search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
winbindd: fix horrible mis-indentation of toplvl braces in getgrsid_sid2gid_recv
[Samba.git] / source / winbindd / winbindd_cm.c
blob14e4237cae0f26ac51fa31f4dc20fbacf0277ef7
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon connection manager
5
6 Copyright (C) Tim Potter 2001
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Gerald (Jerry) Carter 2003-2005.
9 Copyright (C) Volker Lendecke 2004-2005
10 Copyright (C) Jeremy Allison 2006
11
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27 We need to manage connections to domain controllers without having to
28 mess up the main winbindd code with other issues. The aim of the
29 connection manager is to:
30
31 - make connections to domain controllers and cache them
32 - re-establish connections when networks or servers go down
33 - centralise the policy on connection timeouts, domain controller
34 selection etc
35 - manage re-entrancy for when winbindd becomes able to handle
36 multiple outstanding rpc requests
37
38 Why not have connection management as part of the rpc layer like tng?
39 Good question. This code may morph into libsmb/rpc_cache.c or something
40 like that but at the moment it's simply staying as part of winbind. I
41 think the TNG architecture of forcing every user of the rpc layer to use
42 the connection caching system is a bad idea. It should be an optional
43 method of using the routines.
44
45 The TNG design is quite good but I disagree with some aspects of the
46 implementation. -tpot
47
48 */
49
50 /*
51 TODO:
52
53 - I'm pretty annoyed by all the make_nmb_name() stuff. It should be
54 moved down into another function.
55
56 - Take care when destroying cli_structs as they can be shared between
57 various sam handles.
58
59 */
60
61 #include "includes.h"
62 #include "winbindd.h"
63
64 #undef DBGC_CLASS
65 #define DBGC_CLASS DBGC_WINBIND
66
67 struct dc_name_ip {
68 fstring name;
69 struct sockaddr_storage ss;
70 };
71
72 extern struct winbindd_methods reconnect_methods;
73 extern bool override_logfile;
74
75 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
76 static void set_dc_type_and_flags( struct winbindd_domain *domain );
77 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
78 struct dc_name_ip **dcs, int *num_dcs);
79
80 /****************************************************************
81 Child failed to find DC's. Reschedule check.
82 ****************************************************************/
83
84 static void msg_failed_to_go_online(struct messaging_context *msg,
85 void *private_data,
86 uint32_t msg_type,
87 struct server_id server_id,
88 DATA_BLOB *data)
89 {
90 struct winbindd_domain *domain;
91 const char *domainname = (const char *)data->data;
92
93 if (data->data == NULL || data->length == 0) {
94 return;
95 }
96
97 DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
98
99 for (domain = domain_list(); domain; domain = domain->next) {
100 if (domain->internal) {
101 continue;
102 }
103
104 if (strequal(domain->name, domainname)) {
105 if (domain->online) {
106 /* We're already online, ignore. */
107 DEBUG(5,("msg_fail_to_go_online: domain %s "
108 "already online.\n", domainname));
109 continue;
110 }
111
112 /* Reschedule the online check. */
113 set_domain_offline(domain);
114 break;
115 }
116 }
117 }
118
119 /****************************************************************
120 Actually cause a reconnect from a message.
121 ****************************************************************/
122
123 static void msg_try_to_go_online(struct messaging_context *msg,
124 void *private_data,
125 uint32_t msg_type,
126 struct server_id server_id,
127 DATA_BLOB *data)
128 {
129 struct winbindd_domain *domain;
130 const char *domainname = (const char *)data->data;
131
132 if (data->data == NULL || data->length == 0) {
133 return;
134 }
135
136 DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
137
138 for (domain = domain_list(); domain; domain = domain->next) {
139 if (domain->internal) {
140 continue;
141 }
142
143 if (strequal(domain->name, domainname)) {
144
145 if (domain->online) {
146 /* We're already online, ignore. */
147 DEBUG(5,("msg_try_to_go_online: domain %s "
148 "already online.\n", domainname));
149 continue;
150 }
151
152 /* This call takes care of setting the online
153 flag to true if we connected, or re-adding
154 the offline handler if false. Bypasses online
155 check so always does network calls. */
156
157 init_dc_connection_network(domain);
158 break;
159 }
160 }
161 }
162
163 /****************************************************************
164 Fork a child to try and contact a DC. Do this as contacting a
165 DC requires blocking lookups and we don't want to block our
166 parent.
167 ****************************************************************/
168
169 static bool fork_child_dc_connect(struct winbindd_domain *domain)
170 {
171 struct dc_name_ip *dcs = NULL;
172 int num_dcs = 0;
173 TALLOC_CTX *mem_ctx = NULL;
174 pid_t child_pid;
175 pid_t parent_pid = sys_getpid();
176
177 /* Stop zombies */
178 CatchChild();
179
180 child_pid = sys_fork();
181
182 if (child_pid == -1) {
183 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
184 return False;
185 }
186
187 if (child_pid != 0) {
188 /* Parent */
189 messaging_register(winbind_messaging_context(), NULL,
190 MSG_WINBIND_TRY_TO_GO_ONLINE,
191 msg_try_to_go_online);
192 messaging_register(winbind_messaging_context(), NULL,
193 MSG_WINBIND_FAILED_TO_GO_ONLINE,
194 msg_failed_to_go_online);
195 return True;
196 }
197
198 /* Child. */
199
200 /* Leave messages blocked - we will never process one. */
201
202 if (!reinit_after_fork(winbind_messaging_context(), true)) {
203 DEBUG(0,("reinit_after_fork() failed\n"));
204 _exit(0);
205 }
206
207 close_conns_after_fork();
208
209 if (!override_logfile) {
210 char *logfile;
211 if (asprintf(&logfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) > 0) {
212 lp_set_logfile(logfile);
213 SAFE_FREE(logfile);
214 reopen_logs();
215 }
216 }
217
218 mem_ctx = talloc_init("fork_child_dc_connect");
219 if (!mem_ctx) {
220 DEBUG(0,("talloc_init failed.\n"));
221 _exit(0);
222 }
223
224 if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
225 /* Still offline ? Can't find DC's. */
226 messaging_send_buf(winbind_messaging_context(),
227 pid_to_procid(parent_pid),
228 MSG_WINBIND_FAILED_TO_GO_ONLINE,
229 (uint8 *)domain->name,
230 strlen(domain->name)+1);
231 _exit(0);
232 }
233
234 /* We got a DC. Send a message to our parent to get it to
235 try and do the same. */
236
237 messaging_send_buf(winbind_messaging_context(),
238 pid_to_procid(parent_pid),
239 MSG_WINBIND_TRY_TO_GO_ONLINE,
240 (uint8 *)domain->name,
241 strlen(domain->name)+1);
242 _exit(0);
243 }
244
245 /****************************************************************
246 Handler triggered if we're offline to try and detect a DC.
247 ****************************************************************/
248
249 static void check_domain_online_handler(struct event_context *ctx,
250 struct timed_event *te,
251 const struct timeval *now,
252 void *private_data)
253 {
254 struct winbindd_domain *domain =
255 (struct winbindd_domain *)private_data;
256
257 DEBUG(10,("check_domain_online_handler: called for domain "
258 "%s (online = %s)\n", domain->name,
259 domain->online ? "True" : "False" ));
260
261 TALLOC_FREE(domain->check_online_event);
262
263 /* Are we still in "startup" mode ? */
264
265 if (domain->startup && (now->tv_sec > domain->startup_time + 30)) {
266 /* No longer in "startup" mode. */
267 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
268 domain->name ));
269 domain->startup = False;
270 }
271
272 /* We've been told to stay offline, so stay
273 that way. */
274
275 if (get_global_winbindd_state_offline()) {
276 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
277 domain->name ));
278 return;
279 }
280
281 /* Fork a child to test if it can contact a DC.
282 If it can then send ourselves a message to
283 cause a reconnect. */
284
285 fork_child_dc_connect(domain);
286 }
287
288 /****************************************************************
289 If we're still offline setup the timeout check.
290 ****************************************************************/
291
292 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
293 {
294 int wbc = lp_winbind_cache_time();
295
296 if (domain->startup) {
297 domain->check_online_timeout = 10;
298 } else if (domain->check_online_timeout < wbc) {
299 domain->check_online_timeout = wbc;
300 }
301 }
302
303 /****************************************************************
304 Set domain offline and also add handler to put us back online
305 if we detect a DC.
