A composite API for initializing a domain
Copyright (C) Volker Lendecke 2005
-
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2007
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "libcli/composite/composite.h"
#include "libcli/smb_composite/smb_composite.h"
-#include "winbind/wb_async_helpers.h"
#include "winbind/wb_server.h"
-#include "smbd/service_stream.h"
+#include "winbind/wb_async_helpers.h"
+#include "winbind/wb_helper.h"
#include "smbd/service_task.h"
-#include "dlinklist.h"
-
-#include "librpc/gen_ndr/nbt.h"
-#include "librpc/gen_ndr/samr.h"
-#include "lib/messaging/irpc.h"
-#include "librpc/gen_ndr/irpc.h"
-#include "librpc/gen_ndr/ndr_irpc.h"
-#include "libcli/raw/libcliraw.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
-#include "librpc/gen_ndr/ndr_lsa.h"
+#include "librpc/gen_ndr/ndr_lsa_c.h"
+#include "librpc/gen_ndr/ndr_samr_c.h"
+#include "libcli/libcli.h"
+
#include "libcli/auth/credentials.h"
+#include "libcli/security/security.h"
+
+#include "libcli/ldap/ldap_client.h"
+#include "auth/credentials/credentials.h"
+#include "param/param.h"
/*
* Initialize a domain:
*
- * - With schannel credentials, try to open the SMB connection with the
- * machine creds. This works against W2k3SP1 with an NTLMSSP session
- * setup. Fall back to anonymous.
+ * - With schannel credentials, try to open the SMB connection and
+ * NETLOGON pipe with the machine creds. This works against W2k3SP1
+ * with an NTLMSSP session setup. Fall back to anonymous (for the CIFS level).
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
- * - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
- * to schannel and then to anon bind.
+ * - Open LSA. If we have machine creds, try to open with SPNEGO or NTLMSSP. Fall back
+ * to schannel.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
struct init_domain_state {
struct composite_context *ctx;
struct wbsrv_domain *domain;
+ struct wbsrv_service *service;
- int num_dcs;
- struct nbt_dc_name *dcs;
-
- struct smb_composite_connect conn;
-
- struct dcerpc_pipe *auth2_pipe;
- struct dcerpc_pipe *netlogon_pipe;
-
- struct dcerpc_pipe *lsa_pipe;
- struct policy_handle *lsa_policy;
-
- struct dcerpc_pipe *samr_pipe;
- struct policy_handle *samr_handle;
- struct policy_handle *domain_handle;
-
+ struct lsa_ObjectAttribute objectattr;
+ struct lsa_OpenPolicy2 lsa_openpolicy;
struct lsa_QueryInfoPolicy queryinfo;
+ union lsa_PolicyInformation *info;
};
-static void init_domain_recv_dcs(struct composite_context *ctx);
-static void init_domain_recv_dcip(struct composite_context *ctx);
-static void init_domain_recv_tree(struct composite_context *ctx);
-static void init_domain_recv_netlogoncreds(struct composite_context *ctx);
static void init_domain_recv_netlogonpipe(struct composite_context *ctx);
-static void init_domain_recv_lsa(struct composite_context *ctx);
+static void init_domain_recv_lsa_pipe(struct composite_context *ctx);
+static void init_domain_recv_lsa_policy(struct rpc_request *req);
static void init_domain_recv_queryinfo(struct rpc_request *req);
static void init_domain_recv_samr(struct composite_context *ctx);
-struct composite_context *wb_init_domain_send(struct wbsrv_domain *domain,
- struct event_context *event_ctx,
- struct messaging_context *msg_ctx)
+static struct dcerpc_binding *init_domain_binding(struct init_domain_state *state,
+ const struct ndr_interface_table *table)
+{
+ struct dcerpc_binding *binding;
+ NTSTATUS status;
+
+ /* Make a binding string */
+ {
+ char *s = talloc_asprintf(state, "ncacn_np:%s", state->domain->dc_name);
+ if (s == NULL) return NULL;
+ status = dcerpc_parse_binding(state, s, &binding);
+ talloc_free(s);
+ if (!NT_STATUS_IS_OK(status)) {
+ return NULL;
+ }
+ }
+
+ /* Alter binding to contain hostname, but also address (so we don't look it up twice) */
+ binding->target_hostname = state->domain->dc_name;
