s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order to work against w2k8r2

[kai/samba.git] / source4 / winbind / wb_init_domain.c

diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index 8b82ab711e366fb86dfdb0cd8402f863308cc826..9847afbba052ca4545822253ee4cc932e17e01bf 100644 (file)
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
@@ -22,20 +22,15 @@
 
 #include "includes.h"
 #include "libcli/composite/composite.h"
-#include "libcli/smb_composite/smb_composite.h"
 #include "winbind/wb_server.h"
-#include "winbind/wb_async_helpers.h"
-#include "winbind/wb_helper.h"
 #include "smbd/service_task.h"
 #include "librpc/gen_ndr/ndr_netlogon.h"
 #include "librpc/gen_ndr/ndr_lsa_c.h"
 #include "librpc/gen_ndr/ndr_samr_c.h"
 #include "libcli/libcli.h"
 
-#include "libcli/auth/credentials.h"
 #include "libcli/security/security.h"
 
-#include "libcli/ldap/ldap_client.h"
 
 #include "auth/credentials/credentials.h"
 #include "param/param.h"
@@ -70,13 +65,13 @@ struct init_domain_state {
        struct lsa_ObjectAttribute objectattr;
        struct lsa_OpenPolicy2 lsa_openpolicy;
        struct lsa_QueryInfoPolicy queryinfo;
+       union lsa_PolicyInformation *info;
 };
 
 static void init_domain_recv_netlogonpipe(struct composite_context *ctx);
 static void init_domain_recv_lsa_pipe(struct composite_context *ctx);
-static void init_domain_recv_lsa_policy(struct rpc_request *req);
-static void init_domain_recv_queryinfo(struct rpc_request *req);
-static void init_domain_recv_ldapconn(struct composite_context *ctx);
+static void init_domain_recv_lsa_policy(struct tevent_req *subreq);
+static void init_domain_recv_queryinfo(struct tevent_req *subreq);
 static void init_domain_recv_samr(struct composite_context *ctx);
 
 static struct dcerpc_binding *init_domain_binding(struct init_domain_state *state, 
@@ -133,16 +128,8 @@ struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
        state->domain->info = talloc_reference(state->domain, dom_info);
        if (state->domain->info == NULL) goto failed;
 
-       /* Caller should check, but to be safe: */
-       if (dom_info->num_dcs < 1) {
-               goto failed;
-       }
-       
-       /* For now, we just pick the first.  The next step will be to
-        * walk the entire list.  Also need to fix finddcs() to return
-        * the entire list */
-       state->domain->dc_name = dom_info->dcs[0].name;
-       state->domain->dc_address = dom_info->dcs[0].address;
+       state->domain->dc_name = dom_info->dc->name;
+       state->domain->dc_address = dom_info->dc->address;
 
        state->domain->libnet_ctx = libnet_context_init(service->task->event_ctx, 
                                                        service->task->lp_ctx);
@@ -163,14 +150,14 @@ struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
        state->domain->netlogon_pipe = NULL;
 
        if ((!cli_credentials_is_anonymous(state->domain->libnet_ctx->cred)) &&
-           ((lp_server_role(service->task->lp_ctx) == ROLE_DOMAIN_MEMBER) ||
-            (lp_server_role(service->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER)) &&
+           ((lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_MEMBER) ||
+            (lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER)) &&
            (dom_sid_equal(state->domain->info->sid,
                           state->service->primary_sid))) {
-               state->domain->netlogon_binding->flags |= DCERPC_SCHANNEL;
+               state->domain->netlogon_binding->flags |= DCERPC_SCHANNEL | DCERPC_SCHANNEL_128;
 
                /* For debugging, it can be a real pain if all the traffic is encrypted */
-               if (lp_winbind_sealed_pipes(service->task->lp_ctx)) {
+               if (lpcfg_winbind_sealed_pipes(service->task->lp_ctx)) {
                        state->domain->netlogon_binding->flags |= (DCERPC_SIGN | DCERPC_SEAL );
                } else {
                        state->domain->netlogon_binding->flags |= (DCERPC_SIGN);
@@ -211,12 +198,12 @@ static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
        if (!composite_is_ok(state->ctx)) {
                return;
        }
-       talloc_steal(state->domain->netlogon_pipe, state->domain->netlogon_binding);
+       talloc_reparent(state, state->domain->netlogon_pipe, state->domain->netlogon_binding);
 
        state->domain->lsa_binding = init_domain_binding(state, &ndr_table_lsarpc);
 
