search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added -e, --encrypt option to smbclient that immediately
[Samba/bb.git] / source / winbindd / winbindd_cm.c
blob33674d2cf70e12c929a77d0c80afbf542ed483ee
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon connection manager
5
6 Copyright (C) Tim Potter 2001
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Gerald (Jerry) Carter 2003-2005.
9 Copyright (C) Volker Lendecke 2004-2005
10 Copyright (C) Jeremy Allison 2006
11
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27 We need to manage connections to domain controllers without having to
28 mess up the main winbindd code with other issues. The aim of the
29 connection manager is to:
30
31 - make connections to domain controllers and cache them
32 - re-establish connections when networks or servers go down
33 - centralise the policy on connection timeouts, domain controller
34 selection etc
35 - manage re-entrancy for when winbindd becomes able to handle
36 multiple outstanding rpc requests
37
38 Why not have connection management as part of the rpc layer like tng?
39 Good question. This code may morph into libsmb/rpc_cache.c or something
40 like that but at the moment it's simply staying as part of winbind. I
41 think the TNG architecture of forcing every user of the rpc layer to use
42 the connection caching system is a bad idea. It should be an optional
43 method of using the routines.
44
45 The TNG design is quite good but I disagree with some aspects of the
46 implementation. -tpot
47
48 */
49
50 /*
51 TODO:
52
53 - I'm pretty annoyed by all the make_nmb_name() stuff. It should be
54 moved down into another function.
55
56 - Take care when destroying cli_structs as they can be shared between
57 various sam handles.
58
59 */
60
61 #include "includes.h"
62 #include "winbindd.h"
63
64 #undef DBGC_CLASS
65 #define DBGC_CLASS DBGC_WINBIND
66
67 struct dc_name_ip {
68 fstring name;
69 struct sockaddr_storage ss;
70 };
71
72 extern struct winbindd_methods reconnect_methods;
73 extern bool override_logfile;
74
75 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
76 static void set_dc_type_and_flags( struct winbindd_domain *domain );
77 static bool get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
78 struct dc_name_ip **dcs, int *num_dcs);
79
80 /****************************************************************
81 Child failed to find DC's. Reschedule check.
82 ****************************************************************/
83
84 static void msg_failed_to_go_online(struct messaging_context *msg,
85 void *private_data,
86 uint32_t msg_type,
87 struct server_id server_id,
88 DATA_BLOB *data)
89 {
90 struct winbindd_domain *domain;
91 const char *domainname = (const char *)data->data;
92
93 if (data->data == NULL || data->length == 0) {
94 return;
95 }
96
97 DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
98
99 for (domain = domain_list(); domain; domain = domain->next) {
100 if (domain->internal) {
101 continue;
102 }
103
104 if (strequal(domain->name, domainname)) {
105 if (domain->online) {
106 /* We're already online, ignore. */
107 DEBUG(5,("msg_fail_to_go_online: domain %s "
108 "already online.\n", domainname));
109 continue;
110 }
111
112 /* Reschedule the online check. */
113 set_domain_offline(domain);
114 break;
115 }
116 }
117 }
118
119 /****************************************************************
120 Actually cause a reconnect from a message.
121 ****************************************************************/
122
123 static void msg_try_to_go_online(struct messaging_context *msg,
124 void *private_data,
125 uint32_t msg_type,
126 struct server_id server_id,
127 DATA_BLOB *data)
128 {
129 struct winbindd_domain *domain;
130 const char *domainname = (const char *)data->data;
131
132 if (data->data == NULL || data->length == 0) {
133 return;
134 }
135
136 DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
137
138 for (domain = domain_list(); domain; domain = domain->next) {
139 if (domain->internal) {
140 continue;
141 }
142
143 if (strequal(domain->name, domainname)) {
144
145 if (domain->online) {
146 /* We're already online, ignore. */
147 DEBUG(5,("msg_try_to_go_online: domain %s "
148 "already online.\n", domainname));
149 continue;
150 }
151
152 /* This call takes care of setting the online
153 flag to true if we connected, or re-adding
154 the offline handler if false. Bypasses online
155 check so always does network calls. */
156
157 init_dc_connection_network(domain);
158 break;
159 }
160 }
161 }
162
163 /****************************************************************
164 Fork a child to try and contact a DC. Do this as contacting a
165 DC requires blocking lookups and we don't want to block our
166 parent.
167 ****************************************************************/
168
169 static bool fork_child_dc_connect(struct winbindd_domain *domain)
170 {
171 struct dc_name_ip *dcs = NULL;
172 int num_dcs = 0;
173 TALLOC_CTX *mem_ctx = NULL;
174 pid_t child_pid;
175 pid_t parent_pid = sys_getpid();
176
177 /* Stop zombies */
178 CatchChild();
179
180 child_pid = sys_fork();
181
182 if (child_pid == -1) {
183 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
184 return False;
185 }
186
187 if (child_pid != 0) {
188 /* Parent */
189 messaging_register(winbind_messaging_context(), NULL,
190 MSG_WINBIND_TRY_TO_GO_ONLINE,
191 msg_try_to_go_online);
192 messaging_register(winbind_messaging_context(), NULL,
193 MSG_WINBIND_FAILED_TO_GO_ONLINE,
194 msg_failed_to_go_online);
195 return True;
196 }
197
198 /* Child. */
199
200 /* Leave messages blocked - we will never process one. */
201
202 /* tdb needs special fork handling */
203 if (tdb_reopen_all(1) == -1) {
204 DEBUG(0,("tdb_reopen_all failed.\n"));
205 _exit(0);
206 }
207
208 close_conns_after_fork();
209
210 if (!override_logfile) {
211 char *logfile;
212 if (asprintf(&logfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) > 0) {
213 lp_set_logfile(logfile);
214 SAFE_FREE(logfile);
215 reopen_logs();
216 }
217 }
218
219 mem_ctx = talloc_init("fork_child_dc_connect");
220 if (!mem_ctx) {
221 DEBUG(0,("talloc_init failed.\n"));
222 _exit(0);
223 }
224
225 if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
226 /* Still offline ? Can't find DC's. */
227 messaging_send_buf(winbind_messaging_context(),
228 pid_to_procid(parent_pid),
229 MSG_WINBIND_FAILED_TO_GO_ONLINE,
230 (uint8 *)domain->name,
231 strlen(domain->name)+1);
232 _exit(0);
233 }
234
235 /* We got a DC. Send a message to our parent to get it to
236 try and do the same. */
237
238 messaging_send_buf(winbind_messaging_context(),
239 pid_to_procid(parent_pid),
240 MSG_WINBIND_TRY_TO_GO_ONLINE,
241 (uint8 *)domain->name,
242 strlen(domain->name)+1);
243 _exit(0);
244 }
245
246 /****************************************************************
247 Handler triggered if we're offline to try and detect a DC.
248 ****************************************************************/
249
250 static void check_domain_online_handler(struct event_context *ctx,
251 struct timed_event *te,
252 const struct timeval *now,
253 void *private_data)
254 {
255 struct winbindd_domain *domain =
256 (struct winbindd_domain *)private_data;
257
258 DEBUG(10,("check_domain_online_handler: called for domain "
259 "%s (online = %s)\n", domain->name,
260 domain->online ? "True" : "False" ));
261
262 TALLOC_FREE(domain->check_online_event);
263
264 /* Are we still in "startup" mode ? */
265
266 if (domain->startup && (now->tv_sec > domain->startup_time + 30)) {
267 /* No longer in "startup" mode. */
268 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
269 domain->name ));
270 domain->startup = False;
271 }
272
273 /* We've been told to stay offline, so stay
274 that way. */
275
276 if (get_global_winbindd_state_offline()) {
277 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
278 domain->name ));
279 return;
280 }
281
282 /* Fork a child to test if it can contact a DC.
283 If it can then send ourselves a message to
284 cause a reconnect. */
285
286 fork_child_dc_connect(domain);
287 }
288
289 /****************************************************************
290 If we're still offline setup the timeout check.
291 ****************************************************************/
292
293 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
294 {
295 int wbc = lp_winbind_cache_time();
296
297 if (domain->startup) {
298 domain->check_online_timeout = 10;
299 } else if (domain->check_online_timeout < wbc) {
300 domain->check_online_timeout = wbc;
301 }
302 }
303
304 /****************************************************************
305 Set domain offline and also add handler to put us back online
306 if we detect a DC.