+ binding->host = state->domain->dc_address;
+
+ /* This shouldn't make a network call, as the mappings for named pipes are well known */
+ status = dcerpc_epm_map_binding(binding, binding, table, state->service->task->event_ctx,
+ state->service->task->lp_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return NULL;
+ }
+
+ return binding;
+}
+
+struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
+ struct wbsrv_service *service,
+ struct wb_dom_info *dom_info)
{
struct composite_context *result, *ctx;
struct init_domain_state *state;
- result = talloc(domain, struct composite_context);
+ result = composite_create(mem_ctx, service->task->event_ctx);
if (result == NULL) goto failed;
- result->state = COMPOSITE_STATE_IN_PROGRESS;
- result->async.fn = NULL;
- result->event_ctx = event_ctx;
state = talloc_zero(result, struct init_domain_state);
if (state == NULL) goto failed;
state->ctx = result;
result->private_data = state;
- state->domain = domain;
-
- if (domain->dcname != NULL) {
- struct nbt_name name;
- make_nbt_name(&name, domain->dcname, 0x20);
- ctx = resolve_name_send(&name, result->event_ctx,
- lp_name_resolve_order());
- if (ctx == NULL) goto failed;
- ctx->async.fn = init_domain_recv_dcip;
- ctx->async.private_data = state;
- return result;
- }
+ state->service = service;
- if (state->domain->schannel_creds != NULL) {
- talloc_free(state->domain->schannel_creds);
- }
+ state->domain = talloc(state, struct wbsrv_domain);
+ if (state->domain == NULL) goto failed;
- state->domain->schannel_creds = cli_credentials_init(state->domain);
- if (state->domain->schannel_creds == NULL) goto failed;
- cli_credentials_set_conf(state->domain->schannel_creds);
- state->ctx->status =
- cli_credentials_set_machine_account(state->domain->
- schannel_creds);
- if (!NT_STATUS_IS_OK(state->ctx->status)) goto failed;
+ state->domain->info = talloc_reference(state->domain, dom_info);
+ if (state->domain->info == NULL) goto failed;
- ctx = wb_finddcs_send(domain->name, domain->sid, event_ctx, msg_ctx);
- if (ctx == NULL) goto failed;
+ /* Caller should check, but to be safe: */
+ if (dom_info->num_dcs < 1) {
+ goto failed;
+ }
+
+ /* For now, we just pick the first. The next step will be to
+ * walk the entire list. Also need to fix finddcs() to return
+ * the entire list */
+ state->domain->dc_name = dom_info->dcs[0].name;
+ state->domain->dc_address = dom_info->dcs[0].address;
- ctx->async.fn = init_domain_recv_dcs;
- ctx->async.private_data = state;
- return result;
+ state->domain->libnet_ctx = libnet_context_init(service->task->event_ctx,
+ service->task->lp_ctx);
- failed:
- talloc_free(result);
- return NULL;
-}
+ /* Create a credentials structure */
+ state->domain->libnet_ctx->cred = cli_credentials_init(state->domain);
+ if (state->domain->libnet_ctx->cred == NULL) goto failed;
-static void init_domain_recv_dcs(struct composite_context *ctx)
-{
- struct init_domain_state *state =
- talloc_get_type(ctx->async.private_data,
- struct init_domain_state);
+ cli_credentials_set_conf(state->domain->libnet_ctx->cred, service->task->lp_ctx);
- state->ctx->status = wb_finddcs_recv(ctx, state, &state->num_dcs,
- &state->dcs);
- if (!composite_is_ok(state->ctx)) return;
+ /* Connect the machine account to the credentials */
+ state->ctx->status =
+ cli_credentials_set_machine_account(state->domain->libnet_ctx->cred, state->domain->libnet_ctx->lp_ctx);
+ if (!NT_STATUS_IS_OK(state->ctx->status)) goto failed;
- if (state->num_dcs < 1) {
- composite_error(state->ctx, NT_STATUS_NO_LOGON_SERVERS);
- return;
- }
+ state->domain->netlogon_binding = init_domain_binding(state, &ndr_table_netlogon);
- state->conn.in.dest_host = state->dcs[0].address;
- state->conn.in.port = 0;
- state->conn.in.called_name = state->dcs[0].name;
- state->conn.in.service = "IPC$";
- state->conn.in.service_type = "IPC";
