2001-10-05 04:20:06 +04:00
/*
2002-01-30 09:08:46 +03:00
Unix SMB / CIFS implementation .
2001-10-05 04:20:06 +04:00
Winbind daemon connection manager
2005-06-09 02:10:34 +04:00
Copyright ( C ) Tim Potter 2001
Copyright ( C ) Andrew Bartlett 2002
Copyright ( C ) Gerald ( Jerry ) Carter 2003 - 2005.
Copyright ( C ) Volker Lendecke 2004 - 2005
2006-12-07 02:14:15 +03:00
Copyright ( C ) Jeremy Allison 2006
2001-10-05 04:20:06 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
2001-11-28 02:48:44 +03:00
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
2001-10-05 04:20:06 +04:00
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
/*
We need to manage connections to domain controllers without having to
mess up the main winbindd code with other issues . The aim of the
connection manager is to :
- make connections to domain controllers and cache them
- re - establish connections when networks or servers go down
- centralise the policy on connection timeouts , domain controller
2001-11-28 02:48:44 +03:00
selection etc
2001-10-05 04:20:06 +04:00
- manage re - entrancy for when winbindd becomes able to handle
2001-11-28 02:48:44 +03:00
multiple outstanding rpc requests
2001-10-05 04:20:06 +04:00
Why not have connection management as part of the rpc layer like tng ?
Good question . This code may morph into libsmb / rpc_cache . c or something
2001-11-28 02:48:44 +03:00
like that but at the moment it ' s simply staying as part of winbind . I
2001-10-05 04:20:06 +04:00
think the TNG architecture of forcing every user of the rpc layer to use
2001-11-28 02:48:44 +03:00
the connection caching system is a bad idea . It should be an optional
2001-11-15 09:55:56 +03:00
method of using the routines .
2001-10-05 04:20:06 +04:00
The TNG design is quite good but I disagree with some aspects of the
implementation . - tpot
*/
/*
TODO :
- I ' m pretty annoyed by all the make_nmb_name ( ) stuff . It should be
moved down into another function .
2001-10-08 04:34:14 +04:00
- Take care when destroying cli_structs as they can be shared between
various sam handles .
2001-10-05 04:20:06 +04:00
*/
2003-11-12 04:51:10 +03:00
# include "includes.h"
2001-10-05 04:20:06 +04:00
# include "winbindd.h"
2002-07-15 14:35:28 +04:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_WINBIND
2006-12-13 01:41:42 +03:00
struct dc_name_ip {
fstring name ;
struct in_addr ip ;
} ;
2006-12-18 23:37:26 +03:00
extern struct winbindd_methods reconnect_methods ;
extern BOOL override_logfile ;
2006-12-07 02:14:15 +03:00
static NTSTATUS init_dc_connection_network ( struct winbindd_domain * domain ) ;
2006-10-06 21:33:57 +04:00
static void set_dc_type_and_flags ( struct winbindd_domain * domain ) ;
2006-12-13 01:41:42 +03:00
static BOOL get_dcs ( TALLOC_CTX * mem_ctx , const struct winbindd_domain * domain ,
struct dc_name_ip * * dcs , int * num_dcs ) ;
2006-09-07 01:43:31 +04:00
2006-12-07 02:14:15 +03:00
/****************************************************************
2006-12-13 01:41:42 +03:00
Child failed to find DC ' s . Reschedule check .
2006-12-07 02:14:15 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
r21064: The core of this patch is
void message_register(int msg_type,
void (*fn)(int msg_type, struct process_id pid,
- void *buf, size_t len))
+ void *buf, size_t len,
+ void *private_data),
+ void *private_data)
{
struct dispatch_fns *dfn;
So this adds a (so far unused) private pointer that is passed from
message_register to the message handler. A prerequisite to implement a tiny
samba4-API compatible wrapper around our messaging system. That itself is
necessary for the Samba4 notify system.
Yes, I know, I could import the whole Samba4 messaging system, but I want to
do it step by step and I think getting notify in is more important in this
step.
Volker
(This used to be commit c8ae60ed65dcce9660ee39c75488f2838cf9a28b)
2007-01-31 01:22:06 +03:00
static void msg_failed_to_go_online ( int msg_type , struct process_id src ,
void * buf , size_t len , void * private_data )
2006-12-07 02:14:15 +03:00
{
2006-12-13 01:41:42 +03:00
struct winbindd_domain * domain ;
const char * domainname = ( const char * ) buf ;
2006-12-07 08:48:01 +03:00
2006-12-13 01:41:42 +03:00
if ( buf = = NULL | | len = = 0 ) {
return ;
}
DEBUG ( 5 , ( " msg_fail_to_go_online: received for domain %s. \n " , domainname ) ) ;
for ( domain = domain_list ( ) ; domain ; domain = domain - > next ) {
if ( domain - > internal ) {
continue ;
2006-12-07 02:14:15 +03:00
}
2006-12-13 01:41:42 +03:00
if ( strequal ( domain - > name , domainname ) ) {
if ( domain - > online ) {
/* We're already online, ignore. */
DEBUG ( 5 , ( " msg_fail_to_go_online: domain %s "
" already online. \n " , domainname ) ) ;
continue ;
}
/* Reschedule the online check. */
set_domain_offline ( domain ) ;
break ;
}
}
}
/****************************************************************
Actually cause a reconnect from a message .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
r21064: The core of this patch is
void message_register(int msg_type,
void (*fn)(int msg_type, struct process_id pid,
- void *buf, size_t len))
+ void *buf, size_t len,
+ void *private_data),
+ void *private_data)
{
struct dispatch_fns *dfn;
So this adds a (so far unused) private pointer that is passed from
message_register to the message handler. A prerequisite to implement a tiny
samba4-API compatible wrapper around our messaging system. That itself is
necessary for the Samba4 notify system.
Yes, I know, I could import the whole Samba4 messaging system, but I want to
do it step by step and I think getting notify in is more important in this
step.
Volker
(This used to be commit c8ae60ed65dcce9660ee39c75488f2838cf9a28b)
2007-01-31 01:22:06 +03:00
static void msg_try_to_go_online ( int msg_type , struct process_id src ,
void * buf , size_t len , void * private_data )
2006-12-13 01:41:42 +03:00
{
struct winbindd_domain * domain ;
const char * domainname = ( const char * ) buf ;
if ( buf = = NULL | | len = = 0 ) {
return ;
}
DEBUG ( 5 , ( " msg_try_to_go_online: received for domain %s. \n " , domainname ) ) ;
for ( domain = domain_list ( ) ; domain ; domain = domain - > next ) {
if ( domain - > internal ) {
continue ;
}
if ( strequal ( domain - > name , domainname ) ) {
if ( domain - > online ) {
/* We're already online, ignore. */
DEBUG ( 5 , ( " msg_try_to_go_online: domain %s "
" already online. \n " , domainname ) ) ;
continue ;
}
/* This call takes care of setting the online
flag to true if we connected , or re - adding
the offline handler if false . Bypasses online
check so always does network calls . */
init_dc_connection_network ( domain ) ;
break ;
}
}
}
/****************************************************************
Fork a child to try and contact a DC . Do this as contacting a
DC requires blocking lookups and we don ' t want to block our
parent .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static BOOL fork_child_dc_connect ( struct winbindd_domain * domain )
{
struct dc_name_ip * dcs = NULL ;
int num_dcs = 0 ;
TALLOC_CTX * mem_ctx = NULL ;
pid_t child_pid ;
pid_t parent_pid = sys_getpid ( ) ;
/* Stop zombies */
CatchChild ( ) ;
message_block ( ) ;
child_pid = sys_fork ( ) ;
if ( child_pid = = - 1 ) {
DEBUG ( 0 , ( " fork_child_dc_connect: Could not fork: %s \n " , strerror ( errno ) ) ) ;
message_unblock ( ) ;
return False ;
}
if ( child_pid ! = 0 ) {
/* Parent */
r21064: The core of this patch is
void message_register(int msg_type,
void (*fn)(int msg_type, struct process_id pid,
- void *buf, size_t len))
+ void *buf, size_t len,
+ void *private_data),
+ void *private_data)
{
struct dispatch_fns *dfn;
So this adds a (so far unused) private pointer that is passed from
message_register to the message handler. A prerequisite to implement a tiny
samba4-API compatible wrapper around our messaging system. That itself is
necessary for the Samba4 notify system.
Yes, I know, I could import the whole Samba4 messaging system, but I want to
do it step by step and I think getting notify in is more important in this
step.
Volker
(This used to be commit c8ae60ed65dcce9660ee39c75488f2838cf9a28b)
2007-01-31 01:22:06 +03:00
message_register ( MSG_WINBIND_TRY_TO_GO_ONLINE ,
msg_try_to_go_online , NULL ) ;
message_register ( MSG_WINBIND_FAILED_TO_GO_ONLINE ,
msg_failed_to_go_online , NULL ) ;
2006-12-13 01:41:42 +03:00
message_unblock ( ) ;
return True ;
}
/* Child. */
/* Leave messages blocked - we will never process one. */
/* tdb needs special fork handling */
if ( tdb_reopen_all ( 1 ) = = - 1 ) {
DEBUG ( 0 , ( " tdb_reopen_all failed. \n " ) ) ;
_exit ( 0 ) ;
2006-12-07 02:14:15 +03:00
}
2006-12-13 01:41:42 +03:00
close_conns_after_fork ( ) ;
if ( ! override_logfile ) {
2007-01-26 18:58:10 +03:00
pstring logfile ;
pstr_sprintf ( logfile , " %s/log.winbindd-dc-connect " , dyn_LOGFILEBASE ) ;
lp_set_logfile ( logfile ) ;
2006-12-13 01:41:42 +03:00
reopen_logs ( ) ;
}
mem_ctx = talloc_init ( " fork_child_dc_connect " ) ;
if ( ! mem_ctx ) {
DEBUG ( 0 , ( " talloc_init failed. \n " ) ) ;
_exit ( 0 ) ;
}
if ( ( ! get_dcs ( mem_ctx , domain , & dcs , & num_dcs ) ) | | ( num_dcs = = 0 ) ) {
/* Still offline ? Can't find DC's. */
message_send_pid ( pid_to_procid ( parent_pid ) , MSG_WINBIND_FAILED_TO_GO_ONLINE ,
domain - > name ,
strlen ( domain - > name ) + 1 , False ) ;
_exit ( 0 ) ;
}
/* We got a DC. Send a message to our parent to get it to
try and do the same . */
message_send_pid ( pid_to_procid ( parent_pid ) , MSG_WINBIND_TRY_TO_GO_ONLINE ,
domain - > name ,
strlen ( domain - > name ) + 1 , False ) ;
_exit ( 0 ) ;
2006-12-07 02:14:15 +03:00
}
2006-09-07 01:43:31 +04:00
/****************************************************************
Handler triggered if we ' re offline to try and detect a DC .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-01-17 15:59:14 +03:00
static void check_domain_online_handler ( struct event_context * ctx ,
struct timed_event * te ,
2006-09-07 01:43:31 +04:00
const struct timeval * now ,
void * private_data )
{
struct winbindd_domain * domain =
( struct winbindd_domain * ) private_data ;
DEBUG ( 10 , ( " check_domain_online_handler: called for domain %s \n " ,
domain - > name ) ) ;
if ( domain - > check_online_event ) {
TALLOC_FREE ( domain - > check_online_event ) ;
}
2006-09-28 22:08:03 +04:00
/* Are we still in "startup" mode ? */
if ( domain - > startup & & ( now - > tv_sec > domain - > startup_time + 30 ) ) {
/* No longer in "startup" mode. */
DEBUG ( 10 , ( " check_domain_online_handler: domain %s no longer in 'startup' mode. \n " ,
domain - > name ) ) ;
domain - > startup = False ;
}
2006-09-07 01:43:31 +04:00
/* We've been told to stay offline, so stay
that way . */
if ( get_global_winbindd_state_offline ( ) ) {
DEBUG ( 10 , ( " check_domain_online_handler: domain %s remaining globally offline \n " ,
domain - > name ) ) ;
return ;
}
2006-12-13 01:41:42 +03:00
/* Fork a child to test if it can contact a DC.
If it can then send ourselves a message to
cause a reconnect . */
2006-12-07 02:14:15 +03:00
2006-12-13 01:41:42 +03:00
fork_child_dc_connect ( domain ) ;
}
/****************************************************************
2006-12-13 04:11:29 +03:00
If we ' re still offline setup the timeout check .
