r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
[tprouty/samba.git] / source / nsswitch / winbindd_cm.c
index 832672e64cbda72012a564a92a0d4ec7ba1cb0ef..269dab0389b976eb52db0e59ac5b8996a3114c48 100644 (file)
@@ -3,12 +3,15 @@
 
    Winbind daemon connection manager
 
-   Copyright (C) Tim Potter 2001
-   Copyright (C) Andrew Bartlett 2002
+   Copyright (C) Tim Potter                2001
+   Copyright (C) Andrew Bartlett           2002
+   Copyright (C) Gerald (Jerry) Carter     2003-2005.
+   Copyright (C) Volker Lendecke           2004-2005
+   Copyright (C) Jeremy Allison                   2006
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
+   the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
@@ -17,8 +20,7 @@
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 /*
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
-/* Global list of connections. Initially a DLIST but can become a hash
-   table or whatever later. */
-
-struct winbindd_cm_conn {
-       struct winbindd_cm_conn *prev, *next;
-       fstring domain;
-       fstring controller;
-       fstring pipe_name;
-       struct cli_state *cli;
-       POLICY_HND pol;
+struct dc_name_ip {
+       fstring name;
+       struct in_addr ip;
 };
 
-static struct winbindd_cm_conn *cm_conns = NULL;
+extern struct winbindd_methods reconnect_methods;
+extern BOOL override_logfile;
+
+static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
+static void set_dc_type_and_flags( struct winbindd_domain *domain );
+static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
+                   struct dc_name_ip **dcs, int *num_dcs);
+
+/****************************************************************
+ Child failed to find DC's. Reschedule check.
+****************************************************************/
+
+static void msg_failed_to_go_online(struct messaging_context *msg,
+                                   void *private_data,
+                                   uint32_t msg_type,
+                                   struct server_id server_id,
+                                   DATA_BLOB *data)
+{
+       struct winbindd_domain *domain;
+       const char *domainname = (const char *)data->data;
+
+       if (data->data == NULL || data->length == 0) {
+               return;
+       }
+
+       DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
+
+       for (domain = domain_list(); domain; domain = domain->next) {
+               if (domain->internal) {
+                       continue;
+               }
+
+               if (strequal(domain->name, domainname)) {
+                       if (domain->online) {
+                               /* We're already online, ignore. */
+                               DEBUG(5,("msg_fail_to_go_online: domain %s "
+                                       "already online.\n", domainname));
+                               continue;
+                       }
+
+                       /* Reschedule the online check. */
+                       set_domain_offline(domain);
+                       break;
+               }
+       }
+}
+
+/****************************************************************
+ Actually cause a reconnect from a message.
+****************************************************************/
+
+static void msg_try_to_go_online(struct messaging_context *msg,
+                                void *private_data,
+                                uint32_t msg_type,
+                                struct server_id server_id,
+                                DATA_BLOB *data)
+{
+       struct winbindd_domain *domain;
+       const char *domainname = (const char *)data->data;
+
+       if (data->data == NULL || data->length == 0) {
+               return;
+       }
+
+       DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
+
+       for (domain = domain_list(); domain; domain = domain->next) {
+               if (domain->internal) {
+                       continue;
+               }
+
+               if (strequal(domain->name, domainname)) {
+
+                       if (domain->online) {
+                               /* We're already online, ignore. */
+                               DEBUG(5,("msg_try_to_go_online: domain %s "
+                                       "already online.\n", domainname));
+                               continue;
+                       }
+
+                       /* This call takes care of setting the online
+                          flag to true if we connected, or re-adding
+                          the offline handler if false. Bypasses online
+                          check so always does network calls. */
+
+                       init_dc_connection_network(domain);
+                       break;
+               }
+       }
+}
+
+/****************************************************************
+ Fork a child to try and contact a DC. Do this as contacting a
+ DC requires blocking lookups and we don't want to block our
+ parent.
+****************************************************************/
+
+static BOOL fork_child_dc_connect(struct winbindd_domain *domain)
+{
+       struct dc_name_ip *dcs = NULL;
+       int num_dcs = 0;
+       TALLOC_CTX *mem_ctx = NULL;
+       pid_t child_pid;
+       pid_t parent_pid = sys_getpid();
+
+       /* Stop zombies */
+       CatchChild();
+
+       child_pid = sys_fork();
+
+       if (child_pid == -1) {
+               DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
+               return False;
+       }
+
+       if (child_pid != 0) {
+               /* Parent */
+               messaging_register(winbind_messaging_context(), NULL,
+                                  MSG_WINBIND_TRY_TO_GO_ONLINE,
+                                  msg_try_to_go_online);
+               messaging_register(winbind_messaging_context(), NULL,
+                                  MSG_WINBIND_FAILED_TO_GO_ONLINE,
+                                  msg_failed_to_go_online);
+               return True;
+       }
+
+       /* Child. */
+
+       /* Leave messages blocked - we will never process one. */
+
+       /* tdb needs special fork handling */
+       if (tdb_reopen_all(1) == -1) {
+               DEBUG(0,("tdb_reopen_all failed.\n"));
+               _exit(0);
+       }
+
+       close_conns_after_fork();
+
+       if (!override_logfile) {
+               pstring logfile;
+               pstr_sprintf(logfile, "%s/log.winbindd-dc-connect", dyn_LOGFILEBASE);
+               lp_set_logfile(logfile);
+               reopen_logs();
+       }
+
+       mem_ctx = talloc_init("fork_child_dc_connect");
+       if (!mem_ctx) {
+               DEBUG(0,("talloc_init failed.\n"));
+               _exit(0);
+       }
+
+       if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
+               /* Still offline ? Can't find DC's. */
+               messaging_send_buf(winbind_messaging_context(),
+                                  pid_to_procid(parent_pid),
+                                  MSG_WINBIND_FAILED_TO_GO_ONLINE,
+                                  (uint8 *)domain->name,
+                                  strlen(domain->name)+1);
+               _exit(0);
+       }
+
+       /* We got a DC. Send a message to our parent to get it to
+          try and do the same. */
+
+       messaging_send_buf(winbind_messaging_context(),
+                          pid_to_procid(parent_pid),
+                          MSG_WINBIND_TRY_TO_GO_ONLINE,
+                          (uint8 *)domain->name,
+                          strlen(domain->name)+1);
+       _exit(0);
+}
+
+/****************************************************************
+ Handler triggered if we're offline to try and detect a DC.
+****************************************************************/
+
+static void check_domain_online_handler(struct event_context *ctx,
+                                       struct timed_event *te,
+                                       const struct timeval *now,
+                                       void *private_data)
+{
+        struct winbindd_domain *domain =
+                (struct winbindd_domain *)private_data;
+
+       DEBUG(10,("check_domain_online_handler: called for domain "
+                 "%s (online = %s)\n", domain->name, 
+                 domain->online ? "True" : "False" ));
+
+       TALLOC_FREE(domain->check_online_event);
+
+       /* Are we still in "startup" mode ? */
+
+       if (domain->startup && (now->tv_sec > domain->startup_time + 30)) {
+               /* No longer in "startup" mode. */
+               DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
+                       domain->name ));
+               domain->startup = False;
+       }
+
+       /* We've been told to stay offline, so stay
+          that way. */
+
+       if (get_global_winbindd_state_offline()) {
+               DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
+                       domain->name ));
+               return;
+       }
+
+       /* Fork a child to test if it can contact a DC. 
+          If it can then send ourselves a message to
+          cause a reconnect. */
+
+       fork_child_dc_connect(domain);
+}
+
+/****************************************************************
+ If we're still offline setup the timeout check.
+****************************************************************/
+
+static void calc_new_online_timeout_check(struct winbindd_domain *domain)
+{
+       int wbc = lp_winbind_cache_time();
+
+       if (domain->startup) {
+               domain->check_online_timeout = 10;
+       } else if (domain->check_online_timeout < wbc) {
+               domain->check_online_timeout = wbc;
+       }
+}
+
+/****************************************************************
+ Set domain offline and also add handler to put us back online
+ if we detect a DC.
+****************************************************************/
+
+void set_domain_offline(struct winbindd_domain *domain)
+{
+       DEBUG(10,("set_domain_offline: called for domain %s\n",
+               domain->name ));
+
+       TALLOC_FREE(domain->check_online_event);
+
+       if (domain->internal) {
+               DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
+                       domain->name ));
+               return;
+       }
+
+       domain->online = False;
+
+       /* Offline domains are always initialized. They're
+          re-initialized when they go back online. */
+
+       domain->initialized = True;
+
+       /* We only add the timeout handler that checks and
+          allows us to go back online when we've not
+          been told to remain offline. */
+
+       if (get_global_winbindd_state_offline()) {
+               DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
+                       domain->name ));
+               return;
+       }
+
+       /* If we're in statup mode, check again in 10 seconds, not in
+          lp_winbind_cache_time() seconds (which is 5 mins by default). */
+
+       calc_new_online_timeout_check(domain);
+
+       domain->check_online_event = event_add_timed(winbind_event_context(),
+                                               NULL,
+                                               timeval_current_ofs(domain->check_online_timeout,0),
+                                               "check_domain_online_handler",
+                                               check_domain_online_handler,
+                                               domain);
+
+       /* The above *has* to succeed for winbindd to work. */
+       if (!domain->check_online_event) {
+               smb_panic("set_domain_offline: failed to add online handler");
+       }
+
+       DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
+               domain->name ));
+
+       /* Send an offline message to the idmap child when our
+          primary domain goes offline */
+
+       if ( domain->primary ) {
+               struct winbindd_child *idmap = idmap_child();
+               
+               if ( idmap->pid != 0 ) {
+                       messaging_send_buf(winbind_messaging_context(),
+                                          pid_to_procid(idmap->pid), 
+                                          MSG_WINBIND_OFFLINE, 
+                                          (uint8 *)domain->name, 
+                                          strlen(domain->name)+1);
+               }                       
+       }
+
+       return; 
+}
+
+/****************************************************************
+ Set domain online - if allowed.
+****************************************************************/
+
+static void set_domain_online(struct winbindd_domain *domain)
+{
+       struct timeval now;
+
+       DEBUG(10,("set_domain_online: called for domain %s\n",
+               domain->name ));
+
+       if (domain->internal) {
+               DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
+                       domain->name ));
+               return;
+       }
+
+       if (get_global_winbindd_state_offline()) {
+               DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
+                       domain->name ));
+               return;
+       }
+
+       /* If we are waiting to get a krb5 ticket, trigger immediately. */
+       GetTimeOfDay(&now);
+       set_event_dispatch_time(winbind_event_context(),
+                               "krb5_ticket_gain_handler", now);
+
+       /* Ok, we're out of any startup mode now... */
+       domain->startup = False;
+
+       if (domain->online == False) {
+               /* We were offline - now we're online. We default to
+                  using the MS-RPC backend if we started offline,
+                  and if we're going online for the first time we
+                  should really re-initialize the backends and the
+                  checks to see if we're talking to an AD or NT domain.
+               */
+
+               domain->initialized = False;
+
+               /* 'reconnect_methods' is the MS-RPC backend. */
+               if (domain->backend == &reconnect_methods) {
+                       domain->backend = NULL;
+               }
+       }
+
+       /* Ensure we have no online timeout checks. */
+       domain->check_online_timeout = 0;
+       TALLOC_FREE(domain->check_online_event);
+
+       /* Ensure we ignore any pending child messages. */
+       messaging_deregister(winbind_messaging_context(),
+                            MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
+       messaging_deregister(winbind_messaging_context(),
+                            MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
+
+       domain->online = True;
+
+       /* Send an online message to the idmap child when our
+          primary domain comes online */
+
+       if ( domain->primary ) {
+               struct winbindd_child *idmap = idmap_child();
+               
+               if ( idmap->pid != 0 ) {
+                       messaging_send_buf(winbind_messaging_context(),
+                                          pid_to_procid(idmap->pid), 
+                                          MSG_WINBIND_ONLINE, 
+                                          (uint8 *)domain->name, 
+                                          strlen(domain->name)+1);
+               }                       
+       }
+
+       return; 
+}
+
+/****************************************************************
+ Requested to set a domain online.
+****************************************************************/
+
+void set_domain_online_request(struct winbindd_domain *domain)
+{
+       struct timeval tev;
+
+       DEBUG(10,("set_domain_online_request: called for domain %s\n",
+               domain->name ));
+
+       if (get_global_winbindd_state_offline()) {
+               DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
+                       domain->name ));
+               return;
+       }
+
+       /* We've been told it's safe to go online and
+          try and connect to a DC. But I don't believe it
+          because network manager seems to lie.
+          Wait at least 5 seconds. Heuristics suck... */
+
+       if (!domain->check_online_event) {
+               /* If we've come from being globally offline we
+                  don't have a check online event handler set.
+                  We need to add one now we're trying to go
+                  back online. */
+
+               DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
+                       domain->name ));
+
+               domain->check_online_event = event_add_timed(winbind_event_context(),
+                                                               NULL,
+                                                               timeval_current_ofs(5, 0),
+                                                               "check_domain_online_handler",
+                                                               check_domain_online_handler,
+                                                               domain);
+
+               /* The above *has* to succeed for winbindd to work. */
+               if (!domain->check_online_event) {
+                       smb_panic("set_domain_online_request: failed to add online handler");
+               }
+       }
+
+       GetTimeOfDay(&tev);
+
+       /* Go into "startup" mode again. */
+       domain->startup_time = tev.tv_sec;
+       domain->startup = True;
 