- state->conn.in.workgroup = state->domain->name;
+ state->domain->netlogon_pipe = NULL;
- state->conn.in.credentials = state->domain->schannel_creds;
+ if ((!cli_credentials_is_anonymous(state->domain->libnet_ctx->cred)) &&
+ ((lp_server_role(service->task->lp_ctx) == ROLE_DOMAIN_MEMBER) ||
+ (lp_server_role(service->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER)) &&
+ (dom_sid_equal(state->domain->info->sid,
+ state->service->primary_sid))) {
+ state->domain->netlogon_binding->flags |= DCERPC_SCHANNEL;
- if (state->conn.in.credentials == NULL) {
- state->conn.in.credentials = cli_credentials_init(state);
- if (composite_nomem(state->conn.in.credentials, state->ctx)) {
- return;
+ /* For debugging, it can be a real pain if all the traffic is encrypted */
+ if (lp_winbind_sealed_pipes(service->task->lp_ctx)) {
+ state->domain->netlogon_binding->flags |= (DCERPC_SIGN | DCERPC_SEAL );
+ } else {
+ state->domain->netlogon_binding->flags |= (DCERPC_SIGN);
}
- cli_credentials_set_conf(state->conn.in.credentials);
- cli_credentials_set_anonymous(state->conn.in.credentials);
}
-
- state->conn.in.fallback_to_anonymous = True;
- ctx = smb_composite_connect_send(&state->conn, state,
- state->ctx->event_ctx);
- composite_continue(state->ctx, ctx, init_domain_recv_tree, state);
+ /* No encryption on anonymous pipes */
+
+ ctx = dcerpc_pipe_connect_b_send(state, state->domain->netlogon_binding,
+ &ndr_table_netlogon,
+ state->domain->libnet_ctx->cred,
+ service->task->event_ctx,
+ service->task->lp_ctx);
+
+ if (composite_nomem(ctx, state->ctx)) {
+ goto failed;
+ }
+
+ composite_continue(state->ctx, ctx, init_domain_recv_netlogonpipe,
+ state);
+ return result;
+ failed:
+ talloc_free(result);
+ return NULL;
}
-static void init_domain_recv_dcip(struct composite_context *ctx)
+/* Having make a netlogon connection (possibly secured with schannel),
+ * make an LSA connection to the same DC, on the same IPC$ share */
+static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
{
struct init_domain_state *state =
talloc_get_type(ctx->async.private_data,
struct init_domain_state);
- const char *dcaddr;
- state->ctx->status = resolve_name_recv(ctx, state, &dcaddr);
- if (!composite_is_ok(state->ctx)) return;
+ state->ctx->status = dcerpc_pipe_connect_b_recv(ctx, state->domain,
+ &state->domain->netlogon_pipe);
+
+ if (!composite_is_ok(state->ctx)) {
+ return;
+ }
+ talloc_steal(state->domain->netlogon_pipe, state->domain->netlogon_binding);
- state->conn.in.dest_host = dcaddr;
- state->conn.in.port = 0;
- state->conn.in.called_name = state->domain->dcname;
- state->conn.in.service = "IPC$";
- state->conn.in.service_type = "IPC";
- state->conn.in.workgroup = state->domain->name;
- state->conn.in.credentials = state->domain->schannel_creds;
+ state->domain->lsa_binding = init_domain_binding(state, &ndr_table_lsarpc);
- state->conn.in.fallback_to_anonymous = True;
+ /* For debugging, it can be a real pain if all the traffic is encrypted */
+ if (lp_winbind_sealed_pipes(state->service->task->lp_ctx)) {
+ state->domain->lsa_binding->flags |= (DCERPC_SIGN | DCERPC_SEAL );
+ } else {
+ state->domain->lsa_binding->flags |= (DCERPC_SIGN);
+ }
- ctx = smb_composite_connect_send(&state->conn, state,
- state->ctx->event_ctx);
- composite_continue(state->ctx, ctx, init_domain_recv_tree, state);
+ state->domain->libnet_ctx->lsa.pipe = NULL;
+
+ /* this will make the secondary connection on the same IPC$ share,
+ secured with SPNEGO or NTLMSSP */
+ ctx = dcerpc_secondary_auth_connection_send(state->domain->netlogon_pipe,
+ state->domain->lsa_binding,
+ &ndr_table_lsarpc,
+ state->domain->libnet_ctx->cred,
+ state->domain->libnet_ctx->lp_ctx
+ );
+ composite_continue(state->ctx, ctx, init_domain_recv_lsa_pipe, state);
}
-static void init_domain_recv_tree(struct composite_context *ctx)
+static bool retry_with_schannel(struct init_domain_state *state,
