Winbind daemon connection manager
- Copyright (C) Tim Potter 2001
- Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Tim Potter 2001
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Gerald (Jerry) Carter 2003-2005.
+ Copyright (C) Volker Lendecke 2004-2005
+ Copyright (C) Jeremy Allison 2006
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
-/* Global list of connections. Initially a DLIST but can become a hash
- table or whatever later. */
-
-struct winbindd_cm_conn {
- struct winbindd_cm_conn *prev, *next;
- fstring domain;
- fstring controller;
- fstring pipe_name;
- struct cli_state *cli;
- POLICY_HND pol;
+struct dc_name_ip {
+ fstring name;
+ struct in_addr ip;
};
-static struct winbindd_cm_conn *cm_conns = NULL;
+extern struct winbindd_methods reconnect_methods;
+extern BOOL override_logfile;
+
+static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
+static void set_dc_type_and_flags( struct winbindd_domain *domain );
+static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
+ struct dc_name_ip **dcs, int *num_dcs);
+
+/****************************************************************
+ Child failed to find DC's. Reschedule check.
+****************************************************************/
+
+static void msg_failed_to_go_online(struct messaging_context *msg,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbindd_domain *domain;
+ const char *domainname = (const char *)data->data;
+
+ if (data->data == NULL || data->length == 0) {
+ return;
+ }
+
+ DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
+
+ for (domain = domain_list(); domain; domain = domain->next) {
+ if (domain->internal) {
+ continue;
+ }
+
+ if (strequal(domain->name, domainname)) {
+ if (domain->online) {
+ /* We're already online, ignore. */
+ DEBUG(5,("msg_fail_to_go_online: domain %s "
+ "already online.\n", domainname));
+ continue;
+ }
+
+ /* Reschedule the online check. */
+ set_domain_offline(domain);
+ break;
+ }
+ }
+}
+
+/****************************************************************
+ Actually cause a reconnect from a message.
+****************************************************************/
+
+static void msg_try_to_go_online(struct messaging_context *msg,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbindd_domain *domain;
+ const char *domainname = (const char *)data->data;
+
+ if (data->data == NULL || data->length == 0) {
+ return;
+ }
+
+ DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
+
+ for (domain = domain_list(); domain; domain = domain->next) {
+ if (domain->internal) {
+ continue;
+ }
+
+ if (strequal(domain->name, domainname)) {
+
+ if (domain->online) {
+ /* We're already online, ignore. */
+ DEBUG(5,("msg_try_to_go_online: domain %s "
+ "already online.\n", domainname));
+ continue;
+ }
+
+ /* This call takes care of setting the online
+ flag to true if we connected, or re-adding
+ the offline handler if false. Bypasses online
+ check so always does network calls. */
+
+ init_dc_connection_network(domain);
+ break;
+ }
+ }
+}
+
+/****************************************************************
+ Fork a child to try and contact a DC. Do this as contacting a
+ DC requires blocking lookups and we don't want to block our
+ parent.
+****************************************************************/
+
+static BOOL fork_child_dc_connect(struct winbindd_domain *domain)
+{
+ struct dc_name_ip *dcs = NULL;
+ int num_dcs = 0;
+ TALLOC_CTX *mem_ctx = NULL;
+ pid_t child_pid;
+ pid_t parent_pid = sys_getpid();
+
+ /* Stop zombies */
+ CatchChild();
+
+ child_pid = sys_fork();
+
+ if (child_pid == -1) {
+ DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
+ return False;
+ }
+
+ if (child_pid != 0) {
+ /* Parent */
+ messaging_register(winbind_messaging_context(), NULL,
+ MSG_WINBIND_TRY_TO_GO_ONLINE,
+ msg_try_to_go_online);
+ messaging_register(winbind_messaging_context(), NULL,
+ MSG_WINBIND_FAILED_TO_GO_ONLINE,
+ msg_failed_to_go_online);
+ return True;
+ }
+
+ /* Child. */
+
+ /* Leave messages blocked - we will never process one. */
+
+ /* tdb needs special fork handling */
+ if (tdb_reopen_all(1) == -1) {
+ DEBUG(0,("tdb_reopen_all failed.\n"));
+ _exit(0);
+ }
+
+ close_conns_after_fork();
+
+ if (!override_logfile) {
+ pstring logfile;
+ pstr_sprintf(logfile, "%s/log.winbindd-dc-connect", dyn_LOGFILEBASE);
+ lp_set_logfile(logfile);
+ reopen_logs();
+ }
+
+ mem_ctx = talloc_init("fork_child_dc_connect");
+ if (!mem_ctx) {
+ DEBUG(0,("talloc_init failed.\n"));
+ _exit(0);
+ }
+
+ if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
+ /* Still offline ? Can't find DC's. */
+ messaging_send_buf(winbind_messaging_context(),
+ pid_to_procid(parent_pid),
+ MSG_WINBIND_FAILED_TO_GO_ONLINE,
+ (uint8 *)domain->name,
+ strlen(domain->name)+1);
+ _exit(0);
+ }
+
+ /* We got a DC. Send a message to our parent to get it to
+ try and do the same. */
+
+ messaging_send_buf(winbind_messaging_context(),
+ pid_to_procid(parent_pid),
+ MSG_WINBIND_TRY_TO_GO_ONLINE,
+ (uint8 *)domain->name,
+ strlen(domain->name)+1);
+ _exit(0);
+}
+
+/****************************************************************
+ Handler triggered if we're offline to try and detect a DC.
+****************************************************************/
+
+static void check_domain_online_handler(struct event_context *ctx,
+ struct timed_event *te,
+ const struct timeval *now,
+ void *private_data)
+{
+ struct winbindd_domain *domain =
+ (struct winbindd_domain *)private_data;
+
+ DEBUG(10,("check_domain_online_handler: called for domain "
+ "%s (online = %s)\n", domain->name,
+ domain->online ? "True" : "False" ));
+
+ TALLOC_FREE(domain->check_online_event);
+
+ /* Are we still in "startup" mode ? */
+
+ if (domain->startup && (now->tv_sec > domain->startup_time + 30)) {
+ /* No longer in "startup" mode. */
+ DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
+ domain->name ));
+ domain->startup = False;
+ }
+
+ /* We've been told to stay offline, so stay
+ that way. */
+
+ if (get_global_winbindd_state_offline()) {
+ DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
+ domain->name ));
+ return;
+ }
+
+ /* Fork a child to test if it can contact a DC.
+ If it can then send ourselves a message to
+ cause a reconnect. */
+
+ fork_child_dc_connect(domain);
+}
+
+/****************************************************************
+ If we're still offline setup the timeout check.
+****************************************************************/
+
+static void calc_new_online_timeout_check(struct winbindd_domain *domain)
+{
+ int wbc = lp_winbind_cache_time();
+
+ if (domain->startup) {
+ domain->check_online_timeout = 10;
+ } else if (domain->check_online_timeout < wbc) {
+ domain->check_online_timeout = wbc;
+ }
+}
+
+/****************************************************************
+ Set domain offline and also add handler to put us back online
+ if we detect a DC.
+****************************************************************/
+
+void set_domain_offline(struct winbindd_domain *domain)
+{
+ DEBUG(10,("set_domain_offline: called for domain %s\n",
+ domain->name ));
+
+ TALLOC_FREE(domain->check_online_event);
+
+ if (domain->internal) {
+ DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
+ domain->name ));
+ return;
+ }
+
+ domain->online = False;
+
+ /* Offline domains are always initialized. They're
+ re-initialized when they go back online. */
+
+ domain->initialized = True;
+
+ /* We only add the timeout handler that checks and
+ allows us to go back online when we've not
+ been told to remain offline. */
+
+ if (get_global_winbindd_state_offline()) {
+ DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
+ domain->name ));
+ return;
+ }
+
+ /* If we're in statup mode, check again in 10 seconds, not in
+ lp_winbind_cache_time() seconds (which is 5 mins by default). */
+
+ calc_new_online_timeout_check(domain);
+
+ domain->check_online_event = event_add_timed(winbind_event_context(),
+ NULL,
+ timeval_current_ofs(domain->check_online_timeout,0),
+ "check_domain_online_handler",
+ check_domain_online_handler,
+ domain);
+
+ /* The above *has* to succeed for winbindd to work. */
+ if (!domain->check_online_event) {
+ smb_panic("set_domain_offline: failed to add online handler");
+ }
+
+ DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
+ domain->name ));
+
+ /* Send an offline message to the idmap child when our
+ primary domain goes offline */
+
+ if ( domain->primary ) {
+ struct winbindd_child *idmap = idmap_child();
+
+ if ( idmap->pid != 0 ) {
+ messaging_send_buf(winbind_messaging_context(),
+ pid_to_procid(idmap->pid),
+ MSG_WINBIND_OFFLINE,
+ (uint8 *)domain->name,
+ strlen(domain->name)+1);
+ }
+ }
+
+ return;
+}
+
+/****************************************************************
+ Set domain online - if allowed.
+****************************************************************/
+
+static void set_domain_online(struct winbindd_domain *domain)
+{
+ struct timeval now;
+
+ DEBUG(10,("set_domain_online: called for domain %s\n",
+ domain->name ));
+
+ if (domain->internal) {
+ DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
+ domain->name ));
+ return;
+ }
+
+ if (get_global_winbindd_state_offline()) {
+ DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
+ domain->name ));
+ return;
+ }
+
+ /* If we are waiting to get a krb5 ticket, trigger immediately. */
+ GetTimeOfDay(&now);
+ set_event_dispatch_time(winbind_event_context(),
+ "krb5_ticket_gain_handler", now);
+
+ /* Ok, we're out of any startup mode now... */
+ domain->startup = False;
+
+ if (domain->online == False) {
+ /* We were offline - now we're online. We default to
+ using the MS-RPC backend if we started offline,
+ and if we're going online for the first time we
+ should really re-initialize the backends and the
+ checks to see if we're talking to an AD or NT domain.
