/*
Unix SMB/CIFS implementation.
Winbind daemon connection manager
Copyright (C) Tim Potter 2001
Copyright (C) Andrew Bartlett 2002
Copyright (C) Gerald (Jerry) Carter 2003-2005.
Copyright (C) Volker Lendecke 2004-2005
Copyright (C) Jeremy Allison 2006
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see .
*/
/*
We need to manage connections to domain controllers without having to
mess up the main winbindd code with other issues. The aim of the
connection manager is to:
- make connections to domain controllers and cache them
- re-establish connections when networks or servers go down
- centralise the policy on connection timeouts, domain controller
selection etc
- manage re-entrancy for when winbindd becomes able to handle
multiple outstanding rpc requests
Why not have connection management as part of the rpc layer like tng?
Good question. This code may morph into libsmb/rpc_cache.c or something
like that but at the moment it's simply staying as part of winbind. I
think the TNG architecture of forcing every user of the rpc layer to use
the connection caching system is a bad idea. It should be an optional
method of using the routines.
The TNG design is quite good but I disagree with some aspects of the
implementation. -tpot
*/
/*
TODO:
- I'm pretty annoyed by all the make_nmb_name() stuff. It should be
moved down into another function.
- Take care when destroying cli_structs as they can be shared between
various sam handles.
*/
#include "includes.h"
#include "winbindd.h"
#include "../libcli/auth/libcli_auth.h"
#include "../librpc/gen_ndr/ndr_netlogon_c.h"
#include "rpc_client/cli_pipe.h"
#include "rpc_client/cli_netlogon.h"
#include "../librpc/gen_ndr/ndr_samr_c.h"
#include "../librpc/gen_ndr/ndr_lsa_c.h"
#include "rpc_client/cli_lsarpc.h"
#include "../librpc/gen_ndr/ndr_dssetup_c.h"
#include "libads/sitename_cache.h"
#include "libsmb/libsmb.h"
#include "libsmb/clidgram.h"
#include "ads.h"
#include "secrets.h"
#include "../libcli/security/security.h"
#include "passdb.h"
#include "messages.h"
#include "auth/gensec/gensec.h"
#include "../libcli/smb/smbXcli_base.h"
#include "libcli/auth/netlogon_creds_cli.h"
#include "auth.h"
#include "rpc_server/rpc_ncacn_np.h"
#include "auth/credentials/credentials.h"
#include "lib/param/param.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
struct dc_name_ip {
fstring name;
struct sockaddr_storage ss;
};
extern struct winbindd_methods reconnect_methods;
extern bool override_logfile;
static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc);
static void set_dc_type_and_flags( struct winbindd_domain *domain );
static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain );
static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
struct dc_name_ip **dcs, int *num_dcs);
/****************************************************************
Child failed to find DC's. Reschedule check.
****************************************************************/
static void msg_failed_to_go_online(struct messaging_context *msg,
void *private_data,
uint32_t msg_type,
struct server_id server_id,
DATA_BLOB *data)
{
struct winbindd_domain *domain;
const char *domainname = (const char *)data->data;
if (data->data == NULL || data->length == 0) {
return;
}
DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname));
for (domain = domain_list(); domain; domain = domain->next) {
if (domain->internal) {
continue;
}
if (strequal(domain->name, domainname)) {
if (domain->online) {
/* We're already online, ignore. */
DEBUG(5,("msg_fail_to_go_online: domain %s "
"already online.\n", domainname));
continue;
}
/* Reschedule the online check. */
set_domain_offline(domain);
break;
}
}
}
/****************************************************************
Actually cause a reconnect from a message.
****************************************************************/
static void msg_try_to_go_online(struct messaging_context *msg,
void *private_data,
uint32_t msg_type,
struct server_id server_id,
DATA_BLOB *data)
{
struct winbindd_domain *domain;
const char *domainname = (const char *)data->data;
if (data->data == NULL || data->length == 0) {
return;
}
DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname));
for (domain = domain_list(); domain; domain = domain->next) {
if (domain->internal) {
continue;
}
if (strequal(domain->name, domainname)) {
if (domain->online) {
/* We're already online, ignore. */
DEBUG(5,("msg_try_to_go_online: domain %s "
"already online.\n", domainname));
continue;
}
/* This call takes care of setting the online
flag to true if we connected, or re-adding
the offline handler if false. Bypasses online
check so always does network calls. */
init_dc_connection_network(domain, true);
break;
}
}
}
/****************************************************************
Fork a child to try and contact a DC. Do this as contacting a
DC requires blocking lookups and we don't want to block our
parent.
****************************************************************/
static bool fork_child_dc_connect(struct winbindd_domain *domain)
{
struct dc_name_ip *dcs = NULL;
int num_dcs = 0;
TALLOC_CTX *mem_ctx = NULL;
pid_t parent_pid = getpid();
char *lfile = NULL;
NTSTATUS status;
if (domain->dc_probe_pid != (pid_t)-1) {
/*
* We might already have a DC probe
* child working, check.
*/
if (process_exists_by_pid(domain->dc_probe_pid)) {
DEBUG(10,("fork_child_dc_connect: pid %u already "
"checking for DC's.\n",
(unsigned int)domain->dc_probe_pid));
return true;
}
domain->dc_probe_pid = (pid_t)-1;
}
domain->dc_probe_pid = fork();
if (domain->dc_probe_pid == (pid_t)-1) {
DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
return False;
}
if (domain->dc_probe_pid != (pid_t)0) {
/* Parent */
messaging_register(winbind_messaging_context(), NULL,
MSG_WINBIND_TRY_TO_GO_ONLINE,
msg_try_to_go_online);
messaging_register(winbind_messaging_context(), NULL,
MSG_WINBIND_FAILED_TO_GO_ONLINE,
msg_failed_to_go_online);
return True;
}
/* Child. */
/* Leave messages blocked - we will never process one. */
if (!override_logfile) {
if (asprintf(&lfile, "%s/log.winbindd-dc-connect", get_dyn_LOGFILEBASE()) == -1) {
DEBUG(0, ("fork_child_dc_connect: out of memory.\n"));
_exit(1);
}
}
status = winbindd_reinit_after_fork(NULL, lfile);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("winbindd_reinit_after_fork failed: %s\n",
nt_errstr(status)));
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(parent_pid),
MSG_WINBIND_FAILED_TO_GO_ONLINE,
(const uint8_t *)domain->name,
strlen(domain->name)+1);
_exit(1);
}
SAFE_FREE(lfile);
mem_ctx = talloc_init("fork_child_dc_connect");
if (!mem_ctx) {
DEBUG(0,("talloc_init failed.\n"));
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(parent_pid),
MSG_WINBIND_FAILED_TO_GO_ONLINE,
(const uint8_t *)domain->name,
strlen(domain->name)+1);
_exit(1);
}
if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) {
/* Still offline ? Can't find DC's. */
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(parent_pid),
MSG_WINBIND_FAILED_TO_GO_ONLINE,
(const uint8_t *)domain->name,
strlen(domain->name)+1);
_exit(0);
}
/* We got a DC. Send a message to our parent to get it to
try and do the same. */
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(parent_pid),
MSG_WINBIND_TRY_TO_GO_ONLINE,
(const uint8_t *)domain->name,
strlen(domain->name)+1);
_exit(0);
}
/****************************************************************
Handler triggered if we're offline to try and detect a DC.
****************************************************************/
static void check_domain_online_handler(struct tevent_context *ctx,
struct tevent_timer *te,
struct timeval now,
void *private_data)
{
struct winbindd_domain *domain =
(struct winbindd_domain *)private_data;
DEBUG(10,("check_domain_online_handler: called for domain "
"%s (online = %s)\n", domain->name,
domain->online ? "True" : "False" ));
TALLOC_FREE(domain->check_online_event);
/* Are we still in "startup" mode ? */
if (domain->startup && (time_mono(NULL) > domain->startup_time + 30)) {
/* No longer in "startup" mode. */
DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n",
domain->name ));
domain->startup = False;
}
/* We've been told to stay offline, so stay
that way. */
if (get_global_winbindd_state_offline()) {
DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n",
domain->name ));
return;
}
/* Fork a child to test if it can contact a DC.
If it can then send ourselves a message to
cause a reconnect. */
fork_child_dc_connect(domain);
}
/****************************************************************
If we're still offline setup the timeout check.