+ struct dcerpc_binding *binding,
+ const struct ndr_interface_table *table,
+ void (*continuation)(struct composite_context *))
{
- struct init_domain_state *state =
- talloc_get_type(ctx->async.private_data,
- struct init_domain_state);
-
- state->ctx->status = smb_composite_connect_recv(ctx, state);
- if (!composite_is_ok(state->ctx)) return;
-
- if ((state->domain->schannel_creds == NULL) ||
- cli_credentials_is_anonymous(state->domain->schannel_creds)) {
- /* No chance to open netlogon */
- ctx = wb_connect_lsa_send(state->conn.out.tree, NULL);
- composite_continue(state->ctx, ctx,
- init_domain_recv_lsa, state);
- return;
+ struct composite_context *ctx;
+ state->ctx->status = NT_STATUS_OK;
+ if (state->domain->netlogon_binding->flags & DCERPC_SCHANNEL
+ && !(binding->flags & DCERPC_SCHANNEL)) {
+ /* Opening a policy handle failed, perhaps it was
+ * because we don't get a 'wrong password' error on
+ * NTLMSSP binds */
+
+ /* Try again with schannel */
+ binding->flags |= DCERPC_SCHANNEL;
+
+ /* Try again, likewise on the same IPC$ share,
+ secured with SCHANNEL */
+ ctx = dcerpc_secondary_auth_connection_send(state->domain->netlogon_pipe,
+ binding,
+ table,
+ state->domain->libnet_ctx->cred,
+ state->domain->libnet_ctx->lp_ctx);
+ composite_continue(state->ctx, ctx, continuation, state);
+ return true;
+ } else {
+ return false;
}
-
- ctx = wb_get_schannel_creds_send(state->domain->schannel_creds,
- state->conn.out.tree,
- state->ctx->event_ctx);
- composite_continue(state->ctx, ctx,
- init_domain_recv_netlogoncreds, state);
}
-
-static void init_domain_recv_netlogoncreds(struct composite_context *ctx)
+/* We should now have either an authenticated LSA pipe, or an error.
+ * On success, open a policy handle
+ */
+static void init_domain_recv_lsa_pipe(struct composite_context *ctx)
{
+ struct rpc_request *req;
struct init_domain_state *state =
talloc_get_type(ctx->async.private_data,
struct init_domain_state);
- struct smbcli_tree *tree = NULL;
-
- state->ctx->status = wb_get_schannel_creds_recv(ctx, state,
- &state->auth2_pipe);
- if (!composite_is_ok(state->ctx)) return;
-
- talloc_unlink(state, state->conn.out.tree); /* The pipe owns it now */
- if (!lp_winbind_sealed_pipes()) {
- state->netlogon_pipe = talloc_reference(state,
- state->auth2_pipe);
- ctx = wb_connect_lsa_send(state->conn.out.tree, NULL);
- composite_continue(state->ctx, ctx, init_domain_recv_lsa,
- state);
- return;
+ state->ctx->status = dcerpc_secondary_auth_connection_recv(ctx, state->domain,
+ &state->domain->libnet_ctx->lsa.pipe);
+ if (NT_STATUS_EQUAL(state->ctx->status, NT_STATUS_LOGON_FAILURE)) {
+ if (retry_with_schannel(state, state->domain->lsa_binding,
+ &ndr_table_lsarpc,
+ init_domain_recv_lsa_pipe)) {
+ return;
+ }
}
+ if (!composite_is_ok(state->ctx)) return;
- state->netlogon_pipe = dcerpc_pipe_init(state, state->ctx->event_ctx);
- if (composite_nomem(state->netlogon_pipe, state->ctx)) return;
+ talloc_steal(state->domain->libnet_ctx, state->domain->libnet_ctx->lsa.pipe);
+ talloc_steal(state->domain->libnet_ctx->lsa.pipe, state->domain->lsa_binding);
+ state->domain->libnet_ctx->lsa.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ state->domain->libnet_ctx->lsa.name = state->domain->info->name;
- if (state->auth2_pipe != NULL) {
- tree = dcerpc_smb_tree(state->auth2_pipe->conn);
- }
+ ZERO_STRUCT(state->domain->libnet_ctx->lsa.handle);
+ state->lsa_openpolicy.in.system_name =
+ talloc_asprintf(state, "\\\\%s",
+ dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe));
+ ZERO_STRUCT(state->objectattr);
+ state->lsa_openpolicy.in.attr = &state->objectattr;
+ state->lsa_openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ state->lsa_openpolicy.out.handle = &state->domain->libnet_ctx->lsa.handle;
- if (tree == NULL) {
- composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
- return;
