Replace cli_rpc_pipe_close by a talloc destructor on rpc_pipe_struct
[kai/samba.git] / source3 / winbindd / winbindd_cm.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon connection manager
5
6    Copyright (C) Tim Potter                2001
7    Copyright (C) Andrew Bartlett           2002
8    Copyright (C) Gerald (Jerry) Carter     2003-2005.
9    Copyright (C) Volker Lendecke           2004-2005
10    Copyright (C) Jeremy Allison            2006
11    
12    This program is free software; you can redistribute it and/or modify
13    it under the terms of the GNU General Public License as published by
14    the Free Software Foundation; either version 3 of the License, or
15    (at your option) any later version.
16    
17    This program is distributed in the hope that it will be useful,
18    but WITHOUT ANY WARRANTY; without even the implied warranty of
19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20    GNU General Public License for more details.
21    
22    You should have received a copy of the GNU General Public License
23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27    We need to manage connections to domain controllers without having to
28    mess up the main winbindd code with other issues.  The aim of the
29    connection manager is to:
30   
31        - make connections to domain controllers and cache them
32        - re-establish connections when networks or servers go down
33        - centralise the policy on connection timeouts, domain controller
34          selection etc
35        - manage re-entrancy for when winbindd becomes able to handle
36          multiple outstanding rpc requests
37   
38    Why not have connection management as part of the rpc layer like tng?
39    Good question.  This code may morph into libsmb/rpc_cache.c or something
40    like that but at the moment it's simply staying as part of winbind.  I
41    think the TNG architecture of forcing every user of the rpc layer to use
42    the connection caching system is a bad idea.  It should be an optional
43    method of using the routines.
44
45    The TNG design is quite good but I disagree with some aspects of the
46    implementation. -tpot
47
48  */
49
50 /*
51    TODO:
52
53      - I'm pretty annoyed by all the make_nmb_name() stuff.  It should be
54        moved down into another function.
55
56      - Take care when destroying cli_structs as they can be shared between
57        various sam handles.
58
59  */
60
61 #include "includes.h"
62 #include "winbindd.h"
63
64 #undef DBGC_CLASS
65 #define DBGC_CLASS DBGC_WINBIND
66
67 struct dc_name_ip {
68         fstring name;
69         struct sockaddr_storage ss;
70 };
71
72 extern struct winbindd_methods reconnect_methods;
73 extern bool override_logfile;
74
75 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
76 static void set_dc_type_and_flags( struct winbindd_domain *domain );
77 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
78                     struct dc_name_ip **dcs, int *num_dcs);
79
80 /****************************************************************
81  Child failed to find DC's. Reschedule check.
82 ****************************************************************/
83
84 static void msg_failed_to_go_online(struct messaging_context *msg,
85                                     void *private_data,
86                                     uint32_t msg_type,
87                                     struct server_id server_id,
88                                     DATA_BLOB *data)
89 {
90         struct winbindd_domain *domain;
91         const char *domainname = (const char *)data->data;
92
93         if (data->data == NULL || data->length == 0) {
94                 return;
95         }
96
97         DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
98
99         for (domain = domain_list(); domain; domain = domain->next) {
100                 if (domain->internal) {
101                         continue;
102                 }
103
104                 if (strequal(domain->name, domainname)) {
105                         if (domain->online) {
106                                 /* We're already online, ignore. */
107                                 DEBUG(5,("msg_fail_to_go_online: domain %s "
108                                         "already online.\n", domainname));
109                                 continue;
110                         }
111
112                         /* Reschedule the online check. */
113                         set_domain_offline(domain);
114                         break;
115                 }
116         }
117 }
118
119 /****************************************************************
120  Actually cause a reconnect from a message.
121 ****************************************************************/
122
123 static void msg_try_to_go_online(struct messaging_context *msg,
124                                  void *private_data,
125                                  uint32_t msg_type,
126                                  struct server_id server_id,
127                                  DATA_BLOB *data)
128 {
129         struct winbindd_domain *domain;
130         const char *domainname = (const char *)data->data;
131
132         if (data->data == NULL || data->length == 0) {
133                 return;
134         }
135
136         DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
137
138         for (domain = domain_list(); domain; domain = domain->next) {
139                 if (domain->internal) {
140                         continue;
141                 }
142
143                 if (strequal(domain->name, domainname)) {
144
145                         if (domain->online) {
146                                 /* We're already online, ignore. */
147                                 DEBUG(5,("msg_try_to_go_online: domain %s "
148                                         "already online.\n", domainname));
149                                 continue;
150                         }
151
152                         /* This call takes care of setting the online
153                            flag to true if we connected, or re-adding
154                            the offline handler if false. Bypasses online
155                            check so always does network calls. */
156
157                         init_dc_connection_network(domain);
158                         break;
159                 }
160         }
161 }
162
163 /****************************************************************
164  Fork a child to try and contact a DC. Do this as contacting a
165  DC requires blocking lookups and we don't want to block our
166  parent.
167 ****************************************************************/
168
169 static bool fork_child_dc_connect(struct winbindd_domain *domain)
170 {
171         struct dc_name_ip *dcs = NULL;
172         int num_dcs = 0;
173         TALLOC_CTX *mem_ctx = NULL;
174         pid_t child_pid;
175         pid_t parent_pid = sys_getpid();
176
177         /* Stop zombies */
178         CatchChild();
179
180         child_pid = sys_fork();
181
182         if (child_pid == -1) {
183                 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
184                 return False;
185         }
186
187         if (child_pid != 0) {
188                 /* Parent */
189                 messaging_register(winbind_messaging_context(), NULL,
190                                    MSG_WINBIND_TRY_TO_GO_ONLINE,
191                                    msg_try_to_go_online);
192                 messaging_register(winbind_messaging_context(), NULL,
193                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
194                                    msg_failed_to_go_online);
195                 return True;
196         }
197
198         /* Child. */
199
200         /* Leave messages blocked - we will never process one. */
201
202         if (!reinit_after_fork(winbind_messaging_context())) {
203                 DEBUG(0,("reinit_after_fork() failed\n"));
204                 _exit(0);
205         }
206
207         close_conns_after_fork();
208
209         if (!override_logfile) {
210                 char *logfile;
211                 if (asprintf(&logfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) > 0) {
212                         lp_set_logfile(logfile);
213                         SAFE_FREE(logfile);
214                         reopen_logs();
215                 }
216         }
217
218         mem_ctx = talloc_init("fork_child_dc_connect");
219         if (!mem_ctx) {
220                 DEBUG(0,("talloc_init failed.\n"));
221                 _exit(0);
222         }
223
224         if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
225                 /* Still offline ? Can't find DC's. */
226                 messaging_send_buf(winbind_messaging_context(),
227                                    pid_to_procid(parent_pid),
228                                    MSG_WINBIND_FAILED_TO_GO_ONLINE,
229                                    (uint8 *)domain->name,
230                                    strlen(domain->name)+1);
231                 _exit(0);
232         }
233
234         /* We got a DC. Send a message to our parent to get it to
235            try and do the same. */
236
237         messaging_send_buf(winbind_messaging_context(),
238                            pid_to_procid(parent_pid),
239                            MSG_WINBIND_TRY_TO_GO_ONLINE,
240                            (uint8 *)domain->name,
241                            strlen(domain->name)+1);
242         _exit(0);
243 }
244
245 /****************************************************************
246  Handler triggered if we're offline to try and detect a DC.
247 ****************************************************************/
248
249 static void check_domain_online_handler(struct event_context *ctx,
250                                         struct timed_event *te,
251                                         const struct timeval *now,
252                                         void *private_data)
253 {
254         struct winbindd_domain *domain =
255                 (struct winbindd_domain *)private_data;
256
257         DEBUG(10,("check_domain_online_handler: called for domain "
258                   "%s (online = %s)\n", domain->name, 
259                   domain->online ? "True" : "False" ));
260
261         TALLOC_FREE(domain->check_online_event);
262
263         /* Are we still in "startup" mode ? */
264
265         if (domain->startup && (now->tv_sec > domain->startup_time + 30)) {
266                 /* No longer in "startup" mode. */
267                 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
268                         domain->name ));
269                 domain->startup = False;
270         }
271
272         /* We've been told to stay offline, so stay
273            that way. */
274
275         if (get_global_winbindd_state_offline()) {
276                 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
277                         domain->name ));
278                 return;
279         }
280
281         /* Fork a child to test if it can contact a DC. 
282            If it can then send ourselves a message to
283            cause a reconnect. */
284
285         fork_child_dc_connect(domain);
286 }
287
288 /****************************************************************
289  If we're still offline setup the timeout check.
290 ****************************************************************/
291
292 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
293 {
294         int wbc = lp_winbind_cache_time();
295
296         if (domain->startup) {
297                 domain->check_online_timeout = 10;
298         } else if (domain->check_online_timeout < wbc) {
299                 domain->check_online_timeout = wbc;
300         }
301 }
302
303 /****************************************************************
304  Set domain offline and also add handler to put us back online
305  if we detect a DC.
