
invalidate_cm_connection(domain);
/* We invalidated the connection. */
return true;
}
+
+ if (b != NULL && !dcerpc_binding_handle_is_connected(b)) {
+ invalidate_cm_connection(domain);
+ return true;
+ }
+
return false;
}
status = wb_cache_sid_to_name(domain, p->mem_ctx, r->in.sid,
&dom_name, &name, &type);
- reset_cm_connection_on_error(domain, status);
+ reset_cm_connection_on_error(domain, NULL, status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
struct winbindd_domain *domain = wb_child_domain();
struct lsa_RefDomainList *domains = r->out.domains;
NTSTATUS status;
+ bool retry = false;
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
* and winbindd_ad call into lsa_lookupsids anyway. Caching is
* done at the wbint RPC layer.
*/
+again:
status = rpc_lookup_sids(p->mem_ctx, domain, r->in.sids,
&domains, &r->out.names);
r->out.domains = domains;
}
- reset_cm_connection_on_error(domain, status);
+ if (!retry && reset_cm_connection_on_error(domain, NULL, status)) {
+ retry = true;
+ goto again;
+ }
+
return status;
}
status = wb_cache_name_to_sid(domain, p->mem_ctx, r->in.domain,
r->in.name, r->in.flags,
r->out.sid, r->out.type);
- reset_cm_connection_on_error(domain, status);
+ reset_cm_connection_on_error(domain, NULL, status);
return status;
}
dom = idmap_find_domain_with_sid(d->name.string, d->sid);
if (dom == NULL) {
+ struct dom_sid_buf buf;
DEBUG(10, ("idmap domain %s:%s not found\n",
- d->name.string, sid_string_dbg(d->sid)));
+ d->name.string,
+ dom_sid_str_buf(d->sid, &buf)));
for (i=0; i<num_ids; i++) {
status = dom->methods->sids_to_unixids(dom, id_map_ptrs);
+ if (NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
+ /*
+ * This is okay. We need to transfer the mapped ones
+ * up to our caller. The individual mappings carry the
+ * information whether they are mapped or not.
+ */
+ status = NT_STATUS_OK;
+ }
+
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("sids_to_unixids returned %s\n",
nt_errstr(status)));
struct id_map *m = id_map_ptrs[i];
if (!idmap_unix_id_is_in_range(m->xid.id, dom)) {
+ DBG_DEBUG("id %"PRIu32" is out of range "
+ "%"PRIu32"-%"PRIu32" for domain %s\n",
+ m->xid.id, dom->low_id, dom->high_id,
+ dom->name);
m->status = ID_UNMAPPED;
}
maps[i]->xid = r->in.xids[i];
}
- status = idmap_backend_unixids_to_sids(maps, r->in.domain_name);
+ status = idmap_backend_unixids_to_sids(maps, r->in.domain_name,
+ r->in.domain_sid);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(maps);
return status;
r->in.sids->sids,
&r->out.rids->num_rids,
&r->out.rids->rids);
- reset_cm_connection_on_error(domain, status);
+ reset_cm_connection_on_error(domain, NULL, status);
return status;
}
status = wb_cache_lookup_usergroups(domain, p->mem_ctx, r->in.sid,
&r->out.sids->num_sids,
&r->out.sids->sids);
- reset_cm_connection_on_error(domain, status);
+ reset_cm_connection_on_error(domain, NULL, status);
return status;
}
}
status = wb_cache_sequence_number(domain, r->out.sequence);
- reset_cm_connection_on_error(domain, status);
+ reset_cm_connection_on_error(domain, NULL, status);
return status;
}
status = wb_cache_lookup_groupmem(domain, p->mem_ctx, r->in.sid,
r->in.type, &num_names, &sid_mem,
&names, &name_types);
- reset_cm_connection_on_error(domain, status);
+ reset_cm_connection_on_error(domain, NULL, status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_OK;
}
-NTSTATUS _wbint_QueryUserList(struct pipes_struct *p,
- struct wbint_QueryUserList *r)
-{
- struct winbindd_domain *domain = wb_child_domain();
- NTSTATUS status;
-
- if (domain == NULL) {
- return NT_STATUS_REQUEST_NOT_ACCEPTED;
- }
-
- status = wb_cache_query_user_list(domain, p->mem_ctx,
- &r->out.users->num_userinfos,
- &r->out.users->userinfos);
- reset_cm_connection_on_error(domain, status);
- return status;
-}
-
NTSTATUS _wbint_QueryGroupList(struct pipes_struct *p,
struct wbint_QueryGroupList *r)
{
+ TALLOC_CTX *frame = NULL;
struct winbindd_domain *domain = wb_child_domain();
uint32_t i;
uint32_t num_local_groups = 0;
uint32_t ti = 0;
uint64_t num_total = 0;
struct wbint_Principal *result;
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
bool include_local_groups = false;
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
+ frame = talloc_stackframe();
+
switch (lp_server_role()) {
case ROLE_ACTIVE_DIRECTORY_DC:
if (domain->internal) {
}
if (include_local_groups) {
- status = wb_cache_enum_local_groups(domain, talloc_tos(),
+ status = wb_cache_enum_local_groups(domain, frame,
&num_local_groups,
