8fcbae77ff75ca2c75be33b5cd2049d9cbf0a0f9
[kai/samba.git] / source / winbindd / winbindd_cm.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon connection manager
5
6    Copyright (C) Tim Potter                2001
7    Copyright (C) Andrew Bartlett           2002
8    Copyright (C) Gerald (Jerry) Carter     2003-2005.
9    Copyright (C) Volker Lendecke           2004-2005
10    Copyright (C) Jeremy Allison            2006
11    
12    This program is free software; you can redistribute it and/or modify
13    it under the terms of the GNU General Public License as published by
14    the Free Software Foundation; either version 3 of the License, or
15    (at your option) any later version.
16    
17    This program is distributed in the hope that it will be useful,
18    but WITHOUT ANY WARRANTY; without even the implied warranty of
19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20    GNU General Public License for more details.
21    
22    You should have received a copy of the GNU General Public License
23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27    We need to manage connections to domain controllers without having to
28    mess up the main winbindd code with other issues.  The aim of the
29    connection manager is to:
30   
31        - make connections to domain controllers and cache them
32        - re-establish connections when networks or servers go down
33        - centralise the policy on connection timeouts, domain controller
34          selection etc
35        - manage re-entrancy for when winbindd becomes able to handle
36          multiple outstanding rpc requests
37   
38    Why not have connection management as part of the rpc layer like tng?
39    Good question.  This code may morph into libsmb/rpc_cache.c or something
40    like that but at the moment it's simply staying as part of winbind.  I
41    think the TNG architecture of forcing every user of the rpc layer to use
42    the connection caching system is a bad idea.  It should be an optional
43    method of using the routines.
44
45    The TNG design is quite good but I disagree with some aspects of the
46    implementation. -tpot
47
48  */
49
50 /*
51    TODO:
52
53      - I'm pretty annoyed by all the make_nmb_name() stuff.  It should be
54        moved down into another function.
55
56      - Take care when destroying cli_structs as they can be shared between
57        various sam handles.
58
59  */
60
61 #include "includes.h"
62 #include "winbindd.h"
63
64 #undef DBGC_CLASS
65 #define DBGC_CLASS DBGC_WINBIND
66
67 struct dc_name_ip {
68         fstring name;
69         struct sockaddr_storage ss;
70 };
71
72 extern struct winbindd_methods reconnect_methods;
73 extern bool override_logfile;
74
75 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
76 static void set_dc_type_and_flags( struct winbindd_domain *domain );
77 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
78                     struct dc_name_ip **dcs, int *num_dcs);
79
80 /****************************************************************
81  Child failed to find DC's. Reschedule check.
82 ****************************************************************/
83
84 static void msg_failed_to_go_online(struct messaging_context *msg,
85                                     void *private_data,
86                                     uint32_t msg_type,
87                                     struct server_id server_id,
88                                     DATA_BLOB *data)
89 {
90         struct winbindd_domain *domain;
91         const char *domainname = (const char *)data->data;
92
93         if (data->data == NULL || data->length == 0) {
94                 return;
95         }
96
97         DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
98
99         for (domain = domain_list(); domain; domain = domain->next) {
100                 if (domain->internal) {
101                         continue;
102                 }
103
104                 if (strequal(domain->name, domainname)) {
105                         if (domain->online) {
106                                 /* We're already online, ignore. */
107                                 DEBUG(5,("msg_fail_to_go_online: domain %s "
108                                         "already online.\n", domainname));
109                                 continue;
110                         }
111
112                         /* Reschedule the online check. */
113                         set_domain_offline(domain);
114                         break;
115                 }
116         }
117 }
118
119 /****************************************************************
120  Actually cause a reconnect from a message.
121 ****************************************************************/
122
123 static void msg_try_to_go_online(struct messaging_context *msg,
124                                  void *private_data,
125                                  uint32_t msg_type,
126                                  struct server_id server_id,
127                                  DATA_BLOB *data)
128 {
129         struct winbindd_domain *domain;
130         const char *domainname = (const char *)data->data;
131
132         if (data->data == NULL || data->length == 0) {
133                 return;
134         }
135
136         DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
137
138         for (domain = domain_list(); domain; domain = domain->next) {
139                 if (domain->internal) {
140                         continue;
141                 }
142
143                 if (strequal(domain->name, domainname)) {
144
145                         if (domain->online) {
146                                 /* We're already online, ignore. */
147                                 DEBUG(5,("msg_try_to_go_online: domain %s "
148                                         "already online.\n", domainname));
149                                 continue;
150                         }
151
152                         /* This call takes care of setting the online
153                            flag to true if we connected, or re-adding
154                            the offline handler if false. Bypasses online
155                            check so always does network calls. */
156
157                         init_dc_connection_network(domain);
158                         break;
159                 }
160         }
161 }
162
163 /****************************************************************
164  Fork a child to try and contact a DC. Do this as contacting a
165  DC requires blocking lookups and we don't want to block our
166  parent.
167 ****************************************************************/
168
169 static bool fork_child_dc_connect(struct winbindd_domain *domain)
170 {
171         struct dc_name_ip *dcs = NULL;
172         int num_dcs = 0;
173         TALLOC_CTX *mem_ctx = NULL;
174         pid_t child_pid;
175         pid_t parent_pid = sys_getpid();
176
177         /* Stop zombies */
178         CatchChild();
179
180         child_pid = sys_fork();
181
182         if (child_pid == -1) {
183                 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
184                 return False;
185         }
186
187         if (child_pid != 0) {
188                 /* Parent */
189                 messaging_register(winbind_messaging_context(), NULL,
190                                    MSG_WINBIND_TRY_TO_GO_ONLINE,
191                                    msg_try_to_go_online);
192                 messaging_register(winbind_messaging_context(), NULL,
193                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
194                                    msg_failed_to_go_online);
195                 return True;
196         }
197
198         /* Child. */
199
200         /* Leave messages blocked - we will never process one. */
201
202         if (!reinit_after_fork(winbind_messaging_context())) {
203                 DEBUG(0,("reinit_after_fork() failed\n"));
204                 _exit(0);
205         }
206
207         close_conns_after_fork();
208
209         if (!override_logfile) {
210                 char *logfile;
211                 if (asprintf(&logfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) > 0) {
212                         lp_set_logfile(logfile);
213                         SAFE_FREE(logfile);
214                         reopen_logs();
215                 }
216         }
217
218         mem_ctx = talloc_init("fork_child_dc_connect");
219         if (!mem_ctx) {
220                 DEBUG(0,("talloc_init failed.\n"));
221                 _exit(0);
222         }
223
224         if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
225                 /* Still offline ? Can't find DC's. */
226                 messaging_send_buf(winbind_messaging_context(),
227                                    pid_to_procid(parent_pid),
228                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
229                                    (uint8 *)domain->name,
230                                    strlen(domain->name)+1);
231                 _exit(0);
232         }
233
234         /* We got a DC. Send a message to our parent to get it to
235            try and do the same. */
236
237         messaging_send_buf(winbind_messaging_context(),
238                            pid_to_procid(parent_pid),
239                            MSG_WINBIND_TRY_TO_GO_ONLINE,
240                            (uint8 *)domain->name,
241                            strlen(domain->name)+1);
242         _exit(0);
243 }
244
245 /****************************************************************
246  Handler triggered if we're offline to try and detect a DC.
247 ****************************************************************/
248
249 static void check_domain_online_handler(struct event_context *ctx,
250                                         struct timed_event *te,
251                                         const struct timeval *now,
252                                         void *private_data)
253 {
254         struct winbindd_domain *domain =
255                 (struct winbindd_domain *)private_data;
256
257         DEBUG(10,("check_domain_online_handler: called for domain "
258                   "%s (online = %s)\n", domain->name, 
259                   domain->online ? "True" : "False" ));
260
261         TALLOC_FREE(domain->check_online_event);
262
263         /* Are we still in "startup" mode ? */
264
265         if (domain->startup && (now->tv_sec > domain->startup_time + 30)) {
266                 /* No longer in "startup" mode. */
267                 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
268                         domain->name ));
269                 domain->startup = False;
270         }
271
272         /* We've been told to stay offline, so stay
273            that way. */
274
275         if (get_global_winbindd_state_offline()) {
276                 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
277                         domain->name ));
278                 return;
279         }
280
281         /* Fork a child to test if it can contact a DC. 
282            If it can then send ourselves a message to
283            cause a reconnect. */
284
285         fork_child_dc_connect(domain);
286 }
287
288 /****************************************************************
289  If we're still offline setup the timeout check.
290 ****************************************************************/
291
292 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
293 {
294         int wbc = lp_winbind_cache_time();
295
296         if (domain->startup) {
297                 domain->check_online_timeout = 10;
298         } else if (domain->check_online_timeout < wbc) {
299                 domain->check_online_timeout = wbc;
300         }
301 }
302
303 /****************************************************************
304  Set domain offline and also add handler to put us back online
305  if we detect a DC.