2006-12-13 01:41:42 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void calc_new_online_timeout_check ( struct winbindd_domain * domain )
{
int wbc = lp_winbind_cache_time ( ) ;
if ( domain - > startup ) {
domain - > check_online_timeout = 10 ;
} else if ( domain - > check_online_timeout < wbc ) {
domain - > check_online_timeout = wbc ;
}
2006-09-07 01:43:31 +04:00
}
/****************************************************************
Set domain offline and also add handler to put us back online
if we detect a DC .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void set_domain_offline ( struct winbindd_domain * domain )
{
DEBUG ( 10 , ( " set_domain_offline: called for domain %s \n " ,
domain - > name ) ) ;
if ( domain - > check_online_event ) {
TALLOC_FREE ( domain - > check_online_event ) ;
}
2006-10-10 08:00:42 +04:00
if ( domain - > internal ) {
DEBUG ( 3 , ( " set_domain_offline: domain %s is internal - logic error. \n " ,
domain - > name ) ) ;
return ;
}
2006-09-07 01:43:31 +04:00
domain - > online = False ;
2006-12-07 02:14:15 +03:00
/* Offline domains are always initialized. They're
re - initialized when they go back online . */
domain - > initialized = True ;
2006-09-07 01:43:31 +04:00
/* We only add the timeout handler that checks and
allows us to go back online when we ' ve not
been told to remain offline . */
if ( get_global_winbindd_state_offline ( ) ) {
DEBUG ( 10 , ( " set_domain_offline: domain %s remaining globally offline \n " ,
domain - > name ) ) ;
return ;
}
2006-09-28 22:08:03 +04:00
/* If we're in statup mode, check again in 10 seconds, not in
lp_winbind_cache_time ( ) seconds ( which is 5 mins by default ) . */
2006-12-07 08:48:01 +03:00
calc_new_online_timeout_check ( domain ) ;
2006-12-07 02:14:15 +03:00
2007-01-20 00:29:46 +03:00
domain - > check_online_event = event_add_timed ( winbind_event_context ( ) ,
NULL ,
2006-12-07 02:14:15 +03:00
timeval_current_ofs ( domain - > check_online_timeout , 0 ) ,
2006-09-07 01:43:31 +04:00
" check_domain_online_handler " ,
check_domain_online_handler ,
domain ) ;
/* The above *has* to succeed for winbindd to work. */
if ( ! domain - > check_online_event ) {
smb_panic ( " set_domain_offline: failed to add online handler. \n " ) ;
}
DEBUG ( 10 , ( " set_domain_offline: added event handler for domain %s \n " ,
domain - > name ) ) ;
}
/****************************************************************
Set domain online - if allowed .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-09-14 13:11:30 +04:00
static void set_domain_online ( struct winbindd_domain * domain )
2006-09-07 01:43:31 +04:00
{
2006-09-13 17:55:19 +04:00
struct timeval now ;
2006-09-07 05:07:43 +04:00
DEBUG ( 10 , ( " set_domain_online: called for domain %s \n " ,
2006-09-07 01:43:31 +04:00
domain - > name ) ) ;
2006-10-10 08:00:42 +04:00
if ( domain - > internal ) {
2007-02-19 20:47:50 +03:00
DEBUG ( 3 , ( " set_domain_online: domain %s is internal - logic error. \n " ,
2006-10-10 08:00:42 +04:00
domain - > name ) ) ;
return ;
}
2006-09-07 01:43:31 +04:00
if ( get_global_winbindd_state_offline ( ) ) {
DEBUG ( 10 , ( " set_domain_online: domain %s remaining globally offline \n " ,
domain - > name ) ) ;
return ;
}
2006-09-13 17:55:19 +04:00
/* If we are waiting to get a krb5 ticket, trigger immediately. */
GetTimeOfDay ( & now ) ;
2007-01-17 15:59:14 +03:00
set_event_dispatch_time ( winbind_event_context ( ) ,
" krb5_ticket_gain_handler " , now ) ;
2006-09-28 22:08:03 +04:00
/* Ok, we're out of any startup mode now... */
domain - > startup = False ;
2006-10-06 06:04:57 +04:00
2006-10-06 21:33:57 +04:00
if ( domain - > online = = False ) {
/* We were offline - now we're online. We default to
using the MS - RPC backend if we started offline ,
and if we ' re going online for the first time we
should really re - initialize the backends and the
checks to see if we ' re talking to an AD or NT domain .
*/
domain - > initialized = False ;
/* 'reconnect_methods' is the MS-RPC backend. */
if ( domain - > backend = = & reconnect_methods ) {
domain - > backend = NULL ;
}
2006-10-06 06:04:57 +04:00
}
2006-10-06 21:33:57 +04:00
2006-12-07 02:14:15 +03:00
/* Ensure we have no online timeout checks. */
domain - > check_online_timeout = 0 ;
if ( domain - > check_online_event ) {
TALLOC_FREE ( domain - > check_online_event ) ;
}
2006-12-13 01:41:42 +03:00
/* Ensure we ignore any pending child messages. */
message_deregister ( MSG_WINBIND_TRY_TO_GO_ONLINE ) ;
message_deregister ( MSG_WINBIND_FAILED_TO_GO_ONLINE ) ;
2006-10-06 21:33:57 +04:00
domain - > online = True ;
2006-09-07 01:43:31 +04:00
}
2006-09-14 13:11:30 +04:00
/****************************************************************
2006-09-14 18:26:33 +04:00
Requested to set a domain online .
2006-09-14 13:11:30 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void set_domain_online_request ( struct winbindd_domain * domain )
{
2006-12-19 03:48:39 +03:00
struct timeval tev ;
2006-09-14 13:11:30 +04:00
DEBUG ( 10 , ( " set_domain_online_request: called for domain %s \n " ,
domain - > name ) ) ;
if ( get_global_winbindd_state_offline ( ) ) {
DEBUG ( 10 , ( " set_domain_online_request: domain %s remaining globally offline \n " ,
domain - > name ) ) ;
return ;
}
2006-09-14 18:26:33 +04:00
/* We've been told it's safe to go online and
2006-09-28 22:08:03 +04:00
try and connect to a DC . But I don ' t believe it
because network manager seems to lie .
2006-09-14 18:26:33 +04:00
Wait at least 5 seconds . Heuristics suck . . . */
2006-09-14 13:11:30 +04:00
2006-09-14 18:26:33 +04:00
if ( ! domain - > check_online_event ) {
2006-12-19 03:48:39 +03:00
/* If we've come from being globally offline we
don ' t have a check online event handler set .
We need to add one now we ' re trying to go
back online . */
2006-09-14 13:11:30 +04:00
2006-12-19 03:48:39 +03:00
DEBUG ( 10 , ( " set_domain_online_request: domain %s was globally offline. \n " ,
domain - > name ) ) ;
2006-09-28 22:08:03 +04:00
2007-01-20 00:29:46 +03:00
domain - > check_online_event = event_add_timed ( winbind_event_context ( ) ,
NULL ,
timeval_current_ofs ( 5 , 0 ) ,
" check_domain_online_handler " ,
check_domain_online_handler ,
domain ) ;
2007-01-19 23:05:02 +03:00
/* The above *has* to succeed for winbindd to work. */
if ( ! domain - > check_online_event ) {
smb_panic ( " set_domain_online_request: failed to add online handler. \n " ) ;
}
2006-09-14 13:11:30 +04:00
}
2006-12-19 03:48:39 +03:00
GetTimeOfDay ( & tev ) ;
/* Go into "startup" mode again. */
domain - > startup_time = tev . tv_sec ;
domain - > startup = True ;
tev . tv_sec + = 5 ;
2007-01-17 15:59:14 +03:00
2007-01-19 23:05:02 +03:00
set_event_dispatch_time ( winbind_event_context ( ) , " check_domain_online_handler " , tev ) ;
2006-09-14 13:11:30 +04:00
}
2006-09-07 01:43:31 +04:00
/****************************************************************
Add - ve connection cache entries for domain and realm .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void winbind_add_failed_connection_entry ( const struct winbindd_domain * domain ,
const char * server ,
NTSTATUS result )
{
add_failed_connection_entry ( domain - > name , server , result ) ;
2006-09-07 07:44:05 +04:00
/* If this was the saf name for the last thing we talked to,
remove it . */
2006-11-17 02:48:46 +03:00
saf_delete ( domain - > name ) ;
2006-09-07 01:43:31 +04:00
if ( * domain - > alt_name ) {
add_failed_connection_entry ( domain - > alt_name , server , result ) ;
2006-11-17 02:48:46 +03:00
saf_delete ( domain - > alt_name ) ;
2006-09-07 01:43:31 +04:00
}
}
2005-07-27 21:30:23 +04:00
2001-12-11 08:19:15 +03:00
/* Choose between anonymous or authenticated connections. We need to use
an authenticated connection if DCs have the RestrictAnonymous registry
entry set > 0 , or the " Additional restrictions for anonymous
2002-02-15 16:28:59 +03:00
connections " set in the win2k Local Security Policy.
Caller to free ( ) result in domain , username , password
*/
2001-12-11 08:19:15 +03:00
2002-02-15 16:28:59 +03:00
static void cm_get_ipc_userpass ( char * * username , char * * domain , char * * password )
2001-12-11 08:19:15 +03:00
{
2006-08-16 21:14:16 +04:00
* username = ( char * ) secrets_fetch ( SECRETS_AUTH_USER , NULL ) ;
* domain = ( char * ) secrets_fetch ( SECRETS_AUTH_DOMAIN , NULL ) ;
* password = ( char * ) secrets_fetch ( SECRETS_AUTH_PASSWORD , NULL ) ;
2002-02-15 16:28:59 +03:00
if ( * username & & * * username ) {
2002-11-02 04:06:10 +03:00
if ( ! * domain | | ! * * domain )
2002-02-15 16:28:59 +03:00
* domain = smb_xstrdup ( lp_workgroup ( ) ) ;
2002-11-02 04:06:10 +03:00
if ( ! * password | | ! * * password )
* password = smb_xstrdup ( " " ) ;
2005-04-01 02:02:38 +04:00
DEBUG ( 3 , ( " cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s \\ %s] \n " ,
2002-11-02 04:06:10 +03:00
* domain , * username ) ) ;
2002-02-15 16:28:59 +03:00
} else {
2005-04-01 02:02:38 +04:00
DEBUG ( 3 , ( " cm_get_ipc_userpass: No auth-user defined \n " ) ) ;
2002-02-15 16:28:59 +03:00
* username = smb_xstrdup ( " " ) ;
* domain = smb_xstrdup ( " " ) ;
* password = smb_xstrdup ( " " ) ;
}
2001-12-11 08:19:15 +03:00
}
2004-04-20 06:37:49 +04:00
static BOOL get_dc_name_via_netlogon ( const struct winbindd_domain * domain ,
fstring dcname , struct in_addr * dc_ip )
{
2006-01-30 20:47:24 +03:00
struct winbindd_domain * our_domain = NULL ;
struct rpc_pipe_client * netlogon_pipe = NULL ;
2004-04-20 06:37:49 +04:00
NTSTATUS result ;
2006-10-06 20:13:10 +04:00
WERROR werr ;
2004-04-20 06:37:49 +04:00
TALLOC_CTX * mem_ctx ;
2006-10-07 01:35:26 +04:00
unsigned int orig_timeout ;
2004-04-20 06:37:49 +04:00
fstring tmp ;
char * p ;
2005-06-09 02:10:34 +04:00
/* Hmmmm. We can only open one connection to the NETLOGON pipe at the
* moment . . . . */
2005-09-30 21:13:37 +04:00
if ( IS_DC ) {
2004-04-20 06:37:49 +04:00
return False ;
2005-09-30 21:13:37 +04:00
}
2004-04-20 06:37:49 +04:00
2005-09-30 21:13:37 +04:00
if ( domain - > primary ) {
2004-04-20 06:37:49 +04:00
return False ;
2005-09-30 21:13:37 +04:00
}
2004-04-20 06:37:49 +04:00
2005-06-09 02:10:34 +04:00
our_domain = find_our_domain ( ) ;
2004-04-20 06:37:49 +04:00
2005-09-30 21:13:37 +04:00
if ( ( mem_ctx = talloc_init ( " get_dc_name_via_netlogon " ) ) = = NULL ) {
2004-04-20 06:37:49 +04:00
return False ;
2005-06-09 02:10:34 +04:00
}
2005-09-30 21:13:37 +04:00
result = cm_connect_netlogon ( our_domain , & netlogon_pipe ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
2006-12-16 04:32:57 +03:00
talloc_destroy ( mem_ctx ) ;
2004-04-20 06:37:49 +04:00
return False ;
2005-09-30 21:13:37 +04:00
}
2004-04-20 06:37:49 +04:00
2006-10-07 01:35:26 +04:00
/* This call can take a long time - allow the server to time out.
