s3-winbindd: Fix Bug #6700: Use dns domain name when needing to guess server principal.
[ira/wip.git] / source3 / winbindd / winbindd_cm.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon connection manager
5
6    Copyright (C) Tim Potter                2001
7    Copyright (C) Andrew Bartlett           2002
8    Copyright (C) Gerald (Jerry) Carter     2003-2005.
9    Copyright (C) Volker Lendecke           2004-2005
10    Copyright (C) Jeremy Allison            2006
11
12    This program is free software; you can redistribute it and/or modify
13    it under the terms of the GNU General Public License as published by
14    the Free Software Foundation; either version 3 of the License, or
15    (at your option) any later version.
16
17    This program is distributed in the hope that it will be useful,
18    but WITHOUT ANY WARRANTY; without even the implied warranty of
19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20    GNU General Public License for more details.
21
22    You should have received a copy of the GNU General Public License
23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27    We need to manage connections to domain controllers without having to
28    mess up the main winbindd code with other issues.  The aim of the
29    connection manager is to:
30
31        - make connections to domain controllers and cache them
32        - re-establish connections when networks or servers go down
33        - centralise the policy on connection timeouts, domain controller
34          selection etc
35        - manage re-entrancy for when winbindd becomes able to handle
36          multiple outstanding rpc requests
37
38    Why not have connection management as part of the rpc layer like tng?
39    Good question.  This code may morph into libsmb/rpc_cache.c or something
40    like that but at the moment it's simply staying as part of winbind.  I
41    think the TNG architecture of forcing every user of the rpc layer to use
42    the connection caching system is a bad idea.  It should be an optional
43    method of using the routines.
44
45    The TNG design is quite good but I disagree with some aspects of the
46    implementation. -tpot
47
48  */
49
50 /*
51    TODO:
52
53      - I'm pretty annoyed by all the make_nmb_name() stuff.  It should be
54        moved down into another function.
55
56      - Take care when destroying cli_structs as they can be shared between
57        various sam handles.
58
59  */
60
61 #include "includes.h"
62 #include "winbindd.h"
63 #include "../libcli/auth/libcli_auth.h"
64
65 #undef DBGC_CLASS
66 #define DBGC_CLASS DBGC_WINBIND
67
68 struct dc_name_ip {
69         fstring name;
70         struct sockaddr_storage ss;
71 };
72
73 extern struct winbindd_methods reconnect_methods;
74 extern bool override_logfile;
75
76 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
77 static void set_dc_type_and_flags( struct winbindd_domain *domain );
78 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
79                     struct dc_name_ip **dcs, int *num_dcs);
80
81 /****************************************************************
82  Child failed to find DC's. Reschedule check.
83 ****************************************************************/
84
85 static void msg_failed_to_go_online(struct messaging_context *msg,
86                                     void *private_data,
87                                     uint32_t msg_type,
88                                     struct server_id server_id,
89                                     DATA_BLOB *data)
90 {
91         struct winbindd_domain *domain;
92         const char *domainname = (const char *)data->data;
93
94         if (data->data == NULL || data->length == 0) {
95                 return;
96         }
97
98         DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
99
100         for (domain = domain_list(); domain; domain = domain->next) {
101                 if (domain->internal) {
102                         continue;
103                 }
104
105                 if (strequal(domain->name, domainname)) {
106                         if (domain->online) {
107                                 /* We're already online, ignore. */
108                                 DEBUG(5,("msg_fail_to_go_online: domain %s "
109                                         "already online.\n", domainname));
110                                 continue;
111                         }
112
113                         /* Reschedule the online check. */
114                         set_domain_offline(domain);
115                         break;
116                 }
117         }
118 }
119
120 /****************************************************************
121  Actually cause a reconnect from a message.
122 ****************************************************************/
123
124 static void msg_try_to_go_online(struct messaging_context *msg,
125                                  void *private_data,
126                                  uint32_t msg_type,
127                                  struct server_id server_id,
128                                  DATA_BLOB *data)
129 {
130         struct winbindd_domain *domain;
131         const char *domainname = (const char *)data->data;
132
133         if (data->data == NULL || data->length == 0) {
134                 return;
135         }
136
137         DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
138
139         for (domain = domain_list(); domain; domain = domain->next) {
140                 if (domain->internal) {
141                         continue;
142                 }
143
144                 if (strequal(domain->name, domainname)) {
145
146                         if (domain->online) {
147                                 /* We're already online, ignore. */
148                                 DEBUG(5,("msg_try_to_go_online: domain %s "
149                                         "already online.\n", domainname));
150                                 continue;
151                         }
152
153                         /* This call takes care of setting the online
154                            flag to true if we connected, or re-adding
155                            the offline handler if false. Bypasses online
156                            check so always does network calls. */
157
158                         init_dc_connection_network(domain);
159                         break;
160                 }
161         }
162 }
163
164 /****************************************************************
165  Fork a child to try and contact a DC. Do this as contacting a
166  DC requires blocking lookups and we don't want to block our
167  parent.
168 ****************************************************************/
169
170 static bool fork_child_dc_connect(struct winbindd_domain *domain)
171 {
172         struct dc_name_ip *dcs = NULL;
173         int num_dcs = 0;
174         TALLOC_CTX *mem_ctx = NULL;
175         pid_t parent_pid = sys_getpid();
176         char *lfile = NULL;
177
178         /* Stop zombies */
179         CatchChild();
180
181         if (domain->dc_probe_pid != (pid_t)-1) {
182                 /*
183                  * We might already have a DC probe
184                  * child working, check.
185                  */
186                 if (process_exists_by_pid(domain->dc_probe_pid)) {
187                         DEBUG(10,("fork_child_dc_connect: pid %u already "
188                                 "checking for DC's.\n",
189                                 (unsigned int)domain->dc_probe_pid));
190                         return true;
191                 }
192                 domain->dc_probe_pid = (pid_t)-1;
193         }
194
195         domain->dc_probe_pid = sys_fork();
196
197         if (domain->dc_probe_pid == (pid_t)-1) {
198                 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
199                 return False;
200         }
201
202         if (domain->dc_probe_pid != (pid_t)0) {
203                 /* Parent */
204                 messaging_register(winbind_messaging_context(), NULL,
205                                    MSG_WINBIND_TRY_TO_GO_ONLINE,
206                                    msg_try_to_go_online);
207                 messaging_register(winbind_messaging_context(), NULL,
208                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
209                                    msg_failed_to_go_online);
210                 return True;
211         }
212
213         /* Child. */
214
215         /* Leave messages blocked - we will never process one. */
216
217         if (!override_logfile) {
218                 if (asprintf(&lfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) == -1) {
219                         DEBUG(0, ("fork_child_dc_connect: out of memory.\n"));
220                         _exit(1);
221                 }
222         }
223
224         if (!winbindd_reinit_after_fork(lfile)) {
225                 messaging_send_buf(winbind_messaging_context(),
226                                    pid_to_procid(parent_pid),
227                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
228                                    (uint8 *)domain->name,
229                                    strlen(domain->name)+1);
230                 _exit(1);
231         }
232         SAFE_FREE(lfile);
233
234         mem_ctx = talloc_init("fork_child_dc_connect");
235         if (!mem_ctx) {
236                 DEBUG(0,("talloc_init failed.\n"));
237                 messaging_send_buf(winbind_messaging_context(),
238                                    pid_to_procid(parent_pid),
239                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
240                                    (uint8 *)domain->name,
241                                    strlen(domain->name)+1);
242                 _exit(1);
243         }
244
245         if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
246                 /* Still offline ? Can't find DC's. */
247                 messaging_send_buf(winbind_messaging_context(),
248                                    pid_to_procid(parent_pid),
249                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
250                                    (uint8 *)domain->name,
251                                    strlen(domain->name)+1);
252                 _exit(0);
253         }
254
255         /* We got a DC. Send a message to our parent to get it to
256            try and do the same. */
257
258         messaging_send_buf(winbind_messaging_context(),
259                            pid_to_procid(parent_pid),
260                            MSG_WINBIND_TRY_TO_GO_ONLINE,
261                            (uint8 *)domain->name,
262                            strlen(domain->name)+1);
263         _exit(0);
264 }
265
266 /****************************************************************
267  Handler triggered if we're offline to try and detect a DC.
268 ****************************************************************/
269
270 static void check_domain_online_handler(struct event_context *ctx,
271                                         struct timed_event *te,
272                                         struct timeval now,
273                                         void *private_data)
274 {
275         struct winbindd_domain *domain =
276                 (struct winbindd_domain *)private_data;
277
278         DEBUG(10,("check_domain_online_handler: called for domain "
279                   "%s (online = %s)\n", domain->name, 
280                   domain->online ? "True" : "False" ));
281
282         TALLOC_FREE(domain->check_online_event);
283
284         /* Are we still in "startup" mode ? */
285
286         if (domain->startup && (now.tv_sec > domain->startup_time + 30)) {
287                 /* No longer in "startup" mode. */
288                 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
289                         domain->name ));
290                 domain->startup = False;
291         }
292
293         /* We've been told to stay offline, so stay
294            that way. */
295
296         if (get_global_winbindd_state_offline()) {
297                 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
298                         domain->name ));
299                 return;
300         }
301
302         /* Fork a child to test if it can contact a DC. 