306 ****************************************************************/
307
308 void set_domain_offline(struct winbindd_domain *domain)
309 {
310         DEBUG(10,("set_domain_offline: called for domain %s\n",
311                 domain->name ));
312
313         TALLOC_FREE(domain->check_online_event);
314
315         if (domain->internal) {
316                 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
317                         domain->name ));
318                 return;
319         }
320
321         domain->online = False;
322
323         /* Offline domains are always initialized. They're
324            re-initialized when they go back online. */
325
326         domain->initialized = True;
327
328         /* We only add the timeout handler that checks and
329            allows us to go back online when we've not
330            been told to remain offline. */
331
332         if (get_global_winbindd_state_offline()) {
333                 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
334                         domain->name ));
335                 return;
336         }
337
338         /* If we're in statup mode, check again in 10 seconds, not in
339            lp_winbind_cache_time() seconds (which is 5 mins by default). */
340
341         calc_new_online_timeout_check(domain);
342
343         domain->check_online_event = event_add_timed(winbind_event_context(),
344                                                 NULL,
345                                                 timeval_current_ofs(domain->check_online_timeout,0),
346                                                 "check_domain_online_handler",
347                                                 check_domain_online_handler,
348                                                 domain);
349
350         /* The above *has* to succeed for winbindd to work. */
351         if (!domain->check_online_event) {
352                 smb_panic("set_domain_offline: failed to add online handler");
353         }
354
355         DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
356                 domain->name ));
357
358         /* Send an offline message to the idmap child when our
359            primary domain goes offline */
360
361         if ( domain->primary ) {
362                 struct winbindd_child *idmap = idmap_child();
363                 
364                 if ( idmap->pid != 0 ) {
365                         messaging_send_buf(winbind_messaging_context(),
366                                            pid_to_procid(idmap->pid), 
367                                            MSG_WINBIND_OFFLINE, 
368                                            (uint8 *)domain->name, 
369                                            strlen(domain->name)+1);
370                 }                       
371         }
372
373         return; 
374 }
375
376 /****************************************************************
377  Set domain online - if allowed.
378 ****************************************************************/
379
380 static void set_domain_online(struct winbindd_domain *domain)
381 {
382         struct timeval now;
383
384         DEBUG(10,("set_domain_online: called for domain %s\n",
385                 domain->name ));
386
387         if (domain->internal) {
388                 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
389                         domain->name ));
390                 return;
391         }
392
393         if (get_global_winbindd_state_offline()) {
394                 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
395                         domain->name ));
396                 return;
397         }
398
399         winbindd_set_locator_kdc_envs(domain);
400
401         /* If we are waiting to get a krb5 ticket, trigger immediately. */
402         GetTimeOfDay(&now);
403         set_event_dispatch_time(winbind_event_context(),
404                                 "krb5_ticket_gain_handler", now);
405
406         /* Ok, we're out of any startup mode now... */
407         domain->startup = False;
408
409         if (domain->online == False) {
410                 /* We were offline - now we're online. We default to
411                    using the MS-RPC backend if we started offline,
412                    and if we're going online for the first time we
413                    should really re-initialize the backends and the
414                    checks to see if we're talking to an AD or NT domain.
415                 */
416
417                 domain->initialized = False;
418
419                 /* 'reconnect_methods' is the MS-RPC backend. */
420                 if (domain->backend == &reconnect_methods) {
421                         domain->backend = NULL;
422                 }
423         }
424
425         /* Ensure we have no online timeout checks. */
426         domain->check_online_timeout = 0;
427         TALLOC_FREE(domain->check_online_event);
428
429         /* Ensure we ignore any pending child messages. */
430         messaging_deregister(winbind_messaging_context(),
431                              MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
432         messaging_deregister(winbind_messaging_context(),
433                              MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
434
435         domain->online = True;
436
437         /* Send an online message to the idmap child when our
438            primary domain comes online */
439
440         if ( domain->primary ) {
441                 struct winbindd_child *idmap = idmap_child();
442                 
443                 if ( idmap->pid != 0 ) {
444                         messaging_send_buf(winbind_messaging_context(),
445                                            pid_to_procid(idmap->pid), 
446                                            MSG_WINBIND_ONLINE, 
447                                            (uint8 *)domain->name, 
448                                            strlen(domain->name)+1);
449                 }                       
450         }
451
452         return; 
453 }
454
455 /****************************************************************
456  Requested to set a domain online.
457 ****************************************************************/
458
459 void set_domain_online_request(struct winbindd_domain *domain)
460 {
461         struct timeval tev;
462
463         DEBUG(10,("set_domain_online_request: called for domain %s\n",
464                 domain->name ));
465
466         if (get_global_winbindd_state_offline()) {
467                 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
468                         domain->name ));
469                 return;
470         }
471
472         /* We've been told it's safe to go online and
473            try and connect to a DC. But I don't believe it
474            because network manager seems to lie.
475            Wait at least 5 seconds. Heuristics suck... */
476
477         if (!domain->check_online_event) {
478                 /* If we've come from being globally offline we
479                    don't have a check online event handler set.
480                    We need to add one now we're trying to go
481                    back online. */
482
483                 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
484                         domain->name ));
485
486                 domain->check_online_event = event_add_timed(winbind_event_context(),
487                                                                 NULL,
488                                                                 timeval_current_ofs(5, 0),
489                                                                 "check_domain_online_handler",
490                                                                 check_domain_online_handler,
491                                                                 domain);
492
493                 /* The above *has* to succeed for winbindd to work. */
494                 if (!domain->check_online_event) {
495                         smb_panic("set_domain_online_request: failed to add online handler");
496                 }
497         }
498
499         GetTimeOfDay(&tev);
500
501         /* Go into "startup" mode again. */
502         domain->startup_time = tev.tv_sec;
503         domain->startup = True;
504
505         tev.tv_sec += 5;
506
507         set_event_dispatch_time(winbind_event_context(), "check_domain_online_handler", tev);
508 }
509
510 /****************************************************************
511  Add -ve connection cache entries for domain and realm.
512 ****************************************************************/
513
514 void winbind_add_failed_connection_entry(const struct winbindd_domain *domain,
515                                         const char *server,
516                                         NTSTATUS result)
517 {
518         add_failed_connection_entry(domain->name, server, result);
519         /* If this was the saf name for the last thing we talked to,
520            remove it. */
521         saf_delete(domain->name);
522         if (*domain->alt_name) {
523                 add_failed_connection_entry(domain->alt_name, server, result);
524                 saf_delete(domain->alt_name);
525         }
526         winbindd_unset_locator_kdc_env(domain);
527 }
528
529 /* Choose between anonymous or authenticated connections.  We need to use
530    an authenticated connection if DCs have the RestrictAnonymous registry
531    entry set > 0, or the "Additional restrictions for anonymous
532    connections" set in the win2k Local Security Policy. 
533    
534    Caller to free() result in domain, username, password
535 */
536
537 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
538 {
539         *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
540         *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
541         *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
542         
543         if (*username && **username) {
544
545                 if (!*domain || !**domain)
546                         *domain = smb_xstrdup(lp_workgroup());
547                 
548                 if (!*password || !**password)
549                         *password = smb_xstrdup("");
550
551                 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n", 
552                           *domain, *username));
553
554         } else {
555                 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
556                 *username = smb_xstrdup("");
557                 *domain = smb_xstrdup("");
558                 *password = smb_xstrdup("");
559         }
560 }
561
562 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
563                                      fstring dcname,
564                                      struct sockaddr_storage *dc_ss)
565 {
566         struct winbindd_domain *our_domain = NULL;
567         struct rpc_pipe_client *netlogon_pipe = NULL;
568         NTSTATUS result;
569         WERROR werr;
570         TALLOC_CTX *mem_ctx;
571         unsigned int orig_timeout;
572         const char *tmp = NULL;
573         const char *p;
574
575         /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
576          * moment.... */
577
578         if (IS_DC) {
579                 return False;
580         }
581
582         if (domain->primary) {
583                 return False;
584         }
585
586         our_domain = find_our_domain();
587
588         if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
589                 return False;
590         }
591
592         result = cm_connect_netlogon(our_domain, &netlogon_pipe);
593         if (!NT_STATUS_IS_OK(result)) {
594                 talloc_destroy(mem_ctx);
595                 return False;
596         }
597
598         /* This call can take a long time - allow the server to time out.
