/*
- Unix SMB/Netbios implementation.
- Version 3.0
+ Unix SMB/CIFS implementation.
Winbind daemon connection manager
Copyright (C) Tim Potter 2001
+ Copyright (C) Andrew Bartlett 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- make connections to domain controllers and cache them
- re-establish connections when networks or servers go down
- centralise the policy on connection timeouts, domain controller
- selection etc
+ selection etc
- manage re-entrancy for when winbindd becomes able to handle
- multiple outstanding rpc requests
+ multiple outstanding rpc requests
Why not have connection management as part of the rpc layer like tng?
Good question. This code may morph into libsmb/rpc_cache.c or something
- like that but at the moment it's simply staying as part of winbind. I
+ like that but at the moment it's simply staying as part of winbind. I
think the TNG architecture of forcing every user of the rpc layer to use
- the connection caching system is a bad idea. It should be an optional
+ the connection caching system is a bad idea. It should be an optional
method of using the routines.
The TNG design is quite good but I disagree with some aspects of the
#include "winbindd.h"
-/* Global list of connections. Initially a DLIST but can become a hash
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+/* Global list of connections. Initially a DLIST but can become a hash
table or whatever later. */
struct winbindd_cm_conn {
fstring domain;
fstring controller;
fstring pipe_name;
+ size_t mutex_ref_count;
struct cli_state *cli;
POLICY_HND pol;
};
-struct winbindd_cm_conn *cm_conns = NULL;
+static struct winbindd_cm_conn *cm_conns = NULL;
/* Get a domain controller name. Cache positive and negative lookups so we
don't go to the network too often when something is badly broken. */
struct get_dc_name_cache *prev, *next;
};
-static BOOL cm_get_dc_name(char *domain, fstring srv_name)
+/*
+ find the DC for a domain using methods appropriate for a ADS domain
+*/
+static BOOL cm_ads_find_dc(const char *domain, struct in_addr *dc_ip, fstring srv_name)
+{
+ ADS_STRUCT *ads;
+ const char *realm = domain;
+
+ if (strcasecmp(realm, lp_workgroup()) == 0)
+ realm = lp_realm();
+
+ ads = ads_init(realm, domain, NULL);
+ if (!ads)
+ return False;
+
+ /* we don't need to bind, just connect */
+ ads->auth.flags |= ADS_AUTH_NO_BIND;
+
+ DEBUG(4,("cm_ads_find_dc: domain=%s\n", domain));
+
+#ifdef HAVE_ADS
+ /* a full ads_connect() is actually overkill, as we don't srictly need
+ to do the SASL auth in order to get the info we need, but libads
+ doesn't offer a better way right now */
+ ads_connect(ads);
+#endif
+
+ if (!ads->config.realm)
+ return False;
+
+ fstrcpy(srv_name, ads->config.ldap_server_name);
+ strupper(srv_name);
+ *dc_ip = ads->ldap_ip;
+ ads_destroy(&ads);
+
+ DEBUG(4,("cm_ads_find_dc: using server='%s' IP=%s\n",
+ srv_name, inet_ntoa(*dc_ip)));
+
+ return True;
+}
+
+
+
+static BOOL cm_get_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out)
{
static struct get_dc_name_cache *get_dc_name_cache;
struct get_dc_name_cache *dcc;
- struct in_addr *ip_list, dc_ip;
- extern pstring global_myname;
- int count, i;
+ struct in_addr dc_ip;
+ BOOL ret;
/* Check the cache for previous lookups */
if (!strequal(domain, dcc->domain_name))
continue; /* Not our domain */
- if ((time(NULL) - dcc->lookup_time) > GET_DC_NAME_CACHE_TIMEOUT) {
+ if ((time(NULL) - dcc->lookup_time) >
+ GET_DC_NAME_CACHE_TIMEOUT) {
/* Cache entry has expired, delete it */
/* Return a positive or negative lookup for this domain */
if (dcc->srv_name[0]) {
- DEBUG(10, ("returning positive get_dc_name_cache " "entry for %s\n", domain));
+ DEBUG(10, ("returning positive get_dc_name_cache entry for %s\n", domain));
fstrcpy(srv_name, dcc->srv_name);
return True;
} else {
- DEBUG(10, ("returning negative get_dc_name_cache " "entry for %s\n", domain));
+ DEBUG(10, ("returning negative get_dc_name_cache entry for %s\n", domain));
return False;
}
}
DEBUG(10, ("Creating get_dc_name_cache entry for %s\n", domain));
- if (!(dcc = (struct get_dc_name_cache *) malloc(sizeof(struct get_dc_name_cache))))
+ if (!(dcc = (struct get_dc_name_cache *)
+ malloc(sizeof(struct get_dc_name_cache))))
return False;
ZERO_STRUCTP(dcc);
DLIST_ADD(get_dc_name_cache, dcc);
- /* Lookup domain controller name */
-
- if (!get_dc_list(False, domain, &ip_list, &count))
- return False;
-
- /* Firstly choose a PDC/BDC who has the same network address as any
- of our interfaces. */
-
- for (i = 0; i < count; i++) {
- if(is_local_net(ip_list[i]))
- goto got_ip;
+ zero_ip(&dc_ip);
+
+ ret = False;
+ if (lp_security() == SEC_ADS)
+ ret = cm_ads_find_dc(domain, &dc_ip, srv_name);
+
+ if (!ret) {
+ /* fall back on rpc methods if the ADS methods fail */
+ ret = rpc_find_dc(domain, srv_name, &dc_ip);
}
-
- i = (sys_random() % count);
-
- got_ip:
- dc_ip = ip_list[i];
- SAFE_FREE(ip_list);
-
- if (!lookup_pdc_name(global_myname, domain, &dc_ip, srv_name))
+
+ if (!ret)
return False;
/* We have a name so make the cache entry positive now */
-
fstrcpy(dcc->srv_name, srv_name);
+ DEBUG(3, ("cm_get_dc_name: Returning DC %s (%s) for domain %s\n", srv_name,
+ inet_ntoa(dc_ip), domain));
+
+ *ip_out = dc_ip;
+
return True;
}
+/* Choose between anonymous or authenticated connections. We need to use
+ an authenticated connection if DCs have the RestrictAnonymous registry
+ entry set > 0, or the "Additional restrictions for anonymous
+ connections" set in the win2k Local Security Policy.