306 ****************************************************************/
307
308 void set_domain_offline(struct winbindd_domain *domain)
309 {
310 DEBUG(10,("set_domain_offline: called for domain %s\n",
311 domain->name ));
312
313 TALLOC_FREE(domain->check_online_event);
314
315 if (domain->internal) {
316 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
317 domain->name ));
318 return;
319 }
320
321 domain->online = False;
322
323 /* Offline domains are always initialized. They're
324 re-initialized when they go back online. */
325
326 domain->initialized = True;
327
328 /* We only add the timeout handler that checks and
329 allows us to go back online when we've not
330 been told to remain offline. */
331
332 if (get_global_winbindd_state_offline()) {
333 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
334 domain->name ));
335 return;
336 }
337
338 /* If we're in statup mode, check again in 10 seconds, not in
339 lp_winbind_cache_time() seconds (which is 5 mins by default). */
340
341 calc_new_online_timeout_check(domain);
342
343 domain->check_online_event = event_add_timed(winbind_event_context(),
344 NULL,
345 timeval_current_ofs(domain->check_online_timeout,0),
346 "check_domain_online_handler",
347 check_domain_online_handler,
348 domain);
349
350 /* The above *has* to succeed for winbindd to work. */
351 if (!domain->check_online_event) {
352 smb_panic("set_domain_offline: failed to add online handler");
353 }
354
355 DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
356 domain->name ));
357
358 /* Send an offline message to the idmap child when our
359 primary domain goes offline */
360
361 if ( domain->primary ) {
362 struct winbindd_child *idmap = idmap_child();
363
364 if ( idmap->pid != 0 ) {
365 messaging_send_buf(winbind_messaging_context(),
366 pid_to_procid(idmap->pid),
367 MSG_WINBIND_OFFLINE,
368 (uint8 *)domain->name,
369 strlen(domain->name)+1);
370 }
371 }
372
373 return;
374 }
375
376 /****************************************************************
377 Set domain online - if allowed.
378 ****************************************************************/
379
380 static void set_domain_online(struct winbindd_domain *domain)
381 {
382 struct timeval now;
383
384 DEBUG(10,("set_domain_online: called for domain %s\n",
385 domain->name ));
386
387 if (domain->internal) {
388 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
389 domain->name ));
390 return;
391 }
392
393 if (get_global_winbindd_state_offline()) {
394 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
395 domain->name ));
396 return;
397 }
398
399 winbindd_set_locator_kdc_envs(domain);
400
401 /* If we are waiting to get a krb5 ticket, trigger immediately. */
402 GetTimeOfDay(&now);
403 set_event_dispatch_time(winbind_event_context(),
404 "krb5_ticket_gain_handler", now);
405
406 /* Ok, we're out of any startup mode now... */
407 domain->startup = False;
408
409 if (domain->online == False) {
410 /* We were offline - now we're online. We default to
411 using the MS-RPC backend if we started offline,
412 and if we're going online for the first time we
413 should really re-initialize the backends and the
414 checks to see if we're talking to an AD or NT domain.
415 */
416
417 domain->initialized = False;
418
419 /* 'reconnect_methods' is the MS-RPC backend. */
420 if (domain->backend == &reconnect_methods) {
421 domain->backend = NULL;
422 }
423 }
424
425 /* Ensure we have no online timeout checks. */
426 domain->check_online_timeout = 0;
427 TALLOC_FREE(domain->check_online_event);
428
429 /* Ensure we ignore any pending child messages. */
430 messaging_deregister(winbind_messaging_context(),
431 MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
432 messaging_deregister(winbind_messaging_context(),
433 MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
434
435 domain->online = True;
436
437 /* Send an online message to the idmap child when our
438 primary domain comes online */
439
440 if ( domain->primary ) {
441 struct winbindd_child *idmap = idmap_child();
442
443 if ( idmap->pid != 0 ) {
444 messaging_send_buf(winbind_messaging_context(),
445 pid_to_procid(idmap->pid),
446 MSG_WINBIND_ONLINE,
447 (uint8 *)domain->name,
448 strlen(domain->name)+1);
449 }
450 }
451
452 return;
453 }
454
455 /****************************************************************
456 Requested to set a domain online.
457 ****************************************************************/
458
459 void set_domain_online_request(struct winbindd_domain *domain)
460 {
461 struct timeval tev;
462
463 DEBUG(10,("set_domain_online_request: called for domain %s\n",
464 domain->name ));
465
466 if (get_global_winbindd_state_offline()) {
467 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
468 domain->name ));
469 return;
470 }
471
472 /* We've been told it's safe to go online and
473 try and connect to a DC. But I don't believe it
474 because network manager seems to lie.
475 Wait at least 5 seconds. Heuristics suck... */
476
477 if (!domain->check_online_event) {
478 /* If we've come from being globally offline we
479 don't have a check online event handler set.
480 We need to add one now we're trying to go
481 back online. */
482
483 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
484 domain->name ));
485
486 domain->check_online_event = event_add_timed(winbind_event_context(),
487 NULL,
488 timeval_current_ofs(5, 0),
489 "check_domain_online_handler",
490 check_domain_online_handler,
491 domain);
492
493 /* The above *has* to succeed for winbindd to work. */
494 if (!domain->check_online_event) {
495 smb_panic("set_domain_online_request: failed to add online handler");
496 }
497 }
498
499 GetTimeOfDay(&tev);
500
501 /* Go into "startup" mode again. */
502 domain->startup_time = tev.tv_sec;
503 domain->startup = True;
504
505 tev.tv_sec += 5;
506
507 set_event_dispatch_time(winbind_event_context(), "check_domain_online_handler", tev);
508 }
509
510 /****************************************************************
511 Add -ve connection cache entries for domain and realm.
512 ****************************************************************/
513
514 void winbind_add_failed_connection_entry(const struct winbindd_domain *domain,
515 const char *server,
516 NTSTATUS result)
517 {
518 add_failed_connection_entry(domain->name, server, result);
519 /* If this was the saf name for the last thing we talked to,
520 remove it. */
521 saf_delete(domain->name);
522 if (*domain->alt_name) {
523 add_failed_connection_entry(domain->alt_name, server, result);
524 saf_delete(domain->alt_name);
525 }
526 winbindd_unset_locator_kdc_env(domain);
527 }
528
529 /* Choose between anonymous or authenticated connections. We need to use
530 an authenticated connection if DCs have the RestrictAnonymous registry
531 entry set > 0, or the "Additional restrictions for anonymous
532 connections" set in the win2k Local Security Policy.
533
534 Caller to free() result in domain, username, password
535 */
536
537 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
538 {
539 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
540 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
541 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
542
543 if (*username && **username) {
544
545 if (!*domain || !**domain)
546 *domain = smb_xstrdup(lp_workgroup());
547
548 if (!*password || !**password)
549 *password = smb_xstrdup("");
550
551 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
552 *domain, *username));
553
554 } else {
555 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
556 *username = smb_xstrdup("");
557 *domain = smb_xstrdup("");
558 *password = smb_xstrdup("");
559 }
560 }
561
562 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
563 fstring dcname,
564 struct sockaddr_storage *dc_ss)
565 {
566 struct winbindd_domain *our_domain = NULL;
567 struct rpc_pipe_client *netlogon_pipe = NULL;
568 NTSTATUS result;
569 WERROR werr;
570 TALLOC_CTX *mem_ctx;
571 unsigned int orig_timeout;
572 const char *tmp = NULL;
573 const char *p;
574
575 /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
576 * moment.... */
577
578 if (IS_DC) {
579 return False;
580 }
581
582 if (domain->primary) {
583 return False;
584 }
585
586 our_domain = find_our_domain();
587
588 if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
589 return False;
590 }
591
592 result = cm_connect_netlogon(our_domain, &netlogon_pipe);
593 if (!NT_STATUS_IS_OK(result)) {
594 talloc_destroy(mem_ctx);
595 return False;
596 }
597
598 /* This call can take a long time - allow the server to time out.