- }
+ req = dcerpc_lsa_OpenPolicy2_send(state->domain->libnet_ctx->lsa.pipe, state,
+ &state->lsa_openpolicy);
- ctx = dcerpc_pipe_open_smb_send(state->netlogon_pipe->conn, tree,
- "\\netlogon");
- composite_continue(state->ctx, ctx,
- init_domain_recv_netlogonpipe, state);
+ composite_continue_rpc(state->ctx, req, init_domain_recv_lsa_policy, state);
}
-static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
-{
- struct init_domain_state *state =
- talloc_get_type(ctx->async.private_data,
- struct init_domain_state);
-
- state->ctx->status = dcerpc_pipe_open_smb_recv(ctx);
- if (!composite_is_ok(state->ctx)) return;
-
- state->netlogon_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL);
- state->ctx->status =
- dcerpc_bind_auth_password(state->netlogon_pipe,
- DCERPC_NETLOGON_UUID,
- DCERPC_NETLOGON_VERSION,
- state->domain->schannel_creds,
- DCERPC_AUTH_TYPE_SCHANNEL,
- NULL);
- if (!composite_is_ok(state->ctx)) return;
+/* Receive a policy handle (or not, and retry the authentication) and
+ * obtain some basic information about the domain */
- ctx = wb_connect_lsa_send(state->conn.out.tree,
- state->domain->schannel_creds);
- composite_continue(state->ctx, ctx, init_domain_recv_lsa, state);
-}
-
-static void init_domain_recv_lsa(struct composite_context *ctx)
+static void init_domain_recv_lsa_policy(struct rpc_request *req)
{
struct init_domain_state *state =
- talloc_get_type(ctx->async.private_data,
+ talloc_get_type(req->async.private_data,
struct init_domain_state);
- struct rpc_request *req;
-
- state->ctx->status = wb_connect_lsa_recv(ctx, state,
- &state->domain->lsa_auth_type,
- &state->lsa_pipe,
- &state->lsa_policy);
+ state->ctx->status = dcerpc_ndr_request_recv(req);
+ if ((!NT_STATUS_IS_OK(state->ctx->status)
+ || !NT_STATUS_IS_OK(state->lsa_openpolicy.out.result))) {
+ if (retry_with_schannel(state, state->domain->lsa_binding,
+ &ndr_table_lsarpc,
+ init_domain_recv_lsa_pipe)) {
+ return;
+ }
+ }
+ if (!composite_is_ok(state->ctx)) return;
+ state->ctx->status = state->lsa_openpolicy.out.result;
if (!composite_is_ok(state->ctx)) return;
- if (state->auth2_pipe == NULL) {
- /* Give the tree to the LSA pipe. If auth2_pipe exists we have
- * given it to that already */
- talloc_unlink(state, state->conn.out.tree);
- }
+ state->info = talloc_zero(state->ctx, union lsa_PolicyInformation);
+ if (composite_nomem(state->info, state->ctx)) return;
- state->queryinfo.in.handle = state->lsa_policy;
+ state->queryinfo.in.handle = &state->domain->libnet_ctx->lsa.handle;
state->queryinfo.in.level = LSA_POLICY_INFO_ACCOUNT_DOMAIN;
+ state->queryinfo.out.info = &state->info;
- req = dcerpc_lsa_QueryInfoPolicy_send(state->lsa_pipe, state,
+ req = dcerpc_lsa_QueryInfoPolicy_send(state->domain->libnet_ctx->lsa.pipe, state,
&state->queryinfo);
composite_continue_rpc(state->ctx, req,
init_domain_recv_queryinfo, state);
static void init_domain_recv_queryinfo(struct rpc_request *req)
{
struct init_domain_state *state =
- talloc_get_type(req->async.private, struct init_domain_state);
+ talloc_get_type(req->async.private_data, struct init_domain_state);
struct lsa_DomainInfo *dominfo;
struct composite_context *ctx;
state->ctx->status = state->queryinfo.out.result;
if (!composite_is_ok(state->ctx)) return;
- dominfo = &state->queryinfo.out.info->account_domain;
+ dominfo = &(*state->queryinfo.out.info)->account_domain;
- if (strcasecmp(state->domain->name, dominfo->name.string) != 0) {
+ if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
- state->domain->name,
- dcerpc_server_name(state->lsa_pipe),
+ state->domain->info->name,
+ dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
dominfo->name.string));
composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
return;
}
- if (!dom_sid_equal(state->domain->sid, dominfo->sid)) {
+ if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
