search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Change uint_t to unsigned int in lib/talloc
[Samba/fernandojvsilva.git] / source3 / winbindd / winbindd_cm.c
blob479602a9b4d54855a265c0413cdc22df8494b3dc
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon connection manager
5
6 Copyright (C) Tim Potter 2001
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Gerald (Jerry) Carter 2003-2005.
9 Copyright (C) Volker Lendecke 2004-2005
10 Copyright (C) Jeremy Allison 2006
11
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27 We need to manage connections to domain controllers without having to
28 mess up the main winbindd code with other issues. The aim of the
29 connection manager is to:
30
31 - make connections to domain controllers and cache them
32 - re-establish connections when networks or servers go down
33 - centralise the policy on connection timeouts, domain controller
34 selection etc
35 - manage re-entrancy for when winbindd becomes able to handle
36 multiple outstanding rpc requests
37
38 Why not have connection management as part of the rpc layer like tng?
39 Good question. This code may morph into libsmb/rpc_cache.c or something
40 like that but at the moment it's simply staying as part of winbind. I
41 think the TNG architecture of forcing every user of the rpc layer to use
42 the connection caching system is a bad idea. It should be an optional
43 method of using the routines.
44
45 The TNG design is quite good but I disagree with some aspects of the
46 implementation. -tpot
47
48 */
49
50 /*
51 TODO:
52
53 - I'm pretty annoyed by all the make_nmb_name() stuff. It should be
54 moved down into another function.
55
56 - Take care when destroying cli_structs as they can be shared between
57 various sam handles.
58
59 */
60
61 #include "includes.h"
62 #include "winbindd.h"
63 #include "../libcli/auth/libcli_auth.h"
64 #include "../librpc/gen_ndr/cli_netlogon.h"
65 #include "../librpc/gen_ndr/cli_samr.h"
66 #include "../librpc/gen_ndr/cli_lsa.h"
67 #include "../librpc/gen_ndr/cli_dssetup.h"
68
69 #undef DBGC_CLASS
70 #define DBGC_CLASS DBGC_WINBIND
71
72 struct dc_name_ip {
73 fstring name;
74 struct sockaddr_storage ss;
75 };
76
77 extern struct winbindd_methods reconnect_methods;
78 extern bool override_logfile;
79
80 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
81 static void set_dc_type_and_flags( struct winbindd_domain *domain );
82 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
83 struct dc_name_ip **dcs, int *num_dcs);
84
85 /****************************************************************
86 Child failed to find DC's. Reschedule check.
87 ****************************************************************/
88
89 static void msg_failed_to_go_online(struct messaging_context *msg,
90 void *private_data,
91 uint32_t msg_type,
92 struct server_id server_id,
93 DATA_BLOB *data)
94 {
95 struct winbindd_domain *domain;
96 const char *domainname = (const char *)data->data;
97
98 if (data->data == NULL || data->length == 0) {
99 return;
100 }
101
102 DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
103
104 for (domain = domain_list(); domain; domain = domain->next) {
105 if (domain->internal) {
106 continue;
107 }
108
109 if (strequal(domain->name, domainname)) {
110 if (domain->online) {
111 /* We're already online, ignore. */
112 DEBUG(5,("msg_fail_to_go_online: domain %s "
113 "already online.\n", domainname));
114 continue;
115 }
116
117 /* Reschedule the online check. */
118 set_domain_offline(domain);
119 break;
120 }
121 }
122 }
123
124 /****************************************************************
125 Actually cause a reconnect from a message.
126 ****************************************************************/
127
128 static void msg_try_to_go_online(struct messaging_context *msg,
129 void *private_data,
130 uint32_t msg_type,
131 struct server_id server_id,
132 DATA_BLOB *data)
133 {
134 struct winbindd_domain *domain;
135 const char *domainname = (const char *)data->data;
136
137 if (data->data == NULL || data->length == 0) {
138 return;
139 }
140
141 DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
142
143 for (domain = domain_list(); domain; domain = domain->next) {
144 if (domain->internal) {
145 continue;
146 }
147
148 if (strequal(domain->name, domainname)) {
149
150 if (domain->online) {
151 /* We're already online, ignore. */
152 DEBUG(5,("msg_try_to_go_online: domain %s "
153 "already online.\n", domainname));
154 continue;
155 }
156
157 /* This call takes care of setting the online
158 flag to true if we connected, or re-adding
159 the offline handler if false. Bypasses online
160 check so always does network calls. */
161
162 init_dc_connection_network(domain);
163 break;
164 }
165 }
166 }
167
168 /****************************************************************
169 Fork a child to try and contact a DC. Do this as contacting a
170 DC requires blocking lookups and we don't want to block our
171 parent.
172 ****************************************************************/
173
174 static bool fork_child_dc_connect(struct winbindd_domain *domain)
175 {
176 struct dc_name_ip *dcs = NULL;
177 int num_dcs = 0;
178 TALLOC_CTX *mem_ctx = NULL;
179 pid_t parent_pid = sys_getpid();
180 char *lfile = NULL;
181
182 /* Stop zombies */
183 CatchChild();
184
185 if (domain->dc_probe_pid != (pid_t)-1) {
186 /*
187 * We might already have a DC probe
188 * child working, check.
189 */
190 if (process_exists_by_pid(domain->dc_probe_pid)) {
191 DEBUG(10,("fork_child_dc_connect: pid %u already "
192 "checking for DC's.\n",
193 (unsigned int)domain->dc_probe_pid));
194 return true;
195 }
196 domain->dc_probe_pid = (pid_t)-1;
197 }
198
199 domain->dc_probe_pid = sys_fork();
200
201 if (domain->dc_probe_pid == (pid_t)-1) {
202 DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
203 return False;
204 }
205
206 if (domain->dc_probe_pid != (pid_t)0) {
207 /* Parent */
208 messaging_register(winbind_messaging_context(), NULL,
209 MSG_WINBIND_TRY_TO_GO_ONLINE,
210 msg_try_to_go_online);
211 messaging_register(winbind_messaging_context(), NULL,
212 MSG_WINBIND_FAILED_TO_GO_ONLINE,
213 msg_failed_to_go_online);
214 return True;
215 }
216
217 /* Child. */
218
219 /* Leave messages blocked - we will never process one. */
220
221 if (!override_logfile) {
222 if (asprintf(&lfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) == -1) {
223 DEBUG(0, ("fork_child_dc_connect: out of memory.\n"));
224 _exit(1);
225 }
226 }
227
228 if (!winbindd_reinit_after_fork(lfile)) {
229 messaging_send_buf(winbind_messaging_context(),
230 pid_to_procid(parent_pid),
231 MSG_WINBIND_FAILED_TO_GO_ONLINE,
232 (uint8 *)domain->name,
233 strlen(domain->name)+1);
234 _exit(1);
235 }
236 SAFE_FREE(lfile);
237
238 mem_ctx = talloc_init("fork_child_dc_connect");
239 if (!mem_ctx) {
240 DEBUG(0,("talloc_init failed.\n"));
241 messaging_send_buf(winbind_messaging_context(),
242 pid_to_procid(parent_pid),
243 MSG_WINBIND_FAILED_TO_GO_ONLINE,
244 (uint8 *)domain->name,
245 strlen(domain->name)+1);
246 _exit(1);
247 }
248
249 if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
250 /* Still offline ? Can't find DC's. */
251 messaging_send_buf(winbind_messaging_context(),
252 pid_to_procid(parent_pid),
253 MSG_WINBIND_FAILED_TO_GO_ONLINE,
254 (uint8 *)domain->name,
255 strlen(domain->name)+1);
256 _exit(0);
257 }
258
259 /* We got a DC. Send a message to our parent to get it to
260 try and do the same. */
261
262 messaging_send_buf(winbind_messaging_context(),
263 pid_to_procid(parent_pid),
264 MSG_WINBIND_TRY_TO_GO_ONLINE,
265 (uint8 *)domain->name,
266 strlen(domain->name)+1);
267 _exit(0);
268 }
269
270 /****************************************************************
271 Handler triggered if we're offline to try and detect a DC.
272 ****************************************************************/
273
274 static void check_domain_online_handler(struct event_context *ctx,
275 struct timed_event *te,
276 struct timeval now,
277 void *private_data)
278 {
279 struct winbindd_domain *domain =
280 (struct winbindd_domain *)private_data;
281
282 DEBUG(10,("check_domain_online_handler: called for domain "
283 "%s (online = %s)\n", domain->name,
284 domain->online ? "True" : "False" ));
285
286 TALLOC_FREE(domain->check_online_event);
287
288 /* Are we still in "startup" mode ? */
289
290 if (domain->startup && (now.tv_sec > domain->startup_time + 30)) {
291 /* No longer in "startup" mode. */
292 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
293 domain->name ));
294 domain->startup = False;
295 }
296
297 /* We've been told to stay offline, so stay
298 that way. */
299
300 if (get_global_winbindd_state_offline()) {
301 DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
302 domain->name ));
303 return;
304 }
305
306 /* Fork a child to test if it can contact a DC.
307 If it can then send ourselves a message to
308 cause a reconnect. */
309
310 fork_child_dc_connect(domain);
311 }
312
313 /****************************************************************
314 If we're still offline setup the timeout check.
315 ****************************************************************/
316
317 static void calc_new_online_timeout_check(struct winbindd_domain *domain)
318 {
319 int wbr = lp_winbind_reconnect_delay();
320
321 if (domain->startup) {
322 domain->check_online_timeout = 10;
323 } else if (domain->check_online_timeout < wbr) {
324 domain->check_online_timeout = wbr;
325 }
326 }
327
328 /****************************************************************
329 Set domain offline and also add handler to put us back online
330 if we detect a DC.