-static NTSTATUS get_connection_from_cache(struct winbindd_domain *domain,
-                                         const char *pipe_name,
-                                         struct winbindd_cm_conn **conn_out);
+       tev.tv_sec += 5;
+
+       set_event_dispatch_time(winbind_event_context(), "check_domain_online_handler", tev);
+}
+
+/****************************************************************
+ Add -ve connection cache entries for domain and realm.
+****************************************************************/
+
+void winbind_add_failed_connection_entry(const struct winbindd_domain *domain,
+                                       const char *server,
+                                       NTSTATUS result)
+{
+       add_failed_connection_entry(domain->name, server, result);
+       /* If this was the saf name for the last thing we talked to,
+          remove it. */
+       saf_delete(domain->name);
+       if (*domain->alt_name) {
+               add_failed_connection_entry(domain->alt_name, server, result);
+               saf_delete(domain->alt_name);
+       }
+}
 
 /* Choose between anonymous or authenticated connections.  We need to use
    an authenticated connection if DCs have the RestrictAnonymous registry
@@ -90,9 +532,9 @@ static NTSTATUS get_connection_from_cache(struct winbindd_domain *domain,
 
 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
 {
-       *username = secrets_fetch(SECRETS_AUTH_USER, NULL);
-       *domain = secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
-       *password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
+       *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
+       *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
+       *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
        
        if (*username && **username) {
 
@@ -113,90 +555,76 @@ static void cm_get_ipc_userpass(char **username, char **domain, char **password)
        }
 }
 
-/*
-  setup for schannel on any pipes opened on this connection
-*/
-static NTSTATUS setup_schannel( struct cli_state *cli, const char *domain )
-{
-       NTSTATUS ret;
-       uchar trust_password[16];
-       uint32 sec_channel_type;
-       DOM_SID sid;
-       time_t lct;
-
-       /* use the domain trust password if we're on a DC 
-          and this is not our domain */
-       
-       if ( IS_DC && !strequal(domain, lp_workgroup()) ) {
-               char *pass = NULL;
-               
-               if ( !secrets_fetch_trusted_domain_password( domain, 
-                       &pass, &sid, &lct) )
-               {
-                       return NT_STATUS_UNSUCCESSFUL;
-               }       
-
-               sec_channel_type = SEC_CHAN_DOMAIN;
-               E_md4hash(pass, trust_password);
-               SAFE_FREE( pass );
-               
-       } else {
-               if (!secrets_fetch_trust_account_password(lp_workgroup(),
-                       trust_password, NULL, &sec_channel_type)) 
-               {
-                       return NT_STATUS_UNSUCCESSFUL;
-               }
-       }
-
-       ret = cli_nt_setup_netsec(cli, sec_channel_type, 
-               AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN, trust_password);
-
-       return ret;
-}
-
 static BOOL get_dc_name_via_netlogon(const struct winbindd_domain *domain,
                                     fstring dcname, struct in_addr *dc_ip)
 {
-       struct winbindd_domain *our_domain;
+       struct winbindd_domain *our_domain = NULL;
+       struct rpc_pipe_client *netlogon_pipe = NULL;
        NTSTATUS result;
-       struct winbindd_cm_conn *conn;
+       WERROR werr;
        TALLOC_CTX *mem_ctx;
-
+       unsigned int orig_timeout;
        fstring tmp;
        char *p;
 
-       if (IS_DC)
-               return False;
+       /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
+        * moment.... */
 
-       if (domain->primary)
+       if (IS_DC) {
                return False;
+       }
 
-       if ((our_domain = find_our_domain()) == NULL)
+       if (domain->primary) {
                return False;
+       }
 
-       result = get_connection_from_cache(our_domain, PIPE_NETLOGON, &conn);
-       if (!NT_STATUS_IS_OK(result))
+       our_domain = find_our_domain();
+
+       if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
                return False;
+       }
 
-       if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL)
+       result = cm_connect_netlogon(our_domain, &netlogon_pipe);
+       if (!NT_STATUS_IS_OK(result)) {
+               talloc_destroy(mem_ctx);
                return False;
+       }
+
+       /* This call can take a long time - allow the server to time out.
+          35 seconds should do it. */
+
+       orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000);
+       
+       werr = rpccli_netlogon_getanydcname(netlogon_pipe, mem_ctx, our_domain->dcname,
+                                           domain->name, tmp);
 
-       result = cli_netlogon_getdcname(conn->cli, mem_ctx, domain->name, tmp);
+       /* And restore our original timeout. */
+       cli_set_timeout(netlogon_pipe->cli, orig_timeout);
 
        talloc_destroy(mem_ctx);
 
-       if (!NT_STATUS_IS_OK(result))
+       if (!W_ERROR_IS_OK(werr)) {
+               DEBUG(10, ("rpccli_netlogon_getanydcname failed: %s\n",
+                          dos_errstr(werr)));
                return False;
+       }
 
-       /* cli_netlogon_getdcname gives us a name with \\ */
+       /* cli_netlogon_getanydcname gives us a name with \\ */
        p = tmp;
-       if (*p == '\\') p+=1;
-       if (*p == '\\') p+=1;
+       if (*p == '\\') {
+               p+=1;
+       }
+       if (*p == '\\') {
+               p+=1;
+       }
 
        fstrcpy(dcname, p);
 
-       if (!resolve_name(dcname, dc_ip, 0x20))
+       DEBUG(10, ("rpccli_netlogon_getanydcname returned %s\n", dcname));
+
+       if (!resolve_name(dcname, dc_ip, 0x20)) {
                return False;
+       }
 
        return True;
 }
@@ -208,16 +636,14 @@ static BOOL get_dc_name_via_netlogon(const struct winbindd_domain *domain,
 
 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                                      const int sockfd,
-                                     const int pipe_index,
                                      const char *controller,
                                      struct cli_state **cli,
                                      BOOL *retry)
 {
-       char *machine_password, *machine_krb5_principal;
+       char *machine_password, *machine_krb5_principal, *machine_account;
        char *ipc_username, *ipc_domain, *ipc_password;
 
        BOOL got_mutex;
-       BOOL add_failed_connection = True;
 
        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 
@@ -226,11 +652,20 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
        struct sockaddr_in *peeraddr_in = (struct sockaddr_in *)&peeraddr;
 
+       DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
+               controller, domain->name ));
+
        machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL,
                                                          NULL);
        
+       if (asprintf(&machine_account, "%s$", global_myname()) == -1) {
+               SAFE_FREE(machine_password);
+               return NT_STATUS_NO_MEMORY;
+       }
+
        if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(),
                     lp_realm()) == -1) {
+               SAFE_FREE(machine_account);
                SAFE_FREE(machine_password);
                return NT_STATUS_NO_MEMORY;
        }
@@ -243,13 +678,13 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                                        WINBIND_SERVER_MUTEX_WAIT_TIME);
 
        if (!got_mutex) {
-               DEBUG(0,("cm_open_connection: mutex grab failed for %s\n",
+               DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
                         controller));
                result = NT_STATUS_POSSIBLE_DEADLOCK;
                goto done;
        }
 
-       if ((*cli = cli_initialise(NULL)) == NULL) {
+       if ((*cli = cli_initialise()) == NULL) {
                DEBUG(1, ("Could not cli_initialize\n"));
                result = NT_STATUS_NO_MEMORY;
                goto done;
@@ -267,6 +702,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
            (peeraddr_in->sin_family != PF_INET))
        {
                DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
+               result = NT_STATUS_UNSUCCESSFUL;
                goto done;
        }
 
@@ -280,6 +716,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                if (!cli_session_request(*cli, &calling, &called)) {
                        DEBUG(8, ("cli_session_request failed for %s\n",
                                  controller));
+                       result = NT_STATUS_UNSUCCESSFUL;
                        goto done;
                }
        }
@@ -288,37 +725,64 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
        if (!cli_negprot(*cli)) {
                DEBUG(1, ("cli_negprot failed\n"));
-               cli_shutdown(*cli);
+               result = NT_STATUS_UNSUCCESSFUL;
                goto done;
        }
-
-       /* Krb5 session */
                        
