search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4: lib: auth: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that...
[Samba.git] / source3 / winbindd / winbindd_cm.c
blobee4b4822049f50d53f460268fb992af8b7340f4a
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon connection manager
5
6 Copyright (C) Tim Potter 2001
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Gerald (Jerry) Carter 2003-2005.
9 Copyright (C) Volker Lendecke 2004-2005
10 Copyright (C) Jeremy Allison 2006
11
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27 We need to manage connections to domain controllers without having to
28 mess up the main winbindd code with other issues. The aim of the
29 connection manager is to:
30
31 - make connections to domain controllers and cache them
32 - re-establish connections when networks or servers go down
33 - centralise the policy on connection timeouts, domain controller
34 selection etc
35 - manage re-entrancy for when winbindd becomes able to handle
36 multiple outstanding rpc requests
37
38 Why not have connection management as part of the rpc layer like tng?
39 Good question. This code may morph into libsmb/rpc_cache.c or something
40 like that but at the moment it's simply staying as part of winbind. I
41 think the TNG architecture of forcing every user of the rpc layer to use
42 the connection caching system is a bad idea. It should be an optional
43 method of using the routines.
44
45 The TNG design is quite good but I disagree with some aspects of the
46 implementation. -tpot
47
48 */
49
50 /*
51 TODO:
52
53 - I'm pretty annoyed by all the make_nmb_name() stuff. It should be
54 moved down into another function.
55
56 - Take care when destroying cli_structs as they can be shared between
57 various sam handles.
58
59 */
60
61 #include "includes.h"
62 #include "winbindd.h"
63 #include "../libcli/auth/libcli_auth.h"
64 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
65 #include "rpc_client/cli_pipe.h"
66 #include "rpc_client/cli_netlogon.h"
67 #include "../librpc/gen_ndr/ndr_samr_c.h"
68 #include "../librpc/gen_ndr/ndr_lsa_c.h"
69 #include "rpc_client/cli_lsarpc.h"
70 #include "../librpc/gen_ndr/ndr_dssetup_c.h"
71 #include "libads/sitename_cache.h"
72 #include "libsmb/libsmb.h"
73 #include "libsmb/clidgram.h"
74 #include "ads.h"
75 #include "secrets.h"
76 #include "../libcli/security/security.h"
77 #include "passdb.h"
78 #include "messages.h"
79 #include "auth/gensec/gensec.h"
80 #include "../libcli/smb/smbXcli_base.h"
81 #include "lib/param/loadparm.h"
82
83 #undef DBGC_CLASS
84 #define DBGC_CLASS DBGC_WINBIND
85
86 struct dc_name_ip {
87 fstring name;
88 struct sockaddr_storage ss;
89 };
90
91 extern struct winbindd_methods reconnect_methods;
92 extern bool override_logfile;
93
94 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
95 static void set_dc_type_and_flags( struct winbindd_domain *domain );
96 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
97 struct dc_name_ip **dcs, int *num_dcs);
98
99 /****************************************************************
100 Child failed to find DC's. Reschedule check.
101 ****************************************************************/
102
103 static void msg_failed_to_go_online(struct messaging_context *msg,
104 void *private_data,
105 uint32_t msg_type,
106 struct server_id server_id,
107 DATA_BLOB *data)
108 {
109 struct winbindd_domain *domain;
110 const char *domainname = (const char *)data->data;
111
112 if (data->data == NULL || data->length == 0) {
113 return;
114 }
115
116 DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
117
118 for (domain = domain_list(); domain; domain = domain->next) {
119 if (domain->internal) {
120 continue;
121 }
122
123 if (strequal(domain->name, domainname)) {
124 if (domain->online) {
125 /* We're already online, ignore. */
126 DEBUG(5,("msg_fail_to_go_online: domain %s "
127 "already online.\n", domainname));
128 continue;
129 }
130
131 /* Reschedule the online check. */
132 set_domain_offline(domain);
133 break;
134 }
135 }
136 }
137
138 /****************************************************************
139 Actually cause a reconnect from a message.
140 ****************************************************************/
141
142 static void msg_try_to_go_online(struct messaging_context *msg,
143 void *private_data,
144 uint32_t msg_type,
145 struct server_id server_id,
146 DATA_BLOB *data)
147 {
148 struct winbindd_domain *domain;
149 const char *domainname = (const char *)data->data;
150
151 if (data->data == NULL || data->length == 0) {
152 return;
153 }
154
155 DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
156
157 for (domain = domain_list(); domain; domain = domain->next) {
158 if (domain->internal) {
159 continue;
160 }
161
162 if (strequal(domain->name, domainname)) {
163
164 if (domain->online) {
165 /* We're already online, ignore. */
166 DEBUG(5,("msg_try_to_go_online: domain %s "
167 "already online.\n", domainname));
168 continue;
169 }
170
171 /* This call takes care of setting the online
172 flag to true if we connected, or re-adding
173 the offline handler if false. Bypasses online
174 check so always does network calls. */
175
176 init_dc_connection_network(domain);
177 break;
178 }
179 }
180 }
181
182 /****************************************************************
183 Fork a child to try and contact a DC. Do this as contacting a
184 DC requires blocking lookups and we don't want to block our
185 parent.
186 ****************************************************************/
187
188 static bool fork_child_dc_connect(struct winbindd_domain *domain)
189 {
190 struct dc_name_ip *dcs = NULL;
191 int num_dcs = 0;
192 TALLOC_CTX *mem_ctx = NULL;
193 pid_t parent_pid = getpid();
194 char *lfile = NULL;
195 NTSTATUS status;
196
197 if (domain->dc_probe_pid != (pid_t)-1) {
198 /*
199 * We might already have a DC probe
200 * child working, check.
201 */
202 if (process_exists_by_pid(domain->dc_probe_pid)) {
203 DEBUG(10,("fork_child_dc_connect: pid %u already "
204 "checking for DC's.\n",
205 (unsigned int)domain->dc_probe_pid));
206 return true;
207 }
208 domain->dc_probe_pid = (pid_t)-1;
209 }
210
211 domain->dc_probe_pid = fork();
212
213 if (domain->dc_probe_pid == (pid_t)-1) {
214 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
215 return False;
216 }
217
218 if (domain->dc_probe_pid != (pid_t)0) {
219 /* Parent */
220 messaging_register(winbind_messaging_context(), NULL,
221 MSG_WINBIND_TRY_TO_GO_ONLINE,
222 msg_try_to_go_online);
223 messaging_register(winbind_messaging_context(), NULL,
224 MSG_WINBIND_FAILED_TO_GO_ONLINE,
225 msg_failed_to_go_online);
226 return True;
227 }
228
229 /* Child. */
230
231 /* Leave messages blocked - we will never process one. */
232
233 if (!override_logfile) {
234 if (asprintf(&lfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) == -1) {
235 DEBUG(0, ("fork_child_dc_connect: out of memory.\n"));
236 _exit(1);
237 }
238 }
239
240 status = winbindd_reinit_after_fork(NULL, lfile);
241 if (!NT_STATUS_IS_OK(status)) {
242 DEBUG(1, ("winbindd_reinit_after_fork failed: %s\n",
243 nt_errstr(status)));
244 messaging_send_buf(winbind_messaging_context(),
245 pid_to_procid(parent_pid),
246 MSG_WINBIND_FAILED_TO_GO_ONLINE,
247 (const uint8_t *)domain->name,
248 strlen(domain->name)+1);
249 _exit(1);
250 }
251 SAFE_FREE(lfile);
252
253 mem_ctx = talloc_init("fork_child_dc_connect");
254 if (!mem_ctx) {
255 DEBUG(0,("talloc_init failed.\n"));
256 messaging_send_buf(winbind_messaging_context(),
257 pid_to_procid(parent_pid),
258 MSG_WINBIND_FAILED_TO_GO_ONLINE,
259 (const uint8_t *)domain->name,
260 strlen(domain->name)+1);
261 _exit(1);
262 }
263
264 if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
265 /* Still offline ? Can't find DC's. */
266 messaging_send_buf(winbind_messaging_context(),
267 pid_to_procid(parent_pid),
268 MSG_WINBIND_FAILED_TO_GO_ONLINE,
269 (const uint8_t *)domain->name,
270 strlen(domain->name)+1);
271 _exit(0);
272 }
273
274 /* We got a DC. Send a message to our parent to get it to
275 try and do the same. */
276
277 messaging_send_buf(winbind_messaging_context(),
278 pid_to_procid(parent_pid),
279 MSG_WINBIND_TRY_TO_GO_ONLINE,
280 (const uint8_t *)domain->name,
281 strlen(domain->name)+1);
282 _exit(0);
283 }
284
285 /****************************************************************
286 Handler triggered if we're offline to try and detect a DC.
287 ****************************************************************/
288
289 static void check_domain_online_handler(struct tevent_context *ctx,
290 struct tevent_timer *te,
291 struct timeval now,
292 void *private_data)
293 {
294 struct winbindd_domain *domain =
295 (struct winbindd_domain *)private_data;
296
297 DEBUG(10,("check_domain_online_handler: called for domain "
298 "%s (online = %s)\n", domain->name,
299 domain->online ? "True" : "False" ));
300
301 TALLOC_FREE(domain->check_online_event);
302
303 /* Are we still in "startup" mode ? */
304
305 if (domain->startup && (time_mono(NULL) > domain->startup_time + 30)) {
306 /* No longer in "startup" mode. */
307 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
308 domain->name ));
309 domain->startup = False;
310 }
311
312 /* We've been told to stay offline, so stay
313 that way. */
314
315 if (get_global_winbindd_state_offline()) {
316 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
317 domain->name ));
318 return;
319 }
320
321 /* Fork a child to test if it can contact a DC.
322 If it can then send ourselves a message to
323 cause a reconnect. */
324
325 fork_child_dc_connect(domain);
326 }
327
328 /****************************************************************
329 If we're still offline setup the timeout check.
330 ****************************************************************/
331
332 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
333 {
334 int wbr = lp_winbind_reconnect_delay();
335
336 if (domain->startup) {
337 domain->check_online_timeout = 10;
338 } else if (domain->check_online_timeout < wbr) {
339 domain->check_online_timeout = wbr;
340 }
341 }
342
343 void winbind_msg_domain_offline(struct messaging_context *msg_ctx,
344 void *private_data,
345 uint32_t msg_type,
346 struct server_id server_id,
347 DATA_BLOB *data)
348 {
349 const char *domain_name = (const char *)data->data;
350 struct winbindd_domain *domain;
351
352 domain = find_domain_from_name_noinit(domain_name);
353 if (domain == NULL) {
354 return;
355 }
356
357 domain->online = false;
358
359 DEBUG(10, ("Domain %s is marked as offline now.\n",
360 domain_name));
361 }
362
363 void winbind_msg_domain_online(struct messaging_context *msg_ctx,
364 void *private_data,
365 uint32_t msg_type,
366 struct server_id server_id,
367 DATA_BLOB *data)
368 {
369 const char *domain_name = (const char *)data->data;
370 struct winbindd_domain *domain;
371
372 domain = find_domain_from_name_noinit(domain_name);
373 if (domain == NULL) {
374 return;
375 }
376
377 domain->online = true;
378
379 DEBUG(10, ("Domain %s is marked as online now.\n",
380 domain_name));
381 }
382
383 /****************************************************************
384 Set domain offline and also add handler to put us back online
385 if we detect a DC.