307 ****************************************************************/
308
309 void set_domain_offline(struct winbindd_domain *domain)
310 {
311 DEBUG(10,("set_domain_offline: called for domain %s\n",
312 domain->name ));
313
314 TALLOC_FREE(domain->check_online_event);
315
316 if (domain->internal) {
317 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
318 domain->name ));
319 return;
320 }
321
322 domain->online = False;
323
324 /* Offline domains are always initialized. They're
325 re-initialized when they go back online. */
326
327 domain->initialized = True;
328
329 /* We only add the timeout handler that checks and
330 allows us to go back online when we've not
331 been told to remain offline. */
332
333 if (get_global_winbindd_state_offline()) {
334 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
335 domain->name ));
336 return;
337 }
338
339 /* If we're in statup mode, check again in 10 seconds, not in
340 lp_winbind_cache_time() seconds (which is 5 mins by default). */
341
342 calc_new_online_timeout_check(domain);
343
344 domain->check_online_event = event_add_timed(winbind_event_context(),
345 NULL,
346 timeval_current_ofs(domain->check_online_timeout,0),
347 "check_domain_online_handler",
348 check_domain_online_handler,
349 domain);
350
351 /* The above *has* to succeed for winbindd to work. */
352 if (!domain->check_online_event) {
353 smb_panic("set_domain_offline: failed to add online handler");
354 }
355
356 DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
357 domain->name ));
358
359 /* Send an offline message to the idmap child when our
360 primary domain goes offline */
361
362 if ( domain->primary ) {
363 struct winbindd_child *idmap = idmap_child();
364
365 if ( idmap->pid != 0 ) {
366 messaging_send_buf(winbind_messaging_context(),
367 pid_to_procid(idmap->pid),
368 MSG_WINBIND_OFFLINE,
369 (uint8 *)domain->name,
370 strlen(domain->name)+1);
371 }
372 }
373
374 return;
375 }
376
377 /****************************************************************
378 Set domain online - if allowed.
379 ****************************************************************/
380
381 static void set_domain_online(struct winbindd_domain *domain)
382 {
383 struct timeval now;
384
385 DEBUG(10,("set_domain_online: called for domain %s\n",
386 domain->name ));
387
388 if (domain->internal) {
389 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
390 domain->name ));
391 return;
392 }
393
394 if (get_global_winbindd_state_offline()) {
395 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
396 domain->name ));
397 return;
398 }
399
400 winbindd_set_locator_kdc_envs(domain);
401
402 /* If we are waiting to get a krb5 ticket, trigger immediately. */
403 GetTimeOfDay(&now);
404 set_event_dispatch_time(winbind_event_context(),
405 "krb5_ticket_gain_handler", now);
406
407 /* Ok, we're out of any startup mode now... */
408 domain->startup = False;
409
410 if (domain->online == False) {
411 /* We were offline - now we're online. We default to
412 using the MS-RPC backend if we started offline,
413 and if we're going online for the first time we
414 should really re-initialize the backends and the
415 checks to see if we're talking to an AD or NT domain.
416 */
417
418 domain->initialized = False;
419
420 /* 'reconnect_methods' is the MS-RPC backend. */
421 if (domain->backend == &reconnect_methods) {
422 domain->backend = NULL;
423 }
424 }
425
426 /* Ensure we have no online timeout checks. */
427 domain->check_online_timeout = 0;
428 TALLOC_FREE(domain->check_online_event);
429
430 /* Ensure we ignore any pending child messages. */
431 messaging_deregister(winbind_messaging_context(),
432 MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
433 messaging_deregister(winbind_messaging_context(),
434 MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
435
436 domain->online = True;
437
438 /* Send an online message to the idmap child when our
439 primary domain comes online */
440
441 if ( domain->primary ) {
442 struct winbindd_child *idmap = idmap_child();
443
444 if ( idmap->pid != 0 ) {
445 messaging_send_buf(winbind_messaging_context(),
446 pid_to_procid(idmap->pid),
447 MSG_WINBIND_ONLINE,
448 (uint8 *)domain->name,
449 strlen(domain->name)+1);
450 }
451 }
452
453 return;
454 }
455
456 /****************************************************************
457 Requested to set a domain online.
458 ****************************************************************/
459
460 void set_domain_online_request(struct winbindd_domain *domain)
461 {
462 struct timeval tev;
463
464 DEBUG(10,("set_domain_online_request: called for domain %s\n",
465 domain->name ));
466
467 if (get_global_winbindd_state_offline()) {
468 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
469 domain->name ));
470 return;
471 }
472
473 /* We've been told it's safe to go online and
474 try and connect to a DC. But I don't believe it
475 because network manager seems to lie.
476 Wait at least 5 seconds. Heuristics suck... */
477
478 if (!domain->check_online_event) {
479 /* If we've come from being globally offline we
480 don't have a check online event handler set.
481 We need to add one now we're trying to go
482 back online. */
483
484 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
485 domain->name ));
486
487 domain->check_online_event = event_add_timed(winbind_event_context(),
488 NULL,
489 timeval_current_ofs(5, 0),
490 "check_domain_online_handler",
491 check_domain_online_handler,
492 domain);
493
494 /* The above *has* to succeed for winbindd to work. */
495 if (!domain->check_online_event) {
496 smb_panic("set_domain_online_request: failed to add online handler");
497 }
498 }
499
500 GetTimeOfDay(&tev);
501
502 /* Go into "startup" mode again. */
503 domain->startup_time = tev.tv_sec;
504 domain->startup = True;
505
506 tev.tv_sec += 5;
507
508 set_event_dispatch_time(winbind_event_context(), "check_domain_online_handler", tev);
509 }
510
511 /****************************************************************
512 Add -ve connection cache entries for domain and realm.
513 ****************************************************************/
514
515 void winbind_add_failed_connection_entry(const struct winbindd_domain *domain,
516 const char *server,
517 NTSTATUS result)
518 {
519 add_failed_connection_entry(domain->name, server, result);
520 /* If this was the saf name for the last thing we talked to,
521 remove it. */
522 saf_delete(domain->name);
523 if (*domain->alt_name) {
524 add_failed_connection_entry(domain->alt_name, server, result);
525 saf_delete(domain->alt_name);
526 }
527 winbindd_unset_locator_kdc_env(domain);
528 }
529
530 /* Choose between anonymous or authenticated connections. We need to use
531 an authenticated connection if DCs have the RestrictAnonymous registry
532 entry set > 0, or the "Additional restrictions for anonymous
533 connections" set in the win2k Local Security Policy.
534
535 Caller to free() result in domain, username, password
536 */
537
538 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
539 {
540 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
541 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
542 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
543
544 if (*username && **username) {
545
546 if (!*domain || !**domain)
547 *domain = smb_xstrdup(lp_workgroup());
548
549 if (!*password || !**password)
550 *password = smb_xstrdup("");
551
552 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
553 *domain, *username));
554
555 } else {
556 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
557 *username = smb_xstrdup("");
558 *domain = smb_xstrdup("");
559 *password = smb_xstrdup("");
560 }
561 }
562
563 static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain,
564 fstring dcname,
565 struct sockaddr_storage *dc_ss)
566 {
567 struct winbindd_domain *our_domain = NULL;
568 struct rpc_pipe_client *netlogon_pipe = NULL;
569 NTSTATUS result;
570 WERROR werr;
571 TALLOC_CTX *mem_ctx;
572 unsigned int orig_timeout;
573 char *tmp = NULL;
574 char *p;
575
576 /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
577 * moment.... */
578
579 if (IS_DC) {
580 return False;
581 }
582
583 if (domain->primary) {
584 return False;
585 }
586
587 our_domain = find_our_domain();
588
589 if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
590 return False;
591 }
592
593 result = cm_connect_netlogon(our_domain, &netlogon_pipe);
594 if (!NT_STATUS_IS_OK(result)) {
595 talloc_destroy(mem_ctx);
596 return False;
597 }
598
599 /* This call can take a long time - allow the server to time out.
600 35 seconds should do it. */
601
602 orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000);
603
604 werr = rpccli_netlogon_getanydcname(netlogon_pipe, mem_ctx, our_domain->dcname,
605 domain->name, &tmp);
606
607 /* And restore our original timeout. */
608 cli_set_timeout(netlogon_pipe->cli, orig_timeout);
609
610 talloc_destroy(mem_ctx);
611
612 if (!W_ERROR_IS_OK(werr)) {
613 DEBUG(10, ("rpccli_netlogon_getanydcname failed: %s\n",
614 dos_errstr(werr)));
615 return False;
616 }
617
618 /* cli_netlogon_getanydcname gives us a name with \\ */
619 p = tmp;
620 if (*p == '\\') {
621 p+=1;
622 }
623 if (*p == '\\') {
624 p+=1;
625 }
626
627 fstrcpy(dcname, p);
628
629 DEBUG(10, ("rpccli_netlogon_getanydcname returned %s\n", dcname));
630
631 if (!resolve_name(dcname, dc_ss, 0x20)) {
632 return False;
633 }
634
635 return True;
636 }
637
638 /**
639 * Helper function to assemble trust password and account name
640 */
641 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
642 char **machine_password,
643 char **machine_account,
644 char **machine_krb5_principal)
645 {
646 const char *account_name;
647
648 if (!get_trust_pw_clear(domain->name, machine_password,
649 &account_name, NULL))
650 {
651 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
652 }
653
654 if ((machine_account != NULL) &&
655 (asprintf(machine_account, "%s$", account_name) == -1))
656 {
657 return NT_STATUS_NO_MEMORY;
658 }
659
660 /* this is at least correct when domain is our domain,
661 * which is the only case, when this is currently used: */
662 if ((machine_krb5_principal != NULL) &&
663 (asprintf(machine_krb5_principal, "%s$@%s", account_name,
664 domain->alt_name) == -1))
665 {
666 return NT_STATUS_NO_MEMORY;
667 }
668
669 return NT_STATUS_OK;
670 }
671
672 /************************************************************************
673 Given a fd with a just-connected TCP connection to a DC, open a connection
674 to the pipe.
