search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug #9016 - Connection to outbound trusted domain goes offline.
[Samba.git] / source3 / winbindd / winbindd_cm.c
blobf1e4204115471d0383bbaae5cf3bf1e4517d8479
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon connection manager
5
6 Copyright (C) Tim Potter 2001
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Gerald (Jerry) Carter 2003-2005.
9 Copyright (C) Volker Lendecke 2004-2005
10 Copyright (C) Jeremy Allison 2006
11
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27 We need to manage connections to domain controllers without having to
28 mess up the main winbindd code with other issues. The aim of the
29 connection manager is to:
30
31 - make connections to domain controllers and cache them
32 - re-establish connections when networks or servers go down
33 - centralise the policy on connection timeouts, domain controller
34 selection etc
35 - manage re-entrancy for when winbindd becomes able to handle
36 multiple outstanding rpc requests
37
38 Why not have connection management as part of the rpc layer like tng?
39 Good question. This code may morph into libsmb/rpc_cache.c or something
40 like that but at the moment it's simply staying as part of winbind. I
41 think the TNG architecture of forcing every user of the rpc layer to use
42 the connection caching system is a bad idea. It should be an optional
43 method of using the routines.
44
45 The TNG design is quite good but I disagree with some aspects of the
46 implementation. -tpot
47
48 */
49
50 /*
51 TODO:
52
53 - I'm pretty annoyed by all the make_nmb_name() stuff. It should be
54 moved down into another function.
55
56 - Take care when destroying cli_structs as they can be shared between
57 various sam handles.
58
59 */
60
61 #include "includes.h"
62 #include "winbindd.h"
63 #include "../libcli/auth/libcli_auth.h"
64 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
65 #include "rpc_client/cli_pipe.h"
66 #include "rpc_client/cli_netlogon.h"
67 #include "../librpc/gen_ndr/ndr_samr_c.h"
68 #include "../librpc/gen_ndr/ndr_lsa_c.h"
69 #include "rpc_client/cli_lsarpc.h"
70 #include "../librpc/gen_ndr/ndr_dssetup_c.h"
71 #include "libads/sitename_cache.h"
72 #include "libsmb/libsmb.h"
73 #include "libsmb/clidgram.h"
74 #include "ads.h"
75 #include "secrets.h"
76 #include "../libcli/security/security.h"
77 #include "passdb.h"
78 #include "messages.h"
79 #include "auth/gensec/gensec.h"
80 #include "../libcli/smb/smbXcli_base.h"
81
82 #undef DBGC_CLASS
83 #define DBGC_CLASS DBGC_WINBIND
84
85 struct dc_name_ip {
86 fstring name;
87 struct sockaddr_storage ss;
88 };
89
90 extern struct winbindd_methods reconnect_methods;
91 extern bool override_logfile;
92
93 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
94 static void set_dc_type_and_flags( struct winbindd_domain *domain );
95 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
96 struct dc_name_ip **dcs, int *num_dcs);
97
98 /****************************************************************
99 Child failed to find DC's. Reschedule check.
100 ****************************************************************/
101
102 static void msg_failed_to_go_online(struct messaging_context *msg,
103 void *private_data,
104 uint32_t msg_type,
105 struct server_id server_id,
106 DATA_BLOB *data)
107 {
108 struct winbindd_domain *domain;
109 const char *domainname = (const char *)data->data;
110
111 if (data->data == NULL || data->length == 0) {
112 return;
113 }
114
115 DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
116
117 for (domain = domain_list(); domain; domain = domain->next) {
118 if (domain->internal) {
119 continue;
120 }
121
122 if (strequal(domain->name, domainname)) {
123 if (domain->online) {
124 /* We're already online, ignore. */
125 DEBUG(5,("msg_fail_to_go_online: domain %s "
126 "already online.\n", domainname));
127 continue;
128 }
129
130 /* Reschedule the online check. */
131 set_domain_offline(domain);
132 break;
133 }
134 }
135 }
136
137 /****************************************************************
138 Actually cause a reconnect from a message.
139 ****************************************************************/
140
141 static void msg_try_to_go_online(struct messaging_context *msg,
142 void *private_data,
143 uint32_t msg_type,
144 struct server_id server_id,
145 DATA_BLOB *data)
146 {
147 struct winbindd_domain *domain;
148 const char *domainname = (const char *)data->data;
149
150 if (data->data == NULL || data->length == 0) {
151 return;
152 }
153
154 DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
155
156 for (domain = domain_list(); domain; domain = domain->next) {
157 if (domain->internal) {
158 continue;
159 }
160
161 if (strequal(domain->name, domainname)) {
162
163 if (domain->online) {
164 /* We're already online, ignore. */
165 DEBUG(5,("msg_try_to_go_online: domain %s "
166 "already online.\n", domainname));
167 continue;
168 }
169
170 /* This call takes care of setting the online
171 flag to true if we connected, or re-adding
172 the offline handler if false. Bypasses online
173 check so always does network calls. */
174
175 init_dc_connection_network(domain);
176 break;
177 }
178 }
179 }
180
181 /****************************************************************
182 Fork a child to try and contact a DC. Do this as contacting a
183 DC requires blocking lookups and we don't want to block our
184 parent.
185 ****************************************************************/
186
187 static bool fork_child_dc_connect(struct winbindd_domain *domain)
188 {
189 struct dc_name_ip *dcs = NULL;
190 int num_dcs = 0;
191 TALLOC_CTX *mem_ctx = NULL;
192 pid_t parent_pid = getpid();
193 char *lfile = NULL;
194 NTSTATUS status;
195
196 if (domain->dc_probe_pid != (pid_t)-1) {
197 /*
198 * We might already have a DC probe
199 * child working, check.
200 */
201 if (process_exists_by_pid(domain->dc_probe_pid)) {
202 DEBUG(10,("fork_child_dc_connect: pid %u already "
203 "checking for DC's.\n",
204 (unsigned int)domain->dc_probe_pid));
205 return true;
206 }
207 domain->dc_probe_pid = (pid_t)-1;
208 }
209
210 domain->dc_probe_pid = fork();
211
212 if (domain->dc_probe_pid == (pid_t)-1) {
213 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
214 return False;
215 }
216
217 if (domain->dc_probe_pid != (pid_t)0) {
218 /* Parent */
219 messaging_register(winbind_messaging_context(), NULL,
220 MSG_WINBIND_TRY_TO_GO_ONLINE,
221 msg_try_to_go_online);
222 messaging_register(winbind_messaging_context(), NULL,
223 MSG_WINBIND_FAILED_TO_GO_ONLINE,
224 msg_failed_to_go_online);
225 return True;
226 }
227
228 /* Child. */
229
230 /* Leave messages blocked - we will never process one. */
231
232 if (!override_logfile) {
233 if (asprintf(&lfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) == -1) {
234 DEBUG(0, ("fork_child_dc_connect: out of memory.\n"));
235 _exit(1);
236 }
237 }
238
239 status = winbindd_reinit_after_fork(NULL, lfile);
240 if (!NT_STATUS_IS_OK(status)) {
241 DEBUG(1, ("winbindd_reinit_after_fork failed: %s\n",
242 nt_errstr(status)));
243 messaging_send_buf(winbind_messaging_context(),
244 pid_to_procid(parent_pid),
245 MSG_WINBIND_FAILED_TO_GO_ONLINE,
246 (uint8 *)domain->name,
247 strlen(domain->name)+1);
248 _exit(1);
249 }
250 SAFE_FREE(lfile);
251
252 mem_ctx = talloc_init("fork_child_dc_connect");
253 if (!mem_ctx) {
254 DEBUG(0,("talloc_init failed.\n"));
255 messaging_send_buf(winbind_messaging_context(),
256 pid_to_procid(parent_pid),
257 MSG_WINBIND_FAILED_TO_GO_ONLINE,
258 (uint8 *)domain->name,
259 strlen(domain->name)+1);
260 _exit(1);
261 }
262
263 if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
264 /* Still offline ? Can't find DC's. */
265 messaging_send_buf(winbind_messaging_context(),
266 pid_to_procid(parent_pid),
267 MSG_WINBIND_FAILED_TO_GO_ONLINE,
268 (uint8 *)domain->name,
269 strlen(domain->name)+1);
270 _exit(0);
271 }
272
273 /* We got a DC. Send a message to our parent to get it to
274 try and do the same. */
275
276 messaging_send_buf(winbind_messaging_context(),
277 pid_to_procid(parent_pid),
278 MSG_WINBIND_TRY_TO_GO_ONLINE,
279 (uint8 *)domain->name,
280 strlen(domain->name)+1);
281 _exit(0);
282 }
283
284 /****************************************************************
285 Handler triggered if we're offline to try and detect a DC.
286 ****************************************************************/
287
288 static void check_domain_online_handler(struct event_context *ctx,
289 struct timed_event *te,
290 struct timeval now,
291 void *private_data)
292 {
293 struct winbindd_domain *domain =
294 (struct winbindd_domain *)private_data;
295
296 DEBUG(10,("check_domain_online_handler: called for domain "
297 "%s (online = %s)\n", domain->name,
298 domain->online ? "True" : "False" ));
299
300 TALLOC_FREE(domain->check_online_event);
301
302 /* Are we still in "startup" mode ? */
303
304 if (domain->startup && (time_mono(NULL) > domain->startup_time + 30)) {
305 /* No longer in "startup" mode. */
306 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
307 domain->name ));
308 domain->startup = False;
309 }
310
311 /* We've been told to stay offline, so stay
312 that way. */
313
314 if (get_global_winbindd_state_offline()) {
315 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
316 domain->name ));
317 return;
318 }
319
320 /* Fork a child to test if it can contact a DC.
321 If it can then send ourselves a message to
322 cause a reconnect. */
323
324 fork_child_dc_connect(domain);
325 }
326
327 /****************************************************************
328 If we're still offline setup the timeout check.
329 ****************************************************************/
330
331 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
332 {
333 int wbr = lp_winbind_reconnect_delay();
334
335 if (domain->startup) {
336 domain->check_online_timeout = 10;
337 } else if (domain->check_online_timeout < wbr) {
338 domain->check_online_timeout = wbr;
339 }
340 }
341
342 /****************************************************************
343 Set domain offline and also add handler to put us back online
344 if we detect a DC.
