search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Allow reinit_after_fork to be called safely from within swat and other binaries that...
[Samba.git] / source / winbindd / winbindd_cm.c
bloba139b32f2d42e28ebb2967a873cb7845c61768a1
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon connection manager
5
6 Copyright (C) Tim Potter 2001
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Gerald (Jerry) Carter 2003-2005.
9 Copyright (C) Volker Lendecke 2004-2005
10 Copyright (C) Jeremy Allison 2006
11
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27 We need to manage connections to domain controllers without having to
28 mess up the main winbindd code with other issues. The aim of the
29 connection manager is to:
30
31 - make connections to domain controllers and cache them
32 - re-establish connections when networks or servers go down
33 - centralise the policy on connection timeouts, domain controller
34 selection etc
35 - manage re-entrancy for when winbindd becomes able to handle
36 multiple outstanding rpc requests
37
38 Why not have connection management as part of the rpc layer like tng?
39 Good question. This code may morph into libsmb/rpc_cache.c or something
40 like that but at the moment it's simply staying as part of winbind. I
41 think the TNG architecture of forcing every user of the rpc layer to use
42 the connection caching system is a bad idea. It should be an optional
43 method of using the routines.
44
45 The TNG design is quite good but I disagree with some aspects of the
46 implementation. -tpot
47
48 */
49
50 /*
51 TODO:
52
53 - I'm pretty annoyed by all the make_nmb_name() stuff. It should be
54 moved down into another function.
55
56 - Take care when destroying cli_structs as they can be shared between
57 various sam handles.
58
59 */
60
61 #include "includes.h"
62 #include "winbindd.h"
63
64 #undef DBGC_CLASS
65 #define DBGC_CLASS DBGC_WINBIND
66
67 struct dc_name_ip {
68 fstring name;
69 struct sockaddr_storage ss;
70 };
71
72 extern struct winbindd_methods reconnect_methods;
73 extern bool override_logfile;
74
75 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
76 static void set_dc_type_and_flags( struct winbindd_domain *domain );
77 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
78 struct dc_name_ip **dcs, int *num_dcs);
79
80 /****************************************************************
81 Child failed to find DC's. Reschedule check.
82 ****************************************************************/
83
84 static void msg_failed_to_go_online(struct messaging_context *msg,
85 void *private_data,
86 uint32_t msg_type,
87 struct server_id server_id,
88 DATA_BLOB *data)
89 {
90 struct winbindd_domain *domain;
91 const char *domainname = (const char *)data->data;
92
93 if (data->data == NULL || data->length == 0) {
94 return;
95 }
96
97 DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
98
99 for (domain = domain_list(); domain; domain = domain->next) {
100 if (domain->internal) {
101 continue;
102 }
103
104 if (strequal(domain->name, domainname)) {
105 if (domain->online) {
106 /* We're already online, ignore. */
107 DEBUG(5,("msg_fail_to_go_online: domain %s "
108 "already online.\n", domainname));
109 continue;
110 }
111
112 /* Reschedule the online check. */
113 set_domain_offline(domain);
114 break;
115 }
116 }
117 }
118
119 /****************************************************************
120 Actually cause a reconnect from a message.
121 ****************************************************************/
122
123 static void msg_try_to_go_online(struct messaging_context *msg,
124 void *private_data,
125 uint32_t msg_type,
126 struct server_id server_id,
127 DATA_BLOB *data)
128 {
129 struct winbindd_domain *domain;
130 const char *domainname = (const char *)data->data;
131
132 if (data->data == NULL || data->length == 0) {
133 return;
134 }
135
136 DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
137
138 for (domain = domain_list(); domain; domain = domain->next) {
139 if (domain->internal) {
140 continue;
141 }
142
143 if (strequal(domain->name, domainname)) {
144
145 if (domain->online) {
146 /* We're already online, ignore. */
147 DEBUG(5,("msg_try_to_go_online: domain %s "
148 "already online.\n", domainname));
149 continue;
150 }
151
152 /* This call takes care of setting the online
153 flag to true if we connected, or re-adding
154 the offline handler if false. Bypasses online
155 check so always does network calls. */
156
157 init_dc_connection_network(domain);
158 break;
159 }
160 }
161 }
162
163 /****************************************************************
164 Fork a child to try and contact a DC. Do this as contacting a
165 DC requires blocking lookups and we don't want to block our
166 parent.
167 ****************************************************************/
168
169 static bool fork_child_dc_connect(struct winbindd_domain *domain)
170 {
171 struct dc_name_ip *dcs = NULL;
172 int num_dcs = 0;
173 TALLOC_CTX *mem_ctx = NULL;
174 pid_t child_pid;
175 pid_t parent_pid = sys_getpid();
176 char *lfile = NULL;
177
178 /* Stop zombies */
179 CatchChild();
180
181 child_pid = sys_fork();
182
183 if (child_pid == -1) {
184 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
185 return False;
186 }
187
188 if (child_pid != 0) {
189 /* Parent */
190 messaging_register(winbind_messaging_context(), NULL,
191 MSG_WINBIND_TRY_TO_GO_ONLINE,
192 msg_try_to_go_online);
193 messaging_register(winbind_messaging_context(), NULL,
194 MSG_WINBIND_FAILED_TO_GO_ONLINE,
195 msg_failed_to_go_online);
196 return True;
197 }
198
199 /* Child. */
200
201 /* Leave messages blocked - we will never process one. */
202
203 if (!override_logfile) {
204 if (asprintf(&lfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) == -1) {
205 DEBUG(0, ("fork_child_dc_connect: out of memory!\n"));
206 _exit(1);
207 }
208 }
209
210 if (!winbindd_reinit_after_fork(lfile)) {
211 DEBUG(0,("reinit_after_fork() failed\n"));
212 messaging_send_buf(winbind_messaging_context(),
213 pid_to_procid(parent_pid),
214 MSG_WINBIND_FAILED_TO_GO_ONLINE,
215 (uint8 *)domain->name,
216 strlen(domain->name) + 1);
217 _exit(1);
218 }
219
220 SAFE_FREE(lfile);
221
222 mem_ctx = talloc_init("fork_child_dc_connect");
223 if (!mem_ctx) {
224 DEBUG(0,("talloc_init failed.\n"));
225 _exit(1);
226 }
227
228 if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
229 /* Still offline ? Can't find DC's. */
230 messaging_send_buf(winbind_messaging_context(),
231 pid_to_procid(parent_pid),
232 MSG_WINBIND_FAILED_TO_GO_ONLINE,
233 (uint8 *)domain->name,
234 strlen(domain->name)+1);
235 _exit(0);
236 }
237
238 /* We got a DC. Send a message to our parent to get it to
239 try and do the same. */
240
241 messaging_send_buf(winbind_messaging_context(),
242 pid_to_procid(parent_pid),
243 MSG_WINBIND_TRY_TO_GO_ONLINE,
244 (uint8 *)domain->name,
245 strlen(domain->name)+1);
246 _exit(0);
247 }
248
249 /****************************************************************
250 Handler triggered if we're offline to try and detect a DC.
251 ****************************************************************/
252
253 static void check_domain_online_handler(struct event_context *ctx,
254 struct timed_event *te,
255 const struct timeval *now,
256 void *private_data)
257 {
258 struct winbindd_domain *domain =
259 (struct winbindd_domain *)private_data;
260
261 DEBUG(10,("check_domain_online_handler: called for domain "
262 "%s (online = %s)\n", domain->name,
263 domain->online ? "True" : "False" ));
264
265 TALLOC_FREE(domain->check_online_event);
266
267 /* Are we still in "startup" mode ? */
268
269 if (domain->startup && (now->tv_sec > domain->startup_time + 30)) {
270 /* No longer in "startup" mode. */
271 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
272 domain->name ));
273 domain->startup = False;
274 }
275
276 /* We've been told to stay offline, so stay
277 that way. */
278
279 if (get_global_winbindd_state_offline()) {
280 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
281 domain->name ));
282 return;
283 }
284
285 /* Fork a child to test if it can contact a DC.
286 If it can then send ourselves a message to
287 cause a reconnect. */
288
289 fork_child_dc_connect(domain);
290 }
291
292 /****************************************************************
293 If we're still offline setup the timeout check.
294 ****************************************************************/
295
296 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
297 {
298 int wbc = lp_winbind_cache_time();
299
300 if (domain->startup) {
301 domain->check_online_timeout = 10;
302 } else if (domain->check_online_timeout < wbc) {
303 domain->check_online_timeout = wbc;
304 }
305 }
306
307 /****************************************************************
308 Set domain offline and also add handler to put us back online
309 if we detect a DC.