599            35 seconds should do it. */
600
601         orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
602
603         if (our_domain->active_directory) {
604                 struct netr_DsRGetDCNameInfo *domain_info = NULL;
605
606                 result = rpccli_netr_DsRGetDCName(netlogon_pipe,
607                                                   mem_ctx,
608                                                   our_domain->dcname,
609                                                   domain->name,
610                                                   NULL,
611                                                   NULL,
612                                                   DS_RETURN_DNS_NAME,
613                                                   &domain_info,
614                                                   &werr);
615                 if (W_ERROR_IS_OK(werr)) {
616                         tmp = talloc_strdup(
617                                 mem_ctx, domain_info->dc_unc);
618                         if (tmp == NULL) {
619                                 DEBUG(0, ("talloc_strdup failed\n"));
620                                 talloc_destroy(mem_ctx);
621                                 return false;
622                         }
623                         if (strlen(domain->alt_name) == 0) {
624                                 fstrcpy(domain->alt_name,
625                                         domain_info->domain_name);
626                         }
627                         if (strlen(domain->forest_name) == 0) {
628                                 fstrcpy(domain->forest_name,
629                                         domain_info->forest_name);
630                         }
631                 }
632         } else {
633                 result = rpccli_netr_GetAnyDCName(netlogon_pipe, mem_ctx,
634                                                   our_domain->dcname,
635                                                   domain->name,
636                                                   &tmp,
637                                                   &werr);
638         }
639
640         /* And restore our original timeout. */
641         rpccli_set_timeout(netlogon_pipe, orig_timeout);
642
643         if (!NT_STATUS_IS_OK(result)) {
644                 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
645                         nt_errstr(result)));
646                 talloc_destroy(mem_ctx);
647                 return false;
648         }
649
650         if (!W_ERROR_IS_OK(werr)) {
651                 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
652                            dos_errstr(werr)));
653                 talloc_destroy(mem_ctx);
654                 return false;
655         }
656
657         /* rpccli_netr_GetAnyDCName gives us a name with \\ */
658         p = tmp;
659         if (*p == '\\') {
660                 p+=1;
661         }
662         if (*p == '\\') {
663                 p+=1;
664         }
665
666         fstrcpy(dcname, p);
667
668         talloc_destroy(mem_ctx);
669
670         DEBUG(10,("rpccli_netr_GetAnyDCName returned %s\n", dcname));
671
672         if (!resolve_name(dcname, dc_ss, 0x20)) {
673                 return False;
674         }
675
676         return True;
677 }
678
679 /**
680  * Helper function to assemble trust password and account name
681  */
682 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
683                                 char **machine_password,
684                                 char **machine_account,
685                                 char **machine_krb5_principal)
686 {
687         const char *account_name;
688         const char *name = NULL;
689         
690         /* If we are a DC and this is not our own domain */
691
692         if (IS_DC) {
693                 name = domain->name;
694         } else {
695                 struct winbindd_domain *our_domain = find_our_domain();
696
697                 if (!our_domain)
698                         return NT_STATUS_INVALID_SERVER_STATE;          
699                 
700                 name = our_domain->name;                
701         }       
702         
703         if (!get_trust_pw_clear(name, machine_password,
704                                 &account_name, NULL))
705         {
706                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
707         }
708
709         if ((machine_account != NULL) &&
710             (asprintf(machine_account, "%s$", account_name) == -1))
711         {
712                 return NT_STATUS_NO_MEMORY;
713         }
714
715         /* this is at least correct when domain is our domain,
716          * which is the only case, when this is currently used: */
717         if (machine_krb5_principal != NULL)
718         {
719                 if (asprintf(machine_krb5_principal, "%s$@%s",
720                              account_name, domain->alt_name) == -1)
721                 {
722                         return NT_STATUS_NO_MEMORY;
723                 }
724
725                 strupper_m(*machine_krb5_principal);
726         }
727
728         return NT_STATUS_OK;
729 }
730
731 /************************************************************************
732  Given a fd with a just-connected TCP connection to a DC, open a connection
733  to the pipe.
734 ************************************************************************/
735
736 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
737                                       const int sockfd,
738                                       const char *controller,
739                                       struct cli_state **cli,
740                                       bool *retry)
741 {
742         char *machine_password = NULL;
743         char *machine_krb5_principal = NULL;
744         char *machine_account = NULL;
745         char *ipc_username = NULL;
746         char *ipc_domain = NULL;
747         char *ipc_password = NULL;
748
749         struct named_mutex *mutex;
750
751         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
752
753         struct sockaddr peeraddr;
754         socklen_t peeraddr_len;
755
756         struct sockaddr_in *peeraddr_in = (struct sockaddr_in *)&peeraddr;
757
758         DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
759                 controller, domain->name ));
760
761         *retry = True;
762
763         mutex = grab_named_mutex(talloc_tos(), controller,
764                                  WINBIND_SERVER_MUTEX_WAIT_TIME);
765         if (mutex == NULL) {
766                 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
767                          controller));
768                 result = NT_STATUS_POSSIBLE_DEADLOCK;
769                 goto done;
770         }
771
772         if ((*cli = cli_initialise()) == NULL) {
773                 DEBUG(1, ("Could not cli_initialize\n"));
774                 result = NT_STATUS_NO_MEMORY;
775                 goto done;
776         }
777
778         (*cli)->timeout = 10000;        /* 10 seconds */
779         (*cli)->fd = sockfd;
780         fstrcpy((*cli)->desthost, controller);
781         (*cli)->use_kerberos = True;
782
783         peeraddr_len = sizeof(peeraddr);
784
785         if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0) ||
786             (peeraddr_len != sizeof(struct sockaddr_in)) ||
787             (peeraddr_in->sin_family != PF_INET))
788         {
789                 DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
790                 result = NT_STATUS_UNSUCCESSFUL;
791                 goto done;
792         }
793
794         if (ntohs(peeraddr_in->sin_port) == 139) {
795                 struct nmb_name calling;
796                 struct nmb_name called;
797
798                 make_nmb_name(&calling, global_myname(), 0x0);
799                 make_nmb_name(&called, "*SMBSERVER", 0x20);
800
801                 if (!cli_session_request(*cli, &calling, &called)) {
802                         DEBUG(8, ("cli_session_request failed for %s\n",
803                                   controller));
804                         result = NT_STATUS_UNSUCCESSFUL;
805                         goto done;
806                 }
807         }
808
809         cli_setup_signing_state(*cli, Undefined);
810
811         if (!cli_negprot(*cli)) {
812                 DEBUG(1, ("cli_negprot failed\n"));
813                 result = NT_STATUS_UNSUCCESSFUL;
814                 goto done;
815         }
816
817         if (!is_trusted_domain_situation(domain->name) &&
818             (*cli)->protocol >= PROTOCOL_NT1 &&
819             (*cli)->capabilities & CAP_EXTENDED_SECURITY)
820         {
821                 ADS_STATUS ads_status;
822
823                 result = get_trust_creds(domain, &machine_password,
824                                          &machine_account,
825                                          &machine_krb5_principal);
826                 if (!NT_STATUS_IS_OK(result)) {
827                         goto anon_fallback;
828                 }
829
830                 if (lp_security() == SEC_ADS) {
831
832                         /* Try a krb5 session */
833
834                         (*cli)->use_kerberos = True;
835                         DEBUG(5, ("connecting to %s from %s with kerberos principal "
836                                   "[%s]\n", controller, global_myname(),
837                                   machine_krb5_principal));
838
839                         winbindd_set_locator_kdc_envs(domain);
840
841                         ads_status = cli_session_setup_spnego(*cli,
842                                                               machine_krb5_principal, 
843                                                               machine_password, 
844                                                               domain->name);
845
846                         if (!ADS_ERR_OK(ads_status)) {
847                                 DEBUG(4,("failed kerberos session setup with %s\n",
848                                          ads_errstr(ads_status)));
849                         }
850
851                         result = ads_ntstatus(ads_status);
852                         if (NT_STATUS_IS_OK(result)) {
853                                 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
854                                 cli_init_creds(*cli, machine_account, domain->name, machine_password);
855                                 goto session_setup_done;
856                         }
857                 }
858
859                 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
860                 (*cli)->use_kerberos = False;
861
862                 DEBUG(5, ("connecting to %s from %s with username "
863                           "[%s]\\[%s]\n",  controller, global_myname(),
864                           domain->name, machine_account));
865
866                 ads_status = cli_session_setup_spnego(*cli,
867                                                       machine_account, 
868                                                       machine_password, 
869                                                       domain->name);
870                 if (!ADS_ERR_OK(ads_status)) {
871                         DEBUG(4, ("authenticated session setup failed with %s\n",