+ */
+
+ domain->initialized = False;
+
+ /* 'reconnect_methods' is the MS-RPC backend. */
+ if (domain->backend == &reconnect_methods) {
+ domain->backend = NULL;
+ }
+ }
+
+ /* Ensure we have no online timeout checks. */
+ domain->check_online_timeout = 0;
+ TALLOC_FREE(domain->check_online_event);
+
+ /* Ensure we ignore any pending child messages. */
+ messaging_deregister(winbind_messaging_context(),
+ MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
+ messaging_deregister(winbind_messaging_context(),
+ MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
+
+ domain->online = True;
+
+ /* Send an online message to the idmap child when our
+ primary domain comes online */
+
+ if ( domain->primary ) {
+ struct winbindd_child *idmap = idmap_child();
+
+ if ( idmap->pid != 0 ) {
+ messaging_send_buf(winbind_messaging_context(),
+ pid_to_procid(idmap->pid),
+ MSG_WINBIND_ONLINE,
+ (uint8 *)domain->name,
+ strlen(domain->name)+1);
+ }
+ }
+
+ return;
+}
+
+/****************************************************************
+ Requested to set a domain online.
+****************************************************************/
+
+void set_domain_online_request(struct winbindd_domain *domain)
+{
+ struct timeval tev;
+
+ DEBUG(10,("set_domain_online_request: called for domain %s\n",
+ domain->name ));
+
+ if (get_global_winbindd_state_offline()) {
+ DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
+ domain->name ));
+ return;
+ }
+
+ /* We've been told it's safe to go online and
+ try and connect to a DC. But I don't believe it
+ because network manager seems to lie.
+ Wait at least 5 seconds. Heuristics suck... */
+
+ if (!domain->check_online_event) {
+ /* If we've come from being globally offline we
+ don't have a check online event handler set.
+ We need to add one now we're trying to go
+ back online. */
+
+ DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
+ domain->name ));
+
+ domain->check_online_event = event_add_timed(winbind_event_context(),
+ NULL,
+ timeval_current_ofs(5, 0),
+ "check_domain_online_handler",
+ check_domain_online_handler,
+ domain);
+
+ /* The above *has* to succeed for winbindd to work. */
+ if (!domain->check_online_event) {
+ smb_panic("set_domain_online_request: failed to add online handler");
+ }
+ }
+
+ GetTimeOfDay(&tev);
+
+ /* Go into "startup" mode again. */
+ domain->startup_time = tev.tv_sec;
+ domain->startup = True;
+
+ tev.tv_sec += 5;
-static NTSTATUS get_connection_from_cache(struct winbindd_domain *domain,
- const char *pipe_name,
- struct winbindd_cm_conn **conn_out);
+ set_event_dispatch_time(winbind_event_context(), "check_domain_online_handler", tev);
+}
+
+/****************************************************************
+ Add -ve connection cache entries for domain and realm.
+****************************************************************/
+
+void winbind_add_failed_connection_entry(const struct winbindd_domain *domain,
+ const char *server,
+ NTSTATUS result)
+{
+ add_failed_connection_entry(domain->name, server, result);
+ /* If this was the saf name for the last thing we talked to,
+ remove it. */
+ saf_delete(domain->name);
+ if (*domain->alt_name) {
+ add_failed_connection_entry(domain->alt_name, server, result);
+ saf_delete(domain->alt_name);
+ }
+}
/* Choose between anonymous or authenticated connections. We need to use
an authenticated connection if DCs have the RestrictAnonymous registry
static void cm_get_ipc_userpass(char **username, char **domain, char **password)
{
- *username = secrets_fetch(SECRETS_AUTH_USER, NULL);
- *domain = secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
- *password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
+ *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
+ *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
+ *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
if (*username && **username) {
if (!*password || !**password)
*password = smb_xstrdup("");
- DEBUG(3, ("IPC$ connections done by user %s\\%s\n",
+ DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
*domain, *username));
} else {
- DEBUG(3, ("IPC$ connections done anonymously\n"));
+ DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
*username = smb_xstrdup("");
*domain = smb_xstrdup("");
*password = smb_xstrdup("");
}
}
-/*
- setup for schannel on any pipes opened on this connection
-*/
-static NTSTATUS setup_schannel( struct cli_state *cli, const char *domain )
-{
- NTSTATUS ret;
- uchar trust_password[16];
- uint32 sec_channel_type;
- DOM_SID sid;
- time_t lct;
-
- /* use the domain trust password if we're on a DC
- and this is not our domain */
-
- if ( IS_DC && !strequal(domain, lp_workgroup()) ) {
- char *pass = NULL;
-
- if ( !secrets_fetch_trusted_domain_password( domain,
- &pass, &sid, &lct) )
- {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- sec_channel_type = SEC_CHAN_DOMAIN;
- E_md4hash(pass, trust_password);
- SAFE_FREE( pass );
-
- } else {
- if (!secrets_fetch_trust_account_password(lp_workgroup(),
- trust_password, NULL, &sec_channel_type))
- {
- return NT_STATUS_UNSUCCESSFUL;
- }
- }
-
- ret = cli_nt_setup_netsec(cli, sec_channel_type,
- AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN, trust_password);
-
- return ret;
-}
-
static BOOL get_dc_name_via_netlogon(const struct winbindd_domain *domain,
fstring dcname, struct in_addr *dc_ip)
{
- struct winbindd_domain *our_domain;
+ struct winbindd_domain *our_domain = NULL;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
NTSTATUS result;
- struct winbindd_cm_conn *conn;
+ WERROR werr;
TALLOC_CTX *mem_ctx;
-
+ unsigned int orig_timeout;
fstring tmp;
char *p;
- if (IS_DC)
- return False;
+ /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
+ * moment.... */
- if (domain->primary)
+ if (IS_DC) {
return False;
+ }
- if ((our_domain = find_our_domain()) == NULL)
+ if (domain->primary) {
return False;
+ }
- result = get_connection_from_cache(our_domain, PIPE_NETLOGON, &conn);
- if (!NT_STATUS_IS_OK(result))
+ our_domain = find_our_domain();
+
+ if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
return False;
+ }
- if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL)
+ result = cm_connect_netlogon(our_domain, &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ talloc_destroy(mem_ctx);
return False;
+ }
+
+ /* This call can take a long time - allow the server to time out.
+ 35 seconds should do it. */
+
+ orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000);
+
+ werr = rpccli_netlogon_getanydcname(netlogon_pipe, mem_ctx, our_domain->dcname,
+ domain->name, tmp);
- result = cli_netlogon_getdcname(conn->cli, mem_ctx, domain->name, tmp);
+ /* And restore our original timeout. */
+ cli_set_timeout(netlogon_pipe->cli, orig_timeout);
talloc_destroy(mem_ctx);
- if (!NT_STATUS_IS_OK(result))
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(10, ("rpccli_netlogon_getanydcname failed: %s\n",
+ dos_errstr(werr)));
return False;
+ }
- /* cli_netlogon_getdcname gives us a name with \\ */
+ /* cli_netlogon_getanydcname gives us a name with \\ */
p = tmp;
- if (*p == '\\') p+=1;
- if (*p == '\\') p+=1;
+ if (*p == '\\') {
+ p+=1;
+ }
+ if (*p == '\\') {
+ p+=1;
+ }
fstrcpy(dcname, p);
- if (!resolve_name(dcname, dc_ip, 0x20))
+ DEBUG(10, ("rpccli_netlogon_getanydcname returned %s\n", dcname));
+
+ if (!resolve_name(dcname, dc_ip, 0x20)) {
return False;
+ }
return True;
}
static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
const int sockfd,
- const int pipe_index,
const char *controller,
struct cli_state **cli,
BOOL *retry)
{
- char *machine_password, *machine_krb5_principal;
+ char *machine_password, *machine_krb5_principal, *machine_account;
char *ipc_username, *ipc_domain, *ipc_password;
- struct ntuser_creds creds;
BOOL got_mutex;
- BOOL add_failed_connection = True;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct sockaddr_in *peeraddr_in = (struct sockaddr_in *)&peeraddr;
+ DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
+ controller, domain->name ));
+
machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL,
NULL);
+ if (asprintf(&machine_account, "%s$", global_myname()) == -1) {
+ SAFE_FREE(machine_password);
+ return NT_STATUS_NO_MEMORY;
+ }
+
if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(),
lp_realm()) == -1) {
+ SAFE_FREE(machine_account);
SAFE_FREE(machine_password);
return NT_STATUS_NO_MEMORY;
}
WINBIND_SERVER_MUTEX_WAIT_TIME);
if (!got_mutex) {
- DEBUG(0,("cm_open_connection: mutex grab failed for %s\n",
+ DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
controller));
result = NT_STATUS_POSSIBLE_DEADLOCK;
goto done;
}
- if ((*cli = cli_initialise(NULL)) == NULL) {
+ if ((*cli = cli_initialise()) == NULL) {
DEBUG(1, ("Could not cli_initialize\n"));
result = NT_STATUS_NO_MEMORY;
goto done;
(peeraddr_in->sin_family != PF_INET))
{
DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
+ result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
if (!cli_session_request(*cli, &calling, &called)) {
DEBUG(8, ("cli_session_request failed for %s\n",
controller));
+ result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
}
if (!cli_negprot(*cli)) {
DEBUG(1, ("cli_negprot failed\n"));
- cli_shutdown(*cli);
+ result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
-
- /* Krb5 session */
- if ((lp_security() == SEC_ADS)
- && ((*cli)->protocol >= PROTOCOL_NT1 &&
- (*cli)->capabilities & CAP_EXTENDED_SECURITY)) {
-
+ if ((*cli)->protocol >= PROTOCOL_NT1 && (*cli)->capabilities & CAP_EXTENDED_SECURITY) {
ADS_STATUS ads_status;
- (*cli)->use_kerberos = True;
- DEBUG(5, ("connecting to %s from %s with kerberos principal "
- "[%s]\n", controller, global_myname(),
- machine_krb5_principal));
+
+ if (lp_security() == SEC_ADS) {
+
+ /* Try a krb5 session */
+
+ (*cli)->use_kerberos = True;