+
+ Caller to free() result in domain, username, password
+*/
+
+static void cm_get_ipc_userpass(char **username, char **domain, char **password)
+{
+ *username = secrets_fetch(SECRETS_AUTH_USER, NULL);
+ *domain = secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
+ *password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
+
+ if (*username && **username) {
+
+ if (!*domain || !**domain)
+ *domain = smb_xstrdup(lp_workgroup());
+
+ if (!*password || !**password)
+ *password = smb_xstrdup("");
+
+ DEBUG(3, ("IPC$ connections done by user %s\\%s\n",
+ *domain, *username));
+
+ } else {
+ DEBUG(3, ("IPC$ connections done anonymously\n"));
+ *username = smb_xstrdup("");
+ *domain = smb_xstrdup("");
+ *password = smb_xstrdup("");
+ }
+}
+
/* Open a new smb pipe connection to a DC on a given domain. Cache
negative creation attempts so we don't try and connect to broken
machines too often. */
-#define OPEN_CONNECTION_CACHE_TIMEOUT 30 /* Seconds between attempts */
+#define FAILED_CONNECTION_CACHE_TIMEOUT 30 /* Seconds between attempts */
-struct open_connection_cache {
+struct failed_connection_cache {
fstring domain_name;
fstring controller;
time_t lookup_time;
- struct open_connection_cache *prev, *next;
+ NTSTATUS nt_status;
+ struct failed_connection_cache *prev, *next;
};
-static BOOL cm_open_connection(char *domain, char *pipe_name,
- struct winbindd_cm_conn *new_conn)
+static struct failed_connection_cache *failed_connection_cache;
+
+/* Add an entry to the failed conneciton cache */
+
+static void add_failed_connection_entry(struct winbindd_cm_conn *new_conn,
+ NTSTATUS result)
+{
+ struct failed_connection_cache *fcc;
+
+ SMB_ASSERT(!NT_STATUS_IS_OK(result));
+
+ /* Check we already aren't in the cache */
+
+ for (fcc = failed_connection_cache; fcc; fcc = fcc->next) {
+ if (strequal(fcc->domain_name, new_conn->domain)) {
+ DEBUG(10, ("domain %s already tried and failed\n",
+ fcc->domain_name));
+ return;
+ }
+ }
+
+ /* Create negative lookup cache entry for this domain and controller */
+
+ if (!(fcc = (struct failed_connection_cache *)
+ malloc(sizeof(struct failed_connection_cache)))) {
+ DEBUG(0, ("malloc failed in add_failed_connection_entry!\n"));
+ return;
+ }
+
+ ZERO_STRUCTP(fcc);
+
+ fstrcpy(fcc->domain_name, new_conn->domain);
+ fstrcpy(fcc->controller, new_conn->controller);
+ fcc->lookup_time = time(NULL);
+ fcc->nt_status = result;
+
+ DLIST_ADD(failed_connection_cache, fcc);
+}
+
+/* Open a connction to the remote server, cache failures for 30 seconds */
+
+static NTSTATUS cm_open_connection(const char *domain, const int pipe_index,
+ struct winbindd_cm_conn *new_conn)
{
- static struct open_connection_cache *open_connection_cache;
- struct open_connection_cache *occ;
- struct nmb_name calling, called;
- extern pstring global_myname;
- fstring dest_host;
- struct in_addr dest_ip;
- BOOL result = False;
- struct ntuser_creds creds;
+ struct failed_connection_cache *fcc;
+ NTSTATUS result;
+ char *ipc_username, *ipc_domain, *ipc_password;
+ struct in_addr dc_ip;
+ int i;
+ BOOL retry = True;
+
+ ZERO_STRUCT(dc_ip);
fstrcpy(new_conn->domain, domain);
- fstrcpy(new_conn->pipe_name, pipe_name);
-
+ fstrcpy(new_conn->pipe_name, get_pipe_name_from_index(pipe_index));
+
/* Look for a domain controller for this domain. Negative results
- are cached so don't bother applying the caching for this
- function just yet. */
-
- if (!cm_get_dc_name(domain, new_conn->controller))
- goto done;
+ are cached so don't bother applying the caching for this
+ function just yet. */
+ if (!cm_get_dc_name(domain, new_conn->controller, &dc_ip)) {
+ result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+ add_failed_connection_entry(new_conn, result);
+ return result;
+ }
+
/* Return false if we have tried to look up this domain and netbios
- name before and failed. */
+ name before and failed. */
- for (occ = open_connection_cache; occ; occ = occ->next) {
-
- if (!(strequal(domain, occ->domain_name) &&