872                                 ads_errstr(ads_status)));
873                 }
874
875                 result = ads_ntstatus(ads_status);
876                 if (NT_STATUS_IS_OK(result)) {
877                         /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
878                         cli_init_creds(*cli, machine_account, domain->name, machine_password);
879                         goto session_setup_done;
880                 }
881         }
882
883         /* Fall back to non-kerberos session setup with auth_user */
884
885         (*cli)->use_kerberos = False;
886
887         cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
888
889         if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
890             (strlen(ipc_username) > 0)) {
891
892                 /* Only try authenticated if we have a username */
893
894                 DEBUG(5, ("connecting to %s from %s with username "
895                           "[%s]\\[%s]\n",  controller, global_myname(),
896                           ipc_domain, ipc_username));
897
898                 if (NT_STATUS_IS_OK(cli_session_setup(
899                                             *cli, ipc_username,
900                                             ipc_password, strlen(ipc_password)+1,
901                                             ipc_password, strlen(ipc_password)+1,
902                                             ipc_domain))) {
903                         /* Successful logon with given username. */
904                         cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
905                         goto session_setup_done;
906                 } else {
907                         DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
908                                 ipc_domain, ipc_username ));
909                 }
910         }
911
912  anon_fallback:
913
914         /* Fall back to anonymous connection, this might fail later */
915
916         if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
917                                               NULL, 0, ""))) {
918                 DEBUG(5, ("Connected anonymously\n"));
919                 cli_init_creds(*cli, "", "", "");
920                 goto session_setup_done;
921         }
922
923         result = cli_nt_error(*cli);
924
925         if (NT_STATUS_IS_OK(result))
926                 result = NT_STATUS_UNSUCCESSFUL;
927
928         /* We can't session setup */
929
930         goto done;
931
932  session_setup_done:
933
934         /* cache the server name for later connections */
935
936         saf_store( domain->name, (*cli)->desthost );
937         if (domain->alt_name && (*cli)->use_kerberos) {
938                 saf_store( domain->alt_name, (*cli)->desthost );
939         }
940
941         winbindd_set_locator_kdc_envs(domain);
942
943         if (!cli_send_tconX(*cli, "IPC$", "IPC", "", 0)) {
944
945                 result = cli_nt_error(*cli);
946
947                 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
948
949                 if (NT_STATUS_IS_OK(result))
950                         result = NT_STATUS_UNSUCCESSFUL;
951
952                 goto done;
953         }
954
955         TALLOC_FREE(mutex);
956         *retry = False;
957
958         /* set the domain if empty; needed for schannel connections */
959         if ( !*(*cli)->domain ) {
960                 fstrcpy( (*cli)->domain, domain->name );
961         }
962
963         result = NT_STATUS_OK;
964
965  done:
966         TALLOC_FREE(mutex);
967         SAFE_FREE(machine_account);
968         SAFE_FREE(machine_password);
969         SAFE_FREE(machine_krb5_principal);
970         SAFE_FREE(ipc_username);
971         SAFE_FREE(ipc_domain);
972         SAFE_FREE(ipc_password);
973
974         if (!NT_STATUS_IS_OK(result)) {
975                 winbind_add_failed_connection_entry(domain, controller, result);
976                 if ((*cli) != NULL) {
977                         cli_shutdown(*cli);
978                         *cli = NULL;
979                 }
980         }
981
982         return result;
983 }
984
985 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
986                               const char *dcname, struct sockaddr_storage *pss,
987                               struct dc_name_ip **dcs, int *num)
988 {
989         if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
990                 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
991                 return False;
992         }
993
994         *dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
995
996         if (*dcs == NULL)
997                 return False;
998
999         fstrcpy((*dcs)[*num].name, dcname);
1000         (*dcs)[*num].ss = *pss;
1001         *num += 1;
1002         return True;
1003 }
1004
1005 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1006                                   struct sockaddr_storage *pss, uint16 port,
1007                                   struct sockaddr_storage **addrs, int *num)
1008 {
1009         *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1010
1011         if (*addrs == NULL) {
1012                 *num = 0;
1013                 return False;
1014         }
1015
1016         (*addrs)[*num] = *pss;
1017         set_sockaddr_port(&(*addrs)[*num], port);
1018
1019         *num += 1;
1020         return True;
1021 }
1022
1023 /*******************************************************************
1024  convert an ip to a name
1025 *******************************************************************/
1026
1027 static bool dcip_to_name(const struct winbindd_domain *domain,
1028                 struct sockaddr_storage *pss,
1029                 fstring name )
1030 {
1031         struct ip_service ip_list;
1032
1033         ip_list.ss = *pss;
1034         ip_list.port = 0;
1035
1036 #ifdef WITH_ADS
1037         /* For active directory servers, try to get the ldap server name.
1038            None of these failures should be considered critical for now */
1039
1040         if (lp_security() == SEC_ADS) {
1041                 ADS_STRUCT *ads;
1042                 char addr[INET6_ADDRSTRLEN];
1043
1044                 print_sockaddr(addr, sizeof(addr), pss);
1045
1046                 ads = ads_init(domain->alt_name, domain->name, NULL);
1047                 ads->auth.flags |= ADS_AUTH_NO_BIND;
1048
1049                 if (ads_try_connect(ads, addr)) {
1050                         /* We got a cldap packet. */
1051                         fstrcpy(name, ads->config.ldap_server_name);
1052                         namecache_store(name, 0x20, 1, &ip_list);
1053
1054                         DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1055
1056                         if (domain->primary && (ads->config.flags & ADS_KDC)) {
1057                                 if (ads_closest_dc(ads)) {
1058                                         char *sitename = sitename_fetch(ads->config.realm);
1059
1060                                         /* We're going to use this KDC for this realm/domain.
1061                                            If we are using sites, then force the krb5 libs
1062                                            to use this KDC. */
1063
1064                                         create_local_private_krb5_conf_for_domain(domain->alt_name,
1065                                                                         domain->name,
1066                                                                         sitename,
1067                                                                         pss);
1068
1069                                         SAFE_FREE(sitename);
1070                                 } else {
1071                                         /* use an off site KDC */
1072                                         create_local_private_krb5_conf_for_domain(domain->alt_name,
1073                                                                         domain->name,
1074                                                                         NULL,
1075                                                                         pss);
1076                                 }
1077                                 winbindd_set_locator_kdc_envs(domain);
1078
1079                                 /* Ensure we contact this DC also. */
1080                                 saf_store( domain->name, name);
1081                                 saf_store( domain->alt_name, name);
1082                         }
1083
1084                         ads_destroy( &ads );
1085                         return True;
1086                 }
1087
1088                 ads_destroy( &ads );
1089         }
1090 #endif
1091
1092         /* try GETDC requests next */
1093
1094         if (send_getdc_request(winbind_messaging_context(),
1095                                pss, domain->name, &domain->sid)) {
1096                 int i;
1097                 smb_msleep(100);
1098                 for (i=0; i<5; i++) {
1099                         if (receive_getdc_response(pss, domain->name, name)) {
1100                                 namecache_store(name, 0x20, 1, &ip_list);
1101                                 return True;
1102                         }
1103                         smb_msleep(500);
1104                 }
1105         }
1106
1107         /* try node status request */
1108
1109         if ( name_status_find(domain->name, 0x1c, 0x20, pss, name) ) {
1110                 namecache_store(name, 0x20, 1, &ip_list);
1111                 return True;
1112         }
1113         return False;
1114 }
1115
1116 /*******************************************************************
1117  Retreive a list of IP address for domain controllers.  Fill in 
1118  the dcs[]  with results.
1119 *******************************************************************/
1120
1121 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1122                     struct dc_name_ip **dcs, int *num_dcs)
1123 {
1124         fstring dcname;
1125         struct  sockaddr_storage ss;
1126         struct  ip_service *ip_list = NULL;
1127         int     iplist_size = 0;
1128         int     i;
1129         bool    is_our_domain;
1130         enum security_types sec = (enum security_types)lp_security();
1131
1132         is_our_domain = strequal(domain->name, lp_workgroup());
1133
1134         if ( !is_our_domain
1135                 && get_dc_name_via_netlogon(domain, dcname, &ss)
1136                 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, num_dcs) )
1137         {
1138                 char addr[INET6_ADDRSTRLEN];
1139                 print_sockaddr(addr, sizeof(addr), &ss);
1140                 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1141                            dcname, addr));
1142                 return True;
1143         }
1144
1145         if (sec == SEC_ADS) {
1146                 char *sitename = NULL;
1147
1148                 /* We need to make sure we know the local site before
1149                    doing any DNS queries, as this will restrict the
1150                    get_sorted_dc_list() call below to only fetching
1151                    DNS records for the correct site. */
1152
1153                 /* Find any DC to get the site record.