345 ****************************************************************/
346
347 void set_domain_offline(struct winbindd_domain *domain)
348 {
349 DEBUG(10,("set_domain_offline: called for domain %s\n",
350 domain->name ));
351
352 TALLOC_FREE(domain->check_online_event);
353
354 if (domain->internal) {
355 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
356 domain->name ));
357 return;
358 }
359
360 domain->online = False;
361
362 /* Offline domains are always initialized. They're
363 re-initialized when they go back online. */
364
365 domain->initialized = True;
366
367 /* We only add the timeout handler that checks and
368 allows us to go back online when we've not
369 been told to remain offline. */
370
371 if (get_global_winbindd_state_offline()) {
372 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
373 domain->name ));
374 return;
375 }
376
377 /* If we're in startup mode, check again in 10 seconds, not in
378 lp_winbind_reconnect_delay() seconds (which is 30 seconds by default). */
379
380 calc_new_online_timeout_check(domain);
381
382 domain->check_online_event = event_add_timed(winbind_event_context(),
383 NULL,
384 timeval_current_ofs(domain->check_online_timeout,0),
385 check_domain_online_handler,
386 domain);
387
388 /* The above *has* to succeed for winbindd to work. */
389 if (!domain->check_online_event) {
390 smb_panic("set_domain_offline: failed to add online handler");
391 }
392
393 DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
394 domain->name ));
395
396 /* Send an offline message to the idmap child when our
397 primary domain goes offline */
398
399 if ( domain->primary ) {
400 struct winbindd_child *idmap = idmap_child();
401
402 if ( idmap->pid != 0 ) {
403 messaging_send_buf(winbind_messaging_context(),
404 pid_to_procid(idmap->pid),
405 MSG_WINBIND_OFFLINE,
406 (uint8 *)domain->name,
407 strlen(domain->name)+1);
408 }
409 }
410
411 return;
412 }
413
414 /****************************************************************
415 Set domain online - if allowed.
416 ****************************************************************/
417
418 static void set_domain_online(struct winbindd_domain *domain)
419 {
420 DEBUG(10,("set_domain_online: called for domain %s\n",
421 domain->name ));
422
423 if (domain->internal) {
424 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
425 domain->name ));
426 return;
427 }
428
429 if (get_global_winbindd_state_offline()) {
430 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
431 domain->name ));
432 return;
433 }
434
435 winbindd_set_locator_kdc_envs(domain);
436
437 /* If we are waiting to get a krb5 ticket, trigger immediately. */
438 ccache_regain_all_now();
439
440 /* Ok, we're out of any startup mode now... */
441 domain->startup = False;
442
443 if (domain->online == False) {
444 /* We were offline - now we're online. We default to
445 using the MS-RPC backend if we started offline,
446 and if we're going online for the first time we
447 should really re-initialize the backends and the
448 checks to see if we're talking to an AD or NT domain.
449 */
450
451 domain->initialized = False;
452
453 /* 'reconnect_methods' is the MS-RPC backend. */
454 if (domain->backend == &reconnect_methods) {
455 domain->backend = NULL;
456 }
457 }
458
459 /* Ensure we have no online timeout checks. */
460 domain->check_online_timeout = 0;
461 TALLOC_FREE(domain->check_online_event);
462
463 /* Ensure we ignore any pending child messages. */
464 messaging_deregister(winbind_messaging_context(),
465 MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
466 messaging_deregister(winbind_messaging_context(),
467 MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
468
469 domain->online = True;
470
471 /* Send an online message to the idmap child when our
472 primary domain comes online */
473
474 if ( domain->primary ) {
475 struct winbindd_child *idmap = idmap_child();
476
477 if ( idmap->pid != 0 ) {
478 messaging_send_buf(winbind_messaging_context(),
479 pid_to_procid(idmap->pid),
480 MSG_WINBIND_ONLINE,
481 (uint8 *)domain->name,
482 strlen(domain->name)+1);
483 }
484 }
485
486 return;
487 }
488
489 /****************************************************************
490 Requested to set a domain online.
491 ****************************************************************/
492
493 void set_domain_online_request(struct winbindd_domain *domain)
494 {
495 struct timeval tev;
496
497 DEBUG(10,("set_domain_online_request: called for domain %s\n",
498 domain->name ));
499
500 if (get_global_winbindd_state_offline()) {
501 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
502 domain->name ));
503 return;
504 }
505
506 if (domain->internal) {
507 DEBUG(10, ("set_domain_online_request: Internal domains are "
508 "always online\n"));
509 return;
510 }
511
512 /* We've been told it's safe to go online and
513 try and connect to a DC. But I don't believe it
514 because network manager seems to lie.
515 Wait at least 5 seconds. Heuristics suck... */
516
517
518 GetTimeOfDay(&tev);
519
520 /* Go into "startup" mode again. */
521 domain->startup_time = time_mono(NULL);
522 domain->startup = True;
523
524 tev.tv_sec += 5;
525
526 if (!domain->check_online_event) {
527 /* If we've come from being globally offline we
528 don't have a check online event handler set.
529 We need to add one now we're trying to go
530 back online. */
531
532 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
533 domain->name ));
534 }
535
536 TALLOC_FREE(domain->check_online_event);
537
538 domain->check_online_event = event_add_timed(winbind_event_context(),
539 NULL,
540 tev,
541 check_domain_online_handler,
542 domain);
543
544 /* The above *has* to succeed for winbindd to work. */
545 if (!domain->check_online_event) {
546 smb_panic("set_domain_online_request: failed to add online handler");
547 }
548 }
549
550 /****************************************************************
551 Add -ve connection cache entries for domain and realm.
552 ****************************************************************/
553
554 static void winbind_add_failed_connection_entry(
555 const struct winbindd_domain *domain,
556 const char *server,
557 NTSTATUS result)
558 {
559 add_failed_connection_entry(domain->name, server, result);
560 /* If this was the saf name for the last thing we talked to,
561 remove it. */
562 saf_delete(domain->name);
563 if (*domain->alt_name) {
564 add_failed_connection_entry(domain->alt_name, server, result);
565 saf_delete(domain->alt_name);
566 }
567 winbindd_unset_locator_kdc_env(domain);
568 }
569
570 /* Choose between anonymous or authenticated connections. We need to use
571 an authenticated connection if DCs have the RestrictAnonymous registry
572 entry set > 0, or the "Additional restrictions for anonymous
573 connections" set in the win2k Local Security Policy.
574
575 Caller to free() result in domain, username, password
576 */
577
578 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
579 {
580 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
581 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
582 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
583
584 if (*username && **username) {
585
586 if (!*domain || !**domain)
587 *domain = smb_xstrdup(lp_workgroup());
588
589 if (!*password || !**password)
590 *password = smb_xstrdup("");
591
592 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
593 *domain, *username));
594
595 } else {
596 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
597 *username = smb_xstrdup("");
598 *domain = smb_xstrdup("");
599 *password = smb_xstrdup("");
600 }
601 }
602
603 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
604 fstring dcname,
605 struct sockaddr_storage *dc_ss)
606 {
607 struct winbindd_domain *our_domain = NULL;
608 struct rpc_pipe_client *netlogon_pipe = NULL;
609 NTSTATUS result;
610 WERROR werr;
611 TALLOC_CTX *mem_ctx;
612 unsigned int orig_timeout;
613 const char *tmp = NULL;
614 const char *p;
615 struct dcerpc_binding_handle *b;
616
617 /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
618 * moment.... */
619
620 if (IS_DC) {
621 return False;
622 }
623
624 if (domain->primary) {
625 return False;
626 }
627
628 our_domain = find_our_domain();
629
630 if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
631 return False;
632 }
633
634 result = cm_connect_netlogon(our_domain, &netlogon_pipe);
635 if (!NT_STATUS_IS_OK(result)) {
636 talloc_destroy(mem_ctx);
637 return False;
638 }
639
640 b = netlogon_pipe->binding_handle;
641
642 /* This call can take a long time - allow the server to time out.
643 35 seconds should do it. */
644
645 orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
646
647 if (our_domain->active_directory) {
648 struct netr_DsRGetDCNameInfo *domain_info = NULL;
649
650 result = dcerpc_netr_DsRGetDCName(b,
651 mem_ctx,
652 our_domain->dcname,
653 domain->name,
654 NULL,
655 NULL,
656 DS_RETURN_DNS_NAME,
657 &domain_info,
658 &werr);
659 if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
660 tmp = talloc_strdup(
661 mem_ctx, domain_info->dc_unc);
662 if (tmp == NULL) {
663 DEBUG(0, ("talloc_strdup failed\n"));
664 talloc_destroy(mem_ctx);
665 return false;
666 }
667 if (strlen(domain->alt_name) == 0) {
668 fstrcpy(domain->alt_name,
669 domain_info->domain_name);
670 }
671 if (strlen(domain->forest_name) == 0) {
672 fstrcpy(domain->forest_name,
673 domain_info->forest_name);
674 }
675 }
676 } else {
677 result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
678 our_domain->dcname,
679 domain->name,
680 &tmp,
681 &werr);
682 }
683
684 /* And restore our original timeout. */
685 rpccli_set_timeout(netlogon_pipe, orig_timeout);
686
687 if (!NT_STATUS_IS_OK(result)) {
688 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
689 nt_errstr(result)));
690 talloc_destroy(mem_ctx);
691 return false;
692 }
693
694 if (!W_ERROR_IS_OK(werr)) {
695 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
696 win_errstr(werr)));
697 talloc_destroy(mem_ctx);
698 return false;
699 }
700
701 /* dcerpc_netr_GetAnyDCName gives us a name with \\ */
702 p = strip_hostname(tmp);
703
704 fstrcpy(dcname, p);
705
706 talloc_destroy(mem_ctx);
707
708 DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
709
710 if (!resolve_name(dcname, dc_ss, 0x20, true)) {
711 return False;
712 }
713
714 return True;
715 }
716
717 /**
718 * Helper function to assemble trust password and account name
719 */
720 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
721 char **machine_password,
722 char **machine_account,
723 char **machine_krb5_principal)
724 {
725 const char *account_name;
726 const char *name = NULL;
727
728 /* If we are a DC and this is not our own domain */
729
730 if (IS_DC) {
731 name = domain->name;
732 } else {
733 struct winbindd_domain *our_domain = find_our_domain();
734
735 if (!our_domain)
736 return NT_STATUS_INVALID_SERVER_STATE;
737
738 name = our_domain->name;
739 }
740
741 if (!get_trust_pw_clear(name, machine_password,
742 &account_name, NULL))
743 {
744 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
745 }
746
747 if ((machine_account != NULL) &&
748 (asprintf(machine_account, "%s$", account_name) == -1))
749 {
750 return NT_STATUS_NO_MEMORY;
751 }
752
753 /* For now assume our machine account only exists in our domain */
754
755 if (machine_krb5_principal != NULL)
756 {
757 struct winbindd_domain *our_domain = find_our_domain();
758
759 if (!our_domain) {
760 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
761 }
762
763 if (asprintf(machine_krb5_principal, "%s$@%s",
764 account_name, our_domain->alt_name) == -1)
765 {
766 return NT_STATUS_NO_MEMORY;
767 }
768
769 strupper_m(*machine_krb5_principal);
770 }
771
772 return NT_STATUS_OK;
773 }
774
775 /************************************************************************
776 Given a fd with a just-connected TCP connection to a DC, open a connection
777 to the pipe.