599 35 seconds should do it. */
600
601 orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000);
602
603 if (our_domain->active_directory) {
604 struct netr_DsRGetDCNameInfo *domain_info = NULL;
605
606 result = rpccli_netr_DsRGetDCName(netlogon_pipe,
607 mem_ctx,
608 our_domain->dcname,
609 domain->name,
610 NULL,
611 NULL,
612 DS_RETURN_DNS_NAME,
613 &domain_info,
614 &werr);
615 if (W_ERROR_IS_OK(werr)) {
616 tmp = talloc_strdup(
617 mem_ctx, domain_info->dc_unc);
618 if (tmp == NULL) {
619 DEBUG(0, ("talloc_strdup failed\n"));
620 talloc_destroy(mem_ctx);
621 return false;
622 }
623 if (strlen(domain->alt_name) == 0) {
624 fstrcpy(domain->alt_name,
625 domain_info->domain_name);
626 }
627 if (strlen(domain->forest_name) == 0) {
628 fstrcpy(domain->forest_name,
629 domain_info->forest_name);
630 }
631 }
632 } else {
633 result = rpccli_netr_GetAnyDCName(netlogon_pipe, mem_ctx,
634 our_domain->dcname,
635 domain->name,
636 &tmp,
637 &werr);
638 }
639
640 /* And restore our original timeout. */
641 cli_set_timeout(netlogon_pipe->cli, orig_timeout);
642
643 if (!NT_STATUS_IS_OK(result)) {
644 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
645 nt_errstr(result)));
646 talloc_destroy(mem_ctx);
647 return false;
648 }
649
650 if (!W_ERROR_IS_OK(werr)) {
651 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
652 dos_errstr(werr)));
653 talloc_destroy(mem_ctx);
654 return false;
655 }
656
657 /* rpccli_netr_GetAnyDCName gives us a name with \\ */
658 p = strip_hostname(tmp);
659
660 fstrcpy(dcname, p);
661
662 talloc_destroy(mem_ctx);
663
664 DEBUG(10,("rpccli_netr_GetAnyDCName returned %s\n", dcname));
665
666 if (!resolve_name(dcname, dc_ss, 0x20)) {
667 return False;
668 }
669
670 return True;
671 }
672
673 /**
674 * Helper function to assemble trust password and account name
675 */
676 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
677 char **machine_password,
678 char **machine_account,
679 char **machine_krb5_principal)
680 {
681 const char *account_name;
682 const char *name = NULL;
683
684 /* If we are a DC and this is not our own domain */
685
686 if (IS_DC) {
687 name = domain->name;
688 } else {
689 struct winbindd_domain *our_domain = find_our_domain();
690
691 if (!our_domain)
692 return NT_STATUS_INVALID_SERVER_STATE;
693
694 name = our_domain->name;
695 }
696
697 if (!get_trust_pw_clear(name, machine_password,
698 &account_name, NULL))
699 {
700 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
701 }
702
703 if ((machine_account != NULL) &&
704 (asprintf(machine_account, "%s$", account_name) == -1))
705 {
706 return NT_STATUS_NO_MEMORY;
707 }
708
709 /* For now assume our machine account only exists in our domain */
710
711 if (machine_krb5_principal != NULL)
712 {
713 if (asprintf(machine_krb5_principal, "%s$@%s",
714 account_name, lp_realm()) == -1)
715 {
716 return NT_STATUS_NO_MEMORY;
717 }
718
719 strupper_m(*machine_krb5_principal);
720 }
721
722 return NT_STATUS_OK;
723 }
724
725 /************************************************************************
726 Given a fd with a just-connected TCP connection to a DC, open a connection
727 to the pipe.
728 ************************************************************************/
729
730 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
731 const int sockfd,
732 const char *controller,
733 struct cli_state **cli,
734 bool *retry)
735 {
736 char *machine_password = NULL;
737 char *machine_krb5_principal = NULL;
738 char *machine_account = NULL;
739 char *ipc_username = NULL;
740 char *ipc_domain = NULL;
741 char *ipc_password = NULL;
742
743 struct named_mutex *mutex;
744
745 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
746
747 struct sockaddr peeraddr;
748 socklen_t peeraddr_len;
749
750 struct sockaddr_in *peeraddr_in = (struct sockaddr_in *)&peeraddr;
751
752 DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
753 controller, domain->name ));
754
755 *retry = True;
756
757 mutex = grab_named_mutex(talloc_tos(), controller,
758 WINBIND_SERVER_MUTEX_WAIT_TIME);
759 if (mutex == NULL) {
760 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
761 controller));
762 result = NT_STATUS_POSSIBLE_DEADLOCK;
763 goto done;
764 }
765
766 if ((*cli = cli_initialise()) == NULL) {
767 DEBUG(1, ("Could not cli_initialize\n"));
768 result = NT_STATUS_NO_MEMORY;
769 goto done;
770 }
771
772 (*cli)->timeout = 10000; /* 10 seconds */
773 (*cli)->fd = sockfd;
774 fstrcpy((*cli)->desthost, controller);
775 (*cli)->use_kerberos = True;
776
777 peeraddr_len = sizeof(peeraddr);
778
779 if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0) ||
780 (peeraddr_len != sizeof(struct sockaddr_in)) ||
781 (peeraddr_in->sin_family != PF_INET))
782 {
783 DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
784 result = NT_STATUS_UNSUCCESSFUL;
785 goto done;
786 }
787
788 if (ntohs(peeraddr_in->sin_port) == 139) {
789 struct nmb_name calling;
790 struct nmb_name called;
791
792 make_nmb_name(&calling, global_myname(), 0x0);
793 make_nmb_name(&called, "*SMBSERVER", 0x20);
794
795 if (!cli_session_request(*cli, &calling, &called)) {
796 DEBUG(8, ("cli_session_request failed for %s\n",
797 controller));
798 result = NT_STATUS_UNSUCCESSFUL;
799 goto done;
800 }
801 }
802
803 cli_setup_signing_state(*cli, Undefined);
804
805 if (!cli_negprot(*cli)) {
806 DEBUG(1, ("cli_negprot failed\n"));
807 result = NT_STATUS_UNSUCCESSFUL;
808 goto done;
809 }
810
811 if (!is_trusted_domain_situation(domain->name) &&
812 (*cli)->protocol >= PROTOCOL_NT1 &&
813 (*cli)->capabilities & CAP_EXTENDED_SECURITY)
814 {
815 ADS_STATUS ads_status;
816
817 result = get_trust_creds(domain, &machine_password,
818 &machine_account,
819 &machine_krb5_principal);
820 if (!NT_STATUS_IS_OK(result)) {
821 goto anon_fallback;
822 }
823
824 if (lp_security() == SEC_ADS) {
825
826 /* Try a krb5 session */
827
828 (*cli)->use_kerberos = True;
829 DEBUG(5, ("connecting to %s from %s with kerberos principal "
830 "[%s] and realm [%s]\n", controller, global_myname(),
831 machine_krb5_principal, domain->alt_name));
832
833 winbindd_set_locator_kdc_envs(domain);
834
835 ads_status = cli_session_setup_spnego(*cli,
836 machine_krb5_principal,
837 machine_password,
838 lp_workgroup(),
839 domain->name);
840
841 if (!ADS_ERR_OK(ads_status)) {
842 DEBUG(4,("failed kerberos session setup with %s\n",
843 ads_errstr(ads_status)));
844 }
845
846 result = ads_ntstatus(ads_status);
847 if (NT_STATUS_IS_OK(result)) {
848 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
849 cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
850 goto session_setup_done;
851 }
852 }
853
854 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
855 (*cli)->use_kerberos = False;
856
857 DEBUG(5, ("connecting to %s from %s with username "
858 "[%s]\\[%s]\n", controller, global_myname(),
859 lp_workgroup(), machine_account));
860
861 ads_status = cli_session_setup_spnego(*cli,
862 machine_account,
863 machine_password,
864 lp_workgroup(),
865 NULL);
866 if (!ADS_ERR_OK(ads_status)) {
867 DEBUG(4, ("authenticated session setup failed with %s\n",
868 ads_errstr(ads_status)));
869 }
870
871 result = ads_ntstatus(ads_status);
872 if (NT_STATUS_IS_OK(result)) {
873 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
874 cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
875 goto session_setup_done;
876 }
877 }
878
879 /* Fall back to non-kerberos session setup with auth_user */
880
881 (*cli)->use_kerberos = False;
882
883 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
884
885 if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
886 (strlen(ipc_username) > 0)) {
887
888 /* Only try authenticated if we have a username */
889
890 DEBUG(5, ("connecting to %s from %s with username "
891 "[%s]\\[%s]\n", controller, global_myname(),
892 ipc_domain, ipc_username));
893
894 if (NT_STATUS_IS_OK(cli_session_setup(
895 *cli, ipc_username,
896 ipc_password, strlen(ipc_password)+1,
897 ipc_password, strlen(ipc_password)+1,
898 ipc_domain))) {
899 /* Successful logon with given username. */
900 cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
901 goto session_setup_done;
902 } else {
903 DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
904 ipc_domain, ipc_username ));
905 }
906 }
907
908 anon_fallback:
909
910 /* Fall back to anonymous connection, this might fail later */
911 DEBUG(10,("cm_prepare_connection: falling back to anonymous "
912 "connection for DC %s\n",
913 controller ));
914
915 if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
916 NULL, 0, ""))) {
917 DEBUG(5, ("Connected anonymously\n"));
918 cli_init_creds(*cli, "", "", "");
919 goto session_setup_done;
920 }
921
922 result = cli_nt_error(*cli);
923
924 if (NT_STATUS_IS_OK(result))
925 result = NT_STATUS_UNSUCCESSFUL;
926
927 /* We can't session setup */
928
929 goto done;
930
931 session_setup_done:
932
933 /* cache the server name for later connections */
934
935 saf_store( domain->name, (*cli)->desthost );
936 if (domain->alt_name && (*cli)->use_kerberos) {
937 saf_store( domain->alt_name, (*cli)->desthost );
938 }
939
940 winbindd_set_locator_kdc_envs(domain);
941
942 if (!cli_send_tconX(*cli, "IPC$", "IPC", "", 0)) {
943
944 result = cli_nt_error(*cli);
945
946 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
947
948 if (NT_STATUS_IS_OK(result))
949 result = NT_STATUS_UNSUCCESSFUL;
950
951 goto done;
952 }
953
954 TALLOC_FREE(mutex);
955 *retry = False;
956
957 /* set the domain if empty; needed for schannel connections */
958 if ( !*(*cli)->domain ) {
959 fstrcpy( (*cli)->domain, domain->name );
960 }
961
962 result = NT_STATUS_OK;
963
964 done:
965 TALLOC_FREE(mutex);
966 SAFE_FREE(machine_account);
967 SAFE_FREE(machine_password);
968 SAFE_FREE(machine_krb5_principal);
969 SAFE_FREE(ipc_username);
970 SAFE_FREE(ipc_domain);
971 SAFE_FREE(ipc_password);
972
973 if (!NT_STATUS_IS_OK(result)) {
974 winbind_add_failed_connection_entry(domain, controller, result);
975 if ((*cli) != NULL) {
976 cli_shutdown(*cli);
977 *cli = NULL;
978 }
979 }
980
981 return result;
982 }
983
984 /*******************************************************************
985 Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
986 array.