675 ************************************************************************/
676
677 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
678 const int sockfd,
679 const char *controller,
680 struct cli_state **cli,
681 bool *retry)
682 {
683 char *machine_password = NULL;
684 char *machine_krb5_principal = NULL;
685 char *machine_account = NULL;
686 char *ipc_username = NULL;
687 char *ipc_domain = NULL;
688 char *ipc_password = NULL;
689
690 bool got_mutex;
691
692 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
693
694 struct sockaddr peeraddr;
695 socklen_t peeraddr_len;
696
697 struct sockaddr_in *peeraddr_in = (struct sockaddr_in *)&peeraddr;
698
699 DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
700 controller, domain->name ));
701
702 *retry = True;
703
704 got_mutex = secrets_named_mutex(controller,
705 WINBIND_SERVER_MUTEX_WAIT_TIME);
706
707 if (!got_mutex) {
708 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
709 controller));
710 result = NT_STATUS_POSSIBLE_DEADLOCK;
711 goto done;
712 }
713
714 if ((*cli = cli_initialise()) == NULL) {
715 DEBUG(1, ("Could not cli_initialize\n"));
716 result = NT_STATUS_NO_MEMORY;
717 goto done;
718 }
719
720 (*cli)->timeout = 10000; /* 10 seconds */
721 (*cli)->fd = sockfd;
722 fstrcpy((*cli)->desthost, controller);
723 (*cli)->use_kerberos = True;
724
725 peeraddr_len = sizeof(peeraddr);
726
727 if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0) ||
728 (peeraddr_len != sizeof(struct sockaddr_in)) ||
729 (peeraddr_in->sin_family != PF_INET))
730 {
731 DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
732 result = NT_STATUS_UNSUCCESSFUL;
733 goto done;
734 }
735
736 if (ntohs(peeraddr_in->sin_port) == 139) {
737 struct nmb_name calling;
738 struct nmb_name called;
739
740 make_nmb_name(&calling, global_myname(), 0x0);
741 make_nmb_name(&called, "*SMBSERVER", 0x20);
742
743 if (!cli_session_request(*cli, &calling, &called)) {
744 DEBUG(8, ("cli_session_request failed for %s\n",
745 controller));
746 result = NT_STATUS_UNSUCCESSFUL;
747 goto done;
748 }
749 }
750
751 cli_setup_signing_state(*cli, Undefined);
752
753 if (!cli_negprot(*cli)) {
754 DEBUG(1, ("cli_negprot failed\n"));
755 result = NT_STATUS_UNSUCCESSFUL;
756 goto done;
757 }
758
759 if (!is_trusted_domain_situation(domain->name) &&
760 (*cli)->protocol >= PROTOCOL_NT1 &&
761 (*cli)->capabilities & CAP_EXTENDED_SECURITY)
762 {
763 ADS_STATUS ads_status;
764
765 result = get_trust_creds(domain, &machine_password,
766 &machine_account,
767 &machine_krb5_principal);
768 if (!NT_STATUS_IS_OK(result)) {
769 goto done;
770 }
771
772 if (lp_security() == SEC_ADS) {
773
774 /* Try a krb5 session */
775
776 (*cli)->use_kerberos = True;
777 DEBUG(5, ("connecting to %s from %s with kerberos principal "
778 "[%s]\n", controller, global_myname(),
779 machine_krb5_principal));
780
781 winbindd_set_locator_kdc_envs(domain);
782
783 ads_status = cli_session_setup_spnego(*cli,
784 machine_krb5_principal,
785 machine_password,
786 domain->name);
787
788 if (!ADS_ERR_OK(ads_status)) {
789 DEBUG(4,("failed kerberos session setup with %s\n",
790 ads_errstr(ads_status)));
791 }
792
793 result = ads_ntstatus(ads_status);
794 if (NT_STATUS_IS_OK(result)) {
795 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
796 cli_init_creds(*cli, machine_account, domain->name, machine_password);
797 goto session_setup_done;
798 }
799 }
800
801 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
802 (*cli)->use_kerberos = False;
803
804 DEBUG(5, ("connecting to %s from %s with username "
805 "[%s]\\[%s]\n", controller, global_myname(),
806 domain->name, machine_account));
807
808 ads_status = cli_session_setup_spnego(*cli,
809 machine_account,
810 machine_password,
811 domain->name);
812 if (!ADS_ERR_OK(ads_status)) {
813 DEBUG(4, ("authenticated session setup failed with %s\n",
814 ads_errstr(ads_status)));
815 }
816
817 result = ads_ntstatus(ads_status);
818 if (NT_STATUS_IS_OK(result)) {
819 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
820 cli_init_creds(*cli, machine_account, domain->name, machine_password);
821 goto session_setup_done;
822 }
823 }
824
825 /* Fall back to non-kerberos session setup with auth_user */
826
827 (*cli)->use_kerberos = False;
828
829 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
830
831 if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
832 (strlen(ipc_username) > 0)) {
833
834 /* Only try authenticated if we have a username */
835
836 DEBUG(5, ("connecting to %s from %s with username "
837 "[%s]\\[%s]\n", controller, global_myname(),
838 ipc_domain, ipc_username));
839
840 if (NT_STATUS_IS_OK(cli_session_setup(
841 *cli, ipc_username,
842 ipc_password, strlen(ipc_password)+1,
843 ipc_password, strlen(ipc_password)+1,
844 ipc_domain))) {
845 /* Successful logon with given username. */
846 cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
847 goto session_setup_done;
848 } else {
849 DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
850 ipc_domain, ipc_username ));
851 }
852 }
853
854 /* Fall back to anonymous connection, this might fail later */
855
856 if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
857 NULL, 0, ""))) {
858 DEBUG(5, ("Connected anonymously\n"));
859 cli_init_creds(*cli, "", "", "");
860 goto session_setup_done;
861 }
862
863 result = cli_nt_error(*cli);
864
865 if (NT_STATUS_IS_OK(result))
866 result = NT_STATUS_UNSUCCESSFUL;
867
868 /* We can't session setup */
869
870 goto done;
871
872 session_setup_done:
873
874 /* cache the server name for later connections */
875
876 saf_store( domain->name, (*cli)->desthost );
877 if (domain->alt_name && (*cli)->use_kerberos) {
878 saf_store( domain->alt_name, (*cli)->desthost );
879 }
880
881 winbindd_set_locator_kdc_envs(domain);
882
883 if (!cli_send_tconX(*cli, "IPC$", "IPC", "", 0)) {
884
885 result = cli_nt_error(*cli);
886
887 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
888
889 if (NT_STATUS_IS_OK(result))
890 result = NT_STATUS_UNSUCCESSFUL;
891
892 goto done;
893 }
894
895 secrets_named_mutex_release(controller);
896 got_mutex = False;
897 *retry = False;
898
899 /* set the domain if empty; needed for schannel connections */
900 if ( !*(*cli)->domain ) {
901 fstrcpy( (*cli)->domain, domain->name );
902 }
903
904 result = NT_STATUS_OK;
905
906 done:
907 if (got_mutex) {
908 secrets_named_mutex_release(controller);
909 }
910
911 SAFE_FREE(machine_account);
912 SAFE_FREE(machine_password);
913 SAFE_FREE(machine_krb5_principal);
914 SAFE_FREE(ipc_username);
915 SAFE_FREE(ipc_domain);
916 SAFE_FREE(ipc_password);
917
918 if (!NT_STATUS_IS_OK(result)) {
919 winbind_add_failed_connection_entry(domain, controller, result);
920 if ((*cli) != NULL) {
921 cli_shutdown(*cli);
922 *cli = NULL;
923 }
924 }
925
926 return result;
927 }
928
929 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
930 const char *dcname, struct sockaddr_storage *pss,
931 struct dc_name_ip **dcs, int *num)
932 {
933 if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
934 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
935 return False;
936 }
937
938 *dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
939
940 if (*dcs == NULL)
941 return False;
942
943 fstrcpy((*dcs)[*num].name, dcname);
944 (*dcs)[*num].ss = *pss;