386 ****************************************************************/
387
388 void set_domain_offline(struct winbindd_domain *domain)
389 {
390 pid_t parent_pid = getppid();
391
392 DEBUG(10,("set_domain_offline: called for domain %s\n",
393 domain->name ));
394
395 TALLOC_FREE(domain->check_online_event);
396
397 if (domain->internal) {
398 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
399 domain->name ));
400 return;
401 }
402
403 domain->online = False;
404
405 /* Offline domains are always initialized. They're
406 re-initialized when they go back online. */
407
408 domain->initialized = True;
409
410 /* We only add the timeout handler that checks and
411 allows us to go back online when we've not
412 been told to remain offline. */
413
414 if (get_global_winbindd_state_offline()) {
415 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
416 domain->name ));
417 return;
418 }
419
420 /* If we're in startup mode, check again in 10 seconds, not in
421 lp_winbind_reconnect_delay() seconds (which is 30 seconds by default). */
422
423 calc_new_online_timeout_check(domain);
424
425 domain->check_online_event = tevent_add_timer(winbind_event_context(),
426 NULL,
427 timeval_current_ofs(domain->check_online_timeout,0),
428 check_domain_online_handler,
429 domain);
430
431 /* The above *has* to succeed for winbindd to work. */
432 if (!domain->check_online_event) {
433 smb_panic("set_domain_offline: failed to add online handler");
434 }
435
436 DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
437 domain->name ));
438
439 /* Send a message to the parent that the domain is offline. */
440 if (parent_pid > 1 && !domain->internal) {
441 messaging_send_buf(winbind_messaging_context(),
442 pid_to_procid(parent_pid),
443 MSG_WINBIND_DOMAIN_OFFLINE,
444 (uint8 *)domain->name,
445 strlen(domain->name) + 1);
446 }
447
448 /* Send an offline message to the idmap child when our
449 primary domain goes offline */
450
451 if ( domain->primary ) {
452 struct winbindd_child *idmap = idmap_child();
453
454 if ( idmap->pid != 0 ) {
455 messaging_send_buf(winbind_messaging_context(),
456 pid_to_procid(idmap->pid),
457 MSG_WINBIND_OFFLINE,
458 (const uint8_t *)domain->name,
459 strlen(domain->name)+1);
460 }
461 }
462
463 return;
464 }
465
466 /****************************************************************
467 Set domain online - if allowed.
468 ****************************************************************/
469
470 static void set_domain_online(struct winbindd_domain *domain)
471 {
472 pid_t parent_pid = getppid();
473
474 DEBUG(10,("set_domain_online: called for domain %s\n",
475 domain->name ));
476
477 if (domain->internal) {
478 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
479 domain->name ));
480 return;
481 }
482
483 if (get_global_winbindd_state_offline()) {
484 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
485 domain->name ));
486 return;
487 }
488
489 winbindd_set_locator_kdc_envs(domain);
490
491 /* If we are waiting to get a krb5 ticket, trigger immediately. */
492 ccache_regain_all_now();
493
494 /* Ok, we're out of any startup mode now... */
495 domain->startup = False;
496
497 if (domain->online == False) {
498 /* We were offline - now we're online. We default to
499 using the MS-RPC backend if we started offline,
500 and if we're going online for the first time we
501 should really re-initialize the backends and the
502 checks to see if we're talking to an AD or NT domain.
503 */
504
505 domain->initialized = False;
506
507 /* 'reconnect_methods' is the MS-RPC backend. */
508 if (domain->backend == &reconnect_methods) {
509 domain->backend = NULL;
510 }
511 }
512
513 /* Ensure we have no online timeout checks. */
514 domain->check_online_timeout = 0;
515 TALLOC_FREE(domain->check_online_event);
516
517 /* Ensure we ignore any pending child messages. */
518 messaging_deregister(winbind_messaging_context(),
519 MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
520 messaging_deregister(winbind_messaging_context(),
521 MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
522
523 domain->online = True;
524
525 /* Send a message to the parent that the domain is online. */
526 if (parent_pid > 1 && !domain->internal) {
527 messaging_send_buf(winbind_messaging_context(),
528 pid_to_procid(parent_pid),
529 MSG_WINBIND_DOMAIN_ONLINE,
530 (uint8 *)domain->name,
531 strlen(domain->name) + 1);
532 }
533
534 /* Send an online message to the idmap child when our
535 primary domain comes online */
536
537 if ( domain->primary ) {
538 struct winbindd_child *idmap = idmap_child();
539
540 if ( idmap->pid != 0 ) {
541 messaging_send_buf(winbind_messaging_context(),
542 pid_to_procid(idmap->pid),
543 MSG_WINBIND_ONLINE,
544 (const uint8_t *)domain->name,
545 strlen(domain->name)+1);
546 }
547 }
548
549 return;
550 }
551
552 /****************************************************************
553 Requested to set a domain online.
554 ****************************************************************/
555
556 void set_domain_online_request(struct winbindd_domain *domain)
557 {
558 struct timeval tev;
559
560 DEBUG(10,("set_domain_online_request: called for domain %s\n",
561 domain->name ));
562
563 if (get_global_winbindd_state_offline()) {
564 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
565 domain->name ));
566 return;
567 }
568
569 if (domain->internal) {
570 DEBUG(10, ("set_domain_online_request: Internal domains are "
571 "always online\n"));
572 return;
573 }
574
575 /* We've been told it's safe to go online and
576 try and connect to a DC. But I don't believe it
577 because network manager seems to lie.
578 Wait at least 5 seconds. Heuristics suck... */
579
580
581 GetTimeOfDay(&tev);
582
583 /* Go into "startup" mode again. */
584 domain->startup_time = time_mono(NULL);
585 domain->startup = True;
586
587 tev.tv_sec += 5;
588
589 if (!domain->check_online_event) {
590 /* If we've come from being globally offline we
591 don't have a check online event handler set.
592 We need to add one now we're trying to go
593 back online. */
594
595 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
596 domain->name ));
597 }
598
599 TALLOC_FREE(domain->check_online_event);
600
601 domain->check_online_event = tevent_add_timer(winbind_event_context(),
602 NULL,
603 tev,
604 check_domain_online_handler,
605 domain);
606
607 /* The above *has* to succeed for winbindd to work. */
608 if (!domain->check_online_event) {
609 smb_panic("set_domain_online_request: failed to add online handler");
610 }
611 }
612
613 /****************************************************************
614 Add -ve connection cache entries for domain and realm.
615 ****************************************************************/
616
617 static void winbind_add_failed_connection_entry(
618 const struct winbindd_domain *domain,
619 const char *server,
620 NTSTATUS result)
621 {
622 add_failed_connection_entry(domain->name, server, result);
623 /* If this was the saf name for the last thing we talked to,
624 remove it. */
625 saf_delete(domain->name);
626 if (domain->alt_name != NULL) {
627 add_failed_connection_entry(domain->alt_name, server, result);
628 saf_delete(domain->alt_name);
629 }
630 winbindd_unset_locator_kdc_env(domain);
631 }
632
633 /* Choose between anonymous or authenticated connections. We need to use
634 an authenticated connection if DCs have the RestrictAnonymous registry
635 entry set > 0, or the "Additional restrictions for anonymous
636 connections" set in the win2k Local Security Policy.
637
638 Caller to free() result in domain, username, password
639 */
640
641 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
642 {
643 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
644 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
645 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
646
647 if (*username && **username) {
648
649 if (!*domain || !**domain)
650 *domain = smb_xstrdup(lp_workgroup());
651
652 if (!*password || !**password)
653 *password = smb_xstrdup("");
654
655 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
656 *domain, *username));
657
658 } else {
659 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
660 *username = smb_xstrdup("");
661 *domain = smb_xstrdup("");
662 *password = smb_xstrdup("");
663 }
664 }
665
666 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
667 fstring dcname,
668 struct sockaddr_storage *dc_ss)
669 {
670 struct winbindd_domain *our_domain = NULL;
671 struct rpc_pipe_client *netlogon_pipe = NULL;
672 NTSTATUS result;
673 WERROR werr;
674 TALLOC_CTX *mem_ctx;
675 unsigned int orig_timeout;
676 const char *tmp = NULL;
677 const char *p;
678 struct dcerpc_binding_handle *b;
679
680 /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
681 * moment.... */
682
683 if (IS_DC) {
684 return False;
685 }
686
687 if (domain->primary) {
688 return False;
689 }
690
691 our_domain = find_our_domain();
692
693 if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
694 return False;
695 }
696
697 result = cm_connect_netlogon(our_domain, &netlogon_pipe);
698 if (!NT_STATUS_IS_OK(result)) {
699 talloc_destroy(mem_ctx);
700 return False;
701 }
702
703 b = netlogon_pipe->binding_handle;
704
705 /* This call can take a long time - allow the server to time out.
