2 Unix SMB/CIFS implementation.
4 Winbind daemon connection manager
6 Copyright (C) Tim Potter 2001
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Gerald (Jerry) Carter 2003-2005.
9 Copyright (C) Volker Lendecke 2004-2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 We need to manage connections to domain controllers without having to
28 mess up the main winbindd code with other issues. The aim of the
29 connection manager is to:
31 - make connections to domain controllers and cache them
32 - re-establish connections when networks or servers go down
33 - centralise the policy on connection timeouts, domain controller
35 - manage re-entrancy for when winbindd becomes able to handle
36 multiple outstanding rpc requests
38 Why not have connection management as part of the rpc layer like tng?
39 Good question. This code may morph into libsmb/rpc_cache.c or something
40 like that but at the moment it's simply staying as part of winbind. I
41 think the TNG architecture of forcing every user of the rpc layer to use
42 the connection caching system is a bad idea. It should be an optional
43 method of using the routines.
45 The TNG design is quite good but I disagree with some aspects of the
53 - I'm pretty annoyed by all the make_nmb_name() stuff. It should be
54 moved down into another function.
56 - Take care when destroying cli_structs as they can be shared between
65 #define DBGC_CLASS DBGC_WINBIND
68 /******************************************************************
69 Disabling schannl on the LSA pipe for now since
70 both Win2K-SP4 SR1 & Win2K3-SP1 fail the open_policy()
71 call (return codes 0xc0020042 and 0xc0020041 respectively).
72 We really need to fix this soon. Had to disable on the
73 SAMR pipe as well for now. --jerry
74 ******************************************************************/
76 /* #define DISABLE_SCHANNEL_WIN2K3_SP1 1 */
79 /* Choose between anonymous or authenticated connections. We need to use
80 an authenticated connection if DCs have the RestrictAnonymous registry
81 entry set > 0, or the "Additional restrictions for anonymous
82 connections" set in the win2k Local Security Policy.
84 Caller to free() result in domain, username, password
87 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
89 *username = secrets_fetch(SECRETS_AUTH_USER, NULL);
90 *domain = secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
91 *password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
93 if (*username && **username) {
95 if (!*domain || !**domain)
96 *domain = smb_xstrdup(lp_workgroup());
98 if (!*password || !**password)
99 *password = smb_xstrdup("");
101 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
102 *domain, *username));
105 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
106 *username = smb_xstrdup("");
107 *domain = smb_xstrdup("");
108 *password = smb_xstrdup("");
112 static BOOL get_dc_name_via_netlogon(const struct winbindd_domain *domain,
113 fstring dcname, struct in_addr *dc_ip)
115 struct winbindd_domain *our_domain;
116 struct rpc_pipe_client *netlogon_pipe;
119 const char *server_name;
124 /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
131 if (domain->primary) {
135 our_domain = find_our_domain();
137 if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
141 result = cm_connect_netlogon(our_domain, &netlogon_pipe);
142 if (!NT_STATUS_IS_OK(result)) {
146 server_name = talloc_asprintf(mem_ctx, "\\\\%s", our_domain->dcname);
147 if (server_name == NULL) {
151 result = rpccli_netlogon_getdcname(netlogon_pipe, mem_ctx, server_name,
154 talloc_destroy(mem_ctx);
156 if (!NT_STATUS_IS_OK(result)) {
157 DEBUG(10, ("rpccli_netlogon_getdcname failed: %s\n",
162 /* cli_netlogon_getdcname gives us a name with \\ */