310 ****************************************************************/
311
312 void set_domain_offline(struct winbindd_domain *domain)
313 {
314 DEBUG(10,("set_domain_offline: called for domain %s\n",
315 domain->name ));
316
317 TALLOC_FREE(domain->check_online_event);
318
319 if (domain->internal) {
320 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
321 domain->name ));
322 return;
323 }
324
325 domain->online = False;
326
327 /* Offline domains are always initialized. They're
328 re-initialized when they go back online. */
329
330 domain->initialized = True;
331
332 /* We only add the timeout handler that checks and
333 allows us to go back online when we've not
334 been told to remain offline. */
335
336 if (get_global_winbindd_state_offline()) {
337 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
338 domain->name ));
339 return;
340 }
341
342 /* If we're in statup mode, check again in 10 seconds, not in
343 lp_winbind_cache_time() seconds (which is 5 mins by default). */
344
345 calc_new_online_timeout_check(domain);
346
347 domain->check_online_event = event_add_timed(winbind_event_context(),
348 NULL,
349 timeval_current_ofs(domain->check_online_timeout,0),
350 "check_domain_online_handler",
351 check_domain_online_handler,
352 domain);
353
354 /* The above *has* to succeed for winbindd to work. */
355 if (!domain->check_online_event) {
356 smb_panic("set_domain_offline: failed to add online handler");
357 }
358
359 DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
360 domain->name ));
361
362 /* Send an offline message to the idmap child when our
363 primary domain goes offline */
364
365 if ( domain->primary ) {
366 struct winbindd_child *idmap = idmap_child();
367
368 if ( idmap->pid != 0 ) {
369 messaging_send_buf(winbind_messaging_context(),
370 pid_to_procid(idmap->pid),
371 MSG_WINBIND_OFFLINE,
372 (uint8 *)domain->name,
373 strlen(domain->name)+1);
374 }
375 }
376
377 return;
378 }
379
380 /****************************************************************
381 Set domain online - if allowed.
382 ****************************************************************/
383
384 void ccache_regain_all_now(void);
385
386 static void set_domain_online(struct winbindd_domain *domain)
387 {
388
389 DEBUG(10,("set_domain_online: called for domain %s\n",
390 domain->name ));
391
392 if (domain->internal) {
393 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
394 domain->name ));
395 return;
396 }
397
398 if (get_global_winbindd_state_offline()) {
399 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
400 domain->name ));
401 return;
402 }
403
404 winbindd_set_locator_kdc_envs(domain);
405
406 /* If we are waiting to get a krb5 ticket, trigger immediately. */
407 ccache_regain_all_now();
408
409 /* Ok, we're out of any startup mode now... */
410 domain->startup = False;
411
412 if (domain->online == False) {
413 /* We were offline - now we're online. We default to
414 using the MS-RPC backend if we started offline,
415 and if we're going online for the first time we
416 should really re-initialize the backends and the
417 checks to see if we're talking to an AD or NT domain.
418 */
419
420 domain->initialized = False;
421
422 /* 'reconnect_methods' is the MS-RPC backend. */
423 if (domain->backend == &reconnect_methods) {
424 domain->backend = NULL;
425 }
426 }
427
428 /* Ensure we have no online timeout checks. */
429 domain->check_online_timeout = 0;
430 TALLOC_FREE(domain->check_online_event);
431
432 /* Ensure we ignore any pending child messages. */
433 messaging_deregister(winbind_messaging_context(),
434 MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
435 messaging_deregister(winbind_messaging_context(),
436 MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
437
438 domain->online = True;
439
440 /* Send an online message to the idmap child when our
441 primary domain comes online */
442
443 if ( domain->primary ) {
444 struct winbindd_child *idmap = idmap_child();
445
446 if ( idmap->pid != 0 ) {
447 messaging_send_buf(winbind_messaging_context(),
448 pid_to_procid(idmap->pid),
449 MSG_WINBIND_ONLINE,
450 (uint8 *)domain->name,
451 strlen(domain->name)+1);
452 }
453 }
454
455 return;
456 }
457
458 /****************************************************************
459 Requested to set a domain online.
460 ****************************************************************/
461
462 void set_domain_online_request(struct winbindd_domain *domain)
463 {
464 struct timeval tev;
465
466 DEBUG(10,("set_domain_online_request: called for domain %s\n",
467 domain->name ));
468
469 if (get_global_winbindd_state_offline()) {
470 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
471 domain->name ));
472 return;
473 }
474
475 /* We've been told it's safe to go online and
476 try and connect to a DC. But I don't believe it
477 because network manager seems to lie.
478 Wait at least 5 seconds. Heuristics suck... */
479
480 GetTimeOfDay(&tev);
481
482 /* Go into "startup" mode again. */
483 domain->startup_time = tev.tv_sec;
484 domain->startup = True;
485
486 tev.tv_sec += 5;
487 if (!domain->check_online_event) {
488 /* If we've come from being globally offline we
489 don't have a check online event handler set.
490 We need to add one now we're trying to go
491 back online. */
492 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
493 domain->name ));
494 }
495
496 TALLOC_FREE(domain->check_online_event);
497
498 domain->check_online_event = event_add_timed(winbind_event_context(),
499 NULL,
500 tev,
501 "check_domain_online_handler",
502 check_domain_online_handler,
503 domain);
504
505 /* The above *has* to succeed for winbindd to work. */
506 if (!domain->check_online_event) {
507 smb_panic("set_domain_online_request: failed to add online handler");
508 }
509 }
510
511 /****************************************************************
512 Add -ve connection cache entries for domain and realm.
513 ****************************************************************/
514
515 void winbind_add_failed_connection_entry(const struct winbindd_domain *domain,
516 const char *server,
517 NTSTATUS result)
518 {
519 add_failed_connection_entry(domain->name, server, result);
520 /* If this was the saf name for the last thing we talked to,
521 remove it. */
522 saf_delete(domain->name);
523 if (*domain->alt_name) {
524 add_failed_connection_entry(domain->alt_name, server, result);
525 saf_delete(domain->alt_name);
526 }
527 winbindd_unset_locator_kdc_env(domain);
528 }
529
530 /* Choose between anonymous or authenticated connections. We need to use
531 an authenticated connection if DCs have the RestrictAnonymous registry
532 entry set > 0, or the "Additional restrictions for anonymous
533 connections" set in the win2k Local Security Policy.
534
535 Caller to free() result in domain, username, password
536 */
537
538 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
539 {
540 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
541 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
542 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
543
544 if (*username && **username) {
545
546 if (!*domain || !**domain)
547 *domain = smb_xstrdup(lp_workgroup());
548
549 if (!*password || !**password)
550 *password = smb_xstrdup("");
551
552 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
553 *domain, *username));
554
555 } else {
556 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
557 *username = smb_xstrdup("");
558 *domain = smb_xstrdup("");
559 *password = smb_xstrdup("");
560 }
561 }
562
563 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
564 fstring dcname,
565 struct sockaddr_storage *dc_ss)
566 {
567 struct winbindd_domain *our_domain = NULL;
568 struct rpc_pipe_client *netlogon_pipe = NULL;
569 NTSTATUS result;
570 WERROR werr;
571 TALLOC_CTX *mem_ctx;
572 unsigned int orig_timeout;
573 const char *tmp = NULL;
574 const char *p;
575
576 /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
577 * moment.... */
578
579 if (IS_DC) {
580 return False;
581 }
582
583 if (domain->primary) {
584 return False;
585 }
586
587 our_domain = find_our_domain();
588
589 if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
590 return False;
591 }
592
593 result = cm_connect_netlogon(our_domain, &netlogon_pipe);
594 if (!NT_STATUS_IS_OK(result)) {
595 talloc_destroy(mem_ctx);
596 return False;
597 }
598
599 /* This call can take a long time - allow the server to time out.