+ DEBUG(5, ("connecting to %s from %s with kerberos principal "
+ "[%s]\n", controller, global_myname(),
+ machine_krb5_principal));
+
+ ads_status = cli_session_setup_spnego(*cli,
+ machine_krb5_principal,
+ machine_password,
+ lp_workgroup());
+
+ if (!ADS_ERR_OK(ads_status)) {
+ DEBUG(4,("failed kerberos session setup with %s\n",
+ ads_errstr(ads_status)));
+ }
+
+ result = ads_ntstatus(ads_status);
+ if (NT_STATUS_IS_OK(result)) {
+ /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
+ cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+ goto session_setup_done;
+ }
+ }
+
+ /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
+ (*cli)->use_kerberos = False;
+
+ DEBUG(5, ("connecting to %s from %s with username "
+ "[%s]\\[%s]\n", controller, global_myname(),
+ lp_workgroup(), machine_account));
ads_status = cli_session_setup_spnego(*cli,
- machine_krb5_principal,
+ machine_account,
machine_password,
lp_workgroup());
-
- if (!ADS_ERR_OK(ads_status))
- DEBUG(4,("failed kerberos session setup with %s\n",
- ads_errstr(ads_status)));
+ if (!ADS_ERR_OK(ads_status)) {
+ DEBUG(4, ("authenticated session setup failed with %s\n",
+ ads_errstr(ads_status)));
+ }
result = ads_ntstatus(ads_status);
+ if (NT_STATUS_IS_OK(result)) {
+ /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
+ cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+ goto session_setup_done;
+ }
}
- if (NT_STATUS_IS_OK(result))
- goto session_setup_done;
-
/* Fall back to non-kerberos session setup */
(*cli)->use_kerberos = False;
"[%s]\\[%s]\n", controller, global_myname(),
ipc_domain, ipc_username));
- if (cli_session_setup(*cli, ipc_username,
- ipc_password, strlen(ipc_password)+1,
- ipc_password, strlen(ipc_password)+1,
- ipc_domain)) {
- DEBUG(5, ("authenticated session setup failed\n"));
+ if (NT_STATUS_IS_OK(cli_session_setup(
+ *cli, ipc_username,
+ ipc_password, strlen(ipc_password)+1,
+ ipc_password, strlen(ipc_password)+1,
+ ipc_domain))) {
+ /* Successful logon with given username. */
+ cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
goto session_setup_done;
+ } else {
+ DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
+ ipc_domain, ipc_username ));
}
}
/* Fall back to anonymous connection, this might fail later */
- if (cli_session_setup(*cli, "", NULL, 0, NULL, 0, "")) {
+ if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
+ NULL, 0, ""))) {
DEBUG(5, ("Connected anonymously\n"));
+ cli_init_creds(*cli, "", "", "");
goto session_setup_done;
}
session_setup_done:
+ /* cache the server name for later connections */
+
+ saf_store( domain->name, (*cli)->desthost );
+ if (domain->alt_name && (*cli)->use_kerberos) {
+ saf_store( domain->alt_name, (*cli)->desthost );
+ }
+
if (!cli_send_tconX(*cli, "IPC$", "IPC", "", 0)) {
result = cli_nt_error(*cli);
if (NT_STATUS_IS_OK(result))
result = NT_STATUS_UNSUCCESSFUL;
- cli_shutdown(*cli);
goto done;
}
- init_creds(&creds, ipc_username, ipc_domain, ipc_password);
- cli_init_creds(*cli, &creds);
-
secrets_named_mutex_release(controller);
got_mutex = False;
*retry = False;
- if (domain->primary || IS_DC) {
- NTSTATUS status = setup_schannel( *cli, domain->name );
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(3,("schannel refused - continuing without "
- "schannel (%s)\n", nt_errstr(status)));
- }
- }
-
/* set the domain if empty; needed for schannel connections */
- if ( !*(*cli)->domain )
+ if ( !*(*cli)->domain ) {
fstrcpy( (*cli)->domain, domain->name );
-
- if ( !cli_nt_session_open (*cli, pipe_index) ) {
-
- result = NT_STATUS_PIPE_NOT_AVAILABLE;
-
- /* This might be a NT4 DC */
- if ( is_win2k_pipe(pipe_index) )
- add_failed_connection = False;
-
- cli_shutdown(*cli);
- goto done;
}
result = NT_STATUS_OK;
- add_failed_connection = False;
done:
- if (got_mutex)
+ if (got_mutex) {
secrets_named_mutex_release(controller);
+ }
+ SAFE_FREE(machine_account);
SAFE_FREE(machine_password);
SAFE_FREE(machine_krb5_principal);
SAFE_FREE(ipc_username);
SAFE_FREE(ipc_domain);
SAFE_FREE(ipc_password);
- if (add_failed_connection)
- add_failed_connection_entry(domain->name, controller, result);
+ if (!NT_STATUS_IS_OK(result)) {
+ winbind_add_failed_connection_entry(domain, controller, result);
+ if ((*cli) != NULL) {
+ cli_shutdown(*cli);
+ *cli = NULL;
+ }
+ }
return result;
}
-struct dc_name_ip {
- fstring name;
- struct in_addr ip;
-};
-
static BOOL add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
const char *dcname, struct in_addr ip,
struct dc_name_ip **dcs, int *num)
{
- if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname)))
+ if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
+ DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
return False;
+ }
*dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
return True;
}
-static BOOL add_string_to_array(TALLOC_CTX *mem_ctx,
- const char *str, char ***array, int *num)
-{
- char *dup_str = talloc_strdup(mem_ctx, str);
-
- *array = TALLOC_REALLOC_ARRAY(mem_ctx, *array, char *, (*num)+1);
-
- if ((*array == NULL) || (dup_str == NULL))
- return False;
-
- (*array)[*num] = dup_str;
- *num += 1;
- return True;
-}
-
static BOOL add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
struct in_addr ip, uint16 port,
struct sockaddr_in **addrs, int *num)
{
*addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_in, (*num)+1);
- if (*addrs == NULL)
+ if (*addrs == NULL) {
+ *num = 0;
return False;
+ }
(*addrs)[*num].sin_family = PF_INET;
putip((char *)&((*addrs)[*num].sin_addr), (char *)&ip);
return True;
}
-static BOOL get_dcs_1c(TALLOC_CTX *mem_ctx,
- const struct winbindd_domain *domain,
- struct dc_name_ip **dcs, int *num_dcs)
+static void mailslot_name(struct in_addr dc_ip, fstring name)
+{
+ fstr_sprintf(name, "\\MAILSLOT\\NET\\GETDC%X", dc_ip.s_addr);
+}
+
+static BOOL send_getdc_request(struct in_addr dc_ip,
+ const char *domain_name,
+ const DOM_SID *sid)
+{
+ pstring outbuf;
+ char *p;
+ fstring my_acct_name;
+ fstring my_mailslot;
+
+ mailslot_name(dc_ip, my_mailslot);
+
+ memset(outbuf, '\0', sizeof(outbuf));
+
+ p = outbuf;
+
+ SCVAL(p, 0, SAMLOGON);
+ p++;
+
+ SCVAL(p, 0, 0); /* Count pointer ... */
+ p++;
+
+ SIVAL(p, 0, 0); /* The sender's token ... */
+ p += 2;
+
+ p += dos_PutUniCode(p, global_myname(), sizeof(pstring), True);
+ fstr_sprintf(my_acct_name, "%s$", global_myname());
+ p += dos_PutUniCode(p, my_acct_name, sizeof(pstring), True);
+
+ memcpy(p, my_mailslot, strlen(my_mailslot)+1);
+ p += strlen(my_mailslot)+1;
+
+ SIVAL(p, 0, 0x80);
+ p+=4;
+
+ SIVAL(p, 0, sid_size(sid));
+ p+=4;
+
+ p = ALIGN4(p, outbuf);
+
+ sid_linearize(p, sid_size(sid), sid);
+ p += sid_size(sid);
+
+ SIVAL(p, 0, 1);
+ SSVAL(p, 4, 0xffff);
+ SSVAL(p, 6, 0xffff);
+ p+=8;
+
+ return cli_send_mailslot(winbind_messaging_context(),
+ False, "\\MAILSLOT\\NET\\NTLOGON", 0,
+ outbuf, PTR_DIFF(p, outbuf),
+ global_myname(), 0, domain_name, 0x1c,
+ dc_ip);
+}
+
+static BOOL receive_getdc_response(struct in_addr dc_ip,
+ const char *domain_name,
+ fstring dc_name)
{
- struct ip_service *iplist = NULL;
- int i, num = 0;
+ struct packet_struct *packet;
+ fstring my_mailslot;
+ char *buf, *p;
+ fstring dcname, user, domain;
+ int len;
+
+ mailslot_name(dc_ip, my_mailslot);
- if (!internal_resolve_name(domain->name, 0x1c, &iplist, &num,
- lp_name_resolve_order()))
+ packet = receive_unexpected(DGRAM_PACKET, 0, my_mailslot);
+
+ if (packet == NULL) {
+ DEBUG(5, ("Did not receive packet for %s\n", my_mailslot));
return False;
+ }
- /* Now try to find the server names of at least one IP address, hosts
- * not replying are cached as such */
+ DEBUG(5, ("Received packet for %s\n", my_mailslot));
- for (i=0; i<num; i++) {
+ buf = packet->packet.dgram.data;
+ len = packet->packet.dgram.datasize;
- fstring dcname;
+ if (len < 70) {
+ /* 70 is a completely arbitrary value to make sure
+ the SVAL below does not read uninitialized memory */
+ DEBUG(3, ("GetDC got short response\n"));
+ return False;
+ }
- if (!name_status_find(domain->name, 0x1c, 0x20, iplist[i].ip,
- dcname))
- continue;
+ /* This should be (buf-4)+SVAL(buf-4, smb_vwv12)... */
+ p = buf+SVAL(buf, smb_vwv10);
- if (add_one_dc_unique(mem_ctx, domain->name, dcname,
- iplist[i].ip, dcs, num_dcs)) {
- /* One DC responded, so we assume that he will also
- work on 139/445 */
- break;
- }
+ if (CVAL(p,0) != SAMLOGON_R) {
+ DEBUG(8, ("GetDC got invalid response type %d\n", CVAL(p, 0)));
+ return False;
+ }
+
+ p+=2;
+ pull_ucs2(buf, dcname, p, sizeof(dcname), PTR_DIFF(buf+len, p),
+ STR_TERMINATE|STR_NOALIGN);
+ p = skip_unibuf(p, PTR_DIFF(buf+len, p));
+ pull_ucs2(buf, user, p, sizeof(dcname), PTR_DIFF(buf+len, p),
+ STR_TERMINATE|STR_NOALIGN);
+ p = skip_unibuf(p, PTR_DIFF(buf+len, p));
+ pull_ucs2(buf, domain, p, sizeof(dcname), PTR_DIFF(buf+len, p),
+ STR_TERMINATE|STR_NOALIGN);
+ p = skip_unibuf(p, PTR_DIFF(buf+len, p));
+
+ if (!strequal(domain, domain_name)) {
+ DEBUG(3, ("GetDC: Expected domain %s, got %s\n",
+ domain_name, domain));
+ return False;
}
+ p = dcname;
+ if (*p == '\\') p += 1;
+ if (*p == '\\') p += 1;
+
+ fstrcpy(dc_name, p);
+
+ DEBUG(10, ("GetDC gave name %s for domain %s\n",
+ dc_name, domain));
+
return True;
}
-static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
- struct dc_name_ip **dcs, int *num_dcs)
+/*******************************************************************
+ convert an ip to a name
+*******************************************************************/
+
+static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip, fstring name )
{
- fstring dcname;
- struct in_addr ip;
- BOOL is_our_domain;
+ struct ip_service ip_list;
- const char *p;
+ ip_list.ip = ip;
+ ip_list.port = 0;
- is_our_domain = strequal(domain->name, lp_workgroup());
+#ifdef WITH_ADS
+ /* For active directory servers, try to get the ldap server name.