173 DEBUG(10, ("rpccli_netlogon_getdcname returned %s\n", dcname));
175 if (!resolve_name(dcname, dc_ip, 0x20)) {
182 /************************************************************************
183 Given a fd with a just-connected TCP connection to a DC, open a connection
185 ************************************************************************/
187 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
189 const char *controller,
190 struct cli_state **cli,
193 char *machine_password, *machine_krb5_principal, *machine_account;
194 char *ipc_username, *ipc_domain, *ipc_password;
197 BOOL add_failed_connection = True;
199 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
201 struct sockaddr peeraddr;
202 socklen_t peeraddr_len;
204 struct sockaddr_in *peeraddr_in = (struct sockaddr_in *)&peeraddr;
206 machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL,
209 if (asprintf(&machine_account, "%s$", global_myname()) == -1) {
210 SAFE_FREE(machine_password);
211 return NT_STATUS_NO_MEMORY;
214 if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(),
216 SAFE_FREE(machine_account);
217 SAFE_FREE(machine_password);
218 return NT_STATUS_NO_MEMORY;
221 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
225 got_mutex = secrets_named_mutex(controller,
226 WINBIND_SERVER_MUTEX_WAIT_TIME);
229 DEBUG(0,("cm_open_connection: mutex grab failed for %s\n",
231 result = NT_STATUS_POSSIBLE_DEADLOCK;
235 if ((*cli = cli_initialise(NULL)) == NULL) {
236 DEBUG(1, ("Could not cli_initialize\n"));
237 result = NT_STATUS_NO_MEMORY;
241 (*cli)->timeout = 10000; /* 10 seconds */
243 fstrcpy((*cli)->desthost, controller);
244 (*cli)->use_kerberos = True;
246 peeraddr_len = sizeof(peeraddr);
248 if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0) ||
249 (peeraddr_len != sizeof(struct sockaddr_in)) ||
250 (peeraddr_in->sin_family != PF_INET))
252 DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
256 if (ntohs(peeraddr_in->sin_port) == 139) {
257 struct nmb_name calling;
258 struct nmb_name called;
260 make_nmb_name(&calling, global_myname(), 0x0);
261 make_nmb_name(&called, "*SMBSERVER", 0x20);
263 if (!cli_session_request(*cli, &calling, &called)) {
264 DEBUG(8, ("cli_session_request failed for %s\n",
270 cli_setup_signing_state(*cli, Undefined);
272 if (!cli_negprot(*cli)) {
273 DEBUG(1, ("cli_negprot failed\n"));
279 if ((*cli)->protocol >= PROTOCOL_NT1 && (*cli)->capabilities & CAP_EXTENDED_SECURITY) {
280 ADS_STATUS ads_status;
282 if (lp_security() == SEC_ADS) {
284 /* Try a krb5 session */
286 (*cli)->use_kerberos = True;
287 DEBUG(5, ("connecting to %s from %s with kerberos principal "
288 "[%s]\n", controller, global_myname(),
289 machine_krb5_principal));
291 ads_status = cli_session_setup_spnego(*cli,
292 machine_krb5_principal,
296 if (!ADS_ERR_OK(ads_status)) {
297 DEBUG(4,("failed kerberos session setup with %s\n",
298 ads_errstr(ads_status)));
301 result = ads_ntstatus(ads_status);
302 if (NT_STATUS_IS_OK(result)) {
303 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
304 cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
305 goto session_setup_done;
309 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
310 (*cli)->use_kerberos = False;
312 DEBUG(5, ("connecting to %s from %s with username "
313 "[%s]\\[%s]\n", controller, global_myname(),
314 machine_account, machine_password));
316 ads_status = cli_session_setup_spnego(*cli,
320 if (!ADS_ERR_OK(ads_status)) {
321 DEBUG(4, ("authenticated session setup failed with %s\n",
322 ads_errstr(ads_status)));
325 result = ads_ntstatus(ads_status);
326 if (NT_STATUS_IS_OK(result)) {
327 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
