s3:winbindd_cm: close sockfd on error in cm_prepare_connection()
index c1557bd8c40fd5cea7084d7213d0b3c6ed4f96cb..cfb11039fb0a52ad23e71a9a97ab52aea8567f21 100644 (file)
 #include "winbindd.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
+#include "rpc_client/cli_pipe.h"
 #include "rpc_client/cli_netlogon.h"
-#include "../librpc/gen_ndr/cli_samr.h"
-#include "../librpc/gen_ndr/cli_lsa.h"
+#include "../librpc/gen_ndr/ndr_samr_c.h"
+#include "../librpc/gen_ndr/ndr_lsa_c.h"
 #include "rpc_client/cli_lsarpc.h"
 #include "../librpc/gen_ndr/ndr_dssetup_c.h"
 #include "libads/sitename_cache.h"
-#include "librpc/gen_ndr/messaging.h"
+#include "libsmb/libsmb.h"
 #include "libsmb/clidgram.h"
 #include "ads.h"
 #include "secrets.h"
 #include "../libcli/security/security.h"
+#include "passdb.h"
+#include "messages.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
@@ -186,6 +189,7 @@ static bool fork_child_dc_connect(struct winbindd_domain *domain)
        TALLOC_CTX *mem_ctx = NULL;
        pid_t parent_pid = sys_getpid();
        char *lfile = NULL;
+       NTSTATUS status;
 
        if (domain->dc_probe_pid != (pid_t)-1) {
                /*
@@ -230,7 +234,10 @@ static bool fork_child_dc_connect(struct winbindd_domain *domain)
                }
        }
 
-       if (!winbindd_reinit_after_fork(lfile)) {
+       status = winbindd_reinit_after_fork(NULL, lfile);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("winbindd_reinit_after_fork failed: %s\n",
+                         nt_errstr(status)));
                messaging_send_buf(winbind_messaging_context(),
                                   pid_to_procid(parent_pid),
                                   MSG_WINBIND_FAILED_TO_GO_ONLINE,
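Review bot: The first argument to `winbindd_reinit_after_fork` at L40 is a bare `NULL` with nothing telling the reader what is being opted out of, and the function itself is not in this diff. A one-line comment on that call would save the next person a lookup, e.g. `/* NULL: no per-child context needed for a DC probe — confirm against winbindd_reinit_after_fork() */`, worded as an assumption until the callee's contract has been checked. The failure path now logs the NTSTATUS before signalling the parent, which is fine; the rest of `fork_child_dc_connect` continues outside this hunk.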
@@ -780,17 +787,13 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
        char *ipc_username = NULL;
        char *ipc_domain = NULL;
        char *ipc_password = NULL;
+       int flags = 0;
+       uint16_t sec_mode = 0;
 
        struct named_mutex *mutex;
 
        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 
-       struct sockaddr peeraddr;
-       socklen_t peeraddr_len;
-
-       struct sockaddr_in *peeraddr_in =
-               (struct sockaddr_in *)(void *)&peeraddr;
-
        DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
                controller, domain->name ));
 
@@ -799,55 +802,28 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
        mutex = grab_named_mutex(talloc_tos(), controller,
                                 WINBIND_SERVER_MUTEX_WAIT_TIME);
        if (mutex == NULL) {
+               close(sockfd);
                DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
                         controller));
                result = NT_STATUS_POSSIBLE_DEADLOCK;
                goto done;
        }
 
-       if ((*cli = cli_initialise()) == NULL) {
+       flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
+
+       *cli = cli_state_create(NULL, sockfd,
+                               controller, domain->alt_name,
+                               SMB_SIGNING_DEFAULT, flags);
+       if (*cli == NULL) {
+               close(sockfd);
                DEBUG(1, ("Could not cli_initialize\n"));
                result = NT_STATUS_NO_MEMORY;
                goto done;
        }
 
-       (*cli)->timeout = 10000;        /* 10 seconds */
-       (*cli)->fd = sockfd;
-       fstrcpy((*cli)->desthost, controller);
-       (*cli)->use_kerberos = True;
-
-       peeraddr_len = sizeof(peeraddr);
-
-       if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0)) {
-               DEBUG(0,("cm_prepare_connection: getpeername failed with: %s\n",
-                       strerror(errno)));
-               result = NT_STATUS_UNSUCCESSFUL;
-               goto done;
-       }
-
-       if ((peeraddr_len != sizeof(struct sockaddr_in))
-#ifdef HAVE_IPV6
-           && (peeraddr_len != sizeof(struct sockaddr_in6))
-#endif
-           ) {
-               DEBUG(0,("cm_prepare_connection: got unexpected peeraddr len %d\n",
-                       peeraddr_len));
-               result = NT_STATUS_UNSUCCESSFUL;
-               goto done;
-       }
-
-       if ((peeraddr_in->sin_family != PF_INET)
-#ifdef HAVE_IPV6
-           && (peeraddr_in->sin_family != PF_INET6)
-#endif
-           ) {
-               DEBUG(0,("cm_prepare_connection: got unexpected family %d\n",
-                       peeraddr_in->sin_family));
-               result = NT_STATUS_UNSUCCESSFUL;
-               goto done;
-       }
+       cli_set_timeout(*cli, 10000); /* 10 seconds */
 
-       result = cli_negprot(*cli);
+       result = cli_negprot(*cli, PROTOCOL_NT1);
 
        if (!NT_STATUS_IS_OK(result)) {
                DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
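Review bot: Once `cli_state_create` at L81 succeeds the descriptor belongs to `*cli`, so the `cli_negprot` failure at L131 no longer closes `sockfd` explicitly and relies on `done:` (outside this hunk) to free `*cli` and close the socket with it — confirm that is what `done:` does, otherwise the leak this commit targets survives on every post-create failure. The two new `close(sockfd)` calls also leave the caller's copy of the descriptor number dangling, so the caller must not close it again; that contract deserves a line in the function comment, e.g. `/* On any failure sockfd has been closed (or is owned by *cli); the caller must not close it. */`. The removed `getpeername` length/family validation has no visible replacement; presumably `cli_state_create` records the peer address itself (a later hunk reads `cli_state_remote_sockaddr`), but if it does not, that check should move into the new create path. Separately, `SMB_SIGNING_DEFAULT` at L83 leaves signing negotiable on a connection that will carry machine-account authentication to a DC; if winbindd is meant to honour a stricter client-signing policy, this call is where it would be set.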
@@ -855,11 +831,9 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
        }
 
        if (!is_dc_trusted_domain_situation(domain->name) &&
-           (*cli)->protocol >= PROTOCOL_NT1 &&
-           (*cli)->capabilities & CAP_EXTENDED_SECURITY)
+           cli_state_protocol(*cli) >= PROTOCOL_NT1 &&
+           cli_state_capabilities(*cli) & CAP_EXTENDED_SECURITY)
        {
-               ADS_STATUS ads_status;
-
                result = get_trust_creds(domain, &machine_password,
                                         &machine_account,
                                         &machine_krb5_principal);
@@ -873,23 +847,24 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
                        (*cli)->use_kerberos = True;
                        DEBUG(5, ("connecting to %s from %s with kerberos principal "
-                                 "[%s] and realm [%s]\n", controller, global_myname(),
+                                 "[%s] and realm [%s]\n", controller, lp_netbios_name(),
                                  machine_krb5_principal, domain->alt_name));
 
                        winbindd_set_locator_kdc_envs(domain);
 
-                       ads_status = cli_session_setup_spnego(*cli,
-                                                             machine_krb5_principal, 
-                                                             machine_password,
-                                                             lp_workgroup(),
-                                                             domain->alt_name);
+                       result = cli_session_setup(*cli,
+                                                  machine_krb5_principal,
+                                                  machine_password,
+                                                  strlen(machine_password)+1,
+                                                  machine_password,
+                                                  strlen(machine_password)+1,
+                                                  lp_workgroup());
 
-                       if (!ADS_ERR_OK(ads_status)) {
+                       if (!NT_STATUS_IS_OK(result)) {
                                DEBUG(4,("failed kerberos session setup with %s\n",
-                                        ads_errstr(ads_status)));
+                                       nt_errstr(result)));
                        }
 
-                       result = ads_ntstatus(ads_status);
                        if (NT_STATUS_IS_OK(result)) {
                                /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
                                result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
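Review bot: The debug line at L150-153 still prints `realm [%s]` from `domain->alt_name`, but the new `cli_session_setup` call at L162-168 never receives that realm (the removed `cli_session_setup_spnego` call passed it as its last argument), so the log now claims something the call does not use. Either the realm is taken from the `cli_state` that was created with `domain->alt_name` earlier in the function — in which case say so, e.g. `/* realm comes from the cli_state (domain->alt_name), not from this call */` — or it was lost and the Kerberos target may silently change; that needs confirming against the callee. Both password arguments pass `strlen(machine_password)+1`, i.e. the terminating NUL counts towards the length, which should match what `cli_session_setup` expects and assumes `machine_password` is non-NULL after `get_trust_creds` succeeded (that check sits outside this hunk). `(*cli)->use_kerberos = True` at L149 is still poked directly although the connection was created with `CLI_FULL_CONNECTION_USE_KERBEROS`; drop the redundant write or use the accessor the rest of this commit introduces.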
@@ -904,20 +879,21 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                (*cli)->use_kerberos = False;
 
                DEBUG(5, ("connecting to %s from %s with username "
-                         "[%s]\\[%s]\n",  controller, global_myname(),
+                         "[%s]\\[%s]\n",  controller, lp_netbios_name(),
                          lp_workgroup(), machine_account));
 
-               ads_status = cli_session_setup_spnego(*cli,
-                                                     machine_account, 
-                                                     machine_password, 
-                                                     lp_workgroup(),
-                                                     NULL);
-               if (!ADS_ERR_OK(ads_status)) {
+               result = cli_session_setup(*cli,
+                                          machine_account,
+                                          machine_password,
+                                          strlen(machine_password)+1,
+                                          machine_password,
+                                          strlen(machine_password)+1,
+                                          lp_workgroup());
+               if (!NT_STATUS_IS_OK(result)) {
                        DEBUG(4, ("authenticated session setup failed with %s\n",
-                               ads_errstr(ads_status)));
+                               nt_errstr(result)));
                }
 
-               result = ads_ntstatus(ads_status);
                if (NT_STATUS_IS_OK(result)) {
                        /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
                        result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
@@ -934,13 +910,14 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
        cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
 
-       if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
+       sec_mode = cli_state_security_mode(*cli);
+       if (((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
            (strlen(ipc_username) > 0)) {
 
                /* Only try authenticated if we have a username */
 
                DEBUG(5, ("connecting to %s from %s with username "
-                         "[%s]\\[%s]\n",  controller, global_myname(),
+                         "[%s]\\[%s]\n",  controller, lp_netbios_name(),
                          ipc_domain, ipc_username));
 
                if (NT_STATUS_IS_OK(cli_session_setup(
@@ -967,8 +944,8 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                "connection for DC %s\n",
                controller ));
 
-       if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
-                                             NULL, 0, ""))) {
+       result = cli_session_setup(*cli, "", NULL, 0, NULL, 0, "");
+       if (NT_STATUS_IS_OK(result)) {
                DEBUG(5, ("Connected anonymously\n"));
                result = cli_init_creds(*cli, "", "", "");
                if (!NT_STATUS_IS_OK(result)) {
@@ -977,22 +954,16 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                goto session_setup_done;
        }
 
-       result = cli_nt_error(*cli);
-
-       if (NT_STATUS_IS_OK(result))
-               result = NT_STATUS_UNSUCCESSFUL;
-
        /* We can't session setup */
-
        goto done;
 
  session_setup_done:
 
        /* cache the server name for later connections */
 
-       saf_store( domain->name, (*cli)->desthost );
+       saf_store(domain->name, controller);
        if (domain->alt_name && (*cli)->use_kerberos) {
-               saf_store( domain->alt_name, (*cli)->desthost );
+               saf_store(domain->alt_name, controller);
        }
 
        winbindd_set_locator_kdc_envs(domain);
@@ -1070,7 +1041,7 @@ static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
                            (struct sockaddr *)(void *)pss))
                        return False;
 
-       *dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
+       *dcs = talloc_realloc(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
 
        if (*dcs == NULL)
                return False;
@@ -1085,7 +1056,7 @@ static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
                                  struct sockaddr_storage *pss, uint16 port,
                                  struct sockaddr_storage **addrs, int *num)
 {
-       *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
+       *addrs = talloc_realloc(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
 
        if (*addrs == NULL) {
                *num = 0;
@@ -1116,7 +1087,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
        ip_list.ss = *pss;
        ip_list.port = 0;
 
-#ifdef WITH_ADS
+#ifdef HAVE_ADS
        /* For active directory servers, try to get the ldap server name.
           None of these failures should be considered critical for now */
 
@@ -1372,7 +1343,7 @@ static bool find_new_dc(TALLOC_CTX *mem_ctx,
                return False;
 
        status = smbsock_any_connect(addrs, dcnames, NULL, NULL, NULL,
-                                    num_addrs, 0, fd, &fd_index, NULL);
+                                    num_addrs, 0, 10, fd, &fd_index, NULL);
        if (!NT_STATUS_IS_OK(status)) {
                for (i=0; i<num_dcs; i++) {
                        char ab[INET6_ADDRSTRLEN];
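Review bot: The new `10` passed to `smbsock_any_connect` at L297 is an unexplained literal whose unit is not visible here, and the same value reappears in the `smbsock_connect` call of a later hunk. Name it once and use it at both call sites, e.g. `#define WINBIND_DC_CONNECT_TIMEOUT 10 /* presumably seconds — confirm against smbsock_any_connect() */`, so the two DC connect paths cannot drift apart. The enclosing `find_new_dc` continues outside this hunk.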
@@ -1430,15 +1401,15 @@ static void store_current_dc_in_gencache(const char *domain_name,
                                         struct cli_state *cli)
 {
        char addr[INET6_ADDRSTRLEN];
-       char *key, *value;
+       char *key = NULL;
+       char *value = NULL;
 
-       if (cli == NULL) {
+       if (!cli_state_is_connected(cli)) {
                return;
        }
-       if (cli->fd == -1) {
-               return;
-       }
-       get_peer_addr(cli->fd, addr, sizeof(addr));
+
+       print_sockaddr(addr, sizeof(addr),
+                      cli_state_remote_sockaddr(cli));
 
        key = current_dc_key(talloc_tos(), domain_name);
        if (key == NULL) {
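Review bot: `cli_state_is_connected(cli)` at L310 replaces an explicit `cli == NULL` guard, so the NULL case is now delegated to that helper; if it dereferences its argument, any `store_current_dc_in_gencache` caller that used to pass NULL will crash. Either confirm the helper is NULL-safe and say so in a comment (`/* cli_state_is_connected() tolerates NULL */`), or keep the guard explicit: `if (cli == NULL || !cli_state_is_connected(cli)) { return; }`. The same substitution is made in two later hunks of this commit, so whichever answer applies here applies there too.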
@@ -1450,7 +1421,7 @@ static void store_current_dc_in_gencache(const char *domain_name,
                goto done;
        }
 
-       gencache_set(key, value, 0x7ffffffff);
+       gencache_set(key, value, 0x7fffffff);
 done:
        TALLOC_FREE(value);
        TALLOC_FREE(key);
@@ -1537,7 +1508,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
                                return NT_STATUS_UNSUCCESSFUL;
                        }
                        if (dcip_to_name(mem_ctx, domain, &ss, saf_name )) {
-                               fstrcpy( domain->dcname, saf_name );
+                               strlcpy(domain->dcname, saf_name, sizeof(domain->dcname));
                        } else {
                                winbind_add_failed_connection_entry(
                                        domain, saf_servername,
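Review bot: The `strlcpy` at L337 discards its return value, so a `saf_name` longer than `domain->dcname` is silently truncated and a wrong DC name is cached for later connections. Now that the bound is explicit the check is cheap: `if (strlcpy(domain->dcname, saf_name, sizeof(domain->dcname)) >= sizeof(domain->dcname)) { DEBUG(1, ("DC name %s too long, ignoring\n", saf_name)); /* treat like a failed lookup */ }` and fall into the failure branch below. The previous `fstrcpy` truncated just as silently, so this is pre-existing behaviour rather than a regression; `cm_open_connection` continues outside this hunk.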
@@ -1567,7 +1538,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
 
                        status = smbsock_connect(&domain->dcaddr, 0,
                                                 NULL, -1, NULL, -1,
-                                                &fd, NULL);
+                                                &fd, NULL, 10);
                        if (!NT_STATUS_IS_OK(status)) {
                                fd = -1;
                        }
@@ -1626,6 +1597,8 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
 
 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
 {
+       NTSTATUS result;
+
        /* We're closing down a possibly dead
           connection. Don't have impossibly long (10s) timeouts. */
 
@@ -1635,8 +1608,10 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
 
        if (conn->samr_pipe != NULL) {
                if (is_valid_policy_hnd(&conn->sam_connect_handle)) {
-                       rpccli_samr_Close(conn->samr_pipe, talloc_tos(),
-                                         &conn->sam_connect_handle);
+                       dcerpc_samr_Close(conn->samr_pipe->binding_handle,
+                                         talloc_tos(),
+                                         &conn->sam_connect_handle,
+                                         &result);
                }
                TALLOC_FREE(conn->samr_pipe);
                /* Ok, it must be dead. Drop timeout to 0.5 sec. */
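Review bot: `result` receives the SAMR-level status of `dcerpc_samr_Close` at L365-368 and is never examined, which is reasonable when tearing down a possibly dead connection but should be stated rather than left looking like an oversight, e.g. `/* best effort: the connection may already be dead, the close status is ignored */` above the call; the two LSA closes in the following hunks deserve the same line. After the close, `conn->sam_connect_handle` is not invalidated, so `is_valid_policy_hnd` on the same struct would still report it valid — confirm whether the remainder of `invalidate_cm_connection` (cut off below) zeroes it.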
@@ -1647,8 +1622,10 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
 
        if (conn->lsa_pipe != NULL) {
                if (is_valid_policy_hnd(&conn->lsa_policy)) {
-                       rpccli_lsa_Close(conn->lsa_pipe, talloc_tos(),
-                                        &conn->lsa_policy);
+                       dcerpc_lsa_Close(conn->lsa_pipe->binding_handle,
+                                        talloc_tos(),
+                                        &conn->lsa_policy,
+                                        &result);
                }
                TALLOC_FREE(conn->lsa_pipe);
                /* Ok, it must be dead. Drop timeout to 0.5 sec. */
@@ -1659,8 +1636,10 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
 
        if (conn->lsa_pipe_tcp != NULL) {
                if (is_valid_policy_hnd(&conn->lsa_policy)) {
-                       rpccli_lsa_Close(conn->lsa_pipe, talloc_tos(),
-                                        &conn->lsa_policy);
+                       dcerpc_lsa_Close(conn->lsa_pipe_tcp->binding_handle,
+                                        talloc_tos(),
+                                        &conn->lsa_policy,
+                                        &result);
                }
                TALLOC_FREE(conn->lsa_pipe_tcp);
                /* Ok, it must be dead. Drop timeout to 0.5 sec. */
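Review bot: `conn->lsa_policy` at L388 is the same handle that the preceding hunk already closes over `conn->lsa_pipe`; unless that block zeroes it (not visible here), `is_valid_policy_hnd` still returns true and the handle is closed a second time, now over the TCP pipe on which it was presumably never opened. A policy handle belongs to the pipe it was opened on, so either `lsa_pipe_tcp` needs its own handle field or `lsa_policy` must be invalidated after the first close, e.g. `ZERO_STRUCT(conn->lsa_policy);` right after the `dcerpc_lsa_Close` in the `lsa_pipe` block. Closing over `lsa_pipe_tcp` instead of `lsa_pipe` is the right pipe for this block, but the shared handle is still suspect.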
@@ -1687,22 +1666,29 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
 void close_conns_after_fork(void)
 {
        struct winbindd_domain *domain;
+       struct winbindd_cli_state *cli_state;
 
        for (domain = domain_list(); domain; domain = domain->next) {
-               struct cli_state *cli = domain->conn.cli;
-
                /*
                 * first close the low level SMB TCP connection
                 * so that we don't generate any SMBclose
                 * requests in invalidate_cm_connection()
                 */
-               if (cli && cli->fd != -1) {
-                       close(domain->conn.cli->fd);
-                       domain->conn.cli->fd = -1;
+               if (cli_state_is_connected(domain->conn.cli)) {
+                       cli_state_disconnect(domain->conn.cli);
                }
 
                invalidate_cm_connection(&domain->conn);
        }
+
+       for (cli_state = winbindd_client_list();
+            cli_state != NULL;
+            cli_state = cli_state->next) {
+               if (cli_state->sock >= 0) {
+                       close(cli_state->sock);
+                       cli_state->sock = -1;
+               }
+       }
 }
 
 static bool connection_ok(struct winbindd_domain *domain)
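Review bot: The comment at L407-411 promises that dropping the TCP connection first prevents `invalidate_cm_connection` from sending SMB close requests, and that now depends on `cli_state_disconnect` at L416 doing a bare socket close rather than an SMB logoff/tdis — which is not visible here. Confirm it, and make the requirement explicit in the comment: `/* cli_state_disconnect() must only close the socket: after fork the child must not speak on the parent's SMB session */`. The new loop at L422-429 closes the inherited client sockets with `close()` and marks `sock = -1`, but nothing else in each `winbindd_cli_state` is touched; if the child later walks that list, any per-client state that assumes an open socket should be reset too (hedged — the struct is not in this diff). `cli_state_is_connected(domain->conn.cli)` at L415 again relies on the helper tolerating a NULL `conn.cli`.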
@@ -1917,7 +1903,7 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
 
 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
 {
-       NTSTATUS                result;
+       NTSTATUS status, result;
        WERROR werr;
        TALLOC_CTX              *mem_ctx = NULL;
        struct rpc_pipe_client  *cli = NULL;
@@ -1938,14 +1924,14 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
 
        DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
 
-       result = cli_rpc_pipe_open_noauth(domain->conn.cli,
+       status = cli_rpc_pipe_open_noauth(domain->conn.cli,
                                          &ndr_table_dssetup.syntax_id,
                                          &cli);
 
-       if (!NT_STATUS_IS_OK(result)) {
+       if (!NT_STATUS_IS_OK(status)) {
                DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
                          "PI_DSSETUP on domain %s: (%s)\n",
-                         domain->name, nt_errstr(result)));
+                         domain->name, nt_errstr(status)));
 
                /* if this is just a non-AD domain we need to continue
                 * identifying so that we can in the end return with
@@ -1954,26 +1940,26 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
                goto no_dssetup;
        }
 
-       result = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx,
+       status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx,
                                                                  DS_ROLE_BASIC_INFORMATION,
                                                                  &info,
                                                                  &werr);
        TALLOC_FREE(cli);
 
-       if (NT_STATUS_IS_OK(result)) {
+       if (NT_STATUS_IS_OK(status)) {
                result = werror_to_ntstatus(werr);
        }
-       if (!NT_STATUS_IS_OK(result)) {
+       if (!NT_STATUS_IS_OK(status)) {
                DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
                          "on domain %s failed: (%s)\n",
-                         domain->name, nt_errstr(result)));
+                         domain->name, nt_errstr(status)));
 
                /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
                 * every opcode on the DSSETUP pipe, continue with
                 * no_dssetup mode here as well to get domain->initialized
                 * set - gd */
 
-               if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
+               if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
                        goto no_dssetup;
                }
 
@@ -1989,31 +1975,32 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
        }
 
 no_dssetup:
-       result = cli_rpc_pipe_open_noauth(domain->conn.cli,
+       status = cli_rpc_pipe_open_noauth(domain->conn.cli,
                                          &ndr_table_lsarpc.syntax_id, &cli);
 
-       if (!NT_STATUS_IS_OK(result)) {
+       if (!NT_STATUS_IS_OK(status)) {
                DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
                          "PI_LSARPC on domain %s: (%s)\n",
-                         domain->name, nt_errstr(result)));
+                         domain->name, nt_errstr(status)));
                TALLOC_FREE(cli);
                TALLOC_FREE(mem_ctx);
                return;
        }
 
-       result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
+       status = rpccli_lsa_open_policy2(cli, mem_ctx, True,
                                         SEC_FLAG_MAXIMUM_ALLOWED, &pol);
 
-       if (NT_STATUS_IS_OK(result)) {
+       if (NT_STATUS_IS_OK(status)) {
                /* This particular query is exactly what Win2k clients use 
                   to determine that the DC is active directory */
-               result = rpccli_lsa_QueryInfoPolicy2(cli, mem_ctx,
+               status = dcerpc_lsa_QueryInfoPolicy2(cli->binding_handle, mem_ctx,
                                                     &pol,
                                                     LSA_POLICY_INFO_DNS,
-                                                    &lsa_info);
+                                                    &lsa_info,
+                                                    &result);
        }
 
-       if (NT_STATUS_IS_OK(result)) {
+       if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
                domain->active_directory = True;
 
                if (lsa_info->dns.name.string) {
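Review bot: The combined check at L529 treats a transport failure in `dcerpc_lsa_QueryInfoPolicy2` (`status` not OK, pipe probably dead) the same as a DC that genuinely reports no DNS policy info (`result` not OK); the `else` branch that follows marks the domain non-AD and issues further calls on the same pipe, and `active_directory` later gates `can_do_ncacn_ip_tcp` and `can_do_validation6`, so a flaky pipe quietly downgrades the domain's capabilities. Bail out on the transport error before classifying, e.g. `if (!NT_STATUS_IS_OK(status)) { DEBUG(5, ("QueryInfoPolicy2 failed: %s\n", nt_errstr(status))); goto done; }` ahead of L529, and reserve the non-AD path for a real `result` failure. The tail of `set_dc_type_and_flags_connect` is outside this hunk, so whether `done:` leaves `domain->initialized` in a sensible state on that path needs checking.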
@@ -2043,20 +2030,20 @@ no_dssetup:
        } else {
                domain->active_directory = False;
 
-               result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
+               status = rpccli_lsa_open_policy(cli, mem_ctx, True,
                                                SEC_FLAG_MAXIMUM_ALLOWED,
                                                &pol);
 
-               if (!NT_STATUS_IS_OK(result)) {
+               if (!NT_STATUS_IS_OK(status)) {
                        goto done;
                }
 
-               result = rpccli_lsa_QueryInfoPolicy(cli, mem_ctx,
+               status = dcerpc_lsa_QueryInfoPolicy(cli->binding_handle, mem_ctx,
                                                    &pol,
                                                    LSA_POLICY_INFO_ACCOUNT_DOMAIN,
-                                                   &lsa_info);
-
-               if (NT_STATUS_IS_OK(result)) {
+                                                   &lsa_info,
+                                                   &result);
+               if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
 
                        if (lsa_info->account_domain.name.string) {
                                fstrcpy(domain->name,
@@ -2077,6 +2064,7 @@ done:
                  domain->name, domain->active_directory ? "" : "NOT "));
 
        domain->can_do_ncacn_ip_tcp = domain->active_directory;
+       domain->can_do_validation6 = domain->active_directory;
 
        TALLOC_FREE(cli);
 
@@ -2594,7 +2582,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                 netlogon_pipe,
                 domain->dcname, /* server name. */
                 domain->name,   /* domain name */
-                global_myname(), /* client name */
+                lp_netbios_name(), /* client name */
                 account_name,   /* machine account */
                 mach_pwd,       /* machine password */
                 sec_chan_type,  /* from get_trust_pw */
@@ -2668,28 +2656,55 @@ void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
                            DATA_BLOB *data)
 {
        struct winbindd_domain *domain;
+       char *freeit = NULL;
+       char *addr;
 
        if ((data == NULL)
            || (data->data == NULL)
            || (data->length == 0)
-           || (data->data[data->length-1] != '\0')
-           || !is_ipaddress((char *)data->data)) {
-               DEBUG(1, ("invalid msg_ip_dropped message\n"));
+           || (data->data[data->length-1] != '\0')) {
+               DEBUG(1, ("invalid msg_ip_dropped message: not a valid "
+                         "string\n"));
                return;
        }
+
+       addr = (char *)data->data;
+       DEBUG(10, ("IP %s dropped\n", addr));
+
+       if (!is_ipaddress(addr)) {
+               char *slash;
+               /*
+                * Some code sends us ip addresses with the /netmask
+                * suffix
+                */
+               slash = strchr(addr, '/');
+               if (slash == NULL) {
+                       DEBUG(1, ("invalid msg_ip_dropped message: %s",
+                                 addr));
+                       return;
+               }
+               freeit = talloc_strndup(talloc_tos(), addr, slash-addr);
+               if (freeit == NULL) {
+                       DEBUG(1, ("talloc failed\n"));
+                       return;
+               }
+               addr = freeit;
+               DEBUG(10, ("Stripped /netmask to IP %s\n", addr));
+       }
+
        for (domain = domain_list(); domain != NULL; domain = domain->next) {
                char sockaddr[INET6_ADDRSTRLEN];
-               if (domain->conn.cli == NULL) {
-                       continue;
-               }
-               if (domain->conn.cli->fd == -1) {
+
+               if (!cli_state_is_connected(domain->conn.cli)) {
                        continue;
                }
-               client_socket_addr(domain->conn.cli->fd, sockaddr,
-                                  sizeof(sockaddr));
-               if (strequal(sockaddr, (char *)data->data)) {
-                       close(domain->conn.cli->fd);
-                       domain->conn.cli->fd = -1;
+
+               print_sockaddr(sockaddr, sizeof(sockaddr),
+                              cli_state_local_sockaddr(domain->conn.cli));
+
+               if (strequal(sockaddr, addr)) {
+                       cli_state_disconnect(domain->conn.cli);
                }
        }
+       TALLOC_FREE(freeit);
 }
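Review bot: After the `/netmask` suffix is stripped at L611-616 the remaining prefix is never re-validated, so any message containing a slash passes the `is_ipaddress` gate and is accepted as an address; it cannot match a real `print_sockaddr` string, but arbitrary bus payloads then reach the loop and the level-10 log instead of being rejected with the other malformed messages. Re-run `is_ipaddress` on the stripped string and reject on failure (below). The rejection log at L607 is also missing its trailing `\n`, unlike every other DEBUG in this file: `DEBUG(1, ("invalid msg_ip_dropped message: %s\n", addr));`. The early `return`s at L609 and L614 are fine as written since `freeit` is still NULL there.
```c
		addr = freeit;
		/* the part before '/' must itself be an address */
		if (!is_ipaddress(addr)) {
			DEBUG(1, ("invalid msg_ip_dropped message: %s\n", addr));
			TALLOC_FREE(freeit);
			return;
		}
		DEBUG(10, ("Stripped /netmask to IP %s\n", addr));
```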