306 ****************************************************************/
307
308 void set_domain_offline(struct winbindd_domain *domain)
309 {
310         DEBUG(10,("set_domain_offline: called for domain %s\n",
311                 domain->name ));
312
313         TALLOC_FREE(domain->check_online_event);
314
315         if (domain->internal) {
316                 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
317                         domain->name ));
318                 return;
319         }
320
321         domain->online = False;
322
323         /* Offline domains are always initialized. They're
324            re-initialized when they go back online. */
325
326         domain->initialized = True;
327
328         /* We only add the timeout handler that checks and
329            allows us to go back online when we've not
330            been told to remain offline. */
331
332         if (get_global_winbindd_state_offline()) {
333                 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
334                         domain->name ));
335                 return;
336         }
337
338         /* If we're in statup mode, check again in 10 seconds, not in
339            lp_winbind_cache_time() seconds (which is 5 mins by default). */
340
341         calc_new_online_timeout_check(domain);
342
343         domain->check_online_event = event_add_timed(winbind_event_context(),
344                                                 NULL,
345                                                 timeval_current_ofs(domain->check_online_timeout,0),
346                                                 "check_domain_online_handler",
347                                                 check_domain_online_handler,
348                                                 domain);
349
350         /* The above *has* to succeed for winbindd to work. */
351         if (!domain->check_online_event) {
352                 smb_panic("set_domain_offline: failed to add online handler");
353         }
354
355         DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
356                 domain->name ));
357
358         /* Send an offline message to the idmap child when our
359            primary domain goes offline */
360
361         if ( domain->primary ) {
362                 struct winbindd_child *idmap = idmap_child();
363                 
364                 if ( idmap->pid != 0 ) {
365                         messaging_send_buf(winbind_messaging_context(),
366                                            pid_to_procid(idmap->pid), 
367                                            MSG_WINBIND_OFFLINE, 
368                                            (uint8 *)domain->name, 
369                                            strlen(domain->name)+1);
370                 }                       
371         }
372
373         return; 
374 }
375
376 /****************************************************************
377  Set domain online - if allowed.
378 ****************************************************************/
379
380 static void set_domain_online(struct winbindd_domain *domain)
381 {
382         struct timeval now;
383
384         DEBUG(10,("set_domain_online: called for domain %s\n",
385                 domain->name ));
386
387         if (domain->internal) {
388                 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
389                         domain->name ));
390                 return;
391         }
392
393         if (get_global_winbindd_state_offline()) {
394                 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
395                         domain->name ));
396                 return;
397         }
398
399         winbindd_set_locator_kdc_envs(domain);
400
401         /* If we are waiting to get a krb5 ticket, trigger immediately. */
402         GetTimeOfDay(&now);
403         set_event_dispatch_time(winbind_event_context(),
404                                 "krb5_ticket_gain_handler", now);
405
406         /* Ok, we're out of any startup mode now... */
407         domain->startup = False;
408
409         if (domain->online == False) {
410                 /* We were offline - now we're online. We default to
411                    using the MS-RPC backend if we started offline,
412                    and if we're going online for the first time we
413                    should really re-initialize the backends and the
414                    checks to see if we're talking to an AD or NT domain.
415                 */
416
417                 domain->initialized = False;
418
419                 /* 'reconnect_methods' is the MS-RPC backend. */
420                 if (domain->backend == &reconnect_methods) {
421                         domain->backend = NULL;
422                 }
423         }
424
425         /* Ensure we have no online timeout checks. */
426         domain->check_online_timeout = 0;
427         TALLOC_FREE(domain->check_online_event);
428
429         /* Ensure we ignore any pending child messages. */
430         messaging_deregister(winbind_messaging_context(),
431                              MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
432         messaging_deregister(winbind_messaging_context(),
433                              MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
434
435         domain->online = True;
436
437         /* Send an online message to the idmap child when our
438            primary domain comes online */
439
440         if ( domain->primary ) {
441                 struct winbindd_child *idmap = idmap_child();
442                 
443                 if ( idmap->pid != 0 ) {
444                         messaging_send_buf(winbind_messaging_context(),
445                                            pid_to_procid(idmap->pid), 
446                                            MSG_WINBIND_ONLINE, 
447                                            (uint8 *)domain->name, 
448                                            strlen(domain->name)+1);
449                 }                       
450         }
451
452         return; 
453 }
454
455 /****************************************************************
456  Requested to set a domain online.
457 ****************************************************************/
458
459 void set_domain_online_request(struct winbindd_domain *domain)
460 {
461         struct timeval tev;
462
463         DEBUG(10,("set_domain_online_request: called for domain %s\n",
464                 domain->name ));
465
466         if (get_global_winbindd_state_offline()) {
467                 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
468                         domain->name ));
469                 return;
470         }
471
472         /* We've been told it's safe to go online and
473            try and connect to a DC. But I don't believe it
474            because network manager seems to lie.
475            Wait at least 5 seconds. Heuristics suck... */
476
477         if (!domain->check_online_event) {
478                 /* If we've come from being globally offline we
479                    don't have a check online event handler set.
480                    We need to add one now we're trying to go
481                    back online. */
482
483                 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
484                         domain->name ));
485
486                 domain->check_online_event = event_add_timed(winbind_event_context(),
487                                                                 NULL,
488                                                                 timeval_current_ofs(5, 0),
489                                                                 "check_domain_online_handler",
490                                                                 check_domain_online_handler,
491                                                                 domain);
492
493                 /* The above *has* to succeed for winbindd to work. */
494                 if (!domain->check_online_event) {
495                         smb_panic("set_domain_online_request: failed to add online handler");
496                 }
497         }
498
499         GetTimeOfDay(&tev);
500
501         /* Go into "startup" mode again. */
502         domain->startup_time = tev.tv_sec;
503         domain->startup = True;
504
505         tev.tv_sec += 5;
506
507         set_event_dispatch_time(winbind_event_context(), "check_domain_online_handler", tev);
508 }
509
510 /****************************************************************
511  Add -ve connection cache entries for domain and realm.
512 ****************************************************************/
513
514 void winbind_add_failed_connection_entry(const struct winbindd_domain *domain,
515                                         const char *server,
516                                         NTSTATUS result)
517 {
518         add_failed_connection_entry(domain->name, server, result);
519         /* If this was the saf name for the last thing we talked to,
520            remove it. */
521         saf_delete(domain->name);
522         if (*domain->alt_name) {
523                 add_failed_connection_entry(domain->alt_name, server, result);
524                 saf_delete(domain->alt_name);
525         }
526         winbindd_unset_locator_kdc_env(domain);
527 }
528
529 /* Choose between anonymous or authenticated connections.  We need to use
530    an authenticated connection if DCs have the RestrictAnonymous registry
531    entry set > 0, or the "Additional restrictions for anonymous
532    connections" set in the win2k Local Security Policy. 
533    
534    Caller to free() result in domain, username, password
535 */
536
537 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
538 {
539         *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
540         *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
541         *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
542         
543         if (*username && **username) {
544
545                 if (!*domain || !**domain)
546                         *domain = smb_xstrdup(lp_workgroup());
547                 
548                 if (!*password || !**password)
549                         *password = smb_xstrdup("");
550
551                 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n", 
552                           *domain, *username));
553
554         } else {
555                 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
556                 *username = smb_xstrdup("");
557                 *domain = smb_xstrdup("");
558                 *password = smb_xstrdup("");
559         }
560 }
561
562 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
563                                      fstring dcname,
564                                      struct sockaddr_storage *dc_ss)
565 {
566         struct winbindd_domain *our_domain = NULL;
567         struct rpc_pipe_client *netlogon_pipe = NULL;
568         NTSTATUS result;
569         WERROR werr;
570         TALLOC_CTX *mem_ctx;
571         unsigned int orig_timeout;
572         const char *tmp = NULL;
573         const char *p;
574
575         /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
576          * moment.... */
577
578         if (IS_DC) {
579                 return False;
580         }
581
582         if (domain->primary) {
583                 return False;
584         }
585
586         our_domain = find_our_domain();
587
588         if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
589                 return False;
590         }
591
592         result = cm_connect_netlogon(our_domain, &netlogon_pipe);
593         if (!NT_STATUS_IS_OK(result)) {
594                 talloc_destroy(mem_ctx);
595                 return False;
596         }
597
598         /* This call can take a long time - allow the server to time out.