600 35 seconds should do it. */
601
602 orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000);
603
604 if (our_domain->active_directory) {
605 struct netr_DsRGetDCNameInfo *domain_info = NULL;
606
607 result = rpccli_netr_DsRGetDCName(netlogon_pipe,
608 mem_ctx,
609 our_domain->dcname,
610 domain->name,
611 NULL,
612 NULL,
613 DS_RETURN_DNS_NAME,
614 &domain_info,
615 &werr);
616 if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
617 tmp = talloc_strdup(
618 mem_ctx, domain_info->dc_unc);
619 if (tmp == NULL) {
620 DEBUG(0, ("talloc_strdup failed\n"));
621 talloc_destroy(mem_ctx);
622 return false;
623 }
624 if (strlen(domain->alt_name) == 0) {
625 fstrcpy(domain->alt_name,
626 domain_info->domain_name);
627 }
628 if (strlen(domain->forest_name) == 0) {
629 fstrcpy(domain->forest_name,
630 domain_info->forest_name);
631 }
632 }
633 } else {
634 result = rpccli_netr_GetAnyDCName(netlogon_pipe, mem_ctx,
635 our_domain->dcname,
636 domain->name,
637 &tmp,
638 &werr);
639 }
640
641 /* And restore our original timeout. */
642 cli_set_timeout(netlogon_pipe->cli, orig_timeout);
643
644 if (!NT_STATUS_IS_OK(result)) {
645 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
646 nt_errstr(result)));
647 talloc_destroy(mem_ctx);
648 return false;
649 }
650
651 if (!W_ERROR_IS_OK(werr)) {
652 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
653 dos_errstr(werr)));
654 talloc_destroy(mem_ctx);
655 return false;
656 }
657
658 /* rpccli_netr_GetAnyDCName gives us a name with \\ */
659 p = strip_hostname(tmp);
660
661 fstrcpy(dcname, p);
662
663 talloc_destroy(mem_ctx);
664
665 DEBUG(10,("rpccli_netr_GetAnyDCName returned %s\n", dcname));
666
667 if (!resolve_name(dcname, dc_ss, 0x20)) {
668 return False;
669 }
670
671 return True;
672 }
673
674 /**
675 * Helper function to assemble trust password and account name
676 */
677 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
678 char **machine_password,
679 char **machine_account,
680 char **machine_krb5_principal)
681 {
682 const char *account_name;
683 const char *name = NULL;
684
685 /* If we are a DC and this is not our own domain */
686
687 if (IS_DC) {
688 name = domain->name;
689 } else {
690 struct winbindd_domain *our_domain = find_our_domain();
691
692 if (!our_domain)
693 return NT_STATUS_INVALID_SERVER_STATE;
694
695 name = our_domain->name;
696 }
697
698 if (!get_trust_pw_clear(name, machine_password,
699 &account_name, NULL))
700 {
701 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
702 }
703
704 if ((machine_account != NULL) &&
705 (asprintf(machine_account, "%s$", account_name) == -1))
706 {
707 return NT_STATUS_NO_MEMORY;
708 }
709
710 /* For now assume our machine account only exists in our domain */
711
712 if (machine_krb5_principal != NULL)
713 {
714 if (asprintf(machine_krb5_principal, "%s$@%s",
715 account_name, lp_realm()) == -1)
716 {
717 return NT_STATUS_NO_MEMORY;
718 }
719
720 strupper_m(*machine_krb5_principal);
721 }
722
723 return NT_STATUS_OK;
724 }
725
726 /************************************************************************
727 Given a fd with a just-connected TCP connection to a DC, open a connection
728 to the pipe.
729 ************************************************************************/
730
731 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
732 const int sockfd,
733 const char *controller,
734 struct cli_state **cli,
735 bool *retry)
736 {
737 char *machine_password = NULL;
738 char *machine_krb5_principal = NULL;
739 char *machine_account = NULL;
740 char *ipc_username = NULL;
741 char *ipc_domain = NULL;
742 char *ipc_password = NULL;
743
744 struct named_mutex *mutex;
745
746 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
747
748 struct sockaddr peeraddr;
749 socklen_t peeraddr_len;
750
751 struct sockaddr_in *peeraddr_in = (struct sockaddr_in *)&peeraddr;
752
753 DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
754 controller, domain->name ));
755
756 *retry = True;
757
758 mutex = grab_named_mutex(talloc_tos(), controller,
759 WINBIND_SERVER_MUTEX_WAIT_TIME);
760 if (mutex == NULL) {
761 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
762 controller));
763 result = NT_STATUS_POSSIBLE_DEADLOCK;
764 goto done;
765 }
766
767 if ((*cli = cli_initialise()) == NULL) {
768 DEBUG(1, ("Could not cli_initialize\n"));
769 result = NT_STATUS_NO_MEMORY;
770 goto done;
771 }
772
773 (*cli)->timeout = 10000; /* 10 seconds */
774 (*cli)->fd = sockfd;
775 fstrcpy((*cli)->desthost, controller);
776 (*cli)->use_kerberos = True;
777
778 peeraddr_len = sizeof(peeraddr);
779
780 if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0) ||
781 (peeraddr_len != sizeof(struct sockaddr_in)) ||
782 (peeraddr_in->sin_family != PF_INET))
783 {
784 DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
785 result = NT_STATUS_UNSUCCESSFUL;
786 goto done;
787 }
788
789 if (ntohs(peeraddr_in->sin_port) == 139) {
790 struct nmb_name calling;
791 struct nmb_name called;
792
793 make_nmb_name(&calling, global_myname(), 0x0);
794 make_nmb_name(&called, "*SMBSERVER", 0x20);
795
796 if (!cli_session_request(*cli, &calling, &called)) {
797 DEBUG(8, ("cli_session_request failed for %s\n",
798 controller));
799 result = NT_STATUS_UNSUCCESSFUL;
800 goto done;
801 }
802 }
803
804 cli_setup_signing_state(*cli, Undefined);
805
806 if (!cli_negprot(*cli)) {
807 DEBUG(1, ("cli_negprot failed\n"));
808 result = NT_STATUS_UNSUCCESSFUL;
809 goto done;
810 }
811
812 if (!is_trusted_domain_situation(domain->name) &&
813 (*cli)->protocol >= PROTOCOL_NT1 &&
814 (*cli)->capabilities & CAP_EXTENDED_SECURITY)
815 {
816 ADS_STATUS ads_status;
817
818 result = get_trust_creds(domain, &machine_password,
819 &machine_account,
820 &machine_krb5_principal);
821 if (!NT_STATUS_IS_OK(result)) {
822 goto anon_fallback;
823 }
824
825 if (lp_security() == SEC_ADS) {
826
827 /* Try a krb5 session */
828
829 (*cli)->use_kerberos = True;
830 DEBUG(5, ("connecting to %s from %s with kerberos principal "
831 "[%s] and realm [%s]\n", controller, global_myname(),
832 machine_krb5_principal, domain->alt_name));
833
834 winbindd_set_locator_kdc_envs(domain);
835
836 ads_status = cli_session_setup_spnego(*cli,
837 machine_krb5_principal,
838 machine_password,
839 lp_workgroup(),
840 domain->name);
841
842 if (!ADS_ERR_OK(ads_status)) {
843 DEBUG(4,("failed kerberos session setup with %s\n",
844 ads_errstr(ads_status)));
845 }
846
847 result = ads_ntstatus(ads_status);
848 if (NT_STATUS_IS_OK(result)) {
849 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
850 cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
851 goto session_setup_done;
852 }
853 }
854
855 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
856 (*cli)->use_kerberos = False;
857
858 DEBUG(5, ("connecting to %s from %s with username "
859 "[%s]\\[%s]\n", controller, global_myname(),
860 lp_workgroup(), machine_account));
861
862 ads_status = cli_session_setup_spnego(*cli,
863 machine_account,
864 machine_password,
865 lp_workgroup(),
866 NULL);
867 if (!ADS_ERR_OK(ads_status)) {
868 DEBUG(4, ("authenticated session setup failed with %s\n",
869 ads_errstr(ads_status)));
870 }
871
872 result = ads_ntstatus(ads_status);
873 if (NT_STATUS_IS_OK(result)) {
874 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
875 cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
876 goto session_setup_done;
877 }
878 }
879
880 /* Fall back to non-kerberos session setup with auth_user */
881
882 (*cli)->use_kerberos = False;
883
884 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
885
886 if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
887 (strlen(ipc_username) > 0)) {
888
889 /* Only try authenticated if we have a username */
890
891 DEBUG(5, ("connecting to %s from %s with username "
892 "[%s]\\[%s]\n", controller, global_myname(),
893 ipc_domain, ipc_username));
894
895 if (NT_STATUS_IS_OK(cli_session_setup(
896 *cli, ipc_username,
897 ipc_password, strlen(ipc_password)+1,
898 ipc_password, strlen(ipc_password)+1,
899 ipc_domain))) {
900 /* Successful logon with given username. */
901 cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
902 goto session_setup_done;
903 } else {
904 DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
905 ipc_domain, ipc_username ));
906 }
907 }
908
909 anon_fallback:
910
911 /* Fall back to anonymous connection, this might fail later */
912 DEBUG(10,("cm_prepare_connection: falling back to anonymous "
913 "connection for DC %s\n",
914 controller ));
915
916 if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
917 NULL, 0, ""))) {
918 DEBUG(5, ("Connected anonymously\n"));
919 cli_init_creds(*cli, "", "", "");
920 goto session_setup_done;
921 }
922
923 result = cli_nt_error(*cli);
924
925 if (NT_STATUS_IS_OK(result))
926 result = NT_STATUS_UNSUCCESSFUL;
927
928 /* We can't session setup */
929
930 goto done;
931
932 session_setup_done:
933
934 /* cache the server name for later connections */
935
936 saf_store( domain->name, (*cli)->desthost );
937 if (domain->alt_name && (*cli)->use_kerberos) {
938 saf_store( domain->alt_name, (*cli)->desthost );
939 }
940
941 winbindd_set_locator_kdc_envs(domain);
942
943 if (!cli_send_tconX(*cli, "IPC$", "IPC", "", 0)) {
944
945 result = cli_nt_error(*cli);
946
947 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
948
949 if (NT_STATUS_IS_OK(result))
950 result = NT_STATUS_UNSUCCESSFUL;
951
952 goto done;
953 }
954
955 TALLOC_FREE(mutex);
956 *retry = False;
957
958 /* set the domain if empty; needed for schannel connections */
959 if ( !*(*cli)->domain ) {
960 fstrcpy( (*cli)->domain, domain->name );
961 }
962
963 result = NT_STATUS_OK;
964
965 done:
966 TALLOC_FREE(mutex);
967 SAFE_FREE(machine_account);
968 SAFE_FREE(machine_password);
969 SAFE_FREE(machine_krb5_principal);
970 SAFE_FREE(ipc_username);
971 SAFE_FREE(ipc_domain);
972 SAFE_FREE(ipc_password);
973
974 if (!NT_STATUS_IS_OK(result)) {
975 winbind_add_failed_connection_entry(domain, controller, result);
976 if ((*cli) != NULL) {
977 cli_shutdown(*cli);
978 *cli = NULL;
979 }
980 }
981
982 return result;
983 }
984
985 /*******************************************************************
986 Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
987 array.