303            If it can then send ourselves a message to
304            cause a reconnect. */
305
306         fork_child_dc_connect(domain);
307 }
308
309 /****************************************************************
310  If we're still offline setup the timeout check.
311 ****************************************************************/
312
313 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
314 {
315         int wbr = lp_winbind_reconnect_delay();
316
317         if (domain->startup) {
318                 domain->check_online_timeout = 10;
319         } else if (domain->check_online_timeout < wbr) {
320                 domain->check_online_timeout = wbr;
321         }
322 }
323
324 /****************************************************************
325  Set domain offline and also add handler to put us back online
326  if we detect a DC.
327 ****************************************************************/
328
329 void set_domain_offline(struct winbindd_domain *domain)
330 {
331         DEBUG(10,("set_domain_offline: called for domain %s\n",
332                 domain->name ));
333
334         TALLOC_FREE(domain->check_online_event);
335
336         if (domain->internal) {
337                 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
338                         domain->name ));
339                 return;
340         }
341
342         domain->online = False;
343
344         /* Offline domains are always initialized. They're
345            re-initialized when they go back online. */
346
347         domain->initialized = True;
348
349         /* We only add the timeout handler that checks and
350            allows us to go back online when we've not
351            been told to remain offline. */
352
353         if (get_global_winbindd_state_offline()) {
354                 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
355                         domain->name ));
356                 return;
357         }
358
359         /* If we're in startup mode, check again in 10 seconds, not in
360            lp_winbind_reconnect_delay() seconds (which is 30 seconds by default). */
361
362         calc_new_online_timeout_check(domain);
363
364         domain->check_online_event = event_add_timed(winbind_event_context(),
365                                                 NULL,
366                                                 timeval_current_ofs(domain->check_online_timeout,0),
367                                                 check_domain_online_handler,
368                                                 domain);
369
370         /* The above *has* to succeed for winbindd to work. */
371         if (!domain->check_online_event) {
372                 smb_panic("set_domain_offline: failed to add online handler");
373         }
374
375         DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
376                 domain->name ));
377
378         /* Send an offline message to the idmap child when our
379            primary domain goes offline */
380
381         if ( domain->primary ) {
382                 struct winbindd_child *idmap = idmap_child();
383
384                 if ( idmap->pid != 0 ) {
385                         messaging_send_buf(winbind_messaging_context(),
386                                            pid_to_procid(idmap->pid), 
387                                            MSG_WINBIND_OFFLINE, 
388                                            (uint8 *)domain->name, 
389                                            strlen(domain->name)+1);
390                 }                       
391         }
392
393         return; 
394 }
395
396 /****************************************************************
397  Set domain online - if allowed.
398 ****************************************************************/
399
400 static void set_domain_online(struct winbindd_domain *domain)
401 {
402         DEBUG(10,("set_domain_online: called for domain %s\n",
403                 domain->name ));
404
405         if (domain->internal) {
406                 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
407                         domain->name ));
408                 return;
409         }
410
411         if (get_global_winbindd_state_offline()) {
412                 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
413                         domain->name ));
414                 return;
415         }
416
417         winbindd_set_locator_kdc_envs(domain);
418
419         /* If we are waiting to get a krb5 ticket, trigger immediately. */
420         ccache_regain_all_now();
421
422         /* Ok, we're out of any startup mode now... */
423         domain->startup = False;
424
425         if (domain->online == False) {
426                 /* We were offline - now we're online. We default to
427                    using the MS-RPC backend if we started offline,
428                    and if we're going online for the first time we
429                    should really re-initialize the backends and the
430                    checks to see if we're talking to an AD or NT domain.
431                 */
432
433                 domain->initialized = False;
434
435                 /* 'reconnect_methods' is the MS-RPC backend. */
436                 if (domain->backend == &reconnect_methods) {
437                         domain->backend = NULL;
438                 }
439         }
440
441         /* Ensure we have no online timeout checks. */
442         domain->check_online_timeout = 0;
443         TALLOC_FREE(domain->check_online_event);
444
445         /* Ensure we ignore any pending child messages. */
446         messaging_deregister(winbind_messaging_context(),
447                              MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
448         messaging_deregister(winbind_messaging_context(),
449                              MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
450
451         domain->online = True;
452
453         /* Send an online message to the idmap child when our
454            primary domain comes online */
455
456         if ( domain->primary ) {
457                 struct winbindd_child *idmap = idmap_child();
458
459                 if ( idmap->pid != 0 ) {
460                         messaging_send_buf(winbind_messaging_context(),
461                                            pid_to_procid(idmap->pid), 
462                                            MSG_WINBIND_ONLINE, 
463                                            (uint8 *)domain->name, 
464                                            strlen(domain->name)+1);
465                 }                       
466         }
467
468         return; 
469 }
470
471 /****************************************************************
472  Requested to set a domain online.
473 ****************************************************************/
474
475 void set_domain_online_request(struct winbindd_domain *domain)
476 {
477         struct timeval tev;
478
479         DEBUG(10,("set_domain_online_request: called for domain %s\n",
480                 domain->name ));
481
482         if (get_global_winbindd_state_offline()) {
483                 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
484                         domain->name ));
485                 return;
486         }
487
488         if (domain->internal) {
489                 DEBUG(10, ("set_domain_online_request: Internal domains are "
490                            "always online\n"));
491                 return;
492         }
493
494         /* We've been told it's safe to go online and
495            try and connect to a DC. But I don't believe it
496            because network manager seems to lie.
497            Wait at least 5 seconds. Heuristics suck... */
498
499
500         GetTimeOfDay(&tev);
501
502         /* Go into "startup" mode again. */
503         domain->startup_time = tev.tv_sec;
504         domain->startup = True;
505
506         tev.tv_sec += 5;
507
508         if (!domain->check_online_event) {
509                 /* If we've come from being globally offline we
510                    don't have a check online event handler set.
511                    We need to add one now we're trying to go
512                    back online. */
513
514                 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
515                         domain->name ));
516         }
517
518         TALLOC_FREE(domain->check_online_event);
519
520         domain->check_online_event = event_add_timed(winbind_event_context(),
521                                                      NULL,
522                                                      tev,
523                                                      check_domain_online_handler,
524                                                      domain);
525
526         /* The above *has* to succeed for winbindd to work. */
527         if (!domain->check_online_event) {
528                 smb_panic("set_domain_online_request: failed to add online handler");
529         }
530 }
531
532 /****************************************************************
533  Add -ve connection cache entries for domain and realm.
534 ****************************************************************/
535
536 void winbind_add_failed_connection_entry(const struct winbindd_domain *domain,
537                                         const char *server,
538                                         NTSTATUS result)
539 {
540         add_failed_connection_entry(domain->name, server, result);
541         /* If this was the saf name for the last thing we talked to,
542            remove it. */
543         saf_delete(domain->name);
544         if (*domain->alt_name) {
545                 add_failed_connection_entry(domain->alt_name, server, result);
546                 saf_delete(domain->alt_name);
547         }
548         winbindd_unset_locator_kdc_env(domain);
549 }
550
551 /* Choose between anonymous or authenticated connections.  We need to use
552    an authenticated connection if DCs have the RestrictAnonymous registry
553    entry set > 0, or the "Additional restrictions for anonymous
554    connections" set in the win2k Local Security Policy. 
555
556    Caller to free() result in domain, username, password
557 */
558
559 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
560 {
561         *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
562         *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
563         *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
564
565         if (*username && **username) {
566
567                 if (!*domain || !**domain)
568                         *domain = smb_xstrdup(lp_workgroup());
569
570                 if (!*password || !**password)
571                         *password = smb_xstrdup("");
572
573                 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n", 
574                           *domain, *username));
575
576         } else {
577                 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
578                 *username = smb_xstrdup("");
579                 *domain = smb_xstrdup("");
580                 *password = smb_xstrdup("");
581         }
582 }
583
584 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
585                                      fstring dcname,
586                                      struct sockaddr_storage *dc_ss)
587 {
588         struct winbindd_domain *our_domain = NULL;
589         struct rpc_pipe_client *netlogon_pipe = NULL;
590         NTSTATUS result;
591         WERROR werr;
592         TALLOC_CTX *mem_ctx;
593         unsigned int orig_timeout;
594         const char *tmp = NULL;
595         const char *p;
596
597         /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
598          * moment.... */
599
600         if (IS_DC) {
601                 return False;
602         }
603
604         if (domain->primary) {
605                 return False;
606         }
607
608         our_domain = find_our_domain();
609
610         if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
611                 return False;
612         }
613
614         result = cm_connect_netlogon(our_domain, &netlogon_pipe);
615         if (!NT_STATUS_IS_OK(result)) {
616                 talloc_destroy(mem_ctx);
617                 return False;
618         }
619
620         /* This call can take a long time - allow the server to time out.