599            35 seconds should do it. */
600
601         orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
602
603         if (our_domain->active_directory) {
604                 struct netr_DsRGetDCNameInfo *domain_info = NULL;
605
606                 result = rpccli_netr_DsRGetDCName(netlogon_pipe,
607                                                   mem_ctx,
608                                                   our_domain->dcname,
609                                                   domain->name,
610                                                   NULL,
611                                                   NULL,
612                                                   DS_RETURN_DNS_NAME,
613                                                   &domain_info,
614                                                   &werr);
615                 if (W_ERROR_IS_OK(werr)) {
616                         tmp = talloc_strdup(
617                                 mem_ctx, domain_info->dc_unc);
618                         if (tmp == NULL) {
619                                 DEBUG(0, ("talloc_strdup failed\n"));
620                                 talloc_destroy(mem_ctx);
621                                 return false;
622                         }
623                         if (strlen(domain->alt_name) == 0) {
624                                 fstrcpy(domain->alt_name,
625                                         domain_info->domain_name);
626                         }
627                         if (strlen(domain->forest_name) == 0) {
628                                 fstrcpy(domain->forest_name,
629                                         domain_info->forest_name);
630                         }
631                 }
632         } else {
633                 result = rpccli_netr_GetAnyDCName(netlogon_pipe, mem_ctx,
634                                                   our_domain->dcname,
635                                                   domain->name,
636                                                   &tmp,
637                                                   &werr);
638         }
639
640         /* And restore our original timeout. */
641         rpccli_set_timeout(netlogon_pipe, orig_timeout);
642
643         if (!NT_STATUS_IS_OK(result)) {
644                 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
645                         nt_errstr(result)));
646                 talloc_destroy(mem_ctx);
647                 return false;
648         }
649
650         if (!W_ERROR_IS_OK(werr)) {
651                 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
652                            dos_errstr(werr)));
653                 talloc_destroy(mem_ctx);
654                 return false;
655         }
656
657         /* rpccli_netr_GetAnyDCName gives us a name with \\ */
658         p = tmp;
659         if (*p == '\\') {
660                 p+=1;
661         }
662         if (*p == '\\') {
663                 p+=1;
664         }
665
666         fstrcpy(dcname, p);
667
668         talloc_destroy(mem_ctx);
669
670         DEBUG(10,("rpccli_netr_GetAnyDCName returned %s\n", dcname));
671
672         if (!resolve_name(dcname, dc_ss, 0x20)) {
673                 return False;
674         }
675
676         return True;
677 }
678
679 /**
680  * Helper function to assemble trust password and account name
681  */
682 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
683                                 char **machine_password,
684                                 char **machine_account,
685                                 char **machine_krb5_principal)
686 {
687         const char *account_name;
688         const char *name = NULL;
689         
690         /* If we are a DC and this is not our own domain */
691
692         if (IS_DC) {
693                 name = domain->name;
694         } else {
695                 struct winbindd_domain *our_domain = find_our_domain();
696
697                 if (!our_domain)
698                         return NT_STATUS_INVALID_SERVER_STATE;          
699                 
700                 name = our_domain->name;                
701         }       
702         
703         if (!get_trust_pw_clear(name, machine_password,
704                                 &account_name, NULL))
705         {
706                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
707         }
708
709         if ((machine_account != NULL) &&
710             (asprintf(machine_account, "%s$", account_name) == -1))
711         {
712                 return NT_STATUS_NO_MEMORY;
713         }
714
715         /* this is at least correct when domain is our domain,
716          * which is the only case, when this is currently used: */
717         if (machine_krb5_principal != NULL)
718         {
719                 if (asprintf(machine_krb5_principal, "%s$@%s",
720                              account_name, domain->alt_name) == -1)
721                 {
722                         return NT_STATUS_NO_MEMORY;
723                 }
724
725                 strupper_m(*machine_krb5_principal);
726         }
727
728         return NT_STATUS_OK;
729 }
730
731 /************************************************************************
732  Given a fd with a just-connected TCP connection to a DC, open a connection
733  to the pipe.
734 ************************************************************************/
735
736 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
737                                       const int sockfd,
738                                       const char *controller,
739                                       struct cli_state **cli,
740                                       bool *retry)
741 {
742         char *machine_password = NULL;
743         char *machine_krb5_principal = NULL;
744         char *machine_account = NULL;
745         char *ipc_username = NULL;
746         char *ipc_domain = NULL;
747         char *ipc_password = NULL;
748
749         struct named_mutex *mutex;
750
751         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
752
753         struct sockaddr peeraddr;
754         socklen_t peeraddr_len;
755
756         struct sockaddr_in *peeraddr_in = (struct sockaddr_in *)&peeraddr;
757
758         DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
759                 controller, domain->name ));
760
761         *retry = True;
762
763         mutex = grab_named_mutex(talloc_tos(), controller,
764                                  WINBIND_SERVER_MUTEX_WAIT_TIME);
765         if (mutex == NULL) {
766                 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
767                          controller));
768                 result = NT_STATUS_POSSIBLE_DEADLOCK;
769                 goto done;
770         }
771
772         if ((*cli = cli_initialise()) == NULL) {
773                 DEBUG(1, ("Could not cli_initialize\n"));
774                 result = NT_STATUS_NO_MEMORY;
775                 goto done;
776         }
777
778         (*cli)->timeout = 10000;        /* 10 seconds */
779         (*cli)->fd = sockfd;
780         fstrcpy((*cli)->desthost, controller);
781         (*cli)->use_kerberos = True;
782
783         peeraddr_len = sizeof(peeraddr);
784
785         if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0) ||
786             (peeraddr_len != sizeof(struct sockaddr_in)) ||
787             (peeraddr_in->sin_family != PF_INET))
788         {
789                 DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
790                 result = NT_STATUS_UNSUCCESSFUL;
791                 goto done;
792         }
793
794         if (ntohs(peeraddr_in->sin_port) == 139) {
795                 struct nmb_name calling;
796                 struct nmb_name called;
797
798                 make_nmb_name(&calling, global_myname(), 0x0);
799                 make_nmb_name(&called, "*SMBSERVER", 0x20);
800
801                 if (!cli_session_request(*cli, &calling, &called)) {
802                         DEBUG(8, ("cli_session_request failed for %s\n",
803                                   controller));
804                         result = NT_STATUS_UNSUCCESSFUL;
805                         goto done;
806                 }
807         }
808
809         cli_setup_signing_state(*cli, Undefined);
810
811         if (!cli_negprot(*cli)) {
812                 DEBUG(1, ("cli_negprot failed\n"));
813                 result = NT_STATUS_UNSUCCESSFUL;
814                 goto done;
815         }
816
817         if (!is_trusted_domain_situation(domain->name) &&
818             (*cli)->protocol >= PROTOCOL_NT1 &&
819             (*cli)->capabilities & CAP_EXTENDED_SECURITY)
820         {
821                 ADS_STATUS ads_status;
822
823                 result = get_trust_creds(domain, &machine_password,
824                                          &machine_account,
825                                          &machine_krb5_principal);
826                 if (!NT_STATUS_IS_OK(result)) {
827                         goto anon_fallback;
828                 }
829
830                 if (lp_security() == SEC_ADS) {
831
832                         /* Try a krb5 session */
833
834                         (*cli)->use_kerberos = True;
835                         DEBUG(5, ("connecting to %s from %s with kerberos principal "
836                                   "[%s]\n", controller, global_myname(),
837                                   machine_krb5_principal));
838
839                         winbindd_set_locator_kdc_envs(domain);
840
841                         ads_status = cli_session_setup_spnego(*cli,
842                                                               machine_krb5_principal, 
843                                                               machine_password, 
844                                                               domain->name);
845
846                         if (!ADS_ERR_OK(ads_status)) {
847                                 DEBUG(4,("failed kerberos session setup with %s\n",
848                                          ads_errstr(ads_status)));
849                         }
850
851                         result = ads_ntstatus(ads_status);
852                         if (NT_STATUS_IS_OK(result)) {
853                                 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
854                                 cli_init_creds(*cli, machine_account, domain->name, machine_password);
855                                 goto session_setup_done;
856                         }
857                 }
858
859                 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
860                 (*cli)->use_kerberos = False;
861
862                 DEBUG(5, ("connecting to %s from %s with username "
863                           "[%s]\\[%s]\n",  controller, global_myname(),
864                           domain->name, machine_account));
865
866                 ads_status = cli_session_setup_spnego(*cli,
867                                                       machine_account, 
868                                                       machine_password, 
869                                                       domain->name);
870                 if (!ADS_ERR_OK(ads_status)) {
871                         DEBUG(4, ("authenticated session setup failed with %s\n",