706 35 seconds should do it. */
707
708 orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
709
710 if (our_domain->active_directory) {
711 struct netr_DsRGetDCNameInfo *domain_info = NULL;
712
713 result = dcerpc_netr_DsRGetDCName(b,
714 mem_ctx,
715 our_domain->dcname,
716 domain->name,
717 NULL,
718 NULL,
719 DS_RETURN_DNS_NAME,
720 &domain_info,
721 &werr);
722 if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
723 tmp = talloc_strdup(
724 mem_ctx, domain_info->dc_unc);
725 if (tmp == NULL) {
726 DEBUG(0, ("talloc_strdup failed\n"));
727 talloc_destroy(mem_ctx);
728 return false;
729 }
730 if (domain->alt_name == NULL) {
731 domain->alt_name = talloc_strdup(domain,
732 domain_info->domain_name);
733 if (domain->alt_name == NULL) {
734 DEBUG(0, ("talloc_strdup failed\n"));
735 talloc_destroy(mem_ctx);
736 return false;
737 }
738 }
739 if (domain->forest_name == NULL) {
740 domain->forest_name = talloc_strdup(domain,
741 domain_info->forest_name);
742 if (domain->forest_name == NULL) {
743 DEBUG(0, ("talloc_strdup failed\n"));
744 talloc_destroy(mem_ctx);
745 return false;
746 }
747 }
748 }
749 } else {
750 result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
751 our_domain->dcname,
752 domain->name,
753 &tmp,
754 &werr);
755 }
756
757 /* And restore our original timeout. */
758 rpccli_set_timeout(netlogon_pipe, orig_timeout);
759
760 if (!NT_STATUS_IS_OK(result)) {
761 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
762 nt_errstr(result)));
763 talloc_destroy(mem_ctx);
764 return false;
765 }
766
767 if (!W_ERROR_IS_OK(werr)) {
768 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
769 win_errstr(werr)));
770 talloc_destroy(mem_ctx);
771 return false;
772 }
773
774 /* dcerpc_netr_GetAnyDCName gives us a name with \\ */
775 p = strip_hostname(tmp);
776
777 fstrcpy(dcname, p);
778
779 talloc_destroy(mem_ctx);
780
781 DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
782
783 if (!resolve_name(dcname, dc_ss, 0x20, true)) {
784 return False;
785 }
786
787 return True;
788 }
789
790 /**
791 * Helper function to assemble trust password and account name
792 */
793 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
794 char **machine_password,
795 char **machine_account,
796 char **machine_krb5_principal)
797 {
798 const char *account_name;
799 const char *name = NULL;
800
801 /* If we are a DC and this is not our own domain */
802
803 if (IS_DC) {
804 name = domain->name;
805 } else {
806 struct winbindd_domain *our_domain = find_our_domain();
807
808 if (!our_domain)
809 return NT_STATUS_INVALID_SERVER_STATE;
810
811 name = our_domain->name;
812 }
813
814 if (!get_trust_pw_clear(name, machine_password,
815 &account_name, NULL))
816 {
817 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
818 }
819
820 if ((machine_account != NULL) &&
821 (asprintf(machine_account, "%s$", account_name) == -1))
822 {
823 return NT_STATUS_NO_MEMORY;
824 }
825
826 /* For now assume our machine account only exists in our domain */
827
828 if (machine_krb5_principal != NULL)
829 {
830 struct winbindd_domain *our_domain = find_our_domain();
831
832 if (!our_domain) {
833 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
834 }
835
836 if (our_domain->alt_name == NULL) {
837 return NT_STATUS_INVALID_PARAMETER;
838 }
839
840 if (asprintf(machine_krb5_principal, "%s$@%s",
841 account_name, our_domain->alt_name) == -1)
842 {
843 return NT_STATUS_NO_MEMORY;
844 }
845
846 if (!strupper_m(*machine_krb5_principal)) {
847 SAFE_FREE(machine_krb5_principal);
848 return NT_STATUS_INVALID_PARAMETER;
849 }
850 }
851
852 return NT_STATUS_OK;
853 }
854
855 /************************************************************************
856 Given a fd with a just-connected TCP connection to a DC, open a connection
857 to the pipe.
858 ************************************************************************/
859
860 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
861 const int sockfd,
862 const char *controller,
863 struct cli_state **cli,
864 bool *retry)
865 {
866 bool try_spnego = false;
867 bool try_ipc_auth = false;
868 char *machine_password = NULL;
869 char *machine_krb5_principal = NULL;
870 char *machine_account = NULL;
871 char *ipc_username = NULL;
872 char *ipc_domain = NULL;
873 char *ipc_password = NULL;
874 int flags = 0;
875 uint16_t sec_mode = 0;
876
877 struct named_mutex *mutex;
878
879 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
880
881 DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
882 controller, domain->name ));
883
884 *retry = True;
885
886 mutex = grab_named_mutex(talloc_tos(), controller,
887 WINBIND_SERVER_MUTEX_WAIT_TIME);
888 if (mutex == NULL) {
889 close(sockfd);
890 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
891 controller));
892 result = NT_STATUS_POSSIBLE_DEADLOCK;
893 goto done;
894 }
895
896 flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
897
898 *cli = cli_state_create(NULL, sockfd,
899 controller, domain->alt_name,
900 SMB_SIGNING_DEFAULT, flags);
901 if (*cli == NULL) {
902 close(sockfd);
903 DEBUG(1, ("Could not cli_initialize\n"));
904 result = NT_STATUS_NO_MEMORY;
905 goto done;
906 }
907
908 cli_set_timeout(*cli, 10000); /* 10 seconds */
909
910 result = smbXcli_negprot((*cli)->conn, (*cli)->timeout,
911 lp_cli_minprotocol(),
912 lp_cli_maxprotocol());
913
914 if (!NT_STATUS_IS_OK(result)) {
915 DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
916 goto done;
917 }
918
919 if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_NT1 &&
920 smb1cli_conn_capabilities((*cli)->conn) & CAP_EXTENDED_SECURITY) {
921 try_spnego = true;
922 } else if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
923 try_spnego = true;
924 }
925
926 if (!is_dc_trusted_domain_situation(domain->name) && try_spnego) {
927 result = get_trust_creds(domain, &machine_password,
928 &machine_account,
929 &machine_krb5_principal);
930 if (!NT_STATUS_IS_OK(result)) {
931 goto anon_fallback;
932 }
933
934 if (lp_security() == SEC_ADS) {
935
936 /* Try a krb5 session */
937
938 (*cli)->use_kerberos = True;
939 DEBUG(5, ("connecting to %s from %s with kerberos principal "
940 "[%s] and realm [%s]\n", controller, lp_netbios_name(),
941 machine_krb5_principal, domain->alt_name));
942
943 winbindd_set_locator_kdc_envs(domain);
944
945 result = cli_session_setup(*cli,
946 machine_krb5_principal,
947 machine_password,
948 strlen(machine_password)+1,
949 machine_password,
950 strlen(machine_password)+1,
951 lp_workgroup());
952
953 if (!NT_STATUS_IS_OK(result)) {
954 DEBUG(4,("failed kerberos session setup with %s\n",
955 nt_errstr(result)));
956 }
957
958 if (NT_STATUS_IS_OK(result)) {
959 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
960 result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
961 if (!NT_STATUS_IS_OK(result)) {
962 goto done;
963 }
964 goto session_setup_done;
965 }
966 }
967
968 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
969 (*cli)->use_kerberos = False;
970
971 DEBUG(5, ("connecting to %s from %s with username "
972 "[%s]\\[%s]\n", controller, lp_netbios_name(),
973 lp_workgroup(), machine_account));
974
975 result = cli_session_setup(*cli,
976 machine_account,
977 machine_password,
978 strlen(machine_password)+1,
979 machine_password,
980 strlen(machine_password)+1,
981 lp_workgroup());
982 if (!NT_STATUS_IS_OK(result)) {
983 DEBUG(4, ("authenticated session setup failed with %s\n",
984 nt_errstr(result)));
985 }
986
987 if (NT_STATUS_IS_OK(result)) {
988 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
989 result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
990 if (!NT_STATUS_IS_OK(result)) {
991 goto done;
992 }
993 goto session_setup_done;
994 }
995 }
996
997 /* Fall back to non-kerberos session setup with auth_user */
998
999 (*cli)->use_kerberos = False;
1000
1001 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
1002
1003 sec_mode = smb1cli_conn_server_security_mode((*cli)->conn);
1004
1005 try_ipc_auth = false;
1006 if (try_spnego) {
1007 try_ipc_auth = true;
1008 } else if (sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
1009 try_ipc_auth = true;
1010 }
1011
1012 if (try_ipc_auth && (strlen(ipc_username) > 0)) {
1013
1014 /* Only try authenticated if we have a username */
1015
1016 DEBUG(5, ("connecting to %s from %s with username "
1017 "[%s]\\[%s]\n", controller, lp_netbios_name(),
1018 ipc_domain, ipc_username));
1019
1020 if (NT_STATUS_IS_OK(cli_session_setup(
1021 *cli, ipc_username,
1022 ipc_password, strlen(ipc_password)+1,
1023 ipc_password, strlen(ipc_password)+1,
1024 ipc_domain))) {
1025 /* Successful logon with given username. */
1026 result = cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
1027 if (!NT_STATUS_IS_OK(result)) {
1028 goto done;
1029 }
1030 goto session_setup_done;
1031 } else {
1032 DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
1033 ipc_domain, ipc_username ));
1034 }
1035 }
1036
1037 anon_fallback:
1038
1039 /* Fall back to anonymous connection, this might fail later */
1040 DEBUG(10,("cm_prepare_connection: falling back to anonymous "
1041 "connection for DC %s\n",
1042 controller ));
1043
1044 result = cli_session_setup(*cli, "", NULL, 0, NULL, 0, "");
1045 if (NT_STATUS_IS_OK(result)) {
1046 DEBUG(5, ("Connected anonymously\n"));
1047 result = cli_init_creds(*cli, "", "", "");
1048 if (!NT_STATUS_IS_OK(result)) {
1049 goto done;
1050 }
1051 goto session_setup_done;
1052 }
1053
1054 /* We can't session setup */
1055 goto done;
1056
1057 session_setup_done:
1058
1059 /*
1060 * This should be a short term hack until
1061 * dynamic re-authentication is implemented.
1062 *
1063 * See Bug 9175 - winbindd doesn't recover from
1064 * NT_STATUS_NETWORK_SESSION_EXPIRED
1065 */
1066 if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
1067 smbXcli_session_set_disconnect_expired((*cli)->smb2.session);
1068 }
1069
1070 /* cache the server name for later connections */
1071
1072 saf_store(domain->name, controller);
1073 if (domain->alt_name && (*cli)->use_kerberos) {
1074 saf_store(domain->alt_name, controller);
1075 }
1076
1077 winbindd_set_locator_kdc_envs(domain);
1078
1079 result = cli_tree_connect(*cli, "IPC$", "IPC", "", 0);
1080
1081 if (!NT_STATUS_IS_OK(result)) {
1082 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
1083 goto done;
1084 }
1085
1086 TALLOC_FREE(mutex);
1087 *retry = False;
1088
1089 /* set the domain if empty; needed for schannel connections */
1090 if ( !(*cli)->domain[0] ) {
1091 result = cli_set_domain((*cli), domain->name);
1092 if (!NT_STATUS_IS_OK(result)) {
1093 SAFE_FREE(ipc_username);
1094 SAFE_FREE(ipc_domain);
1095 SAFE_FREE(ipc_password);
1096 return result;
1097 }
1098 }
1099
1100 result = NT_STATUS_OK;
1101
1102 done:
1103 TALLOC_FREE(mutex);
1104 SAFE_FREE(machine_account);
1105 SAFE_FREE(machine_password);
1106 SAFE_FREE(machine_krb5_principal);
1107 SAFE_FREE(ipc_username);
1108 SAFE_FREE(ipc_domain);
1109 SAFE_FREE(ipc_password);
1110
1111 if (!NT_STATUS_IS_OK(result)) {
1112 winbind_add_failed_connection_entry(domain, controller, result);
1113 if ((*cli) != NULL) {
1114 cli_shutdown(*cli);
1115 *cli = NULL;
1116 }
1117 }
1118
1119 return result;
1120 }
1121
1122 /*******************************************************************
1123 Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
1124 array.
