search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug 10196 - RW Deny for a specific user is not overriding RW Allow for a group.
[Samba.git] / source3 / winbindd / winbindd_cm.c
blob61917db83b108f4ba5b5e6cb511833beddde9c99
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon connection manager
5
6 Copyright (C) Tim Potter 2001
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Gerald (Jerry) Carter 2003-2005.
9 Copyright (C) Volker Lendecke 2004-2005
10 Copyright (C) Jeremy Allison 2006
11
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27 We need to manage connections to domain controllers without having to
28 mess up the main winbindd code with other issues. The aim of the
29 connection manager is to:
30
31 - make connections to domain controllers and cache them
32 - re-establish connections when networks or servers go down
33 - centralise the policy on connection timeouts, domain controller
34 selection etc
35 - manage re-entrancy for when winbindd becomes able to handle
36 multiple outstanding rpc requests
37
38 Why not have connection management as part of the rpc layer like tng?
39 Good question. This code may morph into libsmb/rpc_cache.c or something
40 like that but at the moment it's simply staying as part of winbind. I
41 think the TNG architecture of forcing every user of the rpc layer to use
42 the connection caching system is a bad idea. It should be an optional
43 method of using the routines.
44
45 The TNG design is quite good but I disagree with some aspects of the
46 implementation. -tpot
47
48 */
49
50 /*
51 TODO:
52
53 - I'm pretty annoyed by all the make_nmb_name() stuff. It should be
54 moved down into another function.
55
56 - Take care when destroying cli_structs as they can be shared between
57 various sam handles.
58
59 */
60
61 #include "includes.h"
62 #include "winbindd.h"
63 #include "../libcli/auth/libcli_auth.h"
64 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
65 #include "rpc_client/cli_pipe.h"
66 #include "rpc_client/cli_netlogon.h"
67 #include "../librpc/gen_ndr/ndr_samr_c.h"
68 #include "../librpc/gen_ndr/ndr_lsa_c.h"
69 #include "rpc_client/cli_lsarpc.h"
70 #include "../librpc/gen_ndr/ndr_dssetup_c.h"
71 #include "libads/sitename_cache.h"
72 #include "libsmb/libsmb.h"
73 #include "libsmb/clidgram.h"
74 #include "ads.h"
75 #include "secrets.h"
76 #include "../libcli/security/security.h"
77 #include "passdb.h"
78 #include "messages.h"
79 #include "auth/gensec/gensec.h"
80 #include "../libcli/smb/smbXcli_base.h"
81 #include "lib/param/loadparm.h"
82
83 #undef DBGC_CLASS
84 #define DBGC_CLASS DBGC_WINBIND
85
86 struct dc_name_ip {
87 fstring name;
88 struct sockaddr_storage ss;
89 };
90
91 extern struct winbindd_methods reconnect_methods;
92 extern bool override_logfile;
93
94 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
95 static void set_dc_type_and_flags( struct winbindd_domain *domain );
96 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
97 struct dc_name_ip **dcs, int *num_dcs);
98
99 /****************************************************************
100 Child failed to find DC's. Reschedule check.
101 ****************************************************************/
102
103 static void msg_failed_to_go_online(struct messaging_context *msg,
104 void *private_data,
105 uint32_t msg_type,
106 struct server_id server_id,
107 DATA_BLOB *data)
108 {
109 struct winbindd_domain *domain;
110 const char *domainname = (const char *)data->data;
111
112 if (data->data == NULL || data->length == 0) {
113 return;
114 }
115
116 DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
117
118 for (domain = domain_list(); domain; domain = domain->next) {
119 if (domain->internal) {
120 continue;
121 }
122
123 if (strequal(domain->name, domainname)) {
124 if (domain->online) {
125 /* We're already online, ignore. */
126 DEBUG(5,("msg_fail_to_go_online: domain %s "
127 "already online.\n", domainname));
128 continue;
129 }
130
131 /* Reschedule the online check. */
132 set_domain_offline(domain);
133 break;
134 }
135 }
136 }
137
138 /****************************************************************
139 Actually cause a reconnect from a message.
140 ****************************************************************/
141
142 static void msg_try_to_go_online(struct messaging_context *msg,
143 void *private_data,
144 uint32_t msg_type,
145 struct server_id server_id,
146 DATA_BLOB *data)
147 {
148 struct winbindd_domain *domain;
149 const char *domainname = (const char *)data->data;
150
151 if (data->data == NULL || data->length == 0) {
152 return;
153 }
154
155 DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
156
157 for (domain = domain_list(); domain; domain = domain->next) {
158 if (domain->internal) {
159 continue;
160 }
161
162 if (strequal(domain->name, domainname)) {
163
164 if (domain->online) {
165 /* We're already online, ignore. */
166 DEBUG(5,("msg_try_to_go_online: domain %s "
167 "already online.\n", domainname));
168 continue;
169 }
170
171 /* This call takes care of setting the online
172 flag to true if we connected, or re-adding
173 the offline handler if false. Bypasses online
174 check so always does network calls. */
175
176 init_dc_connection_network(domain);
177 break;
178 }
179 }
180 }
181
182 /****************************************************************
183 Fork a child to try and contact a DC. Do this as contacting a
184 DC requires blocking lookups and we don't want to block our
185 parent.
186 ****************************************************************/
187
188 static bool fork_child_dc_connect(struct winbindd_domain *domain)
189 {
190 struct dc_name_ip *dcs = NULL;
191 int num_dcs = 0;
192 TALLOC_CTX *mem_ctx = NULL;
193 pid_t parent_pid = getpid();
194 char *lfile = NULL;
195 NTSTATUS status;
196
197 if (domain->dc_probe_pid != (pid_t)-1) {
198 /*
199 * We might already have a DC probe
200 * child working, check.
201 */
202 if (process_exists_by_pid(domain->dc_probe_pid)) {
203 DEBUG(10,("fork_child_dc_connect: pid %u already "
204 "checking for DC's.\n",
205 (unsigned int)domain->dc_probe_pid));
206 return true;
207 }
208 domain->dc_probe_pid = (pid_t)-1;
209 }
210
211 domain->dc_probe_pid = fork();
212
213 if (domain->dc_probe_pid == (pid_t)-1) {
214 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
215 return False;
216 }
217
218 if (domain->dc_probe_pid != (pid_t)0) {
219 /* Parent */
220 messaging_register(winbind_messaging_context(), NULL,
221 MSG_WINBIND_TRY_TO_GO_ONLINE,
222 msg_try_to_go_online);
223 messaging_register(winbind_messaging_context(), NULL,
224 MSG_WINBIND_FAILED_TO_GO_ONLINE,
225 msg_failed_to_go_online);
226 return True;
227 }
228
229 /* Child. */
230
231 /* Leave messages blocked - we will never process one. */
232
233 if (!override_logfile) {
234 if (asprintf(&lfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) == -1) {
235 DEBUG(0, ("fork_child_dc_connect: out of memory.\n"));
236 _exit(1);
237 }
238 }
239
240 status = winbindd_reinit_after_fork(NULL, lfile);
241 if (!NT_STATUS_IS_OK(status)) {
242 DEBUG(1, ("winbindd_reinit_after_fork failed: %s\n",
243 nt_errstr(status)));
244 messaging_send_buf(winbind_messaging_context(),
245 pid_to_procid(parent_pid),
246 MSG_WINBIND_FAILED_TO_GO_ONLINE,
247 (const uint8_t *)domain->name,
248 strlen(domain->name)+1);
249 _exit(1);
250 }
251 SAFE_FREE(lfile);
252
253 mem_ctx = talloc_init("fork_child_dc_connect");
254 if (!mem_ctx) {
255 DEBUG(0,("talloc_init failed.\n"));
256 messaging_send_buf(winbind_messaging_context(),
257 pid_to_procid(parent_pid),
258 MSG_WINBIND_FAILED_TO_GO_ONLINE,
259 (const uint8_t *)domain->name,
260 strlen(domain->name)+1);
261 _exit(1);
262 }
263
264 if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
265 /* Still offline ? Can't find DC's. */
266 messaging_send_buf(winbind_messaging_context(),
267 pid_to_procid(parent_pid),
268 MSG_WINBIND_FAILED_TO_GO_ONLINE,
269 (const uint8_t *)domain->name,
270 strlen(domain->name)+1);
271 _exit(0);
272 }
273
274 /* We got a DC. Send a message to our parent to get it to
275 try and do the same. */
276
277 messaging_send_buf(winbind_messaging_context(),
278 pid_to_procid(parent_pid),
279 MSG_WINBIND_TRY_TO_GO_ONLINE,
280 (const uint8_t *)domain->name,
281 strlen(domain->name)+1);
282 _exit(0);
283 }
284
285 /****************************************************************
286 Handler triggered if we're offline to try and detect a DC.
287 ****************************************************************/
288
289 static void check_domain_online_handler(struct tevent_context *ctx,
290 struct tevent_timer *te,
291 struct timeval now,
292 void *private_data)
293 {
294 struct winbindd_domain *domain =
295 (struct winbindd_domain *)private_data;
296
297 DEBUG(10,("check_domain_online_handler: called for domain "
298 "%s (online = %s)\n", domain->name,
299 domain->online ? "True" : "False" ));
300
301 TALLOC_FREE(domain->check_online_event);
302
303 /* Are we still in "startup" mode ? */
304
305 if (domain->startup && (time_mono(NULL) > domain->startup_time + 30)) {
306 /* No longer in "startup" mode. */
307 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
308 domain->name ));
309 domain->startup = False;
310 }
311
312 /* We've been told to stay offline, so stay
313 that way. */
314
315 if (get_global_winbindd_state_offline()) {
316 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
317 domain->name ));
318 return;
319 }
320
321 /* Fork a child to test if it can contact a DC.
322 If it can then send ourselves a message to
323 cause a reconnect. */
324
325 fork_child_dc_connect(domain);
326 }
327
328 /****************************************************************
329 If we're still offline setup the timeout check.
330 ****************************************************************/
331
332 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
333 {
334 int wbr = lp_winbind_reconnect_delay();
335
336 if (domain->startup) {
337 domain->check_online_timeout = 10;
338 } else if (domain->check_online_timeout < wbr) {
339 domain->check_online_timeout = wbr;
340 }
341 }
342
343 void winbind_msg_domain_offline(struct messaging_context *msg_ctx,
344 void *private_data,
345 uint32_t msg_type,
346 struct server_id server_id,
347 DATA_BLOB *data)
348 {
349 const char *domain_name = (const char *)data->data;
350 struct winbindd_domain *domain;
351
352 domain = find_domain_from_name_noinit(domain_name);
353 if (domain == NULL) {
354 return;
355 }
356
357 domain->online = false;
358
359 DEBUG(10, ("Domain %s is marked as offline now.\n",
360 domain_name));
361 }
362
363 void winbind_msg_domain_online(struct messaging_context *msg_ctx,
364 void *private_data,
365 uint32_t msg_type,
366 struct server_id server_id,
367 DATA_BLOB *data)
368 {
369 const char *domain_name = (const char *)data->data;
370 struct winbindd_domain *domain;
371
372 domain = find_domain_from_name_noinit(domain_name);
373 if (domain == NULL) {
374 return;
375 }
376
377 domain->online = true;
378
379 DEBUG(10, ("Domain %s is marked as online now.\n",
380 domain_name));
381 }
382
383 /****************************************************************
384 Set domain offline and also add handler to put us back online
385 if we detect a DC.