35 seconds should do it . */
orig_timeout = cli_set_timeout ( netlogon_pipe - > cli , 35000 ) ;
2006-10-06 20:13:10 +04:00
werr = rpccli_netlogon_getdcname ( netlogon_pipe , mem_ctx , our_domain - > dcname ,
2005-06-09 02:10:34 +04:00
domain - > name , tmp ) ;
2004-04-20 06:37:49 +04:00
2006-10-07 01:35:26 +04:00
/* And restore our original timeout. */
cli_set_timeout ( netlogon_pipe - > cli , orig_timeout ) ;
2004-04-20 06:37:49 +04:00
talloc_destroy ( mem_ctx ) ;
2006-10-06 20:13:10 +04:00
if ( ! W_ERROR_IS_OK ( werr ) ) {
2005-10-27 15:01:29 +04:00
DEBUG ( 10 , ( " rpccli_netlogon_getdcname failed: %s \n " ,
2006-10-06 20:13:10 +04:00
dos_errstr ( werr ) ) ) ;
2004-04-20 06:37:49 +04:00
return False ;
2005-10-27 15:01:29 +04:00
}
2004-04-20 06:37:49 +04:00
/* cli_netlogon_getdcname gives us a name with \\ */
p = tmp ;
2005-09-30 21:13:37 +04:00
if ( * p = = ' \\ ' ) {
p + = 1 ;
}
if ( * p = = ' \\ ' ) {
p + = 1 ;
}
2004-04-20 06:37:49 +04:00
fstrcpy ( dcname , p ) ;
2005-10-27 15:01:29 +04:00
DEBUG ( 10 , ( " rpccli_netlogon_getdcname returned %s \n " , dcname ) ) ;
2005-09-30 21:13:37 +04:00
if ( ! resolve_name ( dcname , dc_ip , 0x20 ) ) {
2004-04-20 06:37:49 +04:00
return False ;
2005-09-30 21:13:37 +04:00
}
2004-04-20 06:37:49 +04:00
return True ;
}
2004-11-18 14:57:49 +03:00
/************************************************************************
Given a fd with a just - connected TCP connection to a DC , open a connection
to the pipe .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-02-15 16:28:59 +03:00
2004-11-18 14:57:49 +03:00
static NTSTATUS cm_prepare_connection ( const struct winbindd_domain * domain ,
const int sockfd ,
const char * controller ,
struct cli_state * * cli ,
BOOL * retry )
2001-10-05 04:20:06 +04:00
{
2005-09-30 21:13:37 +04:00
char * machine_password , * machine_krb5_principal , * machine_account ;
2004-11-18 14:57:49 +03:00
char * ipc_username , * ipc_domain , * ipc_password ;
2002-02-15 16:28:59 +03:00
2004-11-18 14:57:49 +03:00
BOOL got_mutex ;
2001-11-15 22:40:00 +03:00
2004-11-18 14:57:49 +03:00
NTSTATUS result = NT_STATUS_UNSUCCESSFUL ;
2002-10-02 03:07:12 +04:00
2004-11-18 14:57:49 +03:00
struct sockaddr peeraddr ;
socklen_t peeraddr_len ;
2004-04-20 06:37:49 +04:00
2004-11-18 14:57:49 +03:00
struct sockaddr_in * peeraddr_in = ( struct sockaddr_in * ) & peeraddr ;
2004-04-20 06:37:49 +04:00
2006-09-07 20:51:17 +04:00
DEBUG ( 10 , ( " cm_prepare_connection: connecting to DC %s for domain %s \n " ,
controller , domain - > name ) ) ;
2004-11-18 14:57:49 +03:00
machine_password = secrets_fetch_machine_password ( lp_workgroup ( ) , NULL ,
NULL ) ;
2003-08-20 02:47:10 +04:00
2005-09-30 21:13:37 +04:00
if ( asprintf ( & machine_account , " %s$ " , global_myname ( ) ) = = - 1 ) {
SAFE_FREE ( machine_password ) ;
return NT_STATUS_NO_MEMORY ;
}
2004-11-18 14:57:49 +03:00
if ( asprintf ( & machine_krb5_principal , " %s$@%s " , global_myname ( ) ,
lp_realm ( ) ) = = - 1 ) {
2005-09-30 21:13:37 +04:00
SAFE_FREE ( machine_account ) ;
2003-08-20 02:47:10 +04:00
SAFE_FREE ( machine_password ) ;
return NT_STATUS_NO_MEMORY ;
}
2001-10-05 04:20:06 +04:00
2003-08-20 02:47:10 +04:00
cm_get_ipc_userpass ( & ipc_username , & ipc_domain , & ipc_password ) ;
2001-10-05 04:20:06 +04:00
2004-11-18 14:57:49 +03:00
* retry = True ;
got_mutex = secrets_named_mutex ( controller ,
WINBIND_SERVER_MUTEX_WAIT_TIME ) ;
if ( ! got_mutex ) {
2005-12-12 17:08:42 +03:00
DEBUG ( 0 , ( " cm_prepare_connection: mutex grab failed for %s \n " ,
2004-11-18 14:57:49 +03:00
controller ) ) ;
result = NT_STATUS_POSSIBLE_DEADLOCK ;
goto done ;
}
2006-07-11 22:01:26 +04:00
if ( ( * cli = cli_initialise ( ) ) = = NULL ) {
2004-11-18 14:57:49 +03:00
DEBUG ( 1 , ( " Could not cli_initialize \n " ) ) ;
result = NT_STATUS_NO_MEMORY ;
goto done ;
}
( * cli ) - > timeout = 10000 ; /* 10 seconds */
( * cli ) - > fd = sockfd ;
fstrcpy ( ( * cli ) - > desthost , controller ) ;
( * cli ) - > use_kerberos = True ;
peeraddr_len = sizeof ( peeraddr ) ;
if ( ( getpeername ( ( * cli ) - > fd , & peeraddr , & peeraddr_len ) ! = 0 ) | |
( peeraddr_len ! = sizeof ( struct sockaddr_in ) ) | |
( peeraddr_in - > sin_family ! = PF_INET ) )
2005-01-06 20:50:51 +03:00
{
DEBUG ( 0 , ( " cm_prepare_connection: %s \n " , strerror ( errno ) ) ) ;
2006-05-26 16:28:55 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
2004-11-18 14:57:49 +03:00
goto done ;
2005-01-06 20:50:51 +03:00
}
2004-11-18 14:57:49 +03:00
if ( ntohs ( peeraddr_in - > sin_port ) = = 139 ) {
struct nmb_name calling ;
struct nmb_name called ;
make_nmb_name ( & calling , global_myname ( ) , 0x0 ) ;
make_nmb_name ( & called , " *SMBSERVER " , 0x20 ) ;
if ( ! cli_session_request ( * cli , & calling , & called ) ) {
DEBUG ( 8 , ( " cli_session_request failed for %s \n " ,
controller ) ) ;
2006-05-26 16:28:55 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
2004-11-18 14:57:49 +03:00
goto done ;
2003-01-16 23:08:26 +03:00
}
2004-11-18 14:57:49 +03:00
}
2003-08-20 02:47:10 +04:00
2004-11-18 14:57:49 +03:00
cli_setup_signing_state ( * cli , Undefined ) ;
2003-08-20 08:25:09 +04:00
2004-11-18 14:57:49 +03:00
if ( ! cli_negprot ( * cli ) ) {
DEBUG ( 1 , ( " cli_negprot failed \n " ) ) ;
2006-05-26 16:28:55 +04:00
result = NT_STATUS_UNSUCCESSFUL ;
2004-11-18 14:57:49 +03:00
goto done ;
}
2003-08-20 08:25:09 +04:00
2005-09-30 21:13:37 +04:00
if ( ( * cli ) - > protocol > = PROTOCOL_NT1 & & ( * cli ) - > capabilities & CAP_EXTENDED_SECURITY ) {
2004-11-18 14:57:49 +03:00
ADS_STATUS ads_status ;
2005-09-30 21:13:37 +04:00
if ( lp_security ( ) = = SEC_ADS ) {
/* Try a krb5 session */
( * cli ) - > use_kerberos = True ;
DEBUG ( 5 , ( " connecting to %s from %s with kerberos principal "
" [%s] \n " , controller , global_myname ( ) ,
machine_krb5_principal ) ) ;
ads_status = cli_session_setup_spnego ( * cli ,
machine_krb5_principal ,
machine_password ,
lp_workgroup ( ) ) ;
if ( ! ADS_ERR_OK ( ads_status ) ) {
DEBUG ( 4 , ( " failed kerberos session setup with %s \n " ,
ads_errstr ( ads_status ) ) ) ;
}
result = ads_ntstatus ( ads_status ) ;
if ( NT_STATUS_IS_OK ( result ) ) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
cli_init_creds ( * cli , machine_account , lp_workgroup ( ) , machine_password ) ;
goto session_setup_done ;
}
}
/* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
( * cli ) - > use_kerberos = False ;
DEBUG ( 5 , ( " connecting to %s from %s with username "
" [%s] \\ [%s] \n " , controller , global_myname ( ) ,
2006-04-03 23:08:23 +04:00
lp_workgroup ( ) , machine_account ) ) ;
2004-11-18 14:57:49 +03:00
ads_status = cli_session_setup_spnego ( * cli ,
2005-09-30 21:13:37 +04:00
machine_account ,
2004-11-18 14:57:49 +03:00
machine_password ,
lp_workgroup ( ) ) ;
2005-09-30 21:13:37 +04:00
if ( ! ADS_ERR_OK ( ads_status ) ) {
DEBUG ( 4 , ( " authenticated session setup failed with %s \n " ,
ads_errstr ( ads_status ) ) ) ;
}
2004-11-18 14:57:49 +03:00
result = ads_ntstatus ( ads_status ) ;
2005-09-30 21:13:37 +04:00
if ( NT_STATUS_IS_OK ( result ) ) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
cli_init_creds ( * cli , machine_account , lp_workgroup ( ) , machine_password ) ;
goto session_setup_done ;
}
2004-11-18 14:57:49 +03:00
}
2003-08-20 08:25:09 +04:00
2004-11-18 14:57:49 +03:00
/* Fall back to non-kerberos session setup */
( * cli ) - > use_kerberos = False ;
if ( ( ( ( * cli ) - > sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE ) ! = 0 ) & &
( strlen ( ipc_username ) > 0 ) ) {
/* Only try authenticated if we have a username */
DEBUG ( 5 , ( " connecting to %s from %s with username "
" [%s] \\ [%s] \n " , controller , global_myname ( ) ,
ipc_domain , ipc_username ) ) ;
2006-08-16 21:14:16 +04:00
if ( NT_STATUS_IS_OK ( cli_session_setup (
* cli , ipc_username ,
ipc_password , strlen ( ipc_password ) + 1 ,
ipc_password , strlen ( ipc_password ) + 1 ,
ipc_domain ) ) ) {
2005-09-30 21:13:37 +04:00
/* Successful logon with given username. */
cli_init_creds ( * cli , ipc_username , ipc_domain , ipc_password ) ;
2004-11-18 14:57:49 +03:00
goto session_setup_done ;
2005-09-30 21:13:37 +04:00
} else {
DEBUG ( 4 , ( " authenticated session setup with user %s \\ %s failed. \n " ,
ipc_domain , ipc_username ) ) ;
2003-08-20 02:47:10 +04:00
}
2004-11-18 14:57:49 +03:00
}
/* Fall back to anonymous connection, this might fail later */
2006-08-16 21:14:16 +04:00
if ( NT_STATUS_IS_OK ( cli_session_setup ( * cli , " " , NULL , 0 ,
NULL , 0 , " " ) ) ) {
2004-11-18 14:57:49 +03:00
DEBUG ( 5 , ( " Connected anonymously \n " ) ) ;
2005-09-30 21:13:37 +04:00
cli_init_creds ( * cli , " " , " " , " " ) ;
2004-11-18 14:57:49 +03:00
goto session_setup_done ;
}
result = cli_nt_error ( * cli ) ;
if ( NT_STATUS_IS_OK ( result ) )
result = NT_STATUS_UNSUCCESSFUL ;
2003-08-20 02:47:10 +04:00
2004-11-18 14:57:49 +03:00
/* We can't session setup */
goto done ;
session_setup_done :
2006-02-04 00:19:24 +03:00
/* cache the server name for later connections */
2006-02-15 21:45:25 +03:00
saf_store ( domain - > name , ( * cli ) - > desthost ) ;
2006-09-06 01:11:08 +04:00
if ( domain - > alt_name & & ( * cli ) - > use_kerberos ) {
2006-09-05 10:32:46 +04:00
saf_store ( domain - > alt_name , ( * cli ) - > desthost ) ;
}
2006-02-04 00:19:24 +03:00
2004-11-18 14:57:49 +03:00
if ( ! cli_send_tconX ( * cli , " IPC$ " , " IPC " , " " , 0 ) ) {
result = cli_nt_error ( * cli ) ;
DEBUG ( 1 , ( " failed tcon_X with %s \n " , nt_errstr ( result ) ) ) ;
2002-10-17 21:10:24 +04:00
if ( NT_STATUS_IS_OK ( result ) )
2004-11-18 14:57:49 +03:00
result = NT_STATUS_UNSUCCESSFUL ;
goto done ;
2002-10-17 21:10:24 +04:00
}
2001-10-05 04:20:06 +04:00
2004-11-18 14:57:49 +03:00
secrets_named_mutex_release ( controller ) ;
got_mutex = False ;
* retry = False ;
2004-06-03 22:00:22 +04:00
2004-11-18 14:57:49 +03:00
/* set the domain if empty; needed for schannel connections */
2005-09-30 21:13:37 +04:00
if ( ! * ( * cli ) - > domain ) {
2004-11-18 14:57:49 +03:00
fstrcpy ( ( * cli ) - > domain , domain - > name ) ;
2005-09-30 21:13:37 +04:00
}
2004-11-18 14:57:49 +03:00