621            35 seconds should do it. */
622
623         orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
624
625         if (our_domain->active_directory) {
626                 struct netr_DsRGetDCNameInfo *domain_info = NULL;
627
628                 result = rpccli_netr_DsRGetDCName(netlogon_pipe,
629                                                   mem_ctx,
630                                                   our_domain->dcname,
631                                                   domain->name,
632                                                   NULL,
633                                                   NULL,
634                                                   DS_RETURN_DNS_NAME,
635                                                   &domain_info,
636                                                   &werr);
637                 if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
638                         tmp = talloc_strdup(
639                                 mem_ctx, domain_info->dc_unc);
640                         if (tmp == NULL) {
641                                 DEBUG(0, ("talloc_strdup failed\n"));
642                                 talloc_destroy(mem_ctx);
643                                 return false;
644                         }
645                         if (strlen(domain->alt_name) == 0) {
646                                 fstrcpy(domain->alt_name,
647                                         domain_info->domain_name);
648                         }
649                         if (strlen(domain->forest_name) == 0) {
650                                 fstrcpy(domain->forest_name,
651                                         domain_info->forest_name);
652                         }
653                 }
654         } else {
655                 result = rpccli_netr_GetAnyDCName(netlogon_pipe, mem_ctx,
656                                                   our_domain->dcname,
657                                                   domain->name,
658                                                   &tmp,
659                                                   &werr);
660         }
661
662         /* And restore our original timeout. */
663         rpccli_set_timeout(netlogon_pipe, orig_timeout);
664
665         if (!NT_STATUS_IS_OK(result)) {
666                 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
667                         nt_errstr(result)));
668                 talloc_destroy(mem_ctx);
669                 return false;
670         }
671
672         if (!W_ERROR_IS_OK(werr)) {
673                 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
674                            win_errstr(werr)));
675                 talloc_destroy(mem_ctx);
676                 return false;
677         }
678
679         /* rpccli_netr_GetAnyDCName gives us a name with \\ */
680         p = strip_hostname(tmp);
681
682         fstrcpy(dcname, p);
683
684         talloc_destroy(mem_ctx);
685
686         DEBUG(10,("rpccli_netr_GetAnyDCName returned %s\n", dcname));
687
688         if (!resolve_name(dcname, dc_ss, 0x20, true)) {
689                 return False;
690         }
691
692         return True;
693 }
694
695 /**
696  * Helper function to assemble trust password and account name
697  */
698 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
699                                 char **machine_password,
700                                 char **machine_account,
701                                 char **machine_krb5_principal)
702 {
703         const char *account_name;
704         const char *name = NULL;
705
706         /* If we are a DC and this is not our own domain */
707
708         if (IS_DC) {
709                 name = domain->name;
710         } else {
711                 struct winbindd_domain *our_domain = find_our_domain();
712
713                 if (!our_domain)
714                         return NT_STATUS_INVALID_SERVER_STATE;          
715
716                 name = our_domain->name;                
717         }       
718
719         if (!get_trust_pw_clear(name, machine_password,
720                                 &account_name, NULL))
721         {
722                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
723         }
724
725         if ((machine_account != NULL) &&
726             (asprintf(machine_account, "%s$", account_name) == -1))
727         {
728                 return NT_STATUS_NO_MEMORY;
729         }
730
731         /* For now assume our machine account only exists in our domain */
732
733         if (machine_krb5_principal != NULL)
734         {
735                 struct winbindd_domain *our_domain = find_our_domain();
736
737                 if (!our_domain) {
738                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;                       
739                 }
740
741                 if (asprintf(machine_krb5_principal, "%s$@%s",
742                              account_name, our_domain->alt_name) == -1)
743                 {
744                         return NT_STATUS_NO_MEMORY;
745                 }
746
747                 strupper_m(*machine_krb5_principal);
748         }
749
750         return NT_STATUS_OK;
751 }
752
753 /************************************************************************
754  Given a fd with a just-connected TCP connection to a DC, open a connection
755  to the pipe.
756 ************************************************************************/
757
758 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
759                                       const int sockfd,
760                                       const char *controller,
761                                       struct cli_state **cli,
762                                       bool *retry)
763 {
764         char *machine_password = NULL;
765         char *machine_krb5_principal = NULL;
766         char *machine_account = NULL;
767         char *ipc_username = NULL;
768         char *ipc_domain = NULL;
769         char *ipc_password = NULL;
770
771         struct named_mutex *mutex;
772
773         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
774
775         struct sockaddr peeraddr;
776         socklen_t peeraddr_len;
777
778         struct sockaddr_in *peeraddr_in =
779                 (struct sockaddr_in *)(void *)&peeraddr;
780
781         DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
782                 controller, domain->name ));
783
784         *retry = True;
785
786         mutex = grab_named_mutex(talloc_tos(), controller,
787                                  WINBIND_SERVER_MUTEX_WAIT_TIME);
788         if (mutex == NULL) {
789                 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
790                          controller));
791                 result = NT_STATUS_POSSIBLE_DEADLOCK;
792                 goto done;
793         }
794
795         if ((*cli = cli_initialise()) == NULL) {
796                 DEBUG(1, ("Could not cli_initialize\n"));
797                 result = NT_STATUS_NO_MEMORY;
798                 goto done;
799         }
800
801         (*cli)->timeout = 10000;        /* 10 seconds */
802         (*cli)->fd = sockfd;
803         fstrcpy((*cli)->desthost, controller);
804         (*cli)->use_kerberos = True;
805
806         peeraddr_len = sizeof(peeraddr);
807
808         if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0) ||
809             (peeraddr_len != sizeof(struct sockaddr_in)) ||
810             (peeraddr_in->sin_family != PF_INET))
811         {
812                 DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
813                 result = NT_STATUS_UNSUCCESSFUL;
814                 goto done;
815         }
816
817         if (ntohs(peeraddr_in->sin_port) == 139) {
818                 struct nmb_name calling;
819                 struct nmb_name called;
820
821                 make_nmb_name(&calling, global_myname(), 0x0);
822                 make_nmb_name(&called, "*SMBSERVER", 0x20);
823
824                 if (!cli_session_request(*cli, &calling, &called)) {
825                         DEBUG(8, ("cli_session_request failed for %s\n",
826                                   controller));
827                         result = NT_STATUS_UNSUCCESSFUL;
828                         goto done;
829                 }
830         }
831
832         result = cli_negprot(*cli);
833
834         if (!NT_STATUS_IS_OK(result)) {
835                 DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
836                 goto done;
837         }
838
839         if (!is_dc_trusted_domain_situation(domain->name) &&
840             (*cli)->protocol >= PROTOCOL_NT1 &&
841             (*cli)->capabilities & CAP_EXTENDED_SECURITY)
842         {
843                 ADS_STATUS ads_status;
844
845                 result = get_trust_creds(domain, &machine_password,
846                                          &machine_account,
847                                          &machine_krb5_principal);
848                 if (!NT_STATUS_IS_OK(result)) {
849                         goto anon_fallback;
850                 }
851
852                 if (lp_security() == SEC_ADS) {
853
854                         /* Try a krb5 session */
855
856                         (*cli)->use_kerberos = True;
857                         DEBUG(5, ("connecting to %s from %s with kerberos principal "
858                                   "[%s] and realm [%s]\n", controller, global_myname(),
859                                   machine_krb5_principal, domain->alt_name));
860
861                         winbindd_set_locator_kdc_envs(domain);
862
863                         ads_status = cli_session_setup_spnego(*cli,
864                                                               machine_krb5_principal, 
865                                                               machine_password,
866                                                               lp_workgroup(),
867                                                               domain->alt_name);
868
869                         if (!ADS_ERR_OK(ads_status)) {
870                                 DEBUG(4,("failed kerberos session setup with %s\n",
871                                          ads_errstr(ads_status)));
872                         }
873
874                         result = ads_ntstatus(ads_status);
875                         if (NT_STATUS_IS_OK(result)) {
876                                 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
877                                 result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
878                                 if (!NT_STATUS_IS_OK(result)) {
879                                         goto done;
880                                 }
881                                 goto session_setup_done;
882                         }
883                 }
884
885                 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
886                 (*cli)->use_kerberos = False;
887
888                 DEBUG(5, ("connecting to %s from %s with username "
889                           "[%s]\\[%s]\n",  controller, global_myname(),
890                           lp_workgroup(), machine_account));
891
892                 ads_status = cli_session_setup_spnego(*cli,
893                                                       machine_account, 
894                                                       machine_password, 
895                                                       lp_workgroup(),
896                                                       NULL);
897                 if (!ADS_ERR_OK(ads_status)) {
898                         DEBUG(4, ("authenticated session setup failed with %s\n",
899                                 ads_errstr(ads_status)));
900                 }
901
902                 result = ads_ntstatus(ads_status);
903                 if (NT_STATUS_IS_OK(result)) {
904                         /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
905                         result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
906                         if (!NT_STATUS_IS_OK(result)) {
907                                 goto done;
908                         }
909                         goto session_setup_done;
910                 }
911         }
912
913         /* Fall back to non-kerberos session setup with auth_user */
914
915         (*cli)->use_kerberos = False;
916
917         cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
918
919         if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
920             (strlen(ipc_username) > 0)) {
921
922                 /* Only try authenticated if we have a username */
923
924                 DEBUG(5, ("connecting to %s from %s with username "
925                           "[%s]\\[%s]\n",  controller, global_myname(),
926                           ipc_domain, ipc_username));
927
928                 if (NT_STATUS_IS_OK(cli_session_setup(
929                                             *cli, ipc_username,
930                                             ipc_password, strlen(ipc_password)+1,
931                                             ipc_password, strlen(ipc_password)+1,
932                                             ipc_domain))) {
933                         /* Successful logon with given username. */
934                         result = cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
935                         if (!NT_STATUS_IS_OK(result)) {
936                                 goto done;
937                         }
938                         goto session_setup_done;
939                 } else {
940                         DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
941                                 ipc_domain, ipc_username ));
942                 }
943         }
944
945  anon_fallback:
946
947         /* Fall back to anonymous connection, this might fail later */
948         DEBUG(10,("cm_prepare_connection: falling back to anonymous "
949                 "connection for DC %s\n",
950                 controller ));
951
952         if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
953                                               NULL, 0, ""))) {
954                 DEBUG(5, ("Connected anonymously\n"));
955                 result = cli_init_creds(*cli, "", "", "");
956                 if (!NT_STATUS_IS_OK(result)) {
957                         goto done;
958                 }
959                 goto session_setup_done;
960         }
961
962         result = cli_nt_error(*cli);
963
964         if (NT_STATUS_IS_OK(result))
965                 result = NT_STATUS_UNSUCCESSFUL;
966
967         /* We can't session setup */
968
969         goto done;
970
971  session_setup_done:
972
973         /* cache the server name for later connections */
974
975         saf_store( domain->name, (*cli)->desthost );
976         if (domain->alt_name && (*cli)->use_kerberos) {
977                 saf_store( domain->alt_name, (*cli)->desthost );
978         }
979
980         winbindd_set_locator_kdc_envs(domain);
981
982         result = cli_tcon_andx(*cli, "IPC$", "IPC", "", 0);
983
984         if (!NT_STATUS_IS_OK(result)) {
985                 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
986                 goto done;
987         }
988
989         TALLOC_FREE(mutex);
990         *retry = False;
991
992         /* set the domain if empty; needed for schannel connections */
993         if ( !(*cli)->domain[0] ) {
994                 result = cli_set_domain((*cli), domain->name);
995                 if (!NT_STATUS_IS_OK(result)) {
996                         return result;
997                 }
998         }
999
1000         result = NT_STATUS_OK;
1001
1002  done:
1003         TALLOC_FREE(mutex);
1004         SAFE_FREE(machine_account);
1005         SAFE_FREE(machine_password);
1006         SAFE_FREE(machine_krb5_principal);
1007         SAFE_FREE(ipc_username);
1008         SAFE_FREE(ipc_domain);
1009         SAFE_FREE(ipc_password);
1010
1011         if (!NT_STATUS_IS_OK(result)) {
1012                 winbind_add_failed_connection_entry(domain, controller, result);
1013                 if ((*cli) != NULL) {
1014                         cli_shutdown(*cli);
1015                         *cli = NULL;
1016                 }
1017         }
1018
1019         return result;
1020 }
1021
1022 /*******************************************************************
1023  Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
1024  array.