&local_groups);
- reset_cm_connection_on_error(domain, status);
+ reset_cm_connection_on_error(domain, NULL, status);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ goto out;
}
}
- status = wb_cache_enum_dom_groups(domain, talloc_tos(),
+ status = wb_cache_enum_dom_groups(domain, frame,
&num_dom_groups,
&dom_groups);
- reset_cm_connection_on_error(domain, status);
+ reset_cm_connection_on_error(domain, NULL, status);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ goto out;
}
num_total = num_local_groups + num_dom_groups;
if (num_total > UINT32_MAX) {
- return NT_STATUS_INTERNAL_ERROR;
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto out;
}
- result = talloc_array(r->out.groups, struct wbint_Principal,
- num_total);
+ result = talloc_array(frame, struct wbint_Principal, num_total);
if (result == NULL) {
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
}
for (i = 0; i < num_local_groups; i++) {
rg->type = SID_NAME_ALIAS;
rg->name = talloc_strdup(result, lg->acct_name);
if (rg->name == NULL) {
- TALLOC_FREE(result);
- TALLOC_FREE(dom_groups);
- TALLOC_FREE(local_groups);
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
}
}
num_local_groups = 0;
- TALLOC_FREE(local_groups);
for (i = 0; i < num_dom_groups; i++) {
struct wb_acct_info *dg = &dom_groups[i];
rg->type = SID_NAME_DOM_GRP;
rg->name = talloc_strdup(result, dg->acct_name);
if (rg->name == NULL) {
- TALLOC_FREE(result);
- TALLOC_FREE(dom_groups);
- TALLOC_FREE(local_groups);
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
}
}
num_dom_groups = 0;
- TALLOC_FREE(dom_groups);
r->out.groups->num_principals = ti;
- r->out.groups->principals = result;
+ r->out.groups->principals = talloc_move(r->out.groups, &result);
- return NT_STATUS_OK;
+ status = NT_STATUS_OK;
+out:
+ TALLOC_FREE(frame);
+ return status;
}
NTSTATUS _wbint_QueryUserRidList(struct pipes_struct *p,
struct wbint_QueryUserRidList *r)
{
struct winbindd_domain *domain = wb_child_domain();
- uint32_t i, num_userinfos;
- struct wbint_userinfo *userinfos;
NTSTATUS status;
if (domain == NULL) {
*/
status = wb_cache_query_user_list(domain, p->mem_ctx,
- &num_userinfos, &userinfos);
- reset_cm_connection_on_error(domain, status);
+ &r->out.rids->rids);
+ reset_cm_connection_on_error(domain, NULL, status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- r->out.rids->rids = talloc_array(r->out.rids, uint32_t, num_userinfos);
- if (r->out.rids->rids == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- for (i=0; i<num_userinfos; i++) {
- struct wbint_userinfo *info = &userinfos[i];
+ r->out.rids->num_rids = talloc_array_length(r->out.rids->rids);
- if (!dom_sid_in_domain(&domain->sid, &info->user_sid)) {
- fstring sidstr, domstr;
- DBG_WARNING("Got sid %s in domain %s\n",
- sid_to_fstring(sidstr, &info->user_sid),
- sid_to_fstring(domstr, &domain->sid));
- continue;
- }
- sid_split_rid(&info->user_sid,
- &r->out.rids->rids[r->out.rids->num_rids++]);
- }
-
- return status;
+ return NT_STATUS_OK;
}
NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName *r)
WERROR werr;
unsigned int orig_timeout;
struct dcerpc_binding_handle *b;
+ bool retry = false;
+ bool try_dsrgetdcname = false;
if (domain == NULL) {
- return dsgetdcname(p->mem_ctx, winbind_messaging_context(),
+ return dsgetdcname(p->mem_ctx, global_messaging_context(),
r->in.domain_name, r->in.domain_guid,
r->in.site_name ? r->in.site_name : "",
r->in.flags,
r->out.dc_info);
}
+ if (domain->active_directory) {
+ try_dsrgetdcname = true;
+ }
+
+reconnect:
status = cm_connect_netlogon(domain, &netlogon_pipe);
- reset_cm_connection_on_error(domain, status);
+ reset_cm_connection_on_error(domain, NULL, status);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Can't contact the NETLOGON pipe\n"));
return status;
orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
- if (domain->active_directory) {
+ if (try_dsrgetdcname) {
status = dcerpc_netr_DsRGetDCName(b,
p->mem_ctx, domain->dcname,
r->in.domain_name, NULL, r->in.domain_guid,
if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) {
goto done;
}
- if (reset_cm_connection_on_error(domain, status)) {
- /* Re-initialize. */
- status = cm_connect_netlogon(domain, &netlogon_pipe);
-
- reset_cm_connection_on_error(domain, status);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Can't contact the NETLOGON pipe\n"));
- return status;
- }
-
- b = netlogon_pipe->binding_handle;
-
- /* This call can take a long time - allow the server to time out.