result = NT_STATUS_OK ;
done :
2005-09-30 21:13:37 +04:00
if ( got_mutex ) {
2004-11-18 14:57:49 +03:00
secrets_named_mutex_release ( controller ) ;
2005-09-30 21:13:37 +04:00
}
2004-11-18 14:57:49 +03:00
2005-09-30 21:13:37 +04:00
SAFE_FREE ( machine_account ) ;
2004-11-18 14:57:49 +03:00
SAFE_FREE ( machine_password ) ;
SAFE_FREE ( machine_krb5_principal ) ;
2002-02-15 16:28:59 +03:00
SAFE_FREE ( ipc_username ) ;
SAFE_FREE ( ipc_domain ) ;
SAFE_FREE ( ipc_password ) ;
2001-11-15 06:33:12 +03:00
2006-05-26 16:28:55 +04:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
2006-09-07 01:43:31 +04:00
winbind_add_failed_connection_entry ( domain , controller , result ) ;
2006-05-26 16:28:55 +04:00
if ( ( * cli ) ! = NULL ) {
cli_shutdown ( * cli ) ;
* cli = NULL ;
}
2005-09-30 21:13:37 +04:00
}
2004-11-18 14:57:49 +03:00
return result ;
}
static BOOL add_one_dc_unique ( TALLOC_CTX * mem_ctx , const char * domain_name ,
const char * dcname , struct in_addr ip ,
struct dc_name_ip * * dcs , int * num )
{
2005-10-27 15:01:29 +04:00
if ( ! NT_STATUS_IS_OK ( check_negative_conn_cache ( domain_name , dcname ) ) ) {
DEBUG ( 10 , ( " DC %s was in the negative conn cache \n " , dcname ) ) ;
2004-11-18 14:57:49 +03:00
return False ;
2005-10-27 15:01:29 +04:00
}
2004-11-18 14:57:49 +03:00
2004-12-07 21:25:53 +03:00
* dcs = TALLOC_REALLOC_ARRAY ( mem_ctx , * dcs , struct dc_name_ip , ( * num ) + 1 ) ;
2004-11-18 14:57:49 +03:00
if ( * dcs = = NULL )
return False ;
fstrcpy ( ( * dcs ) [ * num ] . name , dcname ) ;
( * dcs ) [ * num ] . ip = ip ;
* num + = 1 ;
return True ;
}
static BOOL add_sockaddr_to_array ( TALLOC_CTX * mem_ctx ,
struct in_addr ip , uint16 port ,
struct sockaddr_in * * addrs , int * num )
{
2004-12-07 21:25:53 +03:00
* addrs = TALLOC_REALLOC_ARRAY ( mem_ctx , * addrs , struct sockaddr_in , ( * num ) + 1 ) ;
2004-11-18 14:57:49 +03:00
2006-12-09 05:58:18 +03:00
if ( * addrs = = NULL ) {
* num = 0 ;
2004-11-18 14:57:49 +03:00
return False ;
2006-12-09 05:58:18 +03:00
}
2004-11-18 14:57:49 +03:00
( * addrs ) [ * num ] . sin_family = PF_INET ;
putip ( ( char * ) & ( ( * addrs ) [ * num ] . sin_addr ) , ( char * ) & ip ) ;
( * addrs ) [ * num ] . sin_port = htons ( port ) ;
* num + = 1 ;
return True ;
}
2005-06-09 02:10:34 +04:00
static void mailslot_name ( struct in_addr dc_ip , fstring name )
{
fstr_sprintf ( name , " \\ MAILSLOT \\ NET \\ GETDC%X " , dc_ip . s_addr ) ;
}
static BOOL send_getdc_request ( struct in_addr dc_ip ,
const char * domain_name ,
const DOM_SID * sid )
{
pstring outbuf ;
char * p ;
fstring my_acct_name ;
fstring my_mailslot ;
mailslot_name ( dc_ip , my_mailslot ) ;
memset ( outbuf , ' \0 ' , sizeof ( outbuf ) ) ;
p = outbuf ;
SCVAL ( p , 0 , SAMLOGON ) ;
p + + ;
SCVAL ( p , 0 , 0 ) ; /* Count pointer ... */
p + + ;
SIVAL ( p , 0 , 0 ) ; /* The sender's token ... */
p + = 2 ;
p + = dos_PutUniCode ( p , global_myname ( ) , sizeof ( pstring ) , True ) ;
fstr_sprintf ( my_acct_name , " %s$ " , global_myname ( ) ) ;
p + = dos_PutUniCode ( p , my_acct_name , sizeof ( pstring ) , True ) ;
memcpy ( p , my_mailslot , strlen ( my_mailslot ) + 1 ) ;
p + = strlen ( my_mailslot ) + 1 ;
SIVAL ( p , 0 , 0x80 ) ;
p + = 4 ;
SIVAL ( p , 0 , sid_size ( sid ) ) ;
p + = 4 ;
p = ALIGN4 ( p , outbuf ) ;
sid_linearize ( p , sid_size ( sid ) , sid ) ;
p + = sid_size ( sid ) ;
SIVAL ( p , 0 , 1 ) ;
SSVAL ( p , 4 , 0xffff ) ;
SSVAL ( p , 6 , 0xffff ) ;
p + = 8 ;
return cli_send_mailslot ( False , " \\ MAILSLOT \\ NET \\ NTLOGON " , 0 ,
outbuf , PTR_DIFF ( p , outbuf ) ,
global_myname ( ) , 0 , domain_name , 0x1c ,
dc_ip ) ;
}
static BOOL receive_getdc_response ( struct in_addr dc_ip ,
const char * domain_name ,
fstring dc_name )
{
struct packet_struct * packet ;
fstring my_mailslot ;
char * buf , * p ;
fstring dcname , user , domain ;
int len ;
mailslot_name ( dc_ip , my_mailslot ) ;
packet = receive_unexpected ( DGRAM_PACKET , 0 , my_mailslot ) ;
if ( packet = = NULL ) {
DEBUG ( 5 , ( " Did not receive packet for %s \n " , my_mailslot ) ) ;
return False ;
}
DEBUG ( 5 , ( " Received packet for %s \n " , my_mailslot ) ) ;
buf = packet - > packet . dgram . data ;
len = packet - > packet . dgram . datasize ;
if ( len < 70 ) {
/* 70 is a completely arbitrary value to make sure
the SVAL below does not read uninitialized memory */
DEBUG ( 3 , ( " GetDC got short response \n " ) ) ;
return False ;
}
/* This should be (buf-4)+SVAL(buf-4, smb_vwv12)... */
p = buf + SVAL ( buf , smb_vwv10 ) ;
if ( CVAL ( p , 0 ) ! = SAMLOGON_R ) {
DEBUG ( 8 , ( " GetDC got invalid response type %d \n " , CVAL ( p , 0 ) ) ) ;
return False ;
}
p + = 2 ;
pull_ucs2 ( buf , dcname , p , sizeof ( dcname ) , PTR_DIFF ( buf + len , p ) ,
STR_TERMINATE | STR_NOALIGN ) ;
p = skip_unibuf ( p , PTR_DIFF ( buf + len , p ) ) ;
pull_ucs2 ( buf , user , p , sizeof ( dcname ) , PTR_DIFF ( buf + len , p ) ,
STR_TERMINATE | STR_NOALIGN ) ;
p = skip_unibuf ( p , PTR_DIFF ( buf + len , p ) ) ;
pull_ucs2 ( buf , domain , p , sizeof ( dcname ) , PTR_DIFF ( buf + len , p ) ,
STR_TERMINATE | STR_NOALIGN ) ;
p = skip_unibuf ( p , PTR_DIFF ( buf + len , p ) ) ;
if ( ! strequal ( domain , domain_name ) ) {
DEBUG ( 3 , ( " GetDC: Expected domain %s, got %s \n " ,
domain_name , domain ) ) ;
return False ;
}
p = dcname ;
if ( * p = = ' \\ ' ) p + = 1 ;
if ( * p = = ' \\ ' ) p + = 1 ;
fstrcpy ( dc_name , p ) ;
DEBUG ( 10 , ( " GetDC gave name %s for domain %s \n " ,
dc_name , domain ) ) ;
return True ;
}
2005-02-11 17:31:14 +03:00
/*******************************************************************
convert an ip to a name
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-12-21 03:43:21 +03:00
static BOOL dcip_to_name ( const struct winbindd_domain * domain , struct in_addr ip , fstring name )
2004-11-18 14:57:49 +03:00
{
2006-03-28 17:34:13 +04:00
struct ip_service ip_list ;
ip_list . ip = ip ;
ip_list . port = 0 ;
2005-06-09 02:10:34 +04:00
2006-08-31 05:20:21 +04:00
# ifdef WITH_ADS
/* For active directory servers, try to get the ldap server name.
None of these failures should be considered critical for now */
2006-09-03 07:46:07 +04:00
if ( lp_security ( ) = = SEC_ADS ) {
2006-08-31 05:20:21 +04:00
ADS_STRUCT * ads ;
2006-12-21 03:43:21 +03:00
ads = ads_init ( domain - > alt_name , domain - > name , NULL ) ;
2006-08-31 05:20:21 +04:00
ads - > auth . flags | = ADS_AUTH_NO_BIND ;
if ( ads_try_connect ( ads , inet_ntoa ( ip ) ) ) {
/* We got a cldap packet. */
fstrcpy ( name , ads - > config . ldap_server_name ) ;
namecache_store ( name , 0x20 , 1 , & ip_list ) ;
2006-09-02 05:23:08 +04:00
DEBUG ( 10 , ( " dcip_to_name: flags = 0x%x \n " , ( unsigned int ) ads - > config . flags ) ) ;
2006-10-04 19:05:00 +04:00
2006-12-21 03:43:21 +03:00
if ( domain - > primary & & ( ads - > config . flags & ADS_KDC ) & & ads_closest_dc ( ads ) ) {
2007-01-18 12:58:57 +03:00
char * sitename = sitename_fetch ( ads - > config . realm ) ;
2007-01-17 21:25:35 +03:00
2006-08-31 05:20:21 +04:00
/* We're going to use this KDC for this realm/domain.
If we are using sites , then force the krb5 libs
to use this KDC . */
2006-12-21 03:43:21 +03:00
create_local_private_krb5_conf_for_domain ( domain - > alt_name ,
domain - > name ,
2007-01-17 21:25:35 +03:00
sitename ,
2006-08-31 05:20:21 +04:00
ip ) ;
2006-09-15 18:18:52 +04:00
2007-01-17 21:25:35 +03:00
SAFE_FREE ( sitename ) ;
2006-09-15 18:18:52 +04:00
/* Ensure we contact this DC also. */
2006-12-21 03:43:21 +03:00
saf_store ( domain - > name , name ) ;
saf_store ( domain - > alt_name , name ) ;
2006-08-31 05:20:21 +04:00
}
2006-10-04 19:05:00 +04:00
2006-08-31 05:20:21 +04:00
ads_destroy ( & ads ) ;
return True ;
}
ads_destroy ( & ads ) ;
}
# endif
/* try GETDC requests next */
2005-06-09 02:10:34 +04:00
2006-12-21 03:43:21 +03:00
if ( send_getdc_request ( ip , domain - > name , & domain - > sid ) ) {
2005-10-22 01:46:49 +04:00
int i ;
smb_msleep ( 100 ) ;
for ( i = 0 ; i < 5 ; i + + ) {
2006-12-21 03:43:21 +03:00
if ( receive_getdc_response ( ip , domain - > name , name ) ) {
2006-03-28 17:34:13 +04:00
namecache_store ( name , 0x20 , 1 , & ip_list ) ;
2006-05-26 16:28:55 +04:00
return True ;
2006-03-28 17:34:13 +04:00
}
2005-10-22 01:46:49 +04:00
smb_msleep ( 500 ) ;
}
2005-06-09 02:10:34 +04:00
}
/* try node status request */
2004-11-18 14:57:49 +03:00
2006-12-21 03:43:21 +03:00
if ( name_status_find ( domain - > name , 0x1c , 0x20 , ip , name ) ) {
2006-03-28 17:34:13 +04:00
namecache_store ( name , 0x20 , 1 , & ip_list ) ;
2006-05-26 16:28:55 +04:00
return True ;
2006-03-28 17:34:13 +04:00
}
2006-05-26 16:28:55 +04:00
return False ;
2004-11-18 14:57:49 +03:00
}
2005-02-11 17:31:14 +03:00
/*******************************************************************
Retreive a list of IP address for domain controllers . Fill in
the dcs [ ] with results .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-11-18 14:57:49 +03:00
static BOOL get_dcs ( TALLOC_CTX * mem_ctx , const struct winbindd_domain * domain ,
struct dc_name_ip * * dcs , int * num_dcs )
{
fstring dcname ;
2005-02-11 17:31:14 +03:00
struct in_addr ip ;
struct ip_service * ip_list = NULL ;
int iplist_size = 0 ;
int i ;
BOOL is_our_domain ;
2006-08-30 22:48:49 +04:00
enum security_types sec = ( enum security_types ) lp_security ( ) ;
2004-11-18 14:57:49 +03:00
is_our_domain = strequal ( domain - > name , lp_workgroup ( ) ) ;
2005-02-11 17:31:14 +03:00
if ( ! is_our_domain
& & get_dc_name_via_netlogon ( domain , dcname , & ip )
& & add_one_dc_unique ( mem_ctx , domain - > name , dcname , ip , dcs , num_dcs ) )
{
2005-10-27 15:01:29 +04:00
DEBUG ( 10 , ( " Retrieved DC %s at %s via netlogon \n " ,
dcname , inet_ntoa ( ip ) ) ) ;
2005-02-11 17:31:14 +03:00
return True ;
2004-11-18 14:57:49 +03:00
}
2006-08-30 22:48:49 +04:00
if ( sec = = SEC_ADS ) {
2007-01-17 21:25:35 +03:00
char * sitename = NULL ;
2006-08-30 22:48:49 +04:00
/* We need to make sure we know the local site before
doing any DNS queries , as this will restrict the
get_sorted_dc_list ( ) call below to only fetching
DNS records for the correct site . */
/* Find any DC to get the site record.