872                                 ads_errstr(ads_status)));
873                 }
874
875                 result = ads_ntstatus(ads_status);
876                 if (NT_STATUS_IS_OK(result)) {
877                         /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
878                         cli_init_creds(*cli, machine_account, domain->name, machine_password);
879                         goto session_setup_done;
880                 }
881         }
882
883         /* Fall back to non-kerberos session setup with auth_user */
884
885         (*cli)->use_kerberos = False;
886
887         cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
888
889         if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
890             (strlen(ipc_username) > 0)) {
891
892                 /* Only try authenticated if we have a username */
893
894                 DEBUG(5, ("connecting to %s from %s with username "
895                           "[%s]\\[%s]\n",  controller, global_myname(),
896                           ipc_domain, ipc_username));
897
898                 if (NT_STATUS_IS_OK(cli_session_setup(
899                                             *cli, ipc_username,
900                                             ipc_password, strlen(ipc_password)+1,
901                                             ipc_password, strlen(ipc_password)+1,
902                                             ipc_domain))) {
903                         /* Successful logon with given username. */
904                         cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
905                         goto session_setup_done;
906                 } else {
907                         DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
908                                 ipc_domain, ipc_username ));
909                 }
910         }
911
912  anon_fallback:
913
914         /* Fall back to anonymous connection, this might fail later */
915
916         if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
917                                               NULL, 0, ""))) {
918                 DEBUG(5, ("Connected anonymously\n"));
919                 cli_init_creds(*cli, "", "", "");
920                 goto session_setup_done;
921         }
922
923         result = cli_nt_error(*cli);
924
925         if (NT_STATUS_IS_OK(result))
926                 result = NT_STATUS_UNSUCCESSFUL;
927
928         /* We can't session setup */
929
930         goto done;
931
932  session_setup_done:
933
934         /* cache the server name for later connections */
935
936         saf_store( domain->name, (*cli)->desthost );
937         if (domain->alt_name && (*cli)->use_kerberos) {
938                 saf_store( domain->alt_name, (*cli)->desthost );
939         }
940
941         winbindd_set_locator_kdc_envs(domain);
942
943         if (!cli_send_tconX(*cli, "IPC$", "IPC", "", 0)) {
944
945                 result = cli_nt_error(*cli);
946
947                 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
948
949                 if (NT_STATUS_IS_OK(result))
950                         result = NT_STATUS_UNSUCCESSFUL;
951
952                 goto done;
953         }
954
955         TALLOC_FREE(mutex);
956         *retry = False;
957
958         /* set the domain if empty; needed for schannel connections */
959         if ( !*(*cli)->domain ) {
960                 fstrcpy( (*cli)->domain, domain->name );
961         }
962
963         result = NT_STATUS_OK;
964
965  done:
966         TALLOC_FREE(mutex);
967         SAFE_FREE(machine_account);
968         SAFE_FREE(machine_password);
969         SAFE_FREE(machine_krb5_principal);
970         SAFE_FREE(ipc_username);
971         SAFE_FREE(ipc_domain);
972         SAFE_FREE(ipc_password);
973
974         if (!NT_STATUS_IS_OK(result)) {
975                 winbind_add_failed_connection_entry(domain, controller, result);
976                 if ((*cli) != NULL) {
977                         cli_shutdown(*cli);
978                         *cli = NULL;
979                 }
980         }
981
982         return result;
983 }
984
985 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
986                               const char *dcname, struct sockaddr_storage *pss,
987                               struct dc_name_ip **dcs, int *num)
988 {
989         if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
990                 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
991                 return False;
992         }
993
994         *dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
995
996         if (*dcs == NULL)
997                 return False;
998
999         fstrcpy((*dcs)[*num].name, dcname);
1000         (*dcs)[*num].ss = *pss;
1001         *num += 1;
1002         return True;
1003 }
1004
1005 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1006                                   struct sockaddr_storage *pss, uint16 port,
1007                                   struct sockaddr_storage **addrs, int *num)
1008 {
1009         *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1010
1011         if (*addrs == NULL) {
1012                 *num = 0;
1013                 return False;
1014         }
1015
1016         (*addrs)[*num] = *pss;
1017         set_sockaddr_port(&(*addrs)[*num], port);
1018
1019         *num += 1;
1020         return True;
1021 }
1022
1023 /*******************************************************************
1024  convert an ip to a name
1025 *******************************************************************/
1026
1027 static bool dcip_to_name(const struct winbindd_domain *domain,
1028                 struct sockaddr_storage *pss,
1029                 fstring name )
1030 {
1031         struct ip_service ip_list;
1032
1033         ip_list.ss = *pss;
1034         ip_list.port = 0;
1035
1036 #ifdef WITH_ADS
1037         /* For active directory servers, try to get the ldap server name.
1038            None of these failures should be considered critical for now */
1039
1040         if (lp_security() == SEC_ADS) {
1041                 ADS_STRUCT *ads;
1042                 char addr[INET6_ADDRSTRLEN];
1043
1044                 print_sockaddr(addr, sizeof(addr), pss);
1045
1046                 ads = ads_init(domain->alt_name, domain->name, NULL);
1047                 ads->auth.flags |= ADS_AUTH_NO_BIND;
1048
1049                 if (ads_try_connect(ads, addr)) {
1050                         /* We got a cldap packet. */
1051                         fstrcpy(name, ads->config.ldap_server_name);
1052                         namecache_store(name, 0x20, 1, &ip_list);
1053
1054                         DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1055
1056                         if (domain->primary && (ads->config.flags & ADS_KDC)) {
1057                                 if (ads_closest_dc(ads)) {
1058                                         char *sitename = sitename_fetch(ads->config.realm);
1059
1060                                         /* We're going to use this KDC for this realm/domain.
1061                                            If we are using sites, then force the krb5 libs
1062                                            to use this KDC. */
1063
1064                                         create_local_private_krb5_conf_for_domain(domain->alt_name,
1065                                                                         domain->name,
1066                                                                         sitename,
1067                                                                         pss);
1068
1069                                         SAFE_FREE(sitename);
1070                                 } else {
1071                                         /* use an off site KDC */
1072                                         create_local_private_krb5_conf_for_domain(domain->alt_name,
1073                                                                         domain->name,
1074                                                                         NULL,
1075                                                                         pss);
1076                                 }
1077                                 winbindd_set_locator_kdc_envs(domain);
1078
1079                                 /* Ensure we contact this DC also. */
1080                                 saf_store( domain->name, name);
1081                                 saf_store( domain->alt_name, name);
1082                         }
1083
1084                         ads_destroy( &ads );
1085                         return True;
1086                 }
1087
1088                 ads_destroy( &ads );
1089         }
1090 #endif
1091
1092         /* try GETDC requests next */
1093
1094         if (send_getdc_request(winbind_messaging_context(),
1095                                pss, domain->name, &domain->sid)) {
1096                 int i;
1097                 smb_msleep(100);
1098                 for (i=0; i<5; i++) {
1099                         if (receive_getdc_response(pss, domain->name, name)) {
1100                                 namecache_store(name, 0x20, 1, &ip_list);
1101                                 return True;
1102                         }
1103                         smb_msleep(500);
1104                 }
1105         }
1106
1107         /* try node status request */
1108
1109         if ( name_status_find(domain->name, 0x1c, 0x20, pss, name) ) {
1110                 namecache_store(name, 0x20, 1, &ip_list);
1111                 return True;
1112         }
1113         return False;
1114 }
1115
1116 /*******************************************************************
1117  Retreive a list of IP address for domain controllers.  Fill in 
1118  the dcs[]  with results.
1119 *******************************************************************/
1120
1121 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1122                     struct dc_name_ip **dcs, int *num_dcs)
1123 {
1124         fstring dcname;
1125         struct  sockaddr_storage ss;
1126         struct  ip_service *ip_list = NULL;
1127         int     iplist_size = 0;
1128         int     i;
1129         bool    is_our_domain;
1130         enum security_types sec = (enum security_types)lp_security();
1131
1132         is_our_domain = strequal(domain->name, lp_workgroup());
1133
1134         if ( !is_our_domain
1135                 && get_dc_name_via_netlogon(domain, dcname, &ss)
1136                 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, num_dcs) )
1137         {
1138                 char addr[INET6_ADDRSTRLEN];
1139                 print_sockaddr(addr, sizeof(addr), &ss);
1140                 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1141                            dcname, addr));
1142                 return True;
1143         }
1144
1145         if (sec == SEC_ADS) {
1146                 char *sitename = NULL;
1147
1148                 /* We need to make sure we know the local site before
1149                    doing any DNS queries, as this will restrict the
1150                    get_sorted_dc_list() call below to only fetching
1151                    DNS records for the correct site. */
1152
1153                 /* Find any DC to get the site record.