1025
1026  Keeps the list unique by not adding duplicate entries.
1027
1028  @param[in] mem_ctx talloc memory context to allocate from
1029  @param[in] domain_name domain of the DC
1030  @param[in] dcname name of the DC to add to the list
1031  @param[in] pss Internet address and port pair to add to the list
1032  @param[in,out] dcs array of dc_name_ip structures to add to
1033  @param[in,out] num_dcs number of dcs returned in the dcs array
1034  @return true if the list was added to, false otherwise
1035 *******************************************************************/
1036
1037 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
1038                               const char *dcname, struct sockaddr_storage *pss,
1039                               struct dc_name_ip **dcs, int *num)
1040 {
1041         int i = 0;
1042
1043         if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
1044                 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
1045                 return False;
1046         }
1047
1048         /* Make sure there's no duplicates in the list */
1049         for (i=0; i<*num; i++)
1050                 if (sockaddr_equal(
1051                             (struct sockaddr *)(void *)&(*dcs)[i].ss,
1052                             (struct sockaddr *)(void *)pss))
1053                         return False;
1054
1055         *dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
1056
1057         if (*dcs == NULL)
1058                 return False;
1059
1060         fstrcpy((*dcs)[*num].name, dcname);
1061         (*dcs)[*num].ss = *pss;
1062         *num += 1;
1063         return True;
1064 }
1065
1066 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1067                                   struct sockaddr_storage *pss, uint16 port,
1068                                   struct sockaddr_storage **addrs, int *num)
1069 {
1070         *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1071
1072         if (*addrs == NULL) {
1073                 *num = 0;
1074                 return False;
1075         }
1076
1077         (*addrs)[*num] = *pss;
1078         set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
1079
1080         *num += 1;
1081         return True;
1082 }
1083
1084 /*******************************************************************
1085  convert an ip to a name
1086 *******************************************************************/
1087
1088 static bool dcip_to_name(TALLOC_CTX *mem_ctx,
1089                 const struct winbindd_domain *domain,
1090                 struct sockaddr_storage *pss,
1091                 fstring name )
1092 {
1093         struct ip_service ip_list;
1094         uint32_t nt_version = NETLOGON_NT_VERSION_1;
1095
1096         ip_list.ss = *pss;
1097         ip_list.port = 0;
1098
1099 #ifdef WITH_ADS
1100         /* For active directory servers, try to get the ldap server name.
1101            None of these failures should be considered critical for now */
1102
1103         if (lp_security() == SEC_ADS) {
1104                 ADS_STRUCT *ads;
1105                 ADS_STATUS ads_status;
1106                 char addr[INET6_ADDRSTRLEN];
1107
1108                 print_sockaddr(addr, sizeof(addr), pss);
1109
1110                 ads = ads_init(domain->alt_name, domain->name, addr);
1111                 ads->auth.flags |= ADS_AUTH_NO_BIND;
1112
1113                 ads_status = ads_connect(ads);
1114                 if (ADS_ERR_OK(ads_status)) {
1115                         /* We got a cldap packet. */
1116                         fstrcpy(name, ads->config.ldap_server_name);
1117                         namecache_store(name, 0x20, 1, &ip_list);
1118
1119                         DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1120
1121                         if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
1122                                 if (ads_closest_dc(ads)) {
1123                                         char *sitename = sitename_fetch(ads->config.realm);
1124
1125                                         /* We're going to use this KDC for this realm/domain.
1126                                            If we are using sites, then force the krb5 libs
1127                                            to use this KDC. */
1128
1129                                         create_local_private_krb5_conf_for_domain(domain->alt_name,
1130                                                                         domain->name,
1131                                                                         sitename,
1132                                                                         pss);
1133
1134                                         SAFE_FREE(sitename);
1135                                 } else {
1136                                         /* use an off site KDC */
1137                                         create_local_private_krb5_conf_for_domain(domain->alt_name,
1138                                                                         domain->name,
1139                                                                         NULL,
1140                                                                         pss);
1141                                 }
1142                                 winbindd_set_locator_kdc_envs(domain);
1143
1144                                 /* Ensure we contact this DC also. */
1145                                 saf_store( domain->name, name);
1146                                 saf_store( domain->alt_name, name);
1147                         }
1148
1149                         ads_destroy( &ads );
1150                         return True;
1151                 }
1152
1153                 ads_destroy( &ads );
1154         }
1155 #endif
1156
1157         /* try GETDC requests next */
1158
1159         if (send_getdc_request(mem_ctx, winbind_messaging_context(),
1160                                pss, domain->name, &domain->sid,
1161                                nt_version)) {
1162                 const char *dc_name = NULL;
1163                 int i;
1164                 smb_msleep(100);
1165                 for (i=0; i<5; i++) {
1166                         if (receive_getdc_response(mem_ctx, pss, domain->name,
1167                                                    &nt_version,
1168                                                    &dc_name, NULL)) {
1169                                 fstrcpy(name, dc_name);
1170                                 namecache_store(name, 0x20, 1, &ip_list);
1171                                 return True;
1172                         }
1173                         smb_msleep(500);
1174                 }
1175         }
1176
1177         /* try node status request */
1178
1179         if ( name_status_find(domain->name, 0x1c, 0x20, pss, name) ) {
1180                 namecache_store(name, 0x20, 1, &ip_list);
1181                 return True;
1182         }
1183         return False;
1184 }
1185
1186 /*******************************************************************
1187  Retrieve a list of IP addresses for domain controllers.
1188
1189  The array is sorted in the preferred connection order.
1190
1191  @param[in] mem_ctx talloc memory context to allocate from
1192  @param[in] domain domain to retrieve DCs for
1193  @param[out] dcs array of dcs that will be returned
1194  @param[out] num_dcs number of dcs returned in the dcs array
1195  @return always true
1196 *******************************************************************/
1197
1198 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1199                     struct dc_name_ip **dcs, int *num_dcs)
1200 {
1201         fstring dcname;
1202         struct  sockaddr_storage ss;
1203         struct  ip_service *ip_list = NULL;
1204         int     iplist_size = 0;
1205         int     i;
1206         bool    is_our_domain;
1207         enum security_types sec = (enum security_types)lp_security();
1208
1209         is_our_domain = strequal(domain->name, lp_workgroup());
1210
1211         /* If not our domain, get the preferred DC, by asking our primary DC */
1212         if ( !is_our_domain
1213                 && get_dc_name_via_netlogon(domain, dcname, &ss)
1214                 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
1215                        num_dcs) )
1216         {
1217                 char addr[INET6_ADDRSTRLEN];
1218                 print_sockaddr(addr, sizeof(addr), &ss);
1219                 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1220                            dcname, addr));
1221                 return True;
1222         }
1223
1224         if (sec == SEC_ADS) {
1225                 char *sitename = NULL;
1226
1227                 /* We need to make sure we know the local site before
1228                    doing any DNS queries, as this will restrict the
1229                    get_sorted_dc_list() call below to only fetching
1230                    DNS records for the correct site. */
1231
1232                 /* Find any DC to get the site record.