328 cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
329 goto session_setup_done;
333 /* Fall back to non-kerberos session setup */
335 (*cli)->use_kerberos = False;
337 if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
338 (strlen(ipc_username) > 0)) {
340 /* Only try authenticated if we have a username */
342 DEBUG(5, ("connecting to %s from %s with username "
343 "[%s]\\[%s]\n", controller, global_myname(),
344 ipc_domain, ipc_username));
346 if (cli_session_setup(*cli, ipc_username,
347 ipc_password, strlen(ipc_password)+1,
348 ipc_password, strlen(ipc_password)+1,
350 /* Successful logon with given username. */
351 cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
352 goto session_setup_done;
354 DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
355 ipc_domain, ipc_username ));
359 /* Fall back to anonymous connection, this might fail later */
361 if (cli_session_setup(*cli, "", NULL, 0, NULL, 0, "")) {
362 DEBUG(5, ("Connected anonymously\n"));
363 cli_init_creds(*cli, "", "", "");
364 goto session_setup_done;
367 result = cli_nt_error(*cli);
369 if (NT_STATUS_IS_OK(result))
370 result = NT_STATUS_UNSUCCESSFUL;
372 /* We can't session setup */
378 if (!cli_send_tconX(*cli, "IPC$", "IPC", "", 0)) {
380 result = cli_nt_error(*cli);
382 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
384 if (NT_STATUS_IS_OK(result))
385 result = NT_STATUS_UNSUCCESSFUL;
391 secrets_named_mutex_release(controller);
395 /* set the domain if empty; needed for schannel connections */
396 if ( !*(*cli)->domain ) {
397 fstrcpy( (*cli)->domain, domain->name );
400 result = NT_STATUS_OK;
401 add_failed_connection = False;
405 secrets_named_mutex_release(controller);
408 SAFE_FREE(machine_account);
409 SAFE_FREE(machine_password);
410 SAFE_FREE(machine_krb5_principal);
411 SAFE_FREE(ipc_username);
412 SAFE_FREE(ipc_domain);
413 SAFE_FREE(ipc_password);
415 if (add_failed_connection) {
416 add_failed_connection_entry(domain->name, controller, result);
427 static BOOL add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
428 const char *dcname, struct in_addr ip,
429 struct dc_name_ip **dcs, int *num)
431 if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
432 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
436 *dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
441 fstrcpy((*dcs)[*num].name, dcname);
442 (*dcs)[*num].ip = ip;
447 static BOOL add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
448 struct in_addr ip, uint16 port,
449 struct sockaddr_in **addrs, int *num)
451 *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_in, (*num)+1);
456 (*addrs)[*num].sin_family = PF_INET;
457 putip((char *)&((*addrs)[*num].sin_addr), (char *)&ip);
458 (*addrs)[*num].sin_port = htons(port);
464 static void mailslot_name(struct in_addr dc_ip, fstring name)
466 fstr_sprintf(name, "\\MAILSLOT\\NET\\GETDC%X", dc_ip.s_addr);
469 static BOOL send_getdc_request(struct in_addr dc_ip,
470 const char *domain_name,
475 fstring my_acct_name;
478 mailslot_name(dc_ip, my_mailslot);
480 memset(outbuf, '\0', sizeof(outbuf));
484 SCVAL(p, 0, SAMLOGON);
487 SCVAL(p, 0, 0); /* Count pointer ... */
490 SIVAL(p, 0, 0); /* The sender's token ... */
493 p += dos_PutUniCode(p, global_myname(), sizeof(pstring), True);
494 fstr_sprintf(my_acct_name, "%s$", global_myname());
495 p += dos_PutUniCode(p, my_acct_name, sizeof(pstring), True);
497 memcpy(p, my_mailslot, strlen(my_mailslot)+1);
498 p += strlen(my_mailslot)+1;
503 SIVAL(p, 0, sid_size(sid));
506 p = ALIGN4(p, outbuf);
508 sid_linearize(p, sid_size(sid), sid);
516 return cli_send_mailslot(False, "\\MAILSLOT\\NET\\NTLOGON", 0,
517 outbuf, PTR_DIFF(p, outbuf),
518 global_myname(), 0, domain_name, 0x1c,