987
988 Keeps the list unique by not adding duplicate entries.
989
990 @param[in] mem_ctx talloc memory context to allocate from
991 @param[in] domain_name domain of the DC
992 @param[in] dcname name of the DC to add to the list
993 @param[in] pss Internet address and port pair to add to the list
994 @param[in,out] dcs array of dc_name_ip structures to add to
995 @param[in,out] num_dcs number of dcs returned in the dcs array
996 @return true if the list was added to, false otherwise
997 *******************************************************************/
998
999 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
1000 const char *dcname, struct sockaddr_storage *pss,
1001 struct dc_name_ip **dcs, int *num)
1002 {
1003 int i = 0;
1004
1005 if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
1006 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
1007 return False;
1008 }
1009
1010 /* Make sure there's no duplicates in the list */
1011 for (i=0; i<*num; i++)
1012 if (sockaddr_equal(&(*dcs)[i].ss, pss))
1013 return False;
1014
1015 *dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
1016
1017 if (*dcs == NULL)
1018 return False;
1019
1020 fstrcpy((*dcs)[*num].name, dcname);
1021 (*dcs)[*num].ss = *pss;
1022 *num += 1;
1023 return True;
1024 }
1025
1026 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1027 struct sockaddr_storage *pss, uint16 port,
1028 struct sockaddr_storage **addrs, int *num)
1029 {
1030 *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1031
1032 if (*addrs == NULL) {
1033 *num = 0;
1034 return False;
1035 }
1036
1037 (*addrs)[*num] = *pss;
1038 set_sockaddr_port(&(*addrs)[*num], port);
1039
1040 *num += 1;
1041 return True;
1042 }
1043
1044 /*******************************************************************
1045 convert an ip to a name
1046 *******************************************************************/
1047
1048 static bool dcip_to_name(TALLOC_CTX *mem_ctx,
1049 const struct winbindd_domain *domain,
1050 struct sockaddr_storage *pss,
1051 fstring name )
1052 {
1053 struct ip_service ip_list;
1054 uint32_t nt_version = NETLOGON_VERSION_1;
1055
1056 ip_list.ss = *pss;
1057 ip_list.port = 0;
1058
1059 #ifdef WITH_ADS
1060 /* For active directory servers, try to get the ldap server name.
1061 None of these failures should be considered critical for now */
1062
1063 if (lp_security() == SEC_ADS) {
1064 ADS_STRUCT *ads;
1065 char addr[INET6_ADDRSTRLEN];
1066
1067 print_sockaddr(addr, sizeof(addr), pss);
1068
1069 ads = ads_init(domain->alt_name, domain->name, NULL);
1070 ads->auth.flags |= ADS_AUTH_NO_BIND;
1071
1072 if (ads_try_connect(ads, addr)) {
1073 /* We got a cldap packet. */
1074 fstrcpy(name, ads->config.ldap_server_name);
1075 namecache_store(name, 0x20, 1, &ip_list);
1076
1077 DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1078
1079 if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
1080 if (ads_closest_dc(ads)) {
1081 char *sitename = sitename_fetch(ads->config.realm);
1082
1083 /* We're going to use this KDC for this realm/domain.
1084 If we are using sites, then force the krb5 libs
1085 to use this KDC. */
1086
1087 create_local_private_krb5_conf_for_domain(domain->alt_name,
1088 domain->name,
1089 sitename,
1090 pss);
1091
1092 SAFE_FREE(sitename);
1093 } else {
1094 /* use an off site KDC */
1095 create_local_private_krb5_conf_for_domain(domain->alt_name,
1096 domain->name,
1097 NULL,
1098 pss);
1099 }
1100 winbindd_set_locator_kdc_envs(domain);
1101
1102 /* Ensure we contact this DC also. */
1103 saf_store( domain->name, name);
1104 saf_store( domain->alt_name, name);
1105 }
1106
1107 ads_destroy( &ads );
1108 return True;
1109 }
1110
1111 ads_destroy( &ads );
1112 }
1113 #endif
1114
1115 /* try GETDC requests next */
1116
1117 if (send_getdc_request(mem_ctx, winbind_messaging_context(),
1118 pss, domain->name, &domain->sid,
1119 nt_version)) {
1120 const char *dc_name = NULL;
1121 int i;
1122 smb_msleep(100);
1123 for (i=0; i<5; i++) {
1124 if (receive_getdc_response(mem_ctx, pss, domain->name,
1125 &nt_version,
1126 &dc_name, NULL)) {
1127 fstrcpy(name, dc_name);
1128 namecache_store(name, 0x20, 1, &ip_list);
1129 return True;
1130 }
1131 smb_msleep(500);
1132 }
1133 }
1134
1135 /* try node status request */
1136
1137 if ( name_status_find(domain->name, 0x1c, 0x20, pss, name) ) {
1138 namecache_store(name, 0x20, 1, &ip_list);
1139 return True;
1140 }
1141 return False;
1142 }
1143
1144 /*******************************************************************
1145 Retrieve a list of IP addresses for domain controllers.
1146
1147 The array is sorted in the preferred connection order.
1148
1149 @param[in] mem_ctx talloc memory context to allocate from
1150 @param[in] domain domain to retrieve DCs for
1151 @param[out] dcs array of dcs that will be returned
1152 @param[out] num_dcs number of dcs returned in the dcs array
1153 @return always true
1154 *******************************************************************/
1155
1156 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1157 struct dc_name_ip **dcs, int *num_dcs)
1158 {
1159 fstring dcname;
1160 struct sockaddr_storage ss;
1161 struct ip_service *ip_list = NULL;
1162 int iplist_size = 0;
1163 int i;
1164 bool is_our_domain;
1165 enum security_types sec = (enum security_types)lp_security();
1166
1167 is_our_domain = strequal(domain->name, lp_workgroup());
1168
1169 /* If not our domain, get the preferred DC, by asking our primary DC */
1170 if ( !is_our_domain
1171 && get_dc_name_via_netlogon(domain, dcname, &ss)
1172 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
1173 num_dcs) )
1174 {
1175 char addr[INET6_ADDRSTRLEN];
1176 print_sockaddr(addr, sizeof(addr), &ss);
1177 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1178 dcname, addr));
1179 return True;
1180 }
1181
1182 if (sec == SEC_ADS) {
1183 char *sitename = NULL;
1184
1185 /* We need to make sure we know the local site before
1186 doing any DNS queries, as this will restrict the
1187 get_sorted_dc_list() call below to only fetching
1188 DNS records for the correct site. */
1189
1190 /* Find any DC to get the site record.