- strequal(new_conn->controller, occ->controller)))
+ for (fcc = failed_connection_cache; fcc; fcc = fcc->next) {
+
+ if (!(strequal(domain, fcc->domain_name) &&
+ strequal(new_conn->controller, fcc->controller)))
continue; /* Not our domain */
- if ((time(NULL) - occ->lookup_time) > OPEN_CONNECTION_CACHE_TIMEOUT) {
+ if ((time(NULL) - fcc->lookup_time) >
+ FAILED_CONNECTION_CACHE_TIMEOUT) {
+
/* Cache entry has expired, delete it */
- DEBUG(10, ("cm_open_connection cache entry expired for %s, %s\n", domain,
- new_conn->controller));
+ DEBUG(10, ("cm_open_connection cache entry expired for %s, %s\n", domain, new_conn->controller));
- DLIST_REMOVE(open_connection_cache, occ);
- free(occ);
+ DLIST_REMOVE(failed_connection_cache, fcc);
+ free(fcc);
break;
}
/* The timeout hasn't expired yet so return false */
- DEBUG(10, ("returning negative open_connection_cache entry for %s, %s\n",
- domain, new_conn->controller));
+ DEBUG(10, ("returning negative open_connection_cache entry for %s, %s\n", domain, new_conn->controller));
- goto done;
+ result = fcc->nt_status;
+ SMB_ASSERT(!NT_STATUS_IS_OK(result));
+ return result;
}
/* Initialise SMB connection */
- if (!(new_conn->cli = cli_initialise(NULL)))
- goto done;
-
- if (!resolve_srv_name(new_conn->controller, dest_host, &dest_ip))
- goto done;
+ cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
- make_nmb_name(&called, dns_to_netbios_name(new_conn->controller), 0x20);
- make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
+ DEBUG(5, ("connecting to %s from %s with username [%s]\\[%s]\n",
+ new_conn->controller, global_myname(), ipc_domain, ipc_username));
- ZERO_STRUCT(creds);
- creds.pwd.null_pwd = 1;
-
- cli_init_creds(new_conn->cli, &creds);
-
- if (!cli_establish_connection(new_conn->cli, new_conn->controller,
- &dest_ip, &calling, &called, "IPC$",
- "IPC", False, True))
- goto done;
-
- if (!cli_nt_session_open (new_conn->cli, pipe_name))
- goto done;
-
- result = True;
-
- done:
-
- /* Create negative lookup cache entry for this domain and controller */
-
- if (!result) {
- if (!(occ = (struct open_connection_cache *)
- malloc(sizeof(struct open_connection_cache))))
- return False;
+ for (i = 0; retry && (i < 3); i++) {
+ BOOL got_mutex;
+ if (!(got_mutex = secrets_named_mutex(new_conn->controller, WINBIND_SERVER_MUTEX_WAIT_TIME))) {
+ DEBUG(0,("cm_open_connection: mutex grab failed for %s\n", new_conn->controller));
+ result = NT_STATUS_POSSIBLE_DEADLOCK;
+ continue;
+ }
+
+ result = cli_full_connection(&new_conn->cli, global_myname(), new_conn->controller,
+ &dc_ip, 0, "IPC$", "IPC", ipc_username, ipc_domain,
+ ipc_password, CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, &retry);
+
+ secrets_named_mutex_release(new_conn->controller);
- ZERO_STRUCTP(occ);
+ if (NT_STATUS_IS_OK(result))
+ break;
+ }
- fstrcpy(occ->domain_name, domain);
- fstrcpy(occ->controller, new_conn->controller);
- occ->lookup_time = time(NULL);
+ SAFE_FREE(ipc_username);
+ SAFE_FREE(ipc_domain);
+ SAFE_FREE(ipc_password);
- DLIST_ADD(open_connection_cache, occ);
+ if (!NT_STATUS_IS_OK(result)) {
+ add_failed_connection_entry(new_conn, result);
+ return result;
}
-
- if (!result && new_conn->cli)
+
+ if ( !cli_nt_session_open (new_conn->cli, pipe_index) ) {
+ result = NT_STATUS_PIPE_NOT_AVAILABLE;
+ /*
+ * only cache a failure if we are not trying to open the
+ * **win2k** specific lsarpc UUID. This could be an NT PDC
+ * and therefore a failure is normal. This should probably
+ * be abstracted to a check for 2k specific pipes and wondering
+ * if the PDC is an NT4 box. but since there is only one 2k
+ * specific UUID right now, i'm not going to bother. --jerry
+ */
+ if ( !is_win2k_pipe(pipe_index) )
+ add_failed_connection_entry(new_conn, result);
cli_shutdown(new_conn->cli);
+ return result;
+ }
- return result;
+ return NT_STATUS_OK;
}
/* Return true if a connection is still alive */
static BOOL connection_ok(struct winbindd_cm_conn *conn)
{
- if (!conn->cli->initialised)
