author | Andrew Bartlett <abartlet@samba.org> | 2014-09-05 16:59:00 +1200 |
committer | Andrew Bartlett <abartlet@samba.org> | 2014-10-08 12:48:15 +0200 |
commit | ae72733874f474c24fdeb5d9bc718ddf9abf4b8f (patch) | |
tree | 109126e9ab4797912d091f285d3a868d1d31c253 /source3 | |
parent | e94422a8acf4a812ed19ddd63b42789df49a3f00 (diff) | |
download | samba-ae72733874f474c24fdeb5d9bc718ddf9abf4b8f.tar.gz |
s3-winbindd: Attempt to connect to NETLOGON over NCACN_IP_TCP if we can
This is very helpful in the trusted domain situation, as we may not
have a two-way trust but we can use our domain trust account to set up
a connection to NETLOGON
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct 8 12:48:15 CEST 2014 on sn-devel-104
Diffstat (limited to 'source3')
-rw-r--r-- | source3/auth/auth_domain.c | 2 | ||||
-rw-r--r-- | source3/libnet/libnet_join.c | 4 | ||||
-rw-r--r-- | source3/rpc_client/cli_netlogon.c | 8 | ||||
-rw-r--r-- | source3/rpc_client/cli_netlogon.h | 2 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe_schannel.c | 2 | ||||
-rw-r--r-- | source3/rpcclient/rpcclient.c | 2 | ||||
-rw-r--r-- | source3/winbindd/winbindd_cm.c | 54 |
7 files changed, 59 insertions, 15 deletions
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 937841c29cc..373b596d69c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -148,7 +148,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret, return result; } - result = rpccli_setup_netlogon_creds(cli, + result = rpccli_setup_netlogon_creds(cli, NCACN_NP, netlogon_creds, false, /* force_reauth */ current_nt_hash, diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index e70e11a852d..be953aea79a 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -983,7 +983,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx, return status; } - status = rpccli_setup_netlogon_creds(cli, + status = rpccli_setup_netlogon_creds(cli, NCACN_NP, netlogon_creds, true, /* force_reauth */ current_nt_hash, @@ -1444,7 +1444,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, return status; } - status = rpccli_setup_netlogon_creds(cli, + status = rpccli_setup_netlogon_creds(cli, NCACN_NP, netlogon_creds, true, /* force_reauth */ current_nt_hash, diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 7063351ef8a..a5ea02cfa84 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -125,6 +125,7 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer, } NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli, + enum dcerpc_transport_t transport, struct netlogon_creds_cli_context *netlogon_creds, bool force_reauth, struct samr_Password current_nt_hash, 
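Review bot: The new `transport` parameter of rpccli_setup_netlogon_creds is undocumented at the definition in the cli_netlogon.c hunk at @@ -125 and likewise at the prototype in the cli_netlogon.h hunk at @@ -39; callers now pick between NCACN_NP and NCACN_IP_TCP with no stated contract for what the choice governs. From the following hunk it governs only the transport handed to cli_rpc_pipe_open_noauth_transport() for the unauthenticated NETLOGON pipe, with auth_domain.c, libnet_join.c and rpcclient.c passing NCACN_NP and cli_pipe_schannel.c forwarding its own `transport`. Suggest a comment above the prototype: `/* transport: DCE/RPC transport (NCACN_NP or NCACN_IP_TCP) used for the noauth NETLOGON pipe; no transport fallback is done here */`. The body of rpccli_setup_netlogon_creds continues outside this hunk.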
@@ -155,9 +156,10 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli, TALLOC_FREE(creds); } - status = cli_rpc_pipe_open_noauth(cli, - &ndr_table_netlogon, - &netlogon_pipe); + status = cli_rpc_pipe_open_noauth_transport(cli, + transport, + &ndr_table_netlogon, + &netlogon_pipe); if (!NT_STATUS_IS_OK(status)) { DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n", __FUNCTION__, diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h index fee08016d5d..cc4033e0804 100644 --- a/source3/rpc_client/cli_netlogon.h +++ b/source3/rpc_client/cli_netlogon.h @@ -27,6 +27,7 @@ struct cli_state; struct messaging_context; struct netlogon_creds_cli_context; struct dcerpc_binding_handle; +#include "librpc/rpc/rpc_common.h" /* The following definitions come from rpc_client/cli_netlogon.c */ @@ -39,6 +40,7 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer, TALLOC_CTX *mem_ctx, struct netlogon_creds_cli_context **netlogon_creds); NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli, + enum dcerpc_transport_t transport, struct netlogon_creds_cli_context *netlogon_creds, bool force_reauth, struct samr_Password current_nt_hash, diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c index a8423337cb5..7b53cf08bbb 100644 --- a/source3/rpc_client/cli_pipe_schannel.c +++ b/source3/rpc_client/cli_pipe_schannel.c @@ -90,7 +90,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, return status; } - status = rpccli_setup_netlogon_creds(cli, + status = rpccli_setup_netlogon_creds(cli, transport, netlogon_creds, false, /* force_reauth */ current_nt_hash, diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 7b190c15e1d..a573106d6e1 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c 
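Review bot: The DEBUG(5) message emitted when cli_rpc_pipe_open_noauth_transport() fails does not say which transport was tried, so an NCACN_IP_TCP failure that winbindd later retries over NCACN_NP produces two identical-looking log lines and the operator cannot tell which leg failed. Suggest folding the transport into the message, e.g. `"%s: failed to open noauth netlogon connection to %s (transport %d) - %s\n"` with `(int)transport` added after the server argument; the argument list and the rest of rpccli_setup_netlogon_creds continue outside the hunk.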
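Review bot: The added `#include "librpc/rpc/rpc_common.h"` in cli_netlogon.h at @@ -27 sits below the forward `struct` declarations rather than with the header's other includes, which presumably live above line 27 outside this hunk. Moving it up keeps the include block in one place and makes the new dependency on `enum dcerpc_transport_t` visible at the top of the header; if it must stay here, a one-line comment such as `/* for enum dcerpc_transport_t */` would explain why it is separated from the rest.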
@@ -805,7 +805,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, return ntresult; } - ntresult = rpccli_setup_netlogon_creds(cli, + ntresult = rpccli_setup_netlogon_creds(cli, NCACN_NP, rpcclient_netlogon_creds, false, /* force_reauth */ current_nt_hash, diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 96c45775628..24ff1f7f903 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2947,6 +2947,8 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain, * we tried twice to connect via ncan_ip_tcp and schannel and * failed - maybe it is a trusted domain we can't connect to ? * do not try tcp next time - gd + * + * This also prevents NETLOGON over TCP */ domain->can_do_ncacn_ip_tcp = false; } @@ -2961,8 +2963,9 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain, session key stored in conn->netlogon_pipe->dc->sess_key. ****************************************************************************/ -NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, - struct rpc_pipe_client **cli) +static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, + enum dcerpc_transport_t transport, + struct rpc_pipe_client **cli) { struct messaging_context *msg_ctx = winbind_messaging_context(); struct winbindd_cm_conn *conn; @@ -3028,7 +3031,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, return result; } - result = rpccli_setup_netlogon_creds(conn->cli, + result = rpccli_setup_netlogon_creds(conn->cli, transport, conn->netlogon_creds, conn->netlogon_force_reauth, current_nt_hash, 
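Review bot: The function renamed to cm_connect_netlogon_transport in the winbindd_cm.c hunk at @@ -2961 keeps its previous header comment, whose opening lines are above the hunk and whose visible tail still describes the session key in conn->netlogon_pipe->dc->sess_key, but nothing describes the new `transport` parameter or that transport fallback is now the caller's job. Suggest adding to that comment `transport: NCACN_IP_TCP or NCACN_NP; no fallback is attempted here, cm_connect_netlogon() decides the order and retries.` The remainder of the function body continues outside this hunk.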
@@ -3066,9 +3069,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, invalidate_cm_connection(domain); return result; } - result = cli_rpc_pipe_open_noauth(conn->cli, - &ndr_table_netlogon, - &conn->netlogon_pipe); + result = cli_rpc_pipe_open_noauth_transport(conn->cli, + transport, + &ndr_table_netlogon, + &conn->netlogon_pipe); if (!NT_STATUS_IS_OK(result)) { invalidate_cm_connection(domain); return result; @@ -3084,7 +3088,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, */ result = cli_rpc_pipe_open_schannel_with_key( - conn->cli, &ndr_table_netlogon, NCACN_NP, + conn->cli, &ndr_table_netlogon, transport, domain->name, conn->netlogon_creds, &conn->netlogon_pipe); 
@@ -3100,6 +3104,42 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, return NT_STATUS_OK; } +/**************************************************************************** +Open a LSA connection to a DC, suiteable for LSA lookup calls. +****************************************************************************/ + +NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, + struct rpc_pipe_client **cli) +{ + NTSTATUS status; + + if (domain->active_directory && domain->can_do_ncacn_ip_tcp) { + status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli); + if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || + NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) || + NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { + invalidate_cm_connection(domain); + status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli); + } + if (NT_STATUS_IS_OK(status)) { + return status; + } + + /* + * we tried twice to connect via ncan_ip_tcp and schannel and + * failed - maybe it is a trusted domain we can't connect to ? + * do not try tcp next time - gd + * + * This also prevents LSA over TCP + */ + domain->can_do_ncacn_ip_tcp = false; + } + + status = cm_connect_netlogon_transport(domain, NCACN_NP, cli); + + return status; +} + void winbind_msg_ip_dropped(struct messaging_context *msg_ctx, void *private_data, uint32_t msg_type, |
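Review bot: The block comment above the new cm_connect_netlogon reads `Open a LSA connection to a DC, suiteable for LSA lookup calls.`, which is the cm_connect_lsat header carried over; this function opens NETLOGON, so suggest `Open a NETLOGON connection to a DC: try NCACN_IP_TCP first for AD domains while can_do_ncacn_ip_tcp is set, and fall back to NCACN_NP otherwise or on failure.` Note also that `domain->can_do_ncacn_ip_tcp = false;` is reached for every non-OK status from the TCP attempt, not only the three access-denied-type statuses that trigger the single retry, so a transient error such as a timeout pins this domain to NCACN_NP from then on. Whether anything later resets the flag is not visible here, and the same pattern already exists in cm_connect_lsat, so this may be intentional, but it deserves a comment such as `/* any TCP failure, transient or not, disables TCP for this domain until the flag is reset */`.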