-       if ((lp_security() == SEC_ADS) 
-           && ((*cli)->protocol >= PROTOCOL_NT1 &&
-               (*cli)->capabilities & CAP_EXTENDED_SECURITY)) {
-
+       if ((*cli)->protocol >= PROTOCOL_NT1 && (*cli)->capabilities & CAP_EXTENDED_SECURITY) {
                ADS_STATUS ads_status;
-               (*cli)->use_kerberos = True;
-               DEBUG(5, ("connecting to %s from %s with kerberos principal "
-                         "[%s]\n", controller, global_myname(),
-                         machine_krb5_principal));
+
+               if (lp_security() == SEC_ADS) {
+
+                       /* Try a krb5 session */
+
+                       (*cli)->use_kerberos = True;
+                       DEBUG(5, ("connecting to %s from %s with kerberos principal "
+                                 "[%s]\n", controller, global_myname(),
+                                 machine_krb5_principal));
+
+                       ads_status = cli_session_setup_spnego(*cli,
+                                                             machine_krb5_principal, 
+                                                             machine_password, 
+                                                             lp_workgroup());
+
+                       if (!ADS_ERR_OK(ads_status)) {
+                               DEBUG(4,("failed kerberos session setup with %s\n",
+                                        ads_errstr(ads_status)));
+                       }
+
+                       result = ads_ntstatus(ads_status);
+                       if (NT_STATUS_IS_OK(result)) {
+                               /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
+                               cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+                               goto session_setup_done;
+                       }
+               }
+
+               /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
+               (*cli)->use_kerberos = False;
+
+               DEBUG(5, ("connecting to %s from %s with username "
+                         "[%s]\\[%s]\n",  controller, global_myname(),
+                         lp_workgroup(), machine_account));
 
                ads_status = cli_session_setup_spnego(*cli,
-                                                     machine_krb5_principal
+                                                     machine_account
                                                      machine_password, 
                                                      lp_workgroup());
-
-               if (!ADS_ERR_OK(ads_status))
-                       DEBUG(4,("failed kerberos session setup with %s\n",
-                                ads_errstr(ads_status)));
+               if (!ADS_ERR_OK(ads_status)) {
+                       DEBUG(4, ("authenticated session setup failed with %s\n",
+                               ads_errstr(ads_status)));
+               }
 
                result = ads_ntstatus(ads_status);
+               if (NT_STATUS_IS_OK(result)) {
+                       /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
+                       cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+                       goto session_setup_done;
+               }
        }
 
-       if (NT_STATUS_IS_OK(result))
-               goto session_setup_done;
-
        /* Fall back to non-kerberos session setup */
 
        (*cli)->use_kerberos = False;
@@ -332,19 +796,26 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                          "[%s]\\[%s]\n",  controller, global_myname(),
                          ipc_domain, ipc_username));
 
-               if (cli_session_setup(*cli, ipc_username,
-                                     ipc_password, strlen(ipc_password)+1,
-                                     ipc_password, strlen(ipc_password)+1,
-                                     ipc_domain)) {
-                       DEBUG(5, ("authenticated session setup failed\n"));
+               if (NT_STATUS_IS_OK(cli_session_setup(
+                                           *cli, ipc_username,
+                                           ipc_password, strlen(ipc_password)+1,
+                                           ipc_password, strlen(ipc_password)+1,
+                                           ipc_domain))) {
+                       /* Successful logon with given username. */
+                       cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
                        goto session_setup_done;
+               } else {
+                       DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
+                               ipc_domain, ipc_username ));
                }
        }
 
        /* Fall back to anonymous connection, this might fail later */
 
-       if (cli_session_setup(*cli, "", NULL, 0, NULL, 0, "")) {
+       if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
+                                             NULL, 0, ""))) {
                DEBUG(5, ("Connected anonymously\n"));
+               cli_init_creds(*cli, "", "", "");
                goto session_setup_done;
        }
 
@@ -359,6 +830,13 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
  session_setup_done:
 
+       /* cache the server name for later connections */
+
+       saf_store( domain->name, (*cli)->desthost );
+       if (domain->alt_name && (*cli)->use_kerberos) {
+               saf_store( domain->alt_name, (*cli)->desthost );
+       }
+
        if (!cli_send_tconX(*cli, "IPC$", "IPC", "", 0)) {
 
                result = cli_nt_error(*cli);
@@ -368,7 +846,6 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                if (NT_STATUS_IS_OK(result))
                        result = NT_STATUS_UNSUCCESSFUL;
 
-               cli_shutdown(*cli);
                goto done;
        }
 
@@ -376,64 +853,44 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
        got_mutex = False;
        *retry = False;
 
-       /* Windows 2003 SP1 does not lie LsaOpenPolicy() over schannel.
-          Returns RPC_NT_CANNOT_SUPPPORT (0xc0020041) for that call.
-          So just drop it on the lsarpc pipe */
-
-       if ( (domain->primary || IS_DC) && (pipe_index!=PI_LSARPC) ) {
-               NTSTATUS status = setup_schannel( *cli, domain->name );
-               if (!NT_STATUS_IS_OK(status)) {
-                       DEBUG(3,("schannel refused - continuing without "
-                                "schannel (%s)\n", nt_errstr(status)));
-               }
-       }
-
        /* set the domain if empty; needed for schannel connections */
-       if ( !*(*cli)->domain )
+       if ( !*(*cli)->domain ) {
                fstrcpy( (*cli)->domain, domain->name );
-
-       if ( !cli_nt_session_open (*cli, pipe_index) ) {
-
-               result = NT_STATUS_PIPE_NOT_AVAILABLE;
-
-               /* This might be a NT4 DC */
-               if ( is_win2k_pipe(pipe_index) )
-                       add_failed_connection = False;
-
-               cli_shutdown(*cli);
-               goto done;
        }
 
        result = NT_STATUS_OK;
-       add_failed_connection = False;
 
  done:
-       if (got_mutex)
+       if (got_mutex) {
                secrets_named_mutex_release(controller);
+       }
 
+       SAFE_FREE(machine_account);
        SAFE_FREE(machine_password);
        SAFE_FREE(machine_krb5_principal);
        SAFE_FREE(ipc_username);
        SAFE_FREE(ipc_domain);
        SAFE_FREE(ipc_password);
 
-       if (add_failed_connection)
-               add_failed_connection_entry(domain->name, controller, result);
+       if (!NT_STATUS_IS_OK(result)) {
+               winbind_add_failed_connection_entry(domain, controller, result);
+               if ((*cli) != NULL) {
+                       cli_shutdown(*cli);
+                       *cli = NULL;
+               }
+       }
 
        return result;
 }
 
-struct dc_name_ip {
-       fstring name;
-       struct in_addr ip;
-};
-
 static BOOL add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
                              const char *dcname, struct in_addr ip,
                              struct dc_name_ip **dcs, int *num)
 {
-       if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname)))
+       if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
+               DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
                return False;
+       }
 
        *dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
 
@@ -452,8 +909,10 @@ static BOOL add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
 {
        *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_in, (*num)+1);
 
-       if (*addrs == NULL)
+       if (*addrs == NULL) {
+               *num = 0;
                return False;
+       }
 
        (*addrs)[*num].sin_family = PF_INET;
        putip((char *)&((*addrs)[*num].sin_addr), (char *)&ip);
@@ -463,53 +922,209 @@ static BOOL add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
        return True;
 }
 
+static void mailslot_name(struct in_addr dc_ip, fstring name)
+{
+       fstr_sprintf(name, "\\MAILSLOT\\NET\\GETDC%X", dc_ip.s_addr);
+}
+
+static BOOL send_getdc_request(struct in_addr dc_ip,
+                              const char *domain_name,
+                              const DOM_SID *sid)
+{
+       pstring outbuf;
+       char *p;
+       fstring my_acct_name;
+       fstring my_mailslot;
+
+       mailslot_name(dc_ip, my_mailslot);
+
+       memset(outbuf, '\0', sizeof(outbuf));
+
+       p = outbuf;
+
+       SCVAL(p, 0, SAMLOGON);
+       p++;
+
+       SCVAL(p, 0, 0); /* Count pointer ... */
+       p++;
+
+       SIVAL(p, 0, 0); /* The sender's token ... */
+       p += 2;
+
+       p += dos_PutUniCode(p, global_myname(), sizeof(pstring), True);
+       fstr_sprintf(my_acct_name, "%s$", global_myname());
+       p += dos_PutUniCode(p, my_acct_name, sizeof(pstring), True);
+
+       memcpy(p, my_mailslot, strlen(my_mailslot)+1);
+       p += strlen(my_mailslot)+1;
+
+       SIVAL(p, 0, 0x80);
+       p+=4;
+
+       SIVAL(p, 0, sid_size(sid));
+       p+=4;
+
+       p = ALIGN4(p, outbuf);
+
+       sid_linearize(p, sid_size(sid), sid);
+       p += sid_size(sid);
+
+       SIVAL(p, 0, 1);
+       SSVAL(p, 4, 0xffff);
+       SSVAL(p, 6, 0xffff);
+       p+=8;
+
+       return cli_send_mailslot(winbind_messaging_context(),
+                                False, "\\MAILSLOT\\NET\\NTLOGON", 0,
+                                outbuf, PTR_DIFF(p, outbuf),
+                                global_myname(), 0, domain_name, 0x1c,
+                                dc_ip);
+}
+
+static BOOL receive_getdc_response(struct in_addr dc_ip,
+                                  const char *domain_name,
+                                  fstring dc_name)
+{
+       struct packet_struct *packet;
+       fstring my_mailslot;
+       char *buf, *p;
+       fstring dcname, user, domain;
+       int len;
+
+       mailslot_name(dc_ip, my_mailslot);
+
+       packet = receive_unexpected(DGRAM_PACKET, 0, my_mailslot);
+
+       if (packet == NULL) {
+               DEBUG(5, ("Did not receive packet for %s\n", my_mailslot));
+               return False;
+       }
+
+       DEBUG(5, ("Received packet for %s\n", my_mailslot));
+
+       buf = packet->packet.dgram.data;
+       len = packet->packet.dgram.datasize;
+
+       if (len < 70) {
+               /* 70 is a completely arbitrary value to make sure
+                  the SVAL below does not read uninitialized memory */
+               DEBUG(3, ("GetDC got short response\n"));
+               return False;
+       }
+
+       /* This should be (buf-4)+SVAL(buf-4, smb_vwv12)... */
+       p = buf+SVAL(buf, smb_vwv10);
+
+       if (CVAL(p,0) != SAMLOGON_R) {
+               DEBUG(8, ("GetDC got invalid response type %d\n", CVAL(p, 0)));
+               return False;
+       }
+
+       p+=2;
+       pull_ucs2(buf, dcname, p, sizeof(dcname), PTR_DIFF(buf+len, p),
+                 STR_TERMINATE|STR_NOALIGN);
+       p = skip_unibuf(p, PTR_DIFF(buf+len, p));
+       pull_ucs2(buf, user, p, sizeof(dcname), PTR_DIFF(buf+len, p),
+                 STR_TERMINATE|STR_NOALIGN);
+       p = skip_unibuf(p, PTR_DIFF(buf+len, p));
+       pull_ucs2(buf, domain, p, sizeof(dcname), PTR_DIFF(buf+len, p),
+                 STR_TERMINATE|STR_NOALIGN);
+       p = skip_unibuf(p, PTR_DIFF(buf+len, p));
+
+       if (!strequal(domain, domain_name)) {
+               DEBUG(3, ("GetDC: Expected domain %s, got %s\n",
+                         domain_name, domain));
+               return False;
+       }
+
+       p = dcname;
+       if (*p == '\\') p += 1;
+       if (*p == '\\') p += 1;
+
+       fstrcpy(dc_name, p);
+
+       DEBUG(10, ("GetDC gave name %s for domain %s\n",
+                  dc_name, domain));
+
+       return True;
+}
+
 /*******************************************************************
  convert an ip to a name
 *******************************************************************/
 