386 ****************************************************************/
387
388 void set_domain_offline(struct winbindd_domain *domain)
389 {
390 pid_t parent_pid = getppid();
391
392 DEBUG(10,("set_domain_offline: called for domain %s\n",
393 domain->name ));
394
395 TALLOC_FREE(domain->check_online_event);
396
397 if (domain->internal) {
398 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
399 domain->name ));
400 return;
401 }
402
403 domain->online = False;
404
405 /* Offline domains are always initialized. They're
406 re-initialized when they go back online. */
407
408 domain->initialized = True;
409
410 /* We only add the timeout handler that checks and
411 allows us to go back online when we've not
412 been told to remain offline. */
413
414 if (get_global_winbindd_state_offline()) {
415 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
416 domain->name ));
417 return;
418 }
419
420 /* If we're in startup mode, check again in 10 seconds, not in
421 lp_winbind_reconnect_delay() seconds (which is 30 seconds by default). */
422
423 calc_new_online_timeout_check(domain);
424
425 domain->check_online_event = tevent_add_timer(winbind_event_context(),
426 NULL,
427 timeval_current_ofs(domain->check_online_timeout,0),
428 check_domain_online_handler,
429 domain);
430
431 /* The above *has* to succeed for winbindd to work. */
432 if (!domain->check_online_event) {
433 smb_panic("set_domain_offline: failed to add online handler");
434 }
435
436 DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
437 domain->name ));
438
439 /* Send a message to the parent that the domain is offline. */
440 if (parent_pid > 1 && !domain->internal) {
441 messaging_send_buf(winbind_messaging_context(),
442 pid_to_procid(parent_pid),
443 MSG_WINBIND_DOMAIN_OFFLINE,
444 (uint8 *)domain->name,
445 strlen(domain->name) + 1);
446 }
447
448 /* Send an offline message to the idmap child when our
449 primary domain goes offline */
450
451 if ( domain->primary ) {
452 struct winbindd_child *idmap = idmap_child();
453
454 if ( idmap->pid != 0 ) {
455 messaging_send_buf(winbind_messaging_context(),
456 pid_to_procid(idmap->pid),
457 MSG_WINBIND_OFFLINE,
458 (const uint8_t *)domain->name,
459 strlen(domain->name)+1);
460 }
461 }
462
463 return;
464 }
465
466 /****************************************************************
467 Set domain online - if allowed.
468 ****************************************************************/
469
470 static void set_domain_online(struct winbindd_domain *domain)
471 {
472 pid_t parent_pid = getppid();
473
474 DEBUG(10,("set_domain_online: called for domain %s\n",
475 domain->name ));
476
477 if (domain->internal) {
478 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
479 domain->name ));
480 return;
481 }
482
483 if (get_global_winbindd_state_offline()) {
484 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
485 domain->name ));
486 return;
487 }
488
489 winbindd_set_locator_kdc_envs(domain);
490
491 /* If we are waiting to get a krb5 ticket, trigger immediately. */
492 ccache_regain_all_now();
493
494 /* Ok, we're out of any startup mode now... */
495 domain->startup = False;
496
497 if (domain->online == False) {
498 /* We were offline - now we're online. We default to
499 using the MS-RPC backend if we started offline,
500 and if we're going online for the first time we
501 should really re-initialize the backends and the
502 checks to see if we're talking to an AD or NT domain.
503 */
504
505 domain->initialized = False;
506
507 /* 'reconnect_methods' is the MS-RPC backend. */
508 if (domain->backend == &reconnect_methods) {
509 domain->backend = NULL;
510 }
511 }
512
513 /* Ensure we have no online timeout checks. */
514 domain->check_online_timeout = 0;
515 TALLOC_FREE(domain->check_online_event);
516
517 /* Ensure we ignore any pending child messages. */
518 messaging_deregister(winbind_messaging_context(),
519 MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
520 messaging_deregister(winbind_messaging_context(),
521 MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
522
523 domain->online = True;
524
525 /* Send a message to the parent that the domain is online. */
526 if (parent_pid > 1 && !domain->internal) {
527 messaging_send_buf(winbind_messaging_context(),
528 pid_to_procid(parent_pid),
529 MSG_WINBIND_DOMAIN_ONLINE,
530 (uint8 *)domain->name,
531 strlen(domain->name) + 1);
532 }
533
534 /* Send an online message to the idmap child when our
535 primary domain comes online */
536
537 if ( domain->primary ) {
538 struct winbindd_child *idmap = idmap_child();
539
540 if ( idmap->pid != 0 ) {
541 messaging_send_buf(winbind_messaging_context(),
542 pid_to_procid(idmap->pid),
543 MSG_WINBIND_ONLINE,
544 (const uint8_t *)domain->name,
545 strlen(domain->name)+1);
546 }
547 }
548
549 return;
550 }
551
552 /****************************************************************
553 Requested to set a domain online.
554 ****************************************************************/
555
556 void set_domain_online_request(struct winbindd_domain *domain)
557 {
558 struct timeval tev;
559
560 DEBUG(10,("set_domain_online_request: called for domain %s\n",
561 domain->name ));
562
563 if (get_global_winbindd_state_offline()) {
564 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
565 domain->name ));
566 return;
567 }
568
569 if (domain->internal) {
570 DEBUG(10, ("set_domain_online_request: Internal domains are "
571 "always online\n"));
572 return;
573 }
574
575 /* We've been told it's safe to go online and
576 try and connect to a DC. But I don't believe it
577 because network manager seems to lie.
578 Wait at least 5 seconds. Heuristics suck... */
579
580
581 GetTimeOfDay(&tev);
582
583 /* Go into "startup" mode again. */
584 domain->startup_time = time_mono(NULL);
585 domain->startup = True;
586
587 tev.tv_sec += 5;
588
589 if (!domain->check_online_event) {
590 /* If we've come from being globally offline we
591 don't have a check online event handler set.
592 We need to add one now we're trying to go
593 back online. */
594
595 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
596 domain->name ));
597 }
598
599 TALLOC_FREE(domain->check_online_event);
600
601 domain->check_online_event = tevent_add_timer(winbind_event_context(),
602 NULL,
603 tev,
604 check_domain_online_handler,
605 domain);
606
607 /* The above *has* to succeed for winbindd to work. */
608 if (!domain->check_online_event) {
609 smb_panic("set_domain_online_request: failed to add online handler");
610 }
611 }
612
613 /****************************************************************
614 Add -ve connection cache entries for domain and realm.
615 ****************************************************************/
616
617 static void winbind_add_failed_connection_entry(
618 const struct winbindd_domain *domain,
619 const char *server,
620 NTSTATUS result)
621 {
622 add_failed_connection_entry(domain->name, server, result);
623 /* If this was the saf name for the last thing we talked to,
624 remove it. */
625 saf_delete(domain->name);
626 if (domain->alt_name != NULL) {
627 add_failed_connection_entry(domain->alt_name, server, result);
628 saf_delete(domain->alt_name);
629 }
630 winbindd_unset_locator_kdc_env(domain);
631 }
632
633 /* Choose between anonymous or authenticated connections. We need to use
634 an authenticated connection if DCs have the RestrictAnonymous registry
635 entry set > 0, or the "Additional restrictions for anonymous
636 connections" set in the win2k Local Security Policy.
637
638 Caller to free() result in domain, username, password
639 */
640
641 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
642 {
643 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
644 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
645 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
646
647 if (*username && **username) {
648
649 if (!*domain || !**domain)
650 *domain = smb_xstrdup(lp_workgroup());
651
652 if (!*password || !**password)
653 *password = smb_xstrdup("");
654
655 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
656 *domain, *username));
657
658 } else {
659 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
660 *username = smb_xstrdup("");
661 *domain = smb_xstrdup("");
662 *password = smb_xstrdup("");
663 }
664 }
665
666 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
667 fstring dcname,
668 struct sockaddr_storage *dc_ss)
669 {
670 struct winbindd_domain *our_domain = NULL;
671 struct rpc_pipe_client *netlogon_pipe = NULL;
672 NTSTATUS result;
673 WERROR werr;
674 TALLOC_CTX *mem_ctx;
675 unsigned int orig_timeout;
676 const char *tmp = NULL;
677 const char *p;
678 struct dcerpc_binding_handle *b;
679
680 /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
681 * moment.... */
682
683 if (IS_DC) {
684 return False;
685 }
686
687 if (domain->primary) {
688 return False;
689 }
690
691 our_domain = find_our_domain();
692
693 if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
694 return False;
695 }
696
697 result = cm_connect_netlogon(our_domain, &netlogon_pipe);
698 if (!NT_STATUS_IS_OK(result)) {
699 talloc_destroy(mem_ctx);
700 return False;
701 }
702
703 b = netlogon_pipe->binding_handle;
704
705 /* This call can take a long time - allow the server to time out.