We deliberately don ' t care about the
return here . */
2007-01-17 21:25:35 +03:00
2007-01-31 23:05:48 +03:00
get_dc_name ( domain - > name , domain - > alt_name , dcname , & ip ) ;
2004-11-18 14:57:49 +03:00
2007-01-31 23:05:48 +03:00
sitename = sitename_fetch ( domain - > alt_name ) ;
2007-01-17 22:11:45 +03:00
if ( sitename ) {
2007-01-17 21:25:35 +03:00
2007-01-17 22:11:45 +03:00
/* Do the site-specific AD dns lookup first. */
get_sorted_dc_list ( domain - > alt_name , sitename , & ip_list , & iplist_size , True ) ;
2007-01-17 21:25:35 +03:00
2007-01-17 22:11:45 +03:00
for ( i = 0 ; i < iplist_size ; i + + ) {
add_one_dc_unique ( mem_ctx , domain - > name , inet_ntoa ( ip_list [ i ] . ip ) ,
ip_list [ i ] . ip , dcs , num_dcs ) ;
}
2007-01-17 21:25:35 +03:00
2007-01-17 22:11:45 +03:00
SAFE_FREE ( ip_list ) ;
SAFE_FREE ( sitename ) ;
iplist_size = 0 ;
}
2007-01-17 21:25:35 +03:00
/* Now we add DCs from the main AD dns lookup. */
get_sorted_dc_list ( domain - > alt_name , NULL , & ip_list , & iplist_size , True ) ;
for ( i = 0 ; i < iplist_size ; i + + ) {
add_one_dc_unique ( mem_ctx , domain - > name , inet_ntoa ( ip_list [ i ] . ip ) ,
ip_list [ i ] . ip , dcs , num_dcs ) ;
}
2006-09-15 20:03:11 +04:00
}
2004-11-18 14:57:49 +03:00
2006-09-15 20:03:11 +04:00
/* try standard netbios queries if no ADS */
2004-11-18 14:57:49 +03:00
2007-01-17 21:25:35 +03:00
if ( iplist_size = = 0 ) {
get_sorted_dc_list ( domain - > name , NULL , & ip_list , & iplist_size , False ) ;
}
2004-11-18 14:57:49 +03:00
2005-06-09 02:10:34 +04:00
/* FIXME!! this is where we should re-insert the GETDC requests --jerry */
2005-02-11 17:31:14 +03:00
/* now add to the dc array. We'll wait until the last minute
to look up the name of the DC . But we fill in the char * for
the ip now in to make the failed connection cache work */
2005-01-14 15:17:18 +03:00
2005-02-11 17:31:14 +03:00
for ( i = 0 ; i < iplist_size ; i + + ) {
add_one_dc_unique ( mem_ctx , domain - > name , inet_ntoa ( ip_list [ i ] . ip ) ,
ip_list [ i ] . ip , dcs , num_dcs ) ;
2002-02-15 16:28:59 +03:00
}
2001-11-15 22:40:00 +03:00
2005-02-11 17:31:14 +03:00
SAFE_FREE ( ip_list ) ;
2004-11-18 14:57:49 +03:00
return True ;
}
static BOOL find_new_dc ( TALLOC_CTX * mem_ctx ,
const struct winbindd_domain * domain ,
fstring dcname , struct sockaddr_in * addr , int * fd )
{
struct dc_name_ip * dcs = NULL ;
int num_dcs = 0 ;
2005-02-11 17:31:14 +03:00
const char * * dcnames = NULL ;
2004-11-18 14:57:49 +03:00
int num_dcnames = 0 ;
struct sockaddr_in * addrs = NULL ;
int num_addrs = 0 ;
int i , fd_index ;
2006-05-26 16:28:55 +04:00
again :
2004-11-18 14:57:49 +03:00
if ( ! get_dcs ( mem_ctx , domain , & dcs , & num_dcs ) | | ( num_dcs = = 0 ) )
return False ;
for ( i = 0 ; i < num_dcs ; i + + ) {
2006-12-09 05:58:18 +03:00
if ( ! add_string_to_array ( mem_ctx , dcs [ i ] . name ,
& dcnames , & num_dcnames ) ) {
return False ;
}
if ( ! add_sockaddr_to_array ( mem_ctx , dcs [ i ] . ip , 445 ,
& addrs , & num_addrs ) ) {
return False ;
}
2004-11-18 14:57:49 +03:00
2006-12-09 05:58:18 +03:00
if ( ! add_string_to_array ( mem_ctx , dcs [ i ] . name ,
& dcnames , & num_dcnames ) ) {
return False ;
}
if ( ! add_sockaddr_to_array ( mem_ctx , dcs [ i ] . ip , 139 ,
& addrs , & num_addrs ) ) {
return False ;
}
2004-11-18 14:57:49 +03:00
}
if ( ( num_dcnames = = 0 ) | | ( num_dcnames ! = num_addrs ) )
return False ;
2006-06-19 23:41:56 +04:00
if ( ( addrs = = NULL ) | | ( dcnames = = NULL ) )
return False ;
2006-09-06 23:02:39 +04:00
/* 5 second timeout. */
if ( ! open_any_socket_out ( addrs , num_addrs , 5000 , & fd_index , fd ) )
2005-02-11 17:31:14 +03:00
{
2004-11-18 14:57:49 +03:00
for ( i = 0 ; i < num_dcs ; i + + ) {
2006-09-14 18:26:33 +04:00
DEBUG ( 10 , ( " find_new_dc: open_any_socket_out failed for "
2006-09-15 18:05:28 +04:00
" domain %s address %s. Error was %s \n " ,
domain - > name , inet_ntoa ( dcs [ i ] . ip ) , strerror ( errno ) ) ) ;
2006-09-07 01:43:31 +04:00
winbind_add_failed_connection_entry ( domain ,
2005-02-11 17:31:14 +03:00
dcs [ i ] . name , NT_STATUS_UNSUCCESSFUL ) ;
2004-11-18 14:57:49 +03:00
}
return False ;
}
* addr = addrs [ fd_index ] ;
2006-05-26 16:28:55 +04:00
if ( * dcnames [ fd_index ] ! = ' \0 ' & & ! is_ipaddress ( dcnames [ fd_index ] ) ) {
/* Ok, we've got a name for the DC */
2005-02-11 17:31:14 +03:00
fstrcpy ( dcname , dcnames [ fd_index ] ) ;
2006-05-26 16:28:55 +04:00
return True ;
}
2005-02-11 17:31:14 +03:00
2006-05-26 16:28:55 +04:00
/* Try to figure out the name */
2006-12-21 03:43:21 +03:00
if ( dcip_to_name ( domain , addr - > sin_addr , dcname ) ) {
2006-05-26 16:28:55 +04:00
return True ;
}
/* We can not continue without the DC's name */
2006-09-07 01:43:31 +04:00
winbind_add_failed_connection_entry ( domain , dcs [ fd_index ] . name ,
2006-05-26 16:28:55 +04:00
NT_STATUS_UNSUCCESSFUL ) ;
goto again ;
2004-11-18 14:57:49 +03:00
}
static NTSTATUS cm_open_connection ( struct winbindd_domain * domain ,
struct winbindd_cm_conn * new_conn )
{
TALLOC_CTX * mem_ctx ;
NTSTATUS result ;
2006-02-04 00:19:24 +03:00
char * saf_servername = saf_fetch ( domain - > name ) ;
2004-11-18 14:57:49 +03:00
int retries ;
2006-09-03 03:06:21 +04:00
if ( ( mem_ctx = talloc_init ( " cm_open_connection " ) ) = = NULL ) {
SAFE_FREE ( saf_servername ) ;
2006-09-07 01:43:31 +04:00
set_domain_offline ( domain ) ;
2004-11-18 14:57:49 +03:00
return NT_STATUS_NO_MEMORY ;
2006-09-03 03:06:21 +04:00
}
2004-11-18 14:57:49 +03:00
2006-02-04 00:19:24 +03:00
/* we have to check the server affinity cache here since
later we selecte a DC based on response time and not preference */
2006-09-03 03:06:21 +04:00
/* Check the negative connection cache
before talking to it . It going down may have
triggered the reconnection . */
if ( saf_servername & & NT_STATUS_IS_OK ( check_negative_conn_cache ( domain - > name , saf_servername ) ) ) {
2006-09-07 20:51:17 +04:00
DEBUG ( 10 , ( " cm_open_connection: saf_servername is '%s' for domain %s \n " ,
saf_servername , domain - > name ) ) ;
2006-02-04 00:19:24 +03:00
/* convert an ip address to a name */
2006-09-03 03:06:21 +04:00
if ( is_ipaddress ( saf_servername ) ) {
2006-02-04 00:19:24 +03:00
fstring saf_name ;
struct in_addr ip ;
ip = * interpret_addr2 ( saf_servername ) ;
2006-12-21 03:43:21 +03:00
if ( dcip_to_name ( domain , ip , saf_name ) ) {
2006-05-26 16:28:55 +04:00
fstrcpy ( domain - > dcname , saf_name ) ;
} else {
2006-09-07 01:43:31 +04:00
winbind_add_failed_connection_entry (
domain , saf_servername ,
2006-05-26 16:28:55 +04:00
NT_STATUS_UNSUCCESSFUL ) ;
}
2006-09-03 03:06:21 +04:00
} else {
2006-02-04 00:19:24 +03:00
fstrcpy ( domain - > dcname , saf_servername ) ;
}
SAFE_FREE ( saf_servername ) ;
}
2004-11-18 14:57:49 +03:00
for ( retries = 0 ; retries < 3 ; retries + + ) {
int fd = - 1 ;
2005-09-30 21:13:37 +04:00
BOOL retry = False ;
2004-11-18 14:57:49 +03:00
result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND ;
2006-09-07 20:51:17 +04:00
DEBUG ( 10 , ( " cm_open_connection: dcname is '%s' for domain %s \n " ,
domain - > dcname , domain - > name ) ) ;
if ( * domain - > dcname
2006-02-04 01:19:41 +03:00
& & NT_STATUS_IS_OK ( check_negative_conn_cache ( domain - > name , domain - > dcname ) )
& & ( resolve_name ( domain - > dcname , & domain - > dcaddr . sin_addr , 0x20 ) ) )
2006-02-04 00:19:24 +03:00
{
struct sockaddr_in * addrs = NULL ;
int num_addrs = 0 ;
int dummy = 0 ;
2006-12-09 05:58:18 +03:00
if ( ! add_sockaddr_to_array ( mem_ctx , domain - > dcaddr . sin_addr , 445 , & addrs , & num_addrs ) ) {
set_domain_offline ( domain ) ;
2006-12-16 04:32:57 +03:00
talloc_destroy ( mem_ctx ) ;
2006-12-09 05:58:18 +03:00
return NT_STATUS_NO_MEMORY ;
}
if ( ! add_sockaddr_to_array ( mem_ctx , domain - > dcaddr . sin_addr , 139 , & addrs , & num_addrs ) ) {
set_domain_offline ( domain ) ;
2006-12-16 04:32:57 +03:00
talloc_destroy ( mem_ctx ) ;
2006-12-09 05:58:18 +03:00
return NT_STATUS_NO_MEMORY ;
}
2006-02-04 00:19:24 +03:00
2006-09-06 23:02:39 +04:00
/* 5 second timeout. */
if ( ! open_any_socket_out ( addrs , num_addrs , 5000 , & dummy , & fd ) ) {
2004-11-18 14:57:49 +03:00
fd = - 1 ;
}
}
2006-02-04 00:19:24 +03:00
if ( ( fd = = - 1 )
2006-02-04 01:19:41 +03:00
& & ! find_new_dc ( mem_ctx , domain , domain - > dcname , & domain - > dcaddr , & fd ) )
2006-02-04 00:19:24 +03:00
{
2006-02-04 01:19:41 +03:00
/* This is the one place where we will
set the global winbindd offline state
to true , if a " WINBINDD_OFFLINE " entry
is found in the winbindd cache . */
set_global_winbindd_state_offline ( ) ;
2004-11-18 14:57:49 +03:00
break ;
2006-02-04 00:19:24 +03:00
}
2004-11-18 14:57:49 +03:00
new_conn - > cli = NULL ;
2005-06-09 02:10:34 +04:00
result = cm_prepare_connection ( domain , fd , domain - > dcname ,