- 35 seconds should do it. */
-
- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
+ if (!retry &&
+ reset_cm_connection_on_error(domain, NULL, status))
+ {
+ retry = true;
+ goto reconnect;
}
+ try_dsrgetdcname = false;
+ retry = false;
}
/*
r->in.domain_name, &dc_info->dc_unc, &werr);
}
- reset_cm_connection_on_error(domain, status);
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
+ retry = true;
+ goto reconnect;
+ }
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n",
nt_errstr(status)));
enum lsa_SidType *types;
struct wbint_Principal *result;
NTSTATUS status;
- int i;
+ uint32_t i;
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
status = wb_cache_rids_to_names(domain, talloc_tos(), r->in.domain_sid,
r->in.rids->rids, r->in.rids->num_rids,
&domain_name, &names, &types);
- reset_cm_connection_on_error(domain, status);
+ reset_cm_connection_on_error(domain, NULL, status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
domain->conn.netlogon_force_reauth = true;
{
- struct rpc_pipe_client *netlogon_pipe;
- status = cm_connect_netlogon(domain, &netlogon_pipe);
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
}
/* There is a race condition between fetching the trust account
NTSTATUS _wbint_ChangeMachineAccount(struct pipes_struct *p,
struct wbint_ChangeMachineAccount *r)
{
- struct messaging_context *msg_ctx = winbind_messaging_context();
+ struct messaging_context *msg_ctx = global_messaging_context();
struct winbindd_domain *domain;
NTSTATUS status;
- struct rpc_pipe_client *netlogon_pipe;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
domain = wb_child_domain();
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- status = cm_connect_netlogon(domain, &netlogon_pipe);
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
goto done;
}
- status = trust_pw_change(domain->conn.netlogon_creds,
+ status = trust_pw_change(netlogon_creds_ctx,
msg_ctx,
netlogon_pipe->binding_handle,
domain->name,
+ domain->dcname,
true); /* force */
/* Pass back result code - zero for success, other values for
reconnect:
status = cm_connect_netlogon(domain, &netlogon_pipe);
- reset_cm_connection_on_error(domain, status);
+ reset_cm_connection_on_error(domain, NULL, status);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n",
nt_errstr(status)));
logon_server, NETLOGON_CONTROL_QUERY,
2, &info, &werr);
- if (!dcerpc_binding_handle_is_connected(b) && !retry) {
- DEBUG(10, ("Session might have expired. "
- "Reconnect and retry once.\n"));
- invalidate_cm_connection(domain);
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
retry = true;
goto reconnect;
}
- reset_cm_connection_on_error(domain, status);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("dcerpc_netr_LogonControl failed: %s\n",
nt_errstr(status)));
{
struct winbindd_domain *domain;
NTSTATUS status;
- struct rpc_pipe_client *netlogon_pipe;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ struct dcerpc_binding_handle *b = NULL;
+ bool retry = false;
domain = wb_child_domain();
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- status = cm_connect_netlogon(domain, &netlogon_pipe);
+reconnect:
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
goto done;
}
- status = netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords(domain->conn.netlogon_creds,
+ b = netlogon_pipe->binding_handle;
+
+ status = netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords(netlogon_creds_ctx,
netlogon_pipe->binding_handle,
r->in.site_name,
r->in.dns_ttl,
r->in.dns_names);
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
+ retry = true;
+ goto reconnect;
+ }
+
/* Pass back result code - zero for success, other values for
specific failures. */
{
struct winbindd_domain *domain;
NTSTATUS status;
+ struct netr_IdentityInfo *identity_info = NULL;
+ const uint8_t chal_zero[8] = {0, };
+ const uint8_t *challenge = chal_zero;
DATA_BLOB lm_response, nt_response;
+ uint32_t flags = 0;
+ uint16_t validation_level;
+ union netr_Validation *validation = NULL;
+ bool interactive = false;
+
domain = wb_child_domain();
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- /* TODO: Handle interactive logons here */