1154                    We deliberately don't care about the
1155                    return here. */
1156
1157                 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1158
1159                 sitename = sitename_fetch(domain->alt_name);
1160                 if (sitename) {
1161
1162                         /* Do the site-specific AD dns lookup first. */
1163                         get_sorted_dc_list(domain->alt_name, sitename, &ip_list, &iplist_size, True);
1164
1165                         for ( i=0; i<iplist_size; i++ ) {
1166                                 char addr[INET6_ADDRSTRLEN];
1167                                 print_sockaddr(addr, sizeof(addr),
1168                                                 &ip_list[i].ss);
1169                                 add_one_dc_unique(mem_ctx,
1170                                                 domain->name,
1171                                                 addr,
1172                                                 &ip_list[i].ss,
1173                                                 dcs,
1174                                                 num_dcs);
1175                         }
1176
1177                         SAFE_FREE(ip_list);
1178                         SAFE_FREE(sitename);
1179                         iplist_size = 0;
1180                 }
1181
1182                 /* Now we add DCs from the main AD dns lookup. */
1183                 get_sorted_dc_list(domain->alt_name, NULL, &ip_list, &iplist_size, True);
1184
1185                 for ( i=0; i<iplist_size; i++ ) {
1186                         char addr[INET6_ADDRSTRLEN];
1187                         print_sockaddr(addr, sizeof(addr),
1188                                         &ip_list[i].ss);
1189                         add_one_dc_unique(mem_ctx,
1190                                         domain->name,
1191                                         addr,
1192                                         &ip_list[i].ss,
1193                                         dcs,
1194                                         num_dcs);
1195                 }
1196         }
1197
1198         /* try standard netbios queries if no ADS */
1199
1200         if (iplist_size==0) {
1201                 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size, False);
1202         }
1203
1204         /* FIXME!! this is where we should re-insert the GETDC requests --jerry */
1205
1206         /* now add to the dc array.  We'll wait until the last minute 
1207            to look up the name of the DC.  But we fill in the char* for 
1208            the ip now in to make the failed connection cache work */
1209
1210         for ( i=0; i<iplist_size; i++ ) {
1211                 char addr[INET6_ADDRSTRLEN];
1212                 print_sockaddr(addr, sizeof(addr),
1213                                 &ip_list[i].ss);
1214                 add_one_dc_unique(mem_ctx, domain->name, addr,
1215                         &ip_list[i].ss, dcs, num_dcs);
1216         }
1217
1218         SAFE_FREE( ip_list );
1219
1220         return True;
1221 }
1222
1223 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1224                         struct winbindd_domain *domain,
1225                         fstring dcname, struct sockaddr_storage *pss, int *fd)
1226 {
1227         struct dc_name_ip *dcs = NULL;
1228         int num_dcs = 0;
1229
1230         const char **dcnames = NULL;
1231         int num_dcnames = 0;
1232
1233         struct sockaddr_storage *addrs = NULL;
1234         int num_addrs = 0;
1235
1236         int i, fd_index;
1237
1238  again:
1239         if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1240                 return False;
1241
1242         for (i=0; i<num_dcs; i++) {
1243
1244                 if (!add_string_to_array(mem_ctx, dcs[i].name,
1245                                     &dcnames, &num_dcnames)) {
1246                         return False;
1247                 }
1248                 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 445,
1249                                       &addrs, &num_addrs)) {
1250                         return False;
1251                 }
1252
1253                 if (!add_string_to_array(mem_ctx, dcs[i].name,
1254                                     &dcnames, &num_dcnames)) {
1255                         return False;
1256                 }
1257                 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 139,
1258                                       &addrs, &num_addrs)) {
1259                         return False;
1260                 }
1261         }
1262
1263         if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1264                 return False;
1265
1266         if ((addrs == NULL) || (dcnames == NULL))
1267                 return False;
1268
1269         /* 5 second timeout. */
1270         if (!open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) {
1271                 for (i=0; i<num_dcs; i++) {
1272                         char ab[INET6_ADDRSTRLEN];
1273                         print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1274                         DEBUG(10, ("find_new_dc: open_any_socket_out failed for "
1275                                 "domain %s address %s. Error was %s\n",
1276                                 domain->name, ab, strerror(errno) ));
1277                         winbind_add_failed_connection_entry(domain,
1278                                 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1279                 }
1280                 return False;
1281         }
1282
1283         *pss = addrs[fd_index];
1284
1285         if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1286                 /* Ok, we've got a name for the DC */
1287                 fstrcpy(dcname, dcnames[fd_index]);
1288                 return True;
1289         }
1290
1291         /* Try to figure out the name */
1292         if (dcip_to_name(domain, pss, dcname)) {
1293                 return True;
1294         }
1295
1296         /* We can not continue without the DC's name */
1297         winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1298                                     NT_STATUS_UNSUCCESSFUL);
1299         goto again;
1300 }
1301
1302 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1303                                    struct winbindd_cm_conn *new_conn)
1304 {
1305         TALLOC_CTX *mem_ctx;
1306         NTSTATUS result;
1307         char *saf_servername = saf_fetch( domain->name );
1308         int retries;
1309
1310         if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1311                 SAFE_FREE(saf_servername);
1312                 set_domain_offline(domain);
1313                 return NT_STATUS_NO_MEMORY;
1314         }
1315
1316         /* we have to check the server affinity cache here since 
1317            later we selecte a DC based on response time and not preference */
1318            
1319         /* Check the negative connection cache
1320            before talking to it. It going down may have
1321            triggered the reconnection. */
1322
1323         if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1324
1325                 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1326                         saf_servername, domain->name ));
1327
1328                 /* convert an ip address to a name */
1329                 if (is_ipaddress( saf_servername ) ) {
1330                         fstring saf_name;
1331                         struct sockaddr_storage ss;
1332
1333                         if (!interpret_string_addr(&ss, saf_servername,
1334                                                 AI_NUMERICHOST)) {
1335                                 return NT_STATUS_UNSUCCESSFUL;
1336                         }
1337                         if (dcip_to_name( domain, &ss, saf_name )) {
1338                                 fstrcpy( domain->dcname, saf_name );
1339                         } else {
1340                                 winbind_add_failed_connection_entry(
1341                                         domain, saf_servername,
1342                                         NT_STATUS_UNSUCCESSFUL);
1343                         }
1344                 } else {
1345                         fstrcpy( domain->dcname, saf_servername );
1346                 }
1347
1348                 SAFE_FREE( saf_servername );
1349         }
1350
1351         for (retries = 0; retries < 3; retries++) {
1352                 int fd = -1;
1353                 bool retry = False;
1354
1355                 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1356
1357                 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1358                         domain->dcname, domain->name ));
1359
1360                 if (*domain->dcname 
1361                         && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1362                         && (resolve_name(domain->dcname, &domain->dcaddr, 0x20)))
1363                 {
1364                         struct sockaddr_storage *addrs = NULL;
1365                         int num_addrs = 0;
1366                         int dummy = 0;
1367
1368                         if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 445, &addrs, &num_addrs)) {
1369                                 set_domain_offline(domain);
1370                                 talloc_destroy(mem_ctx);
1371                                 return NT_STATUS_NO_MEMORY;
1372                         }
1373                         if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 139, &addrs, &num_addrs)) {
1374                                 set_domain_offline(domain);
1375                                 talloc_destroy(mem_ctx);
1376                                 return NT_STATUS_NO_MEMORY;
1377                         }
1378
1379                         /* 5 second timeout. */
1380                         if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) {
1381                                 fd = -1;
1382                         }
1383                 }
1384
1385                 if ((fd == -1) 
1386                         && !find_new_dc(mem_ctx, domain, domain->dcname, &domain->dcaddr, &fd))
1387                 {
1388                         /* This is the one place where we will
1389                            set the global winbindd offline state
1390                            to true, if a "WINBINDD_OFFLINE" entry
1391                            is found in the winbindd cache. */
1392                         set_global_winbindd_state_offline();
1393                         break;
1394                 }
1395
1396                 new_conn->cli = NULL;
1397
1398                 result = cm_prepare_connection(domain, fd, domain->dcname,
1399                         &new_conn->cli, &retry);
1400
1401                 if (!retry)
1402                         break;
1403         }
1404
1405         if (NT_STATUS_IS_OK(result)) {
1406
1407                 winbindd_set_locator_kdc_envs(domain);
1408
1409                 if (domain->online == False) {
1410                         /* We're changing state from offline to online. */
1411                         set_global_winbindd_state_online();
1412                 }
1413                 set_domain_online(domain);
1414         } else {
1415                 /* Ensure we setup the retry handler. */
1416                 set_domain_offline(domain);
1417         }
1418
1419         talloc_destroy(mem_ctx);
1420         return result;
1421 }
1422
1423 /* Close down all open pipes on a connection. */
1424
1425 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
1426 {
1427         /* We're closing down a possibly dead
1428            connection. Don't have impossibly long (10s) timeouts. */
1429
1430         if (conn->cli) {
1431                 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1432         }
1433
1434         if (conn->samr_pipe != NULL) {
1435                 TALLOC_FREE(conn->samr_pipe);
1436                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1437                 if (conn->cli) {
1438                         cli_set_timeout(conn->cli, 500);
1439                 }
1440         }
1441
1442         if (conn->lsa_pipe != NULL) {
1443                 TALLOC_FREE(conn->lsa_pipe);
1444                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1445                 if (conn->cli) {
1446                         cli_set_timeout(conn->cli, 500);
1447                 }
1448         }
1449
1450         if (conn->netlogon_pipe != NULL) {
1451                 TALLOC_FREE(conn->netlogon_pipe);
1452                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1453                 if (conn->cli) {
1454                         cli_set_timeout(conn->cli, 500);
1455                 }
1456         }
1457
1458         if (conn->cli) {
1459                 cli_shutdown(conn->cli);
1460         }
1461
1462         conn->cli = NULL;
1463 }
1464
1465 void close_conns_after_fork(void)
1466 {
1467         struct winbindd_domain *domain;
1468
1469         for (domain = domain_list(); domain; domain = domain->next) {
1470                 if (domain->conn.cli == NULL)
1471                         continue;
1472
1473                 if (domain->conn.cli->fd == -1)
1474                         continue;
1475
1476                 close(domain->conn.cli->fd);
1477                 domain->conn.cli->fd = -1;
1478         }
1479 }
1480
1481 static bool connection_ok(struct winbindd_domain *domain)
1482 {
1483         if (domain->conn.cli == NULL) {
1484                 DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
1485                           "cli!\n", domain->dcname, domain->name));
1486                 return False;
1487         }
1488
1489         if (!domain->conn.cli->initialised) {
1490                 DEBUG(3, ("connection_ok: Connection to %s for domain %s was never "
1491                           "initialised!\n", domain->dcname, domain->name));
1492                 return False;
1493         }
1494
1495         if (domain->conn.cli->fd == -1) {
1496                 DEBUG(3, ("connection_ok: Connection to %s for domain %s has died or was "
1497                           "never started (fd == -1)\n", 
1498                           domain->dcname, domain->name));
1499                 return False;
1500         }
1501
1502         if (domain->online == False) {
1503                 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1504                 return False;
1505         }
1506
1507         return True;
1508 }
1509
1510 /* Initialize a new connection up to the RPC BIND.