1125
1126 Keeps the list unique by not adding duplicate entries.
1127
1128 @param[in] mem_ctx talloc memory context to allocate from
1129 @param[in] domain_name domain of the DC
1130 @param[in] dcname name of the DC to add to the list
1131 @param[in] pss Internet address and port pair to add to the list
1132 @param[in,out] dcs array of dc_name_ip structures to add to
1133 @param[in,out] num_dcs number of dcs returned in the dcs array
1134 @return true if the list was added to, false otherwise
1135 *******************************************************************/
1136
1137 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
1138 const char *dcname, struct sockaddr_storage *pss,
1139 struct dc_name_ip **dcs, int *num)
1140 {
1141 int i = 0;
1142
1143 if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
1144 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
1145 return False;
1146 }
1147
1148 /* Make sure there's no duplicates in the list */
1149 for (i=0; i<*num; i++)
1150 if (sockaddr_equal(
1151 (struct sockaddr *)(void *)&(*dcs)[i].ss,
1152 (struct sockaddr *)(void *)pss))
1153 return False;
1154
1155 *dcs = talloc_realloc(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
1156
1157 if (*dcs == NULL)
1158 return False;
1159
1160 fstrcpy((*dcs)[*num].name, dcname);
1161 (*dcs)[*num].ss = *pss;
1162 *num += 1;
1163 return True;
1164 }
1165
1166 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1167 struct sockaddr_storage *pss, uint16 port,
1168 struct sockaddr_storage **addrs, int *num)
1169 {
1170 *addrs = talloc_realloc(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1171
1172 if (*addrs == NULL) {
1173 *num = 0;
1174 return False;
1175 }
1176
1177 (*addrs)[*num] = *pss;
1178 set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
1179
1180 *num += 1;
1181 return True;
1182 }
1183
1184 /*******************************************************************
1185 convert an ip to a name
1186 *******************************************************************/
1187
1188 static bool dcip_to_name(TALLOC_CTX *mem_ctx,
1189 const struct winbindd_domain *domain,
1190 struct sockaddr_storage *pss,
1191 char **name)
1192 {
1193 struct ip_service ip_list;
1194 uint32_t nt_version = NETLOGON_NT_VERSION_1;
1195 NTSTATUS status;
1196 const char *dc_name;
1197 fstring nbtname;
1198
1199 ip_list.ss = *pss;
1200 ip_list.port = 0;
1201
1202 #ifdef HAVE_ADS
1203 /* For active directory servers, try to get the ldap server name.
1204 None of these failures should be considered critical for now */
1205
1206 if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
1207 ADS_STRUCT *ads;
1208 ADS_STATUS ads_status;
1209 char addr[INET6_ADDRSTRLEN];
1210
1211 print_sockaddr(addr, sizeof(addr), pss);
1212
1213 ads = ads_init(domain->alt_name, domain->name, addr);
1214 ads->auth.flags |= ADS_AUTH_NO_BIND;
1215
1216 ads_status = ads_connect(ads);
1217 if (ADS_ERR_OK(ads_status)) {
1218 /* We got a cldap packet. */
1219 *name = talloc_strdup(mem_ctx,
1220 ads->config.ldap_server_name);
1221 if (*name == NULL) {
1222 return false;
1223 }
1224 namecache_store(*name, 0x20, 1, &ip_list);
1225
1226 DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1227
1228 if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
1229 if (ads_closest_dc(ads)) {
1230 char *sitename = sitename_fetch(ads->config.realm);
1231
1232 /* We're going to use this KDC for this realm/domain.
1233 If we are using sites, then force the krb5 libs
1234 to use this KDC. */
1235
1236 create_local_private_krb5_conf_for_domain(domain->alt_name,
1237 domain->name,
1238 sitename,
1239 pss,
1240 *name);
1241
1242 SAFE_FREE(sitename);
1243 } else {
1244 /* use an off site KDC */
1245 create_local_private_krb5_conf_for_domain(domain->alt_name,
1246 domain->name,
1247 NULL,
1248 pss,
1249 *name);
1250 }
1251 winbindd_set_locator_kdc_envs(domain);
1252
1253 /* Ensure we contact this DC also. */
1254 saf_store(domain->name, *name);
1255 saf_store(domain->alt_name, *name);
1256 }
1257
1258 ads_destroy( &ads );
1259 return True;
1260 }
1261
1262 ads_destroy( &ads );
1263 return false;
1264 }
1265 #endif
1266
1267 status = nbt_getdc(winbind_messaging_context(), 10, pss, domain->name,
1268 &domain->sid, nt_version, mem_ctx, &nt_version,
1269 &dc_name, NULL);
1270 if (NT_STATUS_IS_OK(status)) {
1271 *name = talloc_strdup(mem_ctx, dc_name);
1272 if (*name == NULL) {
1273 return false;
1274 }
1275 namecache_store(*name, 0x20, 1, &ip_list);
1276 return True;
1277 }
1278
1279 /* try node status request */
1280
1281 if (name_status_find(domain->name, 0x1c, 0x20, pss, nbtname) ) {
1282 namecache_store(nbtname, 0x20, 1, &ip_list);
1283
1284 if (name != NULL) {
1285 *name = talloc_strdup(mem_ctx, nbtname);
1286 if (*name == NULL) {
1287 return false;
1288 }
1289 }
1290
1291 return true;
1292 }
1293 return False;
1294 }
1295
1296 /*******************************************************************
1297 Retrieve a list of IP addresses for domain controllers.
1298
1299 The array is sorted in the preferred connection order.
1300
1301 @param[in] mem_ctx talloc memory context to allocate from
1302 @param[in] domain domain to retrieve DCs for
1303 @param[out] dcs array of dcs that will be returned
1304 @param[out] num_dcs number of dcs returned in the dcs array
1305 @return always true
1306 *******************************************************************/
1307
1308 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1309 struct dc_name_ip **dcs, int *num_dcs)
1310 {
1311 fstring dcname;
1312 struct sockaddr_storage ss;
1313 struct ip_service *ip_list = NULL;
1314 int iplist_size = 0;
1315 int i;
1316 bool is_our_domain;
1317 enum security_types sec = (enum security_types)lp_security();
1318
1319 is_our_domain = strequal(domain->name, lp_workgroup());
1320
1321 /* If not our domain, get the preferred DC, by asking our primary DC */
1322 if ( !is_our_domain
1323 && get_dc_name_via_netlogon(domain, dcname, &ss)
1324 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
1325 num_dcs) )
1326 {
1327 char addr[INET6_ADDRSTRLEN];
1328 print_sockaddr(addr, sizeof(addr), &ss);
1329 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1330 dcname, addr));
1331 return True;
1332 }
1333
1334 if ((sec == SEC_ADS) && (domain->alt_name != NULL)) {
1335 char *sitename = NULL;
1336
1337 /* We need to make sure we know the local site before
1338 doing any DNS queries, as this will restrict the
1339 get_sorted_dc_list() call below to only fetching
1340 DNS records for the correct site. */
1341
1342 /* Find any DC to get the site record.
1343 We deliberately don't care about the
1344 return here. */
1345
1346 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1347
1348 sitename = sitename_fetch(domain->alt_name);
1349 if (sitename) {
1350
1351 /* Do the site-specific AD dns lookup first. */
1352 get_sorted_dc_list(domain->alt_name, sitename, &ip_list,
1353 &iplist_size, True);
1354
1355 /* Add ips to the DC array. We don't look up the name
1356 of the DC in this function, but we fill in the char*
1357 of the ip now to make the failed connection cache
1358 work */
1359 for ( i=0; i<iplist_size; i++ ) {
1360 char addr[INET6_ADDRSTRLEN];
1361 print_sockaddr(addr, sizeof(addr),
1362 &ip_list[i].ss);
1363 add_one_dc_unique(mem_ctx,
1364 domain->name,
1365 addr,
1366 &ip_list[i].ss,
1367 dcs,
1368 num_dcs);
1369 }
1370
1371 SAFE_FREE(ip_list);
1372 SAFE_FREE(sitename);
1373 iplist_size = 0;
1374 }
1375
1376 /* Now we add DCs from the main AD DNS lookup. */
1377 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1378 &iplist_size, True);
1379
1380 for ( i=0; i<iplist_size; i++ ) {
1381 char addr[INET6_ADDRSTRLEN];
1382 print_sockaddr(addr, sizeof(addr),
1383 &ip_list[i].ss);
1384 add_one_dc_unique(mem_ctx,
1385 domain->name,
1386 addr,
1387 &ip_list[i].ss,
1388 dcs,
1389 num_dcs);
1390 }
1391
1392 SAFE_FREE(ip_list);
1393 iplist_size = 0;
1394 }
1395
1396 /* Try standard netbios queries if no ADS and fall back to DNS queries
1397 * if alt_name is available */
1398 if (*num_dcs == 0) {
1399 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
1400 false);
1401 if (iplist_size == 0) {
1402 if (domain->alt_name != NULL) {
1403 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1404 &iplist_size, true);
1405 }
1406 }
1407
1408 for ( i=0; i<iplist_size; i++ ) {
1409 char addr[INET6_ADDRSTRLEN];
1410 print_sockaddr(addr, sizeof(addr),
1411 &ip_list[i].ss);
1412 add_one_dc_unique(mem_ctx,
1413 domain->name,
1414 addr,
1415 &ip_list[i].ss,
1416 dcs,
1417 num_dcs);
1418 }
1419
1420 SAFE_FREE(ip_list);
1421 iplist_size = 0;
1422 }
1423
1424 return True;