        /* For debugging, it can be a real pain if all the traffic is encrypted */
-       if (lp_winbind_sealed_pipes(state->service->task->lp_ctx)) {
+       if (lpcfg_winbind_sealed_pipes(state->service->task->lp_ctx)) {
                state->domain->lsa_binding->flags |= (DCERPC_SIGN | DCERPC_SEAL );
        } else {
                state->domain->lsa_binding->flags |= (DCERPC_SIGN);
@@ -269,10 +256,10 @@ static bool retry_with_schannel(struct init_domain_state *state,
  */    
 static void init_domain_recv_lsa_pipe(struct composite_context *ctx)
 {
-       struct rpc_request *req;
        struct init_domain_state *state =
                talloc_get_type(ctx->async.private_data,
                                struct init_domain_state);
+       struct tevent_req *subreq;
 
        state->ctx->status = dcerpc_secondary_auth_connection_recv(ctx, state->domain,
                                                                   &state->domain->libnet_ctx->lsa.pipe);
@@ -286,7 +273,7 @@ static void init_domain_recv_lsa_pipe(struct composite_context *ctx)
        if (!composite_is_ok(state->ctx)) return;
 
        talloc_steal(state->domain->libnet_ctx, state->domain->libnet_ctx->lsa.pipe);
-       talloc_steal(state->domain->libnet_ctx->lsa.pipe, state->domain->lsa_binding);
+       talloc_reparent(state, state->domain->libnet_ctx->lsa.pipe, state->domain->lsa_binding);
        state->domain->libnet_ctx->lsa.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
        state->domain->libnet_ctx->lsa.name = state->domain->info->name;
 
@@ -299,22 +286,25 @@ static void init_domain_recv_lsa_pipe(struct composite_context *ctx)
        state->lsa_openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
        state->lsa_openpolicy.out.handle = &state->domain->libnet_ctx->lsa.handle;
 
-       req = dcerpc_lsa_OpenPolicy2_send(state->domain->libnet_ctx->lsa.pipe, state,
-                                         &state->lsa_openpolicy);
-
-       composite_continue_rpc(state->ctx, req, init_domain_recv_lsa_policy, state);
+       subreq = dcerpc_lsa_OpenPolicy2_r_send(state,
+                                              state->ctx->event_ctx,
+                                              state->domain->libnet_ctx->lsa.pipe->binding_handle,
+                                              &state->lsa_openpolicy);
+       if (composite_nomem(subreq, state->ctx)) return;
+       tevent_req_set_callback(subreq, init_domain_recv_lsa_policy, state);
 }
 
 /* Receive a policy handle (or not, and retry the authentication) and
  * obtain some basic information about the domain */
 
-static void init_domain_recv_lsa_policy(struct rpc_request *req)
+static void init_domain_recv_lsa_policy(struct tevent_req *subreq)
 {
        struct init_domain_state *state =
-               talloc_get_type(req->async.private_data,
-                               struct init_domain_state);
+               tevent_req_callback_data(subreq,
+               struct init_domain_state);
 
-       state->ctx->status = dcerpc_ndr_request_recv(req);
+       state->ctx->status = dcerpc_lsa_OpenPolicy2_r_recv(subreq, state);
+       TALLOC_FREE(subreq);
        if ((!NT_STATUS_IS_OK(state->ctx->status)
              || !NT_STATUS_IS_OK(state->lsa_openpolicy.out.result))) {
                if (retry_with_schannel(state, state->domain->lsa_binding, 
@@ -327,28 +317,36 @@ static void init_domain_recv_lsa_policy(struct rpc_request *req)
        state->ctx->status = state->lsa_openpolicy.out.result;
        if (!composite_is_ok(state->ctx)) return;
 
+       state->info = talloc_zero(state->ctx, union lsa_PolicyInformation);
+       if (composite_nomem(state->info, state->ctx)) return;
+
        state->queryinfo.in.handle = &state->domain->libnet_ctx->lsa.handle;
        state->queryinfo.in.level = LSA_POLICY_INFO_ACCOUNT_DOMAIN;
-
-       req = dcerpc_lsa_QueryInfoPolicy_send(state->domain->libnet_ctx->lsa.pipe, state,
-                                             &state->queryinfo);
-       composite_continue_rpc(state->ctx, req,
-                              init_domain_recv_queryinfo, state);
+       state->queryinfo.out.info = &state->info;
+
+       subreq = dcerpc_lsa_QueryInfoPolicy_r_send(state,
+                                                  state->ctx->event_ctx,
+                                                  state->domain->libnet_ctx->lsa.pipe->binding_handle,
+                                                  &state->queryinfo);
+       if (composite_nomem(subreq, state->ctx)) return;
+       tevent_req_set_callback(subreq, init_domain_recv_queryinfo, state);
 }
 