+ if (!conn) {
+ smb_panic("Invalid paramater passed to conneciton_ok(): conn was NULL!\n");
return False;
+ }
+
+ if (!conn->cli) {
+ DEBUG(0, ("Connection to %s for domain %s (pipe %s) has NULL conn->cli!\n",
+ conn->controller, conn->domain, conn->pipe_name));
+ smb_panic("connection_ok: conn->cli was null!");
+ return False;
+ }
- if (conn->cli->fd == -1)
+ if (!conn->cli->initialised) {
+ DEBUG(0, ("Connection to %s for domain %s (pipe %s) was never initialised!\n",
+ conn->controller, conn->domain, conn->pipe_name));
+ smb_panic("connection_ok: conn->cli->initialised is False!");
return False;
+ }
+
+ if (conn->cli->fd == -1) {
+ DEBUG(3, ("Connection to %s for domain %s (pipe %s) has died or was never started (fd == -1)\n",
+ conn->controller, conn->domain, conn->pipe_name));
+ return False;
+ }
return True;
}
-/* Return a LSA policy handle on a domain */
+/* Get a connection to the remote DC and open the pipe. If there is already a connection, use that */
-CLI_POLICY_HND *cm_get_lsa_handle(char *domain)
+static NTSTATUS get_connection_from_cache(const char *domain, const char *pipe_name,
+ struct winbindd_cm_conn **conn_out)
{
- struct winbindd_cm_conn *conn;
- uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ struct winbindd_cm_conn *conn, conn_temp;
NTSTATUS result;
- static CLI_POLICY_HND hnd;
-
- /* Look for existing connections */
for (conn = cm_conns; conn; conn = conn->next) {
- if (strequal(conn->domain, domain) && strequal(conn->pipe_name, PIPE_LSARPC)) {
-
+ if (strequal(conn->domain, domain) &&
+ strequal(conn->pipe_name, pipe_name)) {
if (!connection_ok(conn)) {
+ if (conn->cli)
+ cli_shutdown(conn->cli);
+ ZERO_STRUCT(conn_temp);
+ conn_temp.next = conn->next;
DLIST_REMOVE(cm_conns, conn);
- return NULL;
+ SAFE_FREE(conn);
+ conn = &conn_temp; /* Just to keep the loop moving */
+ } else {
+ break;
}
+ }
+ }
+
+ if (!conn) {
+ if (!(conn = malloc(sizeof(*conn))))
+ return NT_STATUS_NO_MEMORY;
+
+ ZERO_STRUCTP(conn);
+
+ if (!NT_STATUS_IS_OK(result = cm_open_connection(domain, get_pipe_index(pipe_name), conn))) {
+ DEBUG(3, ("Could not open a connection to %s for %s (%s)\n",
+ domain, pipe_name, nt_errstr(result)));
+ SAFE_FREE(conn);
+ return result;
+ }
+ DLIST_ADD(cm_conns, conn);
+ }
+
+ *conn_out = conn;
+ return NT_STATUS_OK;
+}
- goto ok;
+
+/**********************************************************************************
+**********************************************************************************/
+
+BOOL cm_check_for_native_mode_win2k( const char *domain )
+{
+ NTSTATUS result;
+ struct winbindd_cm_conn conn;
+ DS_DOMINFO_CTR ctr;
+ BOOL ret = False;
+
+ ZERO_STRUCT( conn );
+ ZERO_STRUCT( ctr );
+
+
+ if ( !NT_STATUS_IS_OK(result = cm_open_connection(domain, PI_LSARPC_DS, &conn)) ) {
+ DEBUG(5, ("cm_check_for_native_mode_win2k: Could not open a connection to %s for PIPE_LSARPC (%s)\n",
+ domain, nt_errstr(result)));
+ return False;
+ }
+
+ if ( conn.cli ) {
+ if ( !NT_STATUS_IS_OK(cli_ds_getprimarydominfo( conn.cli,
+ conn.cli->mem_ctx, DsRolePrimaryDomainInfoBasic, &ctr)) ) {
+ ret = False;
+ goto done;
}
}
+
+ if ( (ctr.basic->flags & DSROLE_PRIMARY_DS_RUNNING)
+ && !(ctr.basic->flags & DSROLE_PRIMARY_DS_MIXED_MODE) )
+ ret = True;
+
+done:
+ if ( conn.cli )
+ cli_shutdown( conn.cli );
+
+ return ret;
+}
- /* Create a new one */
- if (!(conn = (struct winbindd_cm_conn *) malloc(sizeof(struct winbindd_cm_conn))))
- return NULL;
- ZERO_STRUCTP(conn);
+/* Return a LSA policy handle on a domain */
- if (!cm_open_connection(domain, PIPE_LSARPC, conn)) {
- DEBUG(3, ("Could not connect to a dc for domain %s\n", domain));
- return NULL;
- }
+CLI_POLICY_HND *cm_get_lsa_handle(const char *domain)
+{
+ struct winbindd_cm_conn *conn;
+ uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
+ NTSTATUS result;
+ static CLI_POLICY_HND hnd;
- result = cli_lsa_open_policy(conn->cli, conn->cli->mem_ctx, False, des_access, &conn->pol);
+ /* Look for existing connections */