945 *num += 1;
946 return True;
947 }
948
949 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
950 struct sockaddr_storage *pss, uint16 port,
951 struct sockaddr_storage **addrs, int *num)
952 {
953 *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
954
955 if (*addrs == NULL) {
956 *num = 0;
957 return False;
958 }
959
960 (*addrs)[*num] = *pss;
961 set_sockaddr_port(&(*addrs)[*num], port);
962
963 *num += 1;
964 return True;
965 }
966
967 static void mailslot_name(struct in_addr dc_ip, fstring name)
968 {
969 fstr_sprintf(name, "\\MAILSLOT\\NET\\GETDC%X", dc_ip.s_addr);
970 }
971
972 static bool send_getdc_request(struct sockaddr_storage *dc_ss,
973 const char *domain_name,
974 const DOM_SID *sid)
975 {
976 char outbuf[1024];
977 struct in_addr dc_ip;
978 char *p;
979 fstring my_acct_name;
980 fstring my_mailslot;
981 size_t sid_size;
982
983 if (dc_ss->ss_family != AF_INET) {
984 return false;
985 }
986
987 dc_ip = ((struct sockaddr_in *)dc_ss)->sin_addr;
988 mailslot_name(dc_ip, my_mailslot);
989
990 memset(outbuf, '\0', sizeof(outbuf));
991
992 p = outbuf;
993
994 SCVAL(p, 0, SAMLOGON);
995 p++;
996
997 SCVAL(p, 0, 0); /* Count pointer ... */
998 p++;
999
1000 SIVAL(p, 0, 0); /* The sender's token ... */
1001 p += 2;
1002
1003 p += dos_PutUniCode(p, global_myname(),
1004 sizeof(outbuf) - PTR_DIFF(p, outbuf), True);
1005 fstr_sprintf(my_acct_name, "%s$", global_myname());
1006 p += dos_PutUniCode(p, my_acct_name,
1007 sizeof(outbuf) - PTR_DIFF(p, outbuf), True);
1008
1009 if (strlen(my_mailslot)+1 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) {
1010 return false;
1011 }
1012
1013 memcpy(p, my_mailslot, strlen(my_mailslot)+1);
1014 p += strlen(my_mailslot)+1;
1015
1016 if (sizeof(outbuf) - PTR_DIFF(p, outbuf) < 8) {
1017 return false;
1018 }
1019
1020 SIVAL(p, 0, 0x80);
1021 p+=4;
1022
1023 sid_size = ndr_size_dom_sid(sid, 0);
1024
1025 SIVAL(p, 0, sid_size);
1026 p+=4;
1027
1028 p = ALIGN4(p, outbuf);
1029 if (PTR_DIFF(p, outbuf) > sizeof(outbuf)) {
1030 return false;
1031 }
1032
1033 if (sid_size + 8 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) {
1034 return false;
1035 }
1036 sid_linearize(p, sizeof(outbuf) - PTR_DIFF(p, outbuf), sid);
1037
1038 p += sid_size;
1039
1040 SIVAL(p, 0, 1);
1041 SSVAL(p, 4, 0xffff);
1042 SSVAL(p, 6, 0xffff);
1043 p+=8;
1044
1045 return cli_send_mailslot(winbind_messaging_context(),
1046 False, "\\MAILSLOT\\NET\\NTLOGON", 0,
1047 outbuf, PTR_DIFF(p, outbuf),
1048 global_myname(), 0, domain_name, 0x1c,
1049 dc_ss);
1050 }
1051
1052 static bool receive_getdc_response(struct sockaddr_storage *dc_ss,
1053 const char *domain_name,
1054 fstring dc_name)
1055 {
1056 struct packet_struct *packet;
1057 fstring my_mailslot;
1058 char *buf, *p;
1059 fstring dcname, user, domain;
1060 int len;
1061 struct in_addr dc_ip;
1062
1063 if (dc_ss->ss_family != AF_INET) {
1064 return false;
1065 }
1066 dc_ip = ((struct sockaddr_in *)dc_ss)->sin_addr;
1067 mailslot_name(dc_ip, my_mailslot);
1068
1069 packet = receive_unexpected(DGRAM_PACKET, 0, my_mailslot);
1070
1071 if (packet == NULL) {
1072 DEBUG(5, ("Did not receive packet for %s\n", my_mailslot));
1073 return False;
1074 }
1075
1076 DEBUG(5, ("Received packet for %s\n", my_mailslot));
1077
1078 buf = packet->packet.dgram.data;
1079 len = packet->packet.dgram.datasize;
1080
1081 if (len < 70) {
1082 /* 70 is a completely arbitrary value to make sure
1083 the SVAL below does not read uninitialized memory */
1084 DEBUG(3, ("GetDC got short response\n"));
1085 return False;
1086 }
1087
1088 /* This should be (buf-4)+SVAL(buf-4, smb_vwv12)... */
1089 p = buf+SVAL(buf, smb_vwv10);
1090
1091 if (CVAL(p,0) != SAMLOGON_R) {
1092 DEBUG(8, ("GetDC got invalid response type %d\n", CVAL(p, 0)));
1093 return False;
1094 }
1095
1096 p+=2;
1097 pull_ucs2(buf, dcname, p, sizeof(dcname), PTR_DIFF(buf+len, p),
1098 STR_TERMINATE|STR_NOALIGN);
1099 p = skip_unibuf(p, PTR_DIFF(buf+len, p));
1100 pull_ucs2(buf, user, p, sizeof(dcname), PTR_DIFF(buf+len, p),
1101 STR_TERMINATE|STR_NOALIGN);
1102 p = skip_unibuf(p, PTR_DIFF(buf+len, p));
1103 pull_ucs2(buf, domain, p, sizeof(dcname), PTR_DIFF(buf+len, p),
1104 STR_TERMINATE|STR_NOALIGN);
1105 p = skip_unibuf(p, PTR_DIFF(buf+len, p));
1106
1107 if (!strequal(domain, domain_name)) {
1108 DEBUG(3, ("GetDC: Expected domain %s, got %s\n",
1109 domain_name, domain));
1110 return False;
1111 }
1112
1113 p = dcname;
1114 if (*p == '\\') p += 1;
1115 if (*p == '\\') p += 1;
1116
1117 fstrcpy(dc_name, p);
1118
1119 DEBUG(10, ("GetDC gave name %s for domain %s\n",
1120 dc_name, domain));
1121
1122 return True;
1123 }
1124
1125 /*******************************************************************
1126 convert an ip to a name
1127 *******************************************************************/
1128
1129 static bool dcip_to_name(const struct winbindd_domain *domain,
1130 struct sockaddr_storage *pss,
1131 fstring name )
1132 {
1133 struct ip_service ip_list;
1134
1135 ip_list.ss = *pss;
1136 ip_list.port = 0;
1137
1138 #ifdef WITH_ADS
1139 /* For active directory servers, try to get the ldap server name.
1140 None of these failures should be considered critical for now */
1141
1142 if (lp_security() == SEC_ADS) {
1143 ADS_STRUCT *ads;
1144 char addr[INET6_ADDRSTRLEN];
1145
1146 print_sockaddr(addr, sizeof(addr), pss);
1147
1148 ads = ads_init(domain->alt_name, domain->name, NULL);
1149 ads->auth.flags |= ADS_AUTH_NO_BIND;
1150
1151 if (ads_try_connect(ads, addr)) {
1152 /* We got a cldap packet. */
1153 fstrcpy(name, ads->config.ldap_server_name);
1154 namecache_store(name, 0x20, 1, &ip_list);
1155
1156 DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1157
1158 if (domain->primary && (ads->config.flags & ADS_KDC)) {
1159 if (ads_closest_dc(ads)) {
1160 char *sitename = sitename_fetch(ads->config.realm);
1161
1162 /* We're going to use this KDC for this realm/domain.
1163 If we are using sites, then force the krb5 libs
1164 to use this KDC. */
1165
1166 create_local_private_krb5_conf_for_domain(domain->alt_name,
1167 domain->name,
1168 sitename,
1169 pss);
1170
1171 SAFE_FREE(sitename);
1172 } else {
1173 /* use an off site KDC */
1174 create_local_private_krb5_conf_for_domain(domain->alt_name,
1175 domain->name,
1176 NULL,
1177 pss);
1178 }
1179 winbindd_set_locator_kdc_envs(domain);
1180
1181 /* Ensure we contact this DC also. */
1182 saf_store( domain->name, name);
1183 saf_store( domain->alt_name, name);
1184 }
1185
1186 ads_destroy( &ads );
1187 return True;
1188 }
1189
1190 ads_destroy( &ads );
1191 }
1192 #endif
1193
1194 /* try GETDC requests next */
1195
1196 if (send_getdc_request(pss, domain->name, &domain->sid)) {
1197 int i;
1198 smb_msleep(100);
1199 for (i=0; i<5; i++) {
1200 if (receive_getdc_response(pss, domain->name, name)) {
1201 namecache_store(name, 0x20, 1, &ip_list);
1202 return True;
1203 }
1204 smb_msleep(500);
1205 }
1206 }
1207
1208 /* try node status request */
1209
1210 if ( name_status_find(domain->name, 0x1c, 0x20, pss, name) ) {
1211 namecache_store(name, 0x20, 1, &ip_list);
1212 return True;
1213 }
1214 return False;
1215 }
1216
1217 /*******************************************************************
1218 Retreive a list of IP address for domain controllers. Fill in
1219 the dcs[] with results.