706 35 seconds should do it. */
707
708 orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
709
710 if (our_domain->active_directory) {
711 struct netr_DsRGetDCNameInfo *domain_info = NULL;
712
713 result = dcerpc_netr_DsRGetDCName(b,
714 mem_ctx,
715 our_domain->dcname,
716 domain->name,
717 NULL,
718 NULL,
719 DS_RETURN_DNS_NAME,
720 &domain_info,
721 &werr);
722 if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
723 tmp = talloc_strdup(
724 mem_ctx, domain_info->dc_unc);
725 if (tmp == NULL) {
726 DEBUG(0, ("talloc_strdup failed\n"));
727 talloc_destroy(mem_ctx);
728 return false;
729 }
730 if (domain->alt_name == NULL) {
731 domain->alt_name = talloc_strdup(domain,
732 domain_info->domain_name);
733 if (domain->alt_name == NULL) {
734 DEBUG(0, ("talloc_strdup failed\n"));
735 talloc_destroy(mem_ctx);
736 return false;
737 }
738 }
739 if (domain->forest_name == NULL) {
740 domain->forest_name = talloc_strdup(domain,
741 domain_info->forest_name);
742 if (domain->forest_name == NULL) {
743 DEBUG(0, ("talloc_strdup failed\n"));
744 talloc_destroy(mem_ctx);
745 return false;
746 }
747 }
748 }
749 } else {
750 result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
751 our_domain->dcname,
752 domain->name,
753 &tmp,
754 &werr);
755 }
756
757 /* And restore our original timeout. */
758 rpccli_set_timeout(netlogon_pipe, orig_timeout);
759
760 if (!NT_STATUS_IS_OK(result)) {
761 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
762 nt_errstr(result)));
763 talloc_destroy(mem_ctx);
764 return false;
765 }
766
767 if (!W_ERROR_IS_OK(werr)) {
768 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
769 win_errstr(werr)));
770 talloc_destroy(mem_ctx);
771 return false;
772 }
773
774 /* dcerpc_netr_GetAnyDCName gives us a name with \\ */
775 p = strip_hostname(tmp);
776
777 fstrcpy(dcname, p);
778
779 talloc_destroy(mem_ctx);
780
781 DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
782
783 if (!resolve_name(dcname, dc_ss, 0x20, true)) {
784 return False;
785 }
786
787 return True;
788 }
789
790 /**
791 * Helper function to assemble trust password and account name
792 */
793 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
794 char **machine_password,
795 char **machine_account,
796 char **machine_krb5_principal)
797 {
798 const char *account_name;
799 const char *name = NULL;
800
801 /* If we are a DC and this is not our own domain */
802
803 if (IS_DC) {
804 name = domain->name;
805 } else {
806 struct winbindd_domain *our_domain = find_our_domain();
807
808 if (!our_domain)
809 return NT_STATUS_INVALID_SERVER_STATE;
810
811 name = our_domain->name;
812 }
813
814 if (!get_trust_pw_clear(name, machine_password,
815 &account_name, NULL))
816 {
817 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
818 }
819
820 if ((machine_account != NULL) &&
821 (asprintf(machine_account, "%s$", account_name) == -1))
822 {
823 return NT_STATUS_NO_MEMORY;
824 }
825
826 /* For now assume our machine account only exists in our domain */
827
828 if (machine_krb5_principal != NULL)
829 {
830 struct winbindd_domain *our_domain = find_our_domain();
831
832 if (!our_domain) {
833 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
834 }
835
836 if (asprintf(machine_krb5_principal, "%s$@%s",
837 account_name, our_domain->alt_name) == -1)
838 {
839 return NT_STATUS_NO_MEMORY;
840 }
841
842 if (!strupper_m(*machine_krb5_principal)) {
843 SAFE_FREE(machine_krb5_principal);
844 return NT_STATUS_INVALID_PARAMETER;
845 }
846 }
847
848 return NT_STATUS_OK;
849 }
850
851 /************************************************************************
852 Given a fd with a just-connected TCP connection to a DC, open a connection
853 to the pipe.
854 ************************************************************************/
855
856 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
857 const int sockfd,
858 const char *controller,
859 struct cli_state **cli,
860 bool *retry)
861 {
862 bool try_spnego = false;
863 bool try_ipc_auth = false;
864 char *machine_password = NULL;
865 char *machine_krb5_principal = NULL;
866 char *machine_account = NULL;
867 char *ipc_username = NULL;
868 char *ipc_domain = NULL;
869 char *ipc_password = NULL;
870 int flags = 0;
871 uint16_t sec_mode = 0;
872
873 struct named_mutex *mutex;
874
875 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
876
877 DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
878 controller, domain->name ));
879
880 *retry = True;
881
882 mutex = grab_named_mutex(talloc_tos(), controller,
883 WINBIND_SERVER_MUTEX_WAIT_TIME);
884 if (mutex == NULL) {
885 close(sockfd);
886 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
887 controller));
888 result = NT_STATUS_POSSIBLE_DEADLOCK;
889 goto done;
890 }
891
892 flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
893
894 *cli = cli_state_create(NULL, sockfd,
895 controller, domain->alt_name,
896 SMB_SIGNING_DEFAULT, flags);
897 if (*cli == NULL) {
898 close(sockfd);
899 DEBUG(1, ("Could not cli_initialize\n"));
900 result = NT_STATUS_NO_MEMORY;
901 goto done;
902 }
903
904 cli_set_timeout(*cli, 10000); /* 10 seconds */
905
906 result = smbXcli_negprot((*cli)->conn, (*cli)->timeout,
907 lp_cli_minprotocol(),
908 lp_cli_maxprotocol());
909
910 if (!NT_STATUS_IS_OK(result)) {
911 DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
912 goto done;
913 }
914
915 if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_NT1 &&
916 smb1cli_conn_capabilities((*cli)->conn) & CAP_EXTENDED_SECURITY) {
917 try_spnego = true;
918 } else if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
919 try_spnego = true;
920 }
921
922 if (!is_dc_trusted_domain_situation(domain->name) && try_spnego) {
923 result = get_trust_creds(domain, &machine_password,
924 &machine_account,
925 &machine_krb5_principal);
926 if (!NT_STATUS_IS_OK(result)) {
927 goto anon_fallback;
928 }
929
930 if (lp_security() == SEC_ADS) {
931
932 /* Try a krb5 session */
933
934 (*cli)->use_kerberos = True;
935 DEBUG(5, ("connecting to %s from %s with kerberos principal "
936 "[%s] and realm [%s]\n", controller, lp_netbios_name(),
937 machine_krb5_principal, domain->alt_name));
938
939 winbindd_set_locator_kdc_envs(domain);
940
941 result = cli_session_setup(*cli,
942 machine_krb5_principal,
943 machine_password,
944 strlen(machine_password)+1,
945 machine_password,
946 strlen(machine_password)+1,
947 lp_workgroup());
948
949 if (!NT_STATUS_IS_OK(result)) {
950 DEBUG(4,("failed kerberos session setup with %s\n",
951 nt_errstr(result)));
952 }
953
954 if (NT_STATUS_IS_OK(result)) {
955 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
956 result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
957 if (!NT_STATUS_IS_OK(result)) {
958 goto done;
959 }
960 goto session_setup_done;
961 }
962 }
963
964 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
965 (*cli)->use_kerberos = False;
966
967 DEBUG(5, ("connecting to %s from %s with username "
968 "[%s]\\[%s]\n", controller, lp_netbios_name(),
969 lp_workgroup(), machine_account));
970
971 result = cli_session_setup(*cli,
972 machine_account,
973 machine_password,
974 strlen(machine_password)+1,
975 machine_password,
976 strlen(machine_password)+1,
977 lp_workgroup());
978 if (!NT_STATUS_IS_OK(result)) {
979 DEBUG(4, ("authenticated session setup failed with %s\n",
980 nt_errstr(result)));
981 }
982
983 if (NT_STATUS_IS_OK(result)) {
984 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
985 result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
986 if (!NT_STATUS_IS_OK(result)) {
987 goto done;
988 }
989 goto session_setup_done;
990 }
991 }
992
993 /* Fall back to non-kerberos session setup with auth_user */
994
995 (*cli)->use_kerberos = False;
996
997 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
998
999 sec_mode = smb1cli_conn_server_security_mode((*cli)->conn);
1000
1001 try_ipc_auth = false;
1002 if (try_spnego) {
1003 try_ipc_auth = true;
1004 } else if (sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
1005 try_ipc_auth = true;
1006 }
1007
1008 if (try_ipc_auth && (strlen(ipc_username) > 0)) {
1009
1010 /* Only try authenticated if we have a username */
1011
1012 DEBUG(5, ("connecting to %s from %s with username "
1013 "[%s]\\[%s]\n", controller, lp_netbios_name(),
1014 ipc_domain, ipc_username));
1015
1016 if (NT_STATUS_IS_OK(cli_session_setup(
1017 *cli, ipc_username,
1018 ipc_password, strlen(ipc_password)+1,
1019 ipc_password, strlen(ipc_password)+1,
1020 ipc_domain))) {
1021 /* Successful logon with given username. */
1022 result = cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
1023 if (!NT_STATUS_IS_OK(result)) {
1024 goto done;
1025 }
1026 goto session_setup_done;
1027 } else {
1028 DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
1029 ipc_domain, ipc_username ));
1030 }
1031 }
1032
1033 anon_fallback:
1034
1035 /* Fall back to anonymous connection, this might fail later */
1036 DEBUG(10,("cm_prepare_connection: falling back to anonymous "
1037 "connection for DC %s\n",
1038 controller ));
1039
1040 result = cli_session_setup(*cli, "", NULL, 0, NULL, 0, "");
1041 if (NT_STATUS_IS_OK(result)) {
1042 DEBUG(5, ("Connected anonymously\n"));
1043 result = cli_init_creds(*cli, "", "", "");
1044 if (!NT_STATUS_IS_OK(result)) {
1045 goto done;
1046 }
1047 goto session_setup_done;
1048 }
1049
1050 /* We can't session setup */
1051 goto done;
1052
1053 session_setup_done:
1054
1055 /*
1056 * This should be a short term hack until
1057 * dynamic re-authentication is implemented.
1058 *
1059 * See Bug 9175 - winbindd doesn't recover from
1060 * NT_STATUS_NETWORK_SESSION_EXPIRED
1061 */
1062 if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
1063 smbXcli_session_set_disconnect_expired((*cli)->smb2.session);
1064 }
1065
1066 /* cache the server name for later connections */
1067
1068 saf_store(domain->name, controller);
1069 if (domain->alt_name && (*cli)->use_kerberos) {
1070 saf_store(domain->alt_name, controller);
1071 }
1072
1073 winbindd_set_locator_kdc_envs(domain);
1074
1075 result = cli_tree_connect(*cli, "IPC$", "IPC", "", 0);
1076
1077 if (!NT_STATUS_IS_OK(result)) {
1078 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
1079 goto done;
1080 }
1081
1082 TALLOC_FREE(mutex);
1083 *retry = False;
1084
1085 /* set the domain if empty; needed for schannel connections */
1086 if ( !(*cli)->domain[0] ) {
1087 result = cli_set_domain((*cli), domain->name);
1088 if (!NT_STATUS_IS_OK(result)) {
1089 SAFE_FREE(ipc_username);
1090 SAFE_FREE(ipc_domain);
1091 SAFE_FREE(ipc_password);
1092 return result;
1093 }
1094 }
1095
1096 result = NT_STATUS_OK;
1097
1098 done:
1099 TALLOC_FREE(mutex);
1100 SAFE_FREE(machine_account);
1101 SAFE_FREE(machine_password);
1102 SAFE_FREE(machine_krb5_principal);
1103 SAFE_FREE(ipc_username);
1104 SAFE_FREE(ipc_domain);
1105 SAFE_FREE(ipc_password);
1106
1107 if (!NT_STATUS_IS_OK(result)) {
1108 winbind_add_failed_connection_entry(domain, controller, result);
1109 if ((*cli) != NULL) {
1110 cli_shutdown(*cli);
1111 *cli = NULL;
1112 }
1113 }
1114
1115 return result;
1116 }
1117
1118 /*******************************************************************
1119 Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
1120 array.