522 static BOOL receive_getdc_response(struct in_addr dc_ip,
523 const char *domain_name,
526 struct packet_struct *packet;
529 fstring dcname, user, domain;
532 mailslot_name(dc_ip, my_mailslot);
534 packet = receive_unexpected(DGRAM_PACKET, 0, my_mailslot);
536 if (packet == NULL) {
537 DEBUG(5, ("Did not receive packet for %s\n", my_mailslot));
541 DEBUG(5, ("Received packet for %s\n", my_mailslot));
543 buf = packet->packet.dgram.data;
544 len = packet->packet.dgram.datasize;
547 /* 70 is a completely arbitrary value to make sure
548 the SVAL below does not read uninitialized memory */
549 DEBUG(3, ("GetDC got short response\n"));
553 /* This should be (buf-4)+SVAL(buf-4, smb_vwv12)... */
554 p = buf+SVAL(buf, smb_vwv10);
556 if (CVAL(p,0) != SAMLOGON_R) {
557 DEBUG(8, ("GetDC got invalid response type %d\n", CVAL(p, 0)));
562 pull_ucs2(buf, dcname, p, sizeof(dcname), PTR_DIFF(buf+len, p),
563 STR_TERMINATE|STR_NOALIGN);
564 p = skip_unibuf(p, PTR_DIFF(buf+len, p));
565 pull_ucs2(buf, user, p, sizeof(dcname), PTR_DIFF(buf+len, p),
566 STR_TERMINATE|STR_NOALIGN);
567 p = skip_unibuf(p, PTR_DIFF(buf+len, p));
568 pull_ucs2(buf, domain, p, sizeof(dcname), PTR_DIFF(buf+len, p),
569 STR_TERMINATE|STR_NOALIGN);
570 p = skip_unibuf(p, PTR_DIFF(buf+len, p));
572 if (!strequal(domain, domain_name)) {
573 DEBUG(3, ("GetDC: Expected domain %s, got %s\n",
574 domain_name, domain));
579 if (*p == '\\') p += 1;
580 if (*p == '\\') p += 1;
584 DEBUG(10, ("GetDC gave name %s for domain %s\n",
590 /*******************************************************************
591 convert an ip to a name
592 *******************************************************************/
594 static void dcip_to_name( const char *domainname, const char *realm,
595 const DOM_SID *sid, struct in_addr ip, fstring name )
598 /* try GETDC requests first */
600 if (send_getdc_request(ip, domainname, sid)) {
603 for (i=0; i<5; i++) {
604 if (receive_getdc_response(ip, domainname, name))
610 /* try node status request */
612 if ( name_status_find(domainname, 0x1c, 0x20, ip, name) )
615 /* backup in case the netbios stuff fails */
617 fstrcpy( name, inet_ntoa(ip) );
620 /* for active directory servers, try to get the ldap server name.
621 None of these failure should be considered critical for now */
623 if ( lp_security() == SEC_ADS )
628 ads = ads_init( realm, domainname, NULL );
629 ads->auth.flags |= ADS_AUTH_NO_BIND;
631 if ( !ads_try_connect( ads, inet_ntoa(ip), LDAP_PORT ) ) {
636 status = ads_server_info(ads);
637 if ( !ADS_ERR_OK(status) ) {
642 fstrcpy(name, ads->config.ldap_server_name);
651 /*******************************************************************
652 Retreive a list of IP address for domain controllers. Fill in
653 the dcs[] with results.
654 *******************************************************************/
656 static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
657 struct dc_name_ip **dcs, int *num_dcs)
661 struct ip_service *ip_list = NULL;
667 is_our_domain = strequal(domain->name, lp_workgroup());
670 && get_dc_name_via_netlogon(domain, dcname, &ip)
671 && add_one_dc_unique(mem_ctx, domain->name, dcname, ip, dcs, num_dcs) )
673 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
674 dcname, inet_ntoa(ip)));
679 && must_use_pdc(domain->name)
680 && get_pdc_ip(domain->name, &ip))
682 if (add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip), ip, dcs, num_dcs))
686 /* try standard netbios queries first */
688 get_sorted_dc_list(domain->name, &ip_list, &iplist_size, False);
690 /* check for security = ads and use DNS if we can */
692 if ( iplist_size==0 && lp_security() == SEC_ADS )
693 get_sorted_dc_list(domain->alt_name, &ip_list, &iplist_size, True);