1220 *******************************************************************/
1221
1222 static bool get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
1223 struct dc_name_ip **dcs, int *num_dcs)
1224 {
1225 fstring dcname;
1226 struct sockaddr_storage ss;
1227 struct ip_service *ip_list = NULL;
1228 int iplist_size = 0;
1229 int i;
1230 bool is_our_domain;
1231 enum security_types sec = (enum security_types)lp_security();
1232
1233 is_our_domain = strequal(domain->name, lp_workgroup());
1234
1235 if ( !is_our_domain
1236 && get_dc_name_via_netlogon(domain, dcname, &ss)
1237 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, num_dcs) )
1238 {
1239 char addr[INET6_ADDRSTRLEN];
1240 print_sockaddr(addr, sizeof(addr), &ss);
1241 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1242 dcname, addr));
1243 return True;
1244 }
1245
1246 if (sec == SEC_ADS) {
1247 char *sitename = NULL;
1248
1249 /* We need to make sure we know the local site before
1250 doing any DNS queries, as this will restrict the
1251 get_sorted_dc_list() call below to only fetching
1252 DNS records for the correct site. */
1253
1254 /* Find any DC to get the site record.
1255 We deliberately don't care about the
1256 return here. */
1257
1258 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1259
1260 sitename = sitename_fetch(domain->alt_name);
1261 if (sitename) {
1262
1263 /* Do the site-specific AD dns lookup first. */
1264 get_sorted_dc_list(domain->alt_name, sitename, &ip_list, &iplist_size, True);
1265
1266 for ( i=0; i<iplist_size; i++ ) {
1267 char addr[INET6_ADDRSTRLEN];
1268 print_sockaddr(addr, sizeof(addr),
1269 &ip_list[i].ss);
1270 add_one_dc_unique(mem_ctx,
1271 domain->name,
1272 addr,
1273 &ip_list[i].ss,
1274 dcs,
1275 num_dcs);
1276 }
1277
1278 SAFE_FREE(ip_list);
1279 SAFE_FREE(sitename);
1280 iplist_size = 0;
1281 }
1282
1283 /* Now we add DCs from the main AD dns lookup. */
1284 get_sorted_dc_list(domain->alt_name, NULL, &ip_list, &iplist_size, True);
1285
1286 for ( i=0; i<iplist_size; i++ ) {
1287 char addr[INET6_ADDRSTRLEN];
1288 print_sockaddr(addr, sizeof(addr),
1289 &ip_list[i].ss);
1290 add_one_dc_unique(mem_ctx,
1291 domain->name,
1292 addr,
1293 &ip_list[i].ss,
1294 dcs,
1295 num_dcs);
1296 }
1297 }
1298
1299 /* try standard netbios queries if no ADS */
1300
1301 if (iplist_size==0) {
1302 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size, False);
1303 }
1304
1305 /* FIXME!! this is where we should re-insert the GETDC requests --jerry */
1306
1307 /* now add to the dc array. We'll wait until the last minute
1308 to look up the name of the DC. But we fill in the char* for
1309 the ip now in to make the failed connection cache work */
1310
1311 for ( i=0; i<iplist_size; i++ ) {
1312 char addr[INET6_ADDRSTRLEN];
1313 print_sockaddr(addr, sizeof(addr),
1314 &ip_list[i].ss);
1315 add_one_dc_unique(mem_ctx, domain->name, addr,
1316 &ip_list[i].ss, dcs, num_dcs);
1317 }
1318
1319 SAFE_FREE( ip_list );
1320
1321 return True;
1322 }
1323
1324 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1325 const struct winbindd_domain *domain,
1326 fstring dcname, struct sockaddr_storage *pss, int *fd)
1327 {
1328 struct dc_name_ip *dcs = NULL;
1329 int num_dcs = 0;
1330
1331 const char **dcnames = NULL;
1332 int num_dcnames = 0;
1333
1334 struct sockaddr_storage *addrs = NULL;
1335 int num_addrs = 0;
1336
1337 int i, fd_index;
1338
1339 again:
1340 if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1341 return False;
1342
1343 for (i=0; i<num_dcs; i++) {
1344
1345 if (!add_string_to_array(mem_ctx, dcs[i].name,
1346 &dcnames, &num_dcnames)) {
1347 return False;
1348 }
1349 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 445,
1350 &addrs, &num_addrs)) {
1351 return False;
1352 }
1353
1354 if (!add_string_to_array(mem_ctx, dcs[i].name,
1355 &dcnames, &num_dcnames)) {
1356 return False;
1357 }
1358 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 139,
1359 &addrs, &num_addrs)) {
1360 return False;
1361 }
1362 }
1363
1364 if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1365 return False;
1366
1367 if ((addrs == NULL) || (dcnames == NULL))
1368 return False;
1369
1370 /* 5 second timeout. */
1371 if (!open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) {
1372 for (i=0; i<num_dcs; i++) {
1373 char ab[INET6_ADDRSTRLEN];
1374 print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1375 DEBUG(10, ("find_new_dc: open_any_socket_out failed for "
1376 "domain %s address %s. Error was %s\n",
1377 domain->name, ab, strerror(errno) ));
1378 winbind_add_failed_connection_entry(domain,
1379 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1380 }
1381 return False;
1382 }
1383
1384 *pss = addrs[fd_index];
1385
1386 if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1387 /* Ok, we've got a name for the DC */
1388 fstrcpy(dcname, dcnames[fd_index]);
1389 return True;
1390 }
1391
1392 /* Try to figure out the name */
1393 if (dcip_to_name(domain, pss, dcname)) {
1394 return True;
1395 }
1396
1397 /* We can not continue without the DC's name */
1398 winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1399 NT_STATUS_UNSUCCESSFUL);
1400 goto again;
1401 }
1402
1403 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1404 struct winbindd_cm_conn *new_conn)
1405 {
1406 TALLOC_CTX *mem_ctx;
1407 NTSTATUS result;
1408 char *saf_servername = saf_fetch( domain->name );
1409 int retries;
1410
1411 if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1412 SAFE_FREE(saf_servername);
1413 set_domain_offline(domain);
1414 return NT_STATUS_NO_MEMORY;
1415 }
1416
1417 /* we have to check the server affinity cache here since
1418 later we selecte a DC based on response time and not preference */
1419
1420 /* Check the negative connection cache
1421 before talking to it. It going down may have
1422 triggered the reconnection. */
1423
1424 if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1425
1426 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1427 saf_servername, domain->name ));
1428
1429 /* convert an ip address to a name */
1430 if (is_ipaddress( saf_servername ) ) {
1431 fstring saf_name;
1432 struct sockaddr_storage ss;
1433
1434 if (!interpret_string_addr(&ss, saf_servername,
1435 AI_NUMERICHOST)) {
1436 return NT_STATUS_UNSUCCESSFUL;
1437 }
1438 if (dcip_to_name( domain, &ss, saf_name )) {
1439 fstrcpy( domain->dcname, saf_name );
1440 } else {
1441 winbind_add_failed_connection_entry(
1442 domain, saf_servername,
1443 NT_STATUS_UNSUCCESSFUL);
1444 }
1445 } else {
1446 fstrcpy( domain->dcname, saf_servername );
1447 }
1448
1449 SAFE_FREE( saf_servername );
1450 }
1451
1452 for (retries = 0; retries < 3; retries++) {
1453 int fd = -1;
1454 bool retry = False;
1455
1456 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1457
1458 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1459 domain->dcname, domain->name ));
1460
1461 if (*domain->dcname
1462 && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1463 && (resolve_name(domain->dcname, &domain->dcaddr, 0x20)))
1464 {
1465 struct sockaddr_storage *addrs = NULL;
1466 int num_addrs = 0;
1467 int dummy = 0;
1468
1469 if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 445, &addrs, &num_addrs)) {
1470 set_domain_offline(domain);
1471 talloc_destroy(mem_ctx);
1472 return NT_STATUS_NO_MEMORY;
1473 }
1474 if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 139, &addrs, &num_addrs)) {
1475 set_domain_offline(domain);
1476 talloc_destroy(mem_ctx);
1477 return NT_STATUS_NO_MEMORY;
1478 }
1479
1480 /* 5 second timeout. */
1481 if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) {
1482 fd = -1;
1483 }
1484 }
1485
1486 if ((fd == -1)