-static void dcip_to_name( const char *domainname, const char *realm, struct in_addr ip, fstring name )
+static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip, fstring name )
 {
-       /* try node status request first */
-
-       if ( name_status_find(domainname, 0x1c, 0x20, ip, name) )
-               return;
-
-       /* backup in case the ads stuff fails */
+       struct ip_service ip_list;
 
-       fstrcpy( name, inet_ntoa(ip) );
+       ip_list.ip = ip;
+       ip_list.port = 0;
 
 #ifdef WITH_ADS
-       /* for active directory servers, try to get the ldap server name.
-          None of these failure should be considered critical for now */
+       /* For active directory servers, try to get the ldap server name.
+          None of these failures should be considered critical for now */
 
-       if ( lp_security() == SEC_ADS ) 
-       {
+       if (lp_security() == SEC_ADS) {
                ADS_STRUCT *ads;
-               ADS_STATUS status;
 
-               ads = ads_init( realm, domainname, NULL );
+               ads = ads_init(domain->alt_name, domain->name, NULL);
                ads->auth.flags |= ADS_AUTH_NO_BIND;
 
-               if ( !ads_try_connect( ads, inet_ntoa(ip), LDAP_PORT ) )  {
-                       ads_destroy( &ads );
-                       return;
-               }
+               if (ads_try_connect( ads, inet_ntoa(ip) ) )  {
+                       /* We got a cldap packet. */
+                       fstrcpy(name, ads->config.ldap_server_name);
+                       namecache_store(name, 0x20, 1, &ip_list);
+
+                       DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
+
+                       if (domain->primary && (ads->config.flags & ADS_KDC) && ads_closest_dc(ads)) {
+                               char *sitename = sitename_fetch(ads->config.realm);
+
+                               /* We're going to use this KDC for this realm/domain.
+                                  If we are using sites, then force the krb5 libs
+                                  to use this KDC. */
+
+                               create_local_private_krb5_conf_for_domain(domain->alt_name,
+                                                               domain->name,
+                                                               sitename,
+                                                               ip);
+
+                               SAFE_FREE(sitename);
+                               /* Ensure we contact this DC also. */
+                               saf_store( domain->name, name);
+                               saf_store( domain->alt_name, name);
+                       }
 
-               status = ads_server_info(ads);
-               if ( !ADS_ERR_OK(status) ) {
                        ads_destroy( &ads );
-                       return;
+                       return True;
                }
 
-               fstrcpy(name, ads->config.ldap_server_name);
-
                ads_destroy( &ads );
        }
 #endif
 
-       return;
-}
+       /* try GETDC requests next */
+       
+       if (send_getdc_request(ip, domain->name, &domain->sid)) {
+               int i;
+               smb_msleep(100);
+               for (i=0; i<5; i++) {
+                       if (receive_getdc_response(ip, domain->name, name)) {
+                               namecache_store(name, 0x20, 1, &ip_list);
+                               return True;
+                       }
+                       smb_msleep(500);
+               }
+       }
 
+       /* try node status request */
+
+       if ( name_status_find(domain->name, 0x1c, 0x20, ip, name) ) {
+               namecache_store(name, 0x20, 1, &ip_list);
+               return True;
+       }
+       return False;
+}
 
 /*******************************************************************
  Retreive a list of IP address for domain controllers.  Fill in 
@@ -525,7 +1140,7 @@ static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
        int     iplist_size = 0;
        int     i;
        BOOL    is_our_domain;
-
+       enum security_types sec = (enum security_types)lp_security();
 
        is_our_domain = strequal(domain->name, lp_workgroup());
 
@@ -533,25 +1148,57 @@ static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
                && get_dc_name_via_netlogon(domain, dcname, &ip) 
                && add_one_dc_unique(mem_ctx, domain->name, dcname, ip, dcs, num_dcs) )
        {
+               DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
+                          dcname, inet_ntoa(ip)));
                return True;
        }
 
-       if ( is_our_domain 
-               && must_use_pdc(domain->name) 
-               && get_pdc_ip(domain->name, &ip)) 
-       {
-               if (add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip), ip, dcs, num_dcs)) 
-                       return True;
-       }
+       if (sec == SEC_ADS) {
+               char *sitename = NULL;
+
+               /* We need to make sure we know the local site before
+                  doing any DNS queries, as this will restrict the
+                  get_sorted_dc_list() call below to only fetching
+                  DNS records for the correct site. */
 
-       /* try standard netbios queries first */
+               /* Find any DC to get the site record.
+                  We deliberately don't care about the
+                  return here. */
 
-       get_sorted_dc_list(domain->name, &ip_list, &iplist_size, False);
+               get_dc_name(domain->name, domain->alt_name, dcname, &ip);
 
-       /* check for security = ads and use DNS if we can */
+               sitename = sitename_fetch(domain->alt_name);
+               if (sitename) {
 
-       if ( iplist_size==0 && lp_security() == SEC_ADS ) 
-               get_sorted_dc_list(domain->alt_name, &ip_list, &iplist_size, True);
+                       /* Do the site-specific AD dns lookup first. */
+                       get_sorted_dc_list(domain->alt_name, sitename, &ip_list, &iplist_size, True);
+
+                       for ( i=0; i<iplist_size; i++ ) {
+                               add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
+                                                       ip_list[i].ip, dcs, num_dcs);
+                       }
+
+                       SAFE_FREE(ip_list);
+                       SAFE_FREE(sitename);
+                       iplist_size = 0;
+               }
+
+               /* Now we add DCs from the main AD dns lookup. */
+               get_sorted_dc_list(domain->alt_name, NULL, &ip_list, &iplist_size, True);
+
+               for ( i=0; i<iplist_size; i++ ) {
+                       add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
+                                               ip_list[i].ip, dcs, num_dcs);
+               }
+        }
+
+       /* try standard netbios queries if no ADS */
+
+       if (iplist_size==0) {
+               get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size, False);
+       }
+
+       /* FIXME!! this is where we should re-insert the GETDC requests --jerry */
 
        /* now add to the dc array.  We'll wait until the last minute 
           to look up the name of the DC.  But we fill in the char* for 
@@ -582,29 +1229,45 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
 
        int i, fd_index;
 
+ again:
        if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
                return False;
 
        for (i=0; i<num_dcs; i++) {
 
-               add_string_to_array(mem_ctx, dcs[i].name,
-                                   &dcnames, &num_dcnames);
-               add_sockaddr_to_array(mem_ctx, dcs[i].ip, 445,
-                                     &addrs, &num_addrs);
+               if (!add_string_to_array(mem_ctx, dcs[i].name,
+                                   &dcnames, &num_dcnames)) {
+                       return False;
+               }
+               if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 445,
+                                     &addrs, &num_addrs)) {
+                       return False;
+               }
 
-               add_string_to_array(mem_ctx, dcs[i].name,
-                                   &dcnames, &num_dcnames);
-               add_sockaddr_to_array(mem_ctx, dcs[i].ip, 139,
-                                     &addrs, &num_addrs);
+               if (!add_string_to_array(mem_ctx, dcs[i].name,
+                                   &dcnames, &num_dcnames)) {
+                       return False;
+               }
+               if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 139,
+                                     &addrs, &num_addrs)) {
+                       return False;
+               }
        }
 
        if ((num_dcnames == 0) || (num_dcnames != num_addrs))
                return False;
 
-       if ( !open_any_socket_out(addrs, num_addrs, 10000, &fd_index, fd) ) 
+       if ((addrs == NULL) || (dcnames == NULL))
+               return False;
+
+       /* 5 second timeout. */
+       if ( !open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) 
        {
                for (i=0; i<num_dcs; i++) {
-                       add_failed_connection_entry(domain->name,
+                       DEBUG(10, ("find_new_dc: open_any_socket_out failed for "
+                               "domain %s address %s. Error was %s\n",
+                               domain->name, inet_ntoa(dcs[i].ip), strerror(errno) ));
+                       winbind_add_failed_connection_entry(domain,
                                dcs[i].name, NT_STATUS_UNSUCCESSFUL);
                }
                return False;
@@ -612,564 +1275,967 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
 
        *addr = addrs[fd_index];
 
-       /* if we have no name on the server or just an IP address for 
-          the name, now try to get the name */
-
-       if ( is_ipaddress(dcnames[fd_index]) || *dcnames[fd_index] == '\0' )
-               dcip_to_name( domain->name, domain->alt_name, addr->sin_addr, dcname );
-       else
+       if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
+               /* Ok, we've got a name for the DC */
                fstrcpy(dcname, dcnames[fd_index]);
+               return True;
+       }
 
-       return True;
+       /* Try to figure out the name */
+       if (dcip_to_name( domain, addr->sin_addr, dcname )) {
+               return True;
+       }
+
+       /* We can not continue without the DC's name */
+       winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
+                                   NT_STATUS_UNSUCCESSFUL);
+       goto again;
 }
 
 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
-                                  const int pipe_index,
                                   struct winbindd_cm_conn *new_conn)
 {
        TALLOC_CTX *mem_ctx;
        NTSTATUS result;
-
+       char *saf_servername = saf_fetch( domain->name );
        int retries;
 