1233                    We deliberately don't care about the
1234                    return here. */
1235
1236                 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1237
1238                 sitename = sitename_fetch(domain->alt_name);
1239                 if (sitename) {
1240
1241                         /* Do the site-specific AD dns lookup first. */
1242                         get_sorted_dc_list(domain->alt_name, sitename, &ip_list,
1243                                &iplist_size, True);
1244
1245                         /* Add ips to the DC array.  We don't look up the name
1246                            of the DC in this function, but we fill in the char*
1247                            of the ip now to make the failed connection cache
1248                            work */
1249                         for ( i=0; i<iplist_size; i++ ) {
1250                                 char addr[INET6_ADDRSTRLEN];
1251                                 print_sockaddr(addr, sizeof(addr),
1252                                                 &ip_list[i].ss);
1253                                 add_one_dc_unique(mem_ctx,
1254                                                 domain->name,
1255                                                 addr,
1256                                                 &ip_list[i].ss,
1257                                                 dcs,
1258                                                 num_dcs);
1259                         }
1260
1261                         SAFE_FREE(ip_list);
1262                         SAFE_FREE(sitename);
1263                         iplist_size = 0;
1264                 }
1265
1266                 /* Now we add DCs from the main AD DNS lookup. */
1267                 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1268                         &iplist_size, True);
1269
1270                 for ( i=0; i<iplist_size; i++ ) {
1271                         char addr[INET6_ADDRSTRLEN];
1272                         print_sockaddr(addr, sizeof(addr),
1273                                         &ip_list[i].ss);
1274                         add_one_dc_unique(mem_ctx,
1275                                         domain->name,
1276                                         addr,
1277                                         &ip_list[i].ss,
1278                                         dcs,
1279                                         num_dcs);
1280                 }
1281
1282                 SAFE_FREE(ip_list);
1283                 iplist_size = 0;
1284         }
1285
1286         /* Try standard netbios queries if no ADS */
1287         if (*num_dcs == 0) {
1288                 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
1289                        False);
1290
1291                 for ( i=0; i<iplist_size; i++ ) {
1292                         char addr[INET6_ADDRSTRLEN];
1293                         print_sockaddr(addr, sizeof(addr),
1294                                         &ip_list[i].ss);
1295                         add_one_dc_unique(mem_ctx,
1296                                         domain->name,
1297                                         addr,
1298                                         &ip_list[i].ss,
1299                                         dcs,
1300                                         num_dcs);
1301                 }
1302
1303                 SAFE_FREE(ip_list);
1304                 iplist_size = 0;
1305         }
1306
1307         return True;
1308 }
1309
1310 /*******************************************************************
1311  Find and make a connection to a DC in the given domain.
1312
1313  @param[in] mem_ctx talloc memory context to allocate from
1314  @param[in] domain domain to find a dc in
1315  @param[out] dcname NetBIOS or FQDN of DC that's connected to
1316  @param[out] pss DC Internet address and port
1317  @param[out] fd fd of the open socket connected to the newly found dc
1318  @return true when a DC connection is made, false otherwise
1319 *******************************************************************/
1320
1321 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1322                         struct winbindd_domain *domain,
1323                         fstring dcname, struct sockaddr_storage *pss, int *fd)
1324 {
1325         struct dc_name_ip *dcs = NULL;
1326         int num_dcs = 0;
1327
1328         const char **dcnames = NULL;
1329         int num_dcnames = 0;
1330
1331         struct sockaddr_storage *addrs = NULL;
1332         int num_addrs = 0;
1333
1334         int i, fd_index;
1335
1336         *fd = -1;
1337
1338  again:
1339         if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1340                 return False;
1341
1342         for (i=0; i<num_dcs; i++) {
1343
1344                 if (!add_string_to_array(mem_ctx, dcs[i].name,
1345                                     &dcnames, &num_dcnames)) {
1346                         return False;
1347                 }
1348                 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 445,
1349                                       &addrs, &num_addrs)) {
1350                         return False;
1351                 }
1352
1353                 if (!add_string_to_array(mem_ctx, dcs[i].name,
1354                                     &dcnames, &num_dcnames)) {
1355                         return False;
1356                 }
1357                 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 139,
1358                                       &addrs, &num_addrs)) {
1359                         return False;
1360                 }
1361         }
1362
1363         if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1364                 return False;
1365
1366         if ((addrs == NULL) || (dcnames == NULL))
1367                 return False;
1368
1369         /* 5 second timeout. */
1370         if (!open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) {
1371                 for (i=0; i<num_dcs; i++) {
1372                         char ab[INET6_ADDRSTRLEN];
1373                         print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1374                         DEBUG(10, ("find_new_dc: open_any_socket_out failed for "
1375                                 "domain %s address %s. Error was %s\n",
1376                                 domain->name, ab, strerror(errno) ));
1377                         winbind_add_failed_connection_entry(domain,
1378                                 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1379                 }
1380                 return False;
1381         }
1382
1383         *pss = addrs[fd_index];
1384
1385         if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1386                 /* Ok, we've got a name for the DC */
1387                 fstrcpy(dcname, dcnames[fd_index]);
1388                 return True;
1389         }
1390
1391         /* Try to figure out the name */
1392         if (dcip_to_name(mem_ctx, domain, pss, dcname)) {
1393                 return True;
1394         }
1395
1396         /* We can not continue without the DC's name */
1397         winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1398                                     NT_STATUS_UNSUCCESSFUL);
1399
1400         /* Throw away all arrays as we're doing this again. */
1401         TALLOC_FREE(dcs);
1402         num_dcs = 0;
1403
1404         TALLOC_FREE(dcnames);
1405         num_dcnames = 0;
1406
1407         TALLOC_FREE(addrs);
1408         num_addrs = 0;
1409
1410         close(*fd);
1411         *fd = -1;
1412
1413         goto again;
1414 }
1415
1416 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1417                                    struct winbindd_cm_conn *new_conn)
1418 {
1419         TALLOC_CTX *mem_ctx;
1420         NTSTATUS result;
1421         char *saf_servername = saf_fetch( domain->name );
1422         int retries;
1423
1424         if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1425                 SAFE_FREE(saf_servername);
1426                 set_domain_offline(domain);
1427                 return NT_STATUS_NO_MEMORY;
1428         }
1429
1430         /* we have to check the server affinity cache here since 
1431            later we selecte a DC based on response time and not preference */
1432
1433         /* Check the negative connection cache
1434            before talking to it. It going down may have
1435            triggered the reconnection. */
1436
1437         if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1438
1439                 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1440                         saf_servername, domain->name ));
1441
1442                 /* convert an ip address to a name */
1443                 if (is_ipaddress( saf_servername ) ) {
1444                         fstring saf_name;
1445                         struct sockaddr_storage ss;
1446
1447                         if (!interpret_string_addr(&ss, saf_servername,
1448                                                 AI_NUMERICHOST)) {
1449                                 return NT_STATUS_UNSUCCESSFUL;
1450                         }
1451                         if (dcip_to_name(mem_ctx, domain, &ss, saf_name )) {
1452                                 fstrcpy( domain->dcname, saf_name );
1453                         } else {
1454                                 winbind_add_failed_connection_entry(
1455                                         domain, saf_servername,
1456                                         NT_STATUS_UNSUCCESSFUL);
1457                         }
1458                 } else {
1459                         fstrcpy( domain->dcname, saf_servername );
1460                 }
1461
1462                 SAFE_FREE( saf_servername );
1463         }
1464
1465         for (retries = 0; retries < 3; retries++) {
1466                 int fd = -1;
1467                 bool retry = False;
1468
1469                 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1470
1471                 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1472                         domain->dcname, domain->name ));
1473
1474                 if (*domain->dcname 
1475                         && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1476                         && (resolve_name(domain->dcname, &domain->dcaddr, 0x20, true)))
1477                 {
1478                         struct sockaddr_storage *addrs = NULL;
1479                         int num_addrs = 0;
1480                         int dummy = 0;
1481
1482                         if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 445, &addrs, &num_addrs)) {
1483                                 set_domain_offline(domain);
1484                                 talloc_destroy(mem_ctx);
1485                                 return NT_STATUS_NO_MEMORY;
1486                         }
1487                         if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 139, &addrs, &num_addrs)) {
1488                                 set_domain_offline(domain);
1489                                 talloc_destroy(mem_ctx);
1490                                 return NT_STATUS_NO_MEMORY;
1491                         }
1492
1493                         /* 5 second timeout. */
1494                         if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) {
1495                                 fd = -1;
1496                         }
1497                 }
1498
1499                 if ((fd == -1) 
1500                         && !find_new_dc(mem_ctx, domain, domain->dcname, &domain->dcaddr, &fd))
1501                 {
1502                         /* This is the one place where we will
1503                            set the global winbindd offline state
1504                            to true, if a "WINBINDD_OFFLINE" entry
1505                            is found in the winbindd cache. */
1506                         set_global_winbindd_state_offline();
1507                         break;
1508                 }
1509
1510                 new_conn->cli = NULL;
1511
1512                 result = cm_prepare_connection(domain, fd, domain->dcname,
1513                         &new_conn->cli, &retry);
1514
1515                 if (!retry)
1516                         break;
1517         }
1518
1519         if (NT_STATUS_IS_OK(result)) {
1520
1521                 winbindd_set_locator_kdc_envs(domain);
1522
1523                 if (domain->online == False) {
1524                         /* We're changing state from offline to online. */
1525                         set_global_winbindd_state_online();
1526                 }
1527                 set_domain_online(domain);
1528         } else {
1529                 /* Ensure we setup the retry handler. */
1530                 set_domain_offline(domain);
1531         }
1532
1533         talloc_destroy(mem_ctx);
1534         return result;
1535 }
1536
1537 /* Close down all open pipes on a connection. */
1538
1539 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
1540 {
1541         /* We're closing down a possibly dead
1542            connection. Don't have impossibly long (10s) timeouts. */
1543
1544         if (conn->cli) {
1545                 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1546         }
1547
1548         if (conn->samr_pipe != NULL) {
1549                 TALLOC_FREE(conn->samr_pipe);
1550                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1551                 if (conn->cli) {
1552                         cli_set_timeout(conn->cli, 500);
1553                 }
1554         }
1555
1556         if (conn->lsa_pipe != NULL) {
1557                 TALLOC_FREE(conn->lsa_pipe);
1558                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1559                 if (conn->cli) {
1560                         cli_set_timeout(conn->cli, 500);
1561                 }
1562         }
1563
1564         if (conn->netlogon_pipe != NULL) {
1565                 TALLOC_FREE(conn->netlogon_pipe);
1566                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1567                 if (conn->cli) {
1568                         cli_set_timeout(conn->cli, 500);
1569                 }
1570         }
1571
1572         if (conn->cli) {
1573                 cli_shutdown(conn->cli);
1574         }
1575
1576         conn->cli = NULL;
1577 }
1578
1579 void close_conns_after_fork(void)
1580 {
1581         struct winbindd_domain *domain;
1582
1583         for (domain = domain_list(); domain; domain = domain->next) {
1584                 if (domain->conn.cli == NULL)
1585                         continue;
1586
1587                 if (domain->conn.cli->fd == -1)
1588                         continue;
1589
1590                 close(domain->conn.cli->fd);
1591                 domain->conn.cli->fd = -1;
1592         }
1593 }
1594
1595 static bool connection_ok(struct winbindd_domain *domain)
1596 {
1597         if (domain->conn.cli == NULL) {
1598                 DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
1599                           "cli!\n", domain->dcname, domain->name));
1600                 return False;
1601         }
1602
1603         if (!domain->conn.cli->initialised) {
1604                 DEBUG(3, ("connection_ok: Connection to %s for domain %s was never "
1605                           "initialised!\n", domain->dcname, domain->name));
1606                 return False;
1607         }
1608
1609         if (domain->conn.cli->fd == -1) {
1610                 DEBUG(3, ("connection_ok: Connection to %s for domain %s has died or was "
1611                           "never started (fd == -1)\n", 
1612                           domain->dcname, domain->name));
1613                 return False;
1614         }
1615
1616         if (domain->online == False) {
1617                 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1618                 return False;
1619         }
1620
1621         return True;
1622 }
1623
1624 /* Initialize a new connection up to the RPC BIND.