1487 && !find_new_dc(mem_ctx, domain, domain->dcname, &domain->dcaddr, &fd))
1488 {
1489 /* This is the one place where we will
1490 set the global winbindd offline state
1491 to true, if a "WINBINDD_OFFLINE" entry
1492 is found in the winbindd cache. */
1493 set_global_winbindd_state_offline();
1494 break;
1495 }
1496
1497 new_conn->cli = NULL;
1498
1499 result = cm_prepare_connection(domain, fd, domain->dcname,
1500 &new_conn->cli, &retry);
1501
1502 if (!retry)
1503 break;
1504 }
1505
1506 if (NT_STATUS_IS_OK(result)) {
1507
1508 winbindd_set_locator_kdc_envs(domain);
1509
1510 if (domain->online == False) {
1511 /* We're changing state from offline to online. */
1512 set_global_winbindd_state_online();
1513 }
1514 set_domain_online(domain);
1515 } else {
1516 /* Ensure we setup the retry handler. */
1517 set_domain_offline(domain);
1518 }
1519
1520 talloc_destroy(mem_ctx);
1521 return result;
1522 }
1523
1524 /* Close down all open pipes on a connection. */
1525
1526 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
1527 {
1528 /* We're closing down a possibly dead
1529 connection. Don't have impossibly long (10s) timeouts. */
1530
1531 if (conn->cli) {
1532 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1533 }
1534
1535 if (conn->samr_pipe != NULL) {
1536 if (!cli_rpc_pipe_close(conn->samr_pipe)) {
1537 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1538 if (conn->cli) {
1539 cli_set_timeout(conn->cli, 500);
1540 }
1541 }
1542 conn->samr_pipe = NULL;
1543 }
1544
1545 if (conn->lsa_pipe != NULL) {
1546 if (!cli_rpc_pipe_close(conn->lsa_pipe)) {
1547 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1548 if (conn->cli) {
1549 cli_set_timeout(conn->cli, 500);
1550 }
1551 }
1552 conn->lsa_pipe = NULL;
1553 }
1554
1555 if (conn->netlogon_pipe != NULL) {
1556 if (!cli_rpc_pipe_close(conn->netlogon_pipe)) {
1557 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1558 if (conn->cli) {
1559 cli_set_timeout(conn->cli, 500);
1560 }
1561 }
1562 conn->netlogon_pipe = NULL;
1563 }
1564
1565 if (conn->cli) {
1566 cli_shutdown(conn->cli);
1567 }
1568
1569 conn->cli = NULL;
1570 }
1571
1572 void close_conns_after_fork(void)
1573 {
1574 struct winbindd_domain *domain;
1575
1576 for (domain = domain_list(); domain; domain = domain->next) {
1577 if (domain->conn.cli == NULL)
1578 continue;
1579
1580 if (domain->conn.cli->fd == -1)
1581 continue;
1582
1583 close(domain->conn.cli->fd);
1584 domain->conn.cli->fd = -1;
1585 }
1586 }
1587
1588 static bool connection_ok(struct winbindd_domain *domain)
1589 {
1590 if (domain->conn.cli == NULL) {
1591 DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
1592 "cli!\n", domain->dcname, domain->name));
1593 return False;
1594 }
1595
1596 if (!domain->conn.cli->initialised) {
1597 DEBUG(3, ("connection_ok: Connection to %s for domain %s was never "
1598 "initialised!\n", domain->dcname, domain->name));
1599 return False;
1600 }
1601
1602 if (domain->conn.cli->fd == -1) {
1603 DEBUG(3, ("connection_ok: Connection to %s for domain %s has died or was "
1604 "never started (fd == -1)\n",
1605 domain->dcname, domain->name));
1606 return False;
1607 }
1608
1609 if (domain->online == False) {
1610 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1611 return False;
1612 }
1613
1614 return True;
1615 }
1616
1617 /* Initialize a new connection up to the RPC BIND.
1618 Bypass online status check so always does network calls. */
1619
1620 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
1621 {
1622 NTSTATUS result;
1623
1624 /* Internal connections never use the network. */
1625 if (domain->internal) {
1626 domain->initialized = True;
1627 return NT_STATUS_OK;
1628 }
1629
1630 if (connection_ok(domain)) {
1631 if (!domain->initialized) {
1632 set_dc_type_and_flags(domain);
1633 }
1634 return NT_STATUS_OK;
1635 }
1636
1637 invalidate_cm_connection(&domain->conn);
1638
1639 result = cm_open_connection(domain, &domain->conn);
1640
1641 if (NT_STATUS_IS_OK(result) && !domain->initialized) {
1642 set_dc_type_and_flags(domain);
1643 }
1644
1645 return result;
1646 }
1647
1648 NTSTATUS init_dc_connection(struct winbindd_domain *domain)
1649 {
1650 if (domain->initialized && !domain->online) {
1651 /* We check for online status elsewhere. */
1652 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1653 }
1654
1655 return init_dc_connection_network(domain);
1656 }
1657
1658 /******************************************************************************
1659 Set the trust flags (direction and forest location) for a domain
1660 ******************************************************************************/
1661
1662 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
1663 {
1664 struct winbindd_domain *our_domain;
1665 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1666 struct ds_domain_trust *domains = NULL;
1667 int count = 0;
1668 int i;
1669 uint32 flags = (DS_DOMAIN_IN_FOREST |
1670 DS_DOMAIN_DIRECT_OUTBOUND |
1671 DS_DOMAIN_DIRECT_INBOUND);
1672 struct rpc_pipe_client *cli;
1673 TALLOC_CTX *mem_ctx = NULL;
1674
1675 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
1676
1677 /* Our primary domain doesn't need to worry about trust flags.
1678 Force it to go through the network setup */
1679 if ( domain->primary ) {
1680 return False;
1681 }
1682
1683 our_domain = find_our_domain();
1684
1685 if ( !connection_ok(our_domain) ) {
1686 DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));
1687 return False;
1688 }
1689
1690 /* This won't work unless our domain is AD */
1691
1692 if ( !our_domain->active_directory ) {
1693 return False;
1694 }
1695
1696 /* Use DsEnumerateDomainTrusts to get us the trust direction
1697 and type */
1698
1699 result = cm_connect_netlogon(our_domain, &cli);
1700
1701 if (!NT_STATUS_IS_OK(result)) {
1702 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
1703 "a connection to %s for PIPE_NETLOGON (%s)\n",
1704 domain->name, nt_errstr(result)));
1705 return False;
1706 }
1707
1708 if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
1709 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
1710 return False;
1711 }
1712
1713 result = rpccli_ds_enum_domain_trusts(cli, mem_ctx,
1714 cli->cli->desthost,
1715 flags, &domains,
1716 (unsigned int *)&count);
1717
1718 /* Now find the domain name and get the flags */
1719
1720 for ( i=0; i<count; i++ ) {
1721 if ( strequal( domain->name, domains[i].netbios_domain ) ) {
1722 domain->domain_flags = domains[i].flags;
1723 domain->domain_type = domains[i].trust_type;
1724 domain->domain_trust_attribs = domains[i].trust_attributes;
1725
1726 if ( domain->domain_type == DS_DOMAIN_TRUST_TYPE_UPLEVEL )
1727 domain->active_directory = True;
1728
1729 /* This flag is only set if the domain is *our*
1730 primary domain and the primary domain is in
1731 native mode */
1732
1733 domain->native_mode = (domain->domain_flags & DS_DOMAIN_NATIVE_MODE);
1734
1735 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
1736 "native mode.\n", domain->name,
1737 domain->native_mode ? "" : "NOT "));
1738
1739 DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
1740 "running active directory.\n", domain->name,
1741 domain->active_directory ? "" : "NOT "));
1742
1743
1744 domain->initialized = True;
1745
1746 if ( !winbindd_can_contact_domain( domain) )
1747 domain->internal = True;
1748
1749 break;
1750 }
1751 }
1752
1753 talloc_destroy( mem_ctx );
1754
1755 return domain->initialized;
1756 }
1757
1758 /******************************************************************************
1759 We can 'sense' certain things about the DC by it's replies to certain
1760 questions.
1761
1762 This tells us if this particular remote server is Active Directory, and if it
1763 is native mode.