1511    Bypass online status check so always does network calls. */
1512
1513 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
1514 {
1515         NTSTATUS result;
1516
1517         /* Internal connections never use the network. */
1518         if (domain->internal) {
1519                 domain->initialized = True;
1520                 return NT_STATUS_OK;
1521         }
1522
1523         if (connection_ok(domain)) {
1524                 if (!domain->initialized) {
1525                         set_dc_type_and_flags(domain);
1526                 }
1527                 return NT_STATUS_OK;
1528         }
1529
1530         invalidate_cm_connection(&domain->conn);
1531
1532         result = cm_open_connection(domain, &domain->conn);
1533
1534         if (NT_STATUS_IS_OK(result) && !domain->initialized) {
1535                 set_dc_type_and_flags(domain);
1536         }
1537
1538         return result;
1539 }
1540
1541 NTSTATUS init_dc_connection(struct winbindd_domain *domain)
1542 {
1543         if (domain->initialized && !domain->online) {
1544                 /* We check for online status elsewhere. */
1545                 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1546         }
1547
1548         return init_dc_connection_network(domain);
1549 }
1550
1551 /******************************************************************************
1552  Set the trust flags (direction and forest location) for a domain
1553 ******************************************************************************/
1554
1555 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
1556 {
1557         struct winbindd_domain *our_domain;
1558         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1559         struct netr_DomainTrustList trusts;
1560         int i;
1561         uint32 flags = (NETR_TRUST_FLAG_IN_FOREST |
1562                         NETR_TRUST_FLAG_OUTBOUND |
1563                         NETR_TRUST_FLAG_INBOUND);
1564         struct rpc_pipe_client *cli;
1565         TALLOC_CTX *mem_ctx = NULL;
1566
1567         DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
1568         
1569         /* Our primary domain doesn't need to worry about trust flags.
1570            Force it to go through the network setup */
1571         if ( domain->primary ) {                
1572                 return False;           
1573         }
1574         
1575         our_domain = find_our_domain();
1576         
1577         if ( !connection_ok(our_domain) ) {
1578                 DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));           
1579                 return False;
1580         }
1581
1582         /* This won't work unless our domain is AD */
1583          
1584         if ( !our_domain->active_directory ) {
1585                 return False;
1586         }
1587         
1588         /* Use DsEnumerateDomainTrusts to get us the trust direction
1589            and type */
1590
1591         result = cm_connect_netlogon(our_domain, &cli);
1592
1593         if (!NT_STATUS_IS_OK(result)) {
1594                 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
1595                           "a connection to %s for PIPE_NETLOGON (%s)\n", 
1596                           domain->name, nt_errstr(result)));
1597                 return False;
1598         }
1599
1600         if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
1601                 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
1602                 return False;
1603         }       
1604
1605         result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1606                                                       cli->desthost,
1607                                                       flags,
1608                                                       &trusts,
1609                                                       NULL);
1610         if (!NT_STATUS_IS_OK(result)) {
1611                 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
1612                         "failed to query trusted domain list: %s\n",
1613                         nt_errstr(result)));
1614                 talloc_destroy(mem_ctx);
1615                 return false;
1616         }
1617
1618         /* Now find the domain name and get the flags */
1619
1620         for ( i=0; i<trusts.count; i++ ) {
1621                 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
1622                         domain->domain_flags          = trusts.array[i].trust_flags;
1623                         domain->domain_type           = trusts.array[i].trust_type;
1624                         domain->domain_trust_attribs  = trusts.array[i].trust_attributes;
1625
1626                         if ( domain->domain_type == NETR_TRUST_TYPE_UPLEVEL )
1627                                 domain->active_directory = True;
1628
1629                         /* This flag is only set if the domain is *our* 
1630                            primary domain and the primary domain is in
1631                            native mode */
1632
1633                         domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
1634
1635                         DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
1636                                   "native mode.\n", domain->name, 
1637                                   domain->native_mode ? "" : "NOT "));
1638
1639                         DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
1640                                  "running active directory.\n", domain->name, 
1641                                  domain->active_directory ? "" : "NOT "));
1642
1643
1644                         domain->initialized = True;
1645
1646                         if ( !winbindd_can_contact_domain( domain) )
1647                                 domain->internal = True;
1648                         
1649                         break;
1650                 }               
1651         }
1652         
1653         talloc_destroy( mem_ctx );
1654         
1655         return domain->initialized;     
1656 }
1657
1658 /******************************************************************************
1659  We can 'sense' certain things about the DC by it's replies to certain
1660  questions.
1661
1662  This tells us if this particular remote server is Active Directory, and if it
1663  is native mode.