1121
1122 Keeps the list unique by not adding duplicate entries.
1123
1124 @param[in] mem_ctx talloc memory context to allocate from
1125 @param[in] domain_name domain of the DC
1126 @param[in] dcname name of the DC to add to the list
1127 @param[in] pss Internet address and port pair to add to the list
1128 @param[in,out] dcs array of dc_name_ip structures to add to
1129 @param[in,out] num_dcs number of dcs returned in the dcs array
1130 @return true if the list was added to, false otherwise
1131 *******************************************************************/
1132
1133 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
1134 const char *dcname, struct sockaddr_storage *pss,
1135 struct dc_name_ip **dcs, int *num)
1136 {
1137 int i = 0;
1138
1139 if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
1140 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
1141 return False;
1142 }
1143
1144 /* Make sure there's no duplicates in the list */
1145 for (i=0; i<*num; i++)
1146 if (sockaddr_equal(
1147 (struct sockaddr *)(void *)&(*dcs)[i].ss,
1148 (struct sockaddr *)(void *)pss))
1149 return False;
1150
1151 *dcs = talloc_realloc(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
1152
1153 if (*dcs == NULL)
1154 return False;
1155
1156 fstrcpy((*dcs)[*num].name, dcname);
1157 (*dcs)[*num].ss = *pss;
1158 *num += 1;
1159 return True;
1160 }
1161
1162 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1163 struct sockaddr_storage *pss, uint16 port,
1164 struct sockaddr_storage **addrs, int *num)
1165 {
1166 *addrs = talloc_realloc(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1167
1168 if (*addrs == NULL) {
1169 *num = 0;
1170 return False;
1171 }
1172
1173 (*addrs)[*num] = *pss;
1174 set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
1175
1176 *num += 1;
1177 return True;
1178 }
1179
1180 /*******************************************************************
1181 convert an ip to a name
1182 *******************************************************************/
1183
1184 static bool dcip_to_name(TALLOC_CTX *mem_ctx,
1185 const struct winbindd_domain *domain,
1186 struct sockaddr_storage *pss,
1187 char **name)
1188 {
1189 struct ip_service ip_list;
1190 uint32_t nt_version = NETLOGON_NT_VERSION_1;
1191 NTSTATUS status;
1192 const char *dc_name;
1193 fstring nbtname;
1194
1195 ip_list.ss = *pss;
1196 ip_list.port = 0;
1197
1198 #ifdef HAVE_ADS
1199 /* For active directory servers, try to get the ldap server name.
1200 None of these failures should be considered critical for now */
1201
1202 if (lp_security() == SEC_ADS) {
1203 ADS_STRUCT *ads;
1204 ADS_STATUS ads_status;
1205 char addr[INET6_ADDRSTRLEN];
1206
1207 print_sockaddr(addr, sizeof(addr), pss);
1208
1209 ads = ads_init(domain->alt_name, domain->name, addr);
1210 ads->auth.flags |= ADS_AUTH_NO_BIND;
1211
1212 ads_status = ads_connect(ads);
1213 if (ADS_ERR_OK(ads_status)) {
1214 /* We got a cldap packet. */
1215 *name = talloc_strdup(mem_ctx,
1216 ads->config.ldap_server_name);
1217 if (*name == NULL) {
1218 return false;
1219 }
1220 namecache_store(*name, 0x20, 1, &ip_list);
1221
1222 DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1223
1224 if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
1225 if (ads_closest_dc(ads)) {
1226 char *sitename = sitename_fetch(ads->config.realm);
1227
1228 /* We're going to use this KDC for this realm/domain.
1229 If we are using sites, then force the krb5 libs
1230 to use this KDC. */
1231
1232 create_local_private_krb5_conf_for_domain(domain->alt_name,
1233 domain->name,
1234 sitename,
1235 pss,
1236 *name);
1237
1238 SAFE_FREE(sitename);
1239 } else {
1240 /* use an off site KDC */
1241 create_local_private_krb5_conf_for_domain(domain->alt_name,
1242 domain->name,
1243 NULL,
1244 pss,
1245 *name);
1246 }
1247 winbindd_set_locator_kdc_envs(domain);
1248
1249 /* Ensure we contact this DC also. */
1250 saf_store(domain->name, *name);
1251 saf_store(domain->alt_name, *name);
1252 }
1253
1254 ads_destroy( &ads );
1255 return True;
1256 }
1257
1258 ads_destroy( &ads );
1259 return false;
1260 }
1261 #endif
1262
1263 status = nbt_getdc(winbind_messaging_context(), 10, pss, domain->name,
1264 &domain->sid, nt_version, mem_ctx, &nt_version,
1265 &dc_name, NULL);
1266 if (NT_STATUS_IS_OK(status)) {
1267 *name = talloc_strdup(mem_ctx, dc_name);
1268 if (*name == NULL) {
1269 return false;
1270 }
1271 namecache_store(*name, 0x20, 1, &ip_list);
1272 return True;
1273 }
1274
1275 /* try node status request */
1276
1277 if (name_status_find(domain->name, 0x1c, 0x20, pss, nbtname) ) {
1278 namecache_store(nbtname, 0x20, 1, &ip_list);
1279
1280 if (name != NULL) {
1281 *name = talloc_strdup(mem_ctx, nbtname);
1282 if (*name == NULL) {
1283 return false;
1284 }
1285 }
1286
1287 return true;
1288 }
1289 return False;
1290 }
1291
1292 /*******************************************************************
1293 Retrieve a list of IP addresses for domain controllers.
1294
1295 The array is sorted in the preferred connection order.
1296
1297 @param[in] mem_ctx talloc memory context to allocate from
1298 @param[in] domain domain to retrieve DCs for
1299 @param[out] dcs array of dcs that will be returned
1300 @param[out] num_dcs number of dcs returned in the dcs array
1301 @return always true
1302 *******************************************************************/
1303
1304 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1305 struct dc_name_ip **dcs, int *num_dcs)
1306 {
1307 fstring dcname;
1308 struct sockaddr_storage ss;
1309 struct ip_service *ip_list = NULL;
1310 int iplist_size = 0;
1311 int i;
1312 bool is_our_domain;
1313 enum security_types sec = (enum security_types)lp_security();
1314
1315 is_our_domain = strequal(domain->name, lp_workgroup());
1316
1317 /* If not our domain, get the preferred DC, by asking our primary DC */
1318 if ( !is_our_domain
1319 && get_dc_name_via_netlogon(domain, dcname, &ss)
1320 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
1321 num_dcs) )
1322 {
1323 char addr[INET6_ADDRSTRLEN];
1324 print_sockaddr(addr, sizeof(addr), &ss);
1325 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1326 dcname, addr));
1327 return True;
1328 }
1329
1330 if (sec == SEC_ADS) {
1331 char *sitename = NULL;
1332
1333 /* We need to make sure we know the local site before
1334 doing any DNS queries, as this will restrict the
1335 get_sorted_dc_list() call below to only fetching
1336 DNS records for the correct site. */
1337
1338 /* Find any DC to get the site record.
1339 We deliberately don't care about the
1340 return here. */
1341
1342 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1343
1344 sitename = sitename_fetch(domain->alt_name);
1345 if (sitename) {
1346
1347 /* Do the site-specific AD dns lookup first. */
1348 get_sorted_dc_list(domain->alt_name, sitename, &ip_list,
1349 &iplist_size, True);
1350
1351 /* Add ips to the DC array. We don't look up the name
1352 of the DC in this function, but we fill in the char*
1353 of the ip now to make the failed connection cache
1354 work */
1355 for ( i=0; i<iplist_size; i++ ) {
1356 char addr[INET6_ADDRSTRLEN];
1357 print_sockaddr(addr, sizeof(addr),
1358 &ip_list[i].ss);
1359 add_one_dc_unique(mem_ctx,
1360 domain->name,
1361 addr,
1362 &ip_list[i].ss,
1363 dcs,
1364 num_dcs);
1365 }
1366
1367 SAFE_FREE(ip_list);
1368 SAFE_FREE(sitename);
1369 iplist_size = 0;
1370 }
1371
1372 /* Now we add DCs from the main AD DNS lookup. */
1373 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1374 &iplist_size, True);
1375
1376 for ( i=0; i<iplist_size; i++ ) {
1377 char addr[INET6_ADDRSTRLEN];
1378 print_sockaddr(addr, sizeof(addr),
1379 &ip_list[i].ss);
1380 add_one_dc_unique(mem_ctx,
1381 domain->name,
1382 addr,
1383 &ip_list[i].ss,
1384 dcs,
1385 num_dcs);
1386 }
1387
1388 SAFE_FREE(ip_list);
1389 iplist_size = 0;
1390 }
1391
1392 /* Try standard netbios queries if no ADS and fall back to DNS queries
1393 * if alt_name is available */
1394 if (*num_dcs == 0) {
1395 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
1396 false);
1397 if (iplist_size == 0) {
1398 if (domain->alt_name != NULL) {
1399 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1400 &iplist_size, true);
1401 }
1402 }
1403
1404 for ( i=0; i<iplist_size; i++ ) {
1405 char addr[INET6_ADDRSTRLEN];
1406 print_sockaddr(addr, sizeof(addr),
1407 &ip_list[i].ss);
1408 add_one_dc_unique(mem_ctx,
1409 domain->name,
1410 addr,
1411 &ip_list[i].ss,
1412 dcs,
1413 num_dcs);
1414 }
1415
1416 SAFE_FREE(ip_list);
1417 iplist_size = 0;
1418 }
1419
1420 return True;