****************************************************************/
static void calc_new_online_timeout_check(struct winbindd_domain *domain)
{
int wbr = lp_winbind_reconnect_delay();
if (domain->startup) {
domain->check_online_timeout = 10;
} else if (domain->check_online_timeout < wbr) {
domain->check_online_timeout = wbr;
}
}
void winbind_msg_domain_offline(struct messaging_context *msg_ctx,
void *private_data,
uint32_t msg_type,
struct server_id server_id,
DATA_BLOB *data)
{
const char *domain_name = (const char *)data->data;
struct winbindd_domain *domain;
domain = find_domain_from_name_noinit(domain_name);
if (domain == NULL) {
return;
}
domain->online = false;
DEBUG(10, ("Domain %s is marked as offline now.\n",
domain_name));
}
void winbind_msg_domain_online(struct messaging_context *msg_ctx,
void *private_data,
uint32_t msg_type,
struct server_id server_id,
DATA_BLOB *data)
{
const char *domain_name = (const char *)data->data;
struct winbindd_domain *domain;
domain = find_domain_from_name_noinit(domain_name);
if (domain == NULL) {
return;
}
domain->online = true;
DEBUG(10, ("Domain %s is marked as online now.\n",
domain_name));
}
/****************************************************************
Set domain offline and also add handler to put us back online
if we detect a DC.
****************************************************************/
void set_domain_offline(struct winbindd_domain *domain)
{
pid_t parent_pid = getppid();
DEBUG(10,("set_domain_offline: called for domain %s\n",
domain->name ));
TALLOC_FREE(domain->check_online_event);
if (domain->internal) {
DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
domain->name ));
return;
}
domain->online = False;
/* Offline domains are always initialized. They're
re-initialized when they go back online. */
domain->initialized = True;
/* We only add the timeout handler that checks and
allows us to go back online when we've not
been told to remain offline. */
if (get_global_winbindd_state_offline()) {
DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n",
domain->name ));
return;
}
/* If we're in startup mode, check again in 10 seconds, not in
lp_winbind_reconnect_delay() seconds (which is 30 seconds by default). */
calc_new_online_timeout_check(domain);
domain->check_online_event = tevent_add_timer(winbind_event_context(),
NULL,
timeval_current_ofs(domain->check_online_timeout,0),
check_domain_online_handler,
domain);
/* The above *has* to succeed for winbindd to work. */
if (!domain->check_online_event) {
smb_panic("set_domain_offline: failed to add online handler");
}
DEBUG(10,("set_domain_offline: added event handler for domain %s\n",
domain->name ));
/* Send a message to the parent that the domain is offline. */
if (parent_pid > 1 && !domain->internal) {
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(parent_pid),
MSG_WINBIND_DOMAIN_OFFLINE,
(uint8 *)domain->name,
strlen(domain->name) + 1);
}
/* Send an offline message to the idmap child when our
primary domain goes offline */
if ( domain->primary ) {
struct winbindd_child *idmap = idmap_child();
if ( idmap->pid != 0 ) {
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(idmap->pid),
MSG_WINBIND_OFFLINE,
(const uint8_t *)domain->name,
strlen(domain->name)+1);
}
}
return;
}
/****************************************************************
Set domain online - if allowed.
****************************************************************/
static void set_domain_online(struct winbindd_domain *domain)
{
pid_t parent_pid = getppid();
DEBUG(10,("set_domain_online: called for domain %s\n",
domain->name ));
if (domain->internal) {
DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
domain->name ));
return;
}
if (get_global_winbindd_state_offline()) {
DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
domain->name ));
return;
}
winbindd_set_locator_kdc_envs(domain);
/* If we are waiting to get a krb5 ticket, trigger immediately. */
ccache_regain_all_now();
/* Ok, we're out of any startup mode now... */
domain->startup = False;
if (domain->online == False) {
/* We were offline - now we're online. We default to
using the MS-RPC backend if we started offline,
and if we're going online for the first time we
should really re-initialize the backends and the
checks to see if we're talking to an AD or NT domain.
*/
domain->initialized = False;
/* 'reconnect_methods' is the MS-RPC backend. */
if (domain->backend == &reconnect_methods) {
domain->backend = NULL;
}
}
/* Ensure we have no online timeout checks. */
domain->check_online_timeout = 0;
TALLOC_FREE(domain->check_online_event);
/* Ensure we ignore any pending child messages. */
messaging_deregister(winbind_messaging_context(),
MSG_WINBIND_TRY_TO_GO_ONLINE, NULL);
messaging_deregister(winbind_messaging_context(),
MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL);
domain->online = True;
/* Send a message to the parent that the domain is online. */
if (parent_pid > 1 && !domain->internal) {
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(parent_pid),
MSG_WINBIND_DOMAIN_ONLINE,
(uint8 *)domain->name,
strlen(domain->name) + 1);
}
/* Send an online message to the idmap child when our
primary domain comes online */
if ( domain->primary ) {
struct winbindd_child *idmap = idmap_child();
if ( idmap->pid != 0 ) {
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(idmap->pid),
MSG_WINBIND_ONLINE,
(const uint8_t *)domain->name,
strlen(domain->name)+1);
}
}
return;
}
/****************************************************************
Requested to set a domain online.
****************************************************************/
void set_domain_online_request(struct winbindd_domain *domain)
{
struct timeval tev;
DEBUG(10,("set_domain_online_request: called for domain %s\n",
domain->name ));
if (get_global_winbindd_state_offline()) {
DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
domain->name ));
return;
}
if (domain->internal) {
DEBUG(10, ("set_domain_online_request: Internal domains are "
"always online\n"));
return;
}
/* We've been told it's safe to go online and
try and connect to a DC. But I don't believe it
because network manager seems to lie.
Wait at least 5 seconds. Heuristics suck... */
GetTimeOfDay(&tev);
/* Go into "startup" mode again. */
domain->startup_time = time_mono(NULL);
domain->startup = True;
tev.tv_sec += 5;
if (!domain->check_online_event) {
/* If we've come from being globally offline we
don't have a check online event handler set.
We need to add one now we're trying to go
back online. */
DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n",
domain->name ));
}
TALLOC_FREE(domain->check_online_event);
domain->check_online_event = tevent_add_timer(winbind_event_context(),
NULL,
tev,
check_domain_online_handler,
domain);
/* The above *has* to succeed for winbindd to work. */
if (!domain->check_online_event) {
smb_panic("set_domain_online_request: failed to add online handler");
}
}
/****************************************************************
Add -ve connection cache entries for domain and realm.
****************************************************************/
static void winbind_add_failed_connection_entry(
const struct winbindd_domain *domain,
const char *server,
NTSTATUS result)
{
add_failed_connection_entry(domain->name, server, result);
/* If this was the saf name for the last thing we talked to,
remove it. */
saf_delete(domain->name);
if (domain->alt_name != NULL) {
add_failed_connection_entry(domain->alt_name, server, result);
saf_delete(domain->alt_name);
}
winbindd_unset_locator_kdc_env(domain);
}
/* Choose between anonymous or authenticated connections. We need to use
an authenticated connection if DCs have the RestrictAnonymous registry
entry set > 0, or the "Additional restrictions for anonymous
connections" set in the win2k Local Security Policy.
Caller to free() result in domain, username, password
*/
static void cm_get_ipc_userpass(char **username, char **domain, char **password)
{
*username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
*domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
*password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
if (*username && **username) {
if (!*domain || !**domain)
*domain = smb_xstrdup(lp_workgroup());
if (!*password || !**password)
*password = smb_xstrdup("");
DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
*domain, *username));
} else {
DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
*username = smb_xstrdup("");
*domain = smb_xstrdup("");
*password = smb_xstrdup("");
}
}
static NTSTATUS cm_get_ipc_credentials(TALLOC_CTX *mem_ctx,
struct cli_credentials **_creds)
{
TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
struct loadparm_context *lp_ctx;
char *username = NULL;
char *netbios_domain = NULL;
char *password = NULL;
struct cli_credentials *creds = NULL;
bool ok;
cm_get_ipc_userpass(&username, &netbios_domain, &password);
lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
if (lp_ctx == NULL) {
DEBUG(1, ("loadparm_init_s3 failed\n"));
status = NT_STATUS_INTERNAL_ERROR;
goto fail;
}
creds = cli_credentials_init(mem_ctx);
if (creds == NULL) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
cli_credentials_set_conf(creds, lp_ctx);
cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
if (!ok) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
ok = cli_credentials_set_username(creds, username, CRED_SPECIFIED);
if (!ok) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
ok = cli_credentials_set_password(creds, password, CRED_SPECIFIED);
if (!ok) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
*_creds = creds;
creds = NULL;
status = NT_STATUS_OK;
fail:
TALLOC_FREE(creds);
SAFE_FREE(username);
SAFE_FREE(netbios_domain);
SAFE_FREE(password);
TALLOC_FREE(frame);
return status;
}
static bool cm_is_ipc_credentials(struct cli_credentials *creds)
{
TALLOC_CTX *frame = talloc_stackframe();
char *ipc_account = NULL;
char *ipc_domain = NULL;
char *ipc_password = NULL;
const char *creds_account = NULL;
const char *creds_domain = NULL;
const char *creds_password = NULL;
bool ret = false;
cm_get_ipc_userpass(&ipc_account, &ipc_domain, &ipc_password);
creds_account = cli_credentials_get_username(creds);
creds_domain = cli_credentials_get_domain(creds);
creds_password = cli_credentials_get_password(creds);
if (!strequal(ipc_domain, creds_domain)) {
goto done;
}
if (!strequal(ipc_account, creds_account)) {
goto done;
}
if (!strcsequal(ipc_password, creds_password)) {
goto done;
}
ret = true;
done:
SAFE_FREE(ipc_account);
SAFE_FREE(ipc_domain);
SAFE_FREE(ipc_password);
TALLOC_FREE(frame);
return ret;
}
static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
fstring dcname,
struct sockaddr_storage *dc_ss)
{
struct winbindd_domain *our_domain = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
NTSTATUS result;
WERROR werr;
TALLOC_CTX *mem_ctx;
unsigned int orig_timeout;
const char *tmp = NULL;
const char *p;
struct dcerpc_binding_handle *b;
/* Hmmmm. We can only open one connection to the NETLOGON pipe at the
* moment.... */
if (IS_DC) {
return False;
}
if (domain->primary) {
return False;
}
our_domain = find_our_domain();
if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
return False;
}
result = cm_connect_netlogon(our_domain, &netlogon_pipe);
if (!NT_STATUS_IS_OK(result)) {
talloc_destroy(mem_ctx);
return False;
}
b = netlogon_pipe->binding_handle;
/* This call can take a long time - allow the server to time out.