778 ************************************************************************/
779
780 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
781 const int sockfd,
782 const char *controller,
783 struct cli_state **cli,
784 bool *retry)
785 {
786 bool try_spnego = false;
787 bool try_ipc_auth = false;
788 char *machine_password = NULL;
789 char *machine_krb5_principal = NULL;
790 char *machine_account = NULL;
791 char *ipc_username = NULL;
792 char *ipc_domain = NULL;
793 char *ipc_password = NULL;
794 int flags = 0;
795 uint16_t sec_mode = 0;
796
797 struct named_mutex *mutex;
798
799 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
800
801 DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
802 controller, domain->name ));
803
804 *retry = True;
805
806 mutex = grab_named_mutex(talloc_tos(), controller,
807 WINBIND_SERVER_MUTEX_WAIT_TIME);
808 if (mutex == NULL) {
809 close(sockfd);
810 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
811 controller));
812 result = NT_STATUS_POSSIBLE_DEADLOCK;
813 goto done;
814 }
815
816 flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
817
818 *cli = cli_state_create(NULL, sockfd,
819 controller, domain->alt_name,
820 SMB_SIGNING_DEFAULT, flags);
821 if (*cli == NULL) {
822 close(sockfd);
823 DEBUG(1, ("Could not cli_initialize\n"));
824 result = NT_STATUS_NO_MEMORY;
825 goto done;
826 }
827
828 cli_set_timeout(*cli, 10000); /* 10 seconds */
829
830 result = smbXcli_negprot((*cli)->conn, (*cli)->timeout, PROTOCOL_CORE,
831 PROTOCOL_SMB2_02);
832
833 if (!NT_STATUS_IS_OK(result)) {
834 DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
835 goto done;
836 }
837
838 if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_NT1 &&
839 smb1cli_conn_capabilities((*cli)->conn) & CAP_EXTENDED_SECURITY) {
840 try_spnego = true;
841 } else if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
842 try_spnego = true;
843 }
844
845 if (!is_dc_trusted_domain_situation(domain->name) && try_spnego) {
846 result = get_trust_creds(domain, &machine_password,
847 &machine_account,
848 &machine_krb5_principal);
849 if (!NT_STATUS_IS_OK(result)) {
850 goto anon_fallback;
851 }
852
853 if (lp_security() == SEC_ADS) {
854
855 /* Try a krb5 session */
856
857 (*cli)->use_kerberos = True;
858 DEBUG(5, ("connecting to %s from %s with kerberos principal "
859 "[%s] and realm [%s]\n", controller, lp_netbios_name(),
860 machine_krb5_principal, domain->alt_name));
861
862 winbindd_set_locator_kdc_envs(domain);
863
864 result = cli_session_setup(*cli,
865 machine_krb5_principal,
866 machine_password,
867 strlen(machine_password)+1,
868 machine_password,
869 strlen(machine_password)+1,
870 lp_workgroup());
871
872 if (!NT_STATUS_IS_OK(result)) {
873 DEBUG(4,("failed kerberos session setup with %s\n",
874 nt_errstr(result)));
875 }
876
877 if (NT_STATUS_IS_OK(result)) {
878 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
879 result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
880 if (!NT_STATUS_IS_OK(result)) {
881 goto done;
882 }
883 goto session_setup_done;
884 }
885 }
886
887 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
888 (*cli)->use_kerberos = False;
889
890 DEBUG(5, ("connecting to %s from %s with username "
891 "[%s]\\[%s]\n", controller, lp_netbios_name(),
892 lp_workgroup(), machine_account));
893
894 result = cli_session_setup(*cli,
895 machine_account,
896 machine_password,
897 strlen(machine_password)+1,
898 machine_password,
899 strlen(machine_password)+1,
900 lp_workgroup());
901 if (!NT_STATUS_IS_OK(result)) {
902 DEBUG(4, ("authenticated session setup failed with %s\n",
903 nt_errstr(result)));
904 }
905
906 if (NT_STATUS_IS_OK(result)) {
907 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
908 result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
909 if (!NT_STATUS_IS_OK(result)) {
910 goto done;
911 }
912 goto session_setup_done;
913 }
914 }
915
916 /* Fall back to non-kerberos session setup with auth_user */
917
918 (*cli)->use_kerberos = False;
919
920 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
921
922 sec_mode = smb1cli_conn_server_security_mode((*cli)->conn);
923
924 try_ipc_auth = false;
925 if (try_spnego) {
926 try_ipc_auth = true;
927 } else if (sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
928 try_ipc_auth = true;
929 }
930
931 if (try_ipc_auth && (strlen(ipc_username) > 0)) {
932
933 /* Only try authenticated if we have a username */
934
935 DEBUG(5, ("connecting to %s from %s with username "
936 "[%s]\\[%s]\n", controller, lp_netbios_name(),
937 ipc_domain, ipc_username));
938
939 if (NT_STATUS_IS_OK(cli_session_setup(
940 *cli, ipc_username,
941 ipc_password, strlen(ipc_password)+1,
942 ipc_password, strlen(ipc_password)+1,
943 ipc_domain))) {
944 /* Successful logon with given username. */
945 result = cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
946 if (!NT_STATUS_IS_OK(result)) {
947 goto done;
948 }
949 goto session_setup_done;
950 } else {
951 DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
952 ipc_domain, ipc_username ));
953 }
954 }
955
956 anon_fallback:
957
958 /* Fall back to anonymous connection, this might fail later */
959 DEBUG(10,("cm_prepare_connection: falling back to anonymous "
960 "connection for DC %s\n",
961 controller ));
962
963 result = cli_session_setup(*cli, "", NULL, 0, NULL, 0, "");
964 if (NT_STATUS_IS_OK(result)) {
965 DEBUG(5, ("Connected anonymously\n"));
966 result = cli_init_creds(*cli, "", "", "");
967 if (!NT_STATUS_IS_OK(result)) {
968 goto done;
969 }
970 goto session_setup_done;
971 }
972
973 /* We can't session setup */
974 goto done;
975
976 session_setup_done:
977
978 /* cache the server name for later connections */
979
980 saf_store(domain->name, controller);
981 if (domain->alt_name && (*cli)->use_kerberos) {
982 saf_store(domain->alt_name, controller);
983 }
984
985 winbindd_set_locator_kdc_envs(domain);
986
987 result = cli_tree_connect(*cli, "IPC$", "IPC", "", 0);
988
989 if (!NT_STATUS_IS_OK(result)) {
990 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
991 goto done;
992 }
993
994 TALLOC_FREE(mutex);
995 *retry = False;
996
997 /* set the domain if empty; needed for schannel connections */
998 if ( !(*cli)->domain[0] ) {
999 result = cli_set_domain((*cli), domain->name);
1000 if (!NT_STATUS_IS_OK(result)) {
1001 return result;
1002 }
1003 }
1004
1005 result = NT_STATUS_OK;
1006
1007 done:
1008 TALLOC_FREE(mutex);
1009 SAFE_FREE(machine_account);
1010 SAFE_FREE(machine_password);
1011 SAFE_FREE(machine_krb5_principal);
1012 SAFE_FREE(ipc_username);
1013 SAFE_FREE(ipc_domain);
1014 SAFE_FREE(ipc_password);
1015
1016 if (!NT_STATUS_IS_OK(result)) {
1017 winbind_add_failed_connection_entry(domain, controller, result);
1018 if ((*cli) != NULL) {
1019 cli_shutdown(*cli);
1020 *cli = NULL;
1021 }
1022 }
1023
1024 return result;
1025 }
1026
1027 /*******************************************************************
1028 Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
1029 array.
1030
1031 Keeps the list unique by not adding duplicate entries.
1032
1033 @param[in] mem_ctx talloc memory context to allocate from
1034 @param[in] domain_name domain of the DC
1035 @param[in] dcname name of the DC to add to the list
1036 @param[in] pss Internet address and port pair to add to the list
1037 @param[in,out] dcs array of dc_name_ip structures to add to
1038 @param[in,out] num_dcs number of dcs returned in the dcs array
1039 @return true if the list was added to, false otherwise
1040 *******************************************************************/
1041
1042 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
1043 const char *dcname, struct sockaddr_storage *pss,
1044 struct dc_name_ip **dcs, int *num)
1045 {
1046 int i = 0;
1047
1048 if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
1049 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
1050 return False;
1051 }
1052
1053 /* Make sure there's no duplicates in the list */
1054 for (i=0; i<*num; i++)
1055 if (sockaddr_equal(
1056 (struct sockaddr *)(void *)&(*dcs)[i].ss,
1057 (struct sockaddr *)(void *)pss))
1058 return False;
1059
1060 *dcs = talloc_realloc(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
1061
1062 if (*dcs == NULL)
1063 return False;
1064
1065 fstrcpy((*dcs)[*num].name, dcname);
1066 (*dcs)[*num].ss = *pss;
1067 *num += 1;
1068 return True;
1069 }
1070
1071 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1072 struct sockaddr_storage *pss, uint16 port,
1073 struct sockaddr_storage **addrs, int *num)
1074 {
1075 *addrs = talloc_realloc(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1076
1077 if (*addrs == NULL) {
1078 *num = 0;
1079 return False;
1080 }
1081
1082 (*addrs)[*num] = *pss;
1083 set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
1084
1085 *num += 1;
1086 return True;
1087 }
1088
1089 /*******************************************************************
1090 convert an ip to a name
1091 *******************************************************************/
1092
1093 static bool dcip_to_name(TALLOC_CTX *mem_ctx,
1094 const struct winbindd_domain *domain,
1095 struct sockaddr_storage *pss,
1096 fstring name )
1097 {
1098 struct ip_service ip_list;
1099 uint32_t nt_version = NETLOGON_NT_VERSION_1;
1100 NTSTATUS status;
1101 const char *dc_name;
1102
1103 ip_list.ss = *pss;
1104 ip_list.port = 0;
1105
1106 #ifdef HAVE_ADS
1107 /* For active directory servers, try to get the ldap server name.