331 ****************************************************************/
332
333 void set_domain_offline(struct winbindd_domain *domain)
334 {
335 DEBUG(10,("set_domain_offline: called for domain %s\n",
336 domain->name ));
337
338 TALLOC_FREE(domain->check_online_event);
339
340 if (domain->internal) {
341 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
342 domain->name ));
343 return;
344 }
345
346 domain->online = False;
347
348 /* Offline domains are always initialized. They're
349 re-initialized when they go back online. */
350
351 domain->initialized = True;
352
353 /* We only add the timeout handler that checks and
354 allows us to go back online when we've not
355 been told to remain offline. */
356
357 if (get_global_winbindd_state_offline()) {
358 DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
359 domain->name ));
360 return;
361 }
362
363 /* If we're in startup mode, check again in 10 seconds, not in
364 lp_winbind_reconnect_delay() seconds (which is 30 seconds by default). */
365
366 calc_new_online_timeout_check(domain);
367
368 domain->check_online_event = event_add_timed(winbind_event_context(),
369 NULL,
370 timeval_current_ofs(domain->check_online_timeout,0),
371 check_domain_online_handler,
372 domain);
373
374 /* The above *has* to succeed for winbindd to work. */
375 if (!domain->check_online_event) {
376 smb_panic("set_domain_offline: failed to add online handler");
377 }
378
379 DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
380 domain->name ));
381
382 /* Send an offline message to the idmap child when our
383 primary domain goes offline */
384
385 if ( domain->primary ) {
386 struct winbindd_child *idmap = idmap_child();
387
388 if ( idmap->pid != 0 ) {
389 messaging_send_buf(winbind_messaging_context(),
390 pid_to_procid(idmap->pid),
391 MSG_WINBIND_OFFLINE,
392 (uint8 *)domain->name,
393 strlen(domain->name)+1);
394 }
395 }
396
397 return;
398 }
399
400 /****************************************************************
401 Set domain online - if allowed.
402 ****************************************************************/
403
404 static void set_domain_online(struct winbindd_domain *domain)
405 {
406 DEBUG(10,("set_domain_online: called for domain %s\n",
407 domain->name ));
408
409 if (domain->internal) {
410 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
411 domain->name ));
412 return;
413 }
414
415 if (get_global_winbindd_state_offline()) {
416 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
417 domain->name ));
418 return;
419 }
420
421 winbindd_set_locator_kdc_envs(domain);
422
423 /* If we are waiting to get a krb5 ticket, trigger immediately. */
424 ccache_regain_all_now();
425
426 /* Ok, we're out of any startup mode now... */
427 domain->startup = False;
428
429 if (domain->online == False) {
430 /* We were offline - now we're online. We default to
431 using the MS-RPC backend if we started offline,
432 and if we're going online for the first time we
433 should really re-initialize the backends and the
434 checks to see if we're talking to an AD or NT domain.
435 */
436
437 domain->initialized = False;
438
439 /* 'reconnect_methods' is the MS-RPC backend. */
440 if (domain->backend == &reconnect_methods) {
441 domain->backend = NULL;
442 }
443 }
444
445 /* Ensure we have no online timeout checks. */
446 domain->check_online_timeout = 0;
447 TALLOC_FREE(domain->check_online_event);
448
449 /* Ensure we ignore any pending child messages. */
450 messaging_deregister(winbind_messaging_context(),
451 MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
452 messaging_deregister(winbind_messaging_context(),
453 MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
454
455 domain->online = True;
456
457 /* Send an online message to the idmap child when our
458 primary domain comes online */
459
460 if ( domain->primary ) {
461 struct winbindd_child *idmap = idmap_child();
462
463 if ( idmap->pid != 0 ) {
464 messaging_send_buf(winbind_messaging_context(),
465 pid_to_procid(idmap->pid),
466 MSG_WINBIND_ONLINE,
467 (uint8 *)domain->name,
468 strlen(domain->name)+1);
469 }
470 }
471
472 return;
473 }
474
475 /****************************************************************
476 Requested to set a domain online.
477 ****************************************************************/
478
479 void set_domain_online_request(struct winbindd_domain *domain)
480 {
481 struct timeval tev;
482
483 DEBUG(10,("set_domain_online_request: called for domain %s\n",
484 domain->name ));
485
486 if (get_global_winbindd_state_offline()) {
487 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
488 domain->name ));
489 return;
490 }
491
492 if (domain->internal) {
493 DEBUG(10, ("set_domain_online_request: Internal domains are "
494 "always online\n"));
495 return;
496 }
497
498 /* We've been told it's safe to go online and
499 try and connect to a DC. But I don't believe it
500 because network manager seems to lie.
501 Wait at least 5 seconds. Heuristics suck... */
502
503
504 GetTimeOfDay(&tev);
505
506 /* Go into "startup" mode again. */
507 domain->startup_time = tev.tv_sec;
508 domain->startup = True;
509
510 tev.tv_sec += 5;
511
512 if (!domain->check_online_event) {
513 /* If we've come from being globally offline we
514 don't have a check online event handler set.
515 We need to add one now we're trying to go
516 back online. */
517
518 DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
519 domain->name ));
520 }
521
522 TALLOC_FREE(domain->check_online_event);
523
524 domain->check_online_event = event_add_timed(winbind_event_context(),
525 NULL,
526 tev,
527 check_domain_online_handler,
528 domain);
529
530 /* The above *has* to succeed for winbindd to work. */
531 if (!domain->check_online_event) {
532 smb_panic("set_domain_online_request: failed to add online handler");
533 }
534 }
535
536 /****************************************************************
537 Add -ve connection cache entries for domain and realm.
538 ****************************************************************/
539
540 void winbind_add_failed_connection_entry(const struct winbindd_domain *domain,
541 const char *server,
542 NTSTATUS result)
543 {
544 add_failed_connection_entry(domain->name, server, result);
545 /* If this was the saf name for the last thing we talked to,
546 remove it. */
547 saf_delete(domain->name);
548 if (*domain->alt_name) {
549 add_failed_connection_entry(domain->alt_name, server, result);
550 saf_delete(domain->alt_name);
551 }
552 winbindd_unset_locator_kdc_env(domain);
553 }
554
555 /* Choose between anonymous or authenticated connections. We need to use
556 an authenticated connection if DCs have the RestrictAnonymous registry
557 entry set > 0, or the "Additional restrictions for anonymous
558 connections" set in the win2k Local Security Policy.
559
560 Caller to free() result in domain, username, password
561 */
562
563 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
564 {
565 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
566 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
567 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
568
569 if (*username && **username) {
570
571 if (!*domain || !**domain)
572 *domain = smb_xstrdup(lp_workgroup());
573
574 if (!*password || !**password)
575 *password = smb_xstrdup("");
576
577 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
578 *domain, *username));
579
580 } else {
581 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
582 *username = smb_xstrdup("");
583 *domain = smb_xstrdup("");
584 *password = smb_xstrdup("");
585 }
586 }
587
588 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
589 fstring dcname,
590 struct sockaddr_storage *dc_ss)
591 {
592 struct winbindd_domain *our_domain = NULL;
593 struct rpc_pipe_client *netlogon_pipe = NULL;
594 NTSTATUS result;
595 WERROR werr;
596 TALLOC_CTX *mem_ctx;
597 unsigned int orig_timeout;
598 const char *tmp = NULL;
599 const char *p;
600
601 /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
602 * moment.... */
603
604 if (IS_DC) {
605 return False;
606 }
607
608 if (domain->primary) {
609 return False;
610 }
611
612 our_domain = find_our_domain();
613
614 if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
615 return False;
616 }
617
618 result = cm_connect_netlogon(our_domain, &netlogon_pipe);
619 if (!NT_STATUS_IS_OK(result)) {
620 talloc_destroy(mem_ctx);
621 return False;
622 }
623
624 /* This call can take a long time - allow the server to time out.