- if (!NT_STATUS_IS_OK(result))
+ if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_LSARPC, &conn)))
return NULL;
- /* Add to list */
+ /* This *shitty* code needs scrapping ! JRA */
+ if (policy_handle_is_valid(&conn->pol)) {
+ hnd.pol = conn->pol;
+ hnd.cli = conn->cli;
+ return &hnd;
+ }
+
+ result = cli_lsa_open_policy(conn->cli, conn->cli->mem_ctx, False,
+ des_access, &conn->pol);
- DLIST_ADD(cm_conns, conn);
+ if (!NT_STATUS_IS_OK(result)) {
+ /* Hit the cache code again. This cleans out the old connection and gets a new one */
+ if (conn->cli->fd == -1) { /* Try again, if the remote host disapeared */
+ if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_LSARPC, &conn)))
+ return NULL;
+
+ result = cli_lsa_open_policy(conn->cli, conn->cli->mem_ctx, False,
+ des_access, &conn->pol);
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ cli_shutdown(conn->cli);
+ DLIST_REMOVE(cm_conns, conn);
+ SAFE_FREE(conn);
+ return NULL;
+ }
+ }
- ok:
hnd.pol = conn->pol;
hnd.cli = conn->cli;
/* Look for existing connections */
+ if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_SAMR, &conn)))
+ return NULL;
+
+ /* This *shitty* code needs scrapping ! JRA */
+ if (policy_handle_is_valid(&conn->pol)) {
+ hnd.pol = conn->pol;
+ hnd.cli = conn->cli;
+ return &hnd;
+ }
+ result = cli_samr_connect(conn->cli, conn->cli->mem_ctx,
+ des_access, &conn->pol);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ /* Hit the cache code again. This cleans out the old connection and gets a new one */
+ if (conn->cli->fd == -1) { /* Try again, if the remote host disapeared */
+ if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_SAMR, &conn)))
+ return NULL;
+
+ result = cli_samr_connect(conn->cli, conn->cli->mem_ctx,
+ des_access, &conn->pol);
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ cli_shutdown(conn->cli);
+ DLIST_REMOVE(cm_conns, conn);
+ SAFE_FREE(conn);
+ return NULL;
+ }
+ }
+
+ hnd.pol = conn->pol;
+ hnd.cli = conn->cli;
+
+ return &hnd;
+}
+
+#if 0 /* This code now *well* out of date */
+
+/* Return a SAM domain policy handle on a domain */
+
+CLI_POLICY_HND *cm_get_sam_dom_handle(char *domain, DOM_SID *domain_sid)
+{
+ struct winbindd_cm_conn *conn, *basic_conn = NULL;
+ static CLI_POLICY_HND hnd;
+ NTSTATUS result;
+ uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
+
+ /* Look for existing connections */
+
for (conn = cm_conns; conn; conn = conn->next) {
- if (strequal(conn->domain, domain) && strequal(conn->pipe_name, PIPE_SAMR)) {
+ if (strequal(conn->domain, domain) &&
+ strequal(conn->pipe_name, PIPE_SAMR) &&
+ conn->pipe_data.samr.pipe_type == SAM_PIPE_DOM) {
if (!connection_ok(conn)) {
+ /* Shutdown cli? Free conn? Allow retry of DC? */
DLIST_REMOVE(cm_conns, conn);
return NULL;
}
}
}
- /* Create a new one */
+ /* Create a basic handle to open a domain handle from */
- if (!(conn = (struct winbindd_cm_conn *) malloc(sizeof(struct winbindd_cm_conn))))
- return NULL;
+ if (!cm_get_sam_handle(domain))
+ return False;
+ for (conn = cm_conns; conn; conn = conn->next) {
+ if (strequal(conn->domain, domain) &&
+ strequal(conn->pipe_name, PIPE_SAMR) &&
+ conn->pipe_data.samr.pipe_type == SAM_PIPE_BASIC)
+ basic_conn = conn;
+ }
+
+ if (!(conn = (struct winbindd_cm_conn *)
+ malloc(sizeof(struct winbindd_cm_conn))))
+ return NULL;
+
ZERO_STRUCTP(conn);
- if (!cm_open_connection(domain, PIPE_SAMR, conn)) {
- DEBUG(3, ("Could not connect to a dc for domain %s\n", domain));
- return NULL;
- }
+ fstrcpy(conn->domain, basic_conn->domain);
+ fstrcpy(conn->controller, basic_conn->controller);
+ fstrcpy(conn->pipe_name, basic_conn->pipe_name);
+
+ conn->pipe_data.samr.pipe_type = SAM_PIPE_DOM;
+ conn->cli = basic_conn->cli;
- result = cli_samr_connect(conn->cli, conn->cli->mem_ctx, des_access, &conn->pol);
+ result = cli_samr_open_domain(conn->cli, conn->cli->mem_ctx,
+ &basic_conn->pol, des_access,
+ domain_sid, &conn->pol);
if (!NT_STATUS_IS_OK(result))
return NULL;
hnd.pol = conn->pol;
hnd.cli = conn->cli;