35 seconds should do it. */
orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
if (our_domain->active_directory) {
struct netr_DsRGetDCNameInfo *domain_info = NULL;
result = dcerpc_netr_DsRGetDCName(b,
mem_ctx,
our_domain->dcname,
domain->name,
NULL,
NULL,
DS_RETURN_DNS_NAME,
&domain_info,
&werr);
if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
tmp = talloc_strdup(
mem_ctx, domain_info->dc_unc);
if (tmp == NULL) {
DEBUG(0, ("talloc_strdup failed\n"));
talloc_destroy(mem_ctx);
return false;
}
if (domain->alt_name == NULL) {
domain->alt_name = talloc_strdup(domain,
domain_info->domain_name);
if (domain->alt_name == NULL) {
DEBUG(0, ("talloc_strdup failed\n"));
talloc_destroy(mem_ctx);
return false;
}
}
if (domain->forest_name == NULL) {
domain->forest_name = talloc_strdup(domain,
domain_info->forest_name);
if (domain->forest_name == NULL) {
DEBUG(0, ("talloc_strdup failed\n"));
talloc_destroy(mem_ctx);
return false;
}
}
}
} else {
result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
our_domain->dcname,
domain->name,
&tmp,
&werr);
}
/* And restore our original timeout. */
rpccli_set_timeout(netlogon_pipe, orig_timeout);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
nt_errstr(result)));
talloc_destroy(mem_ctx);
return false;
}
if (!W_ERROR_IS_OK(werr)) {
DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
win_errstr(werr)));
talloc_destroy(mem_ctx);
return false;
}
/* dcerpc_netr_GetAnyDCName gives us a name with \\ */
p = strip_hostname(tmp);
fstrcpy(dcname, p);
talloc_destroy(mem_ctx);
DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
if (!resolve_name(dcname, dc_ss, 0x20, true)) {
return False;
}
return True;
}
/**
* Helper function to assemble trust password and account name
*/
static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
bool netlogon,
struct cli_credentials **_creds)
{
const struct winbindd_domain *creds_domain = NULL;
struct cli_credentials *creds;
NTSTATUS status;
bool force_machine_account = false;
/* If we are a DC and this is not our own domain */
if (!domain->active_directory) {
if (!netlogon) {
/*
* For non active directory domains
* we can only use NTLMSSP for SMB.
*
* But the trust account is not allowed
* to use SMB with NTLMSSP.
*/
force_machine_account = true;
}
}
if (IS_DC && !force_machine_account) {
creds_domain = domain;
} else {
creds_domain = find_our_domain();
if (creds_domain == NULL) {
return NT_STATUS_INVALID_SERVER_STATE;
}
}
status = pdb_get_trust_credentials(creds_domain->name,
creds_domain->alt_name,
mem_ctx,
&creds);
if (!NT_STATUS_IS_OK(status)) {
goto ipc_fallback;
}
if (domain->primary && lp_security() == SEC_ADS) {
cli_credentials_set_kerberos_state(creds,
CRED_AUTO_USE_KERBEROS);
} else if (domain->active_directory) {
cli_credentials_set_kerberos_state(creds,
CRED_MUST_USE_KERBEROS);
} else {
cli_credentials_set_kerberos_state(creds,
CRED_DONT_USE_KERBEROS);
}
if (creds_domain != domain) {
/*
* We can only use schannel against a direct trust
*/
cli_credentials_set_secure_channel_type(creds,
SEC_CHAN_NULL);
}
*_creds = creds;
return NT_STATUS_OK;
ipc_fallback:
if (netlogon) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
status = cm_get_ipc_credentials(mem_ctx, &creds);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
*_creds = creds;
return NT_STATUS_OK;
}
/************************************************************************
Given a fd with a just-connected TCP connection to a DC, open a connection
to the pipe.
************************************************************************/
static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
const int sockfd,
const char *controller,
struct cli_state **cli,
bool *retry)
{
bool try_ipc_auth = false;
const char *machine_password = NULL;
const char *machine_krb5_principal = NULL;
const char *machine_account = NULL;
const char *machine_domain = NULL;
int flags = 0;
struct cli_credentials *creds = NULL;
enum credentials_use_kerberos krb5_state;
struct named_mutex *mutex;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
enum smb_signing_setting smb_sign_client_connections = lp_client_signing();
if (smb_sign_client_connections == SMB_SIGNING_DEFAULT) {
/*
* If we are connecting to our own AD domain, require
* smb signing to disrupt MITM attacks
*/
if (domain->primary && lp_security() == SEC_ADS) {
smb_sign_client_connections = SMB_SIGNING_REQUIRED;
/*
* If we are in or are an AD domain and connecting to another
* AD domain in our forest
* then require smb signing to disrupt MITM attacks
*/
} else if ((lp_security() == SEC_ADS ||
lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)
&& domain->active_directory
&& (domain->domain_trust_attribs
& LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)) {
smb_sign_client_connections = SMB_SIGNING_REQUIRED;
}
}
DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
controller, domain->name ));
*retry = True;
mutex = grab_named_mutex(talloc_tos(), controller,
WINBIND_SERVER_MUTEX_WAIT_TIME);
if (mutex == NULL) {
close(sockfd);
DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
controller));
result = NT_STATUS_POSSIBLE_DEADLOCK;
goto done;
}
flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
*cli = cli_state_create(NULL, sockfd,
controller, domain->alt_name,
smb_sign_client_connections, flags);
if (*cli == NULL) {
close(sockfd);
DEBUG(1, ("Could not cli_initialize\n"));
result = NT_STATUS_NO_MEMORY;
goto done;
}
cli_set_timeout(*cli, 10000); /* 10 seconds */
result = smbXcli_negprot((*cli)->conn, (*cli)->timeout,
lp_client_min_protocol(),
lp_winbindd_max_protocol());
if (!NT_STATUS_IS_OK(result)) {
DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
goto done;
}
if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_NT1 &&
smb1cli_conn_capabilities((*cli)->conn) & CAP_EXTENDED_SECURITY) {
try_ipc_auth = true;
} else if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
try_ipc_auth = true;
} else if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
/*
* If we are forcing on SMB signing, then we must
* require authentication unless this is a one-way
* trust, and we have no stored user/password
*/
try_ipc_auth = true;
}
if (try_ipc_auth) {
result = get_trust_credentials(domain, talloc_tos(), false, &creds);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(1, ("get_trust_credentials(%s) failed: %s\n",
domain->name, nt_errstr(result)));
goto done;
}
} else {
/*
* Without SPNEGO or NTLMSSP (perhaps via SMB2) we
* would try and authentication with our machine
* account password and fail. This is very rare in
* the modern world however
*/
creds = cli_credentials_init_anon(talloc_tos());
if (creds == NULL) {
result = NT_STATUS_NO_MEMORY;
DEBUG(1, ("cli_credentials_init_anon(%s) failed: %s\n",
domain->name, nt_errstr(result)));
goto done;
}
}
krb5_state = cli_credentials_get_kerberos_state(creds);
machine_krb5_principal = cli_credentials_get_principal(creds,
talloc_tos());
if (machine_krb5_principal == NULL) {
krb5_state = CRED_DONT_USE_KERBEROS;
}
machine_account = cli_credentials_get_username(creds);
machine_password = cli_credentials_get_password(creds);
machine_domain = cli_credentials_get_domain(creds);
if (krb5_state != CRED_DONT_USE_KERBEROS) {
/* Try a krb5 session */
(*cli)->use_kerberos = True;
DEBUG(5, ("connecting to %s from %s with kerberos principal "
"[%s] and realm [%s]\n", controller, lp_netbios_name(),
machine_krb5_principal, domain->alt_name));
winbindd_set_locator_kdc_envs(domain);
result = cli_session_setup(*cli,
machine_krb5_principal,
machine_password,
strlen(machine_password)+1,
machine_password,
strlen(machine_password)+1,
machine_domain);
if (NT_STATUS_IS_OK(result)) {
goto session_setup_done;
}
DEBUG(4,("failed kerberos session setup with %s\n",
nt_errstr(result)));
}
if (krb5_state != CRED_MUST_USE_KERBEROS) {
/* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
(*cli)->use_kerberos = False;
DEBUG(5, ("connecting to %s from %s using NTLMSSP with username "
"[%s]\\[%s]\n", controller, lp_netbios_name(),
machine_domain, machine_account));
result = cli_session_setup(*cli,