+ None of these failures should be considered critical for now */
- if (!is_our_domain && get_dc_name_via_netlogon(domain, dcname, &ip) &&
- add_one_dc_unique(mem_ctx, domain->name, dcname, ip, dcs, num_dcs))
+ if (lp_security() == SEC_ADS) {
+ ADS_STRUCT *ads;
+
+ ads = ads_init(domain->alt_name, domain->name, NULL);
+ ads->auth.flags |= ADS_AUTH_NO_BIND;
+
+ if (ads_try_connect( ads, inet_ntoa(ip) ) ) {
+ /* We got a cldap packet. */
+ fstrcpy(name, ads->config.ldap_server_name);
+ namecache_store(name, 0x20, 1, &ip_list);
+
+ DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
+
+ if (domain->primary && (ads->config.flags & ADS_KDC) && ads_closest_dc(ads)) {
+ char *sitename = sitename_fetch(ads->config.realm);
+
+ /* We're going to use this KDC for this realm/domain.
+ If we are using sites, then force the krb5 libs
+ to use this KDC. */
+
+ create_local_private_krb5_conf_for_domain(domain->alt_name,
+ domain->name,
+ sitename,
+ ip);
+
+ SAFE_FREE(sitename);
+ /* Ensure we contact this DC also. */
+ saf_store( domain->name, name);
+ saf_store( domain->alt_name, name);
+ }
+
+ ads_destroy( &ads );
return True;
+ }
- if (!is_our_domain) {
- /* NETLOGON to our own domain could not give us a DC name
- * (which is an error), fall back to looking up domain#1c */
- return get_dcs_1c(mem_ctx, domain, dcs, num_dcs);
+ ads_destroy( &ads );
}
+#endif
- if (must_use_pdc(domain->name) && get_pdc_ip(domain->name, &ip)) {
+ /* try GETDC requests next */
+
+ if (send_getdc_request(ip, domain->name, &domain->sid)) {
+ int i;
+ smb_msleep(100);
+ for (i=0; i<5; i++) {
+ if (receive_getdc_response(ip, domain->name, name)) {
+ namecache_store(name, 0x20, 1, &ip_list);
+ return True;
+ }
+ smb_msleep(500);
+ }
+ }
- if (!name_status_find(domain->name, 0x1b, 0x20, ip, dcname))
- return False;
+ /* try node status request */
- if (add_one_dc_unique(mem_ctx, domain->name,
- dcname, ip, dcs, num_dcs))
- return True;
+ if ( name_status_find(domain->name, 0x1c, 0x20, ip, name) ) {
+ namecache_store(name, 0x20, 1, &ip_list);
+ return True;
}
+ return False;
+}
- p = lp_passwordserver();
+/*******************************************************************
+ Retreive a list of IP address for domain controllers. Fill in
+ the dcs[] with results.
+*******************************************************************/
- if (*p == 0)
- return get_dcs_1c(mem_ctx, domain, dcs, num_dcs);
+static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
+ struct dc_name_ip **dcs, int *num_dcs)
+{
+ fstring dcname;
+ struct in_addr ip;
+ struct ip_service *ip_list = NULL;
+ int iplist_size = 0;
+ int i;
+ BOOL is_our_domain;
+ enum security_types sec = (enum security_types)lp_security();
- while (next_token(&p, dcname, LIST_SEP, sizeof(dcname))) {
+ is_our_domain = strequal(domain->name, lp_workgroup());
- if (strequal(dcname, "*")) {
- get_dcs_1c(mem_ctx, domain, dcs, num_dcs);
- continue;
+ if ( !is_our_domain
+ && get_dc_name_via_netlogon(domain, dcname, &ip)
+ && add_one_dc_unique(mem_ctx, domain->name, dcname, ip, dcs, num_dcs) )
+ {
+ DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
+ dcname, inet_ntoa(ip)));
+ return True;
+ }
+
+ if (sec == SEC_ADS) {
+ char *sitename = NULL;
+
+ /* We need to make sure we know the local site before
+ doing any DNS queries, as this will restrict the
+ get_sorted_dc_list() call below to only fetching
+ DNS records for the correct site. */
+
+ /* Find any DC to get the site record.
+ We deliberately don't care about the
+ return here. */
+
+ get_dc_name(domain->name, domain->alt_name, dcname, &ip);
+
+ sitename = sitename_fetch(domain->alt_name);
+ if (sitename) {
+
+ /* Do the site-specific AD dns lookup first. */
+ get_sorted_dc_list(domain->alt_name, sitename, &ip_list, &iplist_size, True);
+
+ for ( i=0; i<iplist_size; i++ ) {
+ add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
+ ip_list[i].ip, dcs, num_dcs);
+ }
+
+ SAFE_FREE(ip_list);
+ SAFE_FREE(sitename);
+ iplist_size = 0;
}
- if (!resolve_name(dcname, &ip, 0x20))
- continue;
+ /* Now we add DCs from the main AD dns lookup. */
+ get_sorted_dc_list(domain->alt_name, NULL, &ip_list, &iplist_size, True);
+
+ for ( i=0; i<iplist_size; i++ ) {
+ add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
+ ip_list[i].ip, dcs, num_dcs);
+ }
+ }
+
+ /* try standard netbios queries if no ADS */
- add_one_dc_unique(mem_ctx, domain->name, dcname, ip,
- dcs, num_dcs);
+ if (iplist_size==0) {
+ get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size, False);
}
+ /* FIXME!! this is where we should re-insert the GETDC requests --jerry */
+
+ /* now add to the dc array. We'll wait until the last minute
+ to look up the name of the DC. But we fill in the char* for
+ the ip now in to make the failed connection cache work */
+
+ for ( i=0; i<iplist_size; i++ ) {
+ add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
+ ip_list[i].ip, dcs, num_dcs);
+ }
+
+ SAFE_FREE( ip_list );
+
return True;
}
struct dc_name_ip *dcs = NULL;
int num_dcs = 0;
- char **dcnames = NULL;
+ const char **dcnames = NULL;
int num_dcnames = 0;
struct sockaddr_in *addrs = NULL;
int i, fd_index;
+ again:
if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
return False;
for (i=0; i<num_dcs; i++) {
- add_string_to_array(mem_ctx, dcs[i].name,
- &dcnames, &num_dcnames);
- add_sockaddr_to_array(mem_ctx, dcs[i].ip, 445,
- &addrs, &num_addrs);
+ if (!add_string_to_array(mem_ctx, dcs[i].name,
+ &dcnames, &num_dcnames)) {
+ return False;
+ }
+ if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 445,
+ &addrs, &num_addrs)) {
+ return False;
+ }
- add_string_to_array(mem_ctx, dcs[i].name,
- &dcnames, &num_dcnames);
- add_sockaddr_to_array(mem_ctx, dcs[i].ip, 139,
- &addrs, &num_addrs);
+ if (!add_string_to_array(mem_ctx, dcs[i].name,
+ &dcnames, &num_dcnames)) {
+ return False;
+ }
+ if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 139,
+ &addrs, &num_addrs)) {
+ return False;
+ }
}
if ((num_dcnames == 0) || (num_dcnames != num_addrs))
return False;
- if (!open_any_socket_out(addrs, num_addrs, 10000, &fd_index, fd)) {
+ if ((addrs == NULL) || (dcnames == NULL))
+ return False;
+
+ /* 5 second timeout. */
+ if ( !open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) )
+ {
for (i=0; i<num_dcs; i++) {
- add_failed_connection_entry(domain->name,
- dcs[i].name,
- NT_STATUS_UNSUCCESSFUL);
+ DEBUG(10, ("find_new_dc: open_any_socket_out failed for "
+ "domain %s address %s. Error was %s\n",
+ domain->name, inet_ntoa(dcs[i].ip), strerror(errno) ));
+ winbind_add_failed_connection_entry(domain,
+ dcs[i].name, NT_STATUS_UNSUCCESSFUL);
}
return False;
}
- fstrcpy(dcname, dcnames[fd_index]);
*addr = addrs[fd_index];
- return True;
+ if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
+ /* Ok, we've got a name for the DC */
+ fstrcpy(dcname, dcnames[fd_index]);
+ return True;
+ }
+
+ /* Try to figure out the name */
+ if (dcip_to_name( domain, addr->sin_addr, dcname )) {
+ return True;
+ }
+
+ /* We can not continue without the DC's name */
+ winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
+ NT_STATUS_UNSUCCESSFUL);
+ goto again;
}
static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
- const int pipe_index,
struct winbindd_cm_conn *new_conn)
{
TALLOC_CTX *mem_ctx;
NTSTATUS result;
-
+ char *saf_servername = saf_fetch( domain->name );
int retries;
- if ((mem_ctx = talloc_init("cm_open_connection")) == NULL)
+ if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
+ SAFE_FREE(saf_servername);
+ set_domain_offline(domain);
return NT_STATUS_NO_MEMORY;
+ }
+
+ /* we have to check the server affinity cache here since
+ later we selecte a DC based on response time and not preference */
+
+ /* Check the negative connection cache
+ before talking to it. It going down may have
+ triggered the reconnection. */
+
+ if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
+
+ DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
+ saf_servername, domain->name ));
+
+ /* convert an ip address to a name */
+ if ( is_ipaddress( saf_servername ) ) {
+ fstring saf_name;
+ struct in_addr ip;
+
+ ip = *interpret_addr2( saf_servername );
+ if (dcip_to_name( domain, ip, saf_name )) {
+ fstrcpy( domain->dcname, saf_name );
+ } else {
+ winbind_add_failed_connection_entry(
+ domain, saf_servername,
+ NT_STATUS_UNSUCCESSFUL);
+ }
+ } else {
+ fstrcpy( domain->dcname, saf_servername );
+ }
+
+ SAFE_FREE( saf_servername );
+ }
for (retries = 0; retries < 3; retries++) {
int fd = -1;
- BOOL retry;
+ BOOL retry = False;
result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
- if ((strlen(domain->dcname) > 0) &&
- NT_STATUS_IS_OK(check_negative_conn_cache(domain->name,
- domain->dcname))) {
- int dummy;
- if (!open_any_socket_out(&domain->dcaddr, 1, 10000,
- &dummy, &fd)) {
+ DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
+ domain->dcname, domain->name ));
+
+ if (*domain->dcname
+ && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
+ && (resolve_name(domain->dcname, &domain->dcaddr.sin_addr, 0x20)))
+ {
+ struct sockaddr_in *addrs = NULL;
+ int num_addrs = 0;
+ int dummy = 0;
+
+ if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 445, &addrs, &num_addrs)) {
+ set_domain_offline(domain);
+ talloc_destroy(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 139, &addrs, &num_addrs)) {
+ set_domain_offline(domain);
+ talloc_destroy(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* 5 second timeout. */
+ if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) {
fd = -1;
}
}
- if ((fd == -1) &&
- !find_new_dc(mem_ctx, domain, domain->dcname,
- &domain->dcaddr, &fd))
+ if ((fd == -1)
+ && !find_new_dc(mem_ctx, domain, domain->dcname, &domain->dcaddr, &fd))
+ {
+ /* This is the one place where we will
+ set the global winbindd offline state
+ to true, if a "WINBINDD_OFFLINE" entry
+ is found in the winbindd cache. */
+ set_global_winbindd_state_offline();
break;
+ }
new_conn->cli = NULL;
- result = cm_prepare_connection(domain, fd, pipe_index,
- domain->dcname,
- &new_conn->cli, &retry);
-
- if (NT_STATUS_IS_OK(result)) {
- fstrcpy(new_conn->domain, domain->name);
- /* Initialise SMB connection */
- fstrcpy(new_conn->pipe_name,
- get_pipe_name_from_index(pipe_index));
- break;
- }
+ result = cm_prepare_connection(domain, fd, domain->dcname,
+ &new_conn->cli, &retry);
if (!retry)
break;
}
+ if (NT_STATUS_IS_OK(result)) {
+ if (domain->online == False) {
+ /* We're changing state from offline to online. */
+ set_global_winbindd_state_online();
+ }
+ set_domain_online(domain);
+ } else {
+ /* Ensure we setup the retry handler. */
+ set_domain_offline(domain);
+ }
+
talloc_destroy(mem_ctx);
return result;
}
-/************************************************************************
- Wrapper around statuc cm_open_connection to retreive a freshly
- setup cli_state struct
-************************************************************************/
+/* Close down all open pipes on a connection. */
-NTSTATUS cm_fresh_connection(struct winbindd_domain *domain, const int pipe_index,
- struct cli_state **cli)
+void invalidate_cm_connection(struct winbindd_cm_conn *conn)
{
- NTSTATUS result;
- struct winbindd_cm_conn conn;
-
- result = cm_open_connection( domain, pipe_index, &conn );
-
- if ( NT_STATUS_IS_OK(result) )
- *cli = conn.cli;
+ /* We're closing down a possibly dead
+ connection. Don't have impossibly long (10s) timeouts. */
- return result;
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 1000); /* 1 second. */
+ }
+
+ if (conn->samr_pipe != NULL) {
+ if (!cli_rpc_pipe_close(conn->samr_pipe)) {
+ /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 500);
+ }
+ }
+ conn->samr_pipe = NULL;
+ }
+
+ if (conn->lsa_pipe != NULL) {
+ if (!cli_rpc_pipe_close(conn->lsa_pipe)) {
+ /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 500);
+ }
+ }
+ conn->lsa_pipe = NULL;
+ }
+
+ if (conn->netlogon_pipe != NULL) {
+ if (!cli_rpc_pipe_close(conn->netlogon_pipe)) {
+ /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 500);
+ }
+ }
+ conn->netlogon_pipe = NULL;
+ }
+
+ if (conn->cli) {
+ cli_shutdown(conn->cli);
+ }
+
+ conn->cli = NULL;
}
-/* Return true if a connection is still alive */
+void close_conns_after_fork(void)
+{
+ struct winbindd_domain *domain;
+
+ for (domain = domain_list(); domain; domain = domain->next) {
+ if (domain->conn.cli == NULL)
+ continue;
+
+ if (domain->conn.cli->fd == -1)
+ continue;
+
+ close(domain->conn.cli->fd);
+ domain->conn.cli->fd = -1;
+ }
+}
-static BOOL connection_ok(struct winbindd_cm_conn *conn)
+static BOOL connection_ok(struct winbindd_domain *domain)
{
- if (!conn) {
- smb_panic("Invalid parameter passed to connection_ok(): conn was NULL!\n");
+ if (domain->conn.cli == NULL) {
+ DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
+ "cli!\n", domain->dcname, domain->name));
return False;
}
- if (!conn->cli) {
- DEBUG(3, ("Connection to %s for domain %s (pipe %s) has NULL conn->cli!\n",
- conn->controller, conn->domain, conn->pipe_name));
+ if (!domain->conn.cli->initialised) {
+ DEBUG(3, ("connection_ok: Connection to %s for domain %s was never "
+ "initialised!\n", domain->dcname, domain->name));
return False;
}
- if (!conn->cli->initialised) {
- DEBUG(3, ("Connection to %s for domain %s (pipe %s) was never initialised!\n",
- conn->controller, conn->domain, conn->pipe_name));
+ if (domain->conn.cli->fd == -1) {
+ DEBUG(3, ("connection_ok: Connection to %s for domain %s has died or was "
+ "never started (fd == -1)\n",
+ domain->dcname, domain->name));
return False;
}
- if (conn->cli->fd == -1) {
- DEBUG(3, ("Connection to %s for domain %s (pipe %s) has died or was never started (fd == -1)\n",
- conn->controller, conn->domain, conn->pipe_name));
+ if (domain->online == False) {
+ DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
return False;
}
-
+
return True;
}
-/* Search the cache for a connection. If there is a broken one,
- shut it down properly and return NULL. */
+/* Initialize a new connection up to the RPC BIND.