- dom_sid_string(state, state->domain->sid),
- dcerpc_server_name(state->lsa_pipe),
+ dom_sid_string(state, state->domain->info->sid),
+ dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
dom_sid_string(state, dominfo->sid)));
composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
return;
}
- state->samr_pipe = dcerpc_pipe_init(state, state->ctx->event_ctx);
- if (composite_nomem(state->samr_pipe, state->ctx)) return;
+ state->domain->samr_binding = init_domain_binding(state, &ndr_table_samr);
+
+ /* We want to use the same flags as the LSA pipe did (so, if
+ * it needed schannel, then we need that here too) */
+ state->domain->samr_binding->flags = state->domain->lsa_binding->flags;
+
+ state->domain->libnet_ctx->samr.pipe = NULL;
- ctx = wb_connect_sam_send(state->conn.out.tree,
- state->domain->lsa_auth_type,
- state->domain->schannel_creds,
- state->domain->sid);
- composite_continue(state->ctx, ctx,
- init_domain_recv_samr, state);
+ ctx = wb_connect_samr_send(state, state->domain);
+ composite_continue(state->ctx, ctx, init_domain_recv_samr, state);
}
+/* Recv the SAMR details (SamrConnect and SamrOpenDomain handle) and
+ * open an LDAP connection */
static void init_domain_recv_samr(struct composite_context *ctx)
{
+ const char *ldap_url;
struct init_domain_state *state =
talloc_get_type(ctx->async.private_data,
struct init_domain_state);
- state->ctx->status = wb_connect_sam_recv(ctx, state, &state->samr_pipe,
- &state->samr_handle,
- &state->domain_handle);
+ state->ctx->status = wb_connect_samr_recv(
+ ctx, state->domain,
+ &state->domain->libnet_ctx->samr.pipe,
+ &state->domain->libnet_ctx->samr.connect_handle,
+ &state->domain->libnet_ctx->samr.handle);
if (!composite_is_ok(state->ctx)) return;
+ talloc_steal(state->domain->libnet_ctx->samr.pipe, state->domain->samr_binding);
+ state->domain->libnet_ctx->samr.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ state->domain->libnet_ctx->samr.name = state->domain->info->name;
+ state->domain->libnet_ctx->samr.sid = state->domain->info->sid;
+
composite_done(state->ctx);
}
-NTSTATUS wb_init_domain_recv(struct composite_context *c)
+NTSTATUS wb_init_domain_recv(struct composite_context *c,
+ TALLOC_CTX *mem_ctx,
+ struct wbsrv_domain **result)
{
NTSTATUS status = composite_wait(c);
if (NT_STATUS_IS_OK(status)) {
struct init_domain_state *state =
talloc_get_type(c->private_data,
struct init_domain_state);
- struct wbsrv_domain *domain = state->domain;
-
- talloc_free(domain->netlogon_auth2_pipe);
- domain->netlogon_auth2_pipe =
- talloc_steal(domain, state->auth2_pipe);
-
- talloc_free(domain->netlogon_pipe);
- domain->netlogon_pipe =
- talloc_steal(domain, state->netlogon_pipe);
-
- talloc_free(domain->lsa_pipe);
- domain->lsa_pipe =
- talloc_steal(domain, state->lsa_pipe);
-
- talloc_free(domain->lsa_policy);
- domain->lsa_policy =
- talloc_steal(domain, state->lsa_policy);
-
- talloc_free(domain->samr_pipe);
- domain->samr_pipe =
- talloc_steal(domain, state->samr_pipe);
-
- talloc_free(domain->samr_handle);
- domain->samr_handle =
- talloc_steal(domain, state->samr_handle);
-
- talloc_free(domain->domain_handle);
- domain->domain_handle =
- talloc_steal(domain, state->domain_handle);
-
- domain->initialized = True;
+ *result = talloc_steal(mem_ctx, state->domain);
}
talloc_free(c);
return status;
}
-NTSTATUS wb_init_domain(struct wbsrv_domain *domain,
- struct event_context *event_ctx,
- struct messaging_context *messaging_ctx)
+NTSTATUS wb_init_domain(TALLOC_CTX *mem_ctx, struct wbsrv_service *service,
+ struct wb_dom_info *dom_info,
+ struct wbsrv_domain **result)
{
struct composite_context *c =
- wb_init_domain_send(domain, event_ctx, messaging_ctx);
- return wb_init_domain_recv(c);
+ wb_init_domain_send(mem_ctx, service, dom_info);
+ return wb_init_domain_recv(c, mem_ctx, result);
}
git.samba.org / kai / samba.git / blobdiff