& new_conn - > cli , & retry ) ;
2004-11-18 14:57:49 +03:00
if ( ! retry )
break ;
}
2006-02-04 01:19:41 +03:00
if ( NT_STATUS_IS_OK ( result ) ) {
if ( domain - > online = = False ) {
/* We're changing state from offline to online. */
set_global_winbindd_state_online ( ) ;
}
2006-09-07 01:43:31 +04:00
set_domain_online ( domain ) ;
} else {
/* Ensure we setup the retry handler. */
set_domain_offline ( domain ) ;
2006-02-04 01:19:41 +03:00
}
2004-11-18 14:57:49 +03:00
talloc_destroy ( mem_ctx ) ;
return result ;
2001-10-05 04:20:06 +04:00
}
2006-02-04 01:19:41 +03:00
/* Close down all open pipes on a connection. */
2001-10-27 08:48:22 +04:00
2005-06-09 02:10:34 +04:00
void invalidate_cm_connection ( struct winbindd_cm_conn * conn )
2001-10-27 08:48:22 +04:00
{
2006-09-06 23:02:39 +04:00
/* We're closing down a possibly dead
connection . Don ' t have impossibly long ( 10 s ) timeouts . */
if ( conn - > cli ) {
cli_set_timeout ( conn - > cli , 1000 ) ; /* 1 second. */
}
2005-06-09 02:10:34 +04:00
if ( conn - > samr_pipe ! = NULL ) {
2006-09-06 23:02:39 +04:00
if ( ! cli_rpc_pipe_close ( conn - > samr_pipe ) ) {
/* Ok, it must be dead. Drop timeout to 0.5 sec. */
if ( conn - > cli ) {
cli_set_timeout ( conn - > cli , 500 ) ;
}
}
2005-06-09 02:10:34 +04:00
conn - > samr_pipe = NULL ;
2002-02-15 16:28:59 +03:00
}
2005-06-09 02:10:34 +04:00
if ( conn - > lsa_pipe ! = NULL ) {
2006-09-06 23:02:39 +04:00
if ( ! cli_rpc_pipe_close ( conn - > lsa_pipe ) ) {
/* Ok, it must be dead. Drop timeout to 0.5 sec. */
if ( conn - > cli ) {
cli_set_timeout ( conn - > cli , 500 ) ;
}
}
2005-06-09 02:10:34 +04:00
conn - > lsa_pipe = NULL ;
2002-03-18 13:53:02 +03:00
}
2005-06-09 02:10:34 +04:00
if ( conn - > netlogon_pipe ! = NULL ) {
2006-09-06 23:02:39 +04:00
if ( ! cli_rpc_pipe_close ( conn - > netlogon_pipe ) ) {
/* Ok, it must be dead. Drop timeout to 0.5 sec. */
if ( conn - > cli ) {
cli_set_timeout ( conn - > cli , 500 ) ;
}
}
2005-06-09 02:10:34 +04:00
conn - > netlogon_pipe = NULL ;
2002-02-11 04:29:07 +03:00
}
2001-10-27 08:48:22 +04:00
2005-09-30 21:13:37 +04:00
if ( conn - > cli ) {
2005-06-09 02:10:34 +04:00
cli_shutdown ( conn - > cli ) ;
2005-09-30 21:13:37 +04:00
}
2005-06-09 02:10:34 +04:00
conn - > cli = NULL ;
}
2001-10-05 04:20:06 +04:00
2005-06-09 02:10:34 +04:00
void close_conns_after_fork ( void )
2001-10-05 04:20:06 +04:00
{
2005-06-09 02:10:34 +04:00
struct winbindd_domain * domain ;
2003-05-15 00:48:48 +04:00
2005-06-09 02:10:34 +04:00
for ( domain = domain_list ( ) ; domain ; domain = domain - > next ) {
if ( domain - > conn . cli = = NULL )
continue ;
2003-05-08 12:02:52 +04:00
2005-06-09 02:10:34 +04:00
if ( domain - > conn . cli - > fd = = - 1 )
continue ;
2003-05-08 12:02:52 +04:00
2005-06-09 02:10:34 +04:00
close ( domain - > conn . cli - > fd ) ;
domain - > conn . cli - > fd = - 1 ;
}
}
2003-05-08 12:02:52 +04:00
2005-06-09 02:10:34 +04:00
static BOOL connection_ok ( struct winbindd_domain * domain )
2003-05-08 12:02:52 +04:00
{
2005-06-09 02:10:34 +04:00
if ( domain - > conn . cli = = NULL ) {
2006-09-14 13:11:30 +04:00
DEBUG ( 8 , ( " connection_ok: Connection to %s for domain %s has NULL "
2005-06-09 02:10:34 +04:00
" cli! \n " , domain - > dcname , domain - > name ) ) ;
return False ;
}
2003-05-08 12:02:52 +04:00
2005-06-09 02:10:34 +04:00
if ( ! domain - > conn . cli - > initialised ) {
2006-09-14 13:11:30 +04:00
DEBUG ( 3 , ( " connection_ok: Connection to %s for domain %s was never "
2005-06-09 02:10:34 +04:00
" initialised! \n " , domain - > dcname , domain - > name ) ) ;
return False ;
2002-02-15 16:28:59 +03:00
}
2003-05-08 12:02:52 +04:00
2005-06-09 02:10:34 +04:00
if ( domain - > conn . cli - > fd = = - 1 ) {
2006-09-14 13:11:30 +04:00
DEBUG ( 3 , ( " connection_ok: Connection to %s for domain %s has died or was "
2005-06-09 02:10:34 +04:00
" never started (fd == -1) \n " ,
domain - > dcname , domain - > name ) ) ;
return False ;
}
2001-10-05 04:20:06 +04:00
2006-09-14 13:11:30 +04:00
if ( domain - > online = = False ) {
DEBUG ( 3 , ( " connection_ok: Domain %s is offline \n " , domain - > name ) ) ;
return False ;
}
2005-06-09 02:10:34 +04:00
return True ;
}
2006-10-06 21:33:57 +04:00
2006-12-07 02:14:15 +03:00
/* Initialize a new connection up to the RPC BIND.
Bypass online status check so always does network calls . */
2003-05-08 12:02:52 +04:00
2006-12-07 02:14:15 +03:00
static NTSTATUS init_dc_connection_network ( struct winbindd_domain * domain )
2003-05-08 12:02:52 +04:00
{
2006-10-06 21:33:57 +04:00
NTSTATUS result ;
2006-10-10 08:00:42 +04:00
/* Internal connections never use the network. */
if ( domain - > internal ) {
domain - > initialized = True ;
return NT_STATUS_OK ;
}
2006-10-06 21:33:57 +04:00
if ( connection_ok ( domain ) ) {
if ( ! domain - > initialized ) {
set_dc_type_and_flags ( domain ) ;
}
2003-05-08 12:02:52 +04:00
return NT_STATUS_OK ;
2006-10-06 21:33:57 +04:00
}
2003-05-08 12:02:52 +04:00
2005-06-09 02:10:34 +04:00
invalidate_cm_connection ( & domain - > conn ) ;
2006-10-06 21:33:57 +04:00
result = cm_open_connection ( domain , & domain - > conn ) ;
if ( NT_STATUS_IS_OK ( result ) & & ! domain - > initialized ) {
set_dc_type_and_flags ( domain ) ;
}
return result ;
2003-05-08 12:02:52 +04:00
}
2002-10-05 01:42:04 +04:00
2006-12-07 02:14:15 +03:00
NTSTATUS init_dc_connection ( struct winbindd_domain * domain )
{
if ( domain - > initialized & & ! domain - > online ) {
/* We check for online status elsewhere. */
return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND ;
}
return init_dc_connection_network ( domain ) ;
}
2007-05-06 23:37:13 +04:00
/******************************************************************************
Set the trust flags ( direction and forest location ) for a domain
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static BOOL set_dc_type_and_flags_trustinfo ( struct winbindd_domain * domain )
{
struct winbindd_domain * our_domain ;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL ;
struct ds_domain_trust * domains = NULL ;
int count = 0 ;
int i ;
uint32 flags = ( DS_DOMAIN_IN_FOREST |
DS_DOMAIN_DIRECT_OUTBOUND |
DS_DOMAIN_DIRECT_INBOUND ) ;
struct rpc_pipe_client * cli ;
TALLOC_CTX * mem_ctx = NULL ;
DEBUG ( 5 , ( " set_dc_type_and_flags_trustinfo: domain %s \n " , domain - > name ) ) ;
/* Our primary domain doesn't need to worry about trust flags.
Force it to go through the network setup */
if ( domain - > primary ) {
return False ;
}
our_domain = find_our_domain ( ) ;
if ( ! connection_ok ( our_domain ) ) {
DEBUG ( 3 , ( " set_dc_type_and_flags_trustinfo: No connection to our domain! \n " ) ) ;
return False ;
}
/* This won't work unless our domain is AD */
if ( ! our_domain - > active_directory ) {
return False ;
}
/* Use DsEnumerateDomainTrusts to get us the trust direction
and type */
result = cm_connect_netlogon ( our_domain , & cli ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
DEBUG ( 5 , ( " set_dc_type_and_flags_trustinfo: Could not open "
" a connection to %s for PIPE_NETLOGON (%s) \n " ,
domain - > name , nt_errstr ( result ) ) ) ;
return False ;
}
if ( ( mem_ctx = talloc_init ( " set_dc_type_and_flags_trustinfo " ) ) = = NULL ) {
DEBUG ( 0 , ( " set_dc_type_and_flags_trustinfo: talloc_init() failed! \n " ) ) ;
return False ;
}
result = rpccli_ds_enum_domain_trusts ( cli , mem_ctx ,
cli - > cli - > desthost ,
flags , & domains ,
( unsigned int * ) & count ) ;
/* Now find the domain name and get the flags */
for ( i = 0 ; i < count ; i + + ) {
if ( strequal ( domain - > name , domains [ i ] . netbios_domain ) ) {
domain - > domain_flags = domains [ i ] . flags ;
domain - > domain_type = domains [ i ] . trust_type ;
domain - > domain_trust_attribs = domains [ i ] . trust_attributes ;
if ( domain - > domain_type = = DS_DOMAIN_TRUST_TYPE_UPLEVEL )
domain - > active_directory = True ;
/* This flag is only set if the domain is *our*
primary domain and the primary domain is in
native mode */
domain - > native_mode = ( domain - > domain_flags & DS_DOMAIN_NATIVE_MODE ) ;
DEBUG ( 5 , ( " set_dc_type_and_flags_trustinfo: domain %s is %sin "
" native mode. \n " , domain - > name ,
domain - > native_mode ? " " : " NOT " ) ) ;
DEBUG ( 5 , ( " set_dc_type_and_flags_trustinfo: domain %s is %s "
" running active directory. \n " , domain - > name ,
domain - > active_directory ? " " : " NOT " ) ) ;
domain - > initialized = True ;
if ( ! winbindd_can_contact_domain ( domain ) )
domain - > internal = True ;
break ;
}
}
talloc_destroy ( mem_ctx ) ;
return domain - > initialized ;
}
2005-10-27 15:16:36 +04:00
/******************************************************************************
We can ' sense ' certain things about the DC by it ' s replies to certain
questions .