1625    Bypass online status check so always does network calls. */
1626
1627 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
1628 {
1629         NTSTATUS result;
1630
1631         /* Internal connections never use the network. */
1632         if (domain->internal) {
1633                 domain->initialized = True;
1634                 return NT_STATUS_OK;
1635         }
1636
1637         if (connection_ok(domain)) {
1638                 if (!domain->initialized) {
1639                         set_dc_type_and_flags(domain);
1640                 }
1641                 return NT_STATUS_OK;
1642         }
1643
1644         invalidate_cm_connection(&domain->conn);
1645
1646         result = cm_open_connection(domain, &domain->conn);
1647
1648         if (NT_STATUS_IS_OK(result) && !domain->initialized) {
1649                 set_dc_type_and_flags(domain);
1650         }
1651
1652         return result;
1653 }
1654
1655 NTSTATUS init_dc_connection(struct winbindd_domain *domain)
1656 {
1657         if (domain->initialized && !domain->online) {
1658                 /* We check for online status elsewhere. */
1659                 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1660         }
1661
1662         return init_dc_connection_network(domain);
1663 }
1664
1665 /******************************************************************************
1666  Set the trust flags (direction and forest location) for a domain
1667 ******************************************************************************/
1668
1669 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
1670 {
1671         struct winbindd_domain *our_domain;
1672         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1673         struct netr_DomainTrustList trusts;
1674         int i;
1675         uint32 flags = (NETR_TRUST_FLAG_IN_FOREST |
1676                         NETR_TRUST_FLAG_OUTBOUND |
1677                         NETR_TRUST_FLAG_INBOUND);
1678         struct rpc_pipe_client *cli;
1679         TALLOC_CTX *mem_ctx = NULL;
1680
1681         DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
1682
1683         /* Our primary domain doesn't need to worry about trust flags.
1684            Force it to go through the network setup */
1685         if ( domain->primary ) {                
1686                 return False;           
1687         }
1688
1689         our_domain = find_our_domain();
1690
1691         if ( !connection_ok(our_domain) ) {
1692                 DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));           
1693                 return False;
1694         }
1695
1696         /* This won't work unless our domain is AD */
1697
1698         if ( !our_domain->active_directory ) {
1699                 return False;
1700         }
1701
1702         /* Use DsEnumerateDomainTrusts to get us the trust direction
1703            and type */
1704
1705         result = cm_connect_netlogon(our_domain, &cli);
1706
1707         if (!NT_STATUS_IS_OK(result)) {
1708                 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
1709                           "a connection to %s for PIPE_NETLOGON (%s)\n", 
1710                           domain->name, nt_errstr(result)));
1711                 return False;
1712         }
1713
1714         if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
1715                 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
1716                 return False;
1717         }       
1718
1719         result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1720                                                       cli->desthost,
1721                                                       flags,
1722                                                       &trusts,
1723                                                       NULL);
1724         if (!NT_STATUS_IS_OK(result)) {
1725                 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
1726                         "failed to query trusted domain list: %s\n",
1727                         nt_errstr(result)));
1728                 talloc_destroy(mem_ctx);
1729                 return false;
1730         }
1731
1732         /* Now find the domain name and get the flags */
1733
1734         for ( i=0; i<trusts.count; i++ ) {
1735                 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
1736                         domain->domain_flags          = trusts.array[i].trust_flags;
1737                         domain->domain_type           = trusts.array[i].trust_type;
1738                         domain->domain_trust_attribs  = trusts.array[i].trust_attributes;
1739
1740                         if ( domain->domain_type == NETR_TRUST_TYPE_UPLEVEL )
1741                                 domain->active_directory = True;
1742
1743                         /* This flag is only set if the domain is *our* 
1744                            primary domain and the primary domain is in
1745                            native mode */
1746
1747                         domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
1748
1749                         DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
1750                                   "native mode.\n", domain->name, 
1751                                   domain->native_mode ? "" : "NOT "));
1752
1753                         DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
1754                                  "running active directory.\n", domain->name, 
1755                                  domain->active_directory ? "" : "NOT "));
1756
1757
1758                         domain->initialized = True;
1759
1760                         if ( !winbindd_can_contact_domain( domain) )
1761                                 domain->internal = True;
1762
1763                         break;
1764                 }               
1765         }
1766
1767         talloc_destroy( mem_ctx );
1768
1769         return domain->initialized;     
1770 }
1771
1772 /******************************************************************************
1773  We can 'sense' certain things about the DC by it's replies to certain
1774  questions.
1775
1776  This tells us if this particular remote server is Active Directory, and if it
1777  is native mode.