-       if ((mem_ctx = talloc_init("cm_open_connection")) == NULL)
+       if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
+               SAFE_FREE(saf_servername);
+               set_domain_offline(domain);
                return NT_STATUS_NO_MEMORY;
+       }
+
+       /* we have to check the server affinity cache here since 
+          later we selecte a DC based on response time and not preference */
+          
+       /* Check the negative connection cache
+          before talking to it. It going down may have
+          triggered the reconnection. */
+
+       if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
+
+               DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
+                       saf_servername, domain->name ));
+
+               /* convert an ip address to a name */
+               if ( is_ipaddress( saf_servername ) ) {
+                       fstring saf_name;
+                       struct in_addr ip;
+
+                       ip = *interpret_addr2( saf_servername );
+                       if (dcip_to_name( domain, ip, saf_name )) {
+                               fstrcpy( domain->dcname, saf_name );
+                       } else {
+                               winbind_add_failed_connection_entry(
+                                       domain, saf_servername,
+                                       NT_STATUS_UNSUCCESSFUL);
+                       }
+               } else {
+                       fstrcpy( domain->dcname, saf_servername );
+               }
+
+               SAFE_FREE( saf_servername );
+       }
 
        for (retries = 0; retries < 3; retries++) {
 
                int fd = -1;
-               BOOL retry;
+               BOOL retry = False;
 
                result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
 
-               if ((strlen(domain->dcname) > 0) &&
-                   NT_STATUS_IS_OK(check_negative_conn_cache(domain->name,
-                                                             domain->dcname))) {
-                       int dummy;
-                       if (!open_any_socket_out(&domain->dcaddr, 1, 10000,
-                                                &dummy, &fd)) {
+               DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
+                       domain->dcname, domain->name ));
+
+               if (*domain->dcname 
+                       && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
+                       && (resolve_name(domain->dcname, &domain->dcaddr.sin_addr, 0x20)))
+               {
+                       struct sockaddr_in *addrs = NULL;
+                       int num_addrs = 0;
+                       int dummy = 0;
+
+                       if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 445, &addrs, &num_addrs)) {
+                               set_domain_offline(domain);
+                               talloc_destroy(mem_ctx);
+                               return NT_STATUS_NO_MEMORY;
+                       }
+                       if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 139, &addrs, &num_addrs)) {
+                               set_domain_offline(domain);
+                               talloc_destroy(mem_ctx);
+                               return NT_STATUS_NO_MEMORY;
+                       }
+
+                       /* 5 second timeout. */
+                       if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) {
                                fd = -1;
                        }
                }
 
-               if ((fd == -1) &&
-                   !find_new_dc(mem_ctx, domain, domain->dcname,
-                                &domain->dcaddr, &fd))
+               if ((fd == -1) 
+                       && !find_new_dc(mem_ctx, domain, domain->dcname, &domain->dcaddr, &fd))
+               {
+                       /* This is the one place where we will
+                          set the global winbindd offline state
+                          to true, if a "WINBINDD_OFFLINE" entry
+                          is found in the winbindd cache. */
+                       set_global_winbindd_state_offline();
                        break;
+               }
 
                new_conn->cli = NULL;
 
-               result = cm_prepare_connection(domain, fd, pipe_index,
-                                              domain->dcname,
-                                              &new_conn->cli, &retry);
-
-               if (NT_STATUS_IS_OK(result)) {
-                       fstrcpy(new_conn->domain, domain->name);
-                       /* Initialise SMB connection */
-                       fstrcpy(new_conn->pipe_name,
-                               get_pipe_name_from_index(pipe_index));
-                       break;
-               }
+               result = cm_prepare_connection(domain, fd, domain->dcname,
+                       &new_conn->cli, &retry);
 
                if (!retry)
                        break;
        }
 
+       if (NT_STATUS_IS_OK(result)) {
+               if (domain->online == False) {
+                       /* We're changing state from offline to online. */
+                       set_global_winbindd_state_online();
+               }
+               set_domain_online(domain);
+       } else {
+               /* Ensure we setup the retry handler. */
+               set_domain_offline(domain);
+       }
+
        talloc_destroy(mem_ctx);
        return result;
 }
 
-/************************************************************************
- Wrapper around statuc cm_open_connection to retreive a freshly
- setup cli_state struct
-************************************************************************/
+/* Close down all open pipes on a connection. */
 
-NTSTATUS cm_fresh_connection(struct winbindd_domain *domain, const int pipe_index,
-                              struct cli_state **cli)
+void invalidate_cm_connection(struct winbindd_cm_conn *conn)
 {
-       NTSTATUS result;
-       struct winbindd_cm_conn conn;
-       
-       result = cm_open_connection( domain, pipe_index, &conn );
-       
-       if ( NT_STATUS_IS_OK(result) ) 
-               *cli = conn.cli;
+       /* We're closing down a possibly dead
+          connection. Don't have impossibly long (10s) timeouts. */
 
-       return result;
+       if (conn->cli) {
+               cli_set_timeout(conn->cli, 1000); /* 1 second. */
+       }
+
+       if (conn->samr_pipe != NULL) {
+               if (!cli_rpc_pipe_close(conn->samr_pipe)) {
+                       /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+                       if (conn->cli) {
+                               cli_set_timeout(conn->cli, 500);
+                       }
+               }
+               conn->samr_pipe = NULL;
+       }
+
+       if (conn->lsa_pipe != NULL) {
+               if (!cli_rpc_pipe_close(conn->lsa_pipe)) {
+                       /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+                       if (conn->cli) {
+                               cli_set_timeout(conn->cli, 500);
+                       }
+               }
+               conn->lsa_pipe = NULL;
+       }
+
+       if (conn->netlogon_pipe != NULL) {
+               if (!cli_rpc_pipe_close(conn->netlogon_pipe)) {
+                       /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+                       if (conn->cli) {
+                               cli_set_timeout(conn->cli, 500);
+                       }
+               }
+               conn->netlogon_pipe = NULL;
+       }
+
+       if (conn->cli) {
+               cli_shutdown(conn->cli);
+       }
+
+       conn->cli = NULL;
 }
 
-/* Return true if a connection is still alive */
+void close_conns_after_fork(void)
+{
+       struct winbindd_domain *domain;
+
+       for (domain = domain_list(); domain; domain = domain->next) {
+               if (domain->conn.cli == NULL)
+                       continue;
 
-static BOOL connection_ok(struct winbindd_cm_conn *conn)
+               if (domain->conn.cli->fd == -1)
+                       continue;
+
+               close(domain->conn.cli->fd);
+               domain->conn.cli->fd = -1;
+       }
+}
+
+static BOOL connection_ok(struct winbindd_domain *domain)
 {
-       if (!conn) {
-               smb_panic("Invalid parameter passed to connection_ok():  conn was NULL!\n");
+       if (domain->conn.cli == NULL) {
+               DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
+                         "cli!\n", domain->dcname, domain->name));
                return False;
        }
 
-       if (!conn->cli) {
-               DEBUG(3, ("Connection to %s for domain %s (pipe %s) has NULL conn->cli!\n", 
-                         conn->controller, conn->domain, conn->pipe_name));
+       if (!domain->conn.cli->initialised) {
+               DEBUG(3, ("connection_ok: Connection to %s for domain %s was never "
+                         "initialised!\n", domain->dcname, domain->name));
                return False;
        }
 
-       if (!conn->cli->initialised) {
-               DEBUG(3, ("Connection to %s for domain %s (pipe %s) was never initialised!\n", 
-                         conn->controller, conn->domain, conn->pipe_name));
+       if (domain->conn.cli->fd == -1) {
+               DEBUG(3, ("connection_ok: Connection to %s for domain %s has died or was "
+                         "never started (fd == -1)\n", 
+                         domain->dcname, domain->name));
                return False;
        }
 
-       if (conn->cli->fd == -1) {
-               DEBUG(3, ("Connection to %s for domain %s (pipe %s) has died or was never started (fd == -1)\n", 
-                         conn->controller, conn->domain, conn->pipe_name));
+       if (domain->online == False) {
+               DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
                return False;
        }
-       
+
        return True;
 }
 
-/* Search the cache for a connection. If there is a broken one,
-   shut it down properly and return NULL. */
+/* Initialize a new connection up to the RPC BIND.
+   Bypass online status check so always does network calls. */
 
-static void find_cm_connection(struct winbindd_domain *domain, const char *pipe_name,
-                              struct winbindd_cm_conn **conn_out) 
+static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
 {
-       struct winbindd_cm_conn *conn;
+       NTSTATUS result;
 
-       for (conn = cm_conns; conn; ) {
-               if (strequal(conn->domain, domain->name) && 
-                   strequal(conn->pipe_name, pipe_name)) {
-                       if (!connection_ok(conn)) {
-                               /* Dead connection - remove it. */
-                               struct winbindd_cm_conn *conn_temp = conn->next;
-                               if (conn->cli)
-                                       cli_shutdown(conn->cli);
-                               DLIST_REMOVE(cm_conns, conn);
-                               SAFE_FREE(conn);
-                               conn = conn_temp;  /* Keep the loop moving */
-                               continue;
-                       } else {
-                               break;
-                       }
+       /* Internal connections never use the network. */
+       if (domain->internal) {
+               domain->initialized = True;
+               return NT_STATUS_OK;
+       }
+
+       if (connection_ok(domain)) {
+               if (!domain->initialized) {
+                       set_dc_type_and_flags(domain);
                }
-               conn = conn->next;
+               return NT_STATUS_OK;
        }
 
-       *conn_out = conn;
-}
+       invalidate_cm_connection(&domain->conn);
 
-/* Initialize a new connection up to the RPC BIND. */
+       result = cm_open_connection(domain, &domain->conn);
 
-static NTSTATUS new_cm_connection(struct winbindd_domain *domain, const char *pipe_name,
-                                 struct winbindd_cm_conn **conn_out)
-{
-       struct winbindd_cm_conn *conn;
-       NTSTATUS result;
+       if (NT_STATUS_IS_OK(result) && !domain->initialized) {
+               set_dc_type_and_flags(domain);
+       }
 
-       if (!(conn = SMB_MALLOC_P(struct winbindd_cm_conn)))
-               return NT_STATUS_NO_MEMORY;
-               
-       ZERO_STRUCTP(conn);
-               
-       if (!NT_STATUS_IS_OK(result = cm_open_connection(domain, get_pipe_index(pipe_name), conn))) {
-               DEBUG(3, ("Could not open a connection to %s for %s (%s)\n", 
-                         domain->name, pipe_name, nt_errstr(result)));
-               SAFE_FREE(conn);
-               return result;
+       return result;
+}
+
+NTSTATUS init_dc_connection(struct winbindd_domain *domain)
+{
+       if (domain->initialized && !domain->online) {
+               /* We check for online status elsewhere. */
+               return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
        }
-       DLIST_ADD(cm_conns, conn);
 