1425 }
1426
1427 /*******************************************************************
1428 Find and make a connection to a DC in the given domain.
1429
1430 @param[in] mem_ctx talloc memory context to allocate from
1431 @param[in] domain domain to find a dc in
1432 @param[out] dcname NetBIOS or FQDN of DC that's connected to
1433 @param[out] pss DC Internet address and port
1434 @param[out] fd fd of the open socket connected to the newly found dc
1435 @return true when a DC connection is made, false otherwise
1436 *******************************************************************/
1437
1438 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1439 struct winbindd_domain *domain,
1440 char **dcname, struct sockaddr_storage *pss, int *fd)
1441 {
1442 struct dc_name_ip *dcs = NULL;
1443 int num_dcs = 0;
1444
1445 const char **dcnames = NULL;
1446 size_t num_dcnames = 0;
1447
1448 struct sockaddr_storage *addrs = NULL;
1449 int num_addrs = 0;
1450
1451 int i;
1452 size_t fd_index;
1453
1454 NTSTATUS status;
1455
1456 *fd = -1;
1457
1458 again:
1459 if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1460 return False;
1461
1462 for (i=0; i<num_dcs; i++) {
1463
1464 if (!add_string_to_array(mem_ctx, dcs[i].name,
1465 &dcnames, &num_dcnames)) {
1466 return False;
1467 }
1468 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, TCP_SMB_PORT,
1469 &addrs, &num_addrs)) {
1470 return False;
1471 }
1472 }
1473
1474 if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1475 return False;
1476
1477 if ((addrs == NULL) || (dcnames == NULL))
1478 return False;
1479
1480 status = smbsock_any_connect(addrs, dcnames, NULL, NULL, NULL,
1481 num_addrs, 0, 10, fd, &fd_index, NULL);
1482 if (!NT_STATUS_IS_OK(status)) {
1483 for (i=0; i<num_dcs; i++) {
1484 char ab[INET6_ADDRSTRLEN];
1485 print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1486 DEBUG(10, ("find_new_dc: smbsock_any_connect failed for "
1487 "domain %s address %s. Error was %s\n",
1488 domain->name, ab, nt_errstr(status) ));
1489 winbind_add_failed_connection_entry(domain,
1490 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1491 }
1492 return False;
1493 }
1494
1495 *pss = addrs[fd_index];
1496
1497 if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1498 /* Ok, we've got a name for the DC */
1499 *dcname = talloc_strdup(mem_ctx, dcnames[fd_index]);
1500 if (*dcname == NULL) {
1501 return false;
1502 }
1503 return true;
1504 }
1505
1506 /* Try to figure out the name */
1507 if (dcip_to_name(mem_ctx, domain, pss, dcname)) {
1508 return True;
1509 }
1510
1511 /* We can not continue without the DC's name */
1512 winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1513 NT_STATUS_UNSUCCESSFUL);
1514
1515 /* Throw away all arrays as we're doing this again. */
1516 TALLOC_FREE(dcs);
1517 num_dcs = 0;
1518
1519 TALLOC_FREE(dcnames);
1520 num_dcnames = 0;
1521
1522 TALLOC_FREE(addrs);
1523 num_addrs = 0;
1524
1525 close(*fd);
1526 *fd = -1;
1527
1528 goto again;
1529 }
1530
1531 static char *current_dc_key(TALLOC_CTX *mem_ctx, const char *domain_name)
1532 {
1533 return talloc_asprintf_strupper_m(mem_ctx, "CURRENT_DCNAME/%s",
1534 domain_name);
1535 }
1536
1537 static void store_current_dc_in_gencache(const char *domain_name,
1538 const char *dc_name,
1539 struct cli_state *cli)
1540 {
1541 char addr[INET6_ADDRSTRLEN];
1542 char *key = NULL;
1543 char *value = NULL;
1544
1545 if (!cli_state_is_connected(cli)) {
1546 return;
1547 }
1548
1549 print_sockaddr(addr, sizeof(addr),
1550 smbXcli_conn_remote_sockaddr(cli->conn));
1551
1552 key = current_dc_key(talloc_tos(), domain_name);
1553 if (key == NULL) {
1554 goto done;
1555 }
1556
1557 value = talloc_asprintf(talloc_tos(), "%s %s", addr, dc_name);
1558 if (value == NULL) {
1559 goto done;
1560 }
1561
1562 gencache_set(key, value, 0x7fffffff);
1563 done:
1564 TALLOC_FREE(value);
1565 TALLOC_FREE(key);
1566 }
1567
1568 bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx,
1569 const char *domain_name,
1570 char **p_dc_name, char **p_dc_ip)
1571 {
1572 char *key, *value, *p;
1573 bool ret = false;
1574 char *dc_name = NULL;
1575 char *dc_ip = NULL;
1576
1577 key = current_dc_key(talloc_tos(), domain_name);
1578 if (key == NULL) {
1579 goto done;
1580 }
1581 if (!gencache_get(key, &value, NULL)) {
1582 goto done;
1583 }
1584 p = strchr(value, ' ');
1585 if (p == NULL) {
1586 goto done;
1587 }
1588 dc_ip = talloc_strndup(mem_ctx, value, p - value);
1589 if (dc_ip == NULL) {
1590 goto done;
1591 }
1592 dc_name = talloc_strdup(mem_ctx, p+1);
1593 if (dc_name == NULL) {
1594 goto done;
1595 }
1596
1597 if (p_dc_ip != NULL) {
1598 *p_dc_ip = dc_ip;
1599 dc_ip = NULL;
1600 }
1601 if (p_dc_name != NULL) {
1602 *p_dc_name = dc_name;
1603 dc_name = NULL;
1604 }
1605 ret = true;
1606 done:
1607 TALLOC_FREE(dc_name);
1608 TALLOC_FREE(dc_ip);
1609 TALLOC_FREE(key);
1610 return ret;
1611 }
1612
1613 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1614 struct winbindd_cm_conn *new_conn)
1615 {
1616 TALLOC_CTX *mem_ctx;
1617 NTSTATUS result;
1618 char *saf_servername = saf_fetch( domain->name );
1619 int retries;
1620
1621 if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1622 SAFE_FREE(saf_servername);
1623 set_domain_offline(domain);
1624 return NT_STATUS_NO_MEMORY;
1625 }
1626
1627 /* we have to check the server affinity cache here since
1628 later we select a DC based on response time and not preference */
1629
1630 /* Check the negative connection cache
1631 before talking to it. It going down may have
1632 triggered the reconnection. */
1633
1634 if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1635
1636 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1637 saf_servername, domain->name ));
1638
1639 /* convert an ip address to a name */
1640 if (is_ipaddress( saf_servername ) ) {
1641 char *dcname = NULL;
1642 struct sockaddr_storage ss;
1643
1644 if (!interpret_string_addr(&ss, saf_servername,
1645 AI_NUMERICHOST)) {
1646 return NT_STATUS_UNSUCCESSFUL;
1647 }
1648 if (dcip_to_name(mem_ctx, domain, &ss, &dcname)) {
1649 domain->dcname = talloc_strdup(domain,
1650 dcname);
1651 if (domain->dcname == NULL) {
1652 SAFE_FREE(saf_servername);
1653 return NT_STATUS_NO_MEMORY;
1654 }
1655 } else {
1656 winbind_add_failed_connection_entry(
1657 domain, saf_servername,
1658 NT_STATUS_UNSUCCESSFUL);
1659 }
1660 } else {
1661 domain->dcname = talloc_strdup(domain, saf_servername);
1662 if (domain->dcname == NULL) {
1663 SAFE_FREE(saf_servername);
1664 return NT_STATUS_NO_MEMORY;
1665 }
1666 }
1667
1668 SAFE_FREE( saf_servername );
1669 }
1670
1671 for (retries = 0; retries < 3; retries++) {
1672 int fd = -1;
1673 bool retry = False;
1674 char *dcname = NULL;
1675
1676 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1677
1678 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1679 domain->dcname ? domain->dcname : "", domain->name ));
1680
1681 if (domain->dcname != NULL
1682 && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1683 && (resolve_name(domain->dcname, &domain->dcaddr, 0x20, true)))
1684 {
1685 NTSTATUS status;
1686
1687 status = smbsock_connect(&domain->dcaddr, 0,
1688 NULL, -1, NULL, -1,
1689 &fd, NULL, 10);
1690 if (!NT_STATUS_IS_OK(status)) {
1691 fd = -1;
1692 }
1693 }
1694
1695 if ((fd == -1) &&
1696 !find_new_dc(mem_ctx, domain, &dcname, &domain->dcaddr, &fd))
1697 {
1698 /* This is the one place where we will
1699 set the global winbindd offline state
1700 to true, if a "WINBINDD_OFFLINE" entry
1701 is found in the winbindd cache. */
1702 set_global_winbindd_state_offline();
1703 break;
1704 }
1705 if (dcname != NULL) {
1706 talloc_free(domain->dcname);
1707
1708 domain->dcname = talloc_move(domain, &dcname);
1709 if (domain->dcname == NULL) {
1710 result = NT_STATUS_NO_MEMORY;
1711 break;
1712 }
1713 }
1714
1715 new_conn->cli = NULL;
1716
1717 result = cm_prepare_connection(domain, fd, domain->dcname,
1718 &new_conn->cli, &retry);
1719 if (!NT_STATUS_IS_OK(result)) {
1720 /* Don't leak the smb connection socket */
1721 close(fd);
1722 }
1723
1724 if (!retry)
1725 break;
1726 }
1727
1728 if (NT_STATUS_IS_OK(result)) {
1729
1730 winbindd_set_locator_kdc_envs(domain);
1731
1732 if (domain->online == False) {
1733 /* We're changing state from offline to online. */
1734 set_global_winbindd_state_online();
1735 }
1736 set_domain_online(domain);
1737
1738 /*
1739 * Much as I hate global state, this seems to be the point
1740 * where we can be certain that we have a proper connection to
1741 * a DC. wbinfo --dc-info needs that information, store it in
1742 * gencache with a looong timeout. This will need revisiting
1743 * once we start to connect to multiple DCs, wbcDcInfo is
1744 * already prepared for that.
1745 */
1746 store_current_dc_in_gencache(domain->name, domain->dcname,
1747 new_conn->cli);
1748 } else {
1749 /* Ensure we setup the retry handler. */
1750 set_domain_offline(domain);
1751 }
1752
1753 talloc_destroy(mem_ctx);
1754 return result;
1755 }
1756
1757 /* Close down all open pipes on a connection. */
1758
1759 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
1760 {
1761 NTSTATUS result;
1762
1763 /* We're closing down a possibly dead
1764 connection. Don't have impossibly long (10s) timeouts. */
1765
1766 if (conn->cli) {
1767 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1768 }
1769
1770 if (conn->samr_pipe != NULL) {
1771 if (is_valid_policy_hnd(&conn->sam_connect_handle)) {
1772 dcerpc_samr_Close(conn->samr_pipe->binding_handle,
1773 talloc_tos(),
1774 &conn->sam_connect_handle,
1775 &result);
1776 }
1777 TALLOC_FREE(conn->samr_pipe);
1778 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1779 if (conn->cli) {
1780 cli_set_timeout(conn->cli, 500);
1781 }
1782 }
1783
1784 if (conn->lsa_pipe != NULL) {
1785 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1786 dcerpc_lsa_Close(conn->lsa_pipe->binding_handle,
1787 talloc_tos(),
1788 &conn->lsa_policy,
1789 &result);
1790 }
1791 TALLOC_FREE(conn->lsa_pipe);
1792 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1793 if (conn->cli) {
1794 cli_set_timeout(conn->cli, 500);
1795 }
1796 }
1797
1798 if (conn->lsa_pipe_tcp != NULL) {
1799 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1800 dcerpc_lsa_Close(conn->lsa_pipe_tcp->binding_handle,
1801 talloc_tos(),
1802 &conn->lsa_policy,
1803 &result);
1804 }
1805 TALLOC_FREE(conn->lsa_pipe_tcp);
1806 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1807 if (conn->cli) {
1808 cli_set_timeout(conn->cli, 500);
1809 }
1810 }
1811
1812 if (conn->netlogon_pipe != NULL) {
1813 TALLOC_FREE(conn->netlogon_pipe);
1814 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1815 if (conn->cli) {
1816 cli_set_timeout(conn->cli, 500);
1817 }
1818 }
1819
1820 if (conn->cli) {
1821 cli_shutdown(conn->cli);
1822 }
1823
1824 conn->cli = NULL;
1825 }
1826
1827 void close_conns_after_fork(void)
1828 {
1829 struct winbindd_domain *domain;
1830 struct winbindd_cli_state *cli_state;
1831
1832 for (domain = domain_list(); domain; domain = domain->next) {
1833 /*
1834 * first close the low level SMB TCP connection
1835 * so that we don't generate any SMBclose
1836 * requests in invalidate_cm_connection()
1837 */
1838 if (cli_state_is_connected(domain->conn.cli)) {
1839 smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
1840 }
1841
1842 invalidate_cm_connection(&domain->conn);
1843 }
1844
1845 for (cli_state = winbindd_client_list();
1846 cli_state != NULL;
1847 cli_state = cli_state->next) {
1848 if (cli_state->sock >= 0) {
1849 close(cli_state->sock);
1850 cli_state->sock = -1;
1851 }
1852 }
1853 }
1854
1855 static bool connection_ok(struct winbindd_domain *domain)
1856 {
1857 bool ok;
1858
1859 ok = cli_state_is_connected(domain->conn.cli);
1860 if (!ok) {
1861 DEBUG(3, ("connection_ok: Connection to %s for domain %s is not connected\n",
1862 domain->dcname, domain->name));
1863 return False;
1864 }
1865
1866 if (domain->online == False) {
1867 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1868 return False;
1869 }
1870
1871 return True;
1872 }
1873
1874 /* Initialize a new connection up to the RPC BIND.