625 35 seconds should do it. */
626
627 orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
628
629 if (our_domain->active_directory) {
630 struct netr_DsRGetDCNameInfo *domain_info = NULL;
631
632 result = rpccli_netr_DsRGetDCName(netlogon_pipe,
633 mem_ctx,
634 our_domain->dcname,
635 domain->name,
636 NULL,
637 NULL,
638 DS_RETURN_DNS_NAME,
639 &domain_info,
640 &werr);
641 if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
642 tmp = talloc_strdup(
643 mem_ctx, domain_info->dc_unc);
644 if (tmp == NULL) {
645 DEBUG(0, ("talloc_strdup failed\n"));
646 talloc_destroy(mem_ctx);
647 return false;
648 }
649 if (strlen(domain->alt_name) == 0) {
650 fstrcpy(domain->alt_name,
651 domain_info->domain_name);
652 }
653 if (strlen(domain->forest_name) == 0) {
654 fstrcpy(domain->forest_name,
655 domain_info->forest_name);
656 }
657 }
658 } else {
659 result = rpccli_netr_GetAnyDCName(netlogon_pipe, mem_ctx,
660 our_domain->dcname,
661 domain->name,
662 &tmp,
663 &werr);
664 }
665
666 /* And restore our original timeout. */
667 rpccli_set_timeout(netlogon_pipe, orig_timeout);
668
669 if (!NT_STATUS_IS_OK(result)) {
670 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
671 nt_errstr(result)));
672 talloc_destroy(mem_ctx);
673 return false;
674 }
675
676 if (!W_ERROR_IS_OK(werr)) {
677 DEBUG(10,("rpccli_netr_GetAnyDCName failed: %s\n",
678 win_errstr(werr)));
679 talloc_destroy(mem_ctx);
680 return false;
681 }
682
683 /* rpccli_netr_GetAnyDCName gives us a name with \\ */
684 p = strip_hostname(tmp);
685
686 fstrcpy(dcname, p);
687
688 talloc_destroy(mem_ctx);
689
690 DEBUG(10,("rpccli_netr_GetAnyDCName returned %s\n", dcname));
691
692 if (!resolve_name(dcname, dc_ss, 0x20, true)) {
693 return False;
694 }
695
696 return True;
697 }
698
699 /**
700 * Helper function to assemble trust password and account name
701 */
702 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
703 char **machine_password,
704 char **machine_account,
705 char **machine_krb5_principal)
706 {
707 const char *account_name;
708 const char *name = NULL;
709
710 /* If we are a DC and this is not our own domain */
711
712 if (IS_DC) {
713 name = domain->name;
714 } else {
715 struct winbindd_domain *our_domain = find_our_domain();
716
717 if (!our_domain)
718 return NT_STATUS_INVALID_SERVER_STATE;
719
720 name = our_domain->name;
721 }
722
723 if (!get_trust_pw_clear(name, machine_password,
724 &account_name, NULL))
725 {
726 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
727 }
728
729 if ((machine_account != NULL) &&
730 (asprintf(machine_account, "%s$", account_name) == -1))
731 {
732 return NT_STATUS_NO_MEMORY;
733 }
734
735 /* For now assume our machine account only exists in our domain */
736
737 if (machine_krb5_principal != NULL)
738 {
739 struct winbindd_domain *our_domain = find_our_domain();
740
741 if (!our_domain) {
742 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
743 }
744
745 if (asprintf(machine_krb5_principal, "%s$@%s",
746 account_name, our_domain->alt_name) == -1)
747 {
748 return NT_STATUS_NO_MEMORY;
749 }
750
751 strupper_m(*machine_krb5_principal);
752 }
753
754 return NT_STATUS_OK;
755 }
756
757 /************************************************************************
758 Given a fd with a just-connected TCP connection to a DC, open a connection
759 to the pipe.
760 ************************************************************************/
761
762 static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
763 const int sockfd,
764 const char *controller,
765 struct cli_state **cli,
766 bool *retry)
767 {
768 char *machine_password = NULL;
769 char *machine_krb5_principal = NULL;
770 char *machine_account = NULL;
771 char *ipc_username = NULL;
772 char *ipc_domain = NULL;
773 char *ipc_password = NULL;
774
775 struct named_mutex *mutex;
776
777 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
778
779 struct sockaddr peeraddr;
780 socklen_t peeraddr_len;
781
782 struct sockaddr_in *peeraddr_in =
783 (struct sockaddr_in *)(void *)&peeraddr;
784
785 DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
786 controller, domain->name ));
787
788 *retry = True;
789
790 mutex = grab_named_mutex(talloc_tos(), controller,
791 WINBIND_SERVER_MUTEX_WAIT_TIME);
792 if (mutex == NULL) {
793 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
794 controller));
795 result = NT_STATUS_POSSIBLE_DEADLOCK;
796 goto done;
797 }
798
799 if ((*cli = cli_initialise()) == NULL) {
800 DEBUG(1, ("Could not cli_initialize\n"));
801 result = NT_STATUS_NO_MEMORY;
802 goto done;
803 }
804
805 (*cli)->timeout = 10000; /* 10 seconds */
806 (*cli)->fd = sockfd;
807 fstrcpy((*cli)->desthost, controller);
808 (*cli)->use_kerberos = True;
809
810 peeraddr_len = sizeof(peeraddr);
811
812 if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0) ||
813 (peeraddr_len != sizeof(struct sockaddr_in)) ||
814 (peeraddr_in->sin_family != PF_INET))
815 {
816 DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
817 result = NT_STATUS_UNSUCCESSFUL;
818 goto done;
819 }
820
821 if (ntohs(peeraddr_in->sin_port) == 139) {
822 struct nmb_name calling;
823 struct nmb_name called;
824
825 make_nmb_name(&calling, global_myname(), 0x0);
826 make_nmb_name(&called, "*SMBSERVER", 0x20);
827
828 if (!cli_session_request(*cli, &calling, &called)) {
829 DEBUG(8, ("cli_session_request failed for %s\n",
830 controller));
831 result = NT_STATUS_UNSUCCESSFUL;
832 goto done;
833 }
834 }
835
836 result = cli_negprot(*cli);
837
838 if (!NT_STATUS_IS_OK(result)) {
839 DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
840 goto done;
841 }
842
843 if (!is_dc_trusted_domain_situation(domain->name) &&
844 (*cli)->protocol >= PROTOCOL_NT1 &&
845 (*cli)->capabilities & CAP_EXTENDED_SECURITY)
846 {
847 ADS_STATUS ads_status;
848
849 result = get_trust_creds(domain, &machine_password,
850 &machine_account,
851 &machine_krb5_principal);
852 if (!NT_STATUS_IS_OK(result)) {
853 goto anon_fallback;
854 }
855
856 if (lp_security() == SEC_ADS) {
857
858 /* Try a krb5 session */
859
860 (*cli)->use_kerberos = True;
861 DEBUG(5, ("connecting to %s from %s with kerberos principal "
862 "[%s] and realm [%s]\n", controller, global_myname(),
863 machine_krb5_principal, domain->alt_name));
864
865 winbindd_set_locator_kdc_envs(domain);
866
867 ads_status = cli_session_setup_spnego(*cli,
868 machine_krb5_principal,
869 machine_password,
870 lp_workgroup(),
871 domain->alt_name);
872
873 if (!ADS_ERR_OK(ads_status)) {
874 DEBUG(4,("failed kerberos session setup with %s\n",
875 ads_errstr(ads_status)));
876 }
877
878 result = ads_ntstatus(ads_status);
879 if (NT_STATUS_IS_OK(result)) {
880 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
881 result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
882 if (!NT_STATUS_IS_OK(result)) {
883 goto done;
884 }
885 goto session_setup_done;
886 }
887 }
888
889 /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
890 (*cli)->use_kerberos = False;
891
892 DEBUG(5, ("connecting to %s from %s with username "
893 "[%s]\\[%s]\n", controller, global_myname(),
894 lp_workgroup(), machine_account));
895
896 ads_status = cli_session_setup_spnego(*cli,
897 machine_account,
898 machine_password,
899 lp_workgroup(),
900 NULL);
901 if (!ADS_ERR_OK(ads_status)) {
902 DEBUG(4, ("authenticated session setup failed with %s\n",
903 ads_errstr(ads_status)));
904 }
905
906 result = ads_ntstatus(ads_status);
907 if (NT_STATUS_IS_OK(result)) {
908 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
909 result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
910 if (!NT_STATUS_IS_OK(result)) {
911 goto done;
912 }
913 goto session_setup_done;
914 }
915 }
916
917 /* Fall back to non-kerberos session setup with auth_user */
918
919 (*cli)->use_kerberos = False;
920
921 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
922
923 if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
924 (strlen(ipc_username) > 0)) {
925
926 /* Only try authenticated if we have a username */
927
928 DEBUG(5, ("connecting to %s from %s with username "
929 "[%s]\\[%s]\n", controller, global_myname(),
930 ipc_domain, ipc_username));
931
932 if (NT_STATUS_IS_OK(cli_session_setup(
933 *cli, ipc_username,
934 ipc_password, strlen(ipc_password)+1,
935 ipc_password, strlen(ipc_password)+1,
936 ipc_domain))) {
937 /* Successful logon with given username. */
938 result = cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
939 if (!NT_STATUS_IS_OK(result)) {
940 goto done;
941 }
942 goto session_setup_done;
943 } else {
944 DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
945 ipc_domain, ipc_username ));
946 }
947 }
948
949 anon_fallback:
950
951 /* Fall back to anonymous connection, this might fail later */
952 DEBUG(10,("cm_prepare_connection: falling back to anonymous "
953 "connection for DC %s\n",
954 controller ));
955
956 if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
957 NULL, 0, ""))) {
958 DEBUG(5, ("Connected anonymously\n"));
959 result = cli_init_creds(*cli, "", "", "");
960 if (!NT_STATUS_IS_OK(result)) {
961 goto done;
962 }
963 goto session_setup_done;
964 }
965
966 result = cli_nt_error(*cli);
967
968 if (NT_STATUS_IS_OK(result))
969 result = NT_STATUS_UNSUCCESSFUL;
970
971 /* We can't session setup */
972
973 goto done;
974
975 session_setup_done:
976
977 /* cache the server name for later connections */
978
979 saf_store( domain->name, (*cli)->desthost );
980 if (domain->alt_name && (*cli)->use_kerberos) {
981 saf_store( domain->alt_name, (*cli)->desthost );
982 }
983
984 winbindd_set_locator_kdc_envs(domain);
985
986 result = cli_tcon_andx(*cli, "IPC$", "IPC", "", 0);
987
988 if (!NT_STATUS_IS_OK(result)) {
989 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
990 goto done;
991 }
992
993 TALLOC_FREE(mutex);
994 *retry = False;
995
996 /* set the domain if empty; needed for schannel connections */
997 if ( !(*cli)->domain[0] ) {
998 result = cli_set_domain((*cli), domain->name);
999 if (!NT_STATUS_IS_OK(result)) {
1000 return result;
1001 }
1002 }
1003
1004 result = NT_STATUS_OK;
1005
1006 done:
1007 TALLOC_FREE(mutex);
1008 SAFE_FREE(machine_account);
1009 SAFE_FREE(machine_password);
1010 SAFE_FREE(machine_krb5_principal);
1011 SAFE_FREE(ipc_username);
1012 SAFE_FREE(ipc_domain);
1013 SAFE_FREE(ipc_password);
1014
1015 if (!NT_STATUS_IS_OK(result)) {
1016 winbind_add_failed_connection_entry(domain, controller, result);
1017 if ((*cli) != NULL) {
1018 cli_shutdown(*cli);
1019 *cli = NULL;
1020 }
1021 }
1022
1023 return result;
1024 }
1025
1026 /*******************************************************************
1027 Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
1028 array.