1421 }
1422
1423 /*******************************************************************
1424 Find and make a connection to a DC in the given domain.
1425
1426 @param[in] mem_ctx talloc memory context to allocate from
1427 @param[in] domain domain to find a dc in
1428 @param[out] dcname NetBIOS or FQDN of DC that's connected to
1429 @param[out] pss DC Internet address and port
1430 @param[out] fd fd of the open socket connected to the newly found dc
1431 @return true when a DC connection is made, false otherwise
1432 *******************************************************************/
1433
1434 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1435 struct winbindd_domain *domain,
1436 char **dcname, struct sockaddr_storage *pss, int *fd)
1437 {
1438 struct dc_name_ip *dcs = NULL;
1439 int num_dcs = 0;
1440
1441 const char **dcnames = NULL;
1442 int num_dcnames = 0;
1443
1444 struct sockaddr_storage *addrs = NULL;
1445 int num_addrs = 0;
1446
1447 int i;
1448 size_t fd_index;
1449
1450 NTSTATUS status;
1451
1452 *fd = -1;
1453
1454 again:
1455 if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1456 return False;
1457
1458 for (i=0; i<num_dcs; i++) {
1459
1460 if (!add_string_to_array(mem_ctx, dcs[i].name,
1461 &dcnames, &num_dcnames)) {
1462 return False;
1463 }
1464 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, TCP_SMB_PORT,
1465 &addrs, &num_addrs)) {
1466 return False;
1467 }
1468 }
1469
1470 if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1471 return False;
1472
1473 if ((addrs == NULL) || (dcnames == NULL))
1474 return False;
1475
1476 status = smbsock_any_connect(addrs, dcnames, NULL, NULL, NULL,
1477 num_addrs, 0, 10, fd, &fd_index, NULL);
1478 if (!NT_STATUS_IS_OK(status)) {
1479 for (i=0; i<num_dcs; i++) {
1480 char ab[INET6_ADDRSTRLEN];
1481 print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1482 DEBUG(10, ("find_new_dc: smbsock_any_connect failed for "
1483 "domain %s address %s. Error was %s\n",
1484 domain->name, ab, nt_errstr(status) ));
1485 winbind_add_failed_connection_entry(domain,
1486 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1487 }
1488 return False;
1489 }
1490
1491 *pss = addrs[fd_index];
1492
1493 if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1494 /* Ok, we've got a name for the DC */
1495 *dcname = talloc_strdup(mem_ctx, dcnames[fd_index]);
1496 if (*dcname == NULL) {
1497 return false;
1498 }
1499 return true;
1500 }
1501
1502 /* Try to figure out the name */
1503 if (dcip_to_name(mem_ctx, domain, pss, dcname)) {
1504 return True;
1505 }
1506
1507 /* We can not continue without the DC's name */
1508 winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1509 NT_STATUS_UNSUCCESSFUL);
1510
1511 /* Throw away all arrays as we're doing this again. */
1512 TALLOC_FREE(dcs);
1513 num_dcs = 0;
1514
1515 TALLOC_FREE(dcnames);
1516 num_dcnames = 0;
1517
1518 TALLOC_FREE(addrs);
1519 num_addrs = 0;
1520
1521 close(*fd);
1522 *fd = -1;
1523
1524 goto again;
1525 }
1526
1527 static char *current_dc_key(TALLOC_CTX *mem_ctx, const char *domain_name)
1528 {
1529 return talloc_asprintf_strupper_m(mem_ctx, "CURRENT_DCNAME/%s",
1530 domain_name);
1531 }
1532
1533 static void store_current_dc_in_gencache(const char *domain_name,
1534 const char *dc_name,
1535 struct cli_state *cli)
1536 {
1537 char addr[INET6_ADDRSTRLEN];
1538 char *key = NULL;
1539 char *value = NULL;
1540
1541 if (!cli_state_is_connected(cli)) {
1542 return;
1543 }
1544
1545 print_sockaddr(addr, sizeof(addr),
1546 smbXcli_conn_remote_sockaddr(cli->conn));
1547
1548 key = current_dc_key(talloc_tos(), domain_name);
1549 if (key == NULL) {
1550 goto done;
1551 }
1552
1553 value = talloc_asprintf(talloc_tos(), "%s %s", addr, dc_name);
1554 if (value == NULL) {
1555 goto done;
1556 }
1557
1558 gencache_set(key, value, 0x7fffffff);
1559 done:
1560 TALLOC_FREE(value);
1561 TALLOC_FREE(key);
1562 }
1563
1564 bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx,
1565 const char *domain_name,
1566 char **p_dc_name, char **p_dc_ip)
1567 {
1568 char *key, *value, *p;
1569 bool ret = false;
1570 char *dc_name = NULL;
1571 char *dc_ip = NULL;
1572
1573 key = current_dc_key(talloc_tos(), domain_name);
1574 if (key == NULL) {
1575 goto done;
1576 }
1577 if (!gencache_get(key, &value, NULL)) {
1578 goto done;
1579 }
1580 p = strchr(value, ' ');
1581 if (p == NULL) {
1582 goto done;
1583 }
1584 dc_ip = talloc_strndup(mem_ctx, value, p - value);
1585 if (dc_ip == NULL) {
1586 goto done;
1587 }
1588 dc_name = talloc_strdup(mem_ctx, p+1);
1589 if (dc_name == NULL) {
1590 goto done;
1591 }
1592
1593 if (p_dc_ip != NULL) {
1594 *p_dc_ip = dc_ip;
1595 dc_ip = NULL;
1596 }
1597 if (p_dc_name != NULL) {
1598 *p_dc_name = dc_name;
1599 dc_name = NULL;
1600 }
1601 ret = true;
1602 done:
1603 TALLOC_FREE(dc_name);
1604 TALLOC_FREE(dc_ip);
1605 TALLOC_FREE(key);
1606 return ret;
1607 }
1608
1609 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1610 struct winbindd_cm_conn *new_conn)
1611 {
1612 TALLOC_CTX *mem_ctx;
1613 NTSTATUS result;
1614 char *saf_servername = saf_fetch( domain->name );
1615 int retries;
1616
1617 if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1618 SAFE_FREE(saf_servername);
1619 set_domain_offline(domain);
1620 return NT_STATUS_NO_MEMORY;
1621 }
1622
1623 /* we have to check the server affinity cache here since
1624 later we select a DC based on response time and not preference */
1625
1626 /* Check the negative connection cache
1627 before talking to it. It going down may have
1628 triggered the reconnection. */
1629
1630 if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1631
1632 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1633 saf_servername, domain->name ));
1634
1635 /* convert an ip address to a name */
1636 if (is_ipaddress( saf_servername ) ) {
1637 char *dcname = NULL;
1638 struct sockaddr_storage ss;
1639
1640 if (!interpret_string_addr(&ss, saf_servername,
1641 AI_NUMERICHOST)) {
1642 return NT_STATUS_UNSUCCESSFUL;
1643 }
1644 if (dcip_to_name(mem_ctx, domain, &ss, &dcname)) {
1645 domain->dcname = talloc_strdup(domain,
1646 dcname);
1647 if (domain->dcname == NULL) {
1648 SAFE_FREE(saf_servername);
1649 return NT_STATUS_NO_MEMORY;
1650 }
1651 } else {
1652 winbind_add_failed_connection_entry(
1653 domain, saf_servername,
1654 NT_STATUS_UNSUCCESSFUL);
1655 }
1656 } else {
1657 domain->dcname = talloc_strdup(domain, saf_servername);
1658 if (domain->dcname == NULL) {
1659 SAFE_FREE(saf_servername);
1660 return NT_STATUS_NO_MEMORY;
1661 }
1662 }
1663
1664 SAFE_FREE( saf_servername );
1665 }
1666
1667 for (retries = 0; retries < 3; retries++) {
1668 int fd = -1;
1669 bool retry = False;
1670 char *dcname = NULL;
1671
1672 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1673
1674 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1675 domain->dcname ? domain->dcname : "", domain->name ));
1676
1677 if (domain->dcname != NULL
1678 && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1679 && (resolve_name(domain->dcname, &domain->dcaddr, 0x20, true)))
1680 {
1681 NTSTATUS status;
1682
1683 status = smbsock_connect(&domain->dcaddr, 0,
1684 NULL, -1, NULL, -1,
1685 &fd, NULL, 10);
1686 if (!NT_STATUS_IS_OK(status)) {
1687 fd = -1;
1688 }
1689 }
1690
1691 if ((fd == -1) &&
1692 !find_new_dc(mem_ctx, domain, &dcname, &domain->dcaddr, &fd))
1693 {
1694 /* This is the one place where we will
1695 set the global winbindd offline state
1696 to true, if a "WINBINDD_OFFLINE" entry
1697 is found in the winbindd cache. */
1698 set_global_winbindd_state_offline();
1699 break;
1700 }
1701 if (dcname != NULL) {
1702 talloc_free(domain->dcname);
1703
1704 domain->dcname = talloc_move(domain, &dcname);
1705 if (domain->dcname == NULL) {
1706 result = NT_STATUS_NO_MEMORY;
1707 break;
1708 }
1709 }
1710
1711 new_conn->cli = NULL;
1712
1713 result = cm_prepare_connection(domain, fd, domain->dcname,
1714 &new_conn->cli, &retry);
1715 if (!NT_STATUS_IS_OK(result)) {
1716 /* Don't leak the smb connection socket */
1717 close(fd);
1718 }
1719
1720 if (!retry)
1721 break;
1722 }
1723
1724 if (NT_STATUS_IS_OK(result)) {
1725
1726 winbindd_set_locator_kdc_envs(domain);
1727
1728 if (domain->online == False) {
1729 /* We're changing state from offline to online. */
1730 set_global_winbindd_state_online();
1731 }
1732 set_domain_online(domain);
1733
1734 /*
1735 * Much as I hate global state, this seems to be the point
1736 * where we can be certain that we have a proper connection to
1737 * a DC. wbinfo --dc-info needs that information, store it in
1738 * gencache with a looong timeout. This will need revisiting
1739 * once we start to connect to multiple DCs, wbcDcInfo is
1740 * already prepared for that.
1741 */
1742 store_current_dc_in_gencache(domain->name, domain->dcname,
1743 new_conn->cli);
1744 } else {
1745 /* Ensure we setup the retry handler. */
1746 set_domain_offline(domain);
1747 }
1748
1749 talloc_destroy(mem_ctx);
1750 return result;
1751 }
1752
1753 /* Close down all open pipes on a connection. */
1754
1755 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
1756 {
1757 NTSTATUS result;
1758
1759 /* We're closing down a possibly dead
1760 connection. Don't have impossibly long (10s) timeouts. */
1761
1762 if (conn->cli) {
1763 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1764 }
1765
1766 if (conn->samr_pipe != NULL) {
1767 if (is_valid_policy_hnd(&conn->sam_connect_handle)) {
1768 dcerpc_samr_Close(conn->samr_pipe->binding_handle,
1769 talloc_tos(),
1770 &conn->sam_connect_handle,
1771 &result);
1772 }
1773 TALLOC_FREE(conn->samr_pipe);
1774 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1775 if (conn->cli) {
1776 cli_set_timeout(conn->cli, 500);
1777 }
1778 }
1779
1780 if (conn->lsa_pipe != NULL) {
1781 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1782 dcerpc_lsa_Close(conn->lsa_pipe->binding_handle,
1783 talloc_tos(),
1784 &conn->lsa_policy,
1785 &result);
1786 }
1787 TALLOC_FREE(conn->lsa_pipe);
1788 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1789 if (conn->cli) {
1790 cli_set_timeout(conn->cli, 500);
1791 }
1792 }
1793
1794 if (conn->lsa_pipe_tcp != NULL) {
1795 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1796 dcerpc_lsa_Close(conn->lsa_pipe_tcp->binding_handle,
1797 talloc_tos(),
1798 &conn->lsa_policy,
1799 &result);
1800 }
1801 TALLOC_FREE(conn->lsa_pipe_tcp);
1802 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1803 if (conn->cli) {
1804 cli_set_timeout(conn->cli, 500);
1805 }
1806 }
1807
1808 if (conn->netlogon_pipe != NULL) {
1809 TALLOC_FREE(conn->netlogon_pipe);
1810 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1811 if (conn->cli) {
1812 cli_set_timeout(conn->cli, 500);
1813 }
1814 }
1815
1816 if (conn->cli) {
1817 cli_shutdown(conn->cli);
1818 }
1819
1820 conn->cli = NULL;
1821 }
1822
1823 void close_conns_after_fork(void)
1824 {
1825 struct winbindd_domain *domain;
1826 struct winbindd_cli_state *cli_state;
1827
1828 for (domain = domain_list(); domain; domain = domain->next) {
1829 /*
1830 * first close the low level SMB TCP connection
1831 * so that we don't generate any SMBclose
1832 * requests in invalidate_cm_connection()
1833 */
1834 if (cli_state_is_connected(domain->conn.cli)) {
1835 smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
1836 }
1837
1838 invalidate_cm_connection(&domain->conn);
1839 }
1840
1841 for (cli_state = winbindd_client_list();
1842 cli_state != NULL;
1843 cli_state = cli_state->next) {
1844 if (cli_state->sock >= 0) {
1845 close(cli_state->sock);
1846 cli_state->sock = -1;
1847 }
1848 }
1849 }
1850
1851 static bool connection_ok(struct winbindd_domain *domain)
1852 {
1853 bool ok;
1854
1855 ok = cli_state_is_connected(domain->conn.cli);
1856 if (!ok) {
1857 DEBUG(3, ("connection_ok: Connection to %s for domain %s is not connected\n",
1858 domain->dcname, domain->name));
1859 return False;
1860 }
1861
1862 if (domain->online == False) {
1863 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1864 return False;
1865 }
1866
1867 return True;
1868 }
1869
1870 /* Initialize a new connection up to the RPC BIND.