+ Bypass online status check so always does network calls. */
-static void find_cm_connection(struct winbindd_domain *domain, const char *pipe_name,
- struct winbindd_cm_conn **conn_out)
+static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
{
- struct winbindd_cm_conn *conn;
+ NTSTATUS result;
- for (conn = cm_conns; conn; ) {
- if (strequal(conn->domain, domain->name) &&
- strequal(conn->pipe_name, pipe_name)) {
- if (!connection_ok(conn)) {
- /* Dead connection - remove it. */
- struct winbindd_cm_conn *conn_temp = conn->next;
- if (conn->cli)
- cli_shutdown(conn->cli);
- DLIST_REMOVE(cm_conns, conn);
- SAFE_FREE(conn);
- conn = conn_temp; /* Keep the loop moving */
- continue;
- } else {
- break;
- }
+ /* Internal connections never use the network. */
+ if (domain->internal) {
+ domain->initialized = True;
+ return NT_STATUS_OK;
+ }
+
+ if (connection_ok(domain)) {
+ if (!domain->initialized) {
+ set_dc_type_and_flags(domain);
}
- conn = conn->next;
+ return NT_STATUS_OK;
}
- *conn_out = conn;
-}
+ invalidate_cm_connection(&domain->conn);
-/* Initialize a new connection up to the RPC BIND. */
+ result = cm_open_connection(domain, &domain->conn);
-static NTSTATUS new_cm_connection(struct winbindd_domain *domain, const char *pipe_name,
- struct winbindd_cm_conn **conn_out)
-{
- struct winbindd_cm_conn *conn;
- NTSTATUS result;
+ if (NT_STATUS_IS_OK(result) && !domain->initialized) {
+ set_dc_type_and_flags(domain);
+ }
- if (!(conn = SMB_MALLOC_P(struct winbindd_cm_conn)))
- return NT_STATUS_NO_MEMORY;
-
- ZERO_STRUCTP(conn);
-
- if (!NT_STATUS_IS_OK(result = cm_open_connection(domain, get_pipe_index(pipe_name), conn))) {
- DEBUG(3, ("Could not open a connection to %s for %s (%s)\n",
- domain->name, pipe_name, nt_errstr(result)));
- SAFE_FREE(conn);
- return result;
+ return result;
+}
+
+NTSTATUS init_dc_connection(struct winbindd_domain *domain)
+{
+ if (domain->initialized && !domain->online) {
+ /* We check for online status elsewhere. */
+ return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
}
- DLIST_ADD(cm_conns, conn);
- *conn_out = conn;
- return NT_STATUS_OK;
+ return init_dc_connection_network(domain);
}
-/* Get a connection to the remote DC and open the pipe. If there is already a connection, use that */
+/******************************************************************************
+ Set the trust flags (direction and forest location) for a domain
+******************************************************************************/
-static NTSTATUS get_connection_from_cache(struct winbindd_domain *domain, const char *pipe_name,
- struct winbindd_cm_conn **conn_out)
+static BOOL set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
{
- find_cm_connection(domain, pipe_name, conn_out);
+ struct winbindd_domain *our_domain;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ struct ds_domain_trust *domains = NULL;
+ int count = 0;
+ int i;
+ uint32 flags = (DS_DOMAIN_IN_FOREST |
+ DS_DOMAIN_DIRECT_OUTBOUND |
+ DS_DOMAIN_DIRECT_INBOUND);
+ struct rpc_pipe_client *cli;
+ TALLOC_CTX *mem_ctx = NULL;
+
+ DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
+
+ /* Our primary domain doesn't need to worry about trust flags.
+ Force it to go through the network setup */
+ if ( domain->primary ) {
+ return False;
+ }
+
+ our_domain = find_our_domain();
+
+ if ( !connection_ok(our_domain) ) {
+ DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));
+ return False;
+ }
- if (*conn_out != NULL)
- return NT_STATUS_OK;
+ /* This won't work unless our domain is AD */
+
+ if ( !our_domain->active_directory ) {
+ return False;
+ }
+
+ /* Use DsEnumerateDomainTrusts to get us the trust direction
+ and type */
+
+ result = cm_connect_netlogon(our_domain, &cli);
- return new_cm_connection(domain, pipe_name, conn_out);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
+ "a connection to %s for PIPE_NETLOGON (%s)\n",
+ domain->name, nt_errstr(result)));
+ return False;
+ }
+
+ if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
+ DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
+ return False;
+ }
+
+ result = rpccli_ds_enum_domain_trusts(cli, mem_ctx,
+ cli->cli->desthost,
+ flags, &domains,
+ (unsigned int *)&count);
+
+ /* Now find the domain name and get the flags */
+
+ for ( i=0; i<count; i++ ) {
+ if ( strequal( domain->name, domains[i].netbios_domain ) ) {
+ domain->domain_flags = domains[i].flags;
+ domain->domain_type = domains[i].trust_type;
+ domain->domain_trust_attribs = domains[i].trust_attributes;
+
+ if ( domain->domain_type == DS_DOMAIN_TRUST_TYPE_UPLEVEL )
+ domain->active_directory = True;
+
+ /* This flag is only set if the domain is *our*
+ primary domain and the primary domain is in
+ native mode */
+
+ domain->native_mode = (domain->domain_flags & DS_DOMAIN_NATIVE_MODE);
+
+ DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
+ "native mode.\n", domain->name,
+ domain->native_mode ? "" : "NOT "));
+
+ DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
+ "running active directory.\n", domain->name,
+ domain->active_directory ? "" : "NOT "));
+
+
+ domain->initialized = True;
+
+ if ( !winbindd_can_contact_domain( domain) )
+ domain->internal = True;
+
+ break;
+ }
+ }
+
+ talloc_destroy( mem_ctx );
+
+ return domain->initialized;
}
-/**********************************************************************************
- We can 'sense' certain things about the DC by it's replies to certain questions.
+/******************************************************************************
+ We can 'sense' certain things about the DC by it's replies to certain
+ questions.
- This tells us if this particular remote server is Active Directory, and if it is
- native mode.
-**********************************************************************************/
+ This tells us if this particular remote server is Active Directory, and if it
+ is native mode.
+******************************************************************************/
-void set_dc_type_and_flags( struct winbindd_domain *domain )
+static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
{
NTSTATUS result;
- struct winbindd_cm_conn conn;
DS_DOMINFO_CTR ctr;
TALLOC_CTX *mem_ctx = NULL;
-
- ZERO_STRUCT( conn );
+ struct rpc_pipe_client *cli;
+ POLICY_HND pol;
+
+ char *domain_name = NULL;
+ char *dns_name = NULL;
+ char *forest_name = NULL;
+ DOM_SID *dom_sid = NULL;
+
ZERO_STRUCT( ctr );
- domain->native_mode = False;
- domain->active_directory = False;
+ if (!connection_ok(domain)) {
+ return;
+ }
- if (domain->internal) {
- domain->initialized = True;
+ DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
+
+ cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC_DS,
+ &result);
+
+ if (cli == NULL) {
+ DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
+ "PI_LSARPC_DS on domain %s: (%s)\n",
+ domain->name, nt_errstr(result)));
+
+ /* if this is just a non-AD domain we need to continue
+ * identifying so that we can in the end return with
+ * domain->initialized = True - gd */
+
+ goto no_lsarpc_ds;
+ }
+
+ result = rpccli_ds_getprimarydominfo(cli, cli->cli->mem_ctx,
+ DsRolePrimaryDomainInfoBasic,
+ &ctr);
+ cli_rpc_pipe_close(cli);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
+ "on domain %s failed: (%s)\n",
+ domain->name, nt_errstr(result)));
return;
}
- if ( !NT_STATUS_IS_OK(result = cm_open_connection(domain, PI_LSARPC_DS, &conn)) ) {
- DEBUG(5, ("set_dc_type_and_flags: Could not open a connection to %s for PIPE_LSARPC (%s)\n",
+ if ((ctr.basic->flags & DSROLE_PRIMARY_DS_RUNNING) &&
+ !(ctr.basic->flags & DSROLE_PRIMARY_DS_MIXED_MODE)) {
+ domain->native_mode = True;
+ } else {
+ domain->native_mode = False;
+ }
+
+no_lsarpc_ds:
+ cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC, &result);
+
+ if (cli == NULL) {
+ DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
+ "PI_LSARPC on domain %s: (%s)\n",
domain->name, nt_errstr(result)));
- domain->initialized = True;
+ cli_rpc_pipe_close(cli);
return;
}
-
- if ( conn.cli ) {
- if ( !NT_STATUS_IS_OK(cli_ds_getprimarydominfo( conn.cli,
- conn.cli->mem_ctx, DsRolePrimaryDomainInfoBasic, &ctr)) ) {
- goto done;
- }
+
+ mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
+ domain->name);
+ if (!mem_ctx) {
+ DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
+ cli_rpc_pipe_close(cli);
+ return;
}
-
- if ( (ctr.basic->flags & DSROLE_PRIMARY_DS_RUNNING)
- && !(ctr.basic->flags & DSROLE_PRIMARY_DS_MIXED_MODE) )
- domain->native_mode = True;
- /* Cheat - shut down the DS pipe, and open LSA */
+ result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
+ SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
+
+ if (NT_STATUS_IS_OK(result)) {
+ /* This particular query is exactly what Win2k clients use
+ to determine that the DC is active directory */
+ result = rpccli_lsa_query_info_policy2(cli, mem_ctx, &pol,
+ 12, &domain_name,
+ &dns_name, &forest_name,
+ NULL, &dom_sid);
+ }
- cli_nt_session_close(conn.cli);
+ if (NT_STATUS_IS_OK(result)) {
+ domain->active_directory = True;
- if ( cli_nt_session_open (conn.cli, PI_LSARPC) ) {
- char *domain_name = NULL;
- char *dns_name = NULL;
- DOM_SID *dom_sid = NULL;
+ if (domain_name)
+ fstrcpy(domain->name, domain_name);
- mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n", domain->name);
- if (!mem_ctx) {
- DEBUG(1, ("set_dc_type_and_flags: talloc_init() failed\n"));
- return;
- }
+ if (dns_name)
+ fstrcpy(domain->alt_name, dns_name);
- result = cli_lsa_open_policy2(conn.cli, mem_ctx, True,
- SEC_RIGHTS_MAXIMUM_ALLOWED,
- &conn.pol);
-
- if (NT_STATUS_IS_OK(result)) {
- /* This particular query is exactly what Win2k clients use
- to determine that the DC is active directory */
- result = cli_lsa_query_info_policy2(conn.cli, mem_ctx,
- &conn.pol,
- 12, &domain_name,
- &dns_name, NULL,
- NULL, &dom_sid);
- }
+ if ( forest_name )
+ fstrcpy(domain->forest_name, forest_name);
+ if (dom_sid)
+ sid_copy(&domain->sid, dom_sid);
+ } else {
+ domain->active_directory = False;
+
+ result = rpccli_lsa_open_policy(cli, mem_ctx, True,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &pol);
+
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ result = rpccli_lsa_query_info_policy(cli, mem_ctx,
+ &pol, 5, &domain_name,
+ &dom_sid);
+
if (NT_STATUS_IS_OK(result)) {
if (domain_name)
fstrcpy(domain->name, domain_name);
-
- if (dns_name)
- fstrcpy(domain->alt_name, dns_name);
if (dom_sid)
sid_copy(&domain->sid, dom_sid);
-
- domain->active_directory = True;
- } else {
-
- result = cli_lsa_open_policy(conn.cli, mem_ctx, True,
- SEC_RIGHTS_MAXIMUM_ALLOWED,
- &conn.pol);
-
- if (!NT_STATUS_IS_OK(result))
- goto done;
-
- result = cli_lsa_query_info_policy(conn.cli, mem_ctx,
- &conn.pol, 5, &domain_name,
- &dom_sid);
-
- if (NT_STATUS_IS_OK(result)) {
- if (domain_name)
- fstrcpy(domain->name, domain_name);
-
- if (dom_sid)
- sid_copy(&domain->sid, dom_sid);
- }
}
}
-
done:
-
- /* close the connection; no other calls use this pipe and it is called only
- on reestablishing the domain list --jerry */
-
- if ( conn.cli )
- cli_shutdown( conn.cli );
+
+ DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
+ domain->name, domain->native_mode ? "" : "NOT "));
+
+ DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
+ domain->name, domain->active_directory ? "" : "NOT "));
+
+ cli_rpc_pipe_close(cli);
talloc_destroy(mem_ctx);
domain->initialized = True;
-
+}
+
+/**********************************************************************
+ Set the domain_flags (trust attributes, domain operating modes, etc...