988
989 Keeps the list unique by not adding duplicate entries.
990
991 @param[in] mem_ctx talloc memory context to allocate from
992 @param[in] domain_name domain of the DC
993 @param[in] dcname name of the DC to add to the list
994 @param[in] pss Internet address and port pair to add to the list
995 @param[in,out] dcs array of dc_name_ip structures to add to
996 @param[in,out] num_dcs number of dcs returned in the dcs array
997 @return true if the list was added to, false otherwise
998 *******************************************************************/
999
1000 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
1001 const char *dcname, struct sockaddr_storage *pss,
1002 struct dc_name_ip **dcs, int *num)
1003 {
1004 int i = 0;
1005
1006 if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
1007 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
1008 return False;
1009 }
1010
1011 /* Make sure there's no duplicates in the list */
1012 for (i=0; i<*num; i++)
1013 if (sockaddr_equal(&(*dcs)[i].ss, pss))
1014 return False;
1015
1016 *dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
1017
1018 if (*dcs == NULL)
1019 return False;
1020
1021 fstrcpy((*dcs)[*num].name, dcname);
1022 (*dcs)[*num].ss = *pss;
1023 *num += 1;
1024 return True;
1025 }
1026
1027 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1028 struct sockaddr_storage *pss, uint16 port,
1029 struct sockaddr_storage **addrs, int *num)
1030 {
1031 *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1032
1033 if (*addrs == NULL) {
1034 *num = 0;
1035 return False;
1036 }
1037
1038 (*addrs)[*num] = *pss;
1039 set_sockaddr_port(&(*addrs)[*num], port);
1040
1041 *num += 1;
1042 return True;
1043 }
1044
1045 /*******************************************************************
1046 convert an ip to a name
1047 *******************************************************************/
1048
1049 static bool dcip_to_name(TALLOC_CTX *mem_ctx,
1050 const struct winbindd_domain *domain,
1051 struct sockaddr_storage *pss,
1052 fstring name )
1053 {
1054 struct ip_service ip_list;
1055 uint32_t nt_version = NETLOGON_VERSION_1;
1056
1057 ip_list.ss = *pss;
1058 ip_list.port = 0;
1059
1060 #ifdef WITH_ADS
1061 /* For active directory servers, try to get the ldap server name.
1062 None of these failures should be considered critical for now */
1063
1064 if (lp_security() == SEC_ADS) {
1065 ADS_STRUCT *ads;
1066 char addr[INET6_ADDRSTRLEN];
1067
1068 print_sockaddr(addr, sizeof(addr), pss);
1069
1070 ads = ads_init(domain->alt_name, domain->name, NULL);
1071 ads->auth.flags |= ADS_AUTH_NO_BIND;
1072
1073 if (ads_try_connect(ads, addr)) {
1074 /* We got a cldap packet. */
1075 fstrcpy(name, ads->config.ldap_server_name);
1076 namecache_store(name, 0x20, 1, &ip_list);
1077
1078 DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1079
1080 if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
1081 if (ads_closest_dc(ads)) {
1082 char *sitename = sitename_fetch(ads->config.realm);
1083
1084 /* We're going to use this KDC for this realm/domain.
1085 If we are using sites, then force the krb5 libs
1086 to use this KDC. */
1087
1088 create_local_private_krb5_conf_for_domain(domain->alt_name,
1089 domain->name,
1090 sitename,
1091 pss);
1092
1093 SAFE_FREE(sitename);
1094 } else {
1095 /* use an off site KDC */
1096 create_local_private_krb5_conf_for_domain(domain->alt_name,
1097 domain->name,
1098 NULL,
1099 pss);
1100 }
1101 winbindd_set_locator_kdc_envs(domain);
1102
1103 /* Ensure we contact this DC also. */
1104 saf_store( domain->name, name);
1105 saf_store( domain->alt_name, name);
1106 }
1107
1108 ads_destroy( &ads );
1109 return True;
1110 }
1111
1112 ads_destroy( &ads );
1113 }
1114 #endif
1115
1116 /* try GETDC requests next */
1117
1118 if (send_getdc_request(mem_ctx, winbind_messaging_context(),
1119 pss, domain->name, &domain->sid,
1120 nt_version)) {
1121 const char *dc_name = NULL;
1122 int i;
1123 smb_msleep(100);
1124 for (i=0; i<5; i++) {
1125 if (receive_getdc_response(mem_ctx, pss, domain->name,
1126 &nt_version,
1127 &dc_name, NULL)) {
1128 fstrcpy(name, dc_name);
1129 namecache_store(name, 0x20, 1, &ip_list);
1130 return True;
1131 }
1132 smb_msleep(500);
1133 }
1134 }
1135
1136 /* try node status request */
1137
1138 if ( name_status_find(domain->name, 0x1c, 0x20, pss, name) ) {
1139 namecache_store(name, 0x20, 1, &ip_list);
1140 return True;
1141 }
1142 return False;
1143 }
1144
1145 /*******************************************************************
1146 Retrieve a list of IP addresses for domain controllers.
1147
1148 The array is sorted in the preferred connection order.
1149
1150 @param[in] mem_ctx talloc memory context to allocate from
1151 @param[in] domain domain to retrieve DCs for
1152 @param[out] dcs array of dcs that will be returned
1153 @param[out] num_dcs number of dcs returned in the dcs array
1154 @return always true
1155 *******************************************************************/
1156
1157 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1158 struct dc_name_ip **dcs, int *num_dcs)
1159 {
1160 fstring dcname;
1161 struct sockaddr_storage ss;
1162 struct ip_service *ip_list = NULL;
1163 int iplist_size = 0;
1164 int i;
1165 bool is_our_domain;
1166 enum security_types sec = (enum security_types)lp_security();
1167
1168 is_our_domain = strequal(domain->name, lp_workgroup());
1169
1170 /* If not our domain, get the preferred DC, by asking our primary DC */
1171 if ( !is_our_domain
1172 && get_dc_name_via_netlogon(domain, dcname, &ss)
1173 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
1174 num_dcs) )
1175 {
1176 char addr[INET6_ADDRSTRLEN];
1177 print_sockaddr(addr, sizeof(addr), &ss);
1178 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1179 dcname, addr));
1180 return True;
1181 }
1182
1183 if (sec == SEC_ADS) {
1184 char *sitename = NULL;
1185
1186 /* We need to make sure we know the local site before
1187 doing any DNS queries, as this will restrict the
1188 get_sorted_dc_list() call below to only fetching
1189 DNS records for the correct site. */
1190
1191 /* Find any DC to get the site record.