1871 Bypass online status check so always does network calls. */
1872
1873 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
1874 {
1875 NTSTATUS result;
1876
1877 /* Internal connections never use the network. */
1878 if (domain->internal) {
1879 domain->initialized = True;
1880 return NT_STATUS_OK;
1881 }
1882
1883 if (connection_ok(domain)) {
1884 if (!domain->initialized) {
1885 set_dc_type_and_flags(domain);
1886 }
1887 return NT_STATUS_OK;
1888 }
1889
1890 invalidate_cm_connection(&domain->conn);
1891
1892 result = cm_open_connection(domain, &domain->conn);
1893
1894 if (NT_STATUS_IS_OK(result) && !domain->initialized) {
1895 set_dc_type_and_flags(domain);
1896 }
1897
1898 return result;
1899 }
1900
1901 NTSTATUS init_dc_connection(struct winbindd_domain *domain)
1902 {
1903 if (domain->internal) {
1904 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1905 }
1906
1907 if (domain->initialized && !domain->online) {
1908 /* We check for online status elsewhere. */
1909 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1910 }
1911
1912 return init_dc_connection_network(domain);
1913 }
1914
1915 static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain)
1916 {
1917 NTSTATUS status;
1918
1919 status = init_dc_connection(domain);
1920 if (!NT_STATUS_IS_OK(status)) {
1921 return status;
1922 }
1923
1924 if (!domain->internal && domain->conn.cli == NULL) {
1925 /* happens for trusted domains without inbound trust */
1926 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
1927 }
1928
1929 return NT_STATUS_OK;
1930 }
1931
1932 /******************************************************************************
1933 Set the trust flags (direction and forest location) for a domain
1934 ******************************************************************************/
1935
1936 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
1937 {
1938 struct winbindd_domain *our_domain;
1939 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1940 WERROR werr;
1941 struct netr_DomainTrustList trusts;
1942 int i;
1943 uint32 flags = (NETR_TRUST_FLAG_IN_FOREST |
1944 NETR_TRUST_FLAG_OUTBOUND |
1945 NETR_TRUST_FLAG_INBOUND);
1946 struct rpc_pipe_client *cli;
1947 TALLOC_CTX *mem_ctx = NULL;
1948 struct dcerpc_binding_handle *b;
1949
1950 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
1951
1952 /* Our primary domain doesn't need to worry about trust flags.
1953 Force it to go through the network setup */
1954 if ( domain->primary ) {
1955 return False;
1956 }
1957
1958 our_domain = find_our_domain();
1959
1960 if ( !connection_ok(our_domain) ) {
1961 DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));
1962 return False;
1963 }
1964
1965 /* This won't work unless our domain is AD */
1966
1967 if ( !our_domain->active_directory ) {
1968 return False;
1969 }
1970
1971 /* Use DsEnumerateDomainTrusts to get us the trust direction
1972 and type */
1973
1974 result = cm_connect_netlogon(our_domain, &cli);
1975
1976 if (!NT_STATUS_IS_OK(result)) {
1977 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
1978 "a connection to %s for PIPE_NETLOGON (%s)\n",
1979 domain->name, nt_errstr(result)));
1980 return False;
1981 }
1982
1983 b = cli->binding_handle;
1984
1985 if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
1986 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
1987 return False;
1988 }
1989
1990 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
1991 cli->desthost,
1992 flags,
1993 &trusts,
1994 &werr);
1995 if (!NT_STATUS_IS_OK(result)) {
1996 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
1997 "failed to query trusted domain list: %s\n",
1998 nt_errstr(result)));
1999 talloc_destroy(mem_ctx);
2000 return false;
2001 }
2002 if (!W_ERROR_IS_OK(werr)) {
2003 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
2004 "failed to query trusted domain list: %s\n",
2005 win_errstr(werr)));
2006 talloc_destroy(mem_ctx);
2007 return false;
2008 }
2009
2010 /* Now find the domain name and get the flags */
2011
2012 for ( i=0; i<trusts.count; i++ ) {
2013 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
2014 domain->domain_flags = trusts.array[i].trust_flags;
2015 domain->domain_type = trusts.array[i].trust_type;
2016 domain->domain_trust_attribs = trusts.array[i].trust_attributes;
2017
2018 if ( domain->domain_type == NETR_TRUST_TYPE_UPLEVEL )
2019 domain->active_directory = True;
2020
2021 /* This flag is only set if the domain is *our*
2022 primary domain and the primary domain is in
2023 native mode */
2024
2025 domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
2026
2027 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
2028 "native mode.\n", domain->name,
2029 domain->native_mode ? "" : "NOT "));
2030
2031 DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
2032 "running active directory.\n", domain->name,
2033 domain->active_directory ? "" : "NOT "));
2034
2035 domain->can_do_ncacn_ip_tcp = domain->active_directory;
2036 domain->can_do_validation6 = domain->active_directory;
2037
2038 domain->initialized = True;
2039
2040 break;
2041 }
2042 }
2043
2044 talloc_destroy( mem_ctx );
2045
2046 return domain->initialized;
2047 }
2048
2049 /******************************************************************************
2050 We can 'sense' certain things about the DC by it's replies to certain
2051 questions.
2052
2053 This tells us if this particular remote server is Active Directory, and if it
2054 is native mode.
2055 ******************************************************************************/
2056
2057 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
2058 {
2059 NTSTATUS status, result;
2060 WERROR werr;
2061 TALLOC_CTX *mem_ctx = NULL;
2062 struct rpc_pipe_client *cli = NULL;
2063 struct policy_handle pol;
2064 union dssetup_DsRoleInfo info;
2065 union lsa_PolicyInformation *lsa_info = NULL;
2066
2067 if (!connection_ok(domain)) {
2068 return;
2069 }
2070
2071 mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
2072 domain->name);
2073 if (!mem_ctx) {
2074 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
2075 return;
2076 }
2077
2078 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
2079
2080 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
2081 &ndr_table_dssetup.syntax_id,
2082 &cli);
2083
2084 if (!NT_STATUS_IS_OK(status)) {
2085 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
2086 "PI_DSSETUP on domain %s: (%s)\n",
2087 domain->name, nt_errstr(status)));
2088
2089 /* if this is just a non-AD domain we need to continue
2090 * identifying so that we can in the end return with
2091 * domain->initialized = True - gd */
2092
2093 goto no_dssetup;
2094 }
2095
2096 status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx,
2097 DS_ROLE_BASIC_INFORMATION,
2098 &info,
2099 &werr);
2100 TALLOC_FREE(cli);
2101
2102 if (NT_STATUS_IS_OK(status)) {
2103 result = werror_to_ntstatus(werr);
2104 }
2105 if (!NT_STATUS_IS_OK(status)) {
2106 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
2107 "on domain %s failed: (%s)\n",
2108 domain->name, nt_errstr(status)));
2109
2110 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
2111 * every opcode on the DSSETUP pipe, continue with
2112 * no_dssetup mode here as well to get domain->initialized
2113 * set - gd */
2114
2115 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
2116 goto no_dssetup;
2117 }
2118
2119 TALLOC_FREE(mem_ctx);
2120 return;
2121 }
2122
2123 if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
2124 !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
2125 domain->native_mode = True;
2126 } else {
2127 domain->native_mode = False;
2128 }
2129
2130 no_dssetup:
2131 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
2132 &ndr_table_lsarpc.syntax_id, &cli);
2133
2134 if (!NT_STATUS_IS_OK(status)) {
2135 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
2136 "PI_LSARPC on domain %s: (%s)\n",
2137 domain->name, nt_errstr(status)));
2138 TALLOC_FREE(cli);
2139 TALLOC_FREE(mem_ctx);
2140 return;
2141 }
2142
2143 status = rpccli_lsa_open_policy2(cli, mem_ctx, True,
2144 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
2145
2146 if (NT_STATUS_IS_OK(status)) {
2147 /* This particular query is exactly what Win2k clients use
2148 to determine that the DC is active directory */
2149 status = dcerpc_lsa_QueryInfoPolicy2(cli->binding_handle, mem_ctx,
2150 &pol,
2151 LSA_POLICY_INFO_DNS,
2152 &lsa_info,
2153 &result);
2154 }
2155
2156 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2157 domain->active_directory = True;
2158
2159 if (lsa_info->dns.name.string) {
2160 talloc_free(domain->name);
2161 domain->name = talloc_strdup(domain,
2162 lsa_info->dns.name.string);
2163 if (domain->name == NULL) {
2164 goto done;
2165 }
2166 }
2167
2168 if (lsa_info->dns.dns_domain.string) {
2169 talloc_free(domain->alt_name);
2170 domain->alt_name =
2171 talloc_strdup(domain,
2172 lsa_info->dns.dns_domain.string);
2173 if (domain->alt_name == NULL) {
2174 goto done;
2175 }
2176 }
2177
2178 /* See if we can set some domain trust flags about
2179 ourself */
2180
2181 if (lsa_info->dns.dns_forest.string) {
2182 talloc_free(domain->forest_name);
2183 domain->forest_name =
2184 talloc_strdup(domain,
2185 lsa_info->dns.dns_forest.string);
2186 if (domain->forest_name == NULL) {
2187 goto done;
2188 }
2189
2190 if (strequal(domain->forest_name, domain->alt_name)) {
2191 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
2192 }
2193 }
2194
2195 if (lsa_info->dns.sid) {
2196 sid_copy(&domain->sid, lsa_info->dns.sid);
2197 }
2198 } else {
2199 domain->active_directory = False;
2200
2201 status = rpccli_lsa_open_policy(cli, mem_ctx, True,
2202 SEC_FLAG_MAXIMUM_ALLOWED,
2203 &pol);
2204
2205 if (!NT_STATUS_IS_OK(status)) {
2206 goto done;
2207 }
2208
2209 status = dcerpc_lsa_QueryInfoPolicy(cli->binding_handle, mem_ctx,
2210 &pol,
2211 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
2212 &lsa_info,
2213 &result);
2214 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2215
2216 if (lsa_info->account_domain.name.string) {
2217 talloc_free(domain->name);
2218 domain->name =
2219 talloc_strdup(domain,
2220 lsa_info->account_domain.name.string);
2221 }
2222
2223 if (lsa_info->account_domain.sid) {
2224 sid_copy(&domain->sid, lsa_info->account_domain.sid);
2225 }
2226 }
2227 }
2228 done:
2229
2230 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
2231 domain->name, domain->native_mode ? "" : "NOT "));
2232
2233 DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
2234 domain->name, domain->active_directory ? "" : "NOT "));
2235
2236 domain->can_do_ncacn_ip_tcp = domain->active_directory;
2237 domain->can_do_validation6 = domain->active_directory;
2238
2239 TALLOC_FREE(cli);
2240
2241 TALLOC_FREE(mem_ctx);
2242
2243 domain->initialized = True;