1764 ******************************************************************************/
1765
1766 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
1767 {
1768 NTSTATUS result;
1769 DS_DOMINFO_CTR ctr;
1770 TALLOC_CTX *mem_ctx = NULL;
1771 struct rpc_pipe_client *cli;
1772 POLICY_HND pol;
1773
1774 char *domain_name = NULL;
1775 char *dns_name = NULL;
1776 char *forest_name = NULL;
1777 DOM_SID *dom_sid = NULL;
1778
1779 ZERO_STRUCT( ctr );
1780
1781 if (!connection_ok(domain)) {
1782 return;
1783 }
1784
1785 mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
1786 domain->name);
1787 if (!mem_ctx) {
1788 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
1789 return;
1790 }
1791
1792 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
1793
1794 cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC_DS,
1795 &result);
1796
1797 if (cli == NULL) {
1798 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1799 "PI_LSARPC_DS on domain %s: (%s)\n",
1800 domain->name, nt_errstr(result)));
1801
1802 /* if this is just a non-AD domain we need to continue
1803 * identifying so that we can in the end return with
1804 * domain->initialized = True - gd */
1805
1806 goto no_lsarpc_ds;
1807 }
1808
1809 result = rpccli_ds_getprimarydominfo(cli, mem_ctx,
1810 DsRolePrimaryDomainInfoBasic,
1811 &ctr);
1812 cli_rpc_pipe_close(cli);
1813
1814 if (!NT_STATUS_IS_OK(result)) {
1815 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
1816 "on domain %s failed: (%s)\n",
1817 domain->name, nt_errstr(result)));
1818
1819 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
1820 * every opcode on the LSARPC_DS pipe, continue with
1821 * no_lsarpc_ds mode here as well to get domain->initialized
1822 * set - gd */
1823
1824 if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
1825 goto no_lsarpc_ds;
1826 }
1827
1828 TALLOC_FREE(mem_ctx);
1829 return;
1830 }
1831
1832 if ((ctr.basic->flags & DSROLE_PRIMARY_DS_RUNNING) &&
1833 !(ctr.basic->flags & DSROLE_PRIMARY_DS_MIXED_MODE)) {
1834 domain->native_mode = True;
1835 } else {
1836 domain->native_mode = False;
1837 }
1838
1839 no_lsarpc_ds:
1840 cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC, &result);
1841
1842 if (cli == NULL) {
1843 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1844 "PI_LSARPC on domain %s: (%s)\n",
1845 domain->name, nt_errstr(result)));
1846 cli_rpc_pipe_close(cli);
1847 TALLOC_FREE(mem_ctx);
1848 return;
1849 }
1850
1851 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
1852 SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
1853
1854 if (NT_STATUS_IS_OK(result)) {
1855 /* This particular query is exactly what Win2k clients use
1856 to determine that the DC is active directory */
1857 result = rpccli_lsa_query_info_policy2(cli, mem_ctx, &pol,
1858 12, &domain_name,
1859 &dns_name, &forest_name,
1860 NULL, &dom_sid);
1861 }
1862
1863 if (NT_STATUS_IS_OK(result)) {
1864 domain->active_directory = True;
1865
1866 if (domain_name)
1867 fstrcpy(domain->name, domain_name);
1868
1869 if (dns_name)
1870 fstrcpy(domain->alt_name, dns_name);
1871
1872 if ( forest_name )
1873 fstrcpy(domain->forest_name, forest_name);
1874
1875 if (dom_sid)
1876 sid_copy(&domain->sid, dom_sid);
1877 } else {
1878 domain->active_directory = False;
1879
1880 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
1881 SEC_RIGHTS_MAXIMUM_ALLOWED,
1882 &pol);
1883
1884 if (!NT_STATUS_IS_OK(result))
1885 goto done;
1886
1887 result = rpccli_lsa_query_info_policy(cli, mem_ctx,
1888 &pol, 5, &domain_name,
1889 &dom_sid);
1890
1891 if (NT_STATUS_IS_OK(result)) {
1892 if (domain_name)
1893 fstrcpy(domain->name, domain_name);
1894
1895 if (dom_sid)
1896 sid_copy(&domain->sid, dom_sid);
1897 }
1898 }
1899 done:
1900
1901 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
1902 domain->name, domain->native_mode ? "" : "NOT "));
1903
1904 DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
1905 domain->name, domain->active_directory ? "" : "NOT "));
1906
1907 cli_rpc_pipe_close(cli);
1908
1909 TALLOC_FREE(mem_ctx);
1910
1911 domain->initialized = True;
1912 }
1913
1914 /**********************************************************************
1915 Set the domain_flags (trust attributes, domain operating modes, etc...
1916 ***********************************************************************/
1917
1918 static void set_dc_type_and_flags( struct winbindd_domain *domain )
1919 {
1920 /* we always have to contact our primary domain */
1921
1922 if ( domain->primary ) {
1923 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
1924 "primary domain\n"));
1925 set_dc_type_and_flags_connect( domain );
1926 return;
1927 }
1928
1929 /* Use our DC to get the information if possible */
1930
1931 if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
1932 /* Otherwise, fallback to contacting the
1933 domain directly */
1934 set_dc_type_and_flags_connect( domain );
1935 }
1936
1937 return;
1938 }
1939
1940
1941
1942 /**********************************************************************
1943 ***********************************************************************/
1944
1945 static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain,
1946 struct dcinfo **ppdc)
1947 {
1948 NTSTATUS result;
1949 struct rpc_pipe_client *netlogon_pipe;
1950
1951 if (lp_client_schannel() == False) {
1952 return False;
1953 }
1954
1955 result = cm_connect_netlogon(domain, &netlogon_pipe);
1956 if (!NT_STATUS_IS_OK(result)) {
1957 return False;
1958 }
1959
1960 /* Return a pointer to the struct dcinfo from the
1961 netlogon pipe. */
1962
1963 *ppdc = domain->conn.netlogon_pipe->dc;
1964 return True;
1965 }
1966
1967 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
1968 struct rpc_pipe_client **cli, POLICY_HND *sam_handle)
1969 {
1970 struct winbindd_cm_conn *conn;
1971 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1972 fstring conn_pwd;
1973 struct dcinfo *p_dcinfo;
1974 char *machine_password = NULL;
1975 char *machine_account = NULL;
1976 char *domain_name = NULL;
1977
1978 result = init_dc_connection(domain);
1979 if (!NT_STATUS_IS_OK(result)) {
1980 return result;
1981 }
1982
1983 conn = &domain->conn;
1984
1985 if (conn->samr_pipe != NULL) {
1986 goto done;
1987 }
1988
1989 /*
1990 * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
1991 * sign and sealed pipe using the machine account password by
1992 * preference. If we can't - try schannel, if that fails, try
1993 * anonymous.
1994 */
1995
1996 pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
1997 if ((conn->cli->user_name[0] == '\0') ||
1998 (conn->cli->domain[0] == '\0') ||
1999 (conn_pwd[0] == '\0'))
2000 {
2001 result = get_trust_creds(domain, &machine_password,
2002 &machine_account, NULL);
2003 if (!NT_STATUS_IS_OK(result)) {
2004 DEBUG(10, ("cm_connect_sam: No no user available for "
2005 "domain %s, trying schannel\n", conn->cli->domain));
2006 goto schannel;
2007 }
2008 domain_name = domain->name;
2009 } else {
2010 machine_password = SMB_STRDUP(conn_pwd);
2011 machine_account = SMB_STRDUP(conn->cli->user_name);
2012 domain_name = conn->cli->domain;
2013 }
2014
2015 if (!machine_password || !machine_account) {
2016 result = NT_STATUS_NO_MEMORY;
2017 goto done;
2018 }
2019
2020 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2021 authenticated SAMR pipe with sign & seal. */
2022 conn->samr_pipe =
2023 cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR,
2024 PIPE_AUTH_LEVEL_PRIVACY,
2025 domain_name,
2026 machine_account,
2027 machine_password, &result);
2028
2029 if (conn->samr_pipe == NULL) {
2030 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2031 "pipe for domain %s using NTLMSSP "
2032 "authenticated pipe: user %s\\%s. Error was "
2033 "%s\n", domain->name, domain_name,
2034 machine_account, nt_errstr(result)));
2035 goto schannel;
2036 }
2037
2038 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2039 "domain %s using NTLMSSP authenticated "
2040 "pipe: user %s\\%s\n", domain->name,
2041 domain_name, machine_account));
2042
2043 result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
2044 SEC_RIGHTS_MAXIMUM_ALLOWED,
2045 &conn->sam_connect_handle);
2046 if (NT_STATUS_IS_OK(result)) {
2047 goto open_domain;
2048 }
2049 DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_connect "
2050 "failed for domain %s, error was %s. Trying schannel\n",
2051 domain->name, nt_errstr(result) ));
2052 cli_rpc_pipe_close(conn->samr_pipe);
2053
2054 schannel:
2055
2056 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2057
2058 if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
2059 /* If this call fails - conn->cli can now be NULL ! */
2060 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2061 "for domain %s, trying anon\n", domain->name));
2062 goto anonymous;
2063 }
2064 conn->samr_pipe = cli_rpc_pipe_open_schannel_with_key
2065 (conn->cli, PI_SAMR, PIPE_AUTH_LEVEL_PRIVACY,