1108 None of these failures should be considered critical for now */
1109
1110 if (lp_security() == SEC_ADS) {
1111 ADS_STRUCT *ads;
1112 ADS_STATUS ads_status;
1113 char addr[INET6_ADDRSTRLEN];
1114
1115 print_sockaddr(addr, sizeof(addr), pss);
1116
1117 ads = ads_init(domain->alt_name, domain->name, addr);
1118 ads->auth.flags |= ADS_AUTH_NO_BIND;
1119
1120 ads_status = ads_connect(ads);
1121 if (ADS_ERR_OK(ads_status)) {
1122 /* We got a cldap packet. */
1123 fstrcpy(name, ads->config.ldap_server_name);
1124 namecache_store(name, 0x20, 1, &ip_list);
1125
1126 DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1127
1128 if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
1129 if (ads_closest_dc(ads)) {
1130 char *sitename = sitename_fetch(ads->config.realm);
1131
1132 /* We're going to use this KDC for this realm/domain.
1133 If we are using sites, then force the krb5 libs
1134 to use this KDC. */
1135
1136 create_local_private_krb5_conf_for_domain(domain->alt_name,
1137 domain->name,
1138 sitename,
1139 pss,
1140 name);
1141
1142 SAFE_FREE(sitename);
1143 } else {
1144 /* use an off site KDC */
1145 create_local_private_krb5_conf_for_domain(domain->alt_name,
1146 domain->name,
1147 NULL,
1148 pss,
1149 name);
1150 }
1151 winbindd_set_locator_kdc_envs(domain);
1152
1153 /* Ensure we contact this DC also. */
1154 saf_store( domain->name, name);
1155 saf_store( domain->alt_name, name);
1156 }
1157
1158 ads_destroy( &ads );
1159 return True;
1160 }
1161
1162 ads_destroy( &ads );
1163 return false;
1164 }
1165 #endif
1166
1167 status = nbt_getdc(winbind_messaging_context(), 10, pss, domain->name,
1168 &domain->sid, nt_version, mem_ctx, &nt_version,
1169 &dc_name, NULL);
1170 if (NT_STATUS_IS_OK(status)) {
1171 fstrcpy(name, dc_name);
1172 namecache_store(name, 0x20, 1, &ip_list);
1173 return True;
1174 }
1175
1176 /* try node status request */
1177
1178 if ( name_status_find(domain->name, 0x1c, 0x20, pss, name) ) {
1179 namecache_store(name, 0x20, 1, &ip_list);
1180 return True;
1181 }
1182 return False;
1183 }
1184
1185 /*******************************************************************
1186 Retrieve a list of IP addresses for domain controllers.
1187
1188 The array is sorted in the preferred connection order.
1189
1190 @param[in] mem_ctx talloc memory context to allocate from
1191 @param[in] domain domain to retrieve DCs for
1192 @param[out] dcs array of dcs that will be returned
1193 @param[out] num_dcs number of dcs returned in the dcs array
1194 @return always true
1195 *******************************************************************/
1196
1197 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1198 struct dc_name_ip **dcs, int *num_dcs)
1199 {
1200 fstring dcname;
1201 struct sockaddr_storage ss;
1202 struct ip_service *ip_list = NULL;
1203 int iplist_size = 0;
1204 int i;
1205 bool is_our_domain;
1206 enum security_types sec = (enum security_types)lp_security();
1207
1208 is_our_domain = strequal(domain->name, lp_workgroup());
1209
1210 /* If not our domain, get the preferred DC, by asking our primary DC */
1211 if ( !is_our_domain
1212 && get_dc_name_via_netlogon(domain, dcname, &ss)
1213 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
1214 num_dcs) )
1215 {
1216 char addr[INET6_ADDRSTRLEN];
1217 print_sockaddr(addr, sizeof(addr), &ss);
1218 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1219 dcname, addr));
1220 return True;
1221 }
1222
1223 if (sec == SEC_ADS) {
1224 char *sitename = NULL;
1225
1226 /* We need to make sure we know the local site before
1227 doing any DNS queries, as this will restrict the
1228 get_sorted_dc_list() call below to only fetching
1229 DNS records for the correct site. */
1230
1231 /* Find any DC to get the site record.
1232 We deliberately don't care about the
1233 return here. */
1234
1235 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1236
1237 sitename = sitename_fetch(domain->alt_name);
1238 if (sitename) {
1239
1240 /* Do the site-specific AD dns lookup first. */
1241 get_sorted_dc_list(domain->alt_name, sitename, &ip_list,
1242 &iplist_size, True);
1243
1244 /* Add ips to the DC array. We don't look up the name
1245 of the DC in this function, but we fill in the char*
1246 of the ip now to make the failed connection cache
1247 work */
1248 for ( i=0; i<iplist_size; i++ ) {
1249 char addr[INET6_ADDRSTRLEN];
1250 print_sockaddr(addr, sizeof(addr),
1251 &ip_list[i].ss);
1252 add_one_dc_unique(mem_ctx,
1253 domain->name,
1254 addr,
1255 &ip_list[i].ss,
1256 dcs,
1257 num_dcs);
1258 }
1259
1260 SAFE_FREE(ip_list);
1261 SAFE_FREE(sitename);
1262 iplist_size = 0;
1263 }
1264
1265 /* Now we add DCs from the main AD DNS lookup. */
1266 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1267 &iplist_size, True);
1268
1269 for ( i=0; i<iplist_size; i++ ) {
1270 char addr[INET6_ADDRSTRLEN];
1271 print_sockaddr(addr, sizeof(addr),
1272 &ip_list[i].ss);
1273 add_one_dc_unique(mem_ctx,
1274 domain->name,
1275 addr,
1276 &ip_list[i].ss,
1277 dcs,
1278 num_dcs);
1279 }
1280
1281 SAFE_FREE(ip_list);
1282 iplist_size = 0;
1283 }
1284
1285 /* Try standard netbios queries if no ADS */
1286 if (*num_dcs == 0) {
1287 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
1288 False);
1289
1290 for ( i=0; i<iplist_size; i++ ) {
1291 char addr[INET6_ADDRSTRLEN];
1292 print_sockaddr(addr, sizeof(addr),
1293 &ip_list[i].ss);
1294 add_one_dc_unique(mem_ctx,
1295 domain->name,
1296 addr,
1297 &ip_list[i].ss,
1298 dcs,
1299 num_dcs);
1300 }
1301
1302 SAFE_FREE(ip_list);
1303 iplist_size = 0;
1304 }
1305
1306 return True;