695 /* FIXME!! this is where we should re-insert the GETDC requests --jerry */
697 /* now add to the dc array. We'll wait until the last minute
698 to look up the name of the DC. But we fill in the char* for
699 the ip now in to make the failed connection cache work */
701 for ( i=0; i<iplist_size; i++ ) {
702 add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
703 ip_list[i].ip, dcs, num_dcs);
706 SAFE_FREE( ip_list );
711 static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
712 const struct winbindd_domain *domain,
713 fstring dcname, struct sockaddr_in *addr, int *fd)
715 struct dc_name_ip *dcs = NULL;
718 const char **dcnames = NULL;
721 struct sockaddr_in *addrs = NULL;
726 if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
729 for (i=0; i<num_dcs; i++) {
731 add_string_to_array(mem_ctx, dcs[i].name,
732 &dcnames, &num_dcnames);
733 add_sockaddr_to_array(mem_ctx, dcs[i].ip, 445,
736 add_string_to_array(mem_ctx, dcs[i].name,
737 &dcnames, &num_dcnames);
738 add_sockaddr_to_array(mem_ctx, dcs[i].ip, 139,
742 if ((num_dcnames == 0) || (num_dcnames != num_addrs))
745 if ( !open_any_socket_out(addrs, num_addrs, 10000, &fd_index, fd) )
747 for (i=0; i<num_dcs; i++) {
748 add_failed_connection_entry(domain->name,
749 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
754 *addr = addrs[fd_index];
756 /* if we have no name on the server or just an IP address for
757 the name, now try to get the name */
759 if ( is_ipaddress(dcnames[fd_index]) || *dcnames[fd_index] == '\0' )
760 dcip_to_name( domain->name, domain->alt_name, &domain->sid, addr->sin_addr, dcname );
762 fstrcpy(dcname, dcnames[fd_index]);
767 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
768 struct winbindd_cm_conn *new_conn)
775 if ((mem_ctx = talloc_init("cm_open_connection")) == NULL)
776 return NT_STATUS_NO_MEMORY;
778 for (retries = 0; retries < 3; retries++) {
783 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
785 if ((strlen(domain->dcname) > 0) &&
786 NT_STATUS_IS_OK(check_negative_conn_cache(domain->name,
789 if (!open_any_socket_out(&domain->dcaddr, 1, 10000,
796 !find_new_dc(mem_ctx, domain, domain->dcname,
797 &domain->dcaddr, &fd))
800 new_conn->cli = NULL;
802 result = cm_prepare_connection(domain, fd, domain->dcname,
803 &new_conn->cli, &retry);
809 talloc_destroy(mem_ctx);
813 /* Return true if a connection is still alive */
815 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
817 if (conn->samr_pipe != NULL) {
818 cli_rpc_pipe_close(conn->samr_pipe);
819 conn->samr_pipe = NULL;
822 if (conn->lsa_pipe != NULL) {
823 cli_rpc_pipe_close(conn->lsa_pipe);
824 conn->lsa_pipe = NULL;
827 if (conn->netlogon_pipe != NULL) {
828 cli_rpc_pipe_close(conn->netlogon_pipe);
829 conn->netlogon_pipe = NULL;
833 cli_shutdown(conn->cli);
839 void close_conns_after_fork(void)
841 struct winbindd_domain *domain;
843 for (domain = domain_list(); domain; domain = domain->next) {
844 if (domain->conn.cli == NULL)
847 if (domain->conn.cli->fd == -1)
850 close(domain->conn.cli->fd);
851 domain->conn.cli->fd = -1;
855 static BOOL connection_ok(struct winbindd_domain *domain)
857 if (domain->conn.cli == NULL) {
858 DEBUG(8, ("Connection to %s for domain %s has NULL "
859 "cli!\n", domain->dcname, domain->name));
863 if (!domain->conn.cli->initialised) {
864 DEBUG(3, ("Connection to %s for domain %s was never "
865 "initialised!\n", domain->dcname, domain->name));
869 if (domain->conn.cli->fd == -1) {
870 DEBUG(3, ("Connection to %s for domain %s has died or was "
871 "never started (fd == -1)\n",
872 domain->dcname, domain->name));
879 /* Initialize a new connection up to the RPC BIND. */
881 static NTSTATUS init_dc_connection(struct winbindd_domain *domain)
883 if (connection_ok(domain))