1154                    We deliberately don't care about the
1155                    return here. */
1156
1157                 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1158
1159                 sitename = sitename_fetch(domain->alt_name);
1160                 if (sitename) {
1161
1162                         /* Do the site-specific AD dns lookup first. */
1163                         get_sorted_dc_list(domain->alt_name, sitename, &ip_list, &iplist_size, True);
1164
1165                         for ( i=0; i<iplist_size; i++ ) {
1166                                 char addr[INET6_ADDRSTRLEN];
1167                                 print_sockaddr(addr, sizeof(addr),
1168                                                 &ip_list[i].ss);
1169                                 add_one_dc_unique(mem_ctx,
1170                                                 domain->name,
1171                                                 addr,
1172                                                 &ip_list[i].ss,
1173                                                 dcs,
1174                                                 num_dcs);
1175                         }
1176
1177                         SAFE_FREE(ip_list);
1178                         SAFE_FREE(sitename);
1179                         iplist_size = 0;
1180                 }
1181
1182                 /* Now we add DCs from the main AD dns lookup. */
1183                 get_sorted_dc_list(domain->alt_name, NULL, &ip_list, &iplist_size, True);
1184
1185                 for ( i=0; i<iplist_size; i++ ) {
1186                         char addr[INET6_ADDRSTRLEN];
1187                         print_sockaddr(addr, sizeof(addr),
1188                                         &ip_list[i].ss);
1189                         add_one_dc_unique(mem_ctx,
1190                                         domain->name,
1191                                         addr,
1192                                         &ip_list[i].ss,
1193                                         dcs,
1194                                         num_dcs);
1195                 }
1196         }
1197
1198         /* try standard netbios queries if no ADS */
1199
1200         if (iplist_size==0) {
1201                 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size, False);
1202         }
1203
1204         /* FIXME!! this is where we should re-insert the GETDC requests --jerry */
1205
1206         /* now add to the dc array.  We'll wait until the last minute 
1207            to look up the name of the DC.  But we fill in the char* for 
1208            the ip now in to make the failed connection cache work */
1209
1210         for ( i=0; i<iplist_size; i++ ) {
1211                 char addr[INET6_ADDRSTRLEN];
1212                 print_sockaddr(addr, sizeof(addr),
1213                                 &ip_list[i].ss);
1214                 add_one_dc_unique(mem_ctx, domain->name, addr,
1215                         &ip_list[i].ss, dcs, num_dcs);
1216         }
1217
1218         SAFE_FREE( ip_list );
1219
1220         return True;
1221 }
1222
1223 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1224                         struct winbindd_domain *domain,
1225                         fstring dcname, struct sockaddr_storage *pss, int *fd)
1226 {
1227         struct dc_name_ip *dcs = NULL;
1228         int num_dcs = 0;
1229
1230         const char **dcnames = NULL;
1231         int num_dcnames = 0;
1232
1233         struct sockaddr_storage *addrs = NULL;
1234         int num_addrs = 0;
1235
1236         int i, fd_index;
1237
1238  again:
1239         if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1240                 return False;
1241
1242         for (i=0; i<num_dcs; i++) {
1243
1244                 if (!add_string_to_array(mem_ctx, dcs[i].name,
1245                                     &dcnames, &num_dcnames)) {
1246                         return False;
1247                 }
1248                 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 445,
1249                                       &addrs, &num_addrs)) {
1250                         return False;
1251                 }
1252
1253                 if (!add_string_to_array(mem_ctx, dcs[i].name,
1254                                     &dcnames, &num_dcnames)) {
1255                         return False;
1256                 }
1257                 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 139,
1258                                       &addrs, &num_addrs)) {
1259                         return False;
1260                 }
1261         }
1262
1263         if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1264                 return False;
1265
1266         if ((addrs == NULL) || (dcnames == NULL))
1267                 return False;
1268
1269         /* 5 second timeout. */
1270         if (!open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) {
1271                 for (i=0; i<num_dcs; i++) {
1272                         char ab[INET6_ADDRSTRLEN];
1273                         print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1274                         DEBUG(10, ("find_new_dc: open_any_socket_out failed for "
1275                                 "domain %s address %s. Error was %s\n",
1276                                 domain->name, ab, strerror(errno) ));
1277                         winbind_add_failed_connection_entry(domain,
1278                                 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1279                 }
1280                 return False;
1281         }
1282
1283         *pss = addrs[fd_index];
1284
1285         if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1286                 /* Ok, we've got a name for the DC */
1287                 fstrcpy(dcname, dcnames[fd_index]);
1288                 return True;
1289         }
1290
1291         /* Try to figure out the name */
1292         if (dcip_to_name(domain, pss, dcname)) {
1293                 return True;
1294         }
1295
1296         /* We can not continue without the DC's name */
1297         winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1298                                     NT_STATUS_UNSUCCESSFUL);
1299         goto again;
1300 }
1301
1302 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1303                                    struct winbindd_cm_conn *new_conn)
1304 {
1305         TALLOC_CTX *mem_ctx;
1306         NTSTATUS result;
1307         char *saf_servername = saf_fetch( domain->name );
1308         int retries;
1309
1310         if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1311                 SAFE_FREE(saf_servername);
1312                 set_domain_offline(domain);
1313                 return NT_STATUS_NO_MEMORY;
1314         }
1315
1316         /* we have to check the server affinity cache here since 
1317            later we selecte a DC based on response time and not preference */
1318            
1319         /* Check the negative connection cache
1320            before talking to it. It going down may have
1321            triggered the reconnection. */
1322
1323         if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1324
1325                 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1326                         saf_servername, domain->name ));
1327
1328                 /* convert an ip address to a name */
1329                 if (is_ipaddress( saf_servername ) ) {
1330                         fstring saf_name;
1331                         struct sockaddr_storage ss;
1332
1333                         if (!interpret_string_addr(&ss, saf_servername,
1334                                                 AI_NUMERICHOST)) {
1335                                 return NT_STATUS_UNSUCCESSFUL;
1336                         }
1337                         if (dcip_to_name( domain, &ss, saf_name )) {
1338                                 fstrcpy( domain->dcname, saf_name );
1339                         } else {
1340                                 winbind_add_failed_connection_entry(
1341                                         domain, saf_servername,
1342                                         NT_STATUS_UNSUCCESSFUL);
1343                         }
1344                 } else {
1345                         fstrcpy( domain->dcname, saf_servername );
1346                 }
1347
1348                 SAFE_FREE( saf_servername );
1349         }
1350
1351         for (retries = 0; retries < 3; retries++) {
1352                 int fd = -1;
1353                 bool retry = False;
1354
1355                 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1356
1357                 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1358                         domain->dcname, domain->name ));
1359
1360                 if (*domain->dcname 
1361                         && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1362                         && (resolve_name(domain->dcname, &domain->dcaddr, 0x20)))
1363                 {
1364                         struct sockaddr_storage *addrs = NULL;
1365                         int num_addrs = 0;
1366                         int dummy = 0;
1367
1368                         if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 445, &addrs, &num_addrs)) {
1369                                 set_domain_offline(domain);
1370                                 talloc_destroy(mem_ctx);
1371                                 return NT_STATUS_NO_MEMORY;
1372                         }
1373                         if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 139, &addrs, &num_addrs)) {
1374                                 set_domain_offline(domain);
1375                                 talloc_destroy(mem_ctx);
1376                                 return NT_STATUS_NO_MEMORY;
1377                         }
1378
1379                         /* 5 second timeout. */
1380                         if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) {
1381                                 fd = -1;
1382                         }
1383                 }
1384
1385                 if ((fd == -1) 
1386                         && !find_new_dc(mem_ctx, domain, domain->dcname, &domain->dcaddr, &fd))
1387                 {
1388                         /* This is the one place where we will
1389                            set the global winbindd offline state
1390                            to true, if a "WINBINDD_OFFLINE" entry
1391                            is found in the winbindd cache. */
1392                         set_global_winbindd_state_offline();
1393                         break;
1394                 }
1395
1396                 new_conn->cli = NULL;
1397
1398                 result = cm_prepare_connection(domain, fd, domain->dcname,
1399                         &new_conn->cli, &retry);
1400
1401                 if (!retry)
1402                         break;
1403         }
1404
1405         if (NT_STATUS_IS_OK(result)) {
1406
1407                 winbindd_set_locator_kdc_envs(domain);
1408
1409                 if (domain->online == False) {
1410                         /* We're changing state from offline to online. */
1411                         set_global_winbindd_state_online();
1412                 }
1413                 set_domain_online(domain);
1414         } else {
1415                 /* Ensure we setup the retry handler. */
1416                 set_domain_offline(domain);
1417         }
1418
1419         talloc_destroy(mem_ctx);
1420         return result;
1421 }
1422
1423 /* Close down all open pipes on a connection. */
1424
1425 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
1426 {
1427         /* We're closing down a possibly dead
1428            connection. Don't have impossibly long (10s) timeouts. */
1429
1430         if (conn->cli) {
1431                 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1432         }
1433
1434         if (conn->samr_pipe != NULL) {
1435                 if (!cli_rpc_pipe_close(conn->samr_pipe)) {
1436                         /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1437                         if (conn->cli) {
1438                                 cli_set_timeout(conn->cli, 500);
1439                         }
1440                 }
1441                 conn->samr_pipe = NULL;
1442         }
1443
1444         if (conn->lsa_pipe != NULL) {
1445                 if (!cli_rpc_pipe_close(conn->lsa_pipe)) {
1446                         /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1447                         if (conn->cli) {
1448                                 cli_set_timeout(conn->cli, 500);
1449                         }
1450                 }
1451                 conn->lsa_pipe = NULL;
1452         }
1453
1454         if (conn->netlogon_pipe != NULL) {
1455                 if (!cli_rpc_pipe_close(conn->netlogon_pipe)) {
1456                         /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1457                         if (conn->cli) {
1458                                 cli_set_timeout(conn->cli, 500);
1459                         }
1460                 }
1461                 conn->netlogon_pipe = NULL;
1462         }
1463
1464         if (conn->cli) {
1465                 cli_shutdown(conn->cli);
1466         }
1467
1468         conn->cli = NULL;
1469 }
1470
1471 void close_conns_after_fork(void)
1472 {
1473         struct winbindd_domain *domain;
1474
1475         for (domain = domain_list(); domain; domain = domain->next) {
1476                 if (domain->conn.cli == NULL)
1477                         continue;
1478
1479                 if (domain->conn.cli->fd == -1)
1480                         continue;
1481
1482                 close(domain->conn.cli->fd);
1483                 domain->conn.cli->fd = -1;
1484         }
1485 }
1486
1487 static bool connection_ok(struct winbindd_domain *domain)
1488 {
1489         if (domain->conn.cli == NULL) {
1490                 DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
1491                           "cli!\n", domain->dcname, domain->name));
1492                 return False;
1493         }
1494
1495         if (!domain->conn.cli->initialised) {
1496                 DEBUG(3, ("connection_ok: Connection to %s for domain %s was never "
1497                           "initialised!\n", domain->dcname, domain->name));
1498                 return False;
1499         }
1500
1501         if (domain->conn.cli->fd == -1) {
1502                 DEBUG(3, ("connection_ok: Connection to %s for domain %s has died or was "
1503                           "never started (fd == -1)\n", 
1504                           domain->dcname, domain->name));
1505                 return False;
1506         }
1507
1508         if (domain->online == False) {
1509                 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1510                 return False;
1511         }
1512
1513         return True;
1514 }
1515
1516 /* Initialize a new connection up to the RPC BIND.