1307 }
1308
1309 /*******************************************************************
1310 Find and make a connection to a DC in the given domain.
1311
1312 @param[in] mem_ctx talloc memory context to allocate from
1313 @param[in] domain domain to find a dc in
1314 @param[out] dcname NetBIOS or FQDN of DC that's connected to
1315 @param[out] pss DC Internet address and port
1316 @param[out] fd fd of the open socket connected to the newly found dc
1317 @return true when a DC connection is made, false otherwise
1318 *******************************************************************/
1319
1320 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1321 struct winbindd_domain *domain,
1322 fstring dcname, struct sockaddr_storage *pss, int *fd)
1323 {
1324 struct dc_name_ip *dcs = NULL;
1325 int num_dcs = 0;
1326
1327 const char **dcnames = NULL;
1328 int num_dcnames = 0;
1329
1330 struct sockaddr_storage *addrs = NULL;
1331 int num_addrs = 0;
1332
1333 int i;
1334 size_t fd_index;
1335
1336 NTSTATUS status;
1337
1338 *fd = -1;
1339
1340 again:
1341 if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1342 return False;
1343
1344 for (i=0; i<num_dcs; i++) {
1345
1346 if (!add_string_to_array(mem_ctx, dcs[i].name,
1347 &dcnames, &num_dcnames)) {
1348 return False;
1349 }
1350 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, TCP_SMB_PORT,
1351 &addrs, &num_addrs)) {
1352 return False;
1353 }
1354 }
1355
1356 if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1357 return False;
1358
1359 if ((addrs == NULL) || (dcnames == NULL))
1360 return False;
1361
1362 status = smbsock_any_connect(addrs, dcnames, NULL, NULL, NULL,
1363 num_addrs, 0, 10, fd, &fd_index, NULL);
1364 if (!NT_STATUS_IS_OK(status)) {
1365 for (i=0; i<num_dcs; i++) {
1366 char ab[INET6_ADDRSTRLEN];
1367 print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1368 DEBUG(10, ("find_new_dc: smbsock_any_connect failed for "
1369 "domain %s address %s. Error was %s\n",
1370 domain->name, ab, nt_errstr(status) ));
1371 winbind_add_failed_connection_entry(domain,
1372 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1373 }
1374 return False;
1375 }
1376
1377 *pss = addrs[fd_index];
1378
1379 if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1380 /* Ok, we've got a name for the DC */
1381 fstrcpy(dcname, dcnames[fd_index]);
1382 return True;
1383 }
1384
1385 /* Try to figure out the name */
1386 if (dcip_to_name(mem_ctx, domain, pss, dcname)) {
1387 return True;
1388 }
1389
1390 /* We can not continue without the DC's name */
1391 winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1392 NT_STATUS_UNSUCCESSFUL);
1393
1394 /* Throw away all arrays as we're doing this again. */
1395 TALLOC_FREE(dcs);
1396 num_dcs = 0;
1397
1398 TALLOC_FREE(dcnames);
1399 num_dcnames = 0;
1400
1401 TALLOC_FREE(addrs);
1402 num_addrs = 0;
1403
1404 close(*fd);
1405 *fd = -1;
1406
1407 goto again;
1408 }
1409
1410 static char *current_dc_key(TALLOC_CTX *mem_ctx, const char *domain_name)
1411 {
1412 return talloc_asprintf_strupper_m(mem_ctx, "CURRENT_DCNAME/%s",
1413 domain_name);
1414 }
1415
1416 static void store_current_dc_in_gencache(const char *domain_name,
1417 const char *dc_name,
1418 struct cli_state *cli)
1419 {
1420 char addr[INET6_ADDRSTRLEN];
1421 char *key = NULL;
1422 char *value = NULL;
1423
1424 if (!cli_state_is_connected(cli)) {
1425 return;
1426 }
1427
1428 print_sockaddr(addr, sizeof(addr),
1429 smbXcli_conn_remote_sockaddr(cli->conn));
1430
1431 key = current_dc_key(talloc_tos(), domain_name);
1432 if (key == NULL) {
1433 goto done;
1434 }
1435
1436 value = talloc_asprintf(talloc_tos(), "%s %s", addr, dc_name);
1437 if (value == NULL) {
1438 goto done;
1439 }
1440
1441 gencache_set(key, value, 0x7fffffff);
1442 done:
1443 TALLOC_FREE(value);
1444 TALLOC_FREE(key);
1445 }
1446
1447 bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx,
1448 const char *domain_name,
1449 char **p_dc_name, char **p_dc_ip)
1450 {
1451 char *key, *value, *p;
1452 bool ret = false;
1453 char *dc_name = NULL;
1454 char *dc_ip = NULL;
1455
1456 key = current_dc_key(talloc_tos(), domain_name);
1457 if (key == NULL) {
1458 goto done;
1459 }
1460 if (!gencache_get(key, &value, NULL)) {
1461 goto done;
1462 }
1463 p = strchr(value, ' ');
1464 if (p == NULL) {
1465 goto done;
1466 }
1467 dc_ip = talloc_strndup(mem_ctx, value, p - value);
1468 if (dc_ip == NULL) {
1469 goto done;
1470 }
1471 dc_name = talloc_strdup(mem_ctx, p+1);
1472 if (dc_name == NULL) {
1473 goto done;
1474 }
1475
1476 if (p_dc_ip != NULL) {
1477 *p_dc_ip = dc_ip;
1478 dc_ip = NULL;
1479 }
1480 if (p_dc_name != NULL) {
1481 *p_dc_name = dc_name;
1482 dc_name = NULL;
1483 }
1484 ret = true;
1485 done:
1486 TALLOC_FREE(dc_name);
1487 TALLOC_FREE(dc_ip);
1488 TALLOC_FREE(key);
1489 return ret;
1490 }
1491
1492 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1493 struct winbindd_cm_conn *new_conn)
1494 {
1495 TALLOC_CTX *mem_ctx;
1496 NTSTATUS result;
1497 char *saf_servername = saf_fetch( domain->name );
1498 int retries;
1499
1500 if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1501 SAFE_FREE(saf_servername);
1502 set_domain_offline(domain);
1503 return NT_STATUS_NO_MEMORY;
1504 }
1505
1506 /* we have to check the server affinity cache here since
1507 later we select a DC based on response time and not preference */
1508
1509 /* Check the negative connection cache
1510 before talking to it. It going down may have
1511 triggered the reconnection. */
1512
1513 if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1514
1515 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1516 saf_servername, domain->name ));
1517
1518 /* convert an ip address to a name */
1519 if (is_ipaddress( saf_servername ) ) {
1520 fstring saf_name;
1521 struct sockaddr_storage ss;
1522
1523 if (!interpret_string_addr(&ss, saf_servername,
1524 AI_NUMERICHOST)) {
1525 return NT_STATUS_UNSUCCESSFUL;
1526 }
1527 if (dcip_to_name(mem_ctx, domain, &ss, saf_name )) {
1528 strlcpy(domain->dcname, saf_name, sizeof(domain->dcname));
1529 } else {
1530 winbind_add_failed_connection_entry(
1531 domain, saf_servername,
1532 NT_STATUS_UNSUCCESSFUL);
1533 }
1534 } else {
1535 fstrcpy( domain->dcname, saf_servername );
1536 }
1537
1538 SAFE_FREE( saf_servername );
1539 }
1540
1541 for (retries = 0; retries < 3; retries++) {
1542 int fd = -1;
1543 bool retry = False;
1544
1545 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1546
1547 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1548 domain->dcname, domain->name ));
1549
1550 if (*domain->dcname
1551 && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1552 && (resolve_name(domain->dcname, &domain->dcaddr, 0x20, true)))
1553 {
1554 NTSTATUS status;
1555
1556 status = smbsock_connect(&domain->dcaddr, 0,
1557 NULL, -1, NULL, -1,
1558 &fd, NULL, 10);
1559 if (!NT_STATUS_IS_OK(status)) {
1560 fd = -1;
1561 }
1562 }
1563
1564 if ((fd == -1)
1565 && !find_new_dc(mem_ctx, domain, domain->dcname, &domain->dcaddr, &fd))
1566 {
1567 /* This is the one place where we will
1568 set the global winbindd offline state
1569 to true, if a "WINBINDD_OFFLINE" entry
1570 is found in the winbindd cache. */
1571 set_global_winbindd_state_offline();
1572 break;
1573 }
1574
1575 new_conn->cli = NULL;
1576
1577 result = cm_prepare_connection(domain, fd, domain->dcname,
1578 &new_conn->cli, &retry);
1579
1580 if (!retry)
1581 break;
1582 }
1583
1584 if (NT_STATUS_IS_OK(result)) {
1585
1586 winbindd_set_locator_kdc_envs(domain);
1587
1588 if (domain->online == False) {
1589 /* We're changing state from offline to online. */
1590 set_global_winbindd_state_online();
1591 }
1592 set_domain_online(domain);
1593
1594 /*
1595 * Much as I hate global state, this seems to be the point
1596 * where we can be certain that we have a proper connection to
1597 * a DC. wbinfo --dc-info needs that information, store it in
1598 * gencache with a looong timeout. This will need revisiting
1599 * once we start to connect to multiple DCs, wbcDcInfo is
1600 * already prepared for that.
1601 */
1602 store_current_dc_in_gencache(domain->name, domain->dcname,
1603 new_conn->cli);
1604 } else {
1605 /* Ensure we setup the retry handler. */
1606 set_domain_offline(domain);
1607 }
1608
1609 talloc_destroy(mem_ctx);
1610 return result;
1611 }
1612
1613 /* Close down all open pipes on a connection. */
1614
1615 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
1616 {
1617 NTSTATUS result;
1618
1619 /* We're closing down a possibly dead
1620 connection. Don't have impossibly long (10s) timeouts. */
1621
1622 if (conn->cli) {
1623 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1624 }
1625
1626 if (conn->samr_pipe != NULL) {
1627 if (is_valid_policy_hnd(&conn->sam_connect_handle)) {
1628 dcerpc_samr_Close(conn->samr_pipe->binding_handle,
1629 talloc_tos(),
1630 &conn->sam_connect_handle,
1631 &result);
1632 }
1633 TALLOC_FREE(conn->samr_pipe);
1634 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1635 if (conn->cli) {
1636 cli_set_timeout(conn->cli, 500);
1637 }
1638 }
1639
1640 if (conn->lsa_pipe != NULL) {
1641 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1642 dcerpc_lsa_Close(conn->lsa_pipe->binding_handle,
1643 talloc_tos(),
1644 &conn->lsa_policy,
1645 &result);
1646 }
1647 TALLOC_FREE(conn->lsa_pipe);
1648 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1649 if (conn->cli) {
1650 cli_set_timeout(conn->cli, 500);
1651 }
1652 }
1653
1654 if (conn->lsa_pipe_tcp != NULL) {
1655 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1656 dcerpc_lsa_Close(conn->lsa_pipe_tcp->binding_handle,
1657 talloc_tos(),
1658 &conn->lsa_policy,
1659 &result);
1660 }
1661 TALLOC_FREE(conn->lsa_pipe_tcp);
1662 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1663 if (conn->cli) {
1664 cli_set_timeout(conn->cli, 500);
1665 }
1666 }
1667
1668 if (conn->netlogon_pipe != NULL) {
1669 TALLOC_FREE(conn->netlogon_pipe);
1670 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1671 if (conn->cli) {
1672 cli_set_timeout(conn->cli, 500);
1673 }
1674 }
1675
1676 if (conn->cli) {
1677 cli_shutdown(conn->cli);
1678 }
1679
1680 conn->cli = NULL;
1681 }
1682
1683 void close_conns_after_fork(void)
1684 {
1685 struct winbindd_domain *domain;
1686 struct winbindd_cli_state *cli_state;
1687
1688 for (domain = domain_list(); domain; domain = domain->next) {
1689 /*
1690 * first close the low level SMB TCP connection
1691 * so that we don't generate any SMBclose
1692 * requests in invalidate_cm_connection()
1693 */
1694 if (cli_state_is_connected(domain->conn.cli)) {
1695 smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
1696 }
1697
1698 invalidate_cm_connection(&domain->conn);
1699 }
1700
1701 for (cli_state = winbindd_client_list();
1702 cli_state != NULL;
1703 cli_state = cli_state->next) {
1704 if (cli_state->sock >= 0) {
1705 close(cli_state->sock);
1706 cli_state->sock = -1;
1707 }
1708 }
1709 }
1710
1711 static bool connection_ok(struct winbindd_domain *domain)
1712 {
1713 bool ok;
1714
1715 ok = cli_state_is_connected(domain->conn.cli);
1716 if (!ok) {
1717 DEBUG(3, ("connection_ok: Connection to %s for domain %s is not connected\n",
1718 domain->dcname, domain->name));
1719 return False;
1720 }
1721
1722 if (domain->online == False) {
1723 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1724 return False;
1725 }
1726
1727 return True;
1728 }
1729
1730 /* Initialize a new connection up to the RPC BIND.