1778 ******************************************************************************/
1779
1780 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
1781 {
1782         NTSTATUS                result;
1783         WERROR werr;
1784         TALLOC_CTX              *mem_ctx = NULL;
1785         struct rpc_pipe_client  *cli = NULL;
1786         struct policy_handle pol;
1787         union dssetup_DsRoleInfo info;
1788         union lsa_PolicyInformation *lsa_info = NULL;
1789
1790         if (!connection_ok(domain)) {
1791                 return;
1792         }
1793
1794         mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
1795                               domain->name);
1796         if (!mem_ctx) {
1797                 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
1798                 return;
1799         }
1800
1801         DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
1802
1803         result = cli_rpc_pipe_open_noauth(domain->conn.cli,
1804                                           &ndr_table_dssetup.syntax_id,
1805                                           &cli);
1806
1807         if (!NT_STATUS_IS_OK(result)) {
1808                 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1809                           "PI_DSSETUP on domain %s: (%s)\n",
1810                           domain->name, nt_errstr(result)));
1811
1812                 /* if this is just a non-AD domain we need to continue
1813                  * identifying so that we can in the end return with
1814                  * domain->initialized = True - gd */
1815
1816                 goto no_dssetup;
1817         }
1818
1819         result = rpccli_dssetup_DsRoleGetPrimaryDomainInformation(cli, mem_ctx,
1820                                                                   DS_ROLE_BASIC_INFORMATION,
1821                                                                   &info,
1822                                                                   &werr);
1823         TALLOC_FREE(cli);
1824
1825         if (!NT_STATUS_IS_OK(result)) {
1826                 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
1827                           "on domain %s failed: (%s)\n",
1828                           domain->name, nt_errstr(result)));
1829
1830                 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
1831                  * every opcode on the DSSETUP pipe, continue with
1832                  * no_dssetup mode here as well to get domain->initialized
1833                  * set - gd */
1834
1835                 if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
1836                         goto no_dssetup;
1837                 }
1838
1839                 TALLOC_FREE(mem_ctx);
1840                 return;
1841         }
1842
1843         if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
1844             !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
1845                 domain->native_mode = True;
1846         } else {
1847                 domain->native_mode = False;
1848         }
1849
1850 no_dssetup:
1851         result = cli_rpc_pipe_open_noauth(domain->conn.cli,
1852                                           &ndr_table_lsarpc.syntax_id, &cli);
1853
1854         if (!NT_STATUS_IS_OK(result)) {
1855                 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1856                           "PI_LSARPC on domain %s: (%s)\n",
1857                           domain->name, nt_errstr(result)));
1858                 TALLOC_FREE(cli);
1859                 TALLOC_FREE(mem_ctx);
1860                 return;
1861         }
1862
1863         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
1864                                          SEC_FLAG_MAXIMUM_ALLOWED, &pol);
1865
1866         if (NT_STATUS_IS_OK(result)) {
1867                 /* This particular query is exactly what Win2k clients use 
1868                    to determine that the DC is active directory */
1869                 result = rpccli_lsa_QueryInfoPolicy2(cli, mem_ctx,
1870                                                      &pol,
1871                                                      LSA_POLICY_INFO_DNS,
1872                                                      &lsa_info);
1873         }
1874
1875         if (NT_STATUS_IS_OK(result)) {
1876                 domain->active_directory = True;
1877
1878                 if (lsa_info->dns.name.string) {
1879                         fstrcpy(domain->name, lsa_info->dns.name.string);
1880                 }
1881
1882                 if (lsa_info->dns.dns_domain.string) {
1883                         fstrcpy(domain->alt_name,
1884                                 lsa_info->dns.dns_domain.string);
1885                 }
1886
1887                 /* See if we can set some domain trust flags about
1888                    ourself */
1889
1890                 if (lsa_info->dns.dns_forest.string) {
1891                         fstrcpy(domain->forest_name,
1892                                 lsa_info->dns.dns_forest.string);
1893
1894                         if (strequal(domain->forest_name, domain->alt_name)) {
1895                                 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
1896                         }
1897                 }
1898
1899                 if (lsa_info->dns.sid) {
1900                         sid_copy(&domain->sid, lsa_info->dns.sid);
1901                 }
1902         } else {
1903                 domain->active_directory = False;
1904
1905                 result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
1906                                                 SEC_FLAG_MAXIMUM_ALLOWED,
1907                                                 &pol);
1908
1909                 if (!NT_STATUS_IS_OK(result)) {
1910                         goto done;
1911                 }
1912
1913                 result = rpccli_lsa_QueryInfoPolicy(cli, mem_ctx,
1914                                                     &pol,
1915                                                     LSA_POLICY_INFO_ACCOUNT_DOMAIN,
1916                                                     &lsa_info);
1917
1918                 if (NT_STATUS_IS_OK(result)) {
1919
1920                         if (lsa_info->account_domain.name.string) {
1921                                 fstrcpy(domain->name,
1922                                         lsa_info->account_domain.name.string);
1923                         }
1924
1925                         if (lsa_info->account_domain.sid) {
1926                                 sid_copy(&domain->sid, lsa_info->account_domain.sid);
1927                         }
1928                 }
1929         }
1930 done:
1931
1932         DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
1933                   domain->name, domain->native_mode ? "" : "NOT "));
1934
1935         DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
1936                   domain->name, domain->active_directory ? "" : "NOT "));
1937
1938         TALLOC_FREE(cli);
1939
1940         TALLOC_FREE(mem_ctx);
1941
1942         domain->initialized = True;
1943 }
1944
1945 /**********************************************************************
1946  Set the domain_flags (trust attributes, domain operating modes, etc... 
1947 ***********************************************************************/
1948
1949 static void set_dc_type_and_flags( struct winbindd_domain *domain )
1950 {
1951         /* we always have to contact our primary domain */
1952
1953         if ( domain->primary ) {
1954                 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
1955                           "primary domain\n"));
1956                 set_dc_type_and_flags_connect( domain );
1957                 return;         
1958         }
1959
1960         /* Use our DC to get the information if possible */
1961
1962         if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
1963                 /* Otherwise, fallback to contacting the 
1964                    domain directly */
1965                 set_dc_type_and_flags_connect( domain );
1966         }
1967
1968         return;
1969 }
1970
1971
1972
1973 /**********************************************************************
1974 ***********************************************************************/
1975
1976 static bool cm_get_schannel_creds(struct winbindd_domain *domain,
1977                                    struct netlogon_creds_CredentialState **ppdc)
1978 {
1979         NTSTATUS result;
1980         struct rpc_pipe_client *netlogon_pipe;
1981
1982         if (lp_client_schannel() == False) {
1983                 return False;
1984         }
1985
1986         result = cm_connect_netlogon(domain, &netlogon_pipe);
1987         if (!NT_STATUS_IS_OK(result)) {
1988                 return False;
1989         }
1990
1991         /* Return a pointer to the struct netlogon_creds_CredentialState from the
1992            netlogon pipe. */
1993
1994         if (!domain->conn.netlogon_pipe->dc) {
1995                 return false;
1996         }
1997
1998         *ppdc = domain->conn.netlogon_pipe->dc;
1999         return True;
2000 }
2001
2002 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2003                         struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
2004 {
2005         struct winbindd_cm_conn *conn;
2006         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2007         struct netlogon_creds_CredentialState *p_creds;
2008         char *machine_password = NULL;
2009         char *machine_account = NULL;
2010         char *domain_name = NULL;
2011
2012         result = init_dc_connection(domain);
2013         if (!NT_STATUS_IS_OK(result)) {
2014                 return result;
2015         }
2016
2017         conn = &domain->conn;
2018
2019         if (conn->samr_pipe != NULL) {
2020                 goto done;
2021         }
2022
2023
2024         /*
2025          * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
2026          * sign and sealed pipe using the machine account password by
2027          * preference. If we can't - try schannel, if that fails, try
2028          * anonymous.
2029          */
2030
2031         if ((conn->cli->user_name[0] == '\0') ||
2032             (conn->cli->domain[0] == '\0') || 
2033             (conn->cli->password == NULL || conn->cli->password[0] == '\0'))
2034         {
2035                 result = get_trust_creds(domain, &machine_password,
2036                                          &machine_account, NULL);
2037                 if (!NT_STATUS_IS_OK(result)) {
2038                         DEBUG(10, ("cm_connect_sam: No no user available for "
2039                                    "domain %s, trying schannel\n", conn->cli->domain));
2040                         goto schannel;
2041                 }
2042                 domain_name = domain->name;
2043         } else {
2044                 machine_password = SMB_STRDUP(conn->cli->password);
2045                 machine_account = SMB_STRDUP(conn->cli->user_name);
2046                 domain_name = conn->cli->domain;
2047         }
2048
2049         if (!machine_password || !machine_account) {
2050                 result = NT_STATUS_NO_MEMORY;
2051                 goto done;
2052         }
2053
2054         /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2055            authenticated SAMR pipe with sign & seal. */
2056         result = cli_rpc_pipe_open_spnego_ntlmssp(conn->cli,
2057                                                   &ndr_table_samr.syntax_id,
2058                                                   PIPE_AUTH_LEVEL_PRIVACY,
2059                                                   domain_name,
2060                                                   machine_account,
2061                                                   machine_password,
2062                                                   &conn->samr_pipe);
2063
2064         if (!NT_STATUS_IS_OK(result)) {
2065                 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2066                           "pipe for domain %s using NTLMSSP "
2067                           "authenticated pipe: user %s\\%s. Error was "
2068                           "%s\n", domain->name, domain_name,
2069                           machine_account, nt_errstr(result)));
2070                 goto schannel;
2071         }
2072
2073         DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2074                   "domain %s using NTLMSSP authenticated "
2075                   "pipe: user %s\\%s\n", domain->name,
2076                   domain_name, machine_account));
2077
2078         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2079                                       conn->samr_pipe->desthost,
2080                                       SEC_FLAG_MAXIMUM_ALLOWED,
2081                                       &conn->sam_connect_handle);
2082         if (NT_STATUS_IS_OK(result)) {
2083                 goto open_domain;
2084         }
2085         DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_Connect2 "
2086                   "failed for domain %s, error was %s. Trying schannel\n",
2087                   domain->name, nt_errstr(result) ));
2088         TALLOC_FREE(conn->samr_pipe);
2089