-       *conn_out = conn;
-       return NT_STATUS_OK;
+       return init_dc_connection_network(domain);
 }
 
-/* Get a connection to the remote DC and open the pipe.  If there is already a connection, use that */
+/******************************************************************************
+ Set the trust flags (direction and forest location) for a domain
+******************************************************************************/
 
-static NTSTATUS get_connection_from_cache(struct winbindd_domain *domain, const char *pipe_name,
-                                         struct winbindd_cm_conn **conn_out)
+static BOOL set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
 {
-       find_cm_connection(domain, pipe_name, conn_out);
+       struct winbindd_domain *our_domain;
+       NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+       struct ds_domain_trust *domains = NULL;
+       int count = 0;
+       int i;
+       uint32 flags = (DS_DOMAIN_IN_FOREST | 
+                       DS_DOMAIN_DIRECT_OUTBOUND | 
+                       DS_DOMAIN_DIRECT_INBOUND);
+       struct rpc_pipe_client *cli;
+       TALLOC_CTX *mem_ctx = NULL;
+
+       DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
+       
+       /* Our primary domain doesn't need to worry about trust flags.
+          Force it to go through the network setup */
+       if ( domain->primary ) {                
+               return False;           
+       }
+       
+       our_domain = find_our_domain();
+       
+       if ( !connection_ok(our_domain) ) {
+               DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));           
+               return False;
+       }
 
-       if (*conn_out != NULL)
-               return NT_STATUS_OK;
+       /* This won't work unless our domain is AD */
+        
+       if ( !our_domain->active_directory ) {
+               return False;
+       }
+       
+       /* Use DsEnumerateDomainTrusts to get us the trust direction
+          and type */
+
+       result = cm_connect_netlogon(our_domain, &cli);
+
+       if (!NT_STATUS_IS_OK(result)) {
+               DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
+                         "a connection to %s for PIPE_NETLOGON (%s)\n", 
+                         domain->name, nt_errstr(result)));
+               return False;
+       }
+
+       if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
+               DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
+               return False;
+       }       
 
-       return new_cm_connection(domain, pipe_name, conn_out);
+       result = rpccli_ds_enum_domain_trusts(cli, mem_ctx,
+                                             cli->cli->desthost, 
+                                             flags, &domains,
+                                             (unsigned int *)&count);
+
+       /* Now find the domain name and get the flags */
+
+       for ( i=0; i<count; i++ ) {
+               if ( strequal( domain->name, domains[i].netbios_domain ) ) {                    
+                       domain->domain_flags          = domains[i].flags;
+                       domain->domain_type           = domains[i].trust_type;
+                       domain->domain_trust_attribs  = domains[i].trust_attributes;
+                                               
+                       if ( domain->domain_type == DS_DOMAIN_TRUST_TYPE_UPLEVEL )
+                               domain->active_directory = True;
+
+                       /* This flag is only set if the domain is *our* 
+                          primary domain and the primary domain is in
+                          native mode */
+
+                       domain->native_mode = (domain->domain_flags & DS_DOMAIN_NATIVE_MODE);
+
+                       DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
+                                 "native mode.\n", domain->name, 
+                                 domain->native_mode ? "" : "NOT "));
+
+                       DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
+                                "running active directory.\n", domain->name, 
+                                domain->active_directory ? "" : "NOT "));
+
+
+                       domain->initialized = True;
+
+                       if ( !winbindd_can_contact_domain( domain) )
+                               domain->internal = True;
+                       
+                       break;
+               }               
+       }
+       
+       talloc_destroy( mem_ctx );
+       
+       return domain->initialized;     
 }
 
-/**********************************************************************************
- We can 'sense' certain things about the DC by it's replies to certain questions.
+/******************************************************************************
+ We can 'sense' certain things about the DC by it's replies to certain
+ questions.
 
- This tells us if this particular remote server is Active Directory, and if it is
- native mode.
-**********************************************************************************/
+ This tells us if this particular remote server is Active Directory, and if it
is native mode.
+******************************************************************************/
 
-void set_dc_type_and_flags( struct winbindd_domain *domain )
+static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
 {
        NTSTATUS                result;
-       struct winbindd_cm_conn conn;
        DS_DOMINFO_CTR          ctr;
        TALLOC_CTX              *mem_ctx = NULL;
-       
-       ZERO_STRUCT( conn );
+       struct rpc_pipe_client  *cli;
+       POLICY_HND pol;
+
+       char *domain_name = NULL;
+       char *dns_name = NULL;
+       char *forest_name = NULL;       
+       DOM_SID *dom_sid = NULL;        
+
        ZERO_STRUCT( ctr );
        
-       domain->native_mode = False;
-       domain->active_directory = False;
+       if (!connection_ok(domain)) {
+               return;
+       }
 
-       if (domain->internal) {
-               domain->initialized = True;
+       DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
+
+       cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC_DS,
+                                      &result);
+
+       if (cli == NULL) {
+               DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
+                         "PI_LSARPC_DS on domain %s: (%s)\n",
+                         domain->name, nt_errstr(result)));
+
+               /* if this is just a non-AD domain we need to continue
+                * identifying so that we can in the end return with
+                * domain->initialized = True - gd */
+
+               goto no_lsarpc_ds;
+       }
+
+       result = rpccli_ds_getprimarydominfo(cli, cli->cli->mem_ctx,
+                                            DsRolePrimaryDomainInfoBasic,
+                                            &ctr);
+       cli_rpc_pipe_close(cli);
+
+       if (!NT_STATUS_IS_OK(result)) {
+               DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
+                         "on domain %s failed: (%s)\n",
+                         domain->name, nt_errstr(result)));
                return;
        }
        
-       if ( !NT_STATUS_IS_OK(result = cm_open_connection(domain, PI_LSARPC_DS, &conn)) ) {
-               DEBUG(5, ("set_dc_type_and_flags: Could not open a connection to %s for PIPE_LSARPC (%s)\n", 
+       if ((ctr.basic->flags & DSROLE_PRIMARY_DS_RUNNING) &&
+           !(ctr.basic->flags & DSROLE_PRIMARY_DS_MIXED_MODE)) {
+               domain->native_mode = True;
+       } else {
+               domain->native_mode = False;
+       }
+
+no_lsarpc_ds:
+       cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC, &result);
+
+       if (cli == NULL) {
+               DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
+                         "PI_LSARPC on domain %s: (%s)\n",
                          domain->name, nt_errstr(result)));
-               domain->initialized = True;
+               cli_rpc_pipe_close(cli);
                return;
        }
-       
-       if ( conn.cli ) {
-               if ( !NT_STATUS_IS_OK(cli_ds_getprimarydominfo( conn.cli, 
-                               conn.cli->mem_ctx, DsRolePrimaryDomainInfoBasic, &ctr)) ) {
-                       goto done;
-               }
+
+       mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
+                             domain->name);
+       if (!mem_ctx) {
+               DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
+               cli_rpc_pipe_close(cli);
+               return;
        }
-                               
-       if ( (ctr.basic->flags & DSROLE_PRIMARY_DS_RUNNING) 
-                       && !(ctr.basic->flags & DSROLE_PRIMARY_DS_MIXED_MODE) )
-               domain->native_mode = True;
 
-       /* Cheat - shut down the DS pipe, and open LSA */
+       result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
+                                        SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
+               
+       if (NT_STATUS_IS_OK(result)) {
+               /* This particular query is exactly what Win2k clients use 
+                  to determine that the DC is active directory */
+               result = rpccli_lsa_query_info_policy2(cli, mem_ctx, &pol,
+                                                      12, &domain_name,
+                                                      &dns_name, &forest_name,
+                                                      NULL, &dom_sid);
+       }
 
-       cli_nt_session_close(conn.cli);
+       if (NT_STATUS_IS_OK(result)) {
+               domain->active_directory = True;
 
-       if ( cli_nt_session_open (conn.cli, PI_LSARPC) ) {
-               char *domain_name = NULL;
-               char *dns_name = NULL;
-               DOM_SID *dom_sid = NULL;
+               if (domain_name)
+                       fstrcpy(domain->name, domain_name);
 
-               mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n", domain->name);
-               if (!mem_ctx) {
-                       DEBUG(1, ("set_dc_type_and_flags: talloc_init() failed\n"));
-                       return;
-               }
+               if (dns_name)
+                       fstrcpy(domain->alt_name, dns_name);
 
-               result = cli_lsa_open_policy2(conn.cli, mem_ctx, True, 
-                                             SEC_RIGHTS_MAXIMUM_ALLOWED,
-                                             &conn.pol);
-               
-               if (NT_STATUS_IS_OK(result)) {
-                       /* This particular query is exactly what Win2k clients use 
-                          to determine that the DC is active directory */
-                       result = cli_lsa_query_info_policy2(conn.cli, mem_ctx, 
-                                                           &conn.pol,
-                                                           12, &domain_name,
-                                                           &dns_name, NULL,
-                                                           NULL, &dom_sid);
-               }
+               if ( forest_name )
+                       fstrcpy(domain->forest_name, forest_name);              
 
+               if (dom_sid) 
+                       sid_copy(&domain->sid, dom_sid);
+       } else {
+               domain->active_directory = False;
+
+               result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
+                                               SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                               &pol);
+                       
+               if (!NT_STATUS_IS_OK(result))
+                       goto done;
+                       
+               result = rpccli_lsa_query_info_policy(cli, mem_ctx, 
+                                                     &pol, 5, &domain_name, 
+                                                     &dom_sid);
+                       
                if (NT_STATUS_IS_OK(result)) {
                        if (domain_name)
                                fstrcpy(domain->name, domain_name);
-                       
-                       if (dns_name)
-                               fstrcpy(domain->alt_name, dns_name);
 
                        if (dom_sid) 
                                sid_copy(&domain->sid, dom_sid);
-
-                       domain->active_directory = True;
-               } else {
-                       
-                       result = cli_lsa_open_policy(conn.cli, mem_ctx, True, 
-                                                    SEC_RIGHTS_MAXIMUM_ALLOWED,
-                                                    &conn.pol);
-                       
-                       if (!NT_STATUS_IS_OK(result))
-                               goto done;
-                       
-                       result = cli_lsa_query_info_policy(conn.cli, mem_ctx, 
-                                                          &conn.pol, 5, &domain_name, 
-                                                          &dom_sid);
-                       
-                       if (NT_STATUS_IS_OK(result)) {
-                               if (domain_name)
-                                       fstrcpy(domain->name, domain_name);
-                               
-                               if (dom_sid) 
-                                       sid_copy(&domain->sid, dom_sid);
-                       }
                }
        }
-       
 done:
-       
-       DEBUG(3,("add_trusted_domain: %s is an %s %s domain\n", domain->name,
-               domain->active_directory ? "ADS" : "NT4",
-               domain->native_mode ? "native mode" :
-               ((domain->active_directory && !domain->native_mode) ? "mixed mode" : "")));
 