2244 }
2245
2246 /**********************************************************************
2247 Set the domain_flags (trust attributes, domain operating modes, etc...
2248 ***********************************************************************/
2249
2250 static void set_dc_type_and_flags( struct winbindd_domain *domain )
2251 {
2252 /* we always have to contact our primary domain */
2253
2254 if ( domain->primary ) {
2255 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
2256 "primary domain\n"));
2257 set_dc_type_and_flags_connect( domain );
2258 return;
2259 }
2260
2261 /* Use our DC to get the information if possible */
2262
2263 if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
2264 /* Otherwise, fallback to contacting the
2265 domain directly */
2266 set_dc_type_and_flags_connect( domain );
2267 }
2268
2269 return;
2270 }
2271
2272
2273
2274 /**********************************************************************
2275 ***********************************************************************/
2276
2277 static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
2278 struct netlogon_creds_CredentialState **ppdc)
2279 {
2280 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2281 struct rpc_pipe_client *netlogon_pipe;
2282
2283 if (lp_client_schannel() == False) {
2284 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2285 }
2286
2287 result = cm_connect_netlogon(domain, &netlogon_pipe);
2288 if (!NT_STATUS_IS_OK(result)) {
2289 return result;
2290 }
2291
2292 /* Return a pointer to the struct netlogon_creds_CredentialState from the
2293 netlogon pipe. */
2294
2295 if (!domain->conn.netlogon_pipe->dc) {
2296 return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
2297 }
2298
2299 *ppdc = domain->conn.netlogon_pipe->dc;
2300 return NT_STATUS_OK;
2301 }
2302
2303 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2304 struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
2305 {
2306 struct winbindd_cm_conn *conn;
2307 NTSTATUS status, result;
2308 struct netlogon_creds_CredentialState *p_creds;
2309 char *machine_password = NULL;
2310 char *machine_account = NULL;
2311 const char *domain_name = NULL;
2312
2313 if (sid_check_is_our_sam(&domain->sid)) {
2314 return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
2315 }
2316
2317 status = init_dc_connection_rpc(domain);
2318 if (!NT_STATUS_IS_OK(status)) {
2319 return status;
2320 }
2321
2322 conn = &domain->conn;
2323
2324 if (rpccli_is_connected(conn->samr_pipe)) {
2325 goto done;
2326 }
2327
2328 TALLOC_FREE(conn->samr_pipe);
2329
2330 /*
2331 * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
2332 * sign and sealed pipe using the machine account password by
2333 * preference. If we can't - try schannel, if that fails, try
2334 * anonymous.
2335 */
2336
2337 if ((conn->cli->user_name[0] == '\0') ||
2338 (conn->cli->domain[0] == '\0') ||
2339 (conn->cli->password == NULL || conn->cli->password[0] == '\0'))
2340 {
2341 status = get_trust_creds(domain, &machine_password,
2342 &machine_account, NULL);
2343 if (!NT_STATUS_IS_OK(status)) {
2344 DEBUG(10, ("cm_connect_sam: No no user available for "
2345 "domain %s, trying schannel\n", conn->cli->domain));
2346 goto schannel;
2347 }
2348 domain_name = domain->name;
2349 } else {
2350 machine_password = SMB_STRDUP(conn->cli->password);
2351 machine_account = SMB_STRDUP(conn->cli->user_name);
2352 domain_name = conn->cli->domain;
2353 }
2354
2355 if (!machine_password || !machine_account) {
2356 status = NT_STATUS_NO_MEMORY;
2357 goto done;
2358 }
2359
2360 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2361 authenticated SAMR pipe with sign & seal. */
2362 status = cli_rpc_pipe_open_spnego(conn->cli,
2363 &ndr_table_samr,
2364 NCACN_NP,
2365 GENSEC_OID_NTLMSSP,
2366 DCERPC_AUTH_LEVEL_PRIVACY,
2367 smbXcli_conn_remote_name(conn->cli->conn),
2368 domain_name,
2369 machine_account,
2370 machine_password,
2371 &conn->samr_pipe);
2372
2373 if (!NT_STATUS_IS_OK(status)) {
2374 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2375 "pipe for domain %s using NTLMSSP "
2376 "authenticated pipe: user %s\\%s. Error was "
2377 "%s\n", domain->name, domain_name,
2378 machine_account, nt_errstr(status)));
2379 goto schannel;
2380 }
2381
2382 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2383 "domain %s using NTLMSSP authenticated "
2384 "pipe: user %s\\%s\n", domain->name,
2385 domain_name, machine_account));
2386
2387 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2388 conn->samr_pipe->desthost,
2389 SEC_FLAG_MAXIMUM_ALLOWED,
2390 &conn->sam_connect_handle,
2391 &result);
2392 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2393 goto open_domain;
2394 }
2395 if (NT_STATUS_IS_OK(status)) {
2396 status = result;
2397 }
2398
2399 DEBUG(10,("cm_connect_sam: ntlmssp-sealed dcerpc_samr_Connect2 "
2400 "failed for domain %s, error was %s. Trying schannel\n",
2401 domain->name, nt_errstr(status) ));
2402 TALLOC_FREE(conn->samr_pipe);
2403
2404 schannel:
2405
2406 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2407
2408 status = cm_get_schannel_creds(domain, &p_creds);
2409 if (!NT_STATUS_IS_OK(status)) {
2410 /* If this call fails - conn->cli can now be NULL ! */
2411 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2412 "for domain %s (error %s), trying anon\n",
2413 domain->name,
2414 nt_errstr(status) ));
2415 goto anonymous;
2416 }
2417 status = cli_rpc_pipe_open_schannel_with_key
2418 (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
2419 DCERPC_AUTH_LEVEL_PRIVACY,
2420 domain->name, &p_creds, &conn->samr_pipe);
2421
2422 if (!NT_STATUS_IS_OK(status)) {
2423 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2424 "domain %s using schannel. Error was %s\n",
2425 domain->name, nt_errstr(status) ));
2426 goto anonymous;
2427 }
2428 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2429 "schannel.\n", domain->name ));
2430
2431 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2432 conn->samr_pipe->desthost,
2433 SEC_FLAG_MAXIMUM_ALLOWED,
2434 &conn->sam_connect_handle,
2435 &result);
2436 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2437 goto open_domain;
2438 }
2439 if (NT_STATUS_IS_OK(status)) {
2440 status = result;
2441 }
2442 DEBUG(10,("cm_connect_sam: schannel-sealed dcerpc_samr_Connect2 failed "
2443 "for domain %s, error was %s. Trying anonymous\n",
2444 domain->name, nt_errstr(status) ));
2445 TALLOC_FREE(conn->samr_pipe);
2446
2447 anonymous:
2448
2449 /* Finally fall back to anonymous. */
2450 status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
2451 &conn->samr_pipe);
2452
2453 if (!NT_STATUS_IS_OK(status)) {
2454 goto done;
2455 }
2456
2457 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2458 conn->samr_pipe->desthost,
2459 SEC_FLAG_MAXIMUM_ALLOWED,
2460 &conn->sam_connect_handle,
2461 &result);
2462 if (!NT_STATUS_IS_OK(status)) {
2463 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2464 "for domain %s Error was %s\n",
2465 domain->name, nt_errstr(status) ));
2466 goto done;
2467 }
2468 if (!NT_STATUS_IS_OK(result)) {
2469 status = result;
2470 DEBUG(10,("cm_connect_sam: dcerpc_samr_Connect2 failed "
2471 "for domain %s Error was %s\n",
2472 domain->name, nt_errstr(result)));
2473 goto done;
2474 }
2475
2476 open_domain:
2477 status = dcerpc_samr_OpenDomain(conn->samr_pipe->binding_handle,
2478 mem_ctx,
2479 &conn->sam_connect_handle,
2480 SEC_FLAG_MAXIMUM_ALLOWED,
2481 &domain->sid,
2482 &conn->sam_domain_handle,
2483 &result);
2484 if (!NT_STATUS_IS_OK(status)) {
2485 goto done;
2486 }
2487
2488 status = result;
2489 done:
2490
2491 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
2492 /*
2493 * if we got access denied, we might just have no access rights
2494 * to talk to the remote samr server server (e.g. when we are a
2495 * PDC and we are connecting a w2k8 pdc via an interdomain
2496 * trust). In that case do not invalidate the whole connection
2497 * stack
2498 */
2499 TALLOC_FREE(conn->samr_pipe);
2500 ZERO_STRUCT(conn->sam_domain_handle);
2501 return status;
2502 } else if (!NT_STATUS_IS_OK(status)) {
2503 invalidate_cm_connection(conn);
2504 return status;
2505 }
2506
2507 *cli = conn->samr_pipe;
2508 *sam_handle = conn->sam_domain_handle;
2509 SAFE_FREE(machine_password);
2510 SAFE_FREE(machine_account);
2511 return status;
2512 }
2513
2514 /**********************************************************************
2515 open an schanneld ncacn_ip_tcp connection to LSA
2516 ***********************************************************************/
2517
2518 NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
2519 TALLOC_CTX *mem_ctx,
2520 struct rpc_pipe_client **cli)
2521 {
2522 struct winbindd_cm_conn *conn;
2523 struct netlogon_creds_CredentialState *creds;
2524 NTSTATUS status;
2525
2526 DEBUG(10,("cm_connect_lsa_tcp\n"));
2527
2528 status = init_dc_connection_rpc(domain);
2529 if (!NT_STATUS_IS_OK(status)) {
2530 return status;
2531 }
2532
2533 conn = &domain->conn;
2534
2535 if (conn->lsa_pipe_tcp &&
2536 conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
2537 conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
2538 rpccli_is_connected(conn->lsa_pipe_tcp)) {
2539 goto done;
2540 }
2541
2542 TALLOC_FREE(conn->lsa_pipe_tcp);
2543
2544 status = cm_get_schannel_creds(domain, &creds);
2545 if (!NT_STATUS_IS_OK(status)) {
2546 goto done;
2547 }
2548
2549 status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
2550 &ndr_table_lsarpc.syntax_id,
2551 NCACN_IP_TCP,
2552 DCERPC_AUTH_LEVEL_PRIVACY,
2553 domain->name,
2554 &creds,
2555 &conn->lsa_pipe_tcp);
2556 if (!NT_STATUS_IS_OK(status)) {
2557 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
2558 nt_errstr(status)));
2559 goto done;
2560 }
2561
2562 done:
2563 if (!NT_STATUS_IS_OK(status)) {
2564 TALLOC_FREE(conn->lsa_pipe_tcp);
2565 return status;
2566 }
2567
2568 *cli = conn->lsa_pipe_tcp;
2569
2570 return status;
2571 }
2572
2573 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2574 struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
2575 {
2576 struct winbindd_cm_conn *conn;
2577 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2578 struct netlogon_creds_CredentialState *p_creds;
2579
2580 result = init_dc_connection_rpc(domain);