2066 domain->name, p_dcinfo, &result);
2067
2068 if (conn->samr_pipe == NULL) {
2069 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2070 "domain %s using schannel. Error was %s\n",
2071 domain->name, nt_errstr(result) ));
2072 goto anonymous;
2073 }
2074 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2075 "schannel.\n", domain->name ));
2076
2077 result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
2078 SEC_RIGHTS_MAXIMUM_ALLOWED,
2079 &conn->sam_connect_handle);
2080 if (NT_STATUS_IS_OK(result)) {
2081 goto open_domain;
2082 }
2083 DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_connect failed "
2084 "for domain %s, error was %s. Trying anonymous\n",
2085 domain->name, nt_errstr(result) ));
2086 cli_rpc_pipe_close(conn->samr_pipe);
2087
2088 anonymous:
2089
2090 /* Finally fall back to anonymous. */
2091 conn->samr_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_SAMR,
2092 &result);
2093
2094 if (conn->samr_pipe == NULL) {
2095 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2096 goto done;
2097 }
2098
2099 result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
2100 SEC_RIGHTS_MAXIMUM_ALLOWED,
2101 &conn->sam_connect_handle);
2102 if (!NT_STATUS_IS_OK(result)) {
2103 DEBUG(10,("cm_connect_sam: rpccli_samr_connect failed "
2104 "for domain %s Error was %s\n",
2105 domain->name, nt_errstr(result) ));
2106 goto done;
2107 }
2108
2109 open_domain:
2110 result = rpccli_samr_open_domain(conn->samr_pipe,
2111 mem_ctx,
2112 &conn->sam_connect_handle,
2113 SEC_RIGHTS_MAXIMUM_ALLOWED,
2114 &domain->sid,
2115 &conn->sam_domain_handle);
2116
2117 done:
2118
2119 if (!NT_STATUS_IS_OK(result)) {
2120 invalidate_cm_connection(conn);
2121 return result;
2122 }
2123
2124 *cli = conn->samr_pipe;
2125 *sam_handle = conn->sam_domain_handle;
2126 SAFE_FREE(machine_password);
2127 SAFE_FREE(machine_account);
2128 return result;
2129 }
2130
2131 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2132 struct rpc_pipe_client **cli, POLICY_HND *lsa_policy)
2133 {
2134 struct winbindd_cm_conn *conn;
2135 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2136 fstring conn_pwd;
2137 struct dcinfo *p_dcinfo;
2138
2139 result = init_dc_connection(domain);
2140 if (!NT_STATUS_IS_OK(result))
2141 return result;
2142
2143 conn = &domain->conn;
2144
2145 if (conn->lsa_pipe != NULL) {
2146 goto done;
2147 }
2148
2149 pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
2150 if ((conn->cli->user_name[0] == '\0') ||
2151 (conn->cli->domain[0] == '\0') ||
2152 (conn_pwd[0] == '\0')) {
2153 DEBUG(10, ("cm_connect_lsa: No no user available for "
2154 "domain %s, trying schannel\n", conn->cli->domain));
2155 goto schannel;
2156 }
2157
2158 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2159 * authenticated LSA pipe with sign & seal. */
2160 conn->lsa_pipe = cli_rpc_pipe_open_spnego_ntlmssp
2161 (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
2162 conn->cli->domain, conn->cli->user_name, conn_pwd, &result);
2163
2164 if (conn->lsa_pipe == NULL) {
2165 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2166 "domain %s using NTLMSSP authenticated pipe: user "
2167 "%s\\%s. Error was %s. Trying schannel.\n",
2168 domain->name, conn->cli->domain,
2169 conn->cli->user_name, nt_errstr(result)));
2170 goto schannel;
2171 }
2172
2173 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2174 "NTLMSSP authenticated pipe: user %s\\%s\n",
2175 domain->name, conn->cli->domain, conn->cli->user_name ));
2176
2177 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2178 SEC_RIGHTS_MAXIMUM_ALLOWED,
2179 &conn->lsa_policy);
2180 if (NT_STATUS_IS_OK(result)) {
2181 goto done;
2182 }
2183
2184 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2185 "schannel\n"));
2186
2187 cli_rpc_pipe_close(conn->lsa_pipe);
2188
2189 schannel:
2190
2191 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2192
2193 if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
2194 /* If this call fails - conn->cli can now be NULL ! */
2195 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2196 "for domain %s, trying anon\n", domain->name));
2197 goto anonymous;
2198 }
2199 conn->lsa_pipe = cli_rpc_pipe_open_schannel_with_key
2200 (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY,
2201 domain->name, p_dcinfo, &result);
2202
2203 if (conn->lsa_pipe == NULL) {
2204 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2205 "domain %s using schannel. Error was %s\n",
2206 domain->name, nt_errstr(result) ));
2207 goto anonymous;
2208 }
2209 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2210 "schannel.\n", domain->name ));
2211
2212 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2213 SEC_RIGHTS_MAXIMUM_ALLOWED,
2214 &conn->lsa_policy);
2215 if (NT_STATUS_IS_OK(result)) {
2216 goto done;
2217 }
2218
2219 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2220 "anonymous\n"));
2221
2222 cli_rpc_pipe_close(conn->lsa_pipe);
2223
2224 anonymous:
2225
2226 conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_LSARPC,
2227 &result);
2228 if (conn->lsa_pipe == NULL) {
2229 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2230 goto done;
2231 }
2232
2233 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2234 SEC_RIGHTS_MAXIMUM_ALLOWED,
2235 &conn->lsa_policy);
2236 done:
2237 if (!NT_STATUS_IS_OK(result)) {
2238 invalidate_cm_connection(conn);
2239 return result;
2240 }
2241
2242 *cli = conn->lsa_pipe;
2243 *lsa_policy = conn->lsa_policy;
2244 return result;
2245 }
2246
2247 /****************************************************************************
2248 Open the netlogon pipe to this DC. Use schannel if specified in client conf.
2249 session key stored in conn->netlogon_pipe->dc->sess_key.
2250 ****************************************************************************/
2251
2252 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2253 struct rpc_pipe_client **cli)
2254 {
2255 struct winbindd_cm_conn *conn;
2256 NTSTATUS result;
2257
2258 uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
2259 uint8 mach_pwd[16];
2260 uint32 sec_chan_type;
2261 const char *account_name;
2262 struct rpc_pipe_client *netlogon_pipe = NULL;
2263
2264 *cli = NULL;
2265
2266 result = init_dc_connection(domain);
2267 if (!NT_STATUS_IS_OK(result)) {
2268 return result;
2269 }
2270
2271 conn = &domain->conn;
2272
2273 if (conn->netlogon_pipe != NULL) {
2274 *cli = conn->netlogon_pipe;
2275 return NT_STATUS_OK;
2276 }
2277
2278 netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
2279 &result);
2280 if (netlogon_pipe == NULL) {
2281 return result;
2282 }
2283
2284 if ((!IS_DC) && (!domain->primary)) {
2285 /* Clear the schannel request bit and drop down */
2286 neg_flags &= ~NETLOGON_NEG_SCHANNEL;
2287 goto no_schannel;
2288 }
2289
2290 if (lp_client_schannel() != False) {
2291 neg_flags |= NETLOGON_NEG_SCHANNEL;
2292 }
2293
2294 if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
2295 &sec_chan_type))
2296 {
2297 cli_rpc_pipe_close(netlogon_pipe);
2298 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2299 }
2300
2301 result = rpccli_netlogon_setup_creds(
2302 netlogon_pipe,
2303 domain->dcname, /* server name. */
2304 domain->name, /* domain name */
2305 global_myname(), /* client name */
2306 account_name, /* machine account */
2307 mach_pwd, /* machine password */
2308 sec_chan_type, /* from get_trust_pw */
2309 &neg_flags);
2310
2311 if (!NT_STATUS_IS_OK(result)) {
2312 cli_rpc_pipe_close(netlogon_pipe);
2313 return result;
2314 }
2315
2316 if ((lp_client_schannel() == True) &&
2317 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2318 DEBUG(3, ("Server did not offer schannel\n"));
2319 cli_rpc_pipe_close(netlogon_pipe);
2320 return NT_STATUS_ACCESS_DENIED;
2321 }
2322
2323 no_schannel:
2324 if ((lp_client_schannel() == False) ||
2325 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2326 /* We're done - just keep the existing connection to NETLOGON
2327 * open */
2328 conn->netlogon_pipe = netlogon_pipe;
2329 *cli = conn->netlogon_pipe;
2330 return NT_STATUS_OK;
2331 }
2332
2333 /* Using the credentials from the first pipe, open a signed and sealed
2334 second netlogon pipe. The session key is stored in the schannel
2335 part of the new pipe auth struct.
2336 */
2337
2338 conn->netlogon_pipe =
2339 cli_rpc_pipe_open_schannel_with_key(conn->cli,
2340 PI_NETLOGON,
2341 PIPE_AUTH_LEVEL_PRIVACY,
2342 domain->name,
2343 netlogon_pipe->dc,
2344 &result);
2345
2346 /* We can now close the initial netlogon pipe. */
2347 cli_rpc_pipe_close(netlogon_pipe);
2348
2349 if (conn->netlogon_pipe == NULL) {
2350 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
2351 "was %s\n", nt_errstr(result)));
2352
2353 /* make sure we return something besides OK */
2354 return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
2355 }
2356
2357 *cli = conn->netlogon_pipe;
2358 return NT_STATUS_OK;
2359 }