2004-01-08 11:19:18 +03:00
2005-10-27 15:16:36 +04:00
This tells us if this particular remote server is Active Directory , and if it
is native mode .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-10-05 01:42:04 +04:00
2007-05-06 23:37:13 +04:00
static void set_dc_type_and_flags_connect ( struct winbindd_domain * domain )
2002-10-05 01:42:04 +04:00
{
NTSTATUS result ;
DS_DOMINFO_CTR ctr ;
2004-01-08 22:56:40 +03:00
TALLOC_CTX * mem_ctx = NULL ;
2005-06-09 02:10:34 +04:00
struct rpc_pipe_client * cli ;
POLICY_HND pol ;
2006-09-03 07:46:07 +04:00
2005-06-09 02:10:34 +04:00
char * domain_name = NULL ;
char * dns_name = NULL ;
2007-01-03 01:14:26 +03:00
char * forest_name = NULL ;
DOM_SID * dom_sid = NULL ;
2005-06-09 02:10:34 +04:00
2002-10-05 01:42:04 +04:00
ZERO_STRUCT ( ctr ) ;
2006-10-06 21:33:57 +04:00
if ( ! connection_ok ( domain ) ) {
2005-06-09 02:10:34 +04:00
return ;
}
2007-05-06 23:37:13 +04:00
DEBUG ( 5 , ( " set_dc_type_and_flags_connect: domain %s \n " , domain - > name ) ) ;
2006-10-06 21:33:57 +04:00
2005-10-27 15:16:36 +04:00
cli = cli_rpc_pipe_open_noauth ( domain - > conn . cli , PI_LSARPC_DS ,
& result ) ;
2005-06-09 02:10:34 +04:00
if ( cli = = NULL ) {
2007-05-06 23:37:13 +04:00
DEBUG ( 5 , ( " set_dc_type_and_flags_connect: Could not bind to "
2005-06-09 02:10:34 +04:00
" PI_LSARPC_DS on domain %s: (%s) \n " ,
2004-01-05 07:10:28 +03:00
domain - > name , nt_errstr ( result ) ) ) ;
2007-02-16 16:30:19 +03:00
/* if this is just a non-AD domain we need to continue
* identifying so that we can in the end return with
* domain - > initialized = True - gd */
goto no_lsarpc_ds ;
2002-10-05 01:42:04 +04:00
}
2005-06-09 02:10:34 +04:00
result = rpccli_ds_getprimarydominfo ( cli , cli - > cli - > mem_ctx ,
DsRolePrimaryDomainInfoBasic ,
& ctr ) ;
2005-09-30 21:13:37 +04:00
cli_rpc_pipe_close ( cli ) ;
2005-06-09 02:10:34 +04:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
2007-05-06 23:37:13 +04:00
DEBUG ( 5 , ( " set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
2006-10-06 21:33:57 +04:00
" on domain %s failed: (%s) \n " ,
domain - > name , nt_errstr ( result ) ) ) ;
2005-06-09 02:10:34 +04:00
return ;
2002-10-05 01:42:04 +04:00
}
2005-06-09 02:10:34 +04:00
if ( ( ctr . basic - > flags & DSROLE_PRIMARY_DS_RUNNING ) & &
2006-10-06 21:33:57 +04:00
! ( ctr . basic - > flags & DSROLE_PRIMARY_DS_MIXED_MODE ) ) {
2004-01-08 11:19:18 +03:00
domain - > native_mode = True ;
2006-10-06 21:33:57 +04:00
} else {
domain - > native_mode = False ;
}
2002-10-05 01:42:04 +04:00
2007-02-16 16:30:19 +03:00
no_lsarpc_ds :
2005-09-30 21:13:37 +04:00
cli = cli_rpc_pipe_open_noauth ( domain - > conn . cli , PI_LSARPC , & result ) ;
2004-01-08 11:19:18 +03:00
2005-06-09 02:10:34 +04:00
if ( cli = = NULL ) {
2007-05-06 23:37:13 +04:00
DEBUG ( 5 , ( " set_dc_type_and_flags_connect: Could not bind to "
2006-10-06 21:33:57 +04:00
" PI_LSARPC on domain %s: (%s) \n " ,
domain - > name , nt_errstr ( result ) ) ) ;
cli_rpc_pipe_close ( cli ) ;
return ;
2005-06-09 02:10:34 +04:00
}
2004-01-08 11:19:18 +03:00
2005-06-09 02:10:34 +04:00
mem_ctx = talloc_init ( " set_dc_type_and_flags on domain %s \n " ,
domain - > name ) ;
if ( ! mem_ctx ) {
2007-05-06 23:37:13 +04:00
DEBUG ( 1 , ( " set_dc_type_and_flags_connect: talloc_init() failed \n " ) ) ;
2005-09-30 21:13:37 +04:00
cli_rpc_pipe_close ( cli ) ;
2005-06-09 02:10:34 +04:00
return ;
}
2004-01-08 11:19:18 +03:00
2005-06-09 02:10:34 +04:00
result = rpccli_lsa_open_policy2 ( cli , mem_ctx , True ,
SEC_RIGHTS_MAXIMUM_ALLOWED , & pol ) ;
2004-01-08 11:19:18 +03:00
2005-06-09 02:10:34 +04:00
if ( NT_STATUS_IS_OK ( result ) ) {
/* This particular query is exactly what Win2k clients use
to determine that the DC is active directory */
result = rpccli_lsa_query_info_policy2 ( cli , mem_ctx , & pol ,
12 , & domain_name ,
2007-01-03 01:14:26 +03:00
& dns_name , & forest_name ,
2005-06-09 02:10:34 +04:00
NULL , & dom_sid ) ;
}
if ( NT_STATUS_IS_OK ( result ) ) {
2006-10-06 21:33:57 +04:00
domain - > active_directory = True ;
2005-06-09 02:10:34 +04:00
if ( domain_name )
fstrcpy ( domain - > name , domain_name ) ;
if ( dns_name )
fstrcpy ( domain - > alt_name , dns_name ) ;
2007-01-03 01:14:26 +03:00
if ( forest_name )
fstrcpy ( domain - > forest_name , forest_name ) ;
2005-06-09 02:10:34 +04:00
if ( dom_sid )
sid_copy ( & domain - > sid , dom_sid ) ;
} else {
2006-10-06 21:33:57 +04:00
domain - > active_directory = False ;
2005-06-09 02:10:34 +04:00
result = rpccli_lsa_open_policy ( cli , mem_ctx , True ,
SEC_RIGHTS_MAXIMUM_ALLOWED ,
& pol ) ;
if ( ! NT_STATUS_IS_OK ( result ) )
goto done ;
result = rpccli_lsa_query_info_policy ( cli , mem_ctx ,
& pol , 5 , & domain_name ,
& dom_sid ) ;
2004-01-08 11:19:18 +03:00
if ( NT_STATUS_IS_OK ( result ) ) {
if ( domain_name )
fstrcpy ( domain - > name , domain_name ) ;
2003-06-21 08:05:01 +04:00
2004-01-08 11:19:18 +03:00
if ( dom_sid )
sid_copy ( & domain - > sid , dom_sid ) ;
}
}
done :
2005-02-11 17:31:14 +03:00
2007-05-06 23:37:13 +04:00
DEBUG ( 5 , ( " set_dc_type_and_flags_connect: domain %s is %sin native mode. \n " ,
2006-10-06 21:33:57 +04:00
domain - > name , domain - > native_mode ? " " : " NOT " ) ) ;
2007-05-06 23:37:13 +04:00
DEBUG ( 5 , ( " set_dc_type_and_flags_connect: domain %s is %srunning active directory. \n " ,
2006-10-06 21:33:57 +04:00
domain - > name , domain - > active_directory ? " " : " NOT " ) ) ;
2005-09-30 21:13:37 +04:00
cli_rpc_pipe_close ( cli ) ;
2002-10-05 01:42:04 +04:00
2004-01-08 11:19:18 +03:00
talloc_destroy ( mem_ctx ) ;
2004-04-20 06:37:49 +04:00
domain - > initialized = True ;
2002-10-05 01:42:04 +04:00
}
2007-05-06 23:37:13 +04:00
/**********************************************************************
Set the domain_flags ( trust attributes , domain operating modes , etc . . .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void set_dc_type_and_flags ( struct winbindd_domain * domain )
{
/* we always have to contact our primary domain */
if ( domain - > primary ) {
DEBUG ( 10 , ( " set_dc_type_and_flags: setting up flags for "
" primary domain \n " ) ) ;
set_dc_type_and_flags_connect ( domain ) ;
return ;
}
/* Use our DC to get the information if possible */
if ( ! set_dc_type_and_flags_trustinfo ( domain ) ) {
/* Otherwise, fallback to contacting the
domain directly */
set_dc_type_and_flags_connect ( domain ) ;
}
return ;
}
/**********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-10-27 15:16:36 +04:00
static BOOL cm_get_schannel_dcinfo ( struct winbindd_domain * domain ,
struct dcinfo * * ppdc )
2005-06-09 02:10:34 +04:00
{
2005-09-30 21:13:37 +04:00
NTSTATUS result ;
struct rpc_pipe_client * netlogon_pipe ;
2002-10-05 01:42:04 +04:00
2005-09-30 21:13:37 +04:00
if ( lp_client_schannel ( ) = = False ) {
2005-06-09 02:10:34 +04:00
return False ;
2005-09-30 21:13:37 +04:00
}
2002-10-05 01:42:04 +04:00
2005-09-30 21:13:37 +04:00
result = cm_connect_netlogon ( domain , & netlogon_pipe ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
return False ;
}
/* Return a pointer to the struct dcinfo from the
netlogon pipe . */
* ppdc = domain - > conn . netlogon_pipe - > dc ;
return True ;
2005-06-09 02:10:34 +04:00
}
2001-10-05 04:20:06 +04:00
2005-06-09 02:10:34 +04:00
NTSTATUS cm_connect_sam ( struct winbindd_domain * domain , TALLOC_CTX * mem_ctx ,
struct rpc_pipe_client * * cli , POLICY_HND * sam_handle )
2002-02-15 16:28:59 +03:00
{
struct winbindd_cm_conn * conn ;
2006-12-23 03:17:15 +03:00
NTSTATUS result = NT_STATUS_UNSUCCESSFUL ;
2005-10-27 16:51:24 +04:00
fstring conn_pwd ;
struct dcinfo * p_dcinfo ;
2001-10-05 04:20:06 +04:00
2005-06-09 02:10:34 +04:00
result = init_dc_connection ( domain ) ;
2005-09-30 21:13:37 +04:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
2003-06-21 08:05:01 +04:00
return result ;
2005-09-30 21:13:37 +04:00
}
2002-04-04 06:39:57 +04:00
2005-06-09 02:10:34 +04:00
conn = & domain - > conn ;
2003-06-21 08:05:01 +04:00
2005-10-27 16:51:24 +04:00
if ( conn - > samr_pipe ! = NULL ) {
goto done ;
}
/*
* No SAMR pipe yet . Attempt to get an NTLMSSP SPNEGO authenticated
* sign and sealed pipe using the machine account password by
* preference . If we can ' t - try schannel , if that fails , try
* anonymous .
*/
pwd_get_cleartext ( & conn - > cli - > pwd , conn_pwd ) ;
if ( ( conn - > cli - > user_name [ 0 ] = = ' \0 ' ) | |
( conn - > cli - > domain [ 0 ] = = ' \0 ' ) | |
( conn_pwd [ 0 ] = = ' \0 ' ) ) {
DEBUG ( 10 , ( " cm_connect_sam: No no user available for "
" domain %s, trying schannel \n " , conn - > cli - > domain ) ) ;
goto schannel ;
}
/* We have an authenticated connection. Use a NTLMSSP SPNEGO
authenticated SAMR pipe with sign & seal . */
conn - > samr_pipe =
cli_rpc_pipe_open_spnego_ntlmssp ( conn - > cli , PI_SAMR ,
PIPE_AUTH_LEVEL_PRIVACY ,
conn - > cli - > domain ,
conn - > cli - > user_name ,
conn_pwd , & result ) ;
2005-06-09 02:10:34 +04:00
if ( conn - > samr_pipe = = NULL ) {
2005-10-27 16:51:24 +04:00
DEBUG ( 10 , ( " cm_connect_sam: failed to connect to SAMR "
" pipe for domain %s using NTLMSSP "
" authenticated pipe: user %s \\ %s. Error was "
" %s \n " , domain - > name , conn - > cli - > domain ,
conn - > cli - > user_name , nt_errstr ( result ) ) ) ;
goto schannel ;
}
2005-09-30 21:13:37 +04:00
2005-10-27 16:51:24 +04:00
DEBUG ( 10 , ( " cm_connect_sam: connected to SAMR pipe for "
" domain %s using NTLMSSP authenticated "
" pipe: user %s \\ %s \n " , domain - > name ,
conn - > cli - > domain , conn - > cli - > user_name ) ) ;
2005-09-30 21:13:37 +04:00
2005-10-27 16:51:24 +04:00
result = rpccli_samr_connect ( conn - > samr_pipe , mem_ctx ,
SEC_RIGHTS_MAXIMUM_ALLOWED ,
& conn - > sam_connect_handle ) ;
if ( NT_STATUS_IS_OK ( result ) ) {
goto open_domain ;
}
DEBUG ( 10 , ( " cm_connect_sam: ntlmssp-sealed rpccli_samr_connect "
" failed for domain %s, error was %s. Trying schannel \n " ,
domain - > name , nt_errstr ( result ) ) ) ;
cli_rpc_pipe_close ( conn - > samr_pipe ) ;
2001-10-05 04:20:06 +04:00
2005-10-27 16:51:24 +04:00
schannel :
2001-10-05 04:20:06 +04:00
2005-10-27 16:51:24 +04:00
/* Fall back to schannel if it's a W2K pre-SP1 box. */
if ( ! cm_get_schannel_dcinfo ( domain , & p_dcinfo ) ) {
2006-12-23 03:17:15 +03:00
/* If this call fails - conn->cli can now be NULL ! */
2005-10-27 16:51:24 +04:00
DEBUG ( 10 , ( " cm_connect_sam: Could not get schannel auth info "
2006-12-23 03:17:15 +03:00
" for domain %s, trying anon \n " , domain - > name ) ) ;
2005-10-27 16:51:24 +04:00
goto anonymous ;
}
conn - > samr_pipe = cli_rpc_pipe_open_schannel_with_key
( conn - > cli , PI_SAMR , PIPE_AUTH_LEVEL_PRIVACY ,
domain - > name , p_dcinfo , & result ) ;
if ( conn - > samr_pipe = = NULL ) {
DEBUG ( 10 , ( " cm_connect_sam: failed to connect to SAMR pipe for "
" domain %s using schannel. Error was %s \n " ,
domain - > name , nt_errstr ( result ) ) ) ;
goto anonymous ;
}
DEBUG ( 10 , ( " cm_connect_sam: connected to SAMR pipe for domain %s using "
" schannel. \n " , domain - > name ) ) ;
result = rpccli_samr_connect ( conn - > samr_pipe , mem_ctx ,
SEC_RIGHTS_MAXIMUM_ALLOWED ,
& conn - > sam_connect_handle ) ;