1664 ******************************************************************************/
1665
1666 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
1667 {
1668         NTSTATUS                result;
1669         WERROR werr;
1670         TALLOC_CTX              *mem_ctx = NULL;
1671         struct rpc_pipe_client  *cli;
1672         POLICY_HND pol;
1673         union dssetup_DsRoleInfo info;
1674         union lsa_PolicyInformation *lsa_info = NULL;
1675
1676         if (!connection_ok(domain)) {
1677                 return;
1678         }
1679
1680         mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
1681                               domain->name);
1682         if (!mem_ctx) {
1683                 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
1684                 return;
1685         }
1686
1687         DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
1688
1689         cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_DSSETUP,
1690                                        &result);
1691
1692         if (cli == NULL) {
1693                 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1694                           "PI_DSSETUP on domain %s: (%s)\n",
1695                           domain->name, nt_errstr(result)));
1696
1697                 /* if this is just a non-AD domain we need to continue
1698                  * identifying so that we can in the end return with
1699                  * domain->initialized = True - gd */
1700
1701                 goto no_dssetup;
1702         }
1703
1704         result = rpccli_dssetup_DsRoleGetPrimaryDomainInformation(cli, mem_ctx,
1705                                                                   DS_ROLE_BASIC_INFORMATION,
1706                                                                   &info,
1707                                                                   &werr);
1708         TALLOC_FREE(cli);
1709
1710         if (!NT_STATUS_IS_OK(result)) {
1711                 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
1712                           "on domain %s failed: (%s)\n",
1713                           domain->name, nt_errstr(result)));
1714
1715                 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
1716                  * every opcode on the DSSETUP pipe, continue with
1717                  * no_dssetup mode here as well to get domain->initialized
1718                  * set - gd */
1719
1720                 if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
1721                         goto no_dssetup;
1722                 }
1723
1724                 TALLOC_FREE(mem_ctx);
1725                 return;
1726         }
1727
1728         if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
1729             !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
1730                 domain->native_mode = True;
1731         } else {
1732                 domain->native_mode = False;
1733         }
1734
1735 no_dssetup:
1736         cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC, &result);
1737
1738         if (cli == NULL) {
1739                 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1740                           "PI_LSARPC on domain %s: (%s)\n",
1741                           domain->name, nt_errstr(result)));
1742                 TALLOC_FREE(cli);
1743                 TALLOC_FREE(mem_ctx);
1744                 return;
1745         }
1746
1747         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
1748                                          SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
1749                 
1750         if (NT_STATUS_IS_OK(result)) {
1751                 /* This particular query is exactly what Win2k clients use 
1752                    to determine that the DC is active directory */
1753                 result = rpccli_lsa_QueryInfoPolicy2(cli, mem_ctx,
1754                                                      &pol,
1755                                                      LSA_POLICY_INFO_DNS,
1756                                                      &lsa_info);
1757         }
1758
1759         if (NT_STATUS_IS_OK(result)) {
1760                 domain->active_directory = True;
1761
1762                 if (lsa_info->dns.name.string) {
1763                         fstrcpy(domain->name, lsa_info->dns.name.string);
1764                 }
1765
1766                 if (lsa_info->dns.dns_domain.string) {
1767                         fstrcpy(domain->alt_name,
1768                                 lsa_info->dns.dns_domain.string);
1769                 }
1770
1771                 /* See if we can set some domain trust flags about
1772                    ourself */
1773
1774                 if (lsa_info->dns.dns_forest.string) {
1775                         fstrcpy(domain->forest_name,
1776                                 lsa_info->dns.dns_forest.string);
1777
1778                         if (strequal(domain->forest_name, domain->alt_name)) {
1779                                 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
1780                         }
1781                 }
1782
1783                 if (lsa_info->dns.sid) {
1784                         sid_copy(&domain->sid, lsa_info->dns.sid);
1785                 }
1786         } else {
1787                 domain->active_directory = False;
1788
1789                 result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
1790                                                 SEC_RIGHTS_MAXIMUM_ALLOWED,
1791                                                 &pol);
1792
1793                 if (!NT_STATUS_IS_OK(result)) {
1794                         goto done;
1795                 }
1796
1797                 result = rpccli_lsa_QueryInfoPolicy(cli, mem_ctx,
1798                                                     &pol,
1799                                                     LSA_POLICY_INFO_ACCOUNT_DOMAIN,
1800                                                     &lsa_info);
1801
1802                 if (NT_STATUS_IS_OK(result)) {
1803
1804                         if (lsa_info->account_domain.name.string) {
1805                                 fstrcpy(domain->name,
1806                                         lsa_info->account_domain.name.string);
1807                         }
1808
1809                         if (lsa_info->account_domain.sid) {
1810                                 sid_copy(&domain->sid, lsa_info->account_domain.sid);
1811                         }
1812                 }
1813         }
1814 done:
1815
1816         DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
1817                   domain->name, domain->native_mode ? "" : "NOT "));
1818
1819         DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
1820                   domain->name, domain->active_directory ? "" : "NOT "));
1821
1822         TALLOC_FREE(cli);
1823
1824         TALLOC_FREE(mem_ctx);
1825
1826         domain->initialized = True;
1827 }
1828
1829 /**********************************************************************
1830  Set the domain_flags (trust attributes, domain operating modes, etc... 
1831 ***********************************************************************/
1832
1833 static void set_dc_type_and_flags( struct winbindd_domain *domain )
1834 {
1835         /* we always have to contact our primary domain */
1836
1837         if ( domain->primary ) {
1838                 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
1839                           "primary domain\n"));
1840                 set_dc_type_and_flags_connect( domain );
1841                 return;         
1842         }
1843
1844         /* Use our DC to get the information if possible */
1845
1846         if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
1847                 /* Otherwise, fallback to contacting the 
1848                    domain directly */
1849                 set_dc_type_and_flags_connect( domain );
1850         }
1851
1852         return;
1853 }
1854
1855
1856
1857 /**********************************************************************
1858 ***********************************************************************/
1859
1860 static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain,
1861                                    struct dcinfo **ppdc)
1862 {
1863         NTSTATUS result;
1864         struct rpc_pipe_client *netlogon_pipe;
1865
1866         if (lp_client_schannel() == False) {
1867                 return False;
1868         }
1869
1870         result = cm_connect_netlogon(domain, &netlogon_pipe);
1871         if (!NT_STATUS_IS_OK(result)) {
1872                 return False;
1873         }
1874
1875         /* Return a pointer to the struct dcinfo from the
1876            netlogon pipe. */
1877
1878         *ppdc = domain->conn.netlogon_pipe->dc;
1879         return True;
1880 }
1881
1882 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
1883                         struct rpc_pipe_client **cli, POLICY_HND *sam_handle)
1884 {
1885         struct winbindd_cm_conn *conn;
1886         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1887         fstring conn_pwd;
1888         struct dcinfo *p_dcinfo;
1889         char *machine_password = NULL;
1890         char *machine_account = NULL;
1891         char *domain_name = NULL;
1892
1893         result = init_dc_connection(domain);
1894         if (!NT_STATUS_IS_OK(result)) {
1895                 return result;
1896         }
1897
1898         conn = &domain->conn;
1899
1900         if (conn->samr_pipe != NULL) {
1901                 goto done;
1902         }
1903
1904         /*
1905          * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
1906          * sign and sealed pipe using the machine account password by
1907          * preference. If we can't - try schannel, if that fails, try
1908          * anonymous.
1909          */
1910
1911         pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
1912         if ((conn->cli->user_name[0] == '\0') ||
1913             (conn->cli->domain[0] == '\0') || 
1914             (conn_pwd[0] == '\0'))
1915         {
1916                 result = get_trust_creds(domain, &machine_password,
1917                                          &machine_account, NULL);
1918                 if (!NT_STATUS_IS_OK(result)) {
1919                         DEBUG(10, ("cm_connect_sam: No no user available for "
1920                                    "domain %s, trying schannel\n", conn->cli->domain));
1921                         goto schannel;
1922                 }
1923                 domain_name = domain->name;
1924         } else {
1925                 machine_password = SMB_STRDUP(conn_pwd);                
1926                 machine_account = SMB_STRDUP(conn->cli->user_name);
1927                 domain_name = conn->cli->domain;
1928         }
1929
1930         if (!machine_password || !machine_account) {
1931                 result = NT_STATUS_NO_MEMORY;
1932                 goto done;
1933         }
1934
1935         /* We have an authenticated connection. Use a NTLMSSP SPNEGO
1936            authenticated SAMR pipe with sign & seal. */
1937         conn->samr_pipe =
1938                 cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR,
1939                                                  PIPE_AUTH_LEVEL_PRIVACY,
1940                                                  domain_name,
1941                                                  machine_account,
1942                                                  machine_password, &result);
1943
1944         if (conn->samr_pipe == NULL) {
1945                 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
1946                           "pipe for domain %s using NTLMSSP "
1947                           "authenticated pipe: user %s\\%s. Error was "
1948                           "%s\n", domain->name, domain_name,
1949                           machine_account, nt_errstr(result)));
1950                 goto schannel;
1951         }
1952
1953         DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
1954                   "domain %s using NTLMSSP authenticated "
1955                   "pipe: user %s\\%s\n", domain->name,
1956                   domain_name, machine_account));
1957
1958         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
1959                                       conn->samr_pipe->desthost,
1960                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
1961                                       &conn->sam_connect_handle);
1962         if (NT_STATUS_IS_OK(result)) {
1963                 goto open_domain;
1964         }
1965         DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_Connect2 "
1966                   "failed for domain %s, error was %s. Trying schannel\n",
1967                   domain->name, nt_errstr(result) ));
1968         TALLOC_FREE(conn->samr_pipe);
1969
1970  schannel:
1971
1972         /* Fall back to schannel if it's a W2K pre-SP1 box. */
1973
1974         if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
1975                 /* If this call fails - conn->cli can now be NULL ! */