1029
1030 Keeps the list unique by not adding duplicate entries.
1031
1032 @param[in] mem_ctx talloc memory context to allocate from
1033 @param[in] domain_name domain of the DC
1034 @param[in] dcname name of the DC to add to the list
1035 @param[in] pss Internet address and port pair to add to the list
1036 @param[in,out] dcs array of dc_name_ip structures to add to
1037 @param[in,out] num_dcs number of dcs returned in the dcs array
1038 @return true if the list was added to, false otherwise
1039 *******************************************************************/
1040
1041 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
1042 const char *dcname, struct sockaddr_storage *pss,
1043 struct dc_name_ip **dcs, int *num)
1044 {
1045 int i = 0;
1046
1047 if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
1048 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
1049 return False;
1050 }
1051
1052 /* Make sure there's no duplicates in the list */
1053 for (i=0; i<*num; i++)
1054 if (sockaddr_equal(
1055 (struct sockaddr *)(void *)&(*dcs)[i].ss,
1056 (struct sockaddr *)(void *)pss))
1057 return False;
1058
1059 *dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
1060
1061 if (*dcs == NULL)
1062 return False;
1063
1064 fstrcpy((*dcs)[*num].name, dcname);
1065 (*dcs)[*num].ss = *pss;
1066 *num += 1;
1067 return True;
1068 }
1069
1070 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1071 struct sockaddr_storage *pss, uint16 port,
1072 struct sockaddr_storage **addrs, int *num)
1073 {
1074 *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1075
1076 if (*addrs == NULL) {
1077 *num = 0;
1078 return False;
1079 }
1080
1081 (*addrs)[*num] = *pss;
1082 set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
1083
1084 *num += 1;
1085 return True;
1086 }
1087
1088 /*******************************************************************
1089 convert an ip to a name
1090 *******************************************************************/
1091
1092 static bool dcip_to_name(TALLOC_CTX *mem_ctx,
1093 const struct winbindd_domain *domain,
1094 struct sockaddr_storage *pss,
1095 fstring name )
1096 {
1097 struct ip_service ip_list;
1098 uint32_t nt_version = NETLOGON_NT_VERSION_1;
1099
1100 ip_list.ss = *pss;
1101 ip_list.port = 0;
1102
1103 #ifdef WITH_ADS
1104 /* For active directory servers, try to get the ldap server name.
1105 None of these failures should be considered critical for now */
1106
1107 if (lp_security() == SEC_ADS) {
1108 ADS_STRUCT *ads;
1109 ADS_STATUS ads_status;
1110 char addr[INET6_ADDRSTRLEN];
1111
1112 print_sockaddr(addr, sizeof(addr), pss);
1113
1114 ads = ads_init(domain->alt_name, domain->name, addr);
1115 ads->auth.flags |= ADS_AUTH_NO_BIND;
1116
1117 ads_status = ads_connect(ads);
1118 if (ADS_ERR_OK(ads_status)) {
1119 /* We got a cldap packet. */
1120 fstrcpy(name, ads->config.ldap_server_name);
1121 namecache_store(name, 0x20, 1, &ip_list);
1122
1123 DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
1124
1125 if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
1126 if (ads_closest_dc(ads)) {
1127 char *sitename = sitename_fetch(ads->config.realm);
1128
1129 /* We're going to use this KDC for this realm/domain.
1130 If we are using sites, then force the krb5 libs
1131 to use this KDC. */
1132
1133 create_local_private_krb5_conf_for_domain(domain->alt_name,
1134 domain->name,
1135 sitename,
1136 pss);
1137
1138 SAFE_FREE(sitename);
1139 } else {
1140 /* use an off site KDC */
1141 create_local_private_krb5_conf_for_domain(domain->alt_name,
1142 domain->name,
1143 NULL,
1144 pss);
1145 }
1146 winbindd_set_locator_kdc_envs(domain);
1147
1148 /* Ensure we contact this DC also. */
1149 saf_store( domain->name, name);
1150 saf_store( domain->alt_name, name);
1151 }
1152
1153 ads_destroy( &ads );
1154 return True;
1155 }
1156
1157 ads_destroy( &ads );
1158 }
1159 #endif
1160
1161 /* try GETDC requests next */
1162
1163 if (send_getdc_request(mem_ctx, winbind_messaging_context(),
1164 pss, domain->name, &domain->sid,
1165 nt_version)) {
1166 const char *dc_name = NULL;
1167 int i;
1168 smb_msleep(100);
1169 for (i=0; i<5; i++) {
1170 if (receive_getdc_response(mem_ctx, pss, domain->name,
1171 &nt_version,
1172 &dc_name, NULL)) {
1173 fstrcpy(name, dc_name);
1174 namecache_store(name, 0x20, 1, &ip_list);
1175 return True;
1176 }
1177 smb_msleep(500);
1178 }
1179 }
1180
1181 /* try node status request */
1182
1183 if ( name_status_find(domain->name, 0x1c, 0x20, pss, name) ) {
1184 namecache_store(name, 0x20, 1, &ip_list);
1185 return True;
1186 }
1187 return False;
1188 }
1189
1190 /*******************************************************************
1191 Retrieve a list of IP addresses for domain controllers.
1192
1193 The array is sorted in the preferred connection order.
1194
1195 @param[in] mem_ctx talloc memory context to allocate from
1196 @param[in] domain domain to retrieve DCs for
1197 @param[out] dcs array of dcs that will be returned
1198 @param[out] num_dcs number of dcs returned in the dcs array
1199 @return always true
1200 *******************************************************************/
1201
1202 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1203 struct dc_name_ip **dcs, int *num_dcs)
1204 {
1205 fstring dcname;
1206 struct sockaddr_storage ss;
1207 struct ip_service *ip_list = NULL;
1208 int iplist_size = 0;
1209 int i;
1210 bool is_our_domain;
1211 enum security_types sec = (enum security_types)lp_security();
1212
1213 is_our_domain = strequal(domain->name, lp_workgroup());
1214
1215 /* If not our domain, get the preferred DC, by asking our primary DC */
1216 if ( !is_our_domain
1217 && get_dc_name_via_netlogon(domain, dcname, &ss)
1218 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
1219 num_dcs) )
1220 {
1221 char addr[INET6_ADDRSTRLEN];
1222 print_sockaddr(addr, sizeof(addr), &ss);
1223 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1224 dcname, addr));
1225 return True;
1226 }
1227
1228 if (sec == SEC_ADS) {
1229 char *sitename = NULL;
1230
1231 /* We need to make sure we know the local site before
1232 doing any DNS queries, as this will restrict the
1233 get_sorted_dc_list() call below to only fetching
1234 DNS records for the correct site. */
1235
1236 /* Find any DC to get the site record.
1237 We deliberately don't care about the
1238 return here. */
1239
1240 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1241
1242 sitename = sitename_fetch(domain->alt_name);
1243 if (sitename) {
1244
1245 /* Do the site-specific AD dns lookup first. */
1246 get_sorted_dc_list(domain->alt_name, sitename, &ip_list,
1247 &iplist_size, True);
1248
1249 /* Add ips to the DC array. We don't look up the name
1250 of the DC in this function, but we fill in the char*
1251 of the ip now to make the failed connection cache
1252 work */
1253 for ( i=0; i<iplist_size; i++ ) {
1254 char addr[INET6_ADDRSTRLEN];
1255 print_sockaddr(addr, sizeof(addr),
1256 &ip_list[i].ss);
1257 add_one_dc_unique(mem_ctx,
1258 domain->name,
1259 addr,
1260 &ip_list[i].ss,
1261 dcs,
1262 num_dcs);
1263 }
1264
1265 SAFE_FREE(ip_list);
1266 SAFE_FREE(sitename);
1267 iplist_size = 0;
1268 }
1269
1270 /* Now we add DCs from the main AD DNS lookup. */
1271 get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
1272 &iplist_size, True);
1273
1274 for ( i=0; i<iplist_size; i++ ) {
1275 char addr[INET6_ADDRSTRLEN];
1276 print_sockaddr(addr, sizeof(addr),
1277 &ip_list[i].ss);
1278 add_one_dc_unique(mem_ctx,
1279 domain->name,
1280 addr,
1281 &ip_list[i].ss,
1282 dcs,
1283 num_dcs);
1284 }
1285
1286 SAFE_FREE(ip_list);
1287 iplist_size = 0;
1288 }
1289
1290 /* Try standard netbios queries if no ADS */
1291 if (*num_dcs == 0) {
1292 get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
1293 False);
1294
1295 for ( i=0; i<iplist_size; i++ ) {
1296 char addr[INET6_ADDRSTRLEN];
1297 print_sockaddr(addr, sizeof(addr),
1298 &ip_list[i].ss);
1299 add_one_dc_unique(mem_ctx,
1300 domain->name,
1301 addr,
1302 &ip_list[i].ss,
1303 dcs,
1304 num_dcs);
1305 }
1306
1307 SAFE_FREE(ip_list);
1308 iplist_size = 0;
1309 }
1310
1311 return True;