1517    Bypass online status check so always does network calls. */
1518
1519 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
1520 {
1521         NTSTATUS result;
1522
1523         /* Internal connections never use the network. */
1524         if (domain->internal) {
1525                 domain->initialized = True;
1526                 return NT_STATUS_OK;
1527         }
1528
1529         if (connection_ok(domain)) {
1530                 if (!domain->initialized) {
1531                         set_dc_type_and_flags(domain);
1532                 }
1533                 return NT_STATUS_OK;
1534         }
1535
1536         invalidate_cm_connection(&domain->conn);
1537
1538         result = cm_open_connection(domain, &domain->conn);
1539
1540         if (NT_STATUS_IS_OK(result) && !domain->initialized) {
1541                 set_dc_type_and_flags(domain);
1542         }
1543
1544         return result;
1545 }
1546
1547 NTSTATUS init_dc_connection(struct winbindd_domain *domain)
1548 {
1549         if (domain->initialized && !domain->online) {
1550                 /* We check for online status elsewhere. */
1551                 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1552         }
1553
1554         return init_dc_connection_network(domain);
1555 }
1556
1557 /******************************************************************************
1558  Set the trust flags (direction and forest location) for a domain
1559 ******************************************************************************/
1560
1561 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
1562 {
1563         struct winbindd_domain *our_domain;
1564         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1565         struct netr_DomainTrustList trusts;
1566         int i;
1567         uint32 flags = (NETR_TRUST_FLAG_IN_FOREST |
1568                         NETR_TRUST_FLAG_OUTBOUND |
1569                         NETR_TRUST_FLAG_INBOUND);
1570         struct rpc_pipe_client *cli;
1571         TALLOC_CTX *mem_ctx = NULL;
1572
1573         DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
1574         
1575         /* Our primary domain doesn't need to worry about trust flags.
1576            Force it to go through the network setup */
1577         if ( domain->primary ) {                
1578                 return False;           
1579         }
1580         
1581         our_domain = find_our_domain();
1582         
1583         if ( !connection_ok(our_domain) ) {
1584                 DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));           
1585                 return False;
1586         }
1587
1588         /* This won't work unless our domain is AD */
1589          
1590         if ( !our_domain->active_directory ) {
1591                 return False;
1592         }
1593         
1594         /* Use DsEnumerateDomainTrusts to get us the trust direction
1595            and type */
1596
1597         result = cm_connect_netlogon(our_domain, &cli);
1598
1599         if (!NT_STATUS_IS_OK(result)) {
1600                 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
1601                           "a connection to %s for PIPE_NETLOGON (%s)\n", 
1602                           domain->name, nt_errstr(result)));
1603                 return False;
1604         }
1605
1606         if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
1607                 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
1608                 return False;
1609         }       
1610
1611         result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1612                                                       cli->desthost,
1613                                                       flags,
1614                                                       &trusts,
1615                                                       NULL);
1616         if (!NT_STATUS_IS_OK(result)) {
1617                 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
1618                         "failed to query trusted domain list: %s\n",
1619                         nt_errstr(result)));
1620                 talloc_destroy(mem_ctx);
1621                 return false;
1622         }
1623
1624         /* Now find the domain name and get the flags */
1625
1626         for ( i=0; i<trusts.count; i++ ) {
1627                 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
1628                         domain->domain_flags          = trusts.array[i].trust_flags;
1629                         domain->domain_type           = trusts.array[i].trust_type;
1630                         domain->domain_trust_attribs  = trusts.array[i].trust_attributes;
1631
1632                         if ( domain->domain_type == NETR_TRUST_TYPE_UPLEVEL )
1633                                 domain->active_directory = True;
1634
1635                         /* This flag is only set if the domain is *our* 
1636                            primary domain and the primary domain is in
1637                            native mode */
1638
1639                         domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
1640
1641                         DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
1642                                   "native mode.\n", domain->name, 
1643                                   domain->native_mode ? "" : "NOT "));
1644
1645                         DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
1646                                  "running active directory.\n", domain->name, 
1647                                  domain->active_directory ? "" : "NOT "));
1648
1649
1650                         domain->initialized = True;
1651
1652                         if ( !winbindd_can_contact_domain( domain) )
1653                                 domain->internal = True;
1654                         
1655                         break;
1656                 }               
1657         }
1658         
1659         talloc_destroy( mem_ctx );
1660         
1661         return domain->initialized;     
1662 }
1663
1664 /******************************************************************************
1665  We can 'sense' certain things about the DC by it's replies to certain
1666  questions.
1667
1668  This tells us if this particular remote server is Active Directory, and if it
1669  is native mode.