1731 Bypass online status check so always does network calls. */
1732
1733 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
1734 {
1735 NTSTATUS result;
1736
1737 /* Internal connections never use the network. */
1738 if (domain->internal) {
1739 domain->initialized = True;
1740 return NT_STATUS_OK;
1741 }
1742
1743 if (connection_ok(domain)) {
1744 if (!domain->initialized) {
1745 set_dc_type_and_flags(domain);
1746 }
1747 return NT_STATUS_OK;
1748 }
1749
1750 invalidate_cm_connection(&domain->conn);
1751
1752 result = cm_open_connection(domain, &domain->conn);
1753
1754 if (NT_STATUS_IS_OK(result) && !domain->initialized) {
1755 set_dc_type_and_flags(domain);
1756 }
1757
1758 return result;
1759 }
1760
1761 NTSTATUS init_dc_connection(struct winbindd_domain *domain)
1762 {
1763 if (domain->internal) {
1764 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1765 }
1766
1767 if (domain->initialized && !domain->online) {
1768 /* We check for online status elsewhere. */
1769 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1770 }
1771
1772 return init_dc_connection_network(domain);
1773 }
1774
1775 static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain)
1776 {
1777 NTSTATUS status;
1778
1779 status = init_dc_connection(domain);
1780 if (!NT_STATUS_IS_OK(status)) {
1781 return status;
1782 }
1783
1784 if (!domain->internal && domain->conn.cli == NULL) {
1785 /* happens for trusted domains without inbound trust */
1786 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
1787 }
1788
1789 return NT_STATUS_OK;
1790 }
1791
1792 /******************************************************************************
1793 Set the trust flags (direction and forest location) for a domain
1794 ******************************************************************************/
1795
1796 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
1797 {
1798 struct winbindd_domain *our_domain;
1799 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1800 WERROR werr;
1801 struct netr_DomainTrustList trusts;
1802 int i;
1803 uint32 flags = (NETR_TRUST_FLAG_IN_FOREST |
1804 NETR_TRUST_FLAG_OUTBOUND |
1805 NETR_TRUST_FLAG_INBOUND);
1806 struct rpc_pipe_client *cli;
1807 TALLOC_CTX *mem_ctx = NULL;
1808 struct dcerpc_binding_handle *b;
1809
1810 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
1811
1812 /* Our primary domain doesn't need to worry about trust flags.
1813 Force it to go through the network setup */
1814 if ( domain->primary ) {
1815 return False;
1816 }
1817
1818 our_domain = find_our_domain();
1819
1820 if ( !connection_ok(our_domain) ) {
1821 DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));
1822 return False;
1823 }
1824
1825 /* This won't work unless our domain is AD */
1826
1827 if ( !our_domain->active_directory ) {
1828 return False;
1829 }
1830
1831 /* Use DsEnumerateDomainTrusts to get us the trust direction
1832 and type */
1833
1834 result = cm_connect_netlogon(our_domain, &cli);
1835
1836 if (!NT_STATUS_IS_OK(result)) {
1837 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
1838 "a connection to %s for PIPE_NETLOGON (%s)\n",
1839 domain->name, nt_errstr(result)));
1840 return False;
1841 }
1842
1843 b = cli->binding_handle;
1844
1845 if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
1846 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
1847 return False;
1848 }
1849
1850 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
1851 cli->desthost,
1852 flags,
1853 &trusts,
1854 &werr);
1855 if (!NT_STATUS_IS_OK(result)) {
1856 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
1857 "failed to query trusted domain list: %s\n",
1858 nt_errstr(result)));
1859 talloc_destroy(mem_ctx);
1860 return false;
1861 }
1862 if (!W_ERROR_IS_OK(werr)) {
1863 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
1864 "failed to query trusted domain list: %s\n",
1865 win_errstr(werr)));
1866 talloc_destroy(mem_ctx);
1867 return false;
1868 }
1869
1870 /* Now find the domain name and get the flags */
1871
1872 for ( i=0; i<trusts.count; i++ ) {
1873 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
1874 domain->domain_flags = trusts.array[i].trust_flags;
1875 domain->domain_type = trusts.array[i].trust_type;
1876 domain->domain_trust_attribs = trusts.array[i].trust_attributes;
1877
1878 if ( domain->domain_type == NETR_TRUST_TYPE_UPLEVEL )
1879 domain->active_directory = True;
1880
1881 /* This flag is only set if the domain is *our*
1882 primary domain and the primary domain is in
1883 native mode */
1884
1885 domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
1886
1887 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
1888 "native mode.\n", domain->name,
1889 domain->native_mode ? "" : "NOT "));
1890
1891 DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
1892 "running active directory.\n", domain->name,
1893 domain->active_directory ? "" : "NOT "));
1894
1895 domain->can_do_ncacn_ip_tcp = domain->active_directory;
1896 domain->can_do_validation6 = domain->active_directory;
1897
1898 domain->initialized = True;
1899
1900 break;
1901 }
1902 }
1903
1904 talloc_destroy( mem_ctx );
1905
1906 return domain->initialized;
1907 }
1908
1909 /******************************************************************************
1910 We can 'sense' certain things about the DC by it's replies to certain
1911 questions.
1912
1913 This tells us if this particular remote server is Active Directory, and if it
1914 is native mode.
1915 ******************************************************************************/
1916
1917 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
1918 {
1919 NTSTATUS status, result;
1920 WERROR werr;
1921 TALLOC_CTX *mem_ctx = NULL;
1922 struct rpc_pipe_client *cli = NULL;
1923 struct policy_handle pol;
1924 union dssetup_DsRoleInfo info;
1925 union lsa_PolicyInformation *lsa_info = NULL;
1926
1927 if (!connection_ok(domain)) {
1928 return;
1929 }
1930
1931 mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
1932 domain->name);
1933 if (!mem_ctx) {
1934 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
1935 return;
1936 }
1937
1938 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
1939
1940 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
1941 &ndr_table_dssetup.syntax_id,
1942 &cli);
1943
1944 if (!NT_STATUS_IS_OK(status)) {
1945 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1946 "PI_DSSETUP on domain %s: (%s)\n",
1947 domain->name, nt_errstr(status)));
1948
1949 /* if this is just a non-AD domain we need to continue
1950 * identifying so that we can in the end return with
1951 * domain->initialized = True - gd */
1952
1953 goto no_dssetup;
1954 }
1955
1956 status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx,
1957 DS_ROLE_BASIC_INFORMATION,
1958 &info,
1959 &werr);
1960 TALLOC_FREE(cli);
1961
1962 if (NT_STATUS_IS_OK(status)) {
1963 result = werror_to_ntstatus(werr);
1964 }
1965 if (!NT_STATUS_IS_OK(status)) {
1966 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
1967 "on domain %s failed: (%s)\n",
1968 domain->name, nt_errstr(status)));
1969
1970 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
1971 * every opcode on the DSSETUP pipe, continue with
1972 * no_dssetup mode here as well to get domain->initialized
1973 * set - gd */
1974
1975 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1976 goto no_dssetup;
1977 }
1978
1979 TALLOC_FREE(mem_ctx);
1980 return;
1981 }
1982
1983 if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
1984 !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
1985 domain->native_mode = True;
1986 } else {
1987 domain->native_mode = False;
1988 }
1989
1990 no_dssetup:
1991 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
1992 &ndr_table_lsarpc.syntax_id, &cli);
1993
1994 if (!NT_STATUS_IS_OK(status)) {
1995 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1996 "PI_LSARPC on domain %s: (%s)\n",
1997 domain->name, nt_errstr(status)));
1998 TALLOC_FREE(cli);
1999 TALLOC_FREE(mem_ctx);
2000 return;
2001 }
2002
2003 status = rpccli_lsa_open_policy2(cli, mem_ctx, True,
2004 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
2005
2006 if (NT_STATUS_IS_OK(status)) {
2007 /* This particular query is exactly what Win2k clients use
2008 to determine that the DC is active directory */
2009 status = dcerpc_lsa_QueryInfoPolicy2(cli->binding_handle, mem_ctx,
2010 &pol,
2011 LSA_POLICY_INFO_DNS,
2012 &lsa_info,
2013 &result);
2014 }
2015
2016 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2017 domain->active_directory = True;
2018
2019 if (lsa_info->dns.name.string) {
2020 fstrcpy(domain->name, lsa_info->dns.name.string);
2021 }
2022
2023 if (lsa_info->dns.dns_domain.string) {
2024 fstrcpy(domain->alt_name,
2025 lsa_info->dns.dns_domain.string);
2026 }
2027
2028 /* See if we can set some domain trust flags about
2029 ourself */
2030
2031 if (lsa_info->dns.dns_forest.string) {
2032 fstrcpy(domain->forest_name,
2033 lsa_info->dns.dns_forest.string);
2034
2035 if (strequal(domain->forest_name, domain->alt_name)) {
2036 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
2037 }
2038 }
2039
2040 if (lsa_info->dns.sid) {
2041 sid_copy(&domain->sid, lsa_info->dns.sid);
2042 }
2043 } else {
2044 domain->active_directory = False;
2045
2046 status = rpccli_lsa_open_policy(cli, mem_ctx, True,
2047 SEC_FLAG_MAXIMUM_ALLOWED,
2048 &pol);
2049
2050 if (!NT_STATUS_IS_OK(status)) {
2051 goto done;
2052 }
2053
2054 status = dcerpc_lsa_QueryInfoPolicy(cli->binding_handle, mem_ctx,
2055 &pol,
2056 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
2057 &lsa_info,
2058 &result);
2059 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2060
2061 if (lsa_info->account_domain.name.string) {
2062 fstrcpy(domain->name,
2063 lsa_info->account_domain.name.string);
2064 }
2065
2066 if (lsa_info->account_domain.sid) {
2067 sid_copy(&domain->sid, lsa_info->account_domain.sid);
2068 }
2069 }
2070 }
2071 done:
2072
2073 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
2074 domain->name, domain->native_mode ? "" : "NOT "));
2075
2076 DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
2077 domain->name, domain->active_directory ? "" : "NOT "));
2078
2079 domain->can_do_ncacn_ip_tcp = domain->active_directory;
2080 domain->can_do_validation6 = domain->active_directory;
2081
2082 TALLOC_FREE(cli);
2083
2084 TALLOC_FREE(mem_ctx);
2085
2086 domain->initialized = True;