1191 We deliberately don't care about the
1192 return here. */
1193
1194 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1195
1196 sitename = sitename_fetch(domain->alt_name);
1197 if (sitename) {
1198
1199 /* Do the site-specific AD dns lookup first. */
1200 get_sorted_dc_list(domain->alt_name, sitename, &ip_list,
1201 &iplist_size, True);
1202
1203 /* Add ips to the DC array. We don't look up the name
1204 of the DC in this function, but we fill in the char*
1205 of the ip now to make the failed connection cache
1206 work */
1207 for ( i=0; i<iplist_size; i++ ) {
1208 char addr[INET6_ADDRSTRLEN];
1209 print_sockaddr(addr, sizeof(addr),
1210 &ip_list[i].ss);
1211 add_one_dc_unique(mem_ctx,
1212 domain->name,
1213 addr,
1214 &ip_list[i].ss,
1215 dcs,
1216 num_dcs);
1217 }
1218
1219 SAFE_FREE(ip_list);
1220 SAFE_FREE(sitename);
1221 iplist_size = 0;
1222 }
1223
1224 /* Now we add DCs from the main AD DNS lookup. */
1225 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1226 &iplist_size, True);
1227
1228 for ( i=0; i<iplist_size; i++ ) {
1229 char addr[INET6_ADDRSTRLEN];
1230 print_sockaddr(addr, sizeof(addr),
1231 &ip_list[i].ss);
1232 add_one_dc_unique(mem_ctx,
1233 domain->name,
1234 addr,
1235 &ip_list[i].ss,
1236 dcs,
1237 num_dcs);
1238 }
1239
1240 SAFE_FREE(ip_list);
1241 iplist_size = 0;
1242 }
1243
1244 /* Try standard netbios queries if no ADS */
1245 if (*num_dcs == 0) {
1246 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
1247 False);
1248
1249 for ( i=0; i<iplist_size; i++ ) {
1250 char addr[INET6_ADDRSTRLEN];
1251 print_sockaddr(addr, sizeof(addr),
1252 &ip_list[i].ss);
1253 add_one_dc_unique(mem_ctx,
1254 domain->name,
1255 addr,
1256 &ip_list[i].ss,
1257 dcs,
1258 num_dcs);
1259 }
1260
1261 SAFE_FREE(ip_list);
1262 iplist_size = 0;
1263 }
1264
1265 return True;
1266 }
1267
1268 /*******************************************************************
1269 Find and make a connection to a DC in the given domain.
1270
1271 @param[in] mem_ctx talloc memory context to allocate from
1272 @param[in] domain domain to find a dc in
1273 @param[out] dcname NetBIOS or FQDN of DC that's connected to
1274 @param[out] pss DC Internet address and port
1275 @param[out] fd fd of the open socket connected to the newly found dc
1276 @return true when a DC connection is made, false otherwise
1277 *******************************************************************/
1278
1279 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1280 struct winbindd_domain *domain,
1281 fstring dcname, struct sockaddr_storage *pss, int *fd)
1282 {
1283 struct dc_name_ip *dcs = NULL;
1284 int num_dcs = 0;
1285
1286 const char **dcnames = NULL;
1287 int num_dcnames = 0;
1288
1289 struct sockaddr_storage *addrs = NULL;
1290 int num_addrs = 0;
1291
1292 int i, fd_index;
1293
1294 *fd = -1;
1295
1296 again:
1297 if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1298 return False;
1299
1300 for (i=0; i<num_dcs; i++) {
1301
1302 if (!add_string_to_array(mem_ctx, dcs[i].name,
1303 &dcnames, &num_dcnames)) {
1304 return False;
1305 }
1306 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 445,
1307 &addrs, &num_addrs)) {
1308 return False;
1309 }
1310
1311 if (!add_string_to_array(mem_ctx, dcs[i].name,
1312 &dcnames, &num_dcnames)) {
1313 return False;
1314 }
1315 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 139,
1316 &addrs, &num_addrs)) {
1317 return False;
1318 }
1319 }
1320
1321 if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1322 return False;
1323
1324 if ((addrs == NULL) || (dcnames == NULL))
1325 return False;
1326
1327 /* 5 second timeout. */
1328 if (!open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) {
1329 for (i=0; i<num_dcs; i++) {
1330 char ab[INET6_ADDRSTRLEN];
1331 print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1332 DEBUG(10, ("find_new_dc: open_any_socket_out failed for "
1333 "domain %s address %s. Error was %s\n",
1334 domain->name, ab, strerror(errno) ));
1335 winbind_add_failed_connection_entry(domain,
1336 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1337 }
1338 return False;
1339 }
1340
1341 *pss = addrs[fd_index];
1342
1343 if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1344 /* Ok, we've got a name for the DC */
1345 fstrcpy(dcname, dcnames[fd_index]);
1346 return True;
1347 }
1348
1349 /* Try to figure out the name */
1350 if (dcip_to_name(mem_ctx, domain, pss, dcname)) {
1351 return True;
1352 }
1353
1354 /* We can not continue without the DC's name */
1355 winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1356 NT_STATUS_UNSUCCESSFUL);
1357
1358 /* Throw away all arrays as we're doing this again. */
1359 TALLOC_FREE(dcs);
1360 num_dcs = 0;
1361
1362 TALLOC_FREE(dcnames);
1363 num_dcnames = 0;
1364
1365 TALLOC_FREE(addrs);
1366 num_addrs = 0;
1367
1368 close(*fd);
1369 *fd = -1;
1370
1371 goto again;
1372 }
1373
1374 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1375 struct winbindd_cm_conn *new_conn)
1376 {
1377 TALLOC_CTX *mem_ctx;
1378 NTSTATUS result;
1379 char *saf_servername = saf_fetch( domain->name );
1380 int retries;
1381
1382 if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1383 SAFE_FREE(saf_servername);
1384 set_domain_offline(domain);
1385 return NT_STATUS_NO_MEMORY;
1386 }
1387
1388 /* we have to check the server affinity cache here since
1389 later we selecte a DC based on response time and not preference */
1390
1391 /* Check the negative connection cache
1392 before talking to it. It going down may have
1393 triggered the reconnection. */
1394
1395 if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1396
1397 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1398 saf_servername, domain->name ));
1399
1400 /* convert an ip address to a name */
1401 if (is_ipaddress( saf_servername ) ) {
1402 fstring saf_name;
1403 struct sockaddr_storage ss;
1404
1405 if (!interpret_string_addr(&ss, saf_servername,
1406 AI_NUMERICHOST)) {
1407 return NT_STATUS_UNSUCCESSFUL;
1408 }
1409 if (dcip_to_name(mem_ctx, domain, &ss, saf_name )) {
1410 fstrcpy( domain->dcname, saf_name );
1411 } else {
1412 winbind_add_failed_connection_entry(
1413 domain, saf_servername,
1414 NT_STATUS_UNSUCCESSFUL);
1415 }
1416 } else {
1417 fstrcpy( domain->dcname, saf_servername );
1418 }
1419
1420 SAFE_FREE( saf_servername );
1421 }
1422
1423 for (retries = 0; retries < 3; retries++) {
1424 int fd = -1;
1425 bool retry = False;
1426
1427 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1428
1429 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1430 domain->dcname, domain->name ));
1431
1432 if (*domain->dcname
1433 && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1434 && (resolve_name(domain->dcname, &domain->dcaddr, 0x20)))
1435 {
1436 struct sockaddr_storage *addrs = NULL;
1437 int num_addrs = 0;
1438 int dummy = 0;
1439
1440 if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 445, &addrs, &num_addrs)) {
1441 set_domain_offline(domain);
1442 talloc_destroy(mem_ctx);
1443 return NT_STATUS_NO_MEMORY;
1444 }
1445 if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 139, &addrs, &num_addrs)) {
1446 set_domain_offline(domain);
1447 talloc_destroy(mem_ctx);
1448 return NT_STATUS_NO_MEMORY;
1449 }
1450
1451 /* 5 second timeout. */
1452 if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) {
1453 fd = -1;
1454 }
1455 }
1456
1457 if ((fd == -1)
1458 && !find_new_dc(mem_ctx, domain, domain->dcname, &domain->dcaddr, &fd))
1459 {
1460 /* This is the one place where we will
1461 set the global winbindd offline state
1462 to true, if a "WINBINDD_OFFLINE" entry
1463 is found in the winbindd cache. */
1464 set_global_winbindd_state_offline();
1465 break;
1466 }
1467
1468 new_conn->cli = NULL;
1469
1470 result = cm_prepare_connection(domain, fd, domain->dcname,
1471 &new_conn->cli, &retry);
1472
1473 if (!retry)
1474 break;
1475 }
1476
1477 if (NT_STATUS_IS_OK(result)) {
1478
1479 winbindd_set_locator_kdc_envs(domain);
1480
1481 if (domain->online == False) {
1482 /* We're changing state from offline to online. */
1483 set_global_winbindd_state_online();
1484 }
1485 set_domain_online(domain);
1486 } else {
1487 /* Ensure we setup the retry handler. */
1488 set_domain_offline(domain);
1489 }
1490
1491 talloc_destroy(mem_ctx);
1492 return result;
1493 }
1494
1495 /* Close down all open pipes on a connection. */
1496
1497 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
1498 {
1499 /* We're closing down a possibly dead
1500 connection. Don't have impossibly long (10s) timeouts. */
1501
1502 if (conn->cli) {
1503 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1504 }
1505
1506 if (conn->samr_pipe != NULL) {
1507 if (!cli_rpc_pipe_close(conn->samr_pipe)) {
1508 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1509 if (conn->cli) {
1510 cli_set_timeout(conn->cli, 500);
1511 }
1512 }
1513 conn->samr_pipe = NULL;
1514 }
1515
1516 if (conn->lsa_pipe != NULL) {
1517 if (!cli_rpc_pipe_close(conn->lsa_pipe)) {
1518 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1519 if (conn->cli) {
1520 cli_set_timeout(conn->cli, 500);
1521 }
1522 }
1523 conn->lsa_pipe = NULL;
1524 }
1525
1526 if (conn->netlogon_pipe != NULL) {
1527 if (!cli_rpc_pipe_close(conn->netlogon_pipe)) {
1528 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1529 if (conn->cli) {
1530 cli_set_timeout(conn->cli, 500);
1531 }
1532 }
1533 conn->netlogon_pipe = NULL;
1534 }
1535
1536 if (conn->cli) {
1537 cli_shutdown(conn->cli);
1538 }
1539
1540 conn->cli = NULL;
1541 }
1542
1543 void close_conns_after_fork(void)
1544 {
1545 struct winbindd_domain *domain;
1546
1547 for (domain = domain_list(); domain; domain = domain->next) {
1548 if (domain->conn.cli == NULL)
1549 continue;
1550
1551 if (domain->conn.cli->fd == -1)
1552 continue;
1553
1554 close(domain->conn.cli->fd);
1555 domain->conn.cli->fd = -1;
1556 }
1557 }
1558
1559 static bool connection_ok(struct winbindd_domain *domain)
1560 {
1561 if (domain->conn.cli == NULL) {
1562 DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
1563 "cli!\n", domain->dcname, domain->name));
1564 return False;
1565 }
1566
1567 if (!domain->conn.cli->initialised) {
1568 DEBUG(3, ("connection_ok: Connection to %s for domain %s was never "
1569 "initialised!\n", domain->dcname, domain->name));
1570 return False;
1571 }
1572
1573 if (domain->conn.cli->fd == -1) {
1574 DEBUG(3, ("connection_ok: Connection to %s for domain %s has died or was "
1575 "never started (fd == -1)\n",
1576 domain->dcname, domain->name));
1577 return False;
1578 }
1579
1580 if (domain->online == False) {
1581 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1582 return False;
1583 }
1584
1585 return True;
1586 }
1587
1588 /* Initialize a new connection up to the RPC BIND.