886 invalidate_cm_connection(&domain->conn);
888 return cm_open_connection(domain, &domain->conn);
891 /******************************************************************************
892 We can 'sense' certain things about the DC by it's replies to certain
895 This tells us if this particular remote server is Active Directory, and if it
897 ******************************************************************************/
899 void set_dc_type_and_flags( struct winbindd_domain *domain )
903 TALLOC_CTX *mem_ctx = NULL;
904 struct rpc_pipe_client *cli;
907 char *domain_name = NULL;
908 char *dns_name = NULL;
909 DOM_SID *dom_sid = NULL;
913 domain->native_mode = False;
914 domain->active_directory = False;
916 if (domain->internal) {
917 domain->initialized = True;
921 result = init_dc_connection(domain);
922 if (!NT_STATUS_IS_OK(result)) {
923 DEBUG(5, ("set_dc_type_and_flags: Could not open a connection "
924 "to %s: (%s)\n", domain->name, nt_errstr(result)));
925 domain->initialized = True;
929 cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC_DS,
933 DEBUG(5, ("set_dc_type_and_flags: Could not bind to "
934 "PI_LSARPC_DS on domain %s: (%s)\n",
935 domain->name, nt_errstr(result)));
936 domain->initialized = True;
940 result = rpccli_ds_getprimarydominfo(cli, cli->cli->mem_ctx,
941 DsRolePrimaryDomainInfoBasic,
943 cli_rpc_pipe_close(cli);
945 if (!NT_STATUS_IS_OK(result)) {
946 domain->initialized = True;
950 if ((ctr.basic->flags & DSROLE_PRIMARY_DS_RUNNING) &&
951 !(ctr.basic->flags & DSROLE_PRIMARY_DS_MIXED_MODE) )
952 domain->native_mode = True;
954 cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC, &result);
957 domain->initialized = True;
961 mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
964 DEBUG(1, ("set_dc_type_and_flags: talloc_init() failed\n"));
965 cli_rpc_pipe_close(cli);
969 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
970 SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
972 if (NT_STATUS_IS_OK(result)) {
973 /* This particular query is exactly what Win2k clients use
974 to determine that the DC is active directory */
975 result = rpccli_lsa_query_info_policy2(cli, mem_ctx, &pol,
981 if (NT_STATUS_IS_OK(result)) {
983 fstrcpy(domain->name, domain_name);
986 fstrcpy(domain->alt_name, dns_name);
989 sid_copy(&domain->sid, dom_sid);
991 domain->active_directory = True;
994 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
995 SEC_RIGHTS_MAXIMUM_ALLOWED,
998 if (!NT_STATUS_IS_OK(result))
1001 result = rpccli_lsa_query_info_policy(cli, mem_ctx,
1002 &pol, 5, &domain_name,
1005 if (NT_STATUS_IS_OK(result)) {
1007 fstrcpy(domain->name, domain_name);
1010 sid_copy(&domain->sid, dom_sid);
1015 cli_rpc_pipe_close(cli);
1017 talloc_destroy(mem_ctx);
1019 domain->initialized = True;
1024 #ifndef DISABLE_SCHANNEL_WIN2K3_SP1
1025 static BOOL cm_get_schannel_dcinfo(struct winbindd_domain *domain,
1026 struct dcinfo **ppdc)
1029 struct rpc_pipe_client *netlogon_pipe;
1031 if (lp_client_schannel() == False) {
1035 result = cm_connect_netlogon(domain, &netlogon_pipe);
1036 if (!NT_STATUS_IS_OK(result)) {
1040 /* Return a pointer to the struct dcinfo from the
1043 *ppdc = domain->conn.netlogon_pipe->dc;
1048 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
1049 struct rpc_pipe_client **cli, POLICY_HND *sam_handle)
1051 struct winbindd_cm_conn *conn;
1054 result = init_dc_connection(domain);
1055 if (!NT_STATUS_IS_OK(result)) {
1059 conn = &domain->conn;
1061 if (conn->samr_pipe == NULL) {
1063 * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO
1064 * authenticated sign and sealed pipe using the machine
1065 * account password by preference. If we can't - try schannel,
1066 * if that fails, try anonymous.