1192 We deliberately don't care about the
1193 return here. */
1194
1195 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1196
1197 sitename = sitename_fetch(domain->alt_name);
1198 if (sitename) {
1199
1200 /* Do the site-specific AD dns lookup first. */
1201 get_sorted_dc_list(domain->alt_name, sitename, &ip_list,
1202 &iplist_size, True);
1203
1204 /* Add ips to the DC array. We don't look up the name
1205 of the DC in this function, but we fill in the char*
1206 of the ip now to make the failed connection cache
1207 work */
1208 for ( i=0; i<iplist_size; i++ ) {
1209 char addr[INET6_ADDRSTRLEN];
1210 print_sockaddr(addr, sizeof(addr),
1211 &ip_list[i].ss);
1212 add_one_dc_unique(mem_ctx,
1213 domain->name,
1214 addr,
1215 &ip_list[i].ss,
1216 dcs,
1217 num_dcs);
1218 }
1219
1220 SAFE_FREE(ip_list);
1221 SAFE_FREE(sitename);
1222 iplist_size = 0;
1223 }
1224
1225 /* Now we add DCs from the main AD DNS lookup. */
1226 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1227 &iplist_size, True);
1228
1229 for ( i=0; i<iplist_size; i++ ) {
1230 char addr[INET6_ADDRSTRLEN];
1231 print_sockaddr(addr, sizeof(addr),
1232 &ip_list[i].ss);
1233 add_one_dc_unique(mem_ctx,
1234 domain->name,
1235 addr,
1236 &ip_list[i].ss,
1237 dcs,
1238 num_dcs);
1239 }
1240
1241 SAFE_FREE(ip_list);
1242 iplist_size = 0;
1243 }
1244
1245 /* Try standard netbios queries if no ADS */
1246 if (*num_dcs == 0) {
1247 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
1248 False);
1249
1250 for ( i=0; i<iplist_size; i++ ) {
1251 char addr[INET6_ADDRSTRLEN];
1252 print_sockaddr(addr, sizeof(addr),
1253 &ip_list[i].ss);
1254 add_one_dc_unique(mem_ctx,
1255 domain->name,
1256 addr,
1257 &ip_list[i].ss,
1258 dcs,
1259 num_dcs);
1260 }
1261
1262 SAFE_FREE(ip_list);
1263 iplist_size = 0;
1264 }
1265
1266 return True;
1267 }
1268
1269 /*******************************************************************
1270 Find and make a connection to a DC in the given domain.
1271
1272 @param[in] mem_ctx talloc memory context to allocate from
1273 @param[in] domain domain to find a dc in
1274 @param[out] dcname NetBIOS or FQDN of DC that's connected to
1275 @param[out] pss DC Internet address and port
1276 @param[out] fd fd of the open socket connected to the newly found dc
1277 @return true when a DC connection is made, false otherwise
1278 *******************************************************************/
1279
1280 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1281 struct winbindd_domain *domain,
1282 fstring dcname, struct sockaddr_storage *pss, int *fd)
1283 {
1284 struct dc_name_ip *dcs = NULL;
1285 int num_dcs = 0;
1286
1287 const char **dcnames = NULL;
1288 int num_dcnames = 0;
1289
1290 struct sockaddr_storage *addrs = NULL;
1291 int num_addrs = 0;
1292
1293 int i, fd_index;
1294
1295 *fd = -1;
1296
1297 again:
1298 if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1299 return False;
1300
1301 for (i=0; i<num_dcs; i++) {
1302
1303 if (!add_string_to_array(mem_ctx, dcs[i].name,
1304 &dcnames, &num_dcnames)) {
1305 return False;
1306 }
1307 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 445,
1308 &addrs, &num_addrs)) {
1309 return False;
1310 }
1311
1312 if (!add_string_to_array(mem_ctx, dcs[i].name,
1313 &dcnames, &num_dcnames)) {
1314 return False;
1315 }
1316 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 139,
1317 &addrs, &num_addrs)) {
1318 return False;
1319 }
1320 }
1321
1322 if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1323 return False;
1324
1325 if ((addrs == NULL) || (dcnames == NULL))
1326 return False;
1327
1328 /* 5 second timeout. */
1329 if (!open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) {
1330 for (i=0; i<num_dcs; i++) {
1331 char ab[INET6_ADDRSTRLEN];
1332 print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1333 DEBUG(10, ("find_new_dc: open_any_socket_out failed for "
1334 "domain %s address %s. Error was %s\n",
1335 domain->name, ab, strerror(errno) ));
1336 winbind_add_failed_connection_entry(domain,
1337 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1338 }
1339 return False;
1340 }
1341
1342 *pss = addrs[fd_index];
1343
1344 if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1345 /* Ok, we've got a name for the DC */
1346 fstrcpy(dcname, dcnames[fd_index]);
1347 return True;
1348 }
1349
1350 /* Try to figure out the name */
1351 if (dcip_to_name(mem_ctx, domain, pss, dcname)) {
1352 return True;
1353 }
1354
1355 /* We can not continue without the DC's name */
1356 winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1357 NT_STATUS_UNSUCCESSFUL);
1358
1359 /* Throw away all arrays as we're doing this again. */
1360 TALLOC_FREE(dcs);
1361 num_dcs = 0;
1362
1363 TALLOC_FREE(dcnames);
1364 num_dcnames = 0;
1365
1366 TALLOC_FREE(addrs);
1367 num_addrs = 0;
1368
1369 close(*fd);
1370 *fd = -1;
1371
1372 goto again;
1373 }
1374
1375 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1376 struct winbindd_cm_conn *new_conn)
1377 {
1378 TALLOC_CTX *mem_ctx;
1379 NTSTATUS result;
1380 char *saf_servername = saf_fetch( domain->name );
1381 int retries;
1382
1383 if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1384 SAFE_FREE(saf_servername);
1385 set_domain_offline(domain);
1386 return NT_STATUS_NO_MEMORY;
1387 }
1388
1389 /* we have to check the server affinity cache here since
1390 later we selecte a DC based on response time and not preference */
1391
1392 /* Check the negative connection cache
1393 before talking to it. It going down may have
1394 triggered the reconnection. */
1395
1396 if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1397
1398 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1399 saf_servername, domain->name ));
1400
1401 /* convert an ip address to a name */
1402 if (is_ipaddress( saf_servername ) ) {
1403 fstring saf_name;
1404 struct sockaddr_storage ss;
1405
1406 if (!interpret_string_addr(&ss, saf_servername,
1407 AI_NUMERICHOST)) {
1408 return NT_STATUS_UNSUCCESSFUL;
1409 }
1410 if (dcip_to_name(mem_ctx, domain, &ss, saf_name )) {
1411 fstrcpy( domain->dcname, saf_name );
1412 } else {
1413 winbind_add_failed_connection_entry(
1414 domain, saf_servername,
1415 NT_STATUS_UNSUCCESSFUL);
1416 }
1417 } else {
1418 fstrcpy( domain->dcname, saf_servername );
1419 }
1420
1421 SAFE_FREE( saf_servername );
1422 }
1423
1424 for (retries = 0; retries < 3; retries++) {
1425 int fd = -1;
1426 bool retry = False;
1427
1428 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1429
1430 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1431 domain->dcname, domain->name ));
1432
1433 if (*domain->dcname
1434 && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1435 && (resolve_name(domain->dcname, &domain->dcaddr, 0x20)))
1436 {
1437 struct sockaddr_storage *addrs = NULL;
1438 int num_addrs = 0;
1439 int dummy = 0;
1440
1441 if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 445, &addrs, &num_addrs)) {
1442 set_domain_offline(domain);
1443 talloc_destroy(mem_ctx);
1444 return NT_STATUS_NO_MEMORY;
1445 }
1446 if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 139, &addrs, &num_addrs)) {
1447 set_domain_offline(domain);
1448 talloc_destroy(mem_ctx);
1449 return NT_STATUS_NO_MEMORY;
1450 }
1451
1452 /* 5 second timeout. */
1453 if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) {
1454 fd = -1;
1455 }
1456 }
1457
1458 if ((fd == -1)
1459 && !find_new_dc(mem_ctx, domain, domain->dcname, &domain->dcaddr, &fd))
1460 {
1461 /* This is the one place where we will
1462 set the global winbindd offline state
1463 to true, if a "WINBINDD_OFFLINE" entry
1464 is found in the winbindd cache. */
1465 set_global_winbindd_state_offline();
1466 break;
1467 }
1468
1469 new_conn->cli = NULL;
1470
1471 result = cm_prepare_connection(domain, fd, domain->dcname,
1472 &new_conn->cli, &retry);
1473
1474 if (!retry)
1475 break;
1476 }
1477
1478 if (NT_STATUS_IS_OK(result)) {
1479
1480 winbindd_set_locator_kdc_envs(domain);
1481
1482 if (domain->online == False) {
1483 /* We're changing state from offline to online. */
1484 set_global_winbindd_state_online();
1485 }
1486 set_domain_online(domain);
1487 } else {
1488 /* Ensure we setup the retry handler. */
1489 set_domain_offline(domain);
1490 }
1491
1492 talloc_destroy(mem_ctx);
1493 return result;
1494 }
1495
1496 /* Close down all open pipes on a connection. */
1497
1498 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
1499 {
1500 /* We're closing down a possibly dead
1501 connection. Don't have impossibly long (10s) timeouts. */
1502
1503 if (conn->cli) {
1504 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1505 }
1506
1507 if (conn->samr_pipe != NULL) {
1508 if (!cli_rpc_pipe_close(conn->samr_pipe)) {
1509 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1510 if (conn->cli) {
1511 cli_set_timeout(conn->cli, 500);
1512 }
1513 }
1514 conn->samr_pipe = NULL;
1515 }
1516
1517 if (conn->lsa_pipe != NULL) {
1518 if (!cli_rpc_pipe_close(conn->lsa_pipe)) {
1519 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1520 if (conn->cli) {
1521 cli_set_timeout(conn->cli, 500);
1522 }
1523 }
1524 conn->lsa_pipe = NULL;
1525 }
1526
1527 if (conn->netlogon_pipe != NULL) {
1528 if (!cli_rpc_pipe_close(conn->netlogon_pipe)) {
1529 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1530 if (conn->cli) {
1531 cli_set_timeout(conn->cli, 500);
1532 }
1533 }
1534 conn->netlogon_pipe = NULL;
1535 }
1536
1537 if (conn->cli) {
1538 cli_shutdown(conn->cli);
1539 }
1540
1541 conn->cli = NULL;
1542 }
1543
1544 void close_conns_after_fork(void)
1545 {
1546 struct winbindd_domain *domain;
1547
1548 for (domain = domain_list(); domain; domain = domain->next) {
1549 if (domain->conn.cli == NULL)
1550 continue;
1551
1552 if (domain->conn.cli->fd == -1)
1553 continue;
1554
1555 close(domain->conn.cli->fd);
1556 domain->conn.cli->fd = -1;
1557 }
1558 }
1559
1560 static bool connection_ok(struct winbindd_domain *domain)
1561 {
1562 if (domain->conn.cli == NULL) {
1563 DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
1564 "cli!\n", domain->dcname, domain->name));
1565 return False;
1566 }
1567
1568 if (!domain->conn.cli->initialised) {
1569 DEBUG(3, ("connection_ok: Connection to %s for domain %s was never "
1570 "initialised!\n", domain->dcname, domain->name));
1571 return False;
1572 }
1573
1574 if (domain->conn.cli->fd == -1) {
1575 DEBUG(3, ("connection_ok: Connection to %s for domain %s has died or was "
1576 "never started (fd == -1)\n",
1577 domain->dcname, domain->name));
1578 return False;
1579 }
1580
1581 if (domain->online == False) {
1582 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1583 return False;
1584 }
1585
1586 return True;
1587 }
1588
1589 /* Initialize a new connection up to the RPC BIND.