1589 Bypass online status check so always does network calls. */
1590
1591 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
1592 {
1593 NTSTATUS result;
1594
1595 /* Internal connections never use the network. */
1596 if (domain->internal) {
1597 domain->initialized = True;
1598 return NT_STATUS_OK;
1599 }
1600
1601 if (connection_ok(domain)) {
1602 if (!domain->initialized) {
1603 set_dc_type_and_flags(domain);
1604 }
1605 return NT_STATUS_OK;
1606 }
1607
1608 invalidate_cm_connection(&domain->conn);
1609
1610 result = cm_open_connection(domain, &domain->conn);
1611
1612 if (NT_STATUS_IS_OK(result) && !domain->initialized) {
1613 set_dc_type_and_flags(domain);
1614 }
1615
1616 return result;
1617 }
1618
1619 NTSTATUS init_dc_connection(struct winbindd_domain *domain)
1620 {
1621 if (domain->initialized && !domain->online) {
1622 /* We check for online status elsewhere. */
1623 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1624 }
1625
1626 return init_dc_connection_network(domain);
1627 }
1628
1629 /******************************************************************************
1630 Set the trust flags (direction and forest location) for a domain
1631 ******************************************************************************/
1632
1633 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
1634 {
1635 struct winbindd_domain *our_domain;
1636 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1637 struct netr_DomainTrustList trusts;
1638 int i;
1639 uint32 flags = (NETR_TRUST_FLAG_IN_FOREST |
1640 NETR_TRUST_FLAG_OUTBOUND |
1641 NETR_TRUST_FLAG_INBOUND);
1642 struct rpc_pipe_client *cli;
1643 TALLOC_CTX *mem_ctx = NULL;
1644
1645 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
1646
1647 /* Our primary domain doesn't need to worry about trust flags.
1648 Force it to go through the network setup */
1649 if ( domain->primary ) {
1650 return False;
1651 }
1652
1653 our_domain = find_our_domain();
1654
1655 if ( !connection_ok(our_domain) ) {
1656 DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));
1657 return False;
1658 }
1659
1660 /* This won't work unless our domain is AD */
1661
1662 if ( !our_domain->active_directory ) {
1663 return False;
1664 }
1665
1666 /* Use DsEnumerateDomainTrusts to get us the trust direction
1667 and type */
1668
1669 result = cm_connect_netlogon(our_domain, &cli);
1670
1671 if (!NT_STATUS_IS_OK(result)) {
1672 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
1673 "a connection to %s for PIPE_NETLOGON (%s)\n",
1674 domain->name, nt_errstr(result)));
1675 return False;
1676 }
1677
1678 if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
1679 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
1680 return False;
1681 }
1682
1683 result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1684 cli->cli->desthost,
1685 flags,
1686 &trusts,
1687 NULL);
1688 if (!NT_STATUS_IS_OK(result)) {
1689 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
1690 "failed to query trusted domain list: %s\n",
1691 nt_errstr(result)));
1692 talloc_destroy(mem_ctx);
1693 return false;
1694 }
1695
1696 /* Now find the domain name and get the flags */
1697
1698 for ( i=0; i<trusts.count; i++ ) {
1699 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
1700 domain->domain_flags = trusts.array[i].trust_flags;
1701 domain->domain_type = trusts.array[i].trust_type;
1702 domain->domain_trust_attribs = trusts.array[i].trust_attributes;
1703
1704 if ( domain->domain_type == NETR_TRUST_TYPE_UPLEVEL )
1705 domain->active_directory = True;
1706
1707 /* This flag is only set if the domain is *our*
1708 primary domain and the primary domain is in
1709 native mode */
1710
1711 domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
1712
1713 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
1714 "native mode.\n", domain->name,
1715 domain->native_mode ? "" : "NOT "));
1716
1717 DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
1718 "running active directory.\n", domain->name,
1719 domain->active_directory ? "" : "NOT "));
1720
1721
1722 domain->initialized = True;
1723
1724 if ( !winbindd_can_contact_domain( domain) )
1725 domain->internal = True;
1726
1727 break;
1728 }
1729 }
1730
1731 talloc_destroy( mem_ctx );
1732
1733 return domain->initialized;
1734 }
1735
1736 /******************************************************************************
1737 We can 'sense' certain things about the DC by it's replies to certain
1738 questions.
1739
1740 This tells us if this particular remote server is Active Directory, and if it
1741 is native mode.