+***********************************************************************/
+
+static void set_dc_type_and_flags( struct winbindd_domain *domain )
+{
+ /* we always have to contact our primary domain */
+
+ if ( domain->primary ) {
+ DEBUG(10,("set_dc_type_and_flags: setting up flags for "
+ "primary domain\n"));
+ set_dc_type_and_flags_connect( domain );
+ return;
+ }
+
+ /* Use our DC to get the information if possible */
+
+ if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
+ /* Otherwise, fallback to contacting the
+ domain directly */
+ set_dc_type_and_flags_connect( domain );
+ }
+
return;
}
-/* Return a LSA policy handle on a domain */
+/**********************************************************************
+***********************************************************************/
-NTSTATUS cm_get_lsa_handle(struct winbindd_domain *domain, CLI_POLICY_HND **return_hnd)
+static BOOL cm_get_schannel_dcinfo(struct winbindd_domain *domain,
+ struct dcinfo **ppdc)
{
- struct winbindd_cm_conn *conn;
- uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
NTSTATUS result;
- static CLI_POLICY_HND hnd;
+ struct rpc_pipe_client *netlogon_pipe;
- /* Look for existing connections */
+ if (lp_client_schannel() == False) {
+ return False;
+ }
- if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_LSARPC, &conn)))
- return result;
+ result = cm_connect_netlogon(domain, &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ return False;
+ }
- /* This *shitty* code needs scrapping ! JRA */
-
- if (policy_handle_is_valid(&conn->pol)) {
- hnd.pol = conn->pol;
- hnd.cli = conn->cli;
- *return_hnd = &hnd;
+ /* Return a pointer to the struct dcinfo from the
+ netlogon pipe. */
- return NT_STATUS_OK;
- }
-
- result = cli_lsa_open_policy(conn->cli, conn->cli->mem_ctx, False,
- des_access, &conn->pol);
+ *ppdc = domain->conn.netlogon_pipe->dc;
+ return True;
+}
+NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client **cli, POLICY_HND *sam_handle)
+{
+ struct winbindd_cm_conn *conn;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ fstring conn_pwd;
+ struct dcinfo *p_dcinfo;
+
+ result = init_dc_connection(domain);
if (!NT_STATUS_IS_OK(result)) {
- /* Hit the cache code again. This cleans out the old connection and gets a new one */
- if (conn->cli->fd == -1) { /* Try again, if the remote host disapeared */
- if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_LSARPC, &conn)))
- return result;
+ return result;
+ }
- result = cli_lsa_open_policy(conn->cli, conn->cli->mem_ctx, False,
- des_access, &conn->pol);
- }
+ conn = &domain->conn;
- if (!NT_STATUS_IS_OK(result)) {
- cli_shutdown(conn->cli);
- DLIST_REMOVE(cm_conns, conn);
- SAFE_FREE(conn);
- return result;
- }
- }
+ if (conn->samr_pipe != NULL) {
+ goto done;
+ }
- hnd.pol = conn->pol;
- hnd.cli = conn->cli;
+ /*
+ * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
+ * sign and sealed pipe using the machine account password by
+ * preference. If we can't - try schannel, if that fails, try
+ * anonymous.
+ */
+
+ pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
+ if ((conn->cli->user_name[0] == '\0') ||
+ (conn->cli->domain[0] == '\0') ||
+ (conn_pwd[0] == '\0')) {
+ DEBUG(10, ("cm_connect_sam: No no user available for "
+ "domain %s, trying schannel\n", conn->cli->domain));
+ goto schannel;
+ }
- *return_hnd = &hnd;
+ /* We have an authenticated connection. Use a NTLMSSP SPNEGO
+ authenticated SAMR pipe with sign & seal. */
+ conn->samr_pipe =
+ cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ conn->cli->domain,
+ conn->cli->user_name,
+ conn_pwd, &result);
+
+ if (conn->samr_pipe == NULL) {
+ DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
+ "pipe for domain %s using NTLMSSP "
+ "authenticated pipe: user %s\\%s. Error was "
+ "%s\n", domain->name, conn->cli->domain,
+ conn->cli->user_name, nt_errstr(result)));
+ goto schannel;
+ }
- return NT_STATUS_OK;
-}
+ DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
+ "domain %s using NTLMSSP authenticated "
+ "pipe: user %s\\%s\n", domain->name,
+ conn->cli->domain, conn->cli->user_name ));
-/* Return a SAM policy handle on a domain */
+ result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &conn->sam_connect_handle);
+ if (NT_STATUS_IS_OK(result)) {
+ goto open_domain;
+ }
+ DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_connect "
+ "failed for domain %s, error was %s. Trying schannel\n",
+ domain->name, nt_errstr(result) ));
+ cli_rpc_pipe_close(conn->samr_pipe);
-NTSTATUS cm_get_sam_handle(struct winbindd_domain *domain, CLI_POLICY_HND **return_hnd)
-{
- struct winbindd_cm_conn *conn;
- uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
- NTSTATUS result;
- static CLI_POLICY_HND hnd;
+ schannel:
- /* Look for existing connections */
+ /* Fall back to schannel if it's a W2K pre-SP1 box. */
- if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_SAMR, &conn)))
- return result;
-
- /* This *shitty* code needs scrapping ! JRA */
-
- if (policy_handle_is_valid(&conn->pol)) {
- hnd.pol = conn->pol;
- hnd.cli = conn->cli;
-
- *return_hnd = &hnd;
+ if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
+ /* If this call fails - conn->cli can now be NULL ! */
+ DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
+ "for domain %s, trying anon\n", domain->name));
+ goto anonymous;
+ }
+ conn->samr_pipe = cli_rpc_pipe_open_schannel_with_key
+ (conn->cli, PI_SAMR, PIPE_AUTH_LEVEL_PRIVACY,
+ domain->name, p_dcinfo, &result);
+
+ if (conn->samr_pipe == NULL) {
+ DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
+ "domain %s using schannel. Error was %s\n",
+ domain->name, nt_errstr(result) ));
+ goto anonymous;
+ }
+ DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
+ "schannel.\n", domain->name ));
+
+ result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &conn->sam_connect_handle);
+ if (NT_STATUS_IS_OK(result)) {
+ goto open_domain;
+ }
+ DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_connect failed "
+ "for domain %s, error was %s. Trying anonymous\n",
+ domain->name, nt_errstr(result) ));
+ cli_rpc_pipe_close(conn->samr_pipe);
- return NT_STATUS_OK;
+ anonymous:
+
+ /* Finally fall back to anonymous. */
+ conn->samr_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_SAMR,
+ &result);
+
+ if (conn->samr_pipe == NULL) {
+ result = NT_STATUS_PIPE_NOT_AVAILABLE;
+ goto done;
}
-
- result = cli_samr_connect(conn->cli, conn->cli->mem_ctx,
- des_access, &conn->pol);
+ result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &conn->sam_connect_handle);
if (!NT_STATUS_IS_OK(result)) {
- /* Hit the cache code again. This cleans out the old connection and gets a new one */
- if (conn->cli->fd == -1) { /* Try again, if the remote host disapeared */
-
- if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_SAMR, &conn)))
- return result;
-
- result = cli_samr_connect(conn->cli, conn->cli->mem_ctx,
- des_access, &conn->pol);
- }
+ DEBUG(10,("cm_connect_sam: rpccli_samr_connect failed "
+ "for domain %s Error was %s\n",
+ domain->name, nt_errstr(result) ));
+ goto done;
+ }
- if (!NT_STATUS_IS_OK(result)) {
-
- cli_shutdown(conn->cli);
- DLIST_REMOVE(cm_conns, conn);
- SAFE_FREE(conn);
-
- return result;
- }
- }
+ open_domain:
+ result = rpccli_samr_open_domain(conn->samr_pipe,
+ mem_ctx,
+ &conn->sam_connect_handle,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &domain->sid,
+ &conn->sam_domain_handle);
- hnd.pol = conn->pol;
- hnd.cli = conn->cli;
+ done:
- *return_hnd = &hnd;
+ if (!NT_STATUS_IS_OK(result)) {
+ invalidate_cm_connection(conn);
+ return result;
+ }
- return NT_STATUS_OK;
+ *cli = conn->samr_pipe;
+ *sam_handle = conn->sam_domain_handle;
+ return result;
}
-/* Get a handle on a netlogon pipe. This is a bit of a hack to re-use the
- netlogon pipe as no handle is returned. */
-
-NTSTATUS cm_get_netlogon_cli(struct winbindd_domain *domain,
- const unsigned char *trust_passwd,
- uint32 sec_channel_type,
- BOOL fresh,
- struct cli_state **cli)
+NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client **cli, POLICY_HND *lsa_policy)
{
- NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
struct winbindd_cm_conn *conn;
- fstring lock_name;
- BOOL got_mutex;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ fstring conn_pwd;
+ struct dcinfo *p_dcinfo;
- if (!cli)
- return NT_STATUS_INVALID_PARAMETER;
+ result = init_dc_connection(domain);
+ if (!NT_STATUS_IS_OK(result))
+ return result;
- /* Open an initial conection - keep the mutex. */
+ conn = &domain->conn;
- find_cm_connection(domain, PIPE_NETLOGON, &conn);
+ if (conn->lsa_pipe != NULL) {
+ goto done;
+ }