1875 Bypass online status check so always does network calls. */
1876
1877 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
1878 {
1879 NTSTATUS result;
1880
1881 /* Internal connections never use the network. */
1882 if (domain->internal) {
1883 domain->initialized = True;
1884 return NT_STATUS_OK;
1885 }
1886
1887 if (connection_ok(domain)) {
1888 if (!domain->initialized) {
1889 set_dc_type_and_flags(domain);
1890 }
1891 return NT_STATUS_OK;
1892 }
1893
1894 invalidate_cm_connection(&domain->conn);
1895
1896 result = cm_open_connection(domain, &domain->conn);
1897
1898 if (NT_STATUS_IS_OK(result) && !domain->initialized) {
1899 set_dc_type_and_flags(domain);
1900 }
1901
1902 return result;
1903 }
1904
1905 NTSTATUS init_dc_connection(struct winbindd_domain *domain)
1906 {
1907 if (domain->internal) {
1908 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1909 }
1910
1911 if (domain->initialized && !domain->online) {
1912 /* We check for online status elsewhere. */
1913 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1914 }
1915
1916 return init_dc_connection_network(domain);
1917 }
1918
1919 static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain)
1920 {
1921 NTSTATUS status;
1922
1923 status = init_dc_connection(domain);
1924 if (!NT_STATUS_IS_OK(status)) {
1925 return status;
1926 }
1927
1928 if (!domain->internal && domain->conn.cli == NULL) {
1929 /* happens for trusted domains without inbound trust */
1930 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
1931 }
1932
1933 return NT_STATUS_OK;
1934 }
1935
1936 /******************************************************************************
1937 Set the trust flags (direction and forest location) for a domain
1938 ******************************************************************************/
1939
1940 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
1941 {
1942 struct winbindd_domain *our_domain;
1943 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1944 WERROR werr;
1945 struct netr_DomainTrustList trusts;
1946 int i;
1947 uint32 flags = (NETR_TRUST_FLAG_IN_FOREST |
1948 NETR_TRUST_FLAG_OUTBOUND |
1949 NETR_TRUST_FLAG_INBOUND);
1950 struct rpc_pipe_client *cli;
1951 TALLOC_CTX *mem_ctx = NULL;
1952 struct dcerpc_binding_handle *b;
1953
1954 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
1955
1956 /* Our primary domain doesn't need to worry about trust flags.
1957 Force it to go through the network setup */
1958 if ( domain->primary ) {
1959 return False;
1960 }
1961
1962 our_domain = find_our_domain();
1963
1964 if ( !connection_ok(our_domain) ) {
1965 DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));
1966 return False;
1967 }
1968
1969 /* This won't work unless our domain is AD */
1970
1971 if ( !our_domain->active_directory ) {
1972 return False;
1973 }
1974
1975 /* Use DsEnumerateDomainTrusts to get us the trust direction
1976 and type */
1977
1978 result = cm_connect_netlogon(our_domain, &cli);
1979
1980 if (!NT_STATUS_IS_OK(result)) {
1981 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
1982 "a connection to %s for PIPE_NETLOGON (%s)\n",
1983 domain->name, nt_errstr(result)));
1984 return False;
1985 }
1986
1987 b = cli->binding_handle;
1988
1989 if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
1990 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
1991 return False;
1992 }
1993
1994 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
1995 cli->desthost,
1996 flags,
1997 &trusts,
1998 &werr);
1999 if (!NT_STATUS_IS_OK(result)) {
2000 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
2001 "failed to query trusted domain list: %s\n",
2002 nt_errstr(result)));
2003 talloc_destroy(mem_ctx);
2004 return false;
2005 }
2006 if (!W_ERROR_IS_OK(werr)) {
2007 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
2008 "failed to query trusted domain list: %s\n",
2009 win_errstr(werr)));
2010 talloc_destroy(mem_ctx);
2011 return false;
2012 }
2013
2014 /* Now find the domain name and get the flags */
2015
2016 for ( i=0; i<trusts.count; i++ ) {
2017 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
2018 domain->domain_flags = trusts.array[i].trust_flags;
2019 domain->domain_type = trusts.array[i].trust_type;
2020 domain->domain_trust_attribs = trusts.array[i].trust_attributes;
2021
2022 if ( domain->domain_type == NETR_TRUST_TYPE_UPLEVEL )
2023 domain->active_directory = True;
2024
2025 /* This flag is only set if the domain is *our*
2026 primary domain and the primary domain is in
2027 native mode */
2028
2029 domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
2030
2031 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
2032 "native mode.\n", domain->name,
2033 domain->native_mode ? "" : "NOT "));
2034
2035 DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
2036 "running active directory.\n", domain->name,
2037 domain->active_directory ? "" : "NOT "));
2038
2039 domain->can_do_ncacn_ip_tcp = domain->active_directory;
2040 domain->can_do_validation6 = domain->active_directory;
2041
2042 domain->initialized = True;
2043
2044 break;
2045 }
2046 }
2047
2048 talloc_destroy( mem_ctx );
2049
2050 return domain->initialized;
2051 }
2052
2053 /******************************************************************************
2054 We can 'sense' certain things about the DC by it's replies to certain
2055 questions.
2056
2057 This tells us if this particular remote server is Active Directory, and if it
2058 is native mode.
2059 ******************************************************************************/
2060
2061 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
2062 {
2063 NTSTATUS status, result;
2064 WERROR werr;
2065 TALLOC_CTX *mem_ctx = NULL;
2066 struct rpc_pipe_client *cli = NULL;
2067 struct policy_handle pol;
2068 union dssetup_DsRoleInfo info;
2069 union lsa_PolicyInformation *lsa_info = NULL;
2070
2071 if (!connection_ok(domain)) {
2072 return;
2073 }
2074
2075 mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
2076 domain->name);
2077 if (!mem_ctx) {
2078 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
2079 return;
2080 }
2081
2082 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
2083
2084 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
2085 &ndr_table_dssetup.syntax_id,
2086 &cli);
2087
2088 if (!NT_STATUS_IS_OK(status)) {
2089 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
2090 "PI_DSSETUP on domain %s: (%s)\n",
2091 domain->name, nt_errstr(status)));
2092
2093 /* if this is just a non-AD domain we need to continue
2094 * identifying so that we can in the end return with
2095 * domain->initialized = True - gd */
2096
2097 goto no_dssetup;
2098 }
2099
2100 status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx,
2101 DS_ROLE_BASIC_INFORMATION,
2102 &info,
2103 &werr);
2104 TALLOC_FREE(cli);
2105
2106 if (NT_STATUS_IS_OK(status)) {
2107 result = werror_to_ntstatus(werr);
2108 }
2109 if (!NT_STATUS_IS_OK(status)) {
2110 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
2111 "on domain %s failed: (%s)\n",
2112 domain->name, nt_errstr(status)));
2113
2114 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
2115 * every opcode on the DSSETUP pipe, continue with
2116 * no_dssetup mode here as well to get domain->initialized
2117 * set - gd */
2118
2119 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
2120 goto no_dssetup;
2121 }
2122
2123 TALLOC_FREE(mem_ctx);
2124 return;
2125 }
2126
2127 if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
2128 !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
2129 domain->native_mode = True;
2130 } else {
2131 domain->native_mode = False;
2132 }
2133
2134 no_dssetup:
2135 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
2136 &ndr_table_lsarpc.syntax_id, &cli);
2137
2138 if (!NT_STATUS_IS_OK(status)) {
2139 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
2140 "PI_LSARPC on domain %s: (%s)\n",
2141 domain->name, nt_errstr(status)));
2142 TALLOC_FREE(cli);
2143 TALLOC_FREE(mem_ctx);
2144 return;
2145 }
2146
2147 status = rpccli_lsa_open_policy2(cli, mem_ctx, True,
2148 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
2149
2150 if (NT_STATUS_IS_OK(status)) {
2151 /* This particular query is exactly what Win2k clients use
2152 to determine that the DC is active directory */
2153 status = dcerpc_lsa_QueryInfoPolicy2(cli->binding_handle, mem_ctx,
2154 &pol,
2155 LSA_POLICY_INFO_DNS,
2156 &lsa_info,
2157 &result);
2158 }
2159
2160 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2161 domain->active_directory = True;
2162
2163 if (lsa_info->dns.name.string) {
2164 talloc_free(domain->name);
2165 domain->name = talloc_strdup(domain,
2166 lsa_info->dns.name.string);
2167 if (domain->name == NULL) {
2168 goto done;
2169 }
2170 }
2171
2172 if (lsa_info->dns.dns_domain.string) {
2173 talloc_free(domain->alt_name);
2174 domain->alt_name =
2175 talloc_strdup(domain,
2176 lsa_info->dns.dns_domain.string);
2177 if (domain->alt_name == NULL) {
2178 goto done;
2179 }
2180 }
2181
2182 /* See if we can set some domain trust flags about
2183 ourself */
2184
2185 if (lsa_info->dns.dns_forest.string) {
2186 talloc_free(domain->forest_name);
2187 domain->forest_name =
2188 talloc_strdup(domain,
2189 lsa_info->dns.dns_forest.string);
2190 if (domain->forest_name == NULL) {
2191 goto done;
2192 }
2193
2194 if (strequal(domain->forest_name, domain->alt_name)) {
2195 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
2196 }
2197 }
2198
2199 if (lsa_info->dns.sid) {
2200 sid_copy(&domain->sid, lsa_info->dns.sid);
2201 }
2202 } else {
2203 domain->active_directory = False;
2204
2205 status = rpccli_lsa_open_policy(cli, mem_ctx, True,
2206 SEC_FLAG_MAXIMUM_ALLOWED,
2207 &pol);
2208
2209 if (!NT_STATUS_IS_OK(status)) {
2210 goto done;
2211 }
2212
2213 status = dcerpc_lsa_QueryInfoPolicy(cli->binding_handle, mem_ctx,
2214 &pol,
2215 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
2216 &lsa_info,
2217 &result);
2218 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2219
2220 if (lsa_info->account_domain.name.string) {
2221 talloc_free(domain->name);
2222 domain->name =
2223 talloc_strdup(domain,
2224 lsa_info->account_domain.name.string);
2225 }
2226
2227 if (lsa_info->account_domain.sid) {
2228 sid_copy(&domain->sid, lsa_info->account_domain.sid);
2229 }
2230 }
2231 }
2232 done:
2233
2234 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
2235 domain->name, domain->native_mode ? "" : "NOT "));
2236
2237 DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
2238 domain->name, domain->active_directory ? "" : "NOT "));
2239
2240 domain->can_do_ncacn_ip_tcp = domain->active_directory;
2241 domain->can_do_validation6 = domain->active_directory;
2242
2243 TALLOC_FREE(cli);
2244
2245 TALLOC_FREE(mem_ctx);
2246
2247 domain->initialized = True;