1590 Bypass online status check so always does network calls. */
1591
1592 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
1593 {
1594 NTSTATUS result;
1595
1596 /* Internal connections never use the network. */
1597 if (domain->internal) {
1598 domain->initialized = True;
1599 return NT_STATUS_OK;
1600 }
1601
1602 if (connection_ok(domain)) {
1603 if (!domain->initialized) {
1604 set_dc_type_and_flags(domain);
1605 }
1606 return NT_STATUS_OK;
1607 }
1608
1609 invalidate_cm_connection(&domain->conn);
1610
1611 result = cm_open_connection(domain, &domain->conn);
1612
1613 if (NT_STATUS_IS_OK(result) && !domain->initialized) {
1614 set_dc_type_and_flags(domain);
1615 }
1616
1617 return result;
1618 }
1619
1620 NTSTATUS init_dc_connection(struct winbindd_domain *domain)
1621 {
1622 if (domain->initialized && !domain->online) {
1623 /* We check for online status elsewhere. */
1624 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1625 }
1626
1627 return init_dc_connection_network(domain);
1628 }
1629
1630 /******************************************************************************
1631 Set the trust flags (direction and forest location) for a domain
1632 ******************************************************************************/
1633
1634 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
1635 {
1636 struct winbindd_domain *our_domain;
1637 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1638 struct netr_DomainTrustList trusts;
1639 int i;
1640 uint32 flags = (NETR_TRUST_FLAG_IN_FOREST |
1641 NETR_TRUST_FLAG_OUTBOUND |
1642 NETR_TRUST_FLAG_INBOUND);
1643 struct rpc_pipe_client *cli;
1644 TALLOC_CTX *mem_ctx = NULL;
1645
1646 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
1647
1648 /* Our primary domain doesn't need to worry about trust flags.
1649 Force it to go through the network setup */
1650 if ( domain->primary ) {
1651 return False;
1652 }
1653
1654 our_domain = find_our_domain();
1655
1656 if ( !connection_ok(our_domain) ) {
1657 DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));
1658 return False;
1659 }
1660
1661 /* This won't work unless our domain is AD */
1662
1663 if ( !our_domain->active_directory ) {
1664 return False;
1665 }
1666
1667 /* Use DsEnumerateDomainTrusts to get us the trust direction
1668 and type */
1669
1670 result = cm_connect_netlogon(our_domain, &cli);
1671
1672 if (!NT_STATUS_IS_OK(result)) {
1673 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
1674 "a connection to %s for PIPE_NETLOGON (%s)\n",
1675 domain->name, nt_errstr(result)));
1676 return False;
1677 }
1678
1679 if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
1680 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
1681 return False;
1682 }
1683
1684 result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1685 cli->cli->desthost,
1686 flags,
1687 &trusts,
1688 NULL);
1689 if (!NT_STATUS_IS_OK(result)) {
1690 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
1691 "failed to query trusted domain list: %s\n",
1692 nt_errstr(result)));
1693 talloc_destroy(mem_ctx);
1694 return false;
1695 }
1696
1697 /* Now find the domain name and get the flags */
1698
1699 for ( i=0; i<trusts.count; i++ ) {
1700 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
1701 domain->domain_flags = trusts.array[i].trust_flags;
1702 domain->domain_type = trusts.array[i].trust_type;
1703 domain->domain_trust_attribs = trusts.array[i].trust_attributes;
1704
1705 if ( domain->domain_type == NETR_TRUST_TYPE_UPLEVEL )
1706 domain->active_directory = True;
1707
1708 /* This flag is only set if the domain is *our*
1709 primary domain and the primary domain is in
1710 native mode */
1711
1712 domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
1713
1714 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
1715 "native mode.\n", domain->name,
1716 domain->native_mode ? "" : "NOT "));
1717
1718 DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
1719 "running active directory.\n", domain->name,
1720 domain->active_directory ? "" : "NOT "));
1721
1722
1723 domain->initialized = True;
1724
1725 if ( !winbindd_can_contact_domain( domain) )
1726 domain->internal = True;
1727
1728 break;
1729 }
1730 }
1731
1732 talloc_destroy( mem_ctx );
1733
1734 return domain->initialized;
1735 }
1736
1737 /******************************************************************************
1738 We can 'sense' certain things about the DC by it's replies to certain
1739 questions.
1740
1741 This tells us if this particular remote server is Active Directory, and if it
1742 is native mode.
