mirror of
https://github.com/samba-team/samba.git
synced 2025-03-27 22:50:26 +03:00
s3-winbindd: Attempt to connect to NETLOGON over NCACN_IP_TCP if we can
This is very helpful in the trusted domain situation, as we may not have a two-way trust, but we can use our domain trust account to set up a connection to NETLOGON.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct 8 12:48:15 CEST 2014 on sn-devel-104
parent
e94422a8ac
commit
ae72733874
@ -22,6 +22,8 @@
|
||||
#ifndef __DEFAULT_LIBRPC_RPCCOMMON_H__
|
||||
#define __DEFAULT_LIBRPC_RPCCOMMON_H__
|
||||
|
||||
#include "gen_ndr/dcerpc.h"
|
||||
|
||||
struct dcerpc_binding_handle;
|
||||
struct GUID;
|
||||
struct ndr_interface_table;
|
||||
|
@ -148,7 +148,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
|
||||
return result;
|
||||
}
|
||||
|
||||
result = rpccli_setup_netlogon_creds(cli,
|
||||
result = rpccli_setup_netlogon_creds(cli, NCACN_NP,
|
||||
netlogon_creds,
|
||||
false, /* force_reauth */
|
||||
current_nt_hash,
|
||||
|
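Review bot: `NCACN_NP` is appended on the same line as `cli` in this call to `rpccli_setup_netlogon_creds`, while every other argument sits on its own line and the new prototype gives `transport` its own line; the calls in `libnet_join_joindomain_rpc_unsecure`, `libnet_join_ok` and `do_cmd` have the same shape. Putting it on its own line with a short comment, e.g. `NCACN_NP, /* transport: this caller stays on named pipes */`, would show that keeping named pipes here is deliberate rather than an oversight. Whether any of these paths should instead follow a caller-supplied transport, as `cli_rpc_pipe_open_schannel` now does, cannot be judged from the hunks shown, since each enclosing function starts and ends outside its hunk.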
@ -983,7 +983,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
|
||||
return status;
|
||||
}
|
||||
|
||||
status = rpccli_setup_netlogon_creds(cli,
|
||||
status = rpccli_setup_netlogon_creds(cli, NCACN_NP,
|
||||
netlogon_creds,
|
||||
true, /* force_reauth */
|
||||
current_nt_hash,
|
||||
@ -1444,7 +1444,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
|
||||
return status;
|
||||
}
|
||||
|
||||
status = rpccli_setup_netlogon_creds(cli,
|
||||
status = rpccli_setup_netlogon_creds(cli, NCACN_NP,
|
||||
netlogon_creds,
|
||||
true, /* force_reauth */
|
||||
current_nt_hash,
|
||||
|
@ -125,6 +125,7 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
|
||||
}
|
||||
|
||||
NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
|
||||
enum dcerpc_transport_t transport,
|
||||
struct netlogon_creds_cli_context *netlogon_creds,
|
||||
bool force_reauth,
|
||||
struct samr_Password current_nt_hash,
|
||||
@ -155,9 +156,10 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
|
||||
TALLOC_FREE(creds);
|
||||
}
|
||||
|
||||
status = cli_rpc_pipe_open_noauth(cli,
|
||||
&ndr_table_netlogon,
|
||||
&netlogon_pipe);
|
||||
status = cli_rpc_pipe_open_noauth_transport(cli,
|
||||
transport,
|
||||
&ndr_table_netlogon,
|
||||
&netlogon_pipe);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
|
||||
__FUNCTION__,
|
||||
|
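Review bot: The failure message after `cli_rpc_pipe_open_noauth_transport` in `rpccli_setup_netlogon_creds` still reads only "failed to open noauth netlogon connection to %s" and does not name the transport, which now varies by caller. With winbindd trying NCACN_IP_TCP and then NCACN_NP, the log cannot show which attempt failed. Consider adding it to the format, e.g. `"%s: failed to open noauth netlogon connection (transport %d) to %s - %s\n"` with `(int)transport` as the extra argument; the rest of the DEBUG argument list is outside the hunk. The new parameter is also undocumented, so a one-line comment above the definition such as `/* transport: DCERPC transport used to open the noauth NETLOGON pipe */` would help.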
@ -27,6 +27,7 @@ struct cli_state;
|
||||
struct messaging_context;
|
||||
struct netlogon_creds_cli_context;
|
||||
struct dcerpc_binding_handle;
|
||||
#include "librpc/rpc/rpc_common.h"
|
||||
|
||||
/* The following definitions come from rpc_client/cli_netlogon.c */
|
||||
|
||||
@ -39,6 +40,7 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
struct netlogon_creds_cli_context **netlogon_creds);
|
||||
NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
|
||||
enum dcerpc_transport_t transport,
|
||||
struct netlogon_creds_cli_context *netlogon_creds,
|
||||
bool force_reauth,
|
||||
struct samr_Password current_nt_hash,
|
||||
|
@ -90,7 +90,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
|
||||
return status;
|
||||
}
|
||||
|
||||
status = rpccli_setup_netlogon_creds(cli,
|
||||
status = rpccli_setup_netlogon_creds(cli, transport,
|
||||
netlogon_creds,
|
||||
false, /* force_reauth */
|
||||
current_nt_hash,
|
||||
|
@ -805,7 +805,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
|
||||
return ntresult;
|
||||
}
|
||||
|
||||
ntresult = rpccli_setup_netlogon_creds(cli,
|
||||
ntresult = rpccli_setup_netlogon_creds(cli, NCACN_NP,
|
||||
rpcclient_netlogon_creds,
|
||||
false, /* force_reauth */
|
||||
current_nt_hash,
|
||||
|
@ -2947,6 +2947,8 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
|
||||
* we tried twice to connect via ncan_ip_tcp and schannel and
|
||||
* failed - maybe it is a trusted domain we can't connect to ?
|
||||
* do not try tcp next time - gd
|
||||
*
|
||||
* This also prevents NETLOGON over TCP
|
||||
*/
|
||||
domain->can_do_ncacn_ip_tcp = false;
|
||||
}
|
||||
@ -2961,8 +2963,9 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
|
||||
session key stored in conn->netlogon_pipe->dc->sess_key.
|
||||
****************************************************************************/
|
||||
|
||||
NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
|
||||
struct rpc_pipe_client **cli)
|
||||
static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
|
||||
enum dcerpc_transport_t transport,
|
||||
struct rpc_pipe_client **cli)
|
||||
{
|
||||
struct messaging_context *msg_ctx = winbind_messaging_context();
|
||||
struct winbindd_cm_conn *conn;
|
||||
@ -3028,7 +3031,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
|
||||
return result;
|
||||
}
|
||||
|
||||
result = rpccli_setup_netlogon_creds(conn->cli,
|
||||
result = rpccli_setup_netlogon_creds(conn->cli, transport,
|
||||
conn->netlogon_creds,
|
||||
conn->netlogon_force_reauth,
|
||||
current_nt_hash,
|
||||
@ -3066,9 +3069,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
|
||||
invalidate_cm_connection(domain);
|
||||
return result;
|
||||
}
|
||||
result = cli_rpc_pipe_open_noauth(conn->cli,
|
||||
&ndr_table_netlogon,
|
||||
&conn->netlogon_pipe);
|
||||
result = cli_rpc_pipe_open_noauth_transport(conn->cli,
|
||||
transport,
|
||||
&ndr_table_netlogon,
|
||||
&conn->netlogon_pipe);
|
||||
if (!NT_STATUS_IS_OK(result)) {
|
||||
invalidate_cm_connection(domain);
|
||||
return result;
|
||||
@ -3084,7 +3088,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
|
||||
*/
|
||||
|
||||
result = cli_rpc_pipe_open_schannel_with_key(
|
||||
conn->cli, &ndr_table_netlogon, NCACN_NP,
|
||||
conn->cli, &ndr_table_netlogon, transport,
|
||||
domain->name,
|
||||
conn->netlogon_creds,
|
||||
&conn->netlogon_pipe);
|
||||
@ -3100,6 +3104,42 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
Open a LSA connection to a DC, suiteable for LSA lookup calls.
|
||||
****************************************************************************/
|
||||
|
||||
NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
|
||||
struct rpc_pipe_client **cli)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
if (domain->active_directory && domain->can_do_ncacn_ip_tcp) {
|
||||
status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
|
||||
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
|
||||
NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
|
||||
NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
|
||||
invalidate_cm_connection(domain);
|
||||
status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
|
||||
}
|
||||
if (NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
/*
|
||||
* we tried twice to connect via ncan_ip_tcp and schannel and
|
||||
* failed - maybe it is a trusted domain we can't connect to ?
|
||||
* do not try tcp next time - gd
|
||||
*
|
||||
* This also prevents LSA over TCP
|
||||
*/
|
||||
domain->can_do_ncacn_ip_tcp = false;
|
||||
}
|
||||
|
||||
status = cm_connect_netlogon_transport(domain, NCACN_NP, cli);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
|
||||
void *private_data,
|
||||
uint32_t msg_type,
|
||||
|
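Review bot: In the new `cm_connect_netlogon`, every non-OK status from the NCACN_IP_TCP attempt clears `domain->can_do_ncacn_ip_tcp`, not only the three access/security statuses that trigger the retry. A transient failure therefore also moves LSA for this domain to named pipes (the flag is shared, as the comment added in `cm_connect_lsat` notes), and nothing is logged when that happens. Where the flag is set again is not visible in this diff, so at least log the fallback before clearing it, e.g. `DEBUG(3, ("%s: NETLOGON over NCACN_IP_TCP to %s failed: %s, using NCACN_NP\n", __FUNCTION__, domain->name, nt_errstr(status)));`. The banner comment above the function is copied from the LSA variant and should read something like `Open a NETLOGON connection to a DC, trying NCACN_IP_TCP before NCACN_NP.`. The inline "we tried twice" comment is accurate only when one of the three retry statuses was returned.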