1312 }
1313
1314 /*******************************************************************
1315 Find and make a connection to a DC in the given domain.
1316
1317 @param[in] mem_ctx talloc memory context to allocate from
1318 @param[in] domain domain to find a dc in
1319 @param[out] dcname NetBIOS or FQDN of DC that's connected to
1320 @param[out] pss DC Internet address and port
1321 @param[out] fd fd of the open socket connected to the newly found dc
1322 @return true when a DC connection is made, false otherwise
1323 *******************************************************************/
1324
1325 static bool find_new_dc(TALLOC_CTX *mem_ctx,
1326 struct winbindd_domain *domain,
1327 fstring dcname, struct sockaddr_storage *pss, int *fd)
1328 {
1329 struct dc_name_ip *dcs = NULL;
1330 int num_dcs = 0;
1331
1332 const char **dcnames = NULL;
1333 int num_dcnames = 0;
1334
1335 struct sockaddr_storage *addrs = NULL;
1336 int num_addrs = 0;
1337
1338 int i, fd_index;
1339
1340 *fd = -1;
1341
1342 again:
1343 if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
1344 return False;
1345
1346 for (i=0; i<num_dcs; i++) {
1347
1348 if (!add_string_to_array(mem_ctx, dcs[i].name,
1349 &dcnames, &num_dcnames)) {
1350 return False;
1351 }
1352 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 445,
1353 &addrs, &num_addrs)) {
1354 return False;
1355 }
1356
1357 if (!add_string_to_array(mem_ctx, dcs[i].name,
1358 &dcnames, &num_dcnames)) {
1359 return False;
1360 }
1361 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 139,
1362 &addrs, &num_addrs)) {
1363 return False;
1364 }
1365 }
1366
1367 if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1368 return False;
1369
1370 if ((addrs == NULL) || (dcnames == NULL))
1371 return False;
1372
1373 /* 5 second timeout. */
1374 if (!open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) {
1375 for (i=0; i<num_dcs; i++) {
1376 char ab[INET6_ADDRSTRLEN];
1377 print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1378 DEBUG(10, ("find_new_dc: open_any_socket_out failed for "
1379 "domain %s address %s. Error was %s\n",
1380 domain->name, ab, strerror(errno) ));
1381 winbind_add_failed_connection_entry(domain,
1382 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1383 }
1384 return False;
1385 }
1386
1387 *pss = addrs[fd_index];
1388
1389 if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1390 /* Ok, we've got a name for the DC */
1391 fstrcpy(dcname, dcnames[fd_index]);
1392 return True;
1393 }
1394
1395 /* Try to figure out the name */
1396 if (dcip_to_name(mem_ctx, domain, pss, dcname)) {
1397 return True;
1398 }
1399
1400 /* We can not continue without the DC's name */
1401 winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1402 NT_STATUS_UNSUCCESSFUL);
1403
1404 /* Throw away all arrays as we're doing this again. */
1405 TALLOC_FREE(dcs);
1406 num_dcs = 0;
1407
1408 TALLOC_FREE(dcnames);
1409 num_dcnames = 0;
1410
1411 TALLOC_FREE(addrs);
1412 num_addrs = 0;
1413
1414 close(*fd);
1415 *fd = -1;
1416
1417 goto again;
1418 }
1419
1420 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1421 struct winbindd_cm_conn *new_conn)
1422 {
1423 TALLOC_CTX *mem_ctx;
1424 NTSTATUS result;
1425 char *saf_servername = saf_fetch( domain->name );
1426 int retries;
1427
1428 if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1429 SAFE_FREE(saf_servername);
1430 set_domain_offline(domain);
1431 return NT_STATUS_NO_MEMORY;
1432 }
1433
1434 /* we have to check the server affinity cache here since
1435 later we selecte a DC based on response time and not preference */
1436
1437 /* Check the negative connection cache
1438 before talking to it. It going down may have
1439 triggered the reconnection. */
1440
1441 if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
1442
1443 DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
1444 saf_servername, domain->name ));
1445
1446 /* convert an ip address to a name */
1447 if (is_ipaddress( saf_servername ) ) {
1448 fstring saf_name;
1449 struct sockaddr_storage ss;
1450
1451 if (!interpret_string_addr(&ss, saf_servername,
1452 AI_NUMERICHOST)) {
1453 return NT_STATUS_UNSUCCESSFUL;
1454 }
1455 if (dcip_to_name(mem_ctx, domain, &ss, saf_name )) {
1456 fstrcpy( domain->dcname, saf_name );
1457 } else {
1458 winbind_add_failed_connection_entry(
1459 domain, saf_servername,
1460 NT_STATUS_UNSUCCESSFUL);
1461 }
1462 } else {
1463 fstrcpy( domain->dcname, saf_servername );
1464 }
1465
1466 SAFE_FREE( saf_servername );
1467 }
1468
1469 for (retries = 0; retries < 3; retries++) {
1470 int fd = -1;
1471 bool retry = False;
1472
1473 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1474
1475 DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
1476 domain->dcname, domain->name ));
1477
1478 if (*domain->dcname
1479 && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
1480 && (resolve_name(domain->dcname, &domain->dcaddr, 0x20, true)))
1481 {
1482 struct sockaddr_storage *addrs = NULL;
1483 int num_addrs = 0;
1484 int dummy = 0;
1485
1486 if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 445, &addrs, &num_addrs)) {
1487 set_domain_offline(domain);
1488 talloc_destroy(mem_ctx);
1489 return NT_STATUS_NO_MEMORY;
1490 }
1491 if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 139, &addrs, &num_addrs)) {
1492 set_domain_offline(domain);
1493 talloc_destroy(mem_ctx);
1494 return NT_STATUS_NO_MEMORY;
1495 }
1496
1497 /* 5 second timeout. */
1498 if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) {
1499 fd = -1;
1500 }
1501 }
1502
1503 if ((fd == -1)
1504 && !find_new_dc(mem_ctx, domain, domain->dcname, &domain->dcaddr, &fd))
1505 {
1506 /* This is the one place where we will
1507 set the global winbindd offline state
1508 to true, if a "WINBINDD_OFFLINE" entry
1509 is found in the winbindd cache. */
1510 set_global_winbindd_state_offline();
1511 break;
1512 }
1513
1514 new_conn->cli = NULL;
1515
1516 result = cm_prepare_connection(domain, fd, domain->dcname,
1517 &new_conn->cli, &retry);
1518
1519 if (!retry)
1520 break;
1521 }
1522
1523 if (NT_STATUS_IS_OK(result)) {
1524
1525 winbindd_set_locator_kdc_envs(domain);
1526
1527 if (domain->online == False) {
1528 /* We're changing state from offline to online. */
1529 set_global_winbindd_state_online();
1530 }
1531 set_domain_online(domain);
1532 } else {
1533 /* Ensure we setup the retry handler. */
1534 set_domain_offline(domain);
1535 }
1536
1537 talloc_destroy(mem_ctx);
1538 return result;
1539 }
1540
1541 /* Close down all open pipes on a connection. */
1542
1543 void invalidate_cm_connection(struct winbindd_cm_conn *conn)
1544 {
1545 /* We're closing down a possibly dead
1546 connection. Don't have impossibly long (10s) timeouts. */
1547
1548 if (conn->cli) {
1549 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1550 }
1551
1552 if (conn->samr_pipe != NULL) {
1553 TALLOC_FREE(conn->samr_pipe);
1554 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1555 if (conn->cli) {
1556 cli_set_timeout(conn->cli, 500);
1557 }
1558 }
1559
1560 if (conn->lsa_pipe != NULL) {
1561 TALLOC_FREE(conn->lsa_pipe);
1562 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1563 if (conn->cli) {
1564 cli_set_timeout(conn->cli, 500);
1565 }
1566 }
1567
1568 if (conn->lsa_pipe_tcp != NULL) {
1569 TALLOC_FREE(conn->lsa_pipe_tcp);
1570 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1571 if (conn->cli) {
1572 cli_set_timeout(conn->cli, 500);
1573 }
1574 }
1575
1576 if (conn->netlogon_pipe != NULL) {
1577 TALLOC_FREE(conn->netlogon_pipe);
1578 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1579 if (conn->cli) {
1580 cli_set_timeout(conn->cli, 500);
1581 }
1582 }
1583
1584 if (conn->cli) {
1585 cli_shutdown(conn->cli);
1586 }
1587
1588 conn->cli = NULL;
1589 }
1590
1591 void close_conns_after_fork(void)
1592 {
1593 struct winbindd_domain *domain;
1594
1595 for (domain = domain_list(); domain; domain = domain->next) {
1596 if (domain->conn.cli == NULL)
1597 continue;
1598
1599 if (domain->conn.cli->fd == -1)
1600 continue;
1601
1602 close(domain->conn.cli->fd);
1603 domain->conn.cli->fd = -1;
1604 }
1605 }
1606
1607 static bool connection_ok(struct winbindd_domain *domain)
1608 {
1609 if (domain->conn.cli == NULL) {
1610 DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
1611 "cli!\n", domain->dcname, domain->name));
1612 return False;
1613 }
1614
1615 if (!domain->conn.cli->initialised) {
1616 DEBUG(3, ("connection_ok: Connection to %s for domain %s was never "
1617 "initialised!\n", domain->dcname, domain->name));
1618 return False;
1619 }
1620
1621 if (domain->conn.cli->fd == -1) {
1622 DEBUG(3, ("connection_ok: Connection to %s for domain %s has died or was "
1623 "never started (fd == -1)\n",
1624 domain->dcname, domain->name));
1625 return False;
1626 }
1627
1628 if (domain->online == False) {
1629 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1630 return False;
1631 }
1632
1633 return True;
1634 }
1635
1636 /* Initialize a new connection up to the RPC BIND.