1743 ******************************************************************************/
1744
1745 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
1746 {
1747 NTSTATUS result;
1748 WERROR werr;
1749 TALLOC_CTX *mem_ctx = NULL;
1750 struct rpc_pipe_client *cli;
1751 POLICY_HND pol;
1752 union dssetup_DsRoleInfo info;
1753 union lsa_PolicyInformation *lsa_info = NULL;
1754
1755 if (!connection_ok(domain)) {
1756 return;
1757 }
1758
1759 mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
1760 domain->name);
1761 if (!mem_ctx) {
1762 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
1763 return;
1764 }
1765
1766 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
1767
1768 cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_DSSETUP,
1769 &result);
1770
1771 if (cli == NULL) {
1772 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1773 "PI_DSSETUP on domain %s: (%s)\n",
1774 domain->name, nt_errstr(result)));
1775
1776 /* if this is just a non-AD domain we need to continue
1777 * identifying so that we can in the end return with
1778 * domain->initialized = True - gd */
1779
1780 goto no_dssetup;
1781 }
1782
1783 result = rpccli_dssetup_DsRoleGetPrimaryDomainInformation(cli, mem_ctx,
1784 DS_ROLE_BASIC_INFORMATION,
1785 &info,
1786 &werr);
1787 cli_rpc_pipe_close(cli);
1788
1789 if (!NT_STATUS_IS_OK(result)) {
1790 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
1791 "on domain %s failed: (%s)\n",
1792 domain->name, nt_errstr(result)));
1793
1794 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
1795 * every opcode on the DSSETUP pipe, continue with
1796 * no_dssetup mode here as well to get domain->initialized
1797 * set - gd */
1798
1799 if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
1800 goto no_dssetup;
1801 }
1802
1803 TALLOC_FREE(mem_ctx);
1804 return;
1805 }
1806
1807 if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
1808 !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
1809 domain->native_mode = True;
1810 } else {
1811 domain->native_mode = False;
1812 }
1813
1814 no_dssetup:
1815 cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC, &result);
1816
1817 if (cli == NULL) {
1818 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1819 "PI_LSARPC on domain %s: (%s)\n",
1820 domain->name, nt_errstr(result)));
1821 cli_rpc_pipe_close(cli);
1822 TALLOC_FREE(mem_ctx);
1823 return;
1824 }
1825
1826 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
1827 SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
1828
1829 if (NT_STATUS_IS_OK(result)) {
1830 /* This particular query is exactly what Win2k clients use
1831 to determine that the DC is active directory */
1832 result = rpccli_lsa_QueryInfoPolicy2(cli, mem_ctx,
1833 &pol,
1834 LSA_POLICY_INFO_DNS,
1835 &lsa_info);
1836 }
1837
1838 if (NT_STATUS_IS_OK(result)) {
1839 domain->active_directory = True;
1840
1841 if (lsa_info->dns.name.string) {
1842 fstrcpy(domain->name, lsa_info->dns.name.string);
1843 }
1844
1845 if (lsa_info->dns.dns_domain.string) {
1846 fstrcpy(domain->alt_name,
1847 lsa_info->dns.dns_domain.string);
1848 }
1849
1850 /* See if we can set some domain trust flags about
1851 ourself */
1852
1853 if (lsa_info->dns.dns_forest.string) {
1854 fstrcpy(domain->forest_name,
1855 lsa_info->dns.dns_forest.string);
1856
1857 if (strequal(domain->forest_name, domain->alt_name)) {
1858 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
1859 }
1860 }
1861
1862 if (lsa_info->dns.sid) {
1863 sid_copy(&domain->sid, lsa_info->dns.sid);
1864 }
1865 } else {
1866 domain->active_directory = False;
1867
1868 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
1869 SEC_RIGHTS_MAXIMUM_ALLOWED,
1870 &pol);
1871
1872 if (!NT_STATUS_IS_OK(result)) {
1873 goto done;
1874 }
1875
1876 result = rpccli_lsa_QueryInfoPolicy(cli, mem_ctx,
1877 &pol,
1878 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
1879 &lsa_info);
1880
1881 if (NT_STATUS_IS_OK(result)) {
1882
1883 if (lsa_info->account_domain.name.string) {
1884 fstrcpy(domain->name,
1885 lsa_info->account_domain.name.string);
1886 }
1887
1888 if (lsa_info->account_domain.sid) {
1889 sid_copy(&domain->sid, lsa_info->account_domain.sid);
1890 }
1891 }
1892 }
1893 done:
1894
1895 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
1896 domain->name, domain->native_mode ? "" : "NOT "));
1897
1898 DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
1899 domain->name, domain->active_directory ? "" : "NOT "));
1900
1901 cli_rpc_pipe_close(cli);
1902
1903 TALLOC_FREE(mem_ctx);
1904
1905 domain->initialized = True;
1906 }
1907
1908 /**********************************************************************
1909 Set the domain_flags (trust attributes, domain operating modes, etc...
1910 ***********************************************************************/
1911
1912 static void set_dc_type_and_flags( struct winbindd_domain *domain )
1913 {
1914 /* we always have to contact our primary domain */
1915
1916 if ( domain->primary ) {
1917 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
1918 "primary domain\n"));
1919 set_dc_type_and_flags_connect( domain );
1920 return;
1921 }
1922
1923 /* Use our DC to get the information if possible */
1924
1925 if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
1926 /* Otherwise, fallback to contacting the
1927 domain directly */
1928 set_dc_type_and_flags_connect( domain );
1929 }
1930
1931 return;
1932 }
1933
1934
1935
1936 /**********************************************************************
1937 ***********************************************************************/
1938
1939 static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain,
1940 struct dcinfo **ppdc)
1941 {
1942 NTSTATUS result;
1943 struct rpc_pipe_client *netlogon_pipe;
1944
1945 if (lp_client_schannel() == False) {
1946 return False;
1947 }
1948
1949 result = cm_connect_netlogon(domain, &netlogon_pipe);
1950 if (!NT_STATUS_IS_OK(result)) {
1951 return False;
1952 }
1953
1954 /* Return a pointer to the struct dcinfo from the
1955 netlogon pipe. */
1956
1957 if (!domain->conn.netlogon_pipe->dc) {
1958 return false;
1959 }
1960
1961 *ppdc = domain->conn.netlogon_pipe->dc;
1962 return True;
1963 }
1964
1965 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
1966 struct rpc_pipe_client **cli, POLICY_HND *sam_handle)
1967 {
1968 struct winbindd_cm_conn *conn;
1969 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1970 fstring conn_pwd;
1971 struct dcinfo *p_dcinfo;
1972 char *machine_password = NULL;
1973 char *machine_account = NULL;
1974 char *domain_name = NULL;
1975
1976 result = init_dc_connection(domain);
1977 if (!NT_STATUS_IS_OK(result)) {
1978 return result;
1979 }
1980
1981 conn = &domain->conn;
1982
1983 if (conn->samr_pipe != NULL) {
1984 goto done;
1985 }
1986
1987
1988 /*
1989 * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
1990 * sign and sealed pipe using the machine account password by
1991 * preference. If we can't - try schannel, if that fails, try
1992 * anonymous.
1993 */
1994
1995 pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
1996 if ((conn->cli->user_name[0] == '\0') ||
1997 (conn->cli->domain[0] == '\0') ||
1998 (conn_pwd[0] == '\0'))
1999 {
2000 result = get_trust_creds(domain, &machine_password,
2001 &machine_account, NULL);
2002 if (!NT_STATUS_IS_OK(result)) {
2003 DEBUG(10, ("cm_connect_sam: No no user available for "
2004 "domain %s, trying schannel\n", conn->cli->domain));
2005 goto schannel;
2006 }
2007 domain_name = domain->name;
2008 } else {
2009 machine_password = SMB_STRDUP(conn_pwd);
2010 machine_account = SMB_STRDUP(conn->cli->user_name);
2011 domain_name = conn->cli->domain;
2012 }
2013
2014 if (!machine_password || !machine_account) {
2015 result = NT_STATUS_NO_MEMORY;
2016 goto done;
2017 }
2018
2019 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2020 authenticated SAMR pipe with sign & seal. */
2021 conn->samr_pipe =
2022 cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR,
2023 PIPE_AUTH_LEVEL_PRIVACY,
2024 domain_name,
2025 machine_account,
2026 machine_password, &result);
2027
2028 if (conn->samr_pipe == NULL) {
2029 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2030 "pipe for domain %s using NTLMSSP "
2031 "authenticated pipe: user %s\\%s. Error was "
2032 "%s\n", domain->name, domain_name,
2033 machine_account, nt_errstr(result)));
2034 goto schannel;
2035 }
2036
2037 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2038 "domain %s using NTLMSSP authenticated "
2039 "pipe: user %s\\%s\n", domain->name,
2040 domain_name, machine_account));
2041
2042 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2043 conn->samr_pipe->cli->desthost,
2044 SEC_RIGHTS_MAXIMUM_ALLOWED,
2045 &conn->sam_connect_handle);
2046 if (NT_STATUS_IS_OK(result)) {
2047 goto open_domain;
2048 }
2049 DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_Connect2 "
2050 "failed for domain %s, error was %s. Trying schannel\n",
2051 domain->name, nt_errstr(result) ));
2052 cli_rpc_pipe_close(conn->samr_pipe);
2053
2054 schannel:
2055
2056 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2057
2058 if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
2059 /* If this call fails - conn->cli can now be NULL ! */
2060 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2061 "for domain %s, trying anon\n", domain->name));