2087 }
2088
2089 /**********************************************************************
2090 Set the domain_flags (trust attributes, domain operating modes, etc...
2091 ***********************************************************************/
2092
2093 static void set_dc_type_and_flags( struct winbindd_domain *domain )
2094 {
2095 /* we always have to contact our primary domain */
2096
2097 if ( domain->primary ) {
2098 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
2099 "primary domain\n"));
2100 set_dc_type_and_flags_connect( domain );
2101 return;
2102 }
2103
2104 /* Use our DC to get the information if possible */
2105
2106 if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
2107 /* Otherwise, fallback to contacting the
2108 domain directly */
2109 set_dc_type_and_flags_connect( domain );
2110 }
2111
2112 return;
2113 }
2114
2115
2116
2117 /**********************************************************************
2118 ***********************************************************************/
2119
2120 static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
2121 struct netlogon_creds_CredentialState **ppdc)
2122 {
2123 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2124 struct rpc_pipe_client *netlogon_pipe;
2125
2126 if (lp_client_schannel() == False) {
2127 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2128 }
2129
2130 result = cm_connect_netlogon(domain, &netlogon_pipe);
2131 if (!NT_STATUS_IS_OK(result)) {
2132 return result;
2133 }
2134
2135 /* Return a pointer to the struct netlogon_creds_CredentialState from the
2136 netlogon pipe. */
2137
2138 if (!domain->conn.netlogon_pipe->dc) {
2139 return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
2140 }
2141
2142 *ppdc = domain->conn.netlogon_pipe->dc;
2143 return NT_STATUS_OK;
2144 }
2145
2146 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2147 struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
2148 {
2149 struct winbindd_cm_conn *conn;
2150 NTSTATUS status, result;
2151 struct netlogon_creds_CredentialState *p_creds;
2152 char *machine_password = NULL;
2153 char *machine_account = NULL;
2154 char *domain_name = NULL;
2155
2156 if (sid_check_is_our_sam(&domain->sid)) {
2157 return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
2158 }
2159
2160 status = init_dc_connection_rpc(domain);
2161 if (!NT_STATUS_IS_OK(status)) {
2162 return status;
2163 }
2164
2165 conn = &domain->conn;
2166
2167 if (rpccli_is_connected(conn->samr_pipe)) {
2168 goto done;
2169 }
2170
2171 TALLOC_FREE(conn->samr_pipe);
2172
2173 /*
2174 * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
2175 * sign and sealed pipe using the machine account password by
2176 * preference. If we can't - try schannel, if that fails, try
2177 * anonymous.
2178 */
2179
2180 if ((conn->cli->user_name[0] == '\0') ||
2181 (conn->cli->domain[0] == '\0') ||
2182 (conn->cli->password == NULL || conn->cli->password[0] == '\0'))
2183 {
2184 status = get_trust_creds(domain, &machine_password,
2185 &machine_account, NULL);
2186 if (!NT_STATUS_IS_OK(status)) {
2187 DEBUG(10, ("cm_connect_sam: No no user available for "
2188 "domain %s, trying schannel\n", conn->cli->domain));
2189 goto schannel;
2190 }
2191 domain_name = domain->name;
2192 } else {
2193 machine_password = SMB_STRDUP(conn->cli->password);
2194 machine_account = SMB_STRDUP(conn->cli->user_name);
2195 domain_name = conn->cli->domain;
2196 }
2197
2198 if (!machine_password || !machine_account) {
2199 status = NT_STATUS_NO_MEMORY;
2200 goto done;
2201 }
2202
2203 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2204 authenticated SAMR pipe with sign & seal. */
2205 status = cli_rpc_pipe_open_spnego(conn->cli,
2206 &ndr_table_samr,
2207 NCACN_NP,
2208 GENSEC_OID_NTLMSSP,
2209 DCERPC_AUTH_LEVEL_PRIVACY,
2210 smbXcli_conn_remote_name(conn->cli->conn),
2211 domain_name,
2212 machine_account,
2213 machine_password,
2214 &conn->samr_pipe);
2215
2216 if (!NT_STATUS_IS_OK(status)) {
2217 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2218 "pipe for domain %s using NTLMSSP "
2219 "authenticated pipe: user %s\\%s. Error was "
2220 "%s\n", domain->name, domain_name,
2221 machine_account, nt_errstr(status)));
2222 goto schannel;
2223 }
2224
2225 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2226 "domain %s using NTLMSSP authenticated "
2227 "pipe: user %s\\%s\n", domain->name,
2228 domain_name, machine_account));
2229
2230 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2231 conn->samr_pipe->desthost,
2232 SEC_FLAG_MAXIMUM_ALLOWED,
2233 &conn->sam_connect_handle,
2234 &result);
2235 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2236 goto open_domain;
2237 }
2238 if (NT_STATUS_IS_OK(status)) {
2239 status = result;
2240 }
2241
2242 DEBUG(10,("cm_connect_sam: ntlmssp-sealed dcerpc_samr_Connect2 "
2243 "failed for domain %s, error was %s. Trying schannel\n",
2244 domain->name, nt_errstr(status) ));
2245 TALLOC_FREE(conn->samr_pipe);
2246
2247 schannel:
2248
2249 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2250
2251 status = cm_get_schannel_creds(domain, &p_creds);
2252 if (!NT_STATUS_IS_OK(status)) {
2253 /* If this call fails - conn->cli can now be NULL ! */
2254 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2255 "for domain %s (error %s), trying anon\n",
2256 domain->name,
2257 nt_errstr(status) ));
2258 goto anonymous;
2259 }
2260 status = cli_rpc_pipe_open_schannel_with_key
2261 (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
2262 DCERPC_AUTH_LEVEL_PRIVACY,
2263 domain->name, &p_creds, &conn->samr_pipe);
2264
2265 if (!NT_STATUS_IS_OK(status)) {
2266 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2267 "domain %s using schannel. Error was %s\n",
2268 domain->name, nt_errstr(status) ));
2269 goto anonymous;
2270 }
2271 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2272 "schannel.\n", domain->name ));
2273
2274 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2275 conn->samr_pipe->desthost,
2276 SEC_FLAG_MAXIMUM_ALLOWED,
2277 &conn->sam_connect_handle,
2278 &result);
2279 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2280 goto open_domain;
2281 }
2282 if (NT_STATUS_IS_OK(status)) {
2283 status = result;
2284 }
2285 DEBUG(10,("cm_connect_sam: schannel-sealed dcerpc_samr_Connect2 failed "
2286 "for domain %s, error was %s. Trying anonymous\n",
2287 domain->name, nt_errstr(status) ));
2288 TALLOC_FREE(conn->samr_pipe);
2289
2290 anonymous:
2291
2292 /* Finally fall back to anonymous. */
2293 status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
2294 &conn->samr_pipe);
2295
2296 if (!NT_STATUS_IS_OK(status)) {
2297 goto done;
2298 }
2299
2300 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2301 conn->samr_pipe->desthost,
2302 SEC_FLAG_MAXIMUM_ALLOWED,
2303 &conn->sam_connect_handle,
2304 &result);
2305 if (!NT_STATUS_IS_OK(status)) {
2306 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2307 "for domain %s Error was %s\n",
2308 domain->name, nt_errstr(status) ));
2309 goto done;
2310 }
2311 if (!NT_STATUS_IS_OK(result)) {
2312 status = result;
2313 DEBUG(10,("cm_connect_sam: dcerpc_samr_Connect2 failed "
2314 "for domain %s Error was %s\n",
2315 domain->name, nt_errstr(result)));
2316 goto done;
2317 }
2318
2319 open_domain:
2320 status = dcerpc_samr_OpenDomain(conn->samr_pipe->binding_handle,
2321 mem_ctx,
2322 &conn->sam_connect_handle,
2323 SEC_FLAG_MAXIMUM_ALLOWED,
2324 &domain->sid,
2325 &conn->sam_domain_handle,
2326 &result);
2327 if (!NT_STATUS_IS_OK(status)) {
2328 goto done;
2329 }
2330
2331 status = result;
2332 done:
2333
2334 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
2335 /*
2336 * if we got access denied, we might just have no access rights
2337 * to talk to the remote samr server server (e.g. when we are a
2338 * PDC and we are connecting a w2k8 pdc via an interdomain
2339 * trust). In that case do not invalidate the whole connection
2340 * stack
2341 */
2342 TALLOC_FREE(conn->samr_pipe);
2343 ZERO_STRUCT(conn->sam_domain_handle);
2344 return status;
2345 } else if (!NT_STATUS_IS_OK(status)) {
2346 invalidate_cm_connection(conn);
2347 return status;
2348 }
2349
2350 *cli = conn->samr_pipe;
2351 *sam_handle = conn->sam_domain_handle;
2352 SAFE_FREE(machine_password);
2353 SAFE_FREE(machine_account);
2354 return status;
2355 }
2356
2357 /**********************************************************************
2358 open an schanneld ncacn_ip_tcp connection to LSA
2359 ***********************************************************************/
2360
2361 NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
2362 TALLOC_CTX *mem_ctx,
2363 struct rpc_pipe_client **cli)
2364 {
2365 struct winbindd_cm_conn *conn;
2366 struct netlogon_creds_CredentialState *creds;
2367 NTSTATUS status;
2368
2369 DEBUG(10,("cm_connect_lsa_tcp\n"));
2370
2371 status = init_dc_connection_rpc(domain);
2372 if (!NT_STATUS_IS_OK(status)) {
2373 return status;
2374 }
2375
2376 conn = &domain->conn;
2377
2378 if (conn->lsa_pipe_tcp &&
2379 conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
2380 conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
2381 rpccli_is_connected(conn->lsa_pipe_tcp)) {
2382 goto done;
2383 }
2384
2385 TALLOC_FREE(conn->lsa_pipe_tcp);
2386
2387 status = cm_get_schannel_creds(domain, &creds);
2388 if (!NT_STATUS_IS_OK(status)) {
2389 goto done;
2390 }
2391
2392 status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
2393 &ndr_table_lsarpc.syntax_id,
2394 NCACN_IP_TCP,
2395 DCERPC_AUTH_LEVEL_PRIVACY,
2396 domain->name,
2397 &creds,
2398 &conn->lsa_pipe_tcp);
2399 if (!NT_STATUS_IS_OK(status)) {