- if ( fresh && (conn != NULL) ) {
- cli_shutdown(conn->cli);
- conn->cli = NULL;
+ pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
+ if ((conn->cli->user_name[0] == '\0') ||
+ (conn->cli->domain[0] == '\0') ||
+ (conn_pwd[0] == '\0')) {
+ DEBUG(10, ("cm_connect_lsa: No no user available for "
+ "domain %s, trying schannel\n", conn->cli->domain));
+ goto schannel;
+ }
- conn = NULL;
+ /* We have an authenticated connection. Use a NTLMSSP SPNEGO
+ * authenticated LSA pipe with sign & seal. */
+ conn->lsa_pipe = cli_rpc_pipe_open_spnego_ntlmssp
+ (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
+ conn->cli->domain, conn->cli->user_name, conn_pwd, &result);
+
+ if (conn->lsa_pipe == NULL) {
+ DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
+ "domain %s using NTLMSSP authenticated pipe: user "
+ "%s\\%s. Error was %s. Trying schannel.\n",
+ domain->name, conn->cli->domain,
+ conn->cli->user_name, nt_errstr(result)));
+ goto schannel;
+ }
- /* purge connection from cache */
- find_cm_connection(domain, PIPE_NETLOGON, &conn);
- if (conn != NULL) {
- DEBUG(0,("Could not purge connection\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
+ DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
+ "NTLMSSP authenticated pipe: user %s\\%s\n",
+ domain->name, conn->cli->domain, conn->cli->user_name ));
+
+ result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &conn->lsa_policy);
+ if (NT_STATUS_IS_OK(result)) {
+ goto done;
}
- if (conn != NULL) {
- *cli = conn->cli;
- return NT_STATUS_OK;
+ DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
+ "schannel\n"));
+
+ cli_rpc_pipe_close(conn->lsa_pipe);
+
+ schannel:
+
+ /* Fall back to schannel if it's a W2K pre-SP1 box. */
+
+ if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
+ /* If this call fails - conn->cli can now be NULL ! */
+ DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
+ "for domain %s, trying anon\n", domain->name));
+ goto anonymous;
+ }
+ conn->lsa_pipe = cli_rpc_pipe_open_schannel_with_key
+ (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
+ domain->name, p_dcinfo, &result);
+
+ if (conn->lsa_pipe == NULL) {
+ DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
+ "domain %s using schannel. Error was %s\n",
+ domain->name, nt_errstr(result) ));
+ goto anonymous;
}
+ DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
+ "schannel.\n", domain->name ));
- result = new_cm_connection(domain, PIPE_NETLOGON, &conn);
+ result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &conn->lsa_policy);
+ if (NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
- if (!NT_STATUS_IS_OK(result))
- return result;
-
- fstr_sprintf(lock_name, "NETLOGON\\%s", conn->controller);
+ DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
+ "anonymous\n"));
- if (!(got_mutex = secrets_named_mutex(lock_name, WINBIND_SERVER_MUTEX_WAIT_TIME))) {
- DEBUG(0,("cm_get_netlogon_cli: mutex grab failed for %s\n", conn->controller));
+ cli_rpc_pipe_close(conn->lsa_pipe);
+
+ anonymous:
+
+ conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_LSARPC,
+ &result);
+ if (conn->lsa_pipe == NULL) {
+ result = NT_STATUS_PIPE_NOT_AVAILABLE;
+ goto done;
}
-
- if ( sec_channel_type == SEC_CHAN_DOMAIN )
- fstr_sprintf(conn->cli->mach_acct, "%s$", lp_workgroup());
-
- /* This must be the remote domain (not ours) for schannel */
- fstrcpy( conn->cli->domain, domain->name);
-
- result = cli_nt_establish_netlogon(conn->cli, sec_channel_type, trust_passwd);
-
- if (got_mutex)
- secrets_named_mutex_release(lock_name);
-
+ result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &conn->lsa_policy);
+ done:
if (!NT_STATUS_IS_OK(result)) {
- cli_shutdown(conn->cli);
- DLIST_REMOVE(cm_conns, conn);
- SAFE_FREE(conn);
+ invalidate_cm_connection(conn);
return result;
}
- *cli = conn->cli;
-
+ *cli = conn->lsa_pipe;
+ *lsa_policy = conn->lsa_policy;
return result;
}
-/* Dump the current connection status */
+/****************************************************************************
+ Open the netlogon pipe to this DC. Use schannel if specified in client conf.
+ session key stored in conn->netlogon_pipe->dc->sess_key.
+****************************************************************************/
-static void dump_conn_list(void)
+NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ struct rpc_pipe_client **cli)
{
- struct winbindd_cm_conn *con;
+ struct winbindd_cm_conn *conn;
+ NTSTATUS result;
- DEBUG(0, ("\tDomain Controller Pipe\n"));
+ uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
+ uint8 mach_pwd[16];
+ uint32 sec_chan_type;
+ const char *account_name;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
- for(con = cm_conns; con; con = con->next) {
- char *msg;
+ *cli = NULL;
- /* Display pipe info */
-
- if (asprintf(&msg, "\t%-15s %-15s %-16s", con->domain, con->controller, con->pipe_name) < 0) {
- DEBUG(0, ("Error: not enough memory!\n"));
- } else {
- DEBUG(0, ("%s\n", msg));
- SAFE_FREE(msg);
- }
+ result = init_dc_connection(domain);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
}
-}
-void winbindd_cm_status(void)
-{
- /* List open connections */
+ conn = &domain->conn;
- DEBUG(0, ("winbindd connection manager status:\n"));
+ if (conn->netlogon_pipe != NULL) {
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
+ }
- if (cm_conns)
- dump_conn_list();
- else
- DEBUG(0, ("\tNo active connections\n"));
-}
+ if (domain->primary && !get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
-/* Close all cached connections */
+ netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
+ &result);
+ if (netlogon_pipe == NULL) {
+ return result;
+ }
-void winbindd_cm_flush(void)
-{
- struct winbindd_cm_conn *conn, tmp;
+ if ( !domain->primary ) {
+ /* Clear the schannel request bit and drop down */
+ neg_flags &= ~NETLOGON_NEG_SCHANNEL;
+ goto no_schannel;
+ }
+
+ if (lp_client_schannel() != False) {
+ neg_flags |= NETLOGON_NEG_SCHANNEL;
+ }
+
+ /* if we are a DC and this is a trusted domain, then we need to use our
+ domain name in the net_req_auth2() request */
+
+ if ( IS_DC
+ && !strequal(domain->name, lp_workgroup())
+ && lp_allow_trusted_domains() )
+ {
+ account_name = lp_workgroup();
+ } else {
+ account_name = domain->primary ?
+ global_myname() : domain->name;
+ }
- /* Flush connection cache */
+ if (account_name == NULL) {
+ cli_rpc_pipe_close(netlogon_pipe);
+ return NT_STATUS_NO_MEMORY;
+ }
- for (conn = cm_conns; conn; conn = conn->next) {
+ result = rpccli_netlogon_setup_creds(
+ netlogon_pipe,
+ domain->dcname, /* server name. */
+ domain->name, /* domain name */
+ global_myname(), /* client name */
+ account_name, /* machine account */
+ mach_pwd, /* machine password */
+ sec_chan_type, /* from get_trust_pw */
+ &neg_flags);
- if (!connection_ok(conn))
- continue;
+ if (!NT_STATUS_IS_OK(result)) {
+ cli_rpc_pipe_close(netlogon_pipe);
+ return result;
+ }
- DEBUG(10, ("Closing connection to %s on %s\n",
- conn->pipe_name, conn->controller));
+ if ((lp_client_schannel() == True) &&
+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ DEBUG(3, ("Server did not offer schannel\n"));
+ cli_rpc_pipe_close(netlogon_pipe);
+ return NT_STATUS_ACCESS_DENIED;
+ }
- if (conn->cli)
- cli_shutdown(conn->cli);
+ no_schannel:
+ if ((lp_client_schannel() == False) ||
+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
- tmp.next = conn->next;
+ /*
+ * NetSamLogonEx only works for schannel
+ */
+ domain->can_do_samlogon_ex = False;
- DLIST_REMOVE(cm_conns, conn);
- SAFE_FREE(conn);
- conn = &tmp;
+ /* We're done - just keep the existing connection to NETLOGON
+ * open */
+ conn->netlogon_pipe = netlogon_pipe;
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
}
- /* Flush failed connection cache */
+ /* Using the credentials from the first pipe, open a signed and sealed
+ second netlogon pipe. The session key is stored in the schannel
+ part of the new pipe auth struct.
+ */
+
+ conn->netlogon_pipe =
+ cli_rpc_pipe_open_schannel_with_key(conn->cli,
+ PI_NETLOGON,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ domain->name,
+ netlogon_pipe->dc,
+ &result);
+
+ /* We can now close the initial netlogon pipe. */
+ cli_rpc_pipe_close(netlogon_pipe);
+
+ if (conn->netlogon_pipe == NULL) {
+ DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
+ "was %s\n", nt_errstr(result)));
+
+ /* make sure we return something besides OK */
+ return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
+ }
- flush_negative_conn_cache();
+ /*
+ * Try NetSamLogonEx for AD domains
+ */
+ domain->can_do_samlogon_ex = domain->active_directory;
+
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
}