1637 Bypass online status check so always does network calls. */
1638
1639 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
1640 {
1641 NTSTATUS result;
1642
1643 /* Internal connections never use the network. */
1644 if (domain->internal) {
1645 domain->initialized = True;
1646 return NT_STATUS_OK;
1647 }
1648
1649 if (connection_ok(domain)) {
1650 if (!domain->initialized) {
1651 set_dc_type_and_flags(domain);
1652 }
1653 return NT_STATUS_OK;
1654 }
1655
1656 invalidate_cm_connection(&domain->conn);
1657
1658 result = cm_open_connection(domain, &domain->conn);
1659
1660 if (NT_STATUS_IS_OK(result) && !domain->initialized) {
1661 set_dc_type_and_flags(domain);
1662 }
1663
1664 return result;
1665 }
1666
1667 NTSTATUS init_dc_connection(struct winbindd_domain *domain)
1668 {
1669 if (domain->initialized && !domain->online) {
1670 /* We check for online status elsewhere. */
1671 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1672 }
1673
1674 return init_dc_connection_network(domain);
1675 }
1676
1677 /******************************************************************************
1678 Set the trust flags (direction and forest location) for a domain
1679 ******************************************************************************/
1680
1681 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
1682 {
1683 struct winbindd_domain *our_domain;
1684 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1685 struct netr_DomainTrustList trusts;
1686 int i;
1687 uint32 flags = (NETR_TRUST_FLAG_IN_FOREST |
1688 NETR_TRUST_FLAG_OUTBOUND |
1689 NETR_TRUST_FLAG_INBOUND);
1690 struct rpc_pipe_client *cli;
1691 TALLOC_CTX *mem_ctx = NULL;
1692
1693 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
1694
1695 /* Our primary domain doesn't need to worry about trust flags.
1696 Force it to go through the network setup */
1697 if ( domain->primary ) {
1698 return False;
1699 }
1700
1701 our_domain = find_our_domain();
1702
1703 if ( !connection_ok(our_domain) ) {
1704 DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));
1705 return False;
1706 }
1707
1708 /* This won't work unless our domain is AD */
1709
1710 if ( !our_domain->active_directory ) {
1711 return False;
1712 }
1713
1714 /* Use DsEnumerateDomainTrusts to get us the trust direction
1715 and type */
1716
1717 result = cm_connect_netlogon(our_domain, &cli);
1718
1719 if (!NT_STATUS_IS_OK(result)) {
1720 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
1721 "a connection to %s for PIPE_NETLOGON (%s)\n",
1722 domain->name, nt_errstr(result)));
1723 return False;
1724 }
1725
1726 if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) {
1727 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n"));
1728 return False;
1729 }
1730
1731 result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1732 cli->desthost,
1733 flags,
1734 &trusts,
1735 NULL);
1736 if (!NT_STATUS_IS_OK(result)) {
1737 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
1738 "failed to query trusted domain list: %s\n",
1739 nt_errstr(result)));
1740 talloc_destroy(mem_ctx);
1741 return false;
1742 }
1743
1744 /* Now find the domain name and get the flags */
1745
1746 for ( i=0; i<trusts.count; i++ ) {
1747 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
1748 domain->domain_flags = trusts.array[i].trust_flags;
1749 domain->domain_type = trusts.array[i].trust_type;
1750 domain->domain_trust_attribs = trusts.array[i].trust_attributes;
1751
1752 if ( domain->domain_type == NETR_TRUST_TYPE_UPLEVEL )
1753 domain->active_directory = True;
1754
1755 /* This flag is only set if the domain is *our*
1756 primary domain and the primary domain is in
1757 native mode */
1758
1759 domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
1760
1761 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
1762 "native mode.\n", domain->name,
1763 domain->native_mode ? "" : "NOT "));
1764
1765 DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
1766 "running active directory.\n", domain->name,
1767 domain->active_directory ? "" : "NOT "));
1768
1769
1770 domain->initialized = True;
1771
1772 if ( !winbindd_can_contact_domain( domain) )
1773 domain->internal = True;
1774
1775 break;
1776 }
1777 }
1778
1779 talloc_destroy( mem_ctx );
1780
1781 return domain->initialized;
1782 }
1783
1784 /******************************************************************************
1785 We can 'sense' certain things about the DC by it's replies to certain
1786 questions.
1787
1788 This tells us if this particular remote server is Active Directory, and if it
1789 is native mode.
1790 ******************************************************************************/
1791
1792 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
1793 {
1794 NTSTATUS result;
1795 WERROR werr;
1796 TALLOC_CTX *mem_ctx = NULL;
1797 struct rpc_pipe_client *cli = NULL;
1798 struct policy_handle pol;
1799 union dssetup_DsRoleInfo info;
1800 union lsa_PolicyInformation *lsa_info = NULL;
1801
1802 if (!connection_ok(domain)) {
1803 return;
1804 }
1805
1806 mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
1807 domain->name);
1808 if (!mem_ctx) {
1809 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
1810 return;
1811 }
1812
1813 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
1814
1815 result = cli_rpc_pipe_open_noauth(domain->conn.cli,
1816 &ndr_table_dssetup.syntax_id,
1817 &cli);
1818
1819 if (!NT_STATUS_IS_OK(result)) {
1820 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1821 "PI_DSSETUP on domain %s: (%s)\n",
1822 domain->name, nt_errstr(result)));
1823
1824 /* if this is just a non-AD domain we need to continue
1825 * identifying so that we can in the end return with
1826 * domain->initialized = True - gd */
1827
1828 goto no_dssetup;
1829 }
1830
1831 result = rpccli_dssetup_DsRoleGetPrimaryDomainInformation(cli, mem_ctx,
1832 DS_ROLE_BASIC_INFORMATION,
1833 &info,
1834 &werr);
1835 TALLOC_FREE(cli);
1836
1837 if (!NT_STATUS_IS_OK(result)) {
1838 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
1839 "on domain %s failed: (%s)\n",
1840 domain->name, nt_errstr(result)));
1841
1842 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
1843 * every opcode on the DSSETUP pipe, continue with
1844 * no_dssetup mode here as well to get domain->initialized
1845 * set - gd */
1846
1847 if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
1848 goto no_dssetup;
1849 }
1850
1851 TALLOC_FREE(mem_ctx);
1852 return;
1853 }
1854
1855 if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
1856 !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
1857 domain->native_mode = True;
1858 } else {
1859 domain->native_mode = False;
1860 }
1861
1862 no_dssetup:
1863 result = cli_rpc_pipe_open_noauth(domain->conn.cli,
1864 &ndr_table_lsarpc.syntax_id, &cli);
1865
1866 if (!NT_STATUS_IS_OK(result)) {
1867 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
1868 "PI_LSARPC on domain %s: (%s)\n",
1869 domain->name, nt_errstr(result)));
1870 TALLOC_FREE(cli);
1871 TALLOC_FREE(mem_ctx);
1872 return;
1873 }
1874
1875 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
1876 SEC_FLAG_MAXIMUM_ALLOWED, &pol);
1877
1878 if (NT_STATUS_IS_OK(result)) {
1879 /* This particular query is exactly what Win2k clients use
1880 to determine that the DC is active directory */
1881 result = rpccli_lsa_QueryInfoPolicy2(cli, mem_ctx,
1882 &pol,
1883 LSA_POLICY_INFO_DNS,
1884 &lsa_info);
1885 }
1886
1887 if (NT_STATUS_IS_OK(result)) {
1888 domain->active_directory = True;
1889
1890 if (lsa_info->dns.name.string) {
1891 fstrcpy(domain->name, lsa_info->dns.name.string);
1892 }
1893
1894 if (lsa_info->dns.dns_domain.string) {
1895 fstrcpy(domain->alt_name,
1896 lsa_info->dns.dns_domain.string);
1897 }
1898
1899 /* See if we can set some domain trust flags about
1900 ourself */
1901
1902 if (lsa_info->dns.dns_forest.string) {
1903 fstrcpy(domain->forest_name,
1904 lsa_info->dns.dns_forest.string);
1905
1906 if (strequal(domain->forest_name, domain->alt_name)) {
1907 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
1908 }
1909 }
1910
1911 if (lsa_info->dns.sid) {
1912 sid_copy(&domain->sid, lsa_info->dns.sid);
1913 }
1914 } else {
1915 domain->active_directory = False;
1916
1917 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
1918 SEC_FLAG_MAXIMUM_ALLOWED,
1919 &pol);
1920
1921 if (!NT_STATUS_IS_OK(result)) {
1922 goto done;
1923 }
1924
1925 result = rpccli_lsa_QueryInfoPolicy(cli, mem_ctx,
1926 &pol,
1927 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
1928 &lsa_info);
1929
1930 if (NT_STATUS_IS_OK(result)) {
1931
1932 if (lsa_info->account_domain.name.string) {
1933 fstrcpy(domain->name,
1934 lsa_info->account_domain.name.string);
1935 }
1936
1937 if (lsa_info->account_domain.sid) {
1938 sid_copy(&domain->sid, lsa_info->account_domain.sid);
1939 }
1940 }
1941 }
1942 done:
1943
1944 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
1945 domain->name, domain->native_mode ? "" : "NOT "));
1946
1947 DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
1948 domain->name, domain->active_directory ? "" : "NOT "));
1949
1950 domain->can_do_ncacn_ip_tcp = domain->active_directory;
1951
1952 TALLOC_FREE(cli);
1953
1954 TALLOC_FREE(mem_ctx);
1955
1956 domain->initialized = True;