-static void init_domain_recv_queryinfo(struct rpc_request *req)
+static void init_domain_recv_queryinfo(struct tevent_req *subreq)
 {
        struct init_domain_state *state =
-               talloc_get_type(req->async.private_data, struct init_domain_state);
+               tevent_req_callback_data(subreq,
+               struct init_domain_state);
        struct lsa_DomainInfo *dominfo;
        struct composite_context *ctx;
 
-       state->ctx->status = dcerpc_ndr_request_recv(req);
+       state->ctx->status = dcerpc_lsa_QueryInfoPolicy_r_recv(subreq, state);
+       TALLOC_FREE(subreq);
        if (!composite_is_ok(state->ctx)) return;
        state->ctx->status = state->queryinfo.out.result;
        if (!composite_is_ok(state->ctx)) return;
 
-       dominfo = &state->queryinfo.out.info->account_domain;
+       dominfo = &(*state->queryinfo.out.info)->account_domain;
 
        if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
                DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
@@ -384,7 +382,6 @@ static void init_domain_recv_queryinfo(struct rpc_request *req)
  * open an LDAP connection */
 static void init_domain_recv_samr(struct composite_context *ctx)
 {
-       const char *ldap_url;
        struct init_domain_state *state =
                talloc_get_type(ctx->async.private_data,
                                struct init_domain_state);
@@ -392,45 +389,16 @@ static void init_domain_recv_samr(struct composite_context *ctx)
        state->ctx->status = wb_connect_samr_recv(
                ctx, state->domain,
                &state->domain->libnet_ctx->samr.pipe,
-               &state->domain->libnet_ctx->samr.handle, 
+               &state->domain->libnet_ctx->samr.connect_handle,
                &state->domain->libnet_ctx->samr.handle);
        if (!composite_is_ok(state->ctx)) return;
 
-       talloc_steal(state->domain->libnet_ctx->samr.pipe, state->domain->samr_binding);
+       talloc_reparent(state, state->domain->libnet_ctx->samr.pipe, state->domain->samr_binding);
        state->domain->libnet_ctx->samr.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
        state->domain->libnet_ctx->samr.name = state->domain->info->name;
-       state->domain->libnet_ctx->samr.sid = state->domain->info->sid;
-
-       state->domain->ldap_conn =
-               ldap4_new_connection(state->domain, state->domain->libnet_ctx->lp_ctx, state->ctx->event_ctx);
-       composite_nomem(state->domain->ldap_conn, state->ctx);
-
-       ldap_url = talloc_asprintf(state, "ldap://%s/",
-                                  state->domain->dc_address);
-       composite_nomem(ldap_url, state->ctx);
-
-       ctx = ldap_connect_send(state->domain->ldap_conn, ldap_url);
-       composite_continue(state->ctx, ctx, init_domain_recv_ldapconn, state);
-}
-
-static void init_domain_recv_ldapconn(struct composite_context *ctx)
-{
-       struct init_domain_state *state =
-               talloc_get_type(ctx->async.private_data,
-                               struct init_domain_state);
-
-       state->ctx->status = ldap_connect_recv(ctx);
-       if (NT_STATUS_IS_OK(state->ctx->status)) {
-               state->domain->ldap_conn->host =
-                       talloc_strdup(state->domain->ldap_conn,
-                                     state->domain->dc_name);
-               state->ctx->status =
-                       ldap_bind_sasl(state->domain->ldap_conn,
-                                      state->domain->libnet_ctx->cred,
-                                      state->domain->libnet_ctx->lp_ctx);
-               DEBUG(0, ("ldap_bind returned %s\n",
-                         nt_errstr(state->ctx->status)));
-       }
+       state->domain->libnet_ctx->samr.sid = dom_sid_dup(
+                                               state->domain->libnet_ctx,
+                                               state->domain->info->sid);
 
        composite_done(state->ctx);
 }