1670 ******************************************************************************/
1671
1672 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
1673 {
1674         NTSTATUS                result;
1675         WERROR werr;
1676         TALLOC_CTX              *mem_ctx = NULL;
1677         struct rpc_pipe_client  *cli;
1678         POLICY_HND pol;
1679         union dssetup_DsRoleInfo info;
1680         union lsa_PolicyInformation *lsa_info = NULL;
1681
1682         if (!connection_ok(domain)) {
1683                 return;
1684         }
1685
1686         mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
1687                               domain->name);
1688         if (!mem_ctx) {
1689                 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
1690                 return;
1691         }
1692
1693         DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
1694
1695         cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_DSSETUP,
1696                                        &result);
1697
1698         if (cli == NULL) {
1699                 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1700                           "PI_DSSETUP on domain %s: (%s)\n",
1701                           domain->name, nt_errstr(result)));
1702
1703                 /* if this is just a non-AD domain we need to continue
1704                  * identifying so that we can in the end return with
1705                  * domain->initialized = True - gd */
1706
1707                 goto no_dssetup;
1708         }
1709
1710         result = rpccli_dssetup_DsRoleGetPrimaryDomainInformation(cli, mem_ctx,
1711                                                                   DS_ROLE_BASIC_INFORMATION,
1712                                                                   &info,
1713                                                                   &werr);
1714         cli_rpc_pipe_close(cli);
1715
1716         if (!NT_STATUS_IS_OK(result)) {
1717                 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
1718                           "on domain %s failed: (%s)\n",
1719                           domain->name, nt_errstr(result)));
1720
1721                 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
1722                  * every opcode on the DSSETUP pipe, continue with
1723                  * no_dssetup mode here as well to get domain->initialized
1724                  * set - gd */
1725
1726                 if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
1727                         goto no_dssetup;
1728                 }
1729
1730                 TALLOC_FREE(mem_ctx);
1731                 return;
1732         }
1733
1734         if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
1735             !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
1736                 domain->native_mode = True;
1737         } else {
1738                 domain->native_mode = False;
1739         }
1740
1741 no_dssetup:
1742         cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC, &result);
1743
1744         if (cli == NULL) {
1745                 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1746                           "PI_LSARPC on domain %s: (%s)\n",
1747                           domain->name, nt_errstr(result)));
1748                 cli_rpc_pipe_close(cli);
1749                 TALLOC_FREE(mem_ctx);
1750                 return;
1751         }
1752
1753         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
1754                                          SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
1755                 
1756         if (NT_STATUS_IS_OK(result)) {
1757                 /* This particular query is exactly what Win2k clients use 
1758                    to determine that the DC is active directory */
1759                 result = rpccli_lsa_QueryInfoPolicy2(cli, mem_ctx,
1760                                                      &pol,
1761                                                      LSA_POLICY_INFO_DNS,
1762                                                      &lsa_info);
1763         }
1764
1765         if (NT_STATUS_IS_OK(result)) {
1766                 domain->active_directory = True;
1767
1768                 if (lsa_info->dns.name.string) {
1769                         fstrcpy(domain->name, lsa_info->dns.name.string);
1770                 }
1771
1772                 if (lsa_info->dns.dns_domain.string) {
1773                         fstrcpy(domain->alt_name,
1774                                 lsa_info->dns.dns_domain.string);
1775                 }
1776
1777                 /* See if we can set some domain trust flags about
1778                    ourself */
1779
1780                 if (lsa_info->dns.dns_forest.string) {
1781                         fstrcpy(domain->forest_name,
1782                                 lsa_info->dns.dns_forest.string);
1783
1784                         if (strequal(domain->forest_name, domain->alt_name)) {
1785                                 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
1786                         }
1787                 }
1788
1789                 if (lsa_info->dns.sid) {
1790                         sid_copy(&domain->sid, lsa_info->dns.sid);
1791                 }
1792         } else {
1793                 domain->active_directory = False;
1794
1795                 result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
1796                                                 SEC_RIGHTS_MAXIMUM_ALLOWED,
1797                                                 &pol);
1798
1799                 if (!NT_STATUS_IS_OK(result)) {
1800                         goto done;
1801                 }
1802
1803                 result = rpccli_lsa_QueryInfoPolicy(cli, mem_ctx,
1804                                                     &pol,
1805                                                     LSA_POLICY_INFO_ACCOUNT_DOMAIN,
1806                                                     &lsa_info);
1807
1808                 if (NT_STATUS_IS_OK(result)) {
1809
1810                         if (lsa_info->account_domain.name.string) {
1811                                 fstrcpy(domain->name,
1812                                         lsa_info->account_domain.name.string);
1813                         }
1814
1815                         if (lsa_info->account_domain.sid) {
1816                                 sid_copy(&domain->sid, lsa_info->account_domain.sid);
1817                         }
1818                 }
1819         }
1820 done:
1821
1822         DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
1823                   domain->name, domain->native_mode ? "" : "NOT "));
1824
1825         DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
1826                   domain->name, domain->active_directory ? "" : "NOT "));
1827
1828         cli_rpc_pipe_close(cli);
1829
1830         TALLOC_FREE(mem_ctx);
1831
1832         domain->initialized = True;
1833 }
1834
1835 /**********************************************************************
1836  Set the domain_flags (trust attributes, domain operating modes, etc... 
1837 ***********************************************************************/
1838
1839 static void set_dc_type_and_flags( struct winbindd_domain *domain )
1840 {
1841         /* we always have to contact our primary domain */
1842
1843         if ( domain->primary ) {
1844                 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
1845                           "primary domain\n"));
1846                 set_dc_type_and_flags_connect( domain );
1847                 return;         
1848         }
1849
1850         /* Use our DC to get the information if possible */
1851
1852         if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
1853                 /* Otherwise, fallback to contacting the 
1854                    domain directly */
1855                 set_dc_type_and_flags_connect( domain );
1856         }
1857
1858         return;
1859 }
1860
1861
1862
1863 /**********************************************************************
1864 ***********************************************************************/
1865
1866 static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain,
1867                                    struct dcinfo **ppdc)
1868 {
1869         NTSTATUS result;
1870         struct rpc_pipe_client *netlogon_pipe;
1871
1872         if (lp_client_schannel() == False) {
1873                 return False;
1874         }
1875
1876         result = cm_connect_netlogon(domain, &netlogon_pipe);
1877         if (!NT_STATUS_IS_OK(result)) {
1878                 return False;
1879         }
1880
1881         /* Return a pointer to the struct dcinfo from the
1882            netlogon pipe. */
1883
1884         *ppdc = domain->conn.netlogon_pipe->dc;
1885         return True;
1886 }
1887
1888 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
1889                         struct rpc_pipe_client **cli, POLICY_HND *sam_handle)
1890 {
1891         struct winbindd_cm_conn *conn;
1892         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1893         fstring conn_pwd;
1894         struct dcinfo *p_dcinfo;
1895         char *machine_password = NULL;
1896         char *machine_account = NULL;
1897         char *domain_name = NULL;
1898
1899         result = init_dc_connection(domain);
1900         if (!NT_STATUS_IS_OK(result)) {
1901                 return result;
1902         }
1903
1904         conn = &domain->conn;
1905
1906         if (conn->samr_pipe != NULL) {
1907                 goto done;
1908         }
1909
1910         /*
1911          * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
1912          * sign and sealed pipe using the machine account password by
1913          * preference. If we can't - try schannel, if that fails, try
1914          * anonymous.
1915          */
1916
1917         pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
1918         if ((conn->cli->user_name[0] == '\0') ||
1919             (conn->cli->domain[0] == '\0') || 
1920             (conn_pwd[0] == '\0'))
1921         {
1922                 result = get_trust_creds(domain, &machine_password,
1923                                          &machine_account, NULL);
1924                 if (!NT_STATUS_IS_OK(result)) {
1925                         DEBUG(10, ("cm_connect_sam: No no user available for "
1926                                    "domain %s, trying schannel\n", conn->cli->domain));
1927                         goto schannel;
1928                 }
1929                 domain_name = domain->name;
1930         } else {
1931                 machine_password = SMB_STRDUP(conn_pwd);                
1932                 machine_account = SMB_STRDUP(conn->cli->user_name);
1933                 domain_name = conn->cli->domain;
1934         }
1935
1936         if (!machine_password || !machine_account) {
1937                 result = NT_STATUS_NO_MEMORY;
1938                 goto done;
1939         }
1940
1941         /* We have an authenticated connection. Use a NTLMSSP SPNEGO
1942            authenticated SAMR pipe with sign & seal. */
1943         conn->samr_pipe =
1944                 cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR,
1945                                                  PIPE_AUTH_LEVEL_PRIVACY,
1946                                                  domain_name,
1947                                                  machine_account,
1948                                                  machine_password, &result);
1949
1950         if (conn->samr_pipe == NULL) {
1951                 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
1952                           "pipe for domain %s using NTLMSSP "
1953                           "authenticated pipe: user %s\\%s. Error was "
1954                           "%s\n", domain->name, domain_name,
1955                           machine_account, nt_errstr(result)));
1956                 goto schannel;
1957         }
1958
1959         DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
1960                   "domain %s using NTLMSSP authenticated "
1961                   "pipe: user %s\\%s\n", domain->name,
1962                   domain_name, machine_account));
1963
1964         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
1965                                       conn->samr_pipe->desthost,
1966                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
1967                                       &conn->sam_connect_handle);
1968         if (NT_STATUS_IS_OK(result)) {
1969                 goto open_domain;
1970         }
1971         DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_Connect2 "
1972                   "failed for domain %s, error was %s. Trying schannel\n",
1973                   domain->name, nt_errstr(result) ));
1974         cli_rpc_pipe_close(conn->samr_pipe);
1975
1976  schannel:
1977
1978         /* Fall back to schannel if it's a W2K pre-SP1 box. */
1979
1980         if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
1981                 /* If this call fails - conn->cli can now be NULL ! */