1742 ******************************************************************************/
1743
1744 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
1745 {
1746 NTSTATUS result;
1747 WERROR werr;
1748 TALLOC_CTX *mem_ctx = NULL;
1749 struct rpc_pipe_client *cli;
1750 POLICY_HND pol;
1751 union dssetup_DsRoleInfo info;
1752 union lsa_PolicyInformation *lsa_info = NULL;
1753
1754 if (!connection_ok(domain)) {
1755 return;
1756 }
1757
1758 mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
1759 domain->name);
1760 if (!mem_ctx) {
1761 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
1762 return;
1763 }
1764
1765 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
1766
1767 cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_DSSETUP,
1768 &result);
1769
1770 if (cli == NULL) {
1771 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1772 "PI_DSSETUP on domain %s: (%s)\n",
1773 domain->name, nt_errstr(result)));
1774
1775 /* if this is just a non-AD domain we need to continue
1776 * identifying so that we can in the end return with
1777 * domain->initialized = True - gd */
1778
1779 goto no_dssetup;
1780 }
1781
1782 result = rpccli_dssetup_DsRoleGetPrimaryDomainInformation(cli, mem_ctx,
1783 DS_ROLE_BASIC_INFORMATION,
1784 &info,
1785 &werr);
1786 cli_rpc_pipe_close(cli);
1787
1788 if (!NT_STATUS_IS_OK(result)) {
1789 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
1790 "on domain %s failed: (%s)\n",
1791 domain->name, nt_errstr(result)));
1792
1793 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
1794 * every opcode on the DSSETUP pipe, continue with
1795 * no_dssetup mode here as well to get domain->initialized
1796 * set - gd */
1797
1798 if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
1799 goto no_dssetup;
1800 }
1801
1802 TALLOC_FREE(mem_ctx);
1803 return;
1804 }
1805
1806 if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
1807 !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
1808 domain->native_mode = True;
1809 } else {
1810 domain->native_mode = False;
1811 }
1812
1813 no_dssetup:
1814 cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC, &result);
1815
1816 if (cli == NULL) {
1817 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1818 "PI_LSARPC on domain %s: (%s)\n",
1819 domain->name, nt_errstr(result)));
1820 cli_rpc_pipe_close(cli);
1821 TALLOC_FREE(mem_ctx);
1822 return;
1823 }
1824
1825 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
1826 SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
1827
1828 if (NT_STATUS_IS_OK(result)) {
1829 /* This particular query is exactly what Win2k clients use
1830 to determine that the DC is active directory */
1831 result = rpccli_lsa_QueryInfoPolicy2(cli, mem_ctx,
1832 &pol,
1833 LSA_POLICY_INFO_DNS,
1834 &lsa_info);
1835 }
1836
1837 if (NT_STATUS_IS_OK(result)) {
1838 domain->active_directory = True;
1839
1840 if (lsa_info->dns.name.string) {
1841 fstrcpy(domain->name, lsa_info->dns.name.string);
1842 }
1843
1844 if (lsa_info->dns.dns_domain.string) {
1845 fstrcpy(domain->alt_name,
1846 lsa_info->dns.dns_domain.string);
1847 }
1848
1849 /* See if we can set some domain trust flags about
1850 ourself */
1851
1852 if (lsa_info->dns.dns_forest.string) {
1853 fstrcpy(domain->forest_name,
1854 lsa_info->dns.dns_forest.string);
1855
1856 if (strequal(domain->forest_name, domain->alt_name)) {
1857 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
1858 }
1859 }
1860
1861 if (lsa_info->dns.sid) {
1862 sid_copy(&domain->sid, lsa_info->dns.sid);
1863 }
1864 } else {
1865 domain->active_directory = False;
1866
1867 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
1868 SEC_RIGHTS_MAXIMUM_ALLOWED,
1869 &pol);
1870
1871 if (!NT_STATUS_IS_OK(result)) {
1872 goto done;
1873 }
1874
1875 result = rpccli_lsa_QueryInfoPolicy(cli, mem_ctx,
1876 &pol,
1877 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
1878 &lsa_info);
1879
1880 if (NT_STATUS_IS_OK(result)) {
1881
1882 if (lsa_info->account_domain.name.string) {
1883 fstrcpy(domain->name,
1884 lsa_info->account_domain.name.string);
1885 }
1886
1887 if (lsa_info->account_domain.sid) {
1888 sid_copy(&domain->sid, lsa_info->account_domain.sid);
1889 }
1890 }
1891 }
1892 done:
1893
1894 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
1895 domain->name, domain->native_mode ? "" : "NOT "));
1896
1897 DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
1898 domain->name, domain->active_directory ? "" : "NOT "));
1899
1900 cli_rpc_pipe_close(cli);
1901
1902 TALLOC_FREE(mem_ctx);
1903
1904 domain->initialized = True;
1905 }
1906
1907 /**********************************************************************
1908 Set the domain_flags (trust attributes, domain operating modes, etc...
1909 ***********************************************************************/
1910
1911 static void set_dc_type_and_flags( struct winbindd_domain *domain )
1912 {
1913 /* we always have to contact our primary domain */
1914
1915 if ( domain->primary ) {
1916 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
1917 "primary domain\n"));
1918 set_dc_type_and_flags_connect( domain );
1919 return;
1920 }
1921
1922 /* Use our DC to get the information if possible */
1923
1924 if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
1925 /* Otherwise, fallback to contacting the
1926 domain directly */
1927 set_dc_type_and_flags_connect( domain );
1928 }
1929
1930 return;
1931 }
1932
1933
1934
1935 /**********************************************************************
1936 ***********************************************************************/
1937
1938 static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain,
1939 struct dcinfo **ppdc)
1940 {
1941 NTSTATUS result;
1942 struct rpc_pipe_client *netlogon_pipe;
1943
1944 if (lp_client_schannel() == False) {
1945 return False;
1946 }
1947
1948 result = cm_connect_netlogon(domain, &netlogon_pipe);
1949 if (!NT_STATUS_IS_OK(result)) {
1950 return False;
1951 }
1952
1953 /* Return a pointer to the struct dcinfo from the
1954 netlogon pipe. */
1955
1956 if (!domain->conn.netlogon_pipe->dc) {
1957 return false;
1958 }
1959
1960 *ppdc = domain->conn.netlogon_pipe->dc;
1961 return True;
1962 }
1963
1964 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
1965 struct rpc_pipe_client **cli, POLICY_HND *sam_handle)
1966 {
1967 struct winbindd_cm_conn *conn;
1968 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1969 fstring conn_pwd;
1970 struct dcinfo *p_dcinfo;
1971 char *machine_password = NULL;
1972 char *machine_account = NULL;
1973 char *domain_name = NULL;
1974
1975 result = init_dc_connection(domain);
1976 if (!NT_STATUS_IS_OK(result)) {
1977 return result;
1978 }
1979
1980 conn = &domain->conn;
1981
1982 if (conn->samr_pipe != NULL) {
1983 goto done;
1984 }
1985
1986
1987 /*
1988 * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
1989 * sign and sealed pipe using the machine account password by
1990 * preference. If we can't - try schannel, if that fails, try
1991 * anonymous.
1992 */
1993
1994 pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
1995 if ((conn->cli->user_name[0] == '\0') ||
1996 (conn->cli->domain[0] == '\0') ||
1997 (conn_pwd[0] == '\0'))
1998 {
1999 result = get_trust_creds(domain, &machine_password,
2000 &machine_account, NULL);
2001 if (!NT_STATUS_IS_OK(result)) {
2002 DEBUG(10, ("cm_connect_sam: No no user available for "
2003 "domain %s, trying schannel\n", conn->cli->domain));
2004 goto schannel;
2005 }
2006 domain_name = domain->name;
2007 } else {
2008 machine_password = SMB_STRDUP(conn_pwd);
2009 machine_account = SMB_STRDUP(conn->cli->user_name);
2010 domain_name = conn->cli->domain;
2011 }
2012
2013 if (!machine_password || !machine_account) {
2014 result = NT_STATUS_NO_MEMORY;
2015 goto done;
2016 }
2017
2018 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2019 authenticated SAMR pipe with sign & seal. */
2020 conn->samr_pipe =
2021 cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR,
2022 PIPE_AUTH_LEVEL_PRIVACY,
2023 domain_name,
2024 machine_account,
2025 machine_password, &result);
2026
2027 if (conn->samr_pipe == NULL) {
2028 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2029 "pipe for domain %s using NTLMSSP "
2030 "authenticated pipe: user %s\\%s. Error was "
2031 "%s\n", domain->name, domain_name,
2032 machine_account, nt_errstr(result)));
2033 goto schannel;
2034 }
2035
2036 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2037 "domain %s using NTLMSSP authenticated "
2038 "pipe: user %s\\%s\n", domain->name,
2039 domain_name, machine_account));
2040
2041 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2042 conn->samr_pipe->cli->desthost,
2043 SEC_RIGHTS_MAXIMUM_ALLOWED,
2044 &conn->sam_connect_handle);
2045 if (NT_STATUS_IS_OK(result)) {
2046 goto open_domain;
2047 }
2048 DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_Connect2 "
2049 "failed for domain %s, error was %s. Trying schannel\n",
2050 domain->name, nt_errstr(result) ));
2051 cli_rpc_pipe_close(conn->samr_pipe);
2052
2053 schannel:
2054
2055 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2056
2057 if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
2058 /* If this call fails - conn->cli can now be NULL ! */
2059 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2060 "for domain %s, trying anon\n", domain->name));