1070 pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
1071 if (conn->cli->user_name[0] && conn->cli->domain[0] &&
1073 /* We have an authenticated connection. Use
1074 a NTLMSSP SPNEGO authenticated SAMR pipe with
1076 conn->samr_pipe = cli_rpc_pipe_open_spnego_ntlmssp
1077 (conn->cli, PI_SAMR, PIPE_AUTH_LEVEL_PRIVACY,
1078 conn->cli->domain, conn->cli->user_name,
1081 if (conn->samr_pipe == NULL) {
1082 DEBUG(10,("cm_connect_sam: failed to connect "
1083 "to SAMR pipe for domain %s using "
1084 "NTLMSSP authenticated pipe: user "
1085 "%s\\%s. Error was %s\n",
1086 domain->name, conn->cli->domain,
1087 conn->cli->user_name,
1088 nt_errstr(result)));
1090 DEBUG(10,("cm_connect_sam: connected to SAMR "
1091 "pipe for domain %s using NTLMSSP "
1092 "authenticated pipe: user %s\\%s\n",
1093 domain->name, conn->cli->domain,
1094 conn->cli->user_name ));
1098 #ifndef DISABLE_SCHANNEL_WIN2K3_SP1
1099 /* Fall back to schannel if it's a W2K pre-SP1 box. */
1100 if (conn->samr_pipe == NULL) {
1101 struct dcinfo *p_dcinfo;
1103 if (cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
1105 cli_rpc_pipe_open_schannel_with_key
1106 (conn->cli, PI_SAMR,
1107 PIPE_AUTH_LEVEL_PRIVACY,
1108 domain->name, p_dcinfo,
1111 if (conn->samr_pipe == NULL) {
1112 DEBUG(10,("cm_connect_sam: failed to connect "
1113 "to SAMR pipe for domain %s using "
1114 "schannel authenticated. Error "
1115 "was %s\n", domain->name,
1116 nt_errstr(result) ));
1118 DEBUG(10,("cm_connect_sam: connected to SAMR "
1119 "pipe for domain %s using schannel."
1120 "\n", domain->name ));
1123 #endif /* DISABLE_SCHANNEL_WIN2K3_SP1 */
1125 /* Finally fall back to anonymous. */
1126 if (conn->samr_pipe == NULL) {
1128 cli_rpc_pipe_open_noauth(conn->cli, PI_SAMR,
1132 if (conn->samr_pipe == NULL) {
1133 result = NT_STATUS_PIPE_NOT_AVAILABLE;
1137 result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
1138 SEC_RIGHTS_MAXIMUM_ALLOWED,
1139 &conn->sam_connect_handle);
1140 if (!NT_STATUS_IS_OK(result)) {
1141 DEBUG(10,("cm_connect_sam: rpccli_samr_connect failed "
1142 "for domain %s Error was %s\n",
1143 domain->name, nt_errstr(result) ));
1147 result = rpccli_samr_open_domain(conn->samr_pipe,
1149 &conn->sam_connect_handle,
1150 SEC_RIGHTS_MAXIMUM_ALLOWED,
1152 &conn->sam_domain_handle);
1157 if (!NT_STATUS_IS_OK(result)) {
1158 invalidate_cm_connection(conn);
1162 *cli = conn->samr_pipe;
1163 *sam_handle = conn->sam_domain_handle;
1167 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
1168 struct rpc_pipe_client **cli, POLICY_HND *lsa_policy)
1170 struct winbindd_cm_conn *conn;
1173 result = init_dc_connection(domain);
1174 if (!NT_STATUS_IS_OK(result))
1177 conn = &domain->conn;
1179 if (conn->lsa_pipe == NULL) {
1181 pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
1182 if (conn->cli->user_name[0] && conn->cli->domain[0] &&
1184 /* We have an authenticated connection. Use
1185 a NTLMSSP SPNEGO authenticated LSA pipe with
1187 conn->lsa_pipe = cli_rpc_pipe_open_spnego_ntlmssp
1188 (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
1189 conn->cli->domain, conn->cli->user_name,
1192 if (conn->lsa_pipe == NULL) {
1193 DEBUG(10,("cm_connect_lsa: failed to connect "
1194 "to LSA pipe for domain %s using "
1195 "NTLMSSP authenticated pipe: user "
1196 "%s\\%s. Error was %s\n",
1197 domain->name, conn->cli->domain,
1198 conn->cli->user_name,
1199 nt_errstr(result)));
1201 DEBUG(10,("cm_connect_lsa: connected to LSA "
1202 "pipe for domain %s using NTLMSSP "
1203 "authenticated pipe: user %s\\%s\n",
1204 domain->name, conn->cli->domain,
1205 conn->cli->user_name ));
1209 #ifndef DISABLE_SCHANNEL_WIN2K3_SP1
1210 /* Fall back to schannel if it's a W2K pre-SP1 box. */
1211 if (conn->lsa_pipe == NULL) {
1212 struct dcinfo *p_dcinfo;
1214 if (cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
1216 cli_rpc_pipe_open_schannel_with_key
1217 (conn->cli, PI_LSARPC,
1218 PIPE_AUTH_LEVEL_PRIVACY,
1219 domain->name, p_dcinfo,
1222 if (conn->lsa_pipe == NULL) {
1223 DEBUG(10,("cm_connect_lsa: failed to connect "
1224 "to LSA pipe for domain %s using "
1225 "schannel authenticated. Error "
1226 "was %s\n", domain->name,
1227 nt_errstr(result) ));
1229 DEBUG(10,("cm_connect_lsa: connected to LSA "
1230 "pipe for domain %s using schannel."