2400 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
2401 nt_errstr(status)));
2402 goto done;
2403 }
2404
2405 done:
2406 if (!NT_STATUS_IS_OK(status)) {
2407 TALLOC_FREE(conn->lsa_pipe_tcp);
2408 return status;
2409 }
2410
2411 *cli = conn->lsa_pipe_tcp;
2412
2413 return status;
2414 }
2415
2416 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2417 struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
2418 {
2419 struct winbindd_cm_conn *conn;
2420 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2421 struct netlogon_creds_CredentialState *p_creds;
2422
2423 result = init_dc_connection_rpc(domain);
2424 if (!NT_STATUS_IS_OK(result))
2425 return result;
2426
2427 conn = &domain->conn;
2428
2429 if (rpccli_is_connected(conn->lsa_pipe)) {
2430 goto done;
2431 }
2432
2433 TALLOC_FREE(conn->lsa_pipe);
2434
2435 if ((conn->cli->user_name[0] == '\0') ||
2436 (conn->cli->domain[0] == '\0') ||
2437 (conn->cli->password == NULL || conn->cli->password[0] == '\0')) {
2438 DEBUG(10, ("cm_connect_lsa: No no user available for "
2439 "domain %s, trying schannel\n", conn->cli->domain));
2440 goto schannel;
2441 }
2442
2443 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2444 * authenticated LSA pipe with sign & seal. */
2445 result = cli_rpc_pipe_open_spnego
2446 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
2447 GENSEC_OID_NTLMSSP,
2448 DCERPC_AUTH_LEVEL_PRIVACY,
2449 smbXcli_conn_remote_name(conn->cli->conn),
2450 conn->cli->domain, conn->cli->user_name, conn->cli->password,
2451 &conn->lsa_pipe);
2452
2453 if (!NT_STATUS_IS_OK(result)) {
2454 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2455 "domain %s using NTLMSSP authenticated pipe: user "
2456 "%s\\%s. Error was %s. Trying schannel.\n",
2457 domain->name, conn->cli->domain,
2458 conn->cli->user_name, nt_errstr(result)));
2459 goto schannel;
2460 }
2461
2462 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2463 "NTLMSSP authenticated pipe: user %s\\%s\n",
2464 domain->name, conn->cli->domain, conn->cli->user_name ));
2465
2466 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2467 SEC_FLAG_MAXIMUM_ALLOWED,
2468 &conn->lsa_policy);
2469 if (NT_STATUS_IS_OK(result)) {
2470 goto done;
2471 }
2472
2473 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2474 "schannel\n"));
2475
2476 TALLOC_FREE(conn->lsa_pipe);
2477
2478 schannel:
2479
2480 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2481
2482 result = cm_get_schannel_creds(domain, &p_creds);
2483 if (!NT_STATUS_IS_OK(result)) {
2484 /* If this call fails - conn->cli can now be NULL ! */
2485 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2486 "for domain %s (error %s), trying anon\n",
2487 domain->name,
2488 nt_errstr(result) ));
2489 goto anonymous;
2490 }
2491 result = cli_rpc_pipe_open_schannel_with_key
2492 (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
2493 DCERPC_AUTH_LEVEL_PRIVACY,
2494 domain->name, &p_creds, &conn->lsa_pipe);
2495
2496 if (!NT_STATUS_IS_OK(result)) {
2497 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2498 "domain %s using schannel. Error was %s\n",
2499 domain->name, nt_errstr(result) ));
2500 goto anonymous;
2501 }
2502 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2503 "schannel.\n", domain->name ));
2504
2505 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2506 SEC_FLAG_MAXIMUM_ALLOWED,
2507 &conn->lsa_policy);
2508 if (NT_STATUS_IS_OK(result)) {
2509 goto done;
2510 }
2511
2512 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2513 "anonymous\n"));
2514
2515 TALLOC_FREE(conn->lsa_pipe);
2516
2517 anonymous:
2518
2519 result = cli_rpc_pipe_open_noauth(conn->cli,
2520 &ndr_table_lsarpc.syntax_id,
2521 &conn->lsa_pipe);
2522 if (!NT_STATUS_IS_OK(result)) {
2523 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2524 goto done;
2525 }
2526
2527 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2528 SEC_FLAG_MAXIMUM_ALLOWED,
2529 &conn->lsa_policy);
2530 done:
2531 if (!NT_STATUS_IS_OK(result)) {
2532 invalidate_cm_connection(conn);
2533 return result;
2534 }
2535
2536 *cli = conn->lsa_pipe;
2537 *lsa_policy = conn->lsa_policy;
2538 return result;
2539 }
2540
2541 /****************************************************************************
2542 Open the netlogon pipe to this DC. Use schannel if specified in client conf.
2543 session key stored in conn->netlogon_pipe->dc->sess_key.
2544 ****************************************************************************/
2545
2546 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2547 struct rpc_pipe_client **cli)
2548 {
2549 struct winbindd_cm_conn *conn;
2550 NTSTATUS result;
2551
2552 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2553 uint8 mach_pwd[16];
2554 enum netr_SchannelType sec_chan_type;
2555 const char *account_name;
2556 struct rpc_pipe_client *netlogon_pipe = NULL;
2557
2558 *cli = NULL;
2559
2560 result = init_dc_connection_rpc(domain);
2561 if (!NT_STATUS_IS_OK(result)) {
2562 return result;
2563 }
2564
2565 conn = &domain->conn;
2566
2567 if (rpccli_is_connected(conn->netlogon_pipe)) {
2568 *cli = conn->netlogon_pipe;
2569 return NT_STATUS_OK;
2570 }
2571
2572 TALLOC_FREE(conn->netlogon_pipe);
2573
2574 result = cli_rpc_pipe_open_noauth(conn->cli,
2575 &ndr_table_netlogon.syntax_id,
2576 &netlogon_pipe);
2577 if (!NT_STATUS_IS_OK(result)) {
2578 return result;
2579 }
2580
2581 if ((!IS_DC) && (!domain->primary)) {
2582 /* Clear the schannel request bit and drop down */
2583 neg_flags &= ~NETLOGON_NEG_SCHANNEL;
2584 goto no_schannel;
2585 }
2586
2587 if (lp_client_schannel() != False) {
2588 neg_flags |= NETLOGON_NEG_SCHANNEL;
2589 }
2590
2591 if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
2592 &sec_chan_type))
2593 {
2594 TALLOC_FREE(netlogon_pipe);
2595 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2596 }
2597
2598 result = rpccli_netlogon_setup_creds(
2599 netlogon_pipe,
2600 domain->dcname, /* server name. */
2601 domain->name, /* domain name */
2602 lp_netbios_name(), /* client name */
2603 account_name, /* machine account */
2604 mach_pwd, /* machine password */
2605 sec_chan_type, /* from get_trust_pw */
2606 &neg_flags);
2607
2608 if (!NT_STATUS_IS_OK(result)) {
2609 TALLOC_FREE(netlogon_pipe);
2610 return result;
2611 }
2612
2613 if ((lp_client_schannel() == True) &&
2614 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2615 DEBUG(3, ("Server did not offer schannel\n"));
2616 TALLOC_FREE(netlogon_pipe);
2617 return NT_STATUS_ACCESS_DENIED;
2618 }
2619
2620 no_schannel:
2621 if ((lp_client_schannel() == False) ||
2622 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2623 /*
2624 * NetSamLogonEx only works for schannel
2625 */
2626 domain->can_do_samlogon_ex = False;
2627
2628 /* We're done - just keep the existing connection to NETLOGON
2629 * open */
2630 conn->netlogon_pipe = netlogon_pipe;
2631 *cli = conn->netlogon_pipe;
2632 return NT_STATUS_OK;
2633 }
2634
2635 /* Using the credentials from the first pipe, open a signed and sealed
2636 second netlogon pipe. The session key is stored in the schannel
2637 part of the new pipe auth struct.
2638 */
2639
2640 result = cli_rpc_pipe_open_schannel_with_key(
2641 conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
2642 DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
2643 &conn->netlogon_pipe);
2644
2645 /* We can now close the initial netlogon pipe. */
2646 TALLOC_FREE(netlogon_pipe);
2647
2648 if (!NT_STATUS_IS_OK(result)) {
2649 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
2650 "was %s\n", nt_errstr(result)));
2651
2652 invalidate_cm_connection(conn);
2653 return result;
2654 }
2655
2656 /*
2657 * Always try netr_LogonSamLogonEx. We will fall back for NT4
2658 * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
2659 * supported). We used to only try SamLogonEx for AD, but
2660 * Samba DCs can also do it. And because we don't distinguish
2661 * between Samba and NT4, always try it once.
2662 */
2663 domain->can_do_samlogon_ex = true;
2664
2665 *cli = conn->netlogon_pipe;
2666 return NT_STATUS_OK;
2667 }
2668
2669 void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
2670 void *private_data,
2671 uint32_t msg_type,
2672 struct server_id server_id,
2673 DATA_BLOB *data)
2674 {
2675 struct winbindd_domain *domain;
2676 char *freeit = NULL;
2677 char *addr;
2678
2679 if ((data == NULL)
2680 || (data->data == NULL)
2681 || (data->length == 0)
2682 || (data->data[data->length-1] != '\0')) {
2683 DEBUG(1, ("invalid msg_ip_dropped message: not a valid "
2684 "string\n"));
2685 return;
2686 }
2687
2688 addr = (char *)data->data;
2689 DEBUG(10, ("IP %s dropped\n", addr));
2690
2691 if (!is_ipaddress(addr)) {
2692 char *slash;
2693 /*
2694 * Some code sends us ip addresses with the /netmask
2695 * suffix
2696 */
2697 slash = strchr(addr, '/');
2698 if (slash == NULL) {
2699 DEBUG(1, ("invalid msg_ip_dropped message: %s",
2700 addr));
2701 return;
2702 }
2703 freeit = talloc_strndup(talloc_tos(), addr, slash-addr);
2704 if (freeit == NULL) {
2705 DEBUG(1, ("talloc failed\n"));
2706 return;
2707 }
2708 addr = freeit;
2709 DEBUG(10, ("Stripped /netmask to IP %s\n", addr));
2710 }
2711
2712 for (domain = domain_list(); domain != NULL; domain = domain->next) {
2713 char sockaddr[INET6_ADDRSTRLEN];
2714
2715 if (!cli_state_is_connected(domain->conn.cli)) {
2716 continue;
2717 }
2718
2719 print_sockaddr(sockaddr, sizeof(sockaddr),
2720 smbXcli_conn_local_sockaddr(domain->conn.cli->conn));
2721
2722 if (strequal(sockaddr, addr)) {
2723 smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
2724 }
2725 }
2726 TALLOC_FREE(freeit);
2727 }
Samba GIT mirror