2062 goto anonymous;
2063 }
2064 conn->samr_pipe = cli_rpc_pipe_open_schannel_with_key
2065 (conn->cli, PI_SAMR, PIPE_AUTH_LEVEL_PRIVACY,
2066 domain->name, p_dcinfo, &result);
2067
2068 if (conn->samr_pipe == NULL) {
2069 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2070 "domain %s using schannel. Error was %s\n",
2071 domain->name, nt_errstr(result) ));
2072 goto anonymous;
2073 }
2074 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2075 "schannel.\n", domain->name ));
2076
2077 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2078 conn->samr_pipe->cli->desthost,
2079 SEC_RIGHTS_MAXIMUM_ALLOWED,
2080 &conn->sam_connect_handle);
2081 if (NT_STATUS_IS_OK(result)) {
2082 goto open_domain;
2083 }
2084 DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_Connect2 failed "
2085 "for domain %s, error was %s. Trying anonymous\n",
2086 domain->name, nt_errstr(result) ));
2087 cli_rpc_pipe_close(conn->samr_pipe);
2088
2089 anonymous:
2090
2091 /* Finally fall back to anonymous. */
2092 conn->samr_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_SAMR,
2093 &result);
2094
2095 if (conn->samr_pipe == NULL) {
2096 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2097 goto done;
2098 }
2099
2100 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2101 conn->samr_pipe->cli->desthost,
2102 SEC_RIGHTS_MAXIMUM_ALLOWED,
2103 &conn->sam_connect_handle);
2104 if (!NT_STATUS_IS_OK(result)) {
2105 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2106 "for domain %s Error was %s\n",
2107 domain->name, nt_errstr(result) ));
2108 goto done;
2109 }
2110
2111 open_domain:
2112 result = rpccli_samr_OpenDomain(conn->samr_pipe,
2113 mem_ctx,
2114 &conn->sam_connect_handle,
2115 SEC_RIGHTS_MAXIMUM_ALLOWED,
2116 &domain->sid,
2117 &conn->sam_domain_handle);
2118
2119 done:
2120
2121 if (!NT_STATUS_IS_OK(result)) {
2122 invalidate_cm_connection(conn);
2123 return result;
2124 }
2125
2126 *cli = conn->samr_pipe;
2127 *sam_handle = conn->sam_domain_handle;
2128 SAFE_FREE(machine_password);
2129 SAFE_FREE(machine_account);
2130 return result;
2131 }
2132
2133 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2134 struct rpc_pipe_client **cli, POLICY_HND *lsa_policy)
2135 {
2136 struct winbindd_cm_conn *conn;
2137 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2138 fstring conn_pwd;
2139 struct dcinfo *p_dcinfo;
2140
2141 result = init_dc_connection(domain);
2142 if (!NT_STATUS_IS_OK(result))
2143 return result;
2144
2145 conn = &domain->conn;
2146
2147 if (conn->lsa_pipe != NULL) {
2148 goto done;
2149 }
2150
2151 pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
2152 if ((conn->cli->user_name[0] == '\0') ||
2153 (conn->cli->domain[0] == '\0') ||
2154 (conn_pwd[0] == '\0')) {
2155 DEBUG(10, ("cm_connect_lsa: No no user available for "
2156 "domain %s, trying schannel\n", conn->cli->domain));
2157 goto schannel;
2158 }
2159
2160 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2161 * authenticated LSA pipe with sign & seal. */
2162 conn->lsa_pipe = cli_rpc_pipe_open_spnego_ntlmssp
2163 (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
2164 conn->cli->domain, conn->cli->user_name, conn_pwd, &result);
2165
2166 if (conn->lsa_pipe == NULL) {
2167 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2168 "domain %s using NTLMSSP authenticated pipe: user "
2169 "%s\\%s. Error was %s. Trying schannel.\n",
2170 domain->name, conn->cli->domain,
2171 conn->cli->user_name, nt_errstr(result)));
2172 goto schannel;
2173 }
2174
2175 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2176 "NTLMSSP authenticated pipe: user %s\\%s\n",
2177 domain->name, conn->cli->domain, conn->cli->user_name ));
2178
2179 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2180 SEC_RIGHTS_MAXIMUM_ALLOWED,
2181 &conn->lsa_policy);
2182 if (NT_STATUS_IS_OK(result)) {
2183 goto done;
2184 }
2185
2186 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2187 "schannel\n"));
2188
2189 cli_rpc_pipe_close(conn->lsa_pipe);
2190
2191 schannel:
2192
2193 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2194
2195 if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
2196 /* If this call fails - conn->cli can now be NULL ! */
2197 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2198 "for domain %s, trying anon\n", domain->name));
2199 goto anonymous;
2200 }
2201 conn->lsa_pipe = cli_rpc_pipe_open_schannel_with_key
2202 (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
2203 domain->name, p_dcinfo, &result);
2204
2205 if (conn->lsa_pipe == NULL) {
2206 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2207 "domain %s using schannel. Error was %s\n",
2208 domain->name, nt_errstr(result) ));
2209 goto anonymous;
2210 }
2211 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2212 "schannel.\n", domain->name ));
2213
2214 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2215 SEC_RIGHTS_MAXIMUM_ALLOWED,
2216 &conn->lsa_policy);
2217 if (NT_STATUS_IS_OK(result)) {
2218 goto done;
2219 }
2220
2221 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2222 "anonymous\n"));
2223
2224 cli_rpc_pipe_close(conn->lsa_pipe);
2225
2226 anonymous:
2227
2228 conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_LSARPC,
2229 &result);
2230 if (conn->lsa_pipe == NULL) {
2231 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2232 goto done;
2233 }
2234
2235 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2236 SEC_RIGHTS_MAXIMUM_ALLOWED,
2237 &conn->lsa_policy);
2238 done:
2239 if (!NT_STATUS_IS_OK(result)) {
2240 invalidate_cm_connection(conn);
2241 return result;
2242 }
2243
2244 *cli = conn->lsa_pipe;
2245 *lsa_policy = conn->lsa_policy;
2246 return result;
2247 }
2248
2249 /****************************************************************************
2250 Open the netlogon pipe to this DC. Use schannel if specified in client conf.
2251 session key stored in conn->netlogon_pipe->dc->sess_key.
2252 ****************************************************************************/
2253
2254 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2255 struct rpc_pipe_client **cli)
2256 {
2257 struct winbindd_cm_conn *conn;
2258 NTSTATUS result;
2259
2260 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2261 uint8 mach_pwd[16];
2262 uint32 sec_chan_type;
2263 const char *account_name;
2264 struct rpc_pipe_client *netlogon_pipe = NULL;
2265
2266 *cli = NULL;
2267
2268 result = init_dc_connection(domain);
2269 if (!NT_STATUS_IS_OK(result)) {
2270 return result;
2271 }
2272
2273 conn = &domain->conn;
2274
2275 if (conn->netlogon_pipe != NULL) {
2276 *cli = conn->netlogon_pipe;
2277 return NT_STATUS_OK;
2278 }
2279
2280 netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
2281 &result);
2282 if (netlogon_pipe == NULL) {
2283 return result;
2284 }
2285
2286 if ((!IS_DC) && (!domain->primary)) {
2287 /* Clear the schannel request bit and drop down */
2288 neg_flags &= ~NETLOGON_NEG_SCHANNEL;
2289 goto no_schannel;
2290 }
2291
2292 if (lp_client_schannel() != False) {
2293 neg_flags |= NETLOGON_NEG_SCHANNEL;
2294 }
2295
2296 if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
2297 &sec_chan_type))
2298 {
2299 cli_rpc_pipe_close(netlogon_pipe);
2300 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2301 }
2302
2303 result = rpccli_netlogon_setup_creds(
2304 netlogon_pipe,
2305 domain->dcname, /* server name. */
2306 domain->name, /* domain name */
2307 global_myname(), /* client name */
2308 account_name, /* machine account */
2309 mach_pwd, /* machine password */
2310 sec_chan_type, /* from get_trust_pw */
2311 &neg_flags);
2312
2313 if (!NT_STATUS_IS_OK(result)) {
2314 cli_rpc_pipe_close(netlogon_pipe);
2315 return result;
2316 }
2317
2318 if ((lp_client_schannel() == True) &&
2319 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2320 DEBUG(3, ("Server did not offer schannel\n"));
2321 cli_rpc_pipe_close(netlogon_pipe);
2322 return NT_STATUS_ACCESS_DENIED;
2323 }
2324
2325 no_schannel:
2326 if ((lp_client_schannel() == False) ||
2327 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2328 /*
2329 * NetSamLogonEx only works for schannel
2330 */
2331 domain->can_do_samlogon_ex = False;
2332
2333 /* We're done - just keep the existing connection to NETLOGON
2334 * open */
2335 conn->netlogon_pipe = netlogon_pipe;
2336 *cli = conn->netlogon_pipe;
2337 return NT_STATUS_OK;
2338 }
2339
2340 /* Using the credentials from the first pipe, open a signed and sealed
2341 second netlogon pipe. The session key is stored in the schannel
2342 part of the new pipe auth struct.
2343 */
2344
2345 conn->netlogon_pipe =
2346 cli_rpc_pipe_open_schannel_with_key(conn->cli,
2347 PI_NETLOGON,
2348 PIPE_AUTH_LEVEL_PRIVACY,
2349 domain->name,
2350 netlogon_pipe->dc,
2351 &result);
2352
2353 /* We can now close the initial netlogon pipe. */
2354 cli_rpc_pipe_close(netlogon_pipe);
2355
2356 if (conn->netlogon_pipe == NULL) {
2357 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
2358 "was %s\n", nt_errstr(result)));
2359
2360 /* make sure we return something besides OK */
2361 return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
2362 }
2363
2364 /*
2365 * Try NetSamLogonEx for AD domains
2366 */
2367 domain->can_do_samlogon_ex = domain->active_directory;
2368
2369 *cli = conn->netlogon_pipe;
2370 return NT_STATUS_OK;
2371 }
Samba GIT mirror