machine_account,
machine_password,
strlen(machine_password)+1,
machine_password,
strlen(machine_password)+1,
machine_domain);
}
if (NT_STATUS_IS_OK(result)) {
goto session_setup_done;
}
/*
* If we are not going to validiate the conneciton
* with SMB signing, then allow us to fall back to
* anonymous
*/
if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
|| NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
|| NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
|| NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
|| NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
{
if (cli_credentials_is_anonymous(creds)) {
goto done;
}
if (!cm_is_ipc_credentials(creds)) {
goto ipc_fallback;
}
if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
goto done;
}
goto anon_fallback;
}
DEBUG(4, ("authenticated session setup failed with %s\n",
nt_errstr(result)));
goto done;
ipc_fallback:
result = cm_get_ipc_credentials(talloc_tos(), &creds);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
if (cli_credentials_is_anonymous(creds)) {
TALLOC_FREE(creds);
goto anon_fallback;
}
machine_account = cli_credentials_get_username(creds);
machine_password = cli_credentials_get_password(creds);
machine_domain = cli_credentials_get_domain(creds);
/* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the ipc creds. */
(*cli)->use_kerberos = False;
DEBUG(5, ("connecting to %s from %s using NTLMSSP with username "
"[%s]\\[%s]\n", controller, lp_netbios_name(),
machine_domain, machine_account));
result = cli_session_setup(*cli,
machine_account,
machine_password,
strlen(machine_password)+1,
machine_password,
strlen(machine_password)+1,
machine_domain);
if (NT_STATUS_IS_OK(result)) {
goto session_setup_done;
}
/*
* If we are not going to validiate the conneciton
* with SMB signing, then allow us to fall back to
* anonymous
*/
if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
|| NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
|| NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
|| NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
|| NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
{
goto anon_fallback;
}
DEBUG(4, ("authenticated session setup failed with %s\n",
nt_errstr(result)));
goto done;
anon_fallback:
if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
goto done;
}
/* Fall back to anonymous connection, this might fail later */
DEBUG(10,("cm_prepare_connection: falling back to anonymous "
"connection for DC %s\n",
controller ));
(*cli)->use_kerberos = False;
result = cli_session_setup(*cli, "", "", 0, "", 0, "");
if (NT_STATUS_IS_OK(result)) {
DEBUG(5, ("Connected anonymously\n"));
goto session_setup_done;
}
/* We can't session setup */
goto done;
session_setup_done:
/*
* This should be a short term hack until
* dynamic re-authentication is implemented.
*
* See Bug 9175 - winbindd doesn't recover from
* NT_STATUS_NETWORK_SESSION_EXPIRED
*/
if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
smbXcli_session_set_disconnect_expired((*cli)->smb2.session);
}
result = cli_tree_connect(*cli, "IPC$", "IPC", "", 0);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
goto done;
}
/* cache the server name for later connections */
saf_store(domain->name, controller);
if (domain->alt_name && (*cli)->use_kerberos) {
saf_store(domain->alt_name, controller);
}
winbindd_set_locator_kdc_envs(domain);
TALLOC_FREE(mutex);
*retry = False;
result = NT_STATUS_OK;
done:
TALLOC_FREE(mutex);
if (!NT_STATUS_IS_OK(result)) {
winbind_add_failed_connection_entry(domain, controller, result);
if ((*cli) != NULL) {
cli_shutdown(*cli);
*cli = NULL;
}
}
return result;
}
/*******************************************************************
Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
array.
Keeps the list unique by not adding duplicate entries.
@param[in] mem_ctx talloc memory context to allocate from
@param[in] domain_name domain of the DC
@param[in] dcname name of the DC to add to the list
@param[in] pss Internet address and port pair to add to the list
@param[in,out] dcs array of dc_name_ip structures to add to
@param[in,out] num_dcs number of dcs returned in the dcs array
@return true if the list was added to, false otherwise
*******************************************************************/
static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
const char *dcname, struct sockaddr_storage *pss,
struct dc_name_ip **dcs, int *num)
{
int i = 0;
if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
return False;
}
/* Make sure there's no duplicates in the list */
for (i=0; i<*num; i++)
if (sockaddr_equal(
(struct sockaddr *)(void *)&(*dcs)[i].ss,
(struct sockaddr *)(void *)pss))
return False;
*dcs = talloc_realloc(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
if (*dcs == NULL)
return False;
fstrcpy((*dcs)[*num].name, dcname);
(*dcs)[*num].ss = *pss;
*num += 1;
return True;
}
static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
struct sockaddr_storage *pss, uint16 port,
struct sockaddr_storage **addrs, int *num)
{
*addrs = talloc_realloc(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
if (*addrs == NULL) {
*num = 0;
return False;
}
(*addrs)[*num] = *pss;
set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
*num += 1;
return True;
}
/*******************************************************************
convert an ip to a name
*******************************************************************/
static bool dcip_to_name(TALLOC_CTX *mem_ctx,
const struct winbindd_domain *domain,
struct sockaddr_storage *pss,
char **name)
{
struct ip_service ip_list;
uint32_t nt_version = NETLOGON_NT_VERSION_1;
NTSTATUS status;
const char *dc_name;
fstring nbtname;
#ifdef HAVE_ADS
bool is_ad_domain = false;
#endif
ip_list.ss = *pss;
ip_list.port = 0;
#ifdef HAVE_ADS
/* For active directory servers, try to get the ldap server name.
None of these failures should be considered critical for now */
if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
is_ad_domain = true;
} else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
is_ad_domain = domain->active_directory;
}
if (is_ad_domain) {
ADS_STRUCT *ads;
ADS_STATUS ads_status;
char addr[INET6_ADDRSTRLEN];
print_sockaddr(addr, sizeof(addr), pss);
ads = ads_init(domain->alt_name, domain->name, addr);
ads->auth.flags |= ADS_AUTH_NO_BIND;
ads_status = ads_connect(ads);
if (ADS_ERR_OK(ads_status)) {
/* We got a cldap packet. */
*name = talloc_strdup(mem_ctx,
ads->config.ldap_server_name);
if (*name == NULL) {
return false;
}
namecache_store(*name, 0x20, 1, &ip_list);
DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
if (ads_closest_dc(ads)) {
char *sitename = sitename_fetch(mem_ctx, ads->config.realm);
/* We're going to use this KDC for this realm/domain.
If we are using sites, then force the krb5 libs
to use this KDC. */
create_local_private_krb5_conf_for_domain(domain->alt_name,
domain->name,
sitename,
pss);
TALLOC_FREE(sitename);
} else {
/* use an off site KDC */
create_local_private_krb5_conf_for_domain(domain->alt_name,
domain->name,
NULL,
pss);
}
winbindd_set_locator_kdc_envs(domain);
/* Ensure we contact this DC also. */
saf_store(domain->name, *name);
saf_store(domain->alt_name, *name);
}
ads_destroy( &ads );
return True;
}
ads_destroy( &ads );
return false;
}
#endif
status = nbt_getdc(winbind_messaging_context(), 10, pss, domain->name,
&domain->sid, nt_version, mem_ctx, &nt_version,
&dc_name, NULL);
if (NT_STATUS_IS_OK(status)) {
*name = talloc_strdup(mem_ctx, dc_name);
if (*name == NULL) {
return false;
}
namecache_store(*name, 0x20, 1, &ip_list);
return True;
}
/* try node status request */
if (name_status_find(domain->name, 0x1c, 0x20, pss, nbtname) ) {
namecache_store(nbtname, 0x20, 1, &ip_list);
if (name != NULL) {
*name = talloc_strdup(mem_ctx, nbtname);
if (*name == NULL) {
return false;
}
}
return true;
}
return False;
}
/*******************************************************************
Retrieve a list of IP addresses for domain controllers.
The array is sorted in the preferred connection order.