- if (r->in.validation_level != 3 ||
- r->in.logon.network == NULL ||
- (r->in.logon_level != NetlogonNetworkInformation
- && r->in.logon_level != NetlogonNetworkTransitiveInformation)) {
+ switch (r->in.validation_level) {
+ case 3:
+ case 6:
+ break;
+ default:
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
+ switch (r->in.logon_level) {
+ case NetlogonInteractiveInformation:
+ case NetlogonServiceInformation:
+ case NetlogonInteractiveTransitiveInformation:
+ case NetlogonServiceTransitiveInformation:
+ if (r->in.logon.password == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ interactive = true;
+ identity_info = &r->in.logon.password->identity_info;
+
+ challenge = chal_zero;
+ lm_response = data_blob_talloc(p->mem_ctx,
+ r->in.logon.password->lmpassword.hash,
+ sizeof(r->in.logon.password->lmpassword.hash));
+ nt_response = data_blob_talloc(p->mem_ctx,
+ r->in.logon.password->ntpassword.hash,
+ sizeof(r->in.logon.password->ntpassword.hash));
+ break;
+
+ case NetlogonNetworkInformation:
+ case NetlogonNetworkTransitiveInformation:
+ if (r->in.logon.network == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ interactive = false;
+ identity_info = &r->in.logon.network->identity_info;
+
+ challenge = r->in.logon.network->challenge;
+ lm_response = data_blob_talloc(p->mem_ctx,
+ r->in.logon.network->lm.data,
+ r->in.logon.network->lm.length);
+ nt_response = data_blob_talloc(p->mem_ctx,
+ r->in.logon.network->nt.data,
+ r->in.logon.network->nt.length);
+ break;
+
+ case NetlogonGenericInformation:
+ if (r->in.logon.generic == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ identity_info = &r->in.logon.generic->identity_info;
+ /*
+ * Not implemented here...
+ */
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
- lm_response = data_blob_talloc(p->mem_ctx, r->in.logon.network->lm.data, r->in.logon.network->lm.length);
- nt_response = data_blob_talloc(p->mem_ctx, r->in.logon.network->nt.data, r->in.logon.network->nt.length);
+ default:
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
status = winbind_dual_SamLogon(domain, p->mem_ctx,
- r->in.logon.network->identity_info.parameter_control,
- r->in.logon.network->identity_info.account_name.string,
- r->in.logon.network->identity_info.domain_name.string,
- r->in.logon.network->identity_info.workstation.string,
- r->in.logon.network->challenge,
- lm_response, nt_response, &r->out.validation.sam3);
- return status;
+ interactive,
+ identity_info->parameter_control,
+ identity_info->account_name.string,
+ identity_info->domain_name.string,
+ identity_info->workstation.string,
+ challenge,
+ lm_response, nt_response,
+ &r->out.authoritative,
+ true, /* skip_sam */
+ &flags,
+ &validation_level,
+ &validation);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ switch (r->in.validation_level) {
+ case 3:
+ status = map_validation_to_info3(p->mem_ctx,
+ validation_level,
+ validation,
+ &r->out.validation.sam3);
+ TALLOC_FREE(validation);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ return NT_STATUS_OK;
+ case 6:
+ status = map_validation_to_info6(p->mem_ctx,
+ validation_level,
+ validation,
+ &r->out.validation.sam6);
+ TALLOC_FREE(validation);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ return NT_STATUS_OK;
+ }
+
+ smb_panic(__location__);
+ return NT_STATUS_INTERNAL_ERROR;
}
static WERROR _winbind_LogonControl_REDISCOVER(struct pipes_struct *p,
{
NTSTATUS status;
struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
struct netr_NETLOGON_INFO_2 *info2 = NULL;
WERROR check_result = WERR_INTERNAL_ERROR;
*/
invalidate_cm_connection(domain);
domain->conn.netlogon_force_reauth = true;
- status = cm_connect_netlogon(domain, &netlogon_pipe);
- reset_cm_connection_on_error(domain, status);
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
status = NT_STATUS_NO_LOGON_SERVERS;
}
{
NTSTATUS status;
struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
struct netr_NETLOGON_INFO_2 *info2 = NULL;
WERROR check_result = WERR_INTERNAL_ERROR;
goto check_return;
}
- status = cm_connect_netlogon(domain, &netlogon_pipe);
- reset_cm_connection_on_error(domain, status);