1982                 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
1983                            "for domain %s, trying anon\n", domain->name));
1984                 goto anonymous;
1985         }
1986         conn->samr_pipe = cli_rpc_pipe_open_schannel_with_key
1987                 (conn->cli, PI_SAMR, PIPE_AUTH_LEVEL_PRIVACY,
1988                  domain->name, p_dcinfo, &result);
1989
1990         if (conn->samr_pipe == NULL) {
1991                 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
1992                           "domain %s using schannel. Error was %s\n",
1993                           domain->name, nt_errstr(result) ));
1994                 goto anonymous;
1995         }
1996         DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
1997                   "schannel.\n", domain->name ));
1998
1999         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2000                                       conn->samr_pipe->desthost,
2001                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
2002                                       &conn->sam_connect_handle);
2003         if (NT_STATUS_IS_OK(result)) {
2004                 goto open_domain;
2005         }
2006         DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_Connect2 failed "
2007                   "for domain %s, error was %s. Trying anonymous\n",
2008                   domain->name, nt_errstr(result) ));
2009         cli_rpc_pipe_close(conn->samr_pipe);
2010
2011  anonymous:
2012
2013         /* Finally fall back to anonymous. */
2014         conn->samr_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_SAMR,
2015                                                    &result);
2016
2017         if (conn->samr_pipe == NULL) {
2018                 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2019                 goto done;
2020         }
2021
2022         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2023                                       conn->samr_pipe->desthost,
2024                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
2025                                       &conn->sam_connect_handle);
2026         if (!NT_STATUS_IS_OK(result)) {
2027                 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2028                           "for domain %s Error was %s\n",
2029                           domain->name, nt_errstr(result) ));
2030                 goto done;
2031         }
2032
2033  open_domain:
2034         result = rpccli_samr_OpenDomain(conn->samr_pipe,
2035                                         mem_ctx,
2036                                         &conn->sam_connect_handle,
2037                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
2038                                         &domain->sid,
2039                                         &conn->sam_domain_handle);
2040
2041  done:
2042
2043         if (!NT_STATUS_IS_OK(result)) {
2044                 invalidate_cm_connection(conn);
2045                 return result;
2046         }
2047
2048         *cli = conn->samr_pipe;
2049         *sam_handle = conn->sam_domain_handle;
2050         SAFE_FREE(machine_password);
2051         SAFE_FREE(machine_account);
2052         return result;
2053 }
2054
2055 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2056                         struct rpc_pipe_client **cli, POLICY_HND *lsa_policy)
2057 {
2058         struct winbindd_cm_conn *conn;
2059         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2060         fstring conn_pwd;
2061         struct dcinfo *p_dcinfo;
2062
2063         result = init_dc_connection(domain);
2064         if (!NT_STATUS_IS_OK(result))
2065                 return result;
2066
2067         conn = &domain->conn;
2068
2069         if (conn->lsa_pipe != NULL) {
2070                 goto done;
2071         }
2072
2073         pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
2074         if ((conn->cli->user_name[0] == '\0') ||
2075             (conn->cli->domain[0] == '\0') || 
2076             (conn_pwd[0] == '\0')) {
2077                 DEBUG(10, ("cm_connect_lsa: No no user available for "
2078                            "domain %s, trying schannel\n", conn->cli->domain));
2079                 goto schannel;
2080         }
2081
2082         /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2083          * authenticated LSA pipe with sign & seal. */
2084         conn->lsa_pipe = cli_rpc_pipe_open_spnego_ntlmssp
2085                 (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
2086                  conn->cli->domain, conn->cli->user_name, conn_pwd, &result);
2087
2088         if (conn->lsa_pipe == NULL) {
2089                 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2090                           "domain %s using NTLMSSP authenticated pipe: user "
2091                           "%s\\%s. Error was %s. Trying schannel.\n",
2092                           domain->name, conn->cli->domain,
2093                           conn->cli->user_name, nt_errstr(result)));
2094                 goto schannel;
2095         }
2096
2097         DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2098                   "NTLMSSP authenticated pipe: user %s\\%s\n",
2099                   domain->name, conn->cli->domain, conn->cli->user_name ));
2100
2101         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2102                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
2103                                         &conn->lsa_policy);
2104         if (NT_STATUS_IS_OK(result)) {
2105                 goto done;
2106         }
2107
2108         DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2109                   "schannel\n"));
2110
2111         cli_rpc_pipe_close(conn->lsa_pipe);
2112
2113  schannel:
2114
2115         /* Fall back to schannel if it's a W2K pre-SP1 box. */
2116
2117         if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
2118                 /* If this call fails - conn->cli can now be NULL ! */
2119                 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2120                            "for domain %s, trying anon\n", domain->name));
2121                 goto anonymous;
2122         }
2123         conn->lsa_pipe = cli_rpc_pipe_open_schannel_with_key
2124                 (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
2125                  domain->name, p_dcinfo, &result);
2126
2127         if (conn->lsa_pipe == NULL) {
2128                 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2129                           "domain %s using schannel. Error was %s\n",
2130                           domain->name, nt_errstr(result) ));
2131                 goto anonymous;
2132         }
2133         DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2134                   "schannel.\n", domain->name ));
2135
2136         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2137                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
2138                                         &conn->lsa_policy);
2139         if (NT_STATUS_IS_OK(result)) {
2140                 goto done;
2141         }
2142
2143         DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2144                   "anonymous\n"));
2145
2146         cli_rpc_pipe_close(conn->lsa_pipe);
2147
2148  anonymous:
2149
2150         conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_LSARPC,
2151                                                   &result);
2152         if (conn->lsa_pipe == NULL) {
2153                 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2154                 goto done;
2155         }
2156
2157         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2158                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
2159                                         &conn->lsa_policy);
2160  done:
2161         if (!NT_STATUS_IS_OK(result)) {
2162                 invalidate_cm_connection(conn);
2163                 return result;
2164         }
2165
2166         *cli = conn->lsa_pipe;
2167         *lsa_policy = conn->lsa_policy;
2168         return result;
2169 }
2170
2171 /****************************************************************************
2172  Open the netlogon pipe to this DC. Use schannel if specified in client conf.
2173  session key stored in conn->netlogon_pipe->dc->sess_key.
2174 ****************************************************************************/
2175
2176 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2177                              struct rpc_pipe_client **cli)
2178 {
2179         struct winbindd_cm_conn *conn;
2180         NTSTATUS result;
2181
2182         uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2183         uint8  mach_pwd[16];
2184         uint32  sec_chan_type;
2185         const char *account_name;
2186         struct rpc_pipe_client *netlogon_pipe = NULL;
2187
2188         *cli = NULL;
2189
2190         result = init_dc_connection(domain);
2191         if (!NT_STATUS_IS_OK(result)) {
2192                 return result;
2193         }
2194
2195         conn = &domain->conn;
2196
2197         if (conn->netlogon_pipe != NULL) {
2198                 *cli = conn->netlogon_pipe;
2199                 return NT_STATUS_OK;
2200         }
2201
2202         netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
2203                                                  &result);
2204         if (netlogon_pipe == NULL) {
2205                 return result;
2206         }
2207
2208         if ((!IS_DC) && (!domain->primary)) {
2209                 /* Clear the schannel request bit and drop down */
2210                 neg_flags &= ~NETLOGON_NEG_SCHANNEL;            
2211                 goto no_schannel;
2212         }
2213
2214         if (lp_client_schannel() != False) {
2215                 neg_flags |= NETLOGON_NEG_SCHANNEL;
2216         }
2217
2218         if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
2219                                &sec_chan_type))
2220         {
2221                 cli_rpc_pipe_close(netlogon_pipe);
2222                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2223         }
2224
2225         result = rpccli_netlogon_setup_creds(
2226                  netlogon_pipe,
2227                  domain->dcname, /* server name. */
2228                  domain->name,   /* domain name */
2229                  global_myname(), /* client name */
2230                  account_name,   /* machine account */
2231                  mach_pwd,       /* machine password */
2232                  sec_chan_type,  /* from get_trust_pw */
2233                  &neg_flags);
2234
2235         if (!NT_STATUS_IS_OK(result)) {
2236                 cli_rpc_pipe_close(netlogon_pipe);
2237                 return result;
2238         }
2239
2240         if ((lp_client_schannel() == True) &&
2241                         ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2242                 DEBUG(3, ("Server did not offer schannel\n"));
2243                 cli_rpc_pipe_close(netlogon_pipe);
2244                 return NT_STATUS_ACCESS_DENIED;
2245         }
2246
2247  no_schannel:
2248         if ((lp_client_schannel() == False) ||
2249                         ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2250                 /*
2251                  * NetSamLogonEx only works for schannel
2252                  */
2253                 domain->can_do_samlogon_ex = False;
2254
2255                 /* We're done - just keep the existing connection to NETLOGON
2256                  * open */
2257                 conn->netlogon_pipe = netlogon_pipe;
2258                 *cli = conn->netlogon_pipe;
2259                 return NT_STATUS_OK;
2260         }
2261
2262         /* Using the credentials from the first pipe, open a signed and sealed
2263            second netlogon pipe. The session key is stored in the schannel
2264            part of the new pipe auth struct.
2265         */
2266
2267         conn->netlogon_pipe =
2268                 cli_rpc_pipe_open_schannel_with_key(conn->cli,
2269                                                     PI_NETLOGON,
2270                                                     PIPE_AUTH_LEVEL_PRIVACY,
2271                                                     domain->name,
2272                                                     netlogon_pipe->dc,
2273                                                     &result);
2274
2275         /* We can now close the initial netlogon pipe. */
2276         cli_rpc_pipe_close(netlogon_pipe);
2277
2278         if (conn->netlogon_pipe == NULL) {
2279                 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
2280                           "was %s\n", nt_errstr(result)));
2281                           
2282                 /* make sure we return something besides OK */
2283                 return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
2284         }
2285
2286         /*
2287          * Try NetSamLogonEx for AD domains
2288          */
2289         domain->can_do_samlogon_ex = domain->active_directory;
2290
2291         *cli = conn->netlogon_pipe;
2292         return NT_STATUS_OK;
2293 }