2061 goto anonymous;
2062 }
2063 conn->samr_pipe = cli_rpc_pipe_open_schannel_with_key
2064 (conn->cli, PI_SAMR, PIPE_AUTH_LEVEL_PRIVACY,
2065 domain->name, p_dcinfo, &result);
2066
2067 if (conn->samr_pipe == NULL) {
2068 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2069 "domain %s using schannel. Error was %s\n",
2070 domain->name, nt_errstr(result) ));
2071 goto anonymous;
2072 }
2073 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2074 "schannel.\n", domain->name ));
2075
2076 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2077 conn->samr_pipe->cli->desthost,
2078 SEC_RIGHTS_MAXIMUM_ALLOWED,
2079 &conn->sam_connect_handle);
2080 if (NT_STATUS_IS_OK(result)) {
2081 goto open_domain;
2082 }
2083 DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_Connect2 failed "
2084 "for domain %s, error was %s. Trying anonymous\n",
2085 domain->name, nt_errstr(result) ));
2086 cli_rpc_pipe_close(conn->samr_pipe);
2087
2088 anonymous:
2089
2090 /* Finally fall back to anonymous. */
2091 conn->samr_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_SAMR,
2092 &result);
2093
2094 if (conn->samr_pipe == NULL) {
2095 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2096 goto done;
2097 }
2098
2099 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2100 conn->samr_pipe->cli->desthost,
2101 SEC_RIGHTS_MAXIMUM_ALLOWED,
2102 &conn->sam_connect_handle);
2103 if (!NT_STATUS_IS_OK(result)) {
2104 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2105 "for domain %s Error was %s\n",
2106 domain->name, nt_errstr(result) ));
2107 goto done;
2108 }
2109
2110 open_domain:
2111 result = rpccli_samr_OpenDomain(conn->samr_pipe,
2112 mem_ctx,
2113 &conn->sam_connect_handle,
2114 SEC_RIGHTS_MAXIMUM_ALLOWED,
2115 &domain->sid,
2116 &conn->sam_domain_handle);
2117
2118 done:
2119
2120 if (!NT_STATUS_IS_OK(result)) {
2121 invalidate_cm_connection(conn);
2122 return result;
2123 }
2124
2125 *cli = conn->samr_pipe;
2126 *sam_handle = conn->sam_domain_handle;
2127 SAFE_FREE(machine_password);
2128 SAFE_FREE(machine_account);
2129 return result;
2130 }
2131
2132 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2133 struct rpc_pipe_client **cli, POLICY_HND *lsa_policy)
2134 {
2135 struct winbindd_cm_conn *conn;
2136 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2137 fstring conn_pwd;
2138 struct dcinfo *p_dcinfo;
2139
2140 result = init_dc_connection(domain);
2141 if (!NT_STATUS_IS_OK(result))
2142 return result;
2143
2144 conn = &domain->conn;
2145
2146 if (conn->lsa_pipe != NULL) {
2147 goto done;
2148 }
2149
2150 pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
2151 if ((conn->cli->user_name[0] == '\0') ||
2152 (conn->cli->domain[0] == '\0') ||
2153 (conn_pwd[0] == '\0')) {
2154 DEBUG(10, ("cm_connect_lsa: No no user available for "
2155 "domain %s, trying schannel\n", conn->cli->domain));
2156 goto schannel;
2157 }
2158
2159 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2160 * authenticated LSA pipe with sign & seal. */
2161 conn->lsa_pipe = cli_rpc_pipe_open_spnego_ntlmssp
2162 (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
2163 conn->cli->domain, conn->cli->user_name, conn_pwd, &result);
2164
2165 if (conn->lsa_pipe == NULL) {
2166 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2167 "domain %s using NTLMSSP authenticated pipe: user "
2168 "%s\\%s. Error was %s. Trying schannel.\n",
2169 domain->name, conn->cli->domain,
2170 conn->cli->user_name, nt_errstr(result)));
2171 goto schannel;
2172 }
2173
2174 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2175 "NTLMSSP authenticated pipe: user %s\\%s\n",
2176 domain->name, conn->cli->domain, conn->cli->user_name ));
2177
2178 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2179 SEC_RIGHTS_MAXIMUM_ALLOWED,
2180 &conn->lsa_policy);
2181 if (NT_STATUS_IS_OK(result)) {
2182 goto done;
2183 }
2184
2185 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2186 "schannel\n"));
2187
2188 cli_rpc_pipe_close(conn->lsa_pipe);
2189
2190 schannel:
2191
2192 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2193
2194 if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
2195 /* If this call fails - conn->cli can now be NULL ! */
2196 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2197 "for domain %s, trying anon\n", domain->name));
2198 goto anonymous;
2199 }
2200 conn->lsa_pipe = cli_rpc_pipe_open_schannel_with_key
2201 (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
2202 domain->name, p_dcinfo, &result);
2203
2204 if (conn->lsa_pipe == NULL) {
2205 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2206 "domain %s using schannel. Error was %s\n",
2207 domain->name, nt_errstr(result) ));
2208 goto anonymous;
2209 }
2210 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2211 "schannel.\n", domain->name ));
2212
2213 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2214 SEC_RIGHTS_MAXIMUM_ALLOWED,
2215 &conn->lsa_policy);
2216 if (NT_STATUS_IS_OK(result)) {
2217 goto done;
2218 }
2219
2220 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2221 "anonymous\n"));
2222
2223 cli_rpc_pipe_close(conn->lsa_pipe);
2224
2225 anonymous:
2226
2227 conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_LSARPC,
2228 &result);
2229 if (conn->lsa_pipe == NULL) {
2230 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2231 goto done;
2232 }
2233
2234 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2235 SEC_RIGHTS_MAXIMUM_ALLOWED,
2236 &conn->lsa_policy);
2237 done:
2238 if (!NT_STATUS_IS_OK(result)) {
2239 invalidate_cm_connection(conn);
2240 return result;
2241 }
2242
2243 *cli = conn->lsa_pipe;
2244 *lsa_policy = conn->lsa_policy;
2245 return result;
2246 }
2247
2248 /****************************************************************************
2249 Open the netlogon pipe to this DC. Use schannel if specified in client conf.
2250 session key stored in conn->netlogon_pipe->dc->sess_key.
2251 ****************************************************************************/
2252
2253 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2254 struct rpc_pipe_client **cli)
2255 {
2256 struct winbindd_cm_conn *conn;
2257 NTSTATUS result;
2258
2259 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2260 uint8 mach_pwd[16];
2261 uint32 sec_chan_type;
2262 const char *account_name;
2263 struct rpc_pipe_client *netlogon_pipe = NULL;
2264
2265 *cli = NULL;
2266
2267 result = init_dc_connection(domain);
2268 if (!NT_STATUS_IS_OK(result)) {
2269 return result;
2270 }
2271
2272 conn = &domain->conn;
2273
2274 if (conn->netlogon_pipe != NULL) {
2275 *cli = conn->netlogon_pipe;
2276 return NT_STATUS_OK;
2277 }
2278
2279 netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
2280 &result);
2281 if (netlogon_pipe == NULL) {
2282 return result;
2283 }
2284
2285 if ((!IS_DC) && (!domain->primary)) {
2286 /* Clear the schannel request bit and drop down */
2287 neg_flags &= ~NETLOGON_NEG_SCHANNEL;
2288 goto no_schannel;
2289 }
2290
2291 if (lp_client_schannel() != False) {
2292 neg_flags |= NETLOGON_NEG_SCHANNEL;
2293 }
2294
2295 if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
2296 &sec_chan_type))
2297 {
2298 cli_rpc_pipe_close(netlogon_pipe);
2299 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2300 }
2301
2302 result = rpccli_netlogon_setup_creds(
2303 netlogon_pipe,
2304 domain->dcname, /* server name. */
2305 domain->name, /* domain name */
2306 global_myname(), /* client name */
2307 account_name, /* machine account */
2308 mach_pwd, /* machine password */
2309 sec_chan_type, /* from get_trust_pw */
2310 &neg_flags);
2311
2312 if (!NT_STATUS_IS_OK(result)) {
2313 cli_rpc_pipe_close(netlogon_pipe);
2314 return result;
2315 }
2316
2317 if ((lp_client_schannel() == True) &&
2318 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2319 DEBUG(3, ("Server did not offer schannel\n"));
2320 cli_rpc_pipe_close(netlogon_pipe);
2321 return NT_STATUS_ACCESS_DENIED;
2322 }
2323
2324 no_schannel:
2325 if ((lp_client_schannel() == False) ||
2326 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2327 /*
2328 * NetSamLogonEx only works for schannel
2329 */
2330 domain->can_do_samlogon_ex = False;
2331
2332 /* We're done - just keep the existing connection to NETLOGON
2333 * open */
2334 conn->netlogon_pipe = netlogon_pipe;
2335 *cli = conn->netlogon_pipe;
2336 return NT_STATUS_OK;
2337 }
2338
2339 /* Using the credentials from the first pipe, open a signed and sealed
2340 second netlogon pipe. The session key is stored in the schannel
2341 part of the new pipe auth struct.
2342 */
2343
2344 conn->netlogon_pipe =
2345 cli_rpc_pipe_open_schannel_with_key(conn->cli,
2346 PI_NETLOGON,
2347 PIPE_AUTH_LEVEL_PRIVACY,
2348 domain->name,
2349 netlogon_pipe->dc,
2350 &result);
2351
2352 /* We can now close the initial netlogon pipe. */
2353 cli_rpc_pipe_close(netlogon_pipe);
2354
2355 if (conn->netlogon_pipe == NULL) {
2356 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
2357 "was %s\n", nt_errstr(result)));
2358
2359 /* make sure we return something besides OK */
2360 return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
2361 }
2362
2363 /*
2364 * Try NetSamLogonEx for AD domains
2365 */
2366 domain->can_do_samlogon_ex = domain->active_directory;
2367
2368 *cli = conn->netlogon_pipe;
2369 return NT_STATUS_OK;
2370 }
Samba GIT mirror