- return &hnd;
+ return &hnd;
}
-#if 0
-
-/* Return a SAM domain policy handle on a domain */
+/* Return a SAM policy handle on a domain user */
-CLI_POLICY_HND *cm_get_sam_dom_handle(char *domain, DOM_SID *domain_sid)
+CLI_POLICY_HND *cm_get_sam_user_handle(char *domain, DOM_SID *domain_sid,
+ uint32 user_rid)
{
- struct winbindd_cm_conn *conn, *basic_conn = NULL;
- static CLI_POLICY_HND hnd;
- NTSTATUS result;
- uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
-
- /* Look for existing connections */
+ struct winbindd_cm_conn *conn, *basic_conn = NULL;
+ static CLI_POLICY_HND hnd;
+ NTSTATUS result;
+ uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
- for (conn = cm_conns; conn; conn = conn->next) {
- if (strequal(conn->domain, domain) &&
- strequal(conn->pipe_name, PIPE_SAMR) &&
- conn->pipe_data.samr.pipe_type == SAM_PIPE_DOM) {
+ /* Look for existing connections */
- if (!connection_ok(conn)) {
- DLIST_REMOVE(cm_conns, conn);
- return NULL;
- }
+ for (conn = cm_conns; conn; conn = conn->next) {
+ if (strequal(conn->domain, domain) &&
+ strequal(conn->pipe_name, PIPE_SAMR) &&
+ conn->pipe_data.samr.pipe_type == SAM_PIPE_USER &&
+ conn->pipe_data.samr.rid == user_rid) {
- goto ok;
- }
- }
+ if (!connection_ok(conn)) {
+ /* Shutdown cli? Free conn? Allow retry of DC? */
+ DLIST_REMOVE(cm_conns, conn);
+ return NULL;
+ }
+
+ goto ok;
+ }
+ }
- /* Create a basic handle to open a domain handle from */
+ /* Create a domain handle to open a user handle from */
- if (!cm_get_sam_handle(domain))
- return False;
+ if (!cm_get_sam_dom_handle(domain, domain_sid))
+ return NULL;
- for (conn = cm_conns; conn; conn = conn->next) {
- if (strequal(conn->domain, domain) &&
- strequal(conn->pipe_name, PIPE_SAMR) &&
- conn->pipe_data.samr.pipe_type == SAM_PIPE_BASIC)
- basic_conn = conn;
- }
-
- if (!(conn = (struct winbindd_cm_conn *)
- malloc(sizeof(struct winbindd_cm_conn))))
- return NULL;
-
- ZERO_STRUCTP(conn);
+ for (conn = cm_conns; conn; conn = conn->next) {
+ if (strequal(conn->domain, domain) &&
+ strequal(conn->pipe_name, PIPE_SAMR) &&
+ conn->pipe_data.samr.pipe_type == SAM_PIPE_DOM)
+ basic_conn = conn;
+ }
+
+ if (!basic_conn) {
+ DEBUG(0, ("No domain sam handle was created!\n"));
+ return NULL;
+ }
- fstrcpy(conn->domain, basic_conn->domain);
- fstrcpy(conn->controller, basic_conn->controller);
- fstrcpy(conn->pipe_name, basic_conn->pipe_name);
+ if (!(conn = (struct winbindd_cm_conn *)
+ malloc(sizeof(struct winbindd_cm_conn))))
+ return NULL;
+
+ ZERO_STRUCTP(conn);
- conn->pipe_data.samr.pipe_type = SAM_PIPE_DOM;
- conn->cli = basic_conn->cli;
+ fstrcpy(conn->domain, basic_conn->domain);
+ fstrcpy(conn->controller, basic_conn->controller);
+ fstrcpy(conn->pipe_name, basic_conn->pipe_name);
+
+ conn->pipe_data.samr.pipe_type = SAM_PIPE_USER;
+ conn->cli = basic_conn->cli;
+ conn->pipe_data.samr.rid = user_rid;
- result = cli_samr_open_domain(conn->cli, conn->cli->mem_ctx,
- &basic_conn->pol, des_access,
- domain_sid, &conn->pol);
+ result = cli_samr_open_user(conn->cli, conn->cli->mem_ctx,
+ &basic_conn->pol, des_access, user_rid,
+ &conn->pol);
- if (!NT_STATUS_IS_OK(result))
- return NULL;
+ if (!NT_STATUS_IS_OK(result))
+ return NULL;
- /* Add to list */
+ /* Add to list */
- DLIST_ADD(cm_conns, conn);
+ DLIST_ADD(cm_conns, conn);
ok:
- hnd.pol = conn->pol;
- hnd.cli = conn->cli;
+ hnd.pol = conn->pol;
+ hnd.cli = conn->cli;
- return &hnd;
+ return &hnd;
}
-/* Return a SAM policy handle on a domain user */
+/* Return a SAM policy handle on a domain group */
-CLI_POLICY_HND *cm_get_sam_user_handle(char *domain, DOM_SID *domain_sid,
- uint32 user_rid)
+CLI_POLICY_HND *cm_get_sam_group_handle(char *domain, DOM_SID *domain_sid,
+ uint32 group_rid)
{
- struct winbindd_cm_conn *conn, *basic_conn = NULL;
- static CLI_POLICY_HND hnd;
- NTSTATUS result;
- uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
-
- /* Look for existing connections */
-
- for (conn = cm_conns; conn; conn = conn->next) {