2581 if (!NT_STATUS_IS_OK(result))
2582 return result;
2583
2584 conn = &domain->conn;
2585
2586 if (rpccli_is_connected(conn->lsa_pipe)) {
2587 goto done;
2588 }
2589
2590 TALLOC_FREE(conn->lsa_pipe);
2591
2592 if ((conn->cli->user_name[0] == '\0') ||
2593 (conn->cli->domain[0] == '\0') ||
2594 (conn->cli->password == NULL || conn->cli->password[0] == '\0')) {
2595 DEBUG(10, ("cm_connect_lsa: No no user available for "
2596 "domain %s, trying schannel\n", conn->cli->domain));
2597 goto schannel;
2598 }
2599
2600 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2601 * authenticated LSA pipe with sign & seal. */
2602 result = cli_rpc_pipe_open_spnego
2603 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
2604 GENSEC_OID_NTLMSSP,
2605 DCERPC_AUTH_LEVEL_PRIVACY,
2606 smbXcli_conn_remote_name(conn->cli->conn),
2607 conn->cli->domain, conn->cli->user_name, conn->cli->password,
2608 &conn->lsa_pipe);
2609
2610 if (!NT_STATUS_IS_OK(result)) {
2611 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2612 "domain %s using NTLMSSP authenticated pipe: user "
2613 "%s\\%s. Error was %s. Trying schannel.\n",
2614 domain->name, conn->cli->domain,
2615 conn->cli->user_name, nt_errstr(result)));
2616 goto schannel;
2617 }
2618
2619 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2620 "NTLMSSP authenticated pipe: user %s\\%s\n",
2621 domain->name, conn->cli->domain, conn->cli->user_name ));
2622
2623 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2624 SEC_FLAG_MAXIMUM_ALLOWED,
2625 &conn->lsa_policy);
2626 if (NT_STATUS_IS_OK(result)) {
2627 goto done;
2628 }
2629
2630 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2631 "schannel\n"));
2632
2633 TALLOC_FREE(conn->lsa_pipe);
2634
2635 schannel:
2636
2637 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2638
2639 result = cm_get_schannel_creds(domain, &p_creds);
2640 if (!NT_STATUS_IS_OK(result)) {
2641 /* If this call fails - conn->cli can now be NULL ! */
2642 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2643 "for domain %s (error %s), trying anon\n",
2644 domain->name,
2645 nt_errstr(result) ));
2646 goto anonymous;
2647 }
2648 result = cli_rpc_pipe_open_schannel_with_key
2649 (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
2650 DCERPC_AUTH_LEVEL_PRIVACY,
2651 domain->name, &p_creds, &conn->lsa_pipe);
2652
2653 if (!NT_STATUS_IS_OK(result)) {
2654 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2655 "domain %s using schannel. Error was %s\n",
2656 domain->name, nt_errstr(result) ));
2657 goto anonymous;
2658 }
2659 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2660 "schannel.\n", domain->name ));
2661
2662 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2663 SEC_FLAG_MAXIMUM_ALLOWED,
2664 &conn->lsa_policy);
2665 if (NT_STATUS_IS_OK(result)) {
2666 goto done;
2667 }
2668
2669 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2670 "anonymous\n"));
2671
2672 TALLOC_FREE(conn->lsa_pipe);
2673
2674 anonymous:
2675
2676 result = cli_rpc_pipe_open_noauth(conn->cli,
2677 &ndr_table_lsarpc.syntax_id,
2678 &conn->lsa_pipe);
2679 if (!NT_STATUS_IS_OK(result)) {
2680 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2681 goto done;
2682 }
2683
2684 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2685 SEC_FLAG_MAXIMUM_ALLOWED,
2686 &conn->lsa_policy);
2687 done:
2688 if (!NT_STATUS_IS_OK(result)) {
2689 invalidate_cm_connection(conn);
2690 return result;
2691 }
2692
2693 *cli = conn->lsa_pipe;
2694 *lsa_policy = conn->lsa_policy;
2695 return result;
2696 }
2697
2698 /****************************************************************************
2699 Open a LSA connection to a DC, suiteable for LSA lookup calls.
2700 ****************************************************************************/
2701
2702 NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
2703 TALLOC_CTX *mem_ctx,
2704 struct rpc_pipe_client **cli,
2705 struct policy_handle *lsa_policy)
2706 {
2707 NTSTATUS status;
2708
2709 if (domain->can_do_ncacn_ip_tcp) {
2710 status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
2711 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
2712 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
2713 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
2714 invalidate_cm_connection(&domain->conn);
2715 status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
2716 }
2717 if (NT_STATUS_IS_OK(status)) {
2718 return status;
2719 }
2720
2721 /*
2722 * we tried twice to connect via ncan_ip_tcp and schannel and
2723 * failed - maybe it is a trusted domain we can't connect to ?
2724 * do not try tcp next time - gd
2725 */
2726 domain->can_do_ncacn_ip_tcp = false;
2727 }
2728
2729 status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);
2730
2731 return status;
2732 }
2733
2734 /****************************************************************************
2735 Open the netlogon pipe to this DC. Use schannel if specified in client conf.
2736 session key stored in conn->netlogon_pipe->dc->sess_key.
2737 ****************************************************************************/
2738
2739 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2740 struct rpc_pipe_client **cli)
2741 {
2742 struct winbindd_cm_conn *conn;
2743 NTSTATUS result;
2744
2745 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
2746 uint8_t mach_pwd[16];
2747 enum netr_SchannelType sec_chan_type;
2748 const char *account_name;
2749 struct rpc_pipe_client *netlogon_pipe = NULL;
2750
2751 *cli = NULL;
2752
2753 result = init_dc_connection_rpc(domain);
2754 if (!NT_STATUS_IS_OK(result)) {
2755 return result;
2756 }
2757
2758 conn = &domain->conn;
2759
2760 if (rpccli_is_connected(conn->netlogon_pipe)) {
2761 *cli = conn->netlogon_pipe;
2762 return NT_STATUS_OK;
2763 }
2764
2765 TALLOC_FREE(conn->netlogon_pipe);
2766
2767 result = cli_rpc_pipe_open_noauth(conn->cli,
2768 &ndr_table_netlogon.syntax_id,
2769 &netlogon_pipe);
2770 if (!NT_STATUS_IS_OK(result)) {
2771 return result;
2772 }
2773
2774 if ((!IS_DC) && (!domain->primary)) {
2775 /* Clear the schannel request bit and drop down */
2776 neg_flags &= ~NETLOGON_NEG_SCHANNEL;
2777 goto no_schannel;
2778 }
2779
2780 if (lp_client_schannel() != False) {
2781 neg_flags |= NETLOGON_NEG_SCHANNEL;
2782 }
2783
2784 if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
2785 &sec_chan_type))
2786 {
2787 TALLOC_FREE(netlogon_pipe);
2788 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2789 }
2790
2791 result = rpccli_netlogon_setup_creds(
2792 netlogon_pipe,
2793 domain->dcname, /* server name. */
2794 domain->name, /* domain name */
2795 lp_netbios_name(), /* client name */
2796 account_name, /* machine account */
2797 mach_pwd, /* machine password */
2798 sec_chan_type, /* from get_trust_pw */
2799 &neg_flags);
2800
2801 if (!NT_STATUS_IS_OK(result)) {
2802 TALLOC_FREE(netlogon_pipe);
2803 return result;
2804 }
2805
2806 if ((lp_client_schannel() == True) &&
2807 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2808 DEBUG(3, ("Server did not offer schannel\n"));
2809 TALLOC_FREE(netlogon_pipe);
2810 return NT_STATUS_ACCESS_DENIED;
2811 }
2812
2813 no_schannel:
2814 if ((lp_client_schannel() == False) ||
2815 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2816 /*
2817 * NetSamLogonEx only works for schannel
2818 */
2819 domain->can_do_samlogon_ex = False;
2820
2821 /* We're done - just keep the existing connection to NETLOGON
2822 * open */
2823 conn->netlogon_pipe = netlogon_pipe;
2824 *cli = conn->netlogon_pipe;
2825 return NT_STATUS_OK;
2826 }
2827
2828 /* Using the credentials from the first pipe, open a signed and sealed
2829 second netlogon pipe. The session key is stored in the schannel
2830 part of the new pipe auth struct.
2831 */
2832
2833 result = cli_rpc_pipe_open_schannel_with_key(
2834 conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
2835 DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
2836 &conn->netlogon_pipe);
2837
2838 /* We can now close the initial netlogon pipe. */
2839 TALLOC_FREE(netlogon_pipe);
2840
2841 if (!NT_STATUS_IS_OK(result)) {
2842 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
2843 "was %s\n", nt_errstr(result)));
2844
2845 invalidate_cm_connection(conn);
2846 return result;
2847 }
2848
2849 /*
2850 * Always try netr_LogonSamLogonEx. We will fall back for NT4
2851 * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
2852 * supported). We used to only try SamLogonEx for AD, but
2853 * Samba DCs can also do it. And because we don't distinguish
2854 * between Samba and NT4, always try it once.
2855 */
2856 domain->can_do_samlogon_ex = true;
2857
2858 *cli = conn->netlogon_pipe;
2859 return NT_STATUS_OK;
2860 }
2861
2862 void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
2863 void *private_data,
2864 uint32_t msg_type,
2865 struct server_id server_id,
2866 DATA_BLOB *data)
2867 {
2868 struct winbindd_domain *domain;
2869 char *freeit = NULL;
2870 char *addr;
2871
2872 if ((data == NULL)
2873 || (data->data == NULL)
2874 || (data->length == 0)
2875 || (data->data[data->length-1] != '\0')) {
2876 DEBUG(1, ("invalid msg_ip_dropped message: not a valid "
2877 "string\n"));
2878 return;
2879 }
2880
2881 addr = (char *)data->data;
2882 DEBUG(10, ("IP %s dropped\n", addr));
2883
2884 if (!is_ipaddress(addr)) {
2885 char *slash;
2886 /*
2887 * Some code sends us ip addresses with the /netmask
2888 * suffix
2889 */
2890 slash = strchr(addr, '/');
2891 if (slash == NULL) {
2892 DEBUG(1, ("invalid msg_ip_dropped message: %s",
2893 addr));
2894 return;
2895 }
2896 freeit = talloc_strndup(talloc_tos(), addr, slash-addr);
2897 if (freeit == NULL) {
2898 DEBUG(1, ("talloc failed\n"));
2899 return;
2900 }
2901 addr = freeit;
2902 DEBUG(10, ("Stripped /netmask to IP %s\n", addr));
2903 }
2904
2905 for (domain = domain_list(); domain != NULL; domain = domain->next) {
2906 char sockaddr[INET6_ADDRSTRLEN];
2907
2908 if (!cli_state_is_connected(domain->conn.cli)) {
2909 continue;
2910 }
2911
2912 print_sockaddr(sockaddr, sizeof(sockaddr),
2913 smbXcli_conn_local_sockaddr(domain->conn.cli->conn));
2914
2915 if (strequal(sockaddr, addr)) {
2916 smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
2917 }
2918 }
2919 TALLOC_FREE(freeit);
2920 }
Samba GIT mirror