@param[in] mem_ctx talloc memory context to allocate from
@param[in] domain domain to retrieve DCs for
@param[out] dcs array of dcs that will be returned
@param[out] num_dcs number of dcs returned in the dcs array
@return always true
*******************************************************************/
static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
struct dc_name_ip **dcs, int *num_dcs)
{
fstring dcname;
struct sockaddr_storage ss;
struct ip_service *ip_list = NULL;
int iplist_size = 0;
int i;
bool is_our_domain;
enum security_types sec = (enum security_types)lp_security();
is_our_domain = strequal(domain->name, lp_workgroup());
/* If not our domain, get the preferred DC, by asking our primary DC */
if ( !is_our_domain
&& get_dc_name_via_netlogon(domain, dcname, &ss)
&& add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
num_dcs) )
{
char addr[INET6_ADDRSTRLEN];
print_sockaddr(addr, sizeof(addr), &ss);
DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
dcname, addr));
return True;
}
if ((sec == SEC_ADS) && (domain->alt_name != NULL)) {
char *sitename = NULL;
/* We need to make sure we know the local site before
doing any DNS queries, as this will restrict the
get_sorted_dc_list() call below to only fetching
DNS records for the correct site. */
/* Find any DC to get the site record.
We deliberately don't care about the
return here. */
get_dc_name(domain->name, domain->alt_name, dcname, &ss);
sitename = sitename_fetch(mem_ctx, domain->alt_name);
if (sitename) {
/* Do the site-specific AD dns lookup first. */
get_sorted_dc_list(domain->alt_name, sitename, &ip_list,
&iplist_size, True);
/* Add ips to the DC array. We don't look up the name
of the DC in this function, but we fill in the char*
of the ip now to make the failed connection cache
work */
for ( i=0; iname,
addr,
&ip_list[i].ss,
dcs,
num_dcs);
}
SAFE_FREE(ip_list);
TALLOC_FREE(sitename);
iplist_size = 0;
}
/* Now we add DCs from the main AD DNS lookup. */
get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
&iplist_size, True);
for ( i=0; iname,
addr,
&ip_list[i].ss,
dcs,
num_dcs);
}
SAFE_FREE(ip_list);
iplist_size = 0;
}
/* Try standard netbios queries if no ADS and fall back to DNS queries
* if alt_name is available */
if (*num_dcs == 0) {
get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size,
false);
if (iplist_size == 0) {
if (domain->alt_name != NULL) {
get_sorted_dc_list(domain->alt_name, NULL, &ip_list,
&iplist_size, true);
}
}
for ( i=0; iname,
addr,
&ip_list[i].ss,
dcs,
num_dcs);
}
SAFE_FREE(ip_list);
iplist_size = 0;
}
return True;
}
/*******************************************************************
Find and make a connection to a DC in the given domain.
@param[in] mem_ctx talloc memory context to allocate from
@param[in] domain domain to find a dc in
@param[out] dcname NetBIOS or FQDN of DC that's connected to
@param[out] pss DC Internet address and port
@param[out] fd fd of the open socket connected to the newly found dc
@return true when a DC connection is made, false otherwise
*******************************************************************/
static bool find_new_dc(TALLOC_CTX *mem_ctx,
struct winbindd_domain *domain,
char **dcname, struct sockaddr_storage *pss, int *fd)
{
struct dc_name_ip *dcs = NULL;
int num_dcs = 0;
const char **dcnames = NULL;
size_t num_dcnames = 0;
struct sockaddr_storage *addrs = NULL;
int num_addrs = 0;
int i;
size_t fd_index;
NTSTATUS status;
*fd = -1;
again:
if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0))
return False;
for (i=0; iname, ab, nt_errstr(status) ));
winbind_add_failed_connection_entry(domain,
dcs[i].name, NT_STATUS_UNSUCCESSFUL);
}
return False;
}
*pss = addrs[fd_index];
if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
/* Ok, we've got a name for the DC */
*dcname = talloc_strdup(mem_ctx, dcnames[fd_index]);
if (*dcname == NULL) {
return false;
}
return true;
}
/* Try to figure out the name */
if (dcip_to_name(mem_ctx, domain, pss, dcname)) {
return True;
}
/* We can not continue without the DC's name */
winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
NT_STATUS_UNSUCCESSFUL);
/* Throw away all arrays as we're doing this again. */
TALLOC_FREE(dcs);
num_dcs = 0;
TALLOC_FREE(dcnames);
num_dcnames = 0;
TALLOC_FREE(addrs);
num_addrs = 0;
close(*fd);
*fd = -1;
goto again;
}
static char *current_dc_key(TALLOC_CTX *mem_ctx, const char *domain_name)
{
return talloc_asprintf_strupper_m(mem_ctx, "CURRENT_DCNAME/%s",
domain_name);
}
static void store_current_dc_in_gencache(const char *domain_name,
const char *dc_name,
struct cli_state *cli)
{
char addr[INET6_ADDRSTRLEN];
char *key = NULL;
char *value = NULL;
if (!cli_state_is_connected(cli)) {
return;
}
print_sockaddr(addr, sizeof(addr),
smbXcli_conn_remote_sockaddr(cli->conn));
key = current_dc_key(talloc_tos(), domain_name);
if (key == NULL) {
goto done;
}
value = talloc_asprintf(talloc_tos(), "%s %s", addr, dc_name);
if (value == NULL) {
goto done;
}
gencache_set(key, value, 0x7fffffff);
done:
TALLOC_FREE(value);
TALLOC_FREE(key);
}
bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx,
const char *domain_name,
char **p_dc_name, char **p_dc_ip)
{
char *key, *p;
char *value = NULL;
bool ret = false;
char *dc_name = NULL;
char *dc_ip = NULL;
key = current_dc_key(talloc_tos(), domain_name);
if (key == NULL) {
goto done;
}
if (!gencache_get(key, mem_ctx, &value, NULL)) {
goto done;
}
p = strchr(value, ' ');
if (p == NULL) {
goto done;
}
dc_ip = talloc_strndup(mem_ctx, value, p - value);
if (dc_ip == NULL) {
goto done;
}
dc_name = talloc_strdup(mem_ctx, p+1);
if (dc_name == NULL) {
goto done;
}
if (p_dc_ip != NULL) {
*p_dc_ip = dc_ip;
dc_ip = NULL;
}
if (p_dc_name != NULL) {
*p_dc_name = dc_name;
dc_name = NULL;
}
ret = true;
done:
TALLOC_FREE(dc_name);
TALLOC_FREE(dc_ip);
TALLOC_FREE(key);
TALLOC_FREE(value);
return ret;
}
NTSTATUS wb_open_internal_pipe(TALLOC_CTX *mem_ctx,
const struct ndr_interface_table *table,
struct rpc_pipe_client **ret_pipe)
{
struct rpc_pipe_client *cli = NULL;
const struct auth_session_info *session_info;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
session_info = get_session_info_system();
SMB_ASSERT(session_info != NULL);
/* create a connection to the specified pipe */
if (lp_parm_bool(-1, "winbindd", "use external pipes", false)) {
status = rpc_pipe_open_interface(mem_ctx,
table,
session_info,
NULL,
winbind_messaging_context(),
&cli);
} else {
status = rpc_pipe_open_internal(mem_ctx,
&table->syntax_id,
session_info,
NULL,
winbind_messaging_context(),
&cli);
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("open_internal_pipe: Could not connect to %s pipe: %s\n",
table->name, nt_errstr(status)));
return status;
}
if (ret_pipe) {
*ret_pipe = cli;
}
return NT_STATUS_OK;
}
static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
struct winbindd_cm_conn *new_conn)
{
TALLOC_CTX *mem_ctx;
NTSTATUS result;
char *saf_servername;
int retries;
if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
set_domain_offline(domain);
return NT_STATUS_NO_MEMORY;
}
saf_servername = saf_fetch(mem_ctx, domain->name );
/* we have to check the server affinity cache here since
later we select a DC based on response time and not preference */
/* Check the negative connection cache
before talking to it. It going down may have
triggered the reconnection. */
if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) {
DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n",
saf_servername, domain->name ));
/* convert an ip address to a name */
if (is_ipaddress( saf_servername ) ) {
char *dcname = NULL;
struct sockaddr_storage ss;
if (!interpret_string_addr(&ss, saf_servername,
AI_NUMERICHOST)) {
TALLOC_FREE(mem_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
if (dcip_to_name(mem_ctx, domain, &ss, &dcname)) {
domain->dcname = talloc_strdup(domain,
dcname);
if (domain->dcname == NULL) {
TALLOC_FREE(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
} else {
winbind_add_failed_connection_entry(
domain, saf_servername,
NT_STATUS_UNSUCCESSFUL);
}
} else {
domain->dcname = talloc_strdup(domain, saf_servername);
if (domain->dcname == NULL) {
TALLOC_FREE(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
}
}
for (retries = 0; retries < 3; retries++) {
int fd = -1;
bool retry = False;
char *dcname = NULL;
result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n",
domain->dcname ? domain->dcname : "", domain->name ));
if (domain->dcname != NULL
&& NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname))
&& (resolve_name(domain->dcname, &domain->dcaddr, 0x20, true)))
{
NTSTATUS status;
status = smbsock_connect(&domain->dcaddr, 0,
NULL, -1, NULL, -1,
&fd, NULL, 10);
if (!NT_STATUS_IS_OK(status)) {
fd = -1;
}
}
if ((fd == -1) &&
!find_new_dc(mem_ctx, domain, &dcname, &domain->dcaddr, &fd))
{
/* This is the one place where we will
set the global winbindd offline state
to true, if a "WINBINDD_OFFLINE" entry
is found in the winbindd cache. */
set_global_winbindd_state_offline();
break;
}
if (dcname != NULL) {
talloc_free(domain->dcname);
domain->dcname = talloc_move(domain, &dcname);
if (domain->dcname == NULL) {
result = NT_STATUS_NO_MEMORY;
break;
}
}
new_conn->cli = NULL;
result = cm_prepare_connection(domain, fd, domain->dcname,
&new_conn->cli, &retry);
if (!NT_STATUS_IS_OK(result)) {
/* Don't leak the smb connection socket */
close(fd);
}
if (!retry)
break;
}
if (NT_STATUS_IS_OK(result)) {
bool seal_pipes = true;
winbindd_set_locator_kdc_envs(domain);
if (domain->online == False) {
/* We're changing state from offline to online. */
set_global_winbindd_state_online();
}
set_domain_online(domain);
/*
* Much as I hate global state, this seems to be the point
* where we can be certain that we have a proper connection to
* a DC. wbinfo --dc-info needs that information, store it in
* gencache with a looong timeout. This will need revisiting
* once we start to connect to multiple DCs, wbcDcInfo is
* already prepared for that.