1957 }
1958
1959 /**********************************************************************
1960 Set the domain_flags (trust attributes, domain operating modes, etc...
1961 ***********************************************************************/
1962
1963 static void set_dc_type_and_flags( struct winbindd_domain *domain )
1964 {
1965 /* we always have to contact our primary domain */
1966
1967 if ( domain->primary ) {
1968 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
1969 "primary domain\n"));
1970 set_dc_type_and_flags_connect( domain );
1971 return;
1972 }
1973
1974 /* Use our DC to get the information if possible */
1975
1976 if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
1977 /* Otherwise, fallback to contacting the
1978 domain directly */
1979 set_dc_type_and_flags_connect( domain );
1980 }
1981
1982 return;
1983 }
1984
1985
1986
1987 /**********************************************************************
1988 ***********************************************************************/
1989
1990 static bool cm_get_schannel_creds(struct winbindd_domain *domain,
1991 struct netlogon_creds_CredentialState **ppdc)
1992 {
1993 NTSTATUS result;
1994 struct rpc_pipe_client *netlogon_pipe;
1995
1996 if (lp_client_schannel() == False) {
1997 return False;
1998 }
1999
2000 result = cm_connect_netlogon(domain, &netlogon_pipe);
2001 if (!NT_STATUS_IS_OK(result)) {
2002 return False;
2003 }
2004
2005 /* Return a pointer to the struct netlogon_creds_CredentialState from the
2006 netlogon pipe. */
2007
2008 if (!domain->conn.netlogon_pipe->dc) {
2009 return false;
2010 }
2011
2012 *ppdc = domain->conn.netlogon_pipe->dc;
2013 return True;
2014 }
2015
2016 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2017 struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
2018 {
2019 struct winbindd_cm_conn *conn;
2020 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2021 struct netlogon_creds_CredentialState *p_creds;
2022 char *machine_password = NULL;
2023 char *machine_account = NULL;
2024 char *domain_name = NULL;
2025
2026 result = init_dc_connection(domain);
2027 if (!NT_STATUS_IS_OK(result)) {
2028 return result;
2029 }
2030
2031 conn = &domain->conn;
2032
2033 if (conn->samr_pipe != NULL) {
2034 goto done;
2035 }
2036
2037
2038 /*
2039 * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
2040 * sign and sealed pipe using the machine account password by
2041 * preference. If we can't - try schannel, if that fails, try
2042 * anonymous.
2043 */
2044
2045 if ((conn->cli->user_name[0] == '\0') ||
2046 (conn->cli->domain[0] == '\0') ||
2047 (conn->cli->password == NULL || conn->cli->password[0] == '\0'))
2048 {
2049 result = get_trust_creds(domain, &machine_password,
2050 &machine_account, NULL);
2051 if (!NT_STATUS_IS_OK(result)) {
2052 DEBUG(10, ("cm_connect_sam: No no user available for "
2053 "domain %s, trying schannel\n", conn->cli->domain));
2054 goto schannel;
2055 }
2056 domain_name = domain->name;
2057 } else {
2058 machine_password = SMB_STRDUP(conn->cli->password);
2059 machine_account = SMB_STRDUP(conn->cli->user_name);
2060 domain_name = conn->cli->domain;
2061 }
2062
2063 if (!machine_password || !machine_account) {
2064 result = NT_STATUS_NO_MEMORY;
2065 goto done;
2066 }
2067
2068 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2069 authenticated SAMR pipe with sign & seal. */
2070 result = cli_rpc_pipe_open_spnego_ntlmssp(conn->cli,
2071 &ndr_table_samr.syntax_id,
2072 NCACN_NP,
2073 DCERPC_AUTH_LEVEL_PRIVACY,
2074 domain_name,
2075 machine_account,
2076 machine_password,
2077 &conn->samr_pipe);
2078
2079 if (!NT_STATUS_IS_OK(result)) {
2080 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2081 "pipe for domain %s using NTLMSSP "
2082 "authenticated pipe: user %s\\%s. Error was "
2083 "%s\n", domain->name, domain_name,
2084 machine_account, nt_errstr(result)));
2085 goto schannel;
2086 }
2087
2088 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2089 "domain %s using NTLMSSP authenticated "
2090 "pipe: user %s\\%s\n", domain->name,
2091 domain_name, machine_account));
2092
2093 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2094 conn->samr_pipe->desthost,
2095 SEC_FLAG_MAXIMUM_ALLOWED,
2096 &conn->sam_connect_handle);
2097 if (NT_STATUS_IS_OK(result)) {
2098 goto open_domain;
2099 }
2100 DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_Connect2 "
2101 "failed for domain %s, error was %s. Trying schannel\n",
2102 domain->name, nt_errstr(result) ));
2103 TALLOC_FREE(conn->samr_pipe);
2104
2105 schannel:
2106
2107 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2108
2109 if (!cm_get_schannel_creds(domain, &p_creds)) {
2110 /* If this call fails - conn->cli can now be NULL ! */
2111 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2112 "for domain %s, trying anon\n", domain->name));
2113 goto anonymous;
2114 }
2115 result = cli_rpc_pipe_open_schannel_with_key
2116 (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
2117 DCERPC_AUTH_LEVEL_PRIVACY,
2118 domain->name, &p_creds, &conn->samr_pipe);
2119
2120 if (!NT_STATUS_IS_OK(result)) {
2121 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2122 "domain %s using schannel. Error was %s\n",
2123 domain->name, nt_errstr(result) ));
2124 goto anonymous;
2125 }
2126 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2127 "schannel.\n", domain->name ));
2128
2129 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2130 conn->samr_pipe->desthost,
2131 SEC_FLAG_MAXIMUM_ALLOWED,
2132 &conn->sam_connect_handle);
2133 if (NT_STATUS_IS_OK(result)) {
2134 goto open_domain;
2135 }
2136 DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_Connect2 failed "
2137 "for domain %s, error was %s. Trying anonymous\n",
2138 domain->name, nt_errstr(result) ));
2139 TALLOC_FREE(conn->samr_pipe);
2140
2141 anonymous:
2142
2143 /* Finally fall back to anonymous. */
2144 result = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
2145 &conn->samr_pipe);
2146
2147 if (!NT_STATUS_IS_OK(result)) {
2148 goto done;
2149 }
2150
2151 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
2152 conn->samr_pipe->desthost,
2153 SEC_FLAG_MAXIMUM_ALLOWED,
2154 &conn->sam_connect_handle);
2155 if (!NT_STATUS_IS_OK(result)) {
2156 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2157 "for domain %s Error was %s\n",
2158 domain->name, nt_errstr(result) ));
2159 goto done;
2160 }
2161
2162 open_domain:
2163 result = rpccli_samr_OpenDomain(conn->samr_pipe,
2164 mem_ctx,
2165 &conn->sam_connect_handle,
2166 SEC_FLAG_MAXIMUM_ALLOWED,
2167 &domain->sid,
2168 &conn->sam_domain_handle);
2169
2170 done:
2171
2172 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
2173 /*
2174 * if we got access denied, we might just have no access rights
2175 * to talk to the remote samr server server (e.g. when we are a
2176 * PDC and we are connecting a w2k8 pdc via an interdomain
2177 * trust). In that case do not invalidate the whole connection
2178 * stack
2179 */
2180 TALLOC_FREE(conn->samr_pipe);
2181 ZERO_STRUCT(conn->sam_domain_handle);
2182 return result;
2183 } else if (!NT_STATUS_IS_OK(result)) {
2184 invalidate_cm_connection(conn);
2185 return result;
2186 }
2187
2188 *cli = conn->samr_pipe;
2189 *sam_handle = conn->sam_domain_handle;
2190 SAFE_FREE(machine_password);
2191 SAFE_FREE(machine_account);
2192 return result;
2193 }
2194
2195 /**********************************************************************
2196 open an schanneld ncacn_ip_tcp connection to LSA
2197 ***********************************************************************/
2198
2199 NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
2200 TALLOC_CTX *mem_ctx,
2201 struct rpc_pipe_client **cli)
2202 {
2203 struct winbindd_cm_conn *conn;
2204 NTSTATUS status;
2205
2206 DEBUG(10,("cm_connect_lsa_tcp\n"));
2207
2208 status = init_dc_connection(domain);
2209 if (!NT_STATUS_IS_OK(status)) {
2210 return status;
2211 }
2212
2213 conn = &domain->conn;
2214
2215 if (conn->lsa_pipe_tcp &&
2216 conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
2217 conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
2218 rpc_pipe_tcp_connection_ok(conn->lsa_pipe_tcp)) {