2248 }
2249
2250 /**********************************************************************
2251 Set the domain_flags (trust attributes, domain operating modes, etc...
2252 ***********************************************************************/
2253
2254 static void set_dc_type_and_flags( struct winbindd_domain *domain )
2255 {
2256 /* we always have to contact our primary domain */
2257
2258 if ( domain->primary ) {
2259 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
2260 "primary domain\n"));
2261 set_dc_type_and_flags_connect( domain );
2262 return;
2263 }
2264
2265 /* Use our DC to get the information if possible */
2266
2267 if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
2268 /* Otherwise, fallback to contacting the
2269 domain directly */
2270 set_dc_type_and_flags_connect( domain );
2271 }
2272
2273 return;
2274 }
2275
2276
2277
2278 /**********************************************************************
2279 ***********************************************************************/
2280
2281 static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
2282 struct netlogon_creds_CredentialState **ppdc)
2283 {
2284 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2285 struct rpc_pipe_client *netlogon_pipe;
2286
2287 if (lp_client_schannel() == False) {
2288 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2289 }
2290
2291 result = cm_connect_netlogon(domain, &netlogon_pipe);
2292 if (!NT_STATUS_IS_OK(result)) {
2293 return result;
2294 }
2295
2296 /* Return a pointer to the struct netlogon_creds_CredentialState from the
2297 netlogon pipe. */
2298
2299 if (!domain->conn.netlogon_pipe->dc) {
2300 return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
2301 }
2302
2303 *ppdc = domain->conn.netlogon_pipe->dc;
2304 return NT_STATUS_OK;
2305 }
2306
2307 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2308 struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
2309 {
2310 struct winbindd_cm_conn *conn;
2311 NTSTATUS status, result;
2312 struct netlogon_creds_CredentialState *p_creds;
2313 char *machine_password = NULL;
2314 char *machine_account = NULL;
2315 const char *domain_name = NULL;
2316
2317 if (sid_check_is_our_sam(&domain->sid)) {
2318 return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
2319 }
2320
2321 status = init_dc_connection_rpc(domain);
2322 if (!NT_STATUS_IS_OK(status)) {
2323 return status;
2324 }
2325
2326 conn = &domain->conn;
2327
2328 if (rpccli_is_connected(conn->samr_pipe)) {
2329 goto done;
2330 }
2331
2332 TALLOC_FREE(conn->samr_pipe);
2333
2334 /*
2335 * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
2336 * sign and sealed pipe using the machine account password by
2337 * preference. If we can't - try schannel, if that fails, try
2338 * anonymous.
2339 */
2340
2341 if ((conn->cli->user_name[0] == '\0') ||
2342 (conn->cli->domain[0] == '\0') ||
2343 (conn->cli->password == NULL || conn->cli->password[0] == '\0'))
2344 {
2345 status = get_trust_creds(domain, &machine_password,
2346 &machine_account, NULL);
2347 if (!NT_STATUS_IS_OK(status)) {
2348 DEBUG(10, ("cm_connect_sam: No no user available for "
2349 "domain %s, trying schannel\n", conn->cli->domain));
2350 goto schannel;
2351 }
2352 domain_name = domain->name;
2353 } else {
2354 machine_password = SMB_STRDUP(conn->cli->password);
2355 machine_account = SMB_STRDUP(conn->cli->user_name);
2356 domain_name = conn->cli->domain;
2357 }
2358
2359 if (!machine_password || !machine_account) {
2360 status = NT_STATUS_NO_MEMORY;
2361 goto done;
2362 }
2363
2364 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2365 authenticated SAMR pipe with sign & seal. */
2366 status = cli_rpc_pipe_open_spnego(conn->cli,
2367 &ndr_table_samr,
2368 NCACN_NP,
2369 GENSEC_OID_NTLMSSP,
2370 DCERPC_AUTH_LEVEL_PRIVACY,
2371 smbXcli_conn_remote_name(conn->cli->conn),
2372 domain_name,
2373 machine_account,
2374 machine_password,
2375 &conn->samr_pipe);
2376
2377 if (!NT_STATUS_IS_OK(status)) {
2378 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2379 "pipe for domain %s using NTLMSSP "
2380 "authenticated pipe: user %s\\%s. Error was "
2381 "%s\n", domain->name, domain_name,
2382 machine_account, nt_errstr(status)));
2383 goto schannel;
2384 }
2385
2386 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2387 "domain %s using NTLMSSP authenticated "
2388 "pipe: user %s\\%s\n", domain->name,
2389 domain_name, machine_account));
2390
2391 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2392 conn->samr_pipe->desthost,
2393 SEC_FLAG_MAXIMUM_ALLOWED,
2394 &conn->sam_connect_handle,
2395 &result);
2396 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2397 goto open_domain;
2398 }
2399 if (NT_STATUS_IS_OK(status)) {
2400 status = result;
2401 }
2402
2403 DEBUG(10,("cm_connect_sam: ntlmssp-sealed dcerpc_samr_Connect2 "
2404 "failed for domain %s, error was %s. Trying schannel\n",
2405 domain->name, nt_errstr(status) ));
2406 TALLOC_FREE(conn->samr_pipe);
2407
2408 schannel:
2409
2410 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2411
2412 status = cm_get_schannel_creds(domain, &p_creds);
2413 if (!NT_STATUS_IS_OK(status)) {
2414 /* If this call fails - conn->cli can now be NULL ! */
2415 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2416 "for domain %s (error %s), trying anon\n",
2417 domain->name,
2418 nt_errstr(status) ));
2419 goto anonymous;
2420 }
2421 status = cli_rpc_pipe_open_schannel_with_key
2422 (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
2423 DCERPC_AUTH_LEVEL_PRIVACY,
2424 domain->name, &p_creds, &conn->samr_pipe);
2425
2426 if (!NT_STATUS_IS_OK(status)) {
2427 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2428 "domain %s using schannel. Error was %s\n",
2429 domain->name, nt_errstr(status) ));
2430 goto anonymous;
2431 }
2432 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2433 "schannel.\n", domain->name ));
2434
2435 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2436 conn->samr_pipe->desthost,
2437 SEC_FLAG_MAXIMUM_ALLOWED,
2438 &conn->sam_connect_handle,
2439 &result);
2440 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2441 goto open_domain;
2442 }
2443 if (NT_STATUS_IS_OK(status)) {
2444 status = result;
2445 }
2446 DEBUG(10,("cm_connect_sam: schannel-sealed dcerpc_samr_Connect2 failed "
2447 "for domain %s, error was %s. Trying anonymous\n",
2448 domain->name, nt_errstr(status) ));
2449 TALLOC_FREE(conn->samr_pipe);
2450
2451 anonymous:
2452
2453 /* Finally fall back to anonymous. */
2454 status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
2455 &conn->samr_pipe);
2456
2457 if (!NT_STATUS_IS_OK(status)) {
2458 goto done;
2459 }
2460
2461 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2462 conn->samr_pipe->desthost,
2463 SEC_FLAG_MAXIMUM_ALLOWED,
2464 &conn->sam_connect_handle,
2465 &result);
2466 if (!NT_STATUS_IS_OK(status)) {
2467 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2468 "for domain %s Error was %s\n",
2469 domain->name, nt_errstr(status) ));
2470 goto done;
2471 }
2472 if (!NT_STATUS_IS_OK(result)) {
2473 status = result;
2474 DEBUG(10,("cm_connect_sam: dcerpc_samr_Connect2 failed "
2475 "for domain %s Error was %s\n",
2476 domain->name, nt_errstr(result)));
2477 goto done;
2478 }
2479
2480 open_domain:
2481 status = dcerpc_samr_OpenDomain(conn->samr_pipe->binding_handle,
2482 mem_ctx,
2483 &conn->sam_connect_handle,
2484 SEC_FLAG_MAXIMUM_ALLOWED,
2485 &domain->sid,
2486 &conn->sam_domain_handle,
2487 &result);
2488 if (!NT_STATUS_IS_OK(status)) {
2489 goto done;
2490 }
2491
2492 status = result;
2493 done:
2494
2495 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
2496 /*
2497 * if we got access denied, we might just have no access rights
2498 * to talk to the remote samr server server (e.g. when we are a
2499 * PDC and we are connecting a w2k8 pdc via an interdomain
2500 * trust). In that case do not invalidate the whole connection
2501 * stack
2502 */
2503 TALLOC_FREE(conn->samr_pipe);
2504 ZERO_STRUCT(conn->sam_domain_handle);
2505 return status;
2506 } else if (!NT_STATUS_IS_OK(status)) {
2507 invalidate_cm_connection(conn);
2508 return status;
2509 }
2510
2511 *cli = conn->samr_pipe;
2512 *sam_handle = conn->sam_domain_handle;
2513 SAFE_FREE(machine_password);
2514 SAFE_FREE(machine_account);
2515 return status;
2516 }
2517
2518 /**********************************************************************
2519 open an schanneld ncacn_ip_tcp connection to LSA
2520 ***********************************************************************/
2521
2522 NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
2523 TALLOC_CTX *mem_ctx,
2524 struct rpc_pipe_client **cli)
2525 {
2526 struct winbindd_cm_conn *conn;
2527 struct netlogon_creds_CredentialState *creds;
2528 NTSTATUS status;
2529
2530 DEBUG(10,("cm_connect_lsa_tcp\n"));
2531
2532 status = init_dc_connection_rpc(domain);
2533 if (!NT_STATUS_IS_OK(status)) {
2534 return status;
2535 }
2536
2537 conn = &domain->conn;
2538
2539 if (conn->lsa_pipe_tcp &&
2540 conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
2541 conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
2542 rpccli_is_connected(conn->lsa_pipe_tcp)) {
2543 goto done;
2544 }
2545
2546 TALLOC_FREE(conn->lsa_pipe_tcp);
2547
2548 status = cm_get_schannel_creds(domain, &creds);
2549 if (!NT_STATUS_IS_OK(status)) {
2550 goto done;
2551 }
2552
2553 status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
2554 &ndr_table_lsarpc.syntax_id,
2555 NCACN_IP_TCP,
2556 DCERPC_AUTH_LEVEL_PRIVACY,
2557 domain->name,
2558 &creds,
2559 &conn->lsa_pipe_tcp);
2560 if (!NT_STATUS_IS_OK(status)) {
2561 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
2562 nt_errstr(status)));
2563 goto done;
2564 }
2565
2566 done:
2567 if (!NT_STATUS_IS_OK(status)) {
2568 TALLOC_FREE(conn->lsa_pipe_tcp);
2569 return status;
2570 }
2571
2572 *cli = conn->lsa_pipe_tcp;
2573
2574 return status;
2575 }
2576
2577 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2578 struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
2579 {
2580 struct winbindd_cm_conn *conn;
2581 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2582 struct netlogon_creds_CredentialState *p_creds;
2583
2584 result = init_dc_connection_rpc(domain);