-       /* close the connection;  no other calls use this pipe and it is called only
-          on reestablishing the domain list   --jerry */
-       
-       if ( conn.cli )
-               cli_shutdown( conn.cli );
+       DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
+                 domain->name, domain->native_mode ? "" : "NOT "));
+
+       DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
+                 domain->name, domain->active_directory ? "" : "NOT "));
+
+       cli_rpc_pipe_close(cli);
        
        talloc_destroy(mem_ctx);
 
        domain->initialized = True;
-       
+}
+
+/**********************************************************************
+ Set the domain_flags (trust attributes, domain operating modes, etc... 
+***********************************************************************/
+
+static void set_dc_type_and_flags( struct winbindd_domain *domain )
+{
+       /* we always have to contact our primary domain */
+
+       if ( domain->primary ) {
+               DEBUG(10,("set_dc_type_and_flags: setting up flags for "
+                         "primary domain\n"));
+               set_dc_type_and_flags_connect( domain );
+               return;         
+       }
+
+       /* Use our DC to get the information if possible */
+
+       if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
+               /* Otherwise, fallback to contacting the 
+                  domain directly */
+               set_dc_type_and_flags_connect( domain );
+       }
+
        return;
 }
 
 
 
-/* Return a LSA policy handle on a domain */
+/**********************************************************************
+***********************************************************************/
 
-NTSTATUS cm_get_lsa_handle(struct winbindd_domain *domain, CLI_POLICY_HND **return_hnd)
+static BOOL cm_get_schannel_dcinfo(struct winbindd_domain *domain,
+                                  struct dcinfo **ppdc)
 {
-       struct winbindd_cm_conn *conn;
-       uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
        NTSTATUS result;
-       static CLI_POLICY_HND hnd;
+       struct rpc_pipe_client *netlogon_pipe;
 
-       /* Look for existing connections */
+       if (lp_client_schannel() == False) {
+               return False;
+       }
 
-       if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_LSARPC, &conn)))
-               return result;
+       result = cm_connect_netlogon(domain, &netlogon_pipe);
+       if (!NT_STATUS_IS_OK(result)) {
+               return False;
+       }
 
-       /* This *shitty* code needs scrapping ! JRA */
-       
-       if (policy_handle_is_valid(&conn->pol)) {
-               hnd.pol = conn->pol;
-               hnd.cli = conn->cli;
-               *return_hnd = &hnd;
+       /* Return a pointer to the struct dcinfo from the
+          netlogon pipe. */
 
-               return NT_STATUS_OK;
-       }
-       
-       result = cli_lsa_open_policy(conn->cli, conn->cli->mem_ctx, False, 
-                                    des_access, &conn->pol);
+       *ppdc = domain->conn.netlogon_pipe->dc;
+       return True;
+}
 
+NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+                       struct rpc_pipe_client **cli, POLICY_HND *sam_handle)
+{
+       struct winbindd_cm_conn *conn;
+       NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+       fstring conn_pwd;
+       struct dcinfo *p_dcinfo;
+
+       result = init_dc_connection(domain);
        if (!NT_STATUS_IS_OK(result)) {
-               /* Hit the cache code again.  This cleans out the old connection and gets a new one */
-               if (conn->cli->fd == -1) { /* Try again, if the remote host disapeared */
-                       if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_LSARPC, &conn)))
-                               return result;
+               return result;
+       }
 
-                       result = cli_lsa_open_policy(conn->cli, conn->cli->mem_ctx, False, 
-                                                    des_access, &conn->pol);
-               }
+       conn = &domain->conn;
 
-               if (!NT_STATUS_IS_OK(result)) {
-                       cli_shutdown(conn->cli);
-                       DLIST_REMOVE(cm_conns, conn);
-                       SAFE_FREE(conn);
-                       return result;
-               }
-       }       
+       if (conn->samr_pipe != NULL) {
+               goto done;
+       }
 
-       hnd.pol = conn->pol;
-       hnd.cli = conn->cli;
+       /*
+        * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
+        * sign and sealed pipe using the machine account password by
+        * preference. If we can't - try schannel, if that fails, try
+        * anonymous.
+        */
+
+       pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
+       if ((conn->cli->user_name[0] == '\0') ||
+           (conn->cli->domain[0] == '\0') || 
+           (conn_pwd[0] == '\0')) {
+               DEBUG(10, ("cm_connect_sam: No no user available for "
+                          "domain %s, trying schannel\n", conn->cli->domain));
+               goto schannel;
+       }
 
-       *return_hnd = &hnd;
+       /* We have an authenticated connection. Use a NTLMSSP SPNEGO
+          authenticated SAMR pipe with sign & seal. */
+       conn->samr_pipe =
+               cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR,
+                                                PIPE_AUTH_LEVEL_PRIVACY,
+                                                conn->cli->domain,
+                                                conn->cli->user_name,
+                                                conn_pwd, &result);
+
+       if (conn->samr_pipe == NULL) {
+               DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
+                         "pipe for domain %s using NTLMSSP "
+                         "authenticated pipe: user %s\\%s. Error was "
+                         "%s\n", domain->name, conn->cli->domain,
+                         conn->cli->user_name, nt_errstr(result)));
+               goto schannel;
+       }
 
-       return NT_STATUS_OK;
-}
+       DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
+                 "domain %s using NTLMSSP authenticated "
+                 "pipe: user %s\\%s\n", domain->name,
+                 conn->cli->domain, conn->cli->user_name ));
 
-/* Return a SAM policy handle on a domain */
+       result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
+                                    SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                    &conn->sam_connect_handle);
+       if (NT_STATUS_IS_OK(result)) {
+               goto open_domain;
+       }
+       DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_connect "
+                 "failed for domain %s, error was %s. Trying schannel\n",
+                 domain->name, nt_errstr(result) ));
+       cli_rpc_pipe_close(conn->samr_pipe);
 
-NTSTATUS cm_get_sam_handle(struct winbindd_domain *domain, CLI_POLICY_HND **return_hnd)
-{ 
-       struct winbindd_cm_conn *conn;
-       uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
-       NTSTATUS result;
-       static CLI_POLICY_HND hnd;
+ schannel:
 
-       /* Look for existing connections */
+       /* Fall back to schannel if it's a W2K pre-SP1 box. */
 
-       if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_SAMR, &conn)))
-               return result;
-       
-       /* This *shitty* code needs scrapping ! JRA */
-       
-       if (policy_handle_is_valid(&conn->pol)) {
-               hnd.pol = conn->pol;
-               hnd.cli = conn->cli;
-               
-               *return_hnd = &hnd;
+       if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
+               /* If this call fails - conn->cli can now be NULL ! */
+               DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
+                          "for domain %s, trying anon\n", domain->name));
+               goto anonymous;
+       }
+       conn->samr_pipe = cli_rpc_pipe_open_schannel_with_key
+               (conn->cli, PI_SAMR, PIPE_AUTH_LEVEL_PRIVACY,
+                domain->name, p_dcinfo, &result);
+
+       if (conn->samr_pipe == NULL) {
+               DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
+                         "domain %s using schannel. Error was %s\n",
+                         domain->name, nt_errstr(result) ));
+               goto anonymous;
+       }
+       DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
+                 "schannel.\n", domain->name ));
+
+       result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
+                                    SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                    &conn->sam_connect_handle);
+       if (NT_STATUS_IS_OK(result)) {
+               goto open_domain;
+       }
+       DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_connect failed "
+                 "for domain %s, error was %s. Trying anonymous\n",
+                 domain->name, nt_errstr(result) ));
+       cli_rpc_pipe_close(conn->samr_pipe);
 
-               return NT_STATUS_OK;
+ anonymous:
+
+       /* Finally fall back to anonymous. */
+       conn->samr_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_SAMR,
+                                                  &result);
+
+       if (conn->samr_pipe == NULL) {
+               result = NT_STATUS_PIPE_NOT_AVAILABLE;
+               goto done;
        }
-       
-       result = cli_samr_connect(conn->cli, conn->cli->mem_ctx,
-                                 des_access, &conn->pol);
 
+       result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
+                                    SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                    &conn->sam_connect_handle);
        if (!NT_STATUS_IS_OK(result)) {
-               /* Hit the cache code again.  This cleans out the old connection and gets a new one */
-               if (conn->cli->fd == -1) { /* Try again, if the remote host disapeared */
-               
-                       if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_SAMR, &conn)))
-                               return result;
+               DEBUG(10,("cm_connect_sam: rpccli_samr_connect failed "
+                         "for domain %s Error was %s\n",
+                         domain->name, nt_errstr(result) ));
+               goto done;
+       }
 
-                       result = cli_samr_connect(conn->cli, conn->cli->mem_ctx,
-                                                 des_access, &conn->pol);
-               }
+ open_domain:
+       result = rpccli_samr_open_domain(conn->samr_pipe,
+                                        mem_ctx,
+                                        &conn->sam_connect_handle,
+                                        SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                        &domain->sid,
+                                        &conn->sam_domain_handle);
 
-               if (!NT_STATUS_IS_OK(result)) {
-               
-                       cli_shutdown(conn->cli);
-                       DLIST_REMOVE(cm_conns, conn);
-                       SAFE_FREE(conn);
-                       
-                       return result;
-               }
-       }       
-
-       hnd.pol = conn->pol;
-       hnd.cli = conn->cli;
+ done:
 
-       *return_hnd = &hnd;
+       if (!NT_STATUS_IS_OK(result)) {
+               invalidate_cm_connection(conn);
+               return result;
+       }
 
-       return NT_STATUS_OK;
+       *cli = conn->samr_pipe;
+       *sam_handle = conn->sam_domain_handle;
+       return result;
 }
 
-/* Get a handle on a netlogon pipe.  This is a bit of a hack to re-use the
-   netlogon pipe as no handle is returned. */
-
-NTSTATUS cm_get_netlogon_cli(struct winbindd_domain *domain, 
-                            const unsigned char *trust_passwd, 
-                            uint32 sec_channel_type,
-                            BOOL fresh,
-                            struct cli_state **cli)
+NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+                       struct rpc_pipe_client **cli, POLICY_HND *lsa_policy)
 {
-       NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
        struct winbindd_cm_conn *conn;
-       fstring lock_name;
-       BOOL got_mutex;
+       NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+       fstring conn_pwd;
+       struct dcinfo *p_dcinfo;
+
+       result = init_dc_connection(domain);
+       if (!NT_STATUS_IS_OK(result))
+               return result;
 