1231 "\n", domain->name ));
1234 #endif /* DISABLE_SCHANNEL_WIN2K3_SP1 */
1236 /* Finally fall back to anonymous. */
1237 if (conn->lsa_pipe == NULL) {
1238 conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli,
1243 if (conn->lsa_pipe == NULL) {
1244 result = NT_STATUS_PIPE_NOT_AVAILABLE;
1248 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
1249 SEC_RIGHTS_MAXIMUM_ALLOWED,
1254 if (!NT_STATUS_IS_OK(result)) {
1255 invalidate_cm_connection(conn);
1256 return NT_STATUS_UNSUCCESSFUL;
1259 *cli = conn->lsa_pipe;
1260 *lsa_policy = conn->lsa_policy;
1264 /****************************************************************************
1265 Open the netlogon pipe to this DC. Use schannel if specified in client conf.
1266 session key stored in conn->netlogon_pipe->dc->sess_key.
1267 ****************************************************************************/
1269 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
1270 struct rpc_pipe_client **cli)
1272 struct winbindd_cm_conn *conn;
1275 uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
1277 uint32 sec_chan_type;
1278 const char *account_name;
1279 struct rpc_pipe_client *netlogon_pipe;
1281 result = init_dc_connection(domain);
1282 if (!NT_STATUS_IS_OK(result)) {
1286 conn = &domain->conn;
1288 if (conn->netlogon_pipe != NULL) {
1289 *cli = conn->netlogon_pipe;
1290 return NT_STATUS_OK;
1293 if (!get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
1294 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1297 netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
1299 if (netlogon_pipe == NULL) {
1303 if (lp_client_schannel() != False) {
1304 neg_flags |= NETLOGON_NEG_SCHANNEL;
1307 /* if we are a DC and this is a trusted domain, then we need to use our
1308 domain name in the net_req_auth2() request */
1311 && !strequal(domain->name, lp_workgroup())
1312 && lp_allow_trusted_domains() )
1314 account_name = lp_workgroup();
1316 account_name = domain->primary ?
1317 global_myname() : domain->name;
1320 if (account_name == NULL) {
1321 cli_rpc_pipe_close(netlogon_pipe);
1322 return NT_STATUS_NO_MEMORY;
1325 result = rpccli_netlogon_setup_creds
1327 domain->dcname, /* server name. */
1328 domain->name, /* domain name */
1329 account_name, /* machine account */
1330 mach_pwd, /* machine password */
1331 sec_chan_type, /* from get_trust_pw */
1334 if (!NT_STATUS_IS_OK(result)) {
1335 cli_rpc_pipe_close(netlogon_pipe);
1339 if ((lp_client_schannel() == True) &&
1340 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
1341 DEBUG(3, ("Server did not offer schannel\n"));
1342 cli_rpc_pipe_close(netlogon_pipe);
1343 return NT_STATUS_ACCESS_DENIED;
1346 if ((lp_client_schannel() == False) ||
1347 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
1348 /* We're done - just keep the existing connection to NETLOGON
1350 conn->netlogon_pipe = netlogon_pipe;
1351 *cli = conn->netlogon_pipe;
1352 return NT_STATUS_OK;
1355 /* Using the credentials from the first pipe, open a signed and sealed
1356 second netlogon pipe. The session key is stored in the schannel
1357 part of the new pipe auth struct.
1360 conn->netlogon_pipe =
1361 cli_rpc_pipe_open_schannel_with_key(conn->cli,
1363 PIPE_AUTH_LEVEL_PRIVACY,
1368 /* We can now close the initial netlogon pipe. */
1369 cli_rpc_pipe_close(netlogon_pipe);
1371 if (conn->netlogon_pipe == NULL) {
1372 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
1373 "was %s\n", nt_errstr(result)));
1377 *cli = conn->netlogon_pipe;
1378 return NT_STATUS_OK;