*/
store_current_dc_in_gencache(domain->name, domain->dcname,
new_conn->cli);
seal_pipes = lp_winbind_sealed_pipes();
seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
domain->name,
seal_pipes);
if (seal_pipes) {
new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
} else {
new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
}
} else {
/* Ensure we setup the retry handler. */
set_domain_offline(domain);
}
talloc_destroy(mem_ctx);
return result;
}
/* Close down all open pipes on a connection. */
void invalidate_cm_connection(struct winbindd_domain *domain)
{
NTSTATUS result;
struct winbindd_cm_conn *conn = &domain->conn;
/* We're closing down a possibly dead
connection. Don't have impossibly long (10s) timeouts. */
if (conn->cli) {
cli_set_timeout(conn->cli, 1000); /* 1 second. */
}
if (conn->samr_pipe != NULL) {
if (is_valid_policy_hnd(&conn->sam_connect_handle)) {
dcerpc_samr_Close(conn->samr_pipe->binding_handle,
talloc_tos(),
&conn->sam_connect_handle,
&result);
}
TALLOC_FREE(conn->samr_pipe);
/* Ok, it must be dead. Drop timeout to 0.5 sec. */
if (conn->cli) {
cli_set_timeout(conn->cli, 500);
}
}
if (conn->lsa_pipe != NULL) {
if (is_valid_policy_hnd(&conn->lsa_policy)) {
dcerpc_lsa_Close(conn->lsa_pipe->binding_handle,
talloc_tos(),
&conn->lsa_policy,
&result);
}
TALLOC_FREE(conn->lsa_pipe);
/* Ok, it must be dead. Drop timeout to 0.5 sec. */
if (conn->cli) {
cli_set_timeout(conn->cli, 500);
}
}
if (conn->lsa_pipe_tcp != NULL) {
if (is_valid_policy_hnd(&conn->lsa_policy)) {
dcerpc_lsa_Close(conn->lsa_pipe_tcp->binding_handle,
talloc_tos(),
&conn->lsa_policy,
&result);
}
TALLOC_FREE(conn->lsa_pipe_tcp);
/* Ok, it must be dead. Drop timeout to 0.5 sec. */
if (conn->cli) {
cli_set_timeout(conn->cli, 500);
}
}
if (conn->netlogon_pipe != NULL) {
TALLOC_FREE(conn->netlogon_pipe);
/* Ok, it must be dead. Drop timeout to 0.5 sec. */
if (conn->cli) {
cli_set_timeout(conn->cli, 500);
}
}
conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
conn->netlogon_force_reauth = false;
conn->netlogon_flags = 0;
TALLOC_FREE(conn->netlogon_creds);
if (conn->cli) {
cli_shutdown(conn->cli);
}
conn->cli = NULL;
}
void close_conns_after_fork(void)
{
struct winbindd_domain *domain;
struct winbindd_cli_state *cli_state;
for (domain = domain_list(); domain; domain = domain->next) {
/*
* first close the low level SMB TCP connection
* so that we don't generate any SMBclose
* requests in invalidate_cm_connection()
*/
if (cli_state_is_connected(domain->conn.cli)) {
smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
}
invalidate_cm_connection(domain);
}
for (cli_state = winbindd_client_list();
cli_state != NULL;
cli_state = cli_state->next) {
if (cli_state->sock >= 0) {
close(cli_state->sock);
cli_state->sock = -1;
}
}
}
static bool connection_ok(struct winbindd_domain *domain)
{
bool ok;
ok = cli_state_is_connected(domain->conn.cli);
if (!ok) {
DEBUG(3, ("connection_ok: Connection to %s for domain %s is not connected\n",
domain->dcname, domain->name));
return False;
}
if (domain->online == False) {
DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
return False;
}
return True;
}
/* Initialize a new connection up to the RPC BIND.
Bypass online status check so always does network calls. */
static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc)
{
NTSTATUS result;
bool skip_connection = domain->internal;
if (need_rw_dc && domain->rodc) {
skip_connection = false;
}
/* Internal connections never use the network. */
if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
/* Still ask the internal LSA and SAMR server about the local domain */
if (skip_connection || connection_ok(domain)) {
if (!domain->initialized) {
set_dc_type_and_flags(domain);
}
return NT_STATUS_OK;
}
invalidate_cm_connection(domain);
if (!domain->primary && !domain->initialized) {
/*
* Before we connect to a trust, work out if it is an
* AD domain by asking our own domain.
*/
set_dc_type_and_flags_trustinfo(domain);
}
result = cm_open_connection(domain, &domain->conn);
if (NT_STATUS_IS_OK(result) && !domain->initialized) {
set_dc_type_and_flags(domain);
}
return result;
}
NTSTATUS init_dc_connection(struct winbindd_domain *domain, bool need_rw_dc)
{
if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
if (domain->initialized && !domain->online) {
/* We check for online status elsewhere. */
return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
}
return init_dc_connection_network(domain, need_rw_dc);
}
static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain, bool need_rw_dc)
{
NTSTATUS status;
status = init_dc_connection(domain, need_rw_dc);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (!domain->internal && domain->conn.cli == NULL) {
/* happens for trusted domains without inbound trust */
return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
}
return NT_STATUS_OK;
}
/******************************************************************************
Set the trust flags (direction and forest location) for a domain
******************************************************************************/
static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
{
struct winbindd_domain *our_domain;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
WERROR werr;
struct netr_DomainTrustList trusts;
int i;
uint32 flags = (NETR_TRUST_FLAG_IN_FOREST |
NETR_TRUST_FLAG_OUTBOUND |
NETR_TRUST_FLAG_INBOUND);
struct rpc_pipe_client *cli;
TALLOC_CTX *mem_ctx = NULL;
struct dcerpc_binding_handle *b;
DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
/* Our primary domain doesn't need to worry about trust flags.
Force it to go through the network setup */
if ( domain->primary ) {
return False;
}
mem_ctx = talloc_stackframe();
our_domain = find_our_domain();
if (our_domain->internal) {
result = init_dc_connection(our_domain, false);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3,("set_dc_type_and_flags_trustinfo: "
"Not able to make a connection to our domain: %s\n",
nt_errstr(result)));
TALLOC_FREE(mem_ctx);
return false;
}
}
/* This won't work unless our domain is AD */
if ( !our_domain->active_directory ) {
TALLOC_FREE(mem_ctx);
return False;
}
if (our_domain->internal) {
result = wb_open_internal_pipe(mem_ctx, &ndr_table_netlogon, &cli);
} else if (!connection_ok(our_domain)) {
DEBUG(3,("set_dc_type_and_flags_trustinfo: "
"No connection to our domain!\n"));
TALLOC_FREE(mem_ctx);
return False;
} else {
result = cm_connect_netlogon(our_domain, &cli);
}
if (!NT_STATUS_IS_OK(result)) {
DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
"a connection to %s for PIPE_NETLOGON (%s)\n",
domain->name, nt_errstr(result)));
TALLOC_FREE(mem_ctx);
return False;
}
b = cli->binding_handle;
/* Use DsEnumerateDomainTrusts to get us the trust direction and type. */
result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
cli->desthost,
flags,
&trusts,
&werr);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0,("set_dc_type_and_flags_trustinfo: "
"failed to query trusted domain list: %s\n",
nt_errstr(result)));
TALLOC_FREE(mem_ctx);
return false;
}
if (!W_ERROR_IS_OK(werr)) {
DEBUG(0,("set_dc_type_and_flags_trustinfo: "
"failed to query trusted domain list: %s\n",
win_errstr(werr)));
TALLOC_FREE(mem_ctx);
return false;
}
/* Now find the domain name and get the flags */
for ( i=0; iname, trusts.array[i].netbios_name) ) {
domain->domain_flags = trusts.array[i].trust_flags;
domain->domain_type = trusts.array[i].trust_type;
domain->domain_trust_attribs = trusts.array[i].trust_attributes;
if ( domain->domain_type == LSA_TRUST_TYPE_UPLEVEL )
domain->active_directory = True;
/* This flag is only set if the domain is *our*
primary domain and the primary domain is in
native mode */
domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
"native mode.\n", domain->name,
domain->native_mode ? "" : "NOT "));
DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
"running active directory.\n", domain->name,
domain->active_directory ? "" : "NOT "));
domain->can_do_ncacn_ip_tcp = domain->active_directory;
domain->initialized = True;
break;
}
}
TALLOC_FREE(mem_ctx);
return domain->initialized;
}
/******************************************************************************
We can 'sense' certain things about the DC by it's replies to certain
questions.