if ( NT_STATUS_IS_OK ( result ) ) {
goto open_domain ;
}
DEBUG ( 10 , ( " cm_connect_sam: schannel-sealed rpccli_samr_connect failed "
" for domain %s, error was %s. Trying anonymous \n " ,
domain - > name , nt_errstr ( result ) ) ) ;
cli_rpc_pipe_close ( conn - > samr_pipe ) ;
anonymous :
/* Finally fall back to anonymous. */
conn - > samr_pipe = cli_rpc_pipe_open_noauth ( conn - > cli , PI_SAMR ,
& result ) ;
if ( conn - > samr_pipe = = NULL ) {
result = NT_STATUS_PIPE_NOT_AVAILABLE ;
goto done ;
}
2001-10-05 04:20:06 +04:00
2005-10-27 16:51:24 +04:00
result = rpccli_samr_connect ( conn - > samr_pipe , mem_ctx ,
SEC_RIGHTS_MAXIMUM_ALLOWED ,
& conn - > sam_connect_handle ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
DEBUG ( 10 , ( " cm_connect_sam: rpccli_samr_connect failed "
" for domain %s Error was %s \n " ,
domain - > name , nt_errstr ( result ) ) ) ;
goto done ;
2005-06-09 02:10:34 +04:00
}
2001-10-05 04:20:06 +04:00
2005-10-27 16:51:24 +04:00
open_domain :
result = rpccli_samr_open_domain ( conn - > samr_pipe ,
mem_ctx ,
& conn - > sam_connect_handle ,
SEC_RIGHTS_MAXIMUM_ALLOWED ,
& domain - > sid ,
& conn - > sam_domain_handle ) ;
2005-06-09 02:10:34 +04:00
done :
2005-09-30 21:13:37 +04:00
2005-06-09 02:10:34 +04:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
invalidate_cm_connection ( conn ) ;
2005-09-30 21:13:37 +04:00
return result ;
2005-06-09 02:10:34 +04:00
}
2003-06-21 08:05:01 +04:00
2005-06-09 02:10:34 +04:00
* cli = conn - > samr_pipe ;
* sam_handle = conn - > sam_domain_handle ;
return result ;
2001-10-05 04:20:06 +04:00
}
2005-06-09 02:10:34 +04:00
NTSTATUS cm_connect_lsa ( struct winbindd_domain * domain , TALLOC_CTX * mem_ctx ,
struct rpc_pipe_client * * cli , POLICY_HND * lsa_policy )
{
2001-11-15 22:40:00 +03:00
struct winbindd_cm_conn * conn ;
2006-12-23 03:17:15 +03:00
NTSTATUS result = NT_STATUS_UNSUCCESSFUL ;
2005-10-27 16:51:24 +04:00
fstring conn_pwd ;
struct dcinfo * p_dcinfo ;
2001-10-08 04:34:14 +04:00
2005-06-09 02:10:34 +04:00
result = init_dc_connection ( domain ) ;
if ( ! NT_STATUS_IS_OK ( result ) )
2003-06-21 08:05:01 +04:00
return result ;
2005-06-09 02:10:34 +04:00
conn = & domain - > conn ;
2001-10-08 04:34:14 +04:00
2005-10-27 16:51:24 +04:00
if ( conn - > lsa_pipe ! = NULL ) {
goto done ;
}
pwd_get_cleartext ( & conn - > cli - > pwd , conn_pwd ) ;
if ( ( conn - > cli - > user_name [ 0 ] = = ' \0 ' ) | |
( conn - > cli - > domain [ 0 ] = = ' \0 ' ) | |
( conn_pwd [ 0 ] = = ' \0 ' ) ) {
DEBUG ( 10 , ( " cm_connect_lsa: No no user available for "
" domain %s, trying schannel \n " , conn - > cli - > domain ) ) ;
goto schannel ;
}
/* We have an authenticated connection. Use a NTLMSSP SPNEGO
* authenticated LSA pipe with sign & seal . */
conn - > lsa_pipe = cli_rpc_pipe_open_spnego_ntlmssp
( conn - > cli , PI_LSARPC , PIPE_AUTH_LEVEL_PRIVACY ,
conn - > cli - > domain , conn - > cli - > user_name , conn_pwd , & result ) ;
2005-06-09 02:10:34 +04:00
if ( conn - > lsa_pipe = = NULL ) {
2005-10-27 16:51:24 +04:00
DEBUG ( 10 , ( " cm_connect_lsa: failed to connect to LSA pipe for "
" domain %s using NTLMSSP authenticated pipe: user "
" %s \\ %s. Error was %s. Trying schannel. \n " ,
domain - > name , conn - > cli - > domain ,
conn - > cli - > user_name , nt_errstr ( result ) ) ) ;
goto schannel ;
}
2005-09-30 21:13:37 +04:00
2005-10-27 16:51:24 +04:00
DEBUG ( 10 , ( " cm_connect_lsa: connected to LSA pipe for domain %s using "
" NTLMSSP authenticated pipe: user %s \\ %s \n " ,
domain - > name , conn - > cli - > domain , conn - > cli - > user_name ) ) ;
2001-10-08 04:34:14 +04:00
2005-10-27 16:51:24 +04:00
result = rpccli_lsa_open_policy ( conn - > lsa_pipe , mem_ctx , True ,
SEC_RIGHTS_MAXIMUM_ALLOWED ,
& conn - > lsa_policy ) ;
if ( NT_STATUS_IS_OK ( result ) ) {
goto done ;
}
2001-10-08 04:34:14 +04:00
2005-10-27 16:51:24 +04:00
DEBUG ( 10 , ( " cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
" schannel \n " ) ) ;
cli_rpc_pipe_close ( conn - > lsa_pipe ) ;
schannel :
/* Fall back to schannel if it's a W2K pre-SP1 box. */
if ( ! cm_get_schannel_dcinfo ( domain , & p_dcinfo ) ) {
2006-12-23 03:17:15 +03:00
/* If this call fails - conn->cli can now be NULL ! */
2006-02-09 13:17:38 +03:00
DEBUG ( 10 , ( " cm_connect_lsa: Could not get schannel auth info "
2006-12-23 03:17:15 +03:00
" for domain %s, trying anon \n " , domain - > name ) ) ;
2005-10-27 16:51:24 +04:00
goto anonymous ;
}
conn - > lsa_pipe = cli_rpc_pipe_open_schannel_with_key
( conn - > cli , PI_LSARPC , PIPE_AUTH_LEVEL_PRIVACY ,
domain - > name , p_dcinfo , & result ) ;
if ( conn - > lsa_pipe = = NULL ) {
DEBUG ( 10 , ( " cm_connect_lsa: failed to connect to LSA pipe for "
" domain %s using schannel. Error was %s \n " ,
domain - > name , nt_errstr ( result ) ) ) ;
goto anonymous ;
}
DEBUG ( 10 , ( " cm_connect_lsa: connected to LSA pipe for domain %s using "
" schannel. \n " , domain - > name ) ) ;
result = rpccli_lsa_open_policy ( conn - > lsa_pipe , mem_ctx , True ,
SEC_RIGHTS_MAXIMUM_ALLOWED ,
& conn - > lsa_policy ) ;
if ( NT_STATUS_IS_OK ( result ) ) {
goto done ;
}
DEBUG ( 10 , ( " cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
" anonymous \n " ) ) ;
cli_rpc_pipe_close ( conn - > lsa_pipe ) ;
anonymous :
conn - > lsa_pipe = cli_rpc_pipe_open_noauth ( conn - > cli , PI_LSARPC ,
& result ) ;
if ( conn - > lsa_pipe = = NULL ) {
result = NT_STATUS_PIPE_NOT_AVAILABLE ;
goto done ;
2005-06-09 02:10:34 +04:00
}
2001-10-08 04:34:14 +04:00
2005-10-27 16:51:24 +04:00
result = rpccli_lsa_open_policy ( conn - > lsa_pipe , mem_ctx , True ,
SEC_RIGHTS_MAXIMUM_ALLOWED ,
& conn - > lsa_policy ) ;
2005-06-09 02:10:34 +04:00
done :
if ( ! NT_STATUS_IS_OK ( result ) ) {
invalidate_cm_connection ( conn ) ;
2006-12-23 03:17:15 +03:00
return result ;
2005-06-09 02:10:34 +04:00
}
2003-06-21 08:05:01 +04:00
2005-06-09 02:10:34 +04:00
* cli = conn - > lsa_pipe ;
* lsa_policy = conn - > lsa_policy ;
return result ;
2001-10-05 04:20:06 +04:00
}
2005-09-30 21:13:37 +04:00
/****************************************************************************
Open the netlogon pipe to this DC . Use schannel if specified in client conf .
session key stored in conn - > netlogon_pipe - > dc - > sess_key .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-11-05 03:21:17 +03:00
2005-10-27 15:16:36 +04:00
NTSTATUS cm_connect_netlogon ( struct winbindd_domain * domain ,
struct rpc_pipe_client * * cli )
2005-06-09 02:10:34 +04:00
{
struct winbindd_cm_conn * conn ;
NTSTATUS result ;
2004-01-15 09:55:10 +03:00
2005-06-09 02:10:34 +04:00
uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS ;
uint8 mach_pwd [ 16 ] ;
uint32 sec_chan_type ;
const char * account_name ;
2006-01-30 20:47:24 +03:00
struct rpc_pipe_client * netlogon_pipe = NULL ;
* cli = NULL ;
2005-06-09 02:10:34 +04:00
result = init_dc_connection ( domain ) ;
2005-09-30 21:13:37 +04:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
2003-05-08 12:02:52 +04:00
return result ;
2005-09-30 21:13:37 +04:00
}
2001-11-05 03:21:17 +03:00
2005-06-09 02:10:34 +04:00
conn = & domain - > conn ;
2001-11-05 03:21:17 +03:00
2005-06-09 02:10:34 +04:00
if ( conn - > netlogon_pipe ! = NULL ) {
* cli = conn - > netlogon_pipe ;
return NT_STATUS_OK ;
}
2001-11-14 09:18:13 +03:00
2005-09-30 21:13:37 +04:00
if ( ! get_trust_pw ( domain - > name , mach_pwd , & sec_chan_type ) ) {
2005-06-09 02:10:34 +04:00
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO ;
2005-09-30 21:13:37 +04:00
}
2001-11-14 09:18:13 +03:00
2005-10-27 15:16:36 +04:00
netlogon_pipe = cli_rpc_pipe_open_noauth ( conn - > cli , PI_NETLOGON ,
& result ) ;
2005-09-30 21:13:37 +04:00
if ( netlogon_pipe = = NULL ) {
return result ;
}
2001-11-14 09:18:13 +03:00
2005-09-30 21:13:37 +04:00
if ( lp_client_schannel ( ) ! = False ) {
2005-06-09 02:10:34 +04:00
neg_flags | = NETLOGON_NEG_SCHANNEL ;
2005-09-30 21:13:37 +04:00
}
2005-06-10 07:26:39 +04:00
/* if we are a DC and this is a trusted domain, then we need to use our
domain name in the net_req_auth2 ( ) request */
2005-09-30 21:13:37 +04:00
if ( IS_DC
2005-09-27 23:39:13 +04:00
& & ! strequal ( domain - > name , lp_workgroup ( ) )
& & lp_allow_trusted_domains ( ) )
{
2005-09-30 21:13:37 +04:00
account_name = lp_workgroup ( ) ;
} else {
2005-10-27 15:16:36 +04:00
account_name = domain - > primary ?
global_myname ( ) : domain - > name ;
2005-06-10 07:26:39 +04:00
}
2001-11-14 09:18:13 +03:00
2005-09-30 21:13:37 +04:00
if ( account_name = = NULL ) {
cli_rpc_pipe_close ( netlogon_pipe ) ;
2005-06-09 02:10:34 +04:00
return NT_STATUS_NO_MEMORY ;
2005-09-30 21:13:37 +04:00
}
2001-11-14 09:18:13 +03:00
2005-11-04 03:03:55 +03:00
result = rpccli_netlogon_setup_creds (
netlogon_pipe ,
2005-10-27 15:16:36 +04:00
domain - > dcname , /* server name. */
domain - > name , /* domain name */
2005-11-04 03:03:55 +03:00
global_myname ( ) , /* client name */
2005-10-27 15:16:36 +04:00
account_name , /* machine account */
mach_pwd , /* machine password */
sec_chan_type , /* from get_trust_pw */
& neg_flags ) ;
2003-06-11 02:11:30 +04:00
2005-09-30 21:13:37 +04:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
cli_rpc_pipe_close ( netlogon_pipe ) ;
2005-06-09 02:10:34 +04:00
return result ;
}
2003-06-11 02:11:30 +04:00
2005-06-09 02:10:34 +04:00
if ( ( lp_client_schannel ( ) = = True ) & &
2005-09-30 21:13:37 +04:00
( ( neg_flags & NETLOGON_NEG_SCHANNEL ) = = 0 ) ) {
2005-06-09 02:10:34 +04:00
DEBUG ( 3 , ( " Server did not offer schannel \n " ) ) ;
2005-09-30 21:13:37 +04:00
cli_rpc_pipe_close ( netlogon_pipe ) ;
2005-06-09 02:10:34 +04:00
return NT_STATUS_ACCESS_DENIED ;
}
2003-06-11 02:11:30 +04:00
2005-06-09 02:10:34 +04:00
if ( ( lp_client_schannel ( ) = = False ) | |
2005-09-30 21:13:37 +04:00
( ( neg_flags & NETLOGON_NEG_SCHANNEL ) = = 0 ) ) {
2005-10-27 15:16:36 +04:00
/* We're done - just keep the existing connection to NETLOGON
* open */
2005-09-30 21:13:37 +04:00
conn - > netlogon_pipe = netlogon_pipe ;
2005-06-09 02:10:34 +04:00
* cli = conn - > netlogon_pipe ;
return NT_STATUS_OK ;
}
2003-06-11 02:11:30 +04:00
2005-09-30 21:13:37 +04:00
/* Using the credentials from the first pipe, open a signed and sealed
second netlogon pipe . The session key is stored in the schannel
part of the new pipe auth struct .
*/
2005-10-27 15:16:36 +04:00
conn - > netlogon_pipe =
cli_rpc_pipe_open_schannel_with_key ( conn - > cli ,
PI_NETLOGON ,
PIPE_AUTH_LEVEL_PRIVACY ,
domain - > name ,
netlogon_pipe - > dc ,
& result ) ;
2005-09-30 21:13:37 +04:00
/* We can now close the initial netlogon pipe. */
cli_rpc_pipe_close ( netlogon_pipe ) ;
2003-06-11 02:11:30 +04:00
2005-06-09 02:10:34 +04:00
if ( conn - > netlogon_pipe = = NULL ) {
2005-10-27 15:16:36 +04:00
DEBUG ( 3 , ( " Could not open schannel'ed NETLOGON pipe. Error "
" was %s \n " , nt_errstr ( result ) ) ) ;
2006-02-25 00:36:40 +03:00
/* make sure we return something besides OK */
return ! NT_STATUS_IS_OK ( result ) ? result : NT_STATUS_PIPE_NOT_AVAILABLE ;
2003-06-11 02:11:30 +04:00
}
2005-06-09 02:10:34 +04:00
* cli = conn - > netlogon_pipe ;
return NT_STATUS_OK ;
2003-06-11 02:11:30 +04:00
}