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
status = NT_STATUS_NO_LOGON_SERVERS;
}
struct policy_handle local_lsa_policy = {};
struct dcerpc_binding_handle *local_lsa = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
struct cli_credentials *creds = NULL;
struct samr_Password *cur_nt_hash = NULL;
uint32_t trust_attributes = 0;
}
reconnect:
- status = cm_connect_netlogon(domain, &netlogon_pipe);
- reset_cm_connection_on_error(domain, status);
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
status = NT_STATUS_NO_LOGON_SERVERS;
}
}
if (fetch_fti) {
- status = netlogon_creds_cli_GetForestTrustInformation(domain->conn.netlogon_creds,
+ status = netlogon_creds_cli_GetForestTrustInformation(netlogon_creds_ctx,
b, frame,
&new_fti);
if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
status = NT_STATUS_OK;
}
if (!NT_STATUS_IS_OK(status)) {
- if (!retry && dcerpc_binding_handle_is_connected(b)) {
- invalidate_cm_connection(domain);
+ if (!retry &&
+ reset_cm_connection_on_error(domain, b, status))
+ {
retry = true;
goto reconnect;
}
}
}
- status = netlogon_creds_cli_ServerGetTrustInfo(domain->conn.netlogon_creds,
+ status = netlogon_creds_cli_ServerGetTrustInfo(netlogon_creds_ctx,
b, frame,
&new_owf_password,
&old_owf_password,
goto verify_return;
}
if (!NT_STATUS_IS_OK(status)) {
- if (!retry && dcerpc_binding_handle_is_connected(b)) {
- invalidate_cm_connection(domain);
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
retry = true;
goto reconnect;
}
struct winbindd_domain *domain,
struct winbind_LogonControl *r)
{
- struct messaging_context *msg_ctx = winbind_messaging_context();
+ struct messaging_context *msg_ctx = global_messaging_context();
NTSTATUS status;
- struct rpc_pipe_client *netlogon_pipe;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
struct cli_credentials *creds = NULL;
struct samr_Password *cur_nt_hash = NULL;
struct netr_NETLOGON_INFO_1 *info1 = NULL;
}
reconnect:
- status = cm_connect_netlogon(domain, &netlogon_pipe);
- reset_cm_connection_on_error(domain, status);
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
status = NT_STATUS_NO_LOGON_SERVERS;
}
}
TALLOC_FREE(cur_nt_hash);
- status = trust_pw_change(domain->conn.netlogon_creds,
+ status = trust_pw_change(netlogon_creds_ctx,
msg_ctx, b, domain->name,
+ domain->dcname,
true); /* force */
if (!NT_STATUS_IS_OK(status)) {
- if (!retry && dcerpc_binding_handle_is_connected(b)) {
- invalidate_cm_connection(domain);
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
retry = true;
goto reconnect;
}
TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status, result;
struct winbindd_domain *domain;
- struct rpc_pipe_client *netlogon_pipe;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
struct dcerpc_binding_handle *b;
bool retry = false;
struct lsa_String trusted_domain_name = {};
}
reconnect:
- status = cm_connect_netlogon(domain, &netlogon_pipe);
- reset_cm_connection_on_error(domain, status);
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
status = NT_STATUS_NO_LOGON_SERVERS;
}
}
b = netlogon_pipe->binding_handle;
- status = netlogon_creds_cli_GetForestTrustInformation(domain->conn.netlogon_creds,
+ status = netlogon_creds_cli_GetForestTrustInformation(netlogon_creds_ctx,
b, p->mem_ctx,
&new_fti);
if (!NT_STATUS_IS_OK(status)) {
- if (!retry && dcerpc_binding_handle_is_connected(b)) {
- invalidate_cm_connection(domain);
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
retry = true;
goto reconnect;
}
TALLOC_FREE(frame);
return WERR_OK;
}
+
+NTSTATUS _winbind_SendToSam(struct pipes_struct *p, struct winbind_SendToSam *r)
+{
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ struct dcerpc_binding_handle *b = NULL;
+ bool retry = false;
+
+ DEBUG(5, ("_winbind_SendToSam received\n"));
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+reconnect:
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+ return status;
+ }
+
+ b = netlogon_pipe->binding_handle;
+
+ status = netlogon_creds_cli_SendToSam(netlogon_creds_ctx,
+ b,
+ &r->in.message);
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
+ retry = true;
+ goto reconnect;
+ }
+
+ return status;
+}