This tells us if this particular remote server is Active Directory, and if it
is native mode.
******************************************************************************/
static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
{
NTSTATUS status, result;
WERROR werr;
TALLOC_CTX *mem_ctx = NULL;
struct rpc_pipe_client *cli = NULL;
struct policy_handle pol;
union dssetup_DsRoleInfo info;
union lsa_PolicyInformation *lsa_info = NULL;
if (!domain->internal && !connection_ok(domain)) {
return;
}
mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
domain->name);
if (!mem_ctx) {
DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
return;
}
DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
if (domain->internal) {
status = wb_open_internal_pipe(mem_ctx,
&ndr_table_dssetup,
&cli);
} else {
status = cli_rpc_pipe_open_noauth(domain->conn.cli,
&ndr_table_dssetup,
&cli);
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
"PI_DSSETUP on domain %s: (%s)\n",
domain->name, nt_errstr(status)));
/* if this is just a non-AD domain we need to continue
* identifying so that we can in the end return with
* domain->initialized = True - gd */
goto no_dssetup;
}
status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx,
DS_ROLE_BASIC_INFORMATION,
&info,
&werr);
TALLOC_FREE(cli);
if (NT_STATUS_IS_OK(status)) {
result = werror_to_ntstatus(werr);
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
"on domain %s failed: (%s)\n",
domain->name, nt_errstr(status)));
/* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
* every opcode on the DSSETUP pipe, continue with
* no_dssetup mode here as well to get domain->initialized
* set - gd */
if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
goto no_dssetup;
}
TALLOC_FREE(mem_ctx);
return;
}
if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
!(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
domain->native_mode = True;
} else {
domain->native_mode = False;
}
no_dssetup:
if (domain->internal) {
status = wb_open_internal_pipe(mem_ctx,
&ndr_table_lsarpc,
&cli);
} else {
status = cli_rpc_pipe_open_noauth(domain->conn.cli,
&ndr_table_lsarpc, &cli);
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
"PI_LSARPC on domain %s: (%s)\n",
domain->name, nt_errstr(status)));
TALLOC_FREE(cli);
TALLOC_FREE(mem_ctx);
return;
}
status = rpccli_lsa_open_policy2(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED, &pol);
if (NT_STATUS_IS_OK(status)) {
/* This particular query is exactly what Win2k clients use
to determine that the DC is active directory */
status = dcerpc_lsa_QueryInfoPolicy2(cli->binding_handle, mem_ctx,
&pol,
LSA_POLICY_INFO_DNS,
&lsa_info,
&result);
}
if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
domain->active_directory = True;
if (lsa_info->dns.name.string) {
if (!strequal(domain->name, lsa_info->dns.name.string))
{
DEBUG(1, ("set_dc_type_and_flags_connect: DC "
"for domain %s claimed it was a DC "
"for domain %s, refusing to "
"initialize\n",
domain->name,
lsa_info->dns.name.string));
TALLOC_FREE(cli);
TALLOC_FREE(mem_ctx);
return;
}
talloc_free(domain->name);
domain->name = talloc_strdup(domain,
lsa_info->dns.name.string);
if (domain->name == NULL) {
goto done;
}
}
if (lsa_info->dns.dns_domain.string) {
if (domain->alt_name != NULL &&
!strequal(domain->alt_name,
lsa_info->dns.dns_domain.string))
{
DEBUG(1, ("set_dc_type_and_flags_connect: DC "
"for domain %s (%s) claimed it was "
"a DC for domain %s, refusing to "
"initialize\n",
domain->alt_name, domain->name,
lsa_info->dns.dns_domain.string));
TALLOC_FREE(cli);
TALLOC_FREE(mem_ctx);
return;
}
talloc_free(domain->alt_name);
domain->alt_name =
talloc_strdup(domain,
lsa_info->dns.dns_domain.string);
if (domain->alt_name == NULL) {
goto done;
}
}
/* See if we can set some domain trust flags about
ourself */
if (lsa_info->dns.dns_forest.string) {
talloc_free(domain->forest_name);
domain->forest_name =
talloc_strdup(domain,
lsa_info->dns.dns_forest.string);
if (domain->forest_name == NULL) {
goto done;
}
if (strequal(domain->forest_name, domain->alt_name)) {
domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
}
}
if (lsa_info->dns.sid) {
if (!is_null_sid(&domain->sid) &&
!dom_sid_equal(&domain->sid,
lsa_info->dns.sid))
{
DEBUG(1, ("set_dc_type_and_flags_connect: DC "
"for domain %s (%s) claimed it was "
"a DC for domain %s, refusing to "
"initialize\n",
dom_sid_string(talloc_tos(),
&domain->sid),
domain->name,
dom_sid_string(talloc_tos(),
lsa_info->dns.sid)));
TALLOC_FREE(cli);
TALLOC_FREE(mem_ctx);
return;
}
sid_copy(&domain->sid, lsa_info->dns.sid);
}
} else {
domain->active_directory = False;
status = rpccli_lsa_open_policy(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = dcerpc_lsa_QueryInfoPolicy(cli->binding_handle, mem_ctx,
&pol,
LSA_POLICY_INFO_ACCOUNT_DOMAIN,
&lsa_info,
&result);
if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
if (lsa_info->account_domain.name.string) {
if (!strequal(domain->name,
lsa_info->account_domain.name.string))
{
DEBUG(1,
("set_dc_type_and_flags_connect: "
"DC for domain %s claimed it was"
" a DC for domain %s, refusing "
"to initialize\n", domain->name,
lsa_info->
account_domain.name.string));
TALLOC_FREE(cli);
TALLOC_FREE(mem_ctx);
return;
}
talloc_free(domain->name);
domain->name =
talloc_strdup(domain,
lsa_info->account_domain.name.string);
}
if (lsa_info->account_domain.sid) {
if (!is_null_sid(&domain->sid) &&
!dom_sid_equal(&domain->sid,
lsa_info->account_domain.sid))
{
DEBUG(1,
("set_dc_type_and_flags_connect: "
"DC for domain %s (%s) claimed "
"it was a DC for domain %s, "
"refusing to initialize\n",
dom_sid_string(talloc_tos(),
&domain->sid),
domain->name,
dom_sid_string(talloc_tos(),
lsa_info->account_domain.sid)));
TALLOC_FREE(cli);
TALLOC_FREE(mem_ctx);
return;
}
sid_copy(&domain->sid, lsa_info->account_domain.sid);
}
}
}
done:
DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
domain->name, domain->native_mode ? "" : "NOT "));
DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
domain->name, domain->active_directory ? "" : "NOT "));
domain->can_do_ncacn_ip_tcp = domain->active_directory;
TALLOC_FREE(cli);
TALLOC_FREE(mem_ctx);
domain->initialized = True;
}
/**********************************************************************
Set the domain_flags (trust attributes, domain operating modes, etc...