- if (strequal(conn->domain, domain) &&
- strequal(conn->pipe_name, PIPE_SAMR) &&
- conn->pipe_data.samr.pipe_type == SAM_PIPE_USER &&
- conn->pipe_data.samr.rid == user_rid) {
-
- if (!connection_ok(conn)) {
- DLIST_REMOVE(cm_conns, conn);
- return NULL;
- }
-
- goto ok;
- }
- }
-
- /* Create a domain handle to open a user handle from */
-
- if (!cm_get_sam_dom_handle(domain, domain_sid))
- return NULL;
-
- for (conn = cm_conns; conn; conn = conn->next) {
- if (strequal(conn->domain, domain) &&
- strequal(conn->pipe_name, PIPE_SAMR) &&
- conn->pipe_data.samr.pipe_type == SAM_PIPE_DOM)
- basic_conn = conn;
- }
-
- if (!basic_conn) {
- DEBUG(0, ("No domain sam handle was created!\n"));
- return NULL;
- }
-
- if (!(conn = (struct winbindd_cm_conn *)
- malloc(sizeof(struct winbindd_cm_conn))))
- return NULL;
-
- ZERO_STRUCTP(conn);
-
- fstrcpy(conn->domain, basic_conn->domain);
- fstrcpy(conn->controller, basic_conn->controller);
- fstrcpy(conn->pipe_name, basic_conn->pipe_name);
-
- conn->pipe_data.samr.pipe_type = SAM_PIPE_USER;
- conn->cli = basic_conn->cli;
- conn->pipe_data.samr.rid = user_rid;
-
- result = cli_samr_open_user(conn->cli, conn->cli->mem_ctx,
- &basic_conn->pol, des_access, user_rid,
- &conn->pol);
-
- if (!NT_STATUS_IS_OK(result))
- return NULL;
-
- /* Add to list */
-
- DLIST_ADD(cm_conns, conn);
+ struct winbindd_cm_conn *conn, *basic_conn = NULL;
+ static CLI_POLICY_HND hnd;
+ NTSTATUS result;
+ uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
- ok:
- hnd.pol = conn->pol;
- hnd.cli = conn->cli;
+ /* Look for existing connections */
- return &hnd;
-}
+ for (conn = cm_conns; conn; conn = conn->next) {
+ if (strequal(conn->domain, domain) &&
+ strequal(conn->pipe_name, PIPE_SAMR) &&
+ conn->pipe_data.samr.pipe_type == SAM_PIPE_GROUP &&
+ conn->pipe_data.samr.rid == group_rid) {
-/* Return a SAM policy handle on a domain group */
+ if (!connection_ok(conn)) {
+ /* Shutdown cli? Free conn? Allow retry of DC? */
+ DLIST_REMOVE(cm_conns, conn);
+ return NULL;
+ }
+
+ goto ok;
+ }
+ }
-CLI_POLICY_HND *cm_get_sam_group_handle(char *domain, DOM_SID *domain_sid,
- uint32 group_rid)
-{
- struct winbindd_cm_conn *conn, *basic_conn = NULL;
- static CLI_POLICY_HND hnd;
- NTSTATUS result;
- uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
-
- /* Look for existing connections */
-
- for (conn = cm_conns; conn; conn = conn->next) {
- if (strequal(conn->domain, domain) &&
- strequal(conn->pipe_name, PIPE_SAMR) &&
- conn->pipe_data.samr.pipe_type == SAM_PIPE_GROUP &&
- conn->pipe_data.samr.rid == group_rid) {
-
- if (!connection_ok(conn)) {
- DLIST_REMOVE(cm_conns, conn);
- return NULL;
- }
-
- goto ok;
- }
- }
-
- /* Create a domain handle to open a user handle from */
-
- if (!cm_get_sam_dom_handle(domain, domain_sid))
- return NULL;
-
- for (conn = cm_conns; conn; conn = conn->next) {
- if (strequal(conn->domain, domain) &&
- strequal(conn->pipe_name, PIPE_SAMR) &&
- conn->pipe_data.samr.pipe_type == SAM_PIPE_DOM)
- basic_conn = conn;
- }
-
- if (!basic_conn) {
- DEBUG(0, ("No domain sam handle was created!\n"));
- return NULL;
- }
-
- if (!(conn = (struct winbindd_cm_conn *)
- malloc(sizeof(struct winbindd_cm_conn))))
- return NULL;
-
- ZERO_STRUCTP(conn);
-
- fstrcpy(conn->domain, basic_conn->domain);
- fstrcpy(conn->controller, basic_conn->controller);
- fstrcpy(conn->pipe_name, basic_conn->pipe_name);
-
- conn->pipe_data.samr.pipe_type = SAM_PIPE_GROUP;
- conn->cli = basic_conn->cli;
- conn->pipe_data.samr.rid = group_rid;
-
- result = cli_samr_open_group(conn->cli, conn->cli->mem_ctx,
- &basic_conn->pol, des_access, group_rid,
- &conn->pol);
-
- if (!NT_STATUS_IS_OK(result))
- return NULL;
-
- /* Add to list */
-
- DLIST_ADD(cm_conns, conn);
+ /* Create a domain handle to open a user handle from */
+
+ if (!cm_get_sam_dom_handle(domain, domain_sid))
+ return NULL;
+
+ for (conn = cm_conns; conn; conn = conn->next) {
+ if (strequal(conn->domain, domain) &&
+ strequal(conn->pipe_name, PIPE_SAMR) &&