1976                 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
1977                            "for domain %s, trying anon\n", domain->name));
1978                 goto anonymous;
1979         }
1980         conn->samr_pipe = cli_rpc_pipe_open_schannel_with_key
1981                 (conn->cli, PI_SAMR, PIPE_AUTH_LEVEL_PRIVACY,
1982                  domain->name, p_dcinfo, &result);
1983
1984         if (conn->samr_pipe == NULL) {
1985                 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
1986                           "domain %s using schannel. Error was %s\n",
1987                           domain->name, nt_errstr(result) ));
1988                 goto anonymous;
1989         }
1990         DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
1991                   "schannel.\n", domain->name ));
1992
1993         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
1994                                       conn->samr_pipe->desthost,
1995                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
1996                                       &conn->sam_connect_handle);
1997         if (NT_STATUS_IS_OK(result)) {
1998                 goto open_domain;
1999         }
2000         DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_Connect2 failed "
2001                   "for domain %s, error was %s. Trying anonymous\n",
2002                   domain->name, nt_errstr(result) ));
2003         TALLOC_FREE(conn->samr_pipe);
2004
2005  anonymous:
2006
2007         /* Finally fall back to anonymous. */
2008         conn->samr_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_SAMR,
2009                                                    &result);
2010
2011         if (conn->samr_pipe == NULL) {
2012                 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2013                 goto done;
2014         }
2015
2016         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2017                                       conn->samr_pipe->desthost,
2018                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
2019                                       &conn->sam_connect_handle);
2020         if (!NT_STATUS_IS_OK(result)) {
2021                 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2022                           "for domain %s Error was %s\n",
2023                           domain->name, nt_errstr(result) ));
2024                 goto done;
2025         }
2026
2027  open_domain:
2028         result = rpccli_samr_OpenDomain(conn->samr_pipe,
2029                                         mem_ctx,
2030                                         &conn->sam_connect_handle,
2031                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
2032                                         &domain->sid,
2033                                         &conn->sam_domain_handle);
2034
2035  done:
2036
2037         if (!NT_STATUS_IS_OK(result)) {
2038                 invalidate_cm_connection(conn);
2039                 return result;
2040         }
2041
2042         *cli = conn->samr_pipe;
2043         *sam_handle = conn->sam_domain_handle;
2044         SAFE_FREE(machine_password);
2045         SAFE_FREE(machine_account);
2046         return result;
2047 }
2048
2049 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2050                         struct rpc_pipe_client **cli, POLICY_HND *lsa_policy)
2051 {
2052         struct winbindd_cm_conn *conn;
2053         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2054         fstring conn_pwd;
2055         struct dcinfo *p_dcinfo;
2056
2057         result = init_dc_connection(domain);
2058         if (!NT_STATUS_IS_OK(result))
2059                 return result;
2060
2061         conn = &domain->conn;
2062
2063         if (conn->lsa_pipe != NULL) {
2064                 goto done;
2065         }
2066
2067         pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
2068         if ((conn->cli->user_name[0] == '\0') ||
2069             (conn->cli->domain[0] == '\0') || 
2070             (conn_pwd[0] == '\0')) {
2071                 DEBUG(10, ("cm_connect_lsa: No no user available for "
2072                            "domain %s, trying schannel\n", conn->cli->domain));
2073                 goto schannel;
2074         }
2075
2076         /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2077          * authenticated LSA pipe with sign & seal. */
2078         conn->lsa_pipe = cli_rpc_pipe_open_spnego_ntlmssp
2079                 (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
2080                  conn->cli->domain, conn->cli->user_name, conn_pwd, &result);
2081
2082         if (conn->lsa_pipe == NULL) {
2083                 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2084                           "domain %s using NTLMSSP authenticated pipe: user "
2085                           "%s\\%s. Error was %s. Trying schannel.\n",
2086                           domain->name, conn->cli->domain,
2087                           conn->cli->user_name, nt_errstr(result)));
2088                 goto schannel;
2089         }
2090
2091         DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2092                   "NTLMSSP authenticated pipe: user %s\\%s\n",
2093                   domain->name, conn->cli->domain, conn->cli->user_name ));
2094
2095         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2096                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
2097                                         &conn->lsa_policy);
2098         if (NT_STATUS_IS_OK(result)) {
2099                 goto done;
2100         }
2101
2102         DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2103                   "schannel\n"));
2104
2105         TALLOC_FREE(conn->lsa_pipe);
2106
2107  schannel:
2108
2109         /* Fall back to schannel if it's a W2K pre-SP1 box. */
2110
2111         if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
2112                 /* If this call fails - conn->cli can now be NULL ! */
2113                 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2114                            "for domain %s, trying anon\n", domain->name));
2115                 goto anonymous;
2116         }
2117         conn->lsa_pipe = cli_rpc_pipe_open_schannel_with_key
2118                 (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
2119                  domain->name, p_dcinfo, &result);
2120
2121         if (conn->lsa_pipe == NULL) {
2122                 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2123                           "domain %s using schannel. Error was %s\n",
2124                           domain->name, nt_errstr(result) ));
2125                 goto anonymous;
2126         }
2127         DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2128                   "schannel.\n", domain->name ));
2129
2130         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2131                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
2132                                         &conn->lsa_policy);
2133         if (NT_STATUS_IS_OK(result)) {
2134                 goto done;
2135         }
2136
2137         DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2138                   "anonymous\n"));
2139
2140         TALLOC_FREE(conn->lsa_pipe);
2141
2142  anonymous:
2143
2144         conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_LSARPC,
2145                                                   &result);
2146         if (conn->lsa_pipe == NULL) {
2147                 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2148                 goto done;
2149         }
2150
2151         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2152                                         SEC_RIGHTS_MAXIMUM_ALLOWED,
2153                                         &conn->lsa_policy);
2154  done:
2155         if (!NT_STATUS_IS_OK(result)) {
2156                 invalidate_cm_connection(conn);
2157                 return result;
2158         }
2159
2160         *cli = conn->lsa_pipe;
2161         *lsa_policy = conn->lsa_policy;
2162         return result;
2163 }
2164
2165 /****************************************************************************
2166  Open the netlogon pipe to this DC. Use schannel if specified in client conf.
2167  session key stored in conn->netlogon_pipe->dc->sess_key.
2168 ****************************************************************************/
2169
2170 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2171                              struct rpc_pipe_client **cli)
2172 {
2173         struct winbindd_cm_conn *conn;
2174         NTSTATUS result;
2175
2176         uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2177         uint8  mach_pwd[16];
2178         uint32  sec_chan_type;
2179         const char *account_name;
2180         struct rpc_pipe_client *netlogon_pipe = NULL;
2181
2182         *cli = NULL;
2183
2184         result = init_dc_connection(domain);
2185         if (!NT_STATUS_IS_OK(result)) {
2186                 return result;
2187         }
2188
2189         conn = &domain->conn;
2190
2191         if (conn->netlogon_pipe != NULL) {
2192                 *cli = conn->netlogon_pipe;
2193                 return NT_STATUS_OK;
2194         }
2195
2196         netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
2197                                                  &result);
2198         if (netlogon_pipe == NULL) {
2199                 return result;
2200         }
2201
2202         if ((!IS_DC) && (!domain->primary)) {
2203                 /* Clear the schannel request bit and drop down */
2204                 neg_flags &= ~NETLOGON_NEG_SCHANNEL;            
2205                 goto no_schannel;
2206         }
2207
2208         if (lp_client_schannel() != False) {
2209                 neg_flags |= NETLOGON_NEG_SCHANNEL;
2210         }
2211
2212         if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
2213                                &sec_chan_type))
2214         {
2215                 TALLOC_FREE(netlogon_pipe);
2216                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2217         }
2218
2219         result = rpccli_netlogon_setup_creds(
2220                  netlogon_pipe,
2221                  domain->dcname, /* server name. */
2222                  domain->name,   /* domain name */
2223                  global_myname(), /* client name */
2224                  account_name,   /* machine account */
2225                  mach_pwd,       /* machine password */
2226                  sec_chan_type,  /* from get_trust_pw */
2227                  &neg_flags);
2228
2229         if (!NT_STATUS_IS_OK(result)) {
2230                 TALLOC_FREE(netlogon_pipe);
2231                 return result;
2232         }
2233
2234         if ((lp_client_schannel() == True) &&
2235                         ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2236                 DEBUG(3, ("Server did not offer schannel\n"));
2237                 TALLOC_FREE(netlogon_pipe);
2238                 return NT_STATUS_ACCESS_DENIED;
2239         }
2240
2241  no_schannel:
2242         if ((lp_client_schannel() == False) ||
2243                         ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2244                 /*
2245                  * NetSamLogonEx only works for schannel
2246                  */
2247                 domain->can_do_samlogon_ex = False;
2248
2249                 /* We're done - just keep the existing connection to NETLOGON
2250                  * open */
2251                 conn->netlogon_pipe = netlogon_pipe;
2252                 *cli = conn->netlogon_pipe;
2253                 return NT_STATUS_OK;
2254         }
2255
2256         /* Using the credentials from the first pipe, open a signed and sealed
2257            second netlogon pipe. The session key is stored in the schannel
2258            part of the new pipe auth struct.
2259         */
2260
2261         conn->netlogon_pipe =
2262                 cli_rpc_pipe_open_schannel_with_key(conn->cli,
2263                                                     PI_NETLOGON,
2264                                                     PIPE_AUTH_LEVEL_PRIVACY,
2265                                                     domain->name,
2266                                                     netlogon_pipe->dc,
2267                                                     &result);
2268
2269         /* We can now close the initial netlogon pipe. */
2270         TALLOC_FREE(netlogon_pipe);
2271
2272         if (conn->netlogon_pipe == NULL) {
2273                 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
2274                           "was %s\n", nt_errstr(result)));
2275                           
2276                 /* make sure we return something besides OK */
2277                 return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
2278         }
2279
2280         /*
2281          * Try NetSamLogonEx for AD domains
2282          */
2283         domain->can_do_samlogon_ex = domain->active_directory;
2284
2285         *cli = conn->netlogon_pipe;
2286         return NT_STATUS_OK;
2287 }