2585 if (!NT_STATUS_IS_OK(result))
2586 return result;
2587
2588 conn = &domain->conn;
2589
2590 if (rpccli_is_connected(conn->lsa_pipe)) {
2591 goto done;
2592 }
2593
2594 TALLOC_FREE(conn->lsa_pipe);
2595
2596 if ((conn->cli->user_name[0] == '\0') ||
2597 (conn->cli->domain[0] == '\0') ||
2598 (conn->cli->password == NULL || conn->cli->password[0] == '\0')) {
2599 DEBUG(10, ("cm_connect_lsa: No no user available for "
2600 "domain %s, trying schannel\n", conn->cli->domain));
2601 goto schannel;
2602 }
2603
2604 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2605 * authenticated LSA pipe with sign & seal. */
2606 result = cli_rpc_pipe_open_spnego
2607 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
2608 GENSEC_OID_NTLMSSP,
2609 DCERPC_AUTH_LEVEL_PRIVACY,
2610 smbXcli_conn_remote_name(conn->cli->conn),
2611 conn->cli->domain, conn->cli->user_name, conn->cli->password,
2612 &conn->lsa_pipe);
2613
2614 if (!NT_STATUS_IS_OK(result)) {
2615 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2616 "domain %s using NTLMSSP authenticated pipe: user "
2617 "%s\\%s. Error was %s. Trying schannel.\n",
2618 domain->name, conn->cli->domain,
2619 conn->cli->user_name, nt_errstr(result)));
2620 goto schannel;
2621 }
2622
2623 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2624 "NTLMSSP authenticated pipe: user %s\\%s\n",
2625 domain->name, conn->cli->domain, conn->cli->user_name ));
2626
2627 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2628 SEC_FLAG_MAXIMUM_ALLOWED,
2629 &conn->lsa_policy);
2630 if (NT_STATUS_IS_OK(result)) {
2631 goto done;
2632 }
2633
2634 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2635 "schannel\n"));
2636
2637 TALLOC_FREE(conn->lsa_pipe);
2638
2639 schannel:
2640
2641 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2642
2643 result = cm_get_schannel_creds(domain, &p_creds);
2644 if (!NT_STATUS_IS_OK(result)) {
2645 /* If this call fails - conn->cli can now be NULL ! */
2646 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2647 "for domain %s (error %s), trying anon\n",
2648 domain->name,
2649 nt_errstr(result) ));
2650 goto anonymous;
2651 }
2652 result = cli_rpc_pipe_open_schannel_with_key
2653 (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
2654 DCERPC_AUTH_LEVEL_PRIVACY,
2655 domain->name, &p_creds, &conn->lsa_pipe);
2656
2657 if (!NT_STATUS_IS_OK(result)) {
2658 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2659 "domain %s using schannel. Error was %s\n",
2660 domain->name, nt_errstr(result) ));
2661 goto anonymous;
2662 }
2663 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2664 "schannel.\n", domain->name ));
2665
2666 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2667 SEC_FLAG_MAXIMUM_ALLOWED,
2668 &conn->lsa_policy);
2669 if (NT_STATUS_IS_OK(result)) {
2670 goto done;
2671 }
2672
2673 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2674 "anonymous\n"));
2675
2676 TALLOC_FREE(conn->lsa_pipe);
2677
2678 anonymous:
2679
2680 result = cli_rpc_pipe_open_noauth(conn->cli,
2681 &ndr_table_lsarpc.syntax_id,
2682 &conn->lsa_pipe);
2683 if (!NT_STATUS_IS_OK(result)) {
2684 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2685 goto done;
2686 }
2687
2688 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2689 SEC_FLAG_MAXIMUM_ALLOWED,
2690 &conn->lsa_policy);
2691 done:
2692 if (!NT_STATUS_IS_OK(result)) {
2693 invalidate_cm_connection(conn);
2694 return result;
2695 }
2696
2697 *cli = conn->lsa_pipe;
2698 *lsa_policy = conn->lsa_policy;
2699 return result;
2700 }
2701
2702 /****************************************************************************
2703 Open a LSA connection to a DC, suiteable for LSA lookup calls.
2704 ****************************************************************************/
2705
2706 NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
2707 TALLOC_CTX *mem_ctx,
2708 struct rpc_pipe_client **cli,
2709 struct policy_handle *lsa_policy)
2710 {
2711 NTSTATUS status;
2712
2713 if (domain->can_do_ncacn_ip_tcp) {
2714 status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
2715 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
2716 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
2717 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
2718 invalidate_cm_connection(&domain->conn);
2719 status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
2720 }
2721 if (NT_STATUS_IS_OK(status)) {
2722 return status;
2723 }
2724
2725 /*
2726 * we tried twice to connect via ncan_ip_tcp and schannel and
2727 * failed - maybe it is a trusted domain we can't connect to ?
2728 * do not try tcp next time - gd
2729 */
2730 domain->can_do_ncacn_ip_tcp = false;
2731 }
2732
2733 status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);
2734
2735 return status;
2736 }
2737
2738 /****************************************************************************
2739 Open the netlogon pipe to this DC. Use schannel if specified in client conf.
2740 session key stored in conn->netlogon_pipe->dc->sess_key.
2741 ****************************************************************************/
2742
2743 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2744 struct rpc_pipe_client **cli)
2745 {
2746 struct winbindd_cm_conn *conn;
2747 NTSTATUS result;
2748
2749 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
2750 uint8_t mach_pwd[16];
2751 enum netr_SchannelType sec_chan_type;
2752 const char *account_name;
2753 struct rpc_pipe_client *netlogon_pipe = NULL;
2754
2755 *cli = NULL;
2756
2757 result = init_dc_connection_rpc(domain);
2758 if (!NT_STATUS_IS_OK(result)) {
2759 return result;
2760 }
2761
2762 conn = &domain->conn;
2763
2764 if (rpccli_is_connected(conn->netlogon_pipe)) {
2765 *cli = conn->netlogon_pipe;
2766 return NT_STATUS_OK;
2767 }
2768
2769 TALLOC_FREE(conn->netlogon_pipe);
2770
2771 result = cli_rpc_pipe_open_noauth(conn->cli,
2772 &ndr_table_netlogon.syntax_id,
2773 &netlogon_pipe);
2774 if (!NT_STATUS_IS_OK(result)) {
2775 return result;
2776 }
2777
2778 if ((!IS_DC) && (!domain->primary)) {
2779 /* Clear the schannel request bit and drop down */
2780 neg_flags &= ~NETLOGON_NEG_SCHANNEL;
2781 goto no_schannel;
2782 }
2783
2784 if (lp_client_schannel() != False) {
2785 neg_flags |= NETLOGON_NEG_SCHANNEL;
2786 }
2787
2788 if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
2789 &sec_chan_type))
2790 {
2791 TALLOC_FREE(netlogon_pipe);
2792 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2793 }
2794
2795 result = rpccli_netlogon_setup_creds(
2796 netlogon_pipe,
2797 domain->dcname, /* server name. */
2798 domain->name, /* domain name */
2799 lp_netbios_name(), /* client name */
2800 account_name, /* machine account */
2801 mach_pwd, /* machine password */
2802 sec_chan_type, /* from get_trust_pw */
2803 &neg_flags);
2804
2805 if (!NT_STATUS_IS_OK(result)) {
2806 TALLOC_FREE(netlogon_pipe);
2807 return result;
2808 }
2809
2810 if ((lp_client_schannel() == True) &&
2811 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2812 DEBUG(3, ("Server did not offer schannel\n"));
2813 TALLOC_FREE(netlogon_pipe);
2814 return NT_STATUS_ACCESS_DENIED;
2815 }
2816
2817 no_schannel:
2818 if ((lp_client_schannel() == False) ||
2819 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2820 /*
2821 * NetSamLogonEx only works for schannel
2822 */
2823 domain->can_do_samlogon_ex = False;
2824
2825 /* We're done - just keep the existing connection to NETLOGON
2826 * open */
2827 conn->netlogon_pipe = netlogon_pipe;
2828 *cli = conn->netlogon_pipe;
2829 return NT_STATUS_OK;
2830 }
2831
2832 /* Using the credentials from the first pipe, open a signed and sealed
2833 second netlogon pipe. The session key is stored in the schannel
2834 part of the new pipe auth struct.
2835 */
2836
2837 result = cli_rpc_pipe_open_schannel_with_key(
2838 conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
2839 DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
2840 &conn->netlogon_pipe);
2841
2842 /* We can now close the initial netlogon pipe. */
2843 TALLOC_FREE(netlogon_pipe);
2844
2845 if (!NT_STATUS_IS_OK(result)) {
2846 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
2847 "was %s\n", nt_errstr(result)));
2848
2849 invalidate_cm_connection(conn);
2850 return result;
2851 }
2852
2853 /*
2854 * Always try netr_LogonSamLogonEx. We will fall back for NT4
2855 * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
2856 * supported). We used to only try SamLogonEx for AD, but
2857 * Samba DCs can also do it. And because we don't distinguish
2858 * between Samba and NT4, always try it once.
2859 */
2860 domain->can_do_samlogon_ex = true;
2861
2862 *cli = conn->netlogon_pipe;
2863 return NT_STATUS_OK;
2864 }
2865
2866 void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
2867 void *private_data,
2868 uint32_t msg_type,
2869 struct server_id server_id,
2870 DATA_BLOB *data)
2871 {
2872 struct winbindd_domain *domain;
2873 char *freeit = NULL;
2874 char *addr;
2875
2876 if ((data == NULL)
2877 || (data->data == NULL)
2878 || (data->length == 0)
2879 || (data->data[data->length-1] != '\0')) {
2880 DEBUG(1, ("invalid msg_ip_dropped message: not a valid "
2881 "string\n"));
2882 return;
2883 }
2884
2885 addr = (char *)data->data;
2886 DEBUG(10, ("IP %s dropped\n", addr));
2887
2888 if (!is_ipaddress(addr)) {
2889 char *slash;
2890 /*
2891 * Some code sends us ip addresses with the /netmask
2892 * suffix
2893 */
2894 slash = strchr(addr, '/');
2895 if (slash == NULL) {
2896 DEBUG(1, ("invalid msg_ip_dropped message: %s",
2897 addr));
2898 return;
2899 }
2900 freeit = talloc_strndup(talloc_tos(), addr, slash-addr);
2901 if (freeit == NULL) {
2902 DEBUG(1, ("talloc failed\n"));
2903 return;
2904 }
2905 addr = freeit;
2906 DEBUG(10, ("Stripped /netmask to IP %s\n", addr));
2907 }
2908
2909 for (domain = domain_list(); domain != NULL; domain = domain->next) {
2910 char sockaddr[INET6_ADDRSTRLEN];
2911
2912 if (!cli_state_is_connected(domain->conn.cli)) {
2913 continue;
2914 }
2915
2916 print_sockaddr(sockaddr, sizeof(sockaddr),
2917 smbXcli_conn_local_sockaddr(domain->conn.cli->conn));
2918
2919 if (strequal(sockaddr, addr)) {
2920 smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
2921 }
2922 }
2923 TALLOC_FREE(freeit);
2924 }
Samba GIT mirror