+ conn->pipe_data.samr.pipe_type == SAM_PIPE_DOM)
+ basic_conn = conn;
+ }
+
+ if (!basic_conn) {
+ DEBUG(0, ("No domain sam handle was created!\n"));
+ return NULL;
+ }
+
+ if (!(conn = (struct winbindd_cm_conn *)
+ malloc(sizeof(struct winbindd_cm_conn))))
+ return NULL;
+
+ ZERO_STRUCTP(conn);
+
+ fstrcpy(conn->domain, basic_conn->domain);
+ fstrcpy(conn->controller, basic_conn->controller);
+ fstrcpy(conn->pipe_name, basic_conn->pipe_name);
+
+ conn->pipe_data.samr.pipe_type = SAM_PIPE_GROUP;
+ conn->cli = basic_conn->cli;
+ conn->pipe_data.samr.rid = group_rid;
+
+ result = cli_samr_open_group(conn->cli, conn->cli->mem_ctx,
+ &basic_conn->pol, des_access, group_rid,
+ &conn->pol);
+
+ if (!NT_STATUS_IS_OK(result))
+ return NULL;
+
+ /* Add to list */
+
+ DLIST_ADD(cm_conns, conn);
ok:
- hnd.pol = conn->pol;
- hnd.cli = conn->cli;
+ hnd.pol = conn->pol;
+ hnd.cli = conn->cli;
- return &hnd;
+ return &hnd;
}
#endif
/* Get a handle on a netlogon pipe. This is a bit of a hack to re-use the
netlogon pipe as no handle is returned. */
-NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
- struct cli_state **cli)
+NTSTATUS cm_get_netlogon_cli(const char *domain,
+ const unsigned char *trust_passwd,
+ uint32 sec_channel_type,
+ struct cli_state **cli)
{
- struct winbindd_cm_conn conn;
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+ struct winbindd_cm_conn *conn;
+ uint32 neg_flags = 0x000001ff;
+ fstring lock_name;
+ BOOL got_mutex;
- /* Open an initial conection */
+ if (!cli)
+ return NT_STATUS_INVALID_PARAMETER;
- ZERO_STRUCT(conn);
+ /* Open an initial conection - keep the mutex. */
- if (!cm_open_connection(domain, PIPE_NETLOGON, &conn)) {
- DEBUG(3, ("Could not open a connection to %s\n", domain));
- return result;
- }
-
- result = cli_nt_setup_creds(conn.cli, trust_passwd);
+ if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_NETLOGON, &conn)))
+ return result;
+
+ snprintf(lock_name, sizeof(lock_name), "NETLOGON\\%s", conn->controller);
+ if (!(got_mutex = secrets_named_mutex(lock_name, WINBIND_SERVER_MUTEX_WAIT_TIME))) {
+ DEBUG(0,("cm_get_netlogon_cli: mutex grab failed for %s\n", conn->controller));
+ }
+
+ result = cli_nt_setup_creds(conn->cli, sec_channel_type, trust_passwd, &neg_flags, 2);
+
+ if (got_mutex)
+ secrets_named_mutex_release(lock_name);
+
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0, ("error connecting to domain password server: %s\n",
- get_nt_error_msg(result)));
- cli_shutdown(conn.cli);
- return result;
+ nt_errstr(result)));
+
+ /* Hit the cache code again. This cleans out the old connection and gets a new one */
+ if (conn->cli->fd == -1) {
+ if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_NETLOGON, &conn)))
+ return result;
+
+ snprintf(lock_name, sizeof(lock_name), "NETLOGON\\%s", conn->controller);
+ if (!(got_mutex = secrets_named_mutex(lock_name, WINBIND_SERVER_MUTEX_WAIT_TIME))) {
+ DEBUG(0,("cm_get_netlogon_cli: mutex grab failed for %s\n", conn->controller));
+ }
+
+ /* Try again */
+ result = cli_nt_setup_creds( conn->cli, sec_channel_type,trust_passwd, &neg_flags, 2);
+
+ if (got_mutex)
+ secrets_named_mutex_release(lock_name);
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ cli_shutdown(conn->cli);
+ DLIST_REMOVE(cm_conns, conn);
+ SAFE_FREE(conn);
+ return result;
+ }
}
- if (cli)
- *cli = conn.cli;
+ *cli = conn->cli;
- return result;
+ return result;
}
/* Dump the current connection status */
{
struct winbindd_cm_conn *con;
- DEBUG(0, ("\tDomain Controller Pipe\n"));
+ DEBUG(0, ("\tDomain Controller Pipe\n"));
for(con = cm_conns; con; con = con->next) {
char *msg;
/* Display pipe info */
-
- asprintf(&msg, "\t%-15s %-15s %-16s", con->domain, con->controller, con->pipe_name);
-
- DEBUG(0, ("%s\n", msg));
- free(msg);
+
+ if (asprintf(&msg, "\t%-15s %-15s %-16s", con->domain, con->controller, con->pipe_name) < 0) {
+ DEBUG(0, ("Error: not enough memory!\n"));
+ } else {
+ DEBUG(0, ("%s\n", msg));
+ SAFE_FREE(msg);
+ }
}
}