-       if (!cli)
-               return NT_STATUS_INVALID_PARAMETER;
+       conn = &domain->conn;
 
-       /* Open an initial conection - keep the mutex. */
+       if (conn->lsa_pipe != NULL) {
+               goto done;
+       }
 
-       find_cm_connection(domain, PIPE_NETLOGON, &conn);
+       pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
+       if ((conn->cli->user_name[0] == '\0') ||
+           (conn->cli->domain[0] == '\0') || 
+           (conn_pwd[0] == '\0')) {
+               DEBUG(10, ("cm_connect_lsa: No no user available for "
+                          "domain %s, trying schannel\n", conn->cli->domain));
+               goto schannel;
+       }
 
-       if ( fresh && (conn != NULL) ) {
-               cli_shutdown(conn->cli);
-               conn->cli = NULL;
+       /* We have an authenticated connection. Use a NTLMSSP SPNEGO
+        * authenticated LSA pipe with sign & seal. */
+       conn->lsa_pipe = cli_rpc_pipe_open_spnego_ntlmssp
+               (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
+                conn->cli->domain, conn->cli->user_name, conn_pwd, &result);
+
+       if (conn->lsa_pipe == NULL) {
+               DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
+                         "domain %s using NTLMSSP authenticated pipe: user "
+                         "%s\\%s. Error was %s. Trying schannel.\n",
+                         domain->name, conn->cli->domain,
+                         conn->cli->user_name, nt_errstr(result)));
+               goto schannel;
+       }
 
-               conn = NULL;
+       DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
+                 "NTLMSSP authenticated pipe: user %s\\%s\n",
+                 domain->name, conn->cli->domain, conn->cli->user_name ));
 
-               /* purge connection from cache */
-               find_cm_connection(domain, PIPE_NETLOGON, &conn);
-               if (conn != NULL) {
-                       DEBUG(0,("Could not purge connection\n"));
-                       return NT_STATUS_UNSUCCESSFUL;
-               }
+       result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
+                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                       &conn->lsa_policy);
+       if (NT_STATUS_IS_OK(result)) {
+               goto done;
        }
 
-       if (conn != NULL) {
-               *cli = conn->cli;
-               return NT_STATUS_OK;
+       DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
+                 "schannel\n"));
+
+       cli_rpc_pipe_close(conn->lsa_pipe);
+
+ schannel:
+
+       /* Fall back to schannel if it's a W2K pre-SP1 box. */
+
+       if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
+               /* If this call fails - conn->cli can now be NULL ! */
+               DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
+                          "for domain %s, trying anon\n", domain->name));
+               goto anonymous;
        }
+       conn->lsa_pipe = cli_rpc_pipe_open_schannel_with_key
+               (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
+                domain->name, p_dcinfo, &result);
+
+       if (conn->lsa_pipe == NULL) {
+               DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
+                         "domain %s using schannel. Error was %s\n",
+                         domain->name, nt_errstr(result) ));
+               goto anonymous;
+       }
+       DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
+                 "schannel.\n", domain->name ));
 
-       result = new_cm_connection(domain, PIPE_NETLOGON, &conn);
+       result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
+                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                       &conn->lsa_policy);
+       if (NT_STATUS_IS_OK(result)) {
+               goto done;
+       }
 
-       if (!NT_STATUS_IS_OK(result))
-               return result;
-       
-       fstr_sprintf(lock_name, "NETLOGON\\%s", conn->controller);
+       DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
+                 "anonymous\n"));
+
+       cli_rpc_pipe_close(conn->lsa_pipe);
 
-       if (!(got_mutex = secrets_named_mutex(lock_name, WINBIND_SERVER_MUTEX_WAIT_TIME))) {
-               DEBUG(0,("cm_get_netlogon_cli: mutex grab failed for %s\n", conn->controller));
+ anonymous:
+
+       conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_LSARPC,
+                                                 &result);
+       if (conn->lsa_pipe == NULL) {
+               result = NT_STATUS_PIPE_NOT_AVAILABLE;
+               goto done;
        }
-       
-       if ( sec_channel_type == SEC_CHAN_DOMAIN )
-               fstr_sprintf(conn->cli->mach_acct, "%s$", lp_workgroup());
-                       
-       /* This must be the remote domain (not ours) for schannel */
 
-       fstrcpy( conn->cli->domain, domain->name);
-       
-       result = cli_nt_establish_netlogon(conn->cli, sec_channel_type, trust_passwd);
-       
-       if (got_mutex)
-               secrets_named_mutex_release(lock_name);
-                               
+       result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
+                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                       &conn->lsa_policy);
+ done:
        if (!NT_STATUS_IS_OK(result)) {
-               cli_shutdown(conn->cli);
-               DLIST_REMOVE(cm_conns, conn);
-               SAFE_FREE(conn);
+               invalidate_cm_connection(conn);
                return result;
        }
 
-       *cli = conn->cli;
-
+       *cli = conn->lsa_pipe;
+       *lsa_policy = conn->lsa_policy;
        return result;
 }
 
-/* Dump the current connection status */
+/****************************************************************************
+ Open the netlogon pipe to this DC. Use schannel if specified in client conf.
+ session key stored in conn->netlogon_pipe->dc->sess_key.
+****************************************************************************/
 
-static void dump_conn_list(void)
+NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+                            struct rpc_pipe_client **cli)
 {
-       struct winbindd_cm_conn *con;
+       struct winbindd_cm_conn *conn;
+       NTSTATUS result;
 
-       DEBUG(0, ("\tDomain          Controller      Pipe\n"));
+       uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
+       uint8  mach_pwd[16];
+       uint32  sec_chan_type;
+       const char *account_name;
+       struct rpc_pipe_client *netlogon_pipe = NULL;
 
-       for(con = cm_conns; con; con = con->next) {
-               char *msg;
+       *cli = NULL;
 
-               /* Display pipe info */
-               
-               if (asprintf(&msg, "\t%-15s %-15s %-16s", con->domain, con->controller, con->pipe_name) < 0) {
-                       DEBUG(0, ("Error: not enough memory!\n"));
-               } else {
-                       DEBUG(0, ("%s\n", msg));
-                       SAFE_FREE(msg);
-               }
+       result = init_dc_connection(domain);
+       if (!NT_STATUS_IS_OK(result)) {
+               return result;
        }
-}
 
-void winbindd_cm_status(void)
-{
-       /* List open connections */
+       conn = &domain->conn;
 
-       DEBUG(0, ("winbindd connection manager status:\n"));
+       if (conn->netlogon_pipe != NULL) {
+               *cli = conn->netlogon_pipe;
+               return NT_STATUS_OK;
+       }
 
-       if (cm_conns)
-               dump_conn_list();
-       else
-               DEBUG(0, ("\tNo active connections\n"));
-}
+       if (domain->primary && !get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
+               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+       }
 
-/* Close all cached connections */
+       netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
+                                                &result);
+       if (netlogon_pipe == NULL) {
+               return result;
+       }
 
-void winbindd_cm_flush(void)
-{
-       struct winbindd_cm_conn *conn, tmp;
+       if ( !domain->primary ) {
+               /* Clear the schannel request bit and drop down */
+               neg_flags &= ~NETLOGON_NEG_SCHANNEL;            
+               goto no_schannel;
+       }
+       
+       if (lp_client_schannel() != False) {
+               neg_flags |= NETLOGON_NEG_SCHANNEL;
+       }
+
+       /* if we are a DC and this is a trusted domain, then we need to use our
+          domain name in the net_req_auth2() request */
+
+       if ( IS_DC
+               && !strequal(domain->name, lp_workgroup())
+               && lp_allow_trusted_domains() ) 
+       {
+               account_name = lp_workgroup();
+       } else {
+               account_name = domain->primary ?
+                       global_myname() : domain->name;
+       }
 
-       /* Flush connection cache */
+       if (account_name == NULL) {
+               cli_rpc_pipe_close(netlogon_pipe);
+               return NT_STATUS_NO_MEMORY;
+       }
 
-       for (conn = cm_conns; conn; conn = conn->next) {
+       result = rpccli_netlogon_setup_creds(
+                netlogon_pipe,
+                domain->dcname, /* server name. */
+                domain->name,   /* domain name */
+                global_myname(), /* client name */
+                account_name,   /* machine account */
+                mach_pwd,       /* machine password */
+                sec_chan_type,  /* from get_trust_pw */
+                &neg_flags);
 
-               if (!connection_ok(conn))
-                       continue;
+       if (!NT_STATUS_IS_OK(result)) {
+               cli_rpc_pipe_close(netlogon_pipe);
+               return result;
+       }
 
-               DEBUG(10, ("Closing connection to %s on %s\n",
-                       conn->pipe_name, conn->controller));
+       if ((lp_client_schannel() == True) &&
+                       ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+               DEBUG(3, ("Server did not offer schannel\n"));
+               cli_rpc_pipe_close(netlogon_pipe);
+               return NT_STATUS_ACCESS_DENIED;
+       }
 
-               if (conn->cli)
-                       cli_shutdown(conn->cli);
+ no_schannel:
+       if ((lp_client_schannel() == False) ||
+                       ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
 
-               tmp.next = conn->next;
+               /*
+                * NetSamLogonEx only works for schannel
+                */
+               domain->can_do_samlogon_ex = False;
 
-               DLIST_REMOVE(cm_conns, conn);
-               SAFE_FREE(conn);
-               conn = &tmp;
+               /* We're done - just keep the existing connection to NETLOGON
+                * open */
+               conn->netlogon_pipe = netlogon_pipe;
+               *cli = conn->netlogon_pipe;
+               return NT_STATUS_OK;
        }
 
-       /* Flush failed connection cache */
+       /* Using the credentials from the first pipe, open a signed and sealed
+          second netlogon pipe. The session key is stored in the schannel
+          part of the new pipe auth struct.
+       */
+
+       conn->netlogon_pipe =
+               cli_rpc_pipe_open_schannel_with_key(conn->cli,
+                                                   PI_NETLOGON,
+                                                   PIPE_AUTH_LEVEL_PRIVACY,
+                                                   domain->name,
+                                                   netlogon_pipe->dc,
+                                                   &result);
+
+       /* We can now close the initial netlogon pipe. */
+       cli_rpc_pipe_close(netlogon_pipe);
+
+       if (conn->netlogon_pipe == NULL) {
+               DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
+                         "was %s\n", nt_errstr(result)));
+                         
+               /* make sure we return something besides OK */
+               return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
+       }
 
-       flush_negative_conn_cache();
+       /*
+        * Try NetSamLogonEx for AD domains
+        */
+       domain->can_do_samlogon_ex = domain->active_directory;
+       
+       *cli = conn->netlogon_pipe;
+       return NT_STATUS_OK;
 }