2219 goto done;
2220 }
2221
2222 TALLOC_FREE(conn->lsa_pipe_tcp);
2223
2224 status = cli_rpc_pipe_open_schannel(conn->cli,
2225 &ndr_table_lsarpc.syntax_id,
2226 NCACN_IP_TCP,
2227 DCERPC_AUTH_LEVEL_PRIVACY,
2228 domain->name,
2229 &conn->lsa_pipe_tcp);
2230 if (!NT_STATUS_IS_OK(status)) {
2231 DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n",
2232 nt_errstr(status)));
2233 goto done;
2234 }
2235
2236 done:
2237 if (!NT_STATUS_IS_OK(status)) {
2238 TALLOC_FREE(conn->lsa_pipe_tcp);
2239 return status;
2240 }
2241
2242 *cli = conn->lsa_pipe_tcp;
2243
2244 return status;
2245 }
2246
2247 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2248 struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
2249 {
2250 struct winbindd_cm_conn *conn;
2251 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2252 struct netlogon_creds_CredentialState *p_creds;
2253
2254 result = init_dc_connection(domain);
2255 if (!NT_STATUS_IS_OK(result))
2256 return result;
2257
2258 conn = &domain->conn;
2259
2260 if (conn->lsa_pipe != NULL) {
2261 goto done;
2262 }
2263
2264 if ((conn->cli->user_name[0] == '\0') ||
2265 (conn->cli->domain[0] == '\0') ||
2266 (conn->cli->password == NULL || conn->cli->password[0] == '\0')) {
2267 DEBUG(10, ("cm_connect_lsa: No no user available for "
2268 "domain %s, trying schannel\n", conn->cli->domain));
2269 goto schannel;
2270 }
2271
2272 /* We have an authenticated connection. Use a NTLMSSP SPNEGO
2273 * authenticated LSA pipe with sign & seal. */
2274 result = cli_rpc_pipe_open_spnego_ntlmssp
2275 (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
2276 DCERPC_AUTH_LEVEL_PRIVACY,
2277 conn->cli->domain, conn->cli->user_name, conn->cli->password,
2278 &conn->lsa_pipe);
2279
2280 if (!NT_STATUS_IS_OK(result)) {
2281 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2282 "domain %s using NTLMSSP authenticated pipe: user "
2283 "%s\\%s. Error was %s. Trying schannel.\n",
2284 domain->name, conn->cli->domain,
2285 conn->cli->user_name, nt_errstr(result)));
2286 goto schannel;
2287 }
2288
2289 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2290 "NTLMSSP authenticated pipe: user %s\\%s\n",
2291 domain->name, conn->cli->domain, conn->cli->user_name ));
2292
2293 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2294 SEC_FLAG_MAXIMUM_ALLOWED,
2295 &conn->lsa_policy);
2296 if (NT_STATUS_IS_OK(result)) {
2297 goto done;
2298 }
2299
2300 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2301 "schannel\n"));
2302
2303 TALLOC_FREE(conn->lsa_pipe);
2304
2305 schannel:
2306
2307 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2308
2309 if (!cm_get_schannel_creds(domain, &p_creds)) {
2310 /* If this call fails - conn->cli can now be NULL ! */
2311 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2312 "for domain %s, trying anon\n", domain->name));
2313 goto anonymous;
2314 }
2315 result = cli_rpc_pipe_open_schannel_with_key
2316 (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
2317 DCERPC_AUTH_LEVEL_PRIVACY,
2318 domain->name, &p_creds, &conn->lsa_pipe);
2319
2320 if (!NT_STATUS_IS_OK(result)) {
2321 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2322 "domain %s using schannel. Error was %s\n",
2323 domain->name, nt_errstr(result) ));
2324 goto anonymous;
2325 }
2326 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2327 "schannel.\n", domain->name ));
2328
2329 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2330 SEC_FLAG_MAXIMUM_ALLOWED,
2331 &conn->lsa_policy);
2332 if (NT_STATUS_IS_OK(result)) {
2333 goto done;
2334 }
2335
2336 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2337 "anonymous\n"));
2338
2339 TALLOC_FREE(conn->lsa_pipe);
2340
2341 anonymous:
2342
2343 result = cli_rpc_pipe_open_noauth(conn->cli,
2344 &ndr_table_lsarpc.syntax_id,
2345 &conn->lsa_pipe);
2346 if (!NT_STATUS_IS_OK(result)) {
2347 result = NT_STATUS_PIPE_NOT_AVAILABLE;
2348 goto done;
2349 }
2350
2351 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2352 SEC_FLAG_MAXIMUM_ALLOWED,
2353 &conn->lsa_policy);
2354 done:
2355 if (!NT_STATUS_IS_OK(result)) {
2356 invalidate_cm_connection(conn);
2357 return result;
2358 }
2359
2360 *cli = conn->lsa_pipe;
2361 *lsa_policy = conn->lsa_policy;
2362 return result;
2363 }
2364
2365 /****************************************************************************
2366 Open the netlogon pipe to this DC. Use schannel if specified in client conf.
2367 session key stored in conn->netlogon_pipe->dc->sess_key.
2368 ****************************************************************************/
2369
2370 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2371 struct rpc_pipe_client **cli)
2372 {
2373 struct winbindd_cm_conn *conn;
2374 NTSTATUS result;
2375
2376 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2377 uint8 mach_pwd[16];
2378 enum netr_SchannelType sec_chan_type;
2379 const char *account_name;
2380 struct rpc_pipe_client *netlogon_pipe = NULL;
2381
2382 *cli = NULL;
2383
2384 result = init_dc_connection(domain);
2385 if (!NT_STATUS_IS_OK(result)) {
2386 return result;
2387 }
2388
2389 conn = &domain->conn;
2390
2391 if (conn->netlogon_pipe != NULL) {
2392 *cli = conn->netlogon_pipe;
2393 return NT_STATUS_OK;
2394 }
2395
2396 result = cli_rpc_pipe_open_noauth(conn->cli,
2397 &ndr_table_netlogon.syntax_id,
2398 &netlogon_pipe);
2399 if (!NT_STATUS_IS_OK(result)) {
2400 return result;
2401 }
2402
2403 if ((!IS_DC) && (!domain->primary)) {
2404 /* Clear the schannel request bit and drop down */
2405 neg_flags &= ~NETLOGON_NEG_SCHANNEL;
2406 goto no_schannel;
2407 }
2408
2409 if (lp_client_schannel() != False) {
2410 neg_flags |= NETLOGON_NEG_SCHANNEL;
2411 }
2412
2413 if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
2414 &sec_chan_type))
2415 {
2416 TALLOC_FREE(netlogon_pipe);
2417 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2418 }
2419
2420 result = rpccli_netlogon_setup_creds(
2421 netlogon_pipe,
2422 domain->dcname, /* server name. */
2423 domain->name, /* domain name */
2424 global_myname(), /* client name */
2425 account_name, /* machine account */
2426 mach_pwd, /* machine password */
2427 sec_chan_type, /* from get_trust_pw */
2428 &neg_flags);
2429
2430 if (!NT_STATUS_IS_OK(result)) {
2431 TALLOC_FREE(netlogon_pipe);
2432 return result;
2433 }
2434
2435 if ((lp_client_schannel() == True) &&
2436 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2437 DEBUG(3, ("Server did not offer schannel\n"));
2438 TALLOC_FREE(netlogon_pipe);
2439 return NT_STATUS_ACCESS_DENIED;
2440 }
2441
2442 no_schannel:
2443 if ((lp_client_schannel() == False) ||
2444 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
2445 /*
2446 * NetSamLogonEx only works for schannel
2447 */
2448 domain->can_do_samlogon_ex = False;
2449
2450 /* We're done - just keep the existing connection to NETLOGON
2451 * open */
2452 conn->netlogon_pipe = netlogon_pipe;
2453 *cli = conn->netlogon_pipe;
2454 return NT_STATUS_OK;
2455 }
2456
2457 /* Using the credentials from the first pipe, open a signed and sealed
2458 second netlogon pipe. The session key is stored in the schannel
2459 part of the new pipe auth struct.
2460 */
2461
2462 result = cli_rpc_pipe_open_schannel_with_key(
2463 conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
2464 DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
2465 &conn->netlogon_pipe);
2466
2467 /* We can now close the initial netlogon pipe. */
2468 TALLOC_FREE(netlogon_pipe);
2469
2470 if (!NT_STATUS_IS_OK(result)) {
2471 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
2472 "was %s\n", nt_errstr(result)));
2473
2474 /* make sure we return something besides OK */
2475 return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
2476 }
2477
2478 /*
2479 * Always try netr_LogonSamLogonEx. We will fall back for NT4
2480 * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
2481 * supported). We used to only try SamLogonEx for AD, but
2482 * Samba DCs can also do it. And because we don't distinguish
2483 * between Samba and NT4, always try it once.
2484 */
2485 domain->can_do_samlogon_ex = true;
2486
2487 *cli = conn->netlogon_pipe;
2488 return NT_STATUS_OK;
2489 }
fernandojvsilva's samba4 branch