2090  schannel:
2091
2092         /* Fall back to schannel if it's a W2K pre-SP1 box. */
2093
2094         if (!cm_get_schannel_creds(domain, &p_creds)) {
2095                 /* If this call fails - conn->cli can now be NULL ! */
2096                 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2097                            "for domain %s, trying anon\n", domain->name));
2098                 goto anonymous;
2099         }
2100         result = cli_rpc_pipe_open_schannel_with_key
2101                 (conn->cli, &ndr_table_samr.syntax_id, PIPE_AUTH_LEVEL_PRIVACY,
2102                  domain->name, &p_creds, &conn->samr_pipe);
2103
2104         if (!NT_STATUS_IS_OK(result)) {
2105                 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2106                           "domain %s using schannel. Error was %s\n",
2107                           domain->name, nt_errstr(result) ));
2108                 goto anonymous;
2109         }
2110         DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2111                   "schannel.\n", domain->name ));
2112
2113         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2114                                       conn->samr_pipe->desthost,
2115                                       SEC_FLAG_MAXIMUM_ALLOWED,
2116                                       &conn->sam_connect_handle);
2117         if (NT_STATUS_IS_OK(result)) {
2118                 goto open_domain;
2119         }
2120         DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_Connect2 failed "
2121                   "for domain %s, error was %s. Trying anonymous\n",
2122                   domain->name, nt_errstr(result) ));
2123         TALLOC_FREE(conn->samr_pipe);
2124
2125  anonymous:
2126
2127         /* Finally fall back to anonymous. */
2128         result = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
2129                                           &conn->samr_pipe);
2130
2131         if (!NT_STATUS_IS_OK(result)) {
2132                 goto done;
2133         }
2134
2135         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2136                                       conn->samr_pipe->desthost,
2137                                       SEC_FLAG_MAXIMUM_ALLOWED,
2138                                       &conn->sam_connect_handle);
2139         if (!NT_STATUS_IS_OK(result)) {
2140                 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2141                           "for domain %s Error was %s\n",
2142                           domain->name, nt_errstr(result) ));
2143                 goto done;
2144         }
2145
2146  open_domain:
2147         result = rpccli_samr_OpenDomain(conn->samr_pipe,
2148                                         mem_ctx,
2149                                         &conn->sam_connect_handle,
2150                                         SEC_FLAG_MAXIMUM_ALLOWED,
2151                                         &domain->sid,
2152                                         &conn->sam_domain_handle);
2153
2154  done:
2155
2156         if (!NT_STATUS_IS_OK(result)) {
2157                 invalidate_cm_connection(conn);
2158                 return result;
2159         }
2160
2161         *cli = conn->samr_pipe;
2162         *sam_handle = conn->sam_domain_handle;
2163         SAFE_FREE(machine_password);
2164         SAFE_FREE(machine_account);
2165         return result;
2166 }
2167
2168 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2169                         struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
2170 {
2171         struct winbindd_cm_conn *conn;
2172         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2173         struct netlogon_creds_CredentialState *p_creds;
2174
2175         result = init_dc_connection(domain);
2176         if (!NT_STATUS_IS_OK(result))
2177                 return result;
2178
2179         conn = &domain->conn;
2180
2181         if (conn->lsa_pipe != NULL) {
2182                 goto done;
2183         }
2184
2185         if ((conn->cli->user_name[0] == '\0') ||
2186             (conn->cli->domain[0] == '\0') || 
2187             (conn->cli->password == NULL || conn->cli->password[0] == '\0')) {
2188                 DEBUG(10, ("cm_connect_lsa: No no user available for "
2189                            "domain %s, trying schannel\n", conn->cli->domain));
2190                 goto schannel;
2191         }
2192
2193         /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2194          * authenticated LSA pipe with sign & seal. */
2195         result = cli_rpc_pipe_open_spnego_ntlmssp
2196                 (conn->cli, &ndr_table_lsarpc.syntax_id,
2197                  PIPE_AUTH_LEVEL_PRIVACY,
2198                  conn->cli->domain, conn->cli->user_name, conn->cli->password,
2199                  &conn->lsa_pipe);
2200
2201         if (!NT_STATUS_IS_OK(result)) {
2202                 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2203                           "domain %s using NTLMSSP authenticated pipe: user "
2204                           "%s\\%s. Error was %s. Trying schannel.\n",
2205                           domain->name, conn->cli->domain,
2206                           conn->cli->user_name, nt_errstr(result)));
2207                 goto schannel;
2208         }
2209
2210         DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2211                   "NTLMSSP authenticated pipe: user %s\\%s\n",
2212                   domain->name, conn->cli->domain, conn->cli->user_name ));
2213
2214         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2215                                         SEC_FLAG_MAXIMUM_ALLOWED,
2216                                         &conn->lsa_policy);
2217         if (NT_STATUS_IS_OK(result)) {
2218                 goto done;
2219         }
2220
2221         DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2222                   "schannel\n"));
2223
2224         TALLOC_FREE(conn->lsa_pipe);
2225
2226  schannel:
2227
2228         /* Fall back to schannel if it's a W2K pre-SP1 box. */
2229
2230         if (!cm_get_schannel_creds(domain, &p_creds)) {
2231                 /* If this call fails - conn->cli can now be NULL ! */
2232                 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2233                            "for domain %s, trying anon\n", domain->name));
2234                 goto anonymous;
2235         }
2236         result = cli_rpc_pipe_open_schannel_with_key
2237                 (conn->cli, &ndr_table_lsarpc.syntax_id,
2238                  PIPE_AUTH_LEVEL_PRIVACY,
2239                  domain->name, &p_creds, &conn->lsa_pipe);
2240
2241         if (!NT_STATUS_IS_OK(result)) {
2242                 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2243                           "domain %s using schannel. Error was %s\n",
2244                           domain->name, nt_errstr(result) ));
2245                 goto anonymous;
2246         }
2247         DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2248                   "schannel.\n", domain->name ));
2249
2250         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2251                                         SEC_FLAG_MAXIMUM_ALLOWED,
2252                                         &conn->lsa_policy);
2253         if (NT_STATUS_IS_OK(result)) {
2254                 goto done;
2255         }
2256
2257         DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2258                   "anonymous\n"));
2259
2260         TALLOC_FREE(conn->lsa_pipe);
2261
2262  anonymous:
2263
2264         result = cli_rpc_pipe_open_noauth(conn->cli,
2265                                           &ndr_table_lsarpc.syntax_id,
2266                                           &conn->lsa_pipe);
2267         if (!NT_STATUS_IS_OK(result)) {
2268                 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2269                 goto done;
2270         }
2271
2272         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2273                                         SEC_FLAG_MAXIMUM_ALLOWED,
2274                                         &conn->lsa_policy);
2275  done:
2276         if (!NT_STATUS_IS_OK(result)) {
2277                 invalidate_cm_connection(conn);
2278                 return result;
2279         }
2280
2281         *cli = conn->lsa_pipe;
2282         *lsa_policy = conn->lsa_policy;
2283         return result;
2284 }
2285
2286 /****************************************************************************
2287  Open the netlogon pipe to this DC. Use schannel if specified in client conf.
2288  session key stored in conn->netlogon_pipe->dc->sess_key.
2289 ****************************************************************************/
2290
2291 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2292                              struct rpc_pipe_client **cli)
2293 {
2294         struct winbindd_cm_conn *conn;
2295         NTSTATUS result;
2296
2297         uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2298         uint8  mach_pwd[16];
2299         uint32  sec_chan_type;
2300         const char *account_name;
2301         struct rpc_pipe_client *netlogon_pipe = NULL;
2302
2303         *cli = NULL;
2304
2305         result = init_dc_connection(domain);
2306         if (!NT_STATUS_IS_OK(result)) {
2307                 return result;
2308         }
2309
2310         conn = &domain->conn;
2311
2312         if (conn->netlogon_pipe != NULL) {
2313                 *cli = conn->netlogon_pipe;
2314                 return NT_STATUS_OK;
2315         }
2316
2317         result = cli_rpc_pipe_open_noauth(conn->cli,
2318                                           &ndr_table_netlogon.syntax_id,
2319                                           &netlogon_pipe);
2320         if (!NT_STATUS_IS_OK(result)) {
2321                 return result;
2322         }
2323
2324         if ((!IS_DC) && (!domain->primary)) {
2325                 /* Clear the schannel request bit and drop down */
2326                 neg_flags &= ~NETLOGON_NEG_SCHANNEL;            
2327                 goto no_schannel;
2328         }
2329
2330         if (lp_client_schannel() != False) {
2331                 neg_flags |= NETLOGON_NEG_SCHANNEL;
2332         }
2333
2334         if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
2335                                &sec_chan_type))
2336         {
2337                 TALLOC_FREE(netlogon_pipe);
2338                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2339         }
2340
2341         result = rpccli_netlogon_setup_creds(
2342                  netlogon_pipe,
2343                  domain->dcname, /* server name. */
2344                  domain->name,   /* domain name */
2345                  global_myname(), /* client name */
2346                  account_name,   /* machine account */
2347                  mach_pwd,       /* machine password */
2348                  sec_chan_type,  /* from get_trust_pw */
2349                  &neg_flags);
2350
2351         if (!NT_STATUS_IS_OK(result)) {
2352                 TALLOC_FREE(netlogon_pipe);
2353                 return result;
2354         }
2355
2356         if ((lp_client_schannel() == True) &&
2357                         ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2358                 DEBUG(3, ("Server did not offer schannel\n"));
2359                 TALLOC_FREE(netlogon_pipe);
2360                 return NT_STATUS_ACCESS_DENIED;
2361         }
2362
2363  no_schannel:
2364         if ((lp_client_schannel() == False) ||
2365                         ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2366                 /*
2367                  * NetSamLogonEx only works for schannel
2368                  */
2369                 domain->can_do_samlogon_ex = False;
2370
2371                 /* We're done - just keep the existing connection to NETLOGON
2372                  * open */
2373                 conn->netlogon_pipe = netlogon_pipe;
2374                 *cli = conn->netlogon_pipe;
2375                 return NT_STATUS_OK;
2376         }
2377
2378         /* Using the credentials from the first pipe, open a signed and sealed
2379            second netlogon pipe. The session key is stored in the schannel
2380            part of the new pipe auth struct.
2381         */
2382
2383         result = cli_rpc_pipe_open_schannel_with_key(
2384                 conn->cli, &ndr_table_netlogon.syntax_id,
2385                 PIPE_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
2386                 &conn->netlogon_pipe);
2387
2388         /* We can now close the initial netlogon pipe. */
2389         TALLOC_FREE(netlogon_pipe);
2390
2391         if (!NT_STATUS_IS_OK(result)) {
2392                 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
2393                           "was %s\n", nt_errstr(result)));
2394
2395                 /* make sure we return something besides OK */
2396                 return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
2397         }
2398
2399         /*
2400          * Try NetSamLogonEx for AD domains
2401          */
2402         domain->can_do_samlogon_ex = domain->active_directory;
2403
2404         *cli = conn->netlogon_pipe;
2405         return NT_STATUS_OK;
2406 }