***********************************************************************/
static void set_dc_type_and_flags( struct winbindd_domain *domain )
{
/* we always have to contact our primary domain */
if ( domain->primary || domain->internal) {
DEBUG(10,("set_dc_type_and_flags: setting up flags for "
"primary or internal domain\n"));
set_dc_type_and_flags_connect( domain );
return;
}
/* Use our DC to get the information if possible */
if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
/* Otherwise, fallback to contacting the
domain directly */
set_dc_type_and_flags_connect( domain );
}
return;
}
/**********************************************************************
***********************************************************************/
static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
struct netlogon_creds_cli_context **ppdc)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct rpc_pipe_client *netlogon_pipe;
*ppdc = NULL;
if ((!IS_DC) && (!domain->primary)) {
return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
}
if (domain->conn.netlogon_creds != NULL) {
if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
}
*ppdc = domain->conn.netlogon_creds;
return NT_STATUS_OK;
}
result = cm_connect_netlogon(domain, &netlogon_pipe);
if (!NT_STATUS_IS_OK(result)) {
return result;
}
if (domain->conn.netlogon_creds == NULL) {
return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
}
if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
}
*ppdc = domain->conn.netlogon_creds;
return NT_STATUS_OK;
}
NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
bool need_rw_dc,
struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
{
struct winbindd_cm_conn *conn;
NTSTATUS status, result;
struct netlogon_creds_cli_context *p_creds;
struct cli_credentials *creds = NULL;
if (sid_check_is_our_sam(&domain->sid)) {
if (domain->rodc == false || need_rw_dc == false) {
return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
}
}
status = init_dc_connection_rpc(domain, need_rw_dc);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
conn = &domain->conn;
if (rpccli_is_connected(conn->samr_pipe)) {
goto done;
}
TALLOC_FREE(conn->samr_pipe);
/*
* No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
* sign and sealed pipe using the machine account password by
* preference. If we can't - try schannel, if that fails, try
* anonymous.
*/
result = get_trust_credentials(domain, talloc_tos(), false, &creds);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10, ("cm_connect_sam: No user available for "
"domain %s, trying schannel\n", domain->name));
goto schannel;
}
if (cli_credentials_is_anonymous(creds)) {
goto anonymous;
}
/*
* We have an authenticated connection. Use a SPNEGO
* authenticated SAMR pipe with sign & seal.
*/
status = cli_rpc_pipe_open_with_creds(conn->cli,
&ndr_table_samr,
NCACN_NP,
DCERPC_AUTH_TYPE_SPNEGO,
conn->auth_level,
smbXcli_conn_remote_name(conn->cli->conn),
creds,
&conn->samr_pipe);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
"pipe for domain %s using NTLMSSP "
"authenticated pipe: user %s. Error was "
"%s\n", domain->name,
cli_credentials_get_unparsed_name(creds, talloc_tos()),
nt_errstr(status)));
goto schannel;
}
DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
"domain %s using NTLMSSP authenticated "
"pipe: user %s\n", domain->name,
cli_credentials_get_unparsed_name(creds, talloc_tos())));
status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
conn->samr_pipe->desthost,
SEC_FLAG_MAXIMUM_ALLOWED,
&conn->sam_connect_handle,
&result);
if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
goto open_domain;
}
if (NT_STATUS_IS_OK(status)) {
status = result;
}
DEBUG(10,("cm_connect_sam: ntlmssp-sealed dcerpc_samr_Connect2 "
"failed for domain %s, error was %s. Trying schannel\n",
domain->name, nt_errstr(status) ));
TALLOC_FREE(conn->samr_pipe);
schannel:
/* Fall back to schannel if it's a W2K pre-SP1 box. */
status = cm_get_schannel_creds(domain, &p_creds);
if (!NT_STATUS_IS_OK(status)) {
/* If this call fails - conn->cli can now be NULL ! */
DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
"for domain %s (error %s), trying anon\n",
domain->name,
nt_errstr(status) ));
goto anonymous;
}
TALLOC_FREE(creds);
result = get_trust_credentials(domain, talloc_tos(), true, &creds);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10, ("cm_connect_sam: No user available for "
"domain %s (error %s), trying anon\n", domain->name,
nt_errstr(result)));
goto anonymous;
}
status = cli_rpc_pipe_open_schannel_with_creds
(conn->cli, &ndr_table_samr, NCACN_NP,
creds, p_creds, &conn->samr_pipe);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
"domain %s using schannel. Error was %s\n",
domain->name, nt_errstr(status) ));
goto anonymous;
}
DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
"schannel.\n", domain->name ));
status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
conn->samr_pipe->desthost,
SEC_FLAG_MAXIMUM_ALLOWED,
&conn->sam_connect_handle,
&result);
if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
goto open_domain;
}
if (NT_STATUS_IS_OK(status)) {
status = result;
}
DEBUG(10,("cm_connect_sam: schannel-sealed dcerpc_samr_Connect2 failed "
"for domain %s, error was %s. Trying anonymous\n",
domain->name, nt_errstr(status) ));
TALLOC_FREE(conn->samr_pipe);
anonymous:
/* Finally fall back to anonymous. */
if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
status = NT_STATUS_DOWNGRADE_DETECTED;
DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
"without connection level security, "
"must set 'winbind sealed pipes = false' and "
"'require strong key = false' to proceed: %s\n",
domain->name, nt_errstr(status)));
goto done;
}
status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
&conn->samr_pipe);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
conn->samr_pipe->desthost,
SEC_FLAG_MAXIMUM_ALLOWED,
&conn->sam_connect_handle,
&result);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
"for domain %s Error was %s\n",
domain->name, nt_errstr(status) ));
goto done;
}
if (!NT_STATUS_IS_OK(result)) {
status = result;
DEBUG(10,("cm_connect_sam: dcerpc_samr_Connect2 failed "
"for domain %s Error was %s\n",
domain->name, nt_errstr(result)));
goto done;
}
open_domain:
status = dcerpc_samr_OpenDomain(conn->samr_pipe->binding_handle,
mem_ctx,
&conn->sam_connect_handle,
SEC_FLAG_MAXIMUM_ALLOWED,
&domain->sid,
&conn->sam_domain_handle,
&result);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = result;
done:
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
/*
* if we got access denied, we might just have no access rights
* to talk to the remote samr server server (e.g. when we are a
* PDC and we are connecting a w2k8 pdc via an interdomain
* trust). In that case do not invalidate the whole connection
* stack
*/
TALLOC_FREE(conn->samr_pipe);
ZERO_STRUCT(conn->sam_domain_handle);
return status;
} else if (!NT_STATUS_IS_OK(status)) {
invalidate_cm_connection(domain);
return status;
}
*cli = conn->samr_pipe;
*sam_handle = conn->sam_domain_handle;
return status;
}
/**********************************************************************
open an schanneld ncacn_ip_tcp connection to LSA
***********************************************************************/
static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
struct rpc_pipe_client **cli)
{
struct winbindd_cm_conn *conn;
struct netlogon_creds_cli_context *p_creds = NULL;
struct cli_credentials *creds = NULL;
NTSTATUS status;
DEBUG(10,("cm_connect_lsa_tcp\n"));
status = init_dc_connection_rpc(domain, false);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
conn = &domain->conn;
if (conn->lsa_pipe_tcp &&
conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
rpccli_is_connected(conn->lsa_pipe_tcp)) {
goto done;
}
TALLOC_FREE(conn->lsa_pipe_tcp);
status = cm_get_schannel_creds(domain, &p_creds);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = get_trust_credentials(domain, talloc_tos(), true, &creds);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = cli_rpc_pipe_open_schannel_with_creds(conn->cli,
&ndr_table_lsarpc,
NCACN_IP_TCP,
creds,
p_creds,
&conn->lsa_pipe_tcp);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
nt_errstr(status)));
goto done;
}
done:
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(conn->lsa_pipe_tcp);
return status;
}
*cli = conn->lsa_pipe_tcp;
return status;
}
NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
{
struct winbindd_cm_conn *conn;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct netlogon_creds_cli_context *p_creds;
struct cli_credentials *creds = NULL;
result = init_dc_connection_rpc(domain, false);
if (!NT_STATUS_IS_OK(result))
return result;
conn = &domain->conn;
if (rpccli_is_connected(conn->lsa_pipe)) {
goto done;
}
TALLOC_FREE(conn->lsa_pipe);
result = get_trust_credentials(domain, talloc_tos(), false, &creds);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10, ("cm_connect_lsa: No user available for "
"domain %s, trying schannel\n", domain->name));
goto schannel;
}
if (cli_credentials_is_anonymous(creds)) {
goto anonymous;
}
/*
* We have an authenticated connection. Use a SPNEGO
* authenticated LSA pipe with sign & seal.
*/
result = cli_rpc_pipe_open_with_creds
(conn->cli, &ndr_table_lsarpc, NCACN_NP,
DCERPC_AUTH_TYPE_SPNEGO,
conn->auth_level,
smbXcli_conn_remote_name(conn->cli->conn),
creds,
&conn->lsa_pipe);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
"domain %s using NTLMSSP authenticated pipe: user "
"%s. Error was %s. Trying schannel.\n",
domain->name,
cli_credentials_get_unparsed_name(creds, talloc_tos()),
nt_errstr(result)));
goto schannel;
}
DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
"NTLMSSP authenticated pipe: user %s\n",
domain->name, cli_credentials_get_unparsed_name(creds, talloc_tos())));
result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&conn->lsa_policy);
if (NT_STATUS_IS_OK(result)) {
goto done;
}
DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
"schannel\n"));
TALLOC_FREE(conn->lsa_pipe);
schannel:
/* Fall back to schannel if it's a W2K pre-SP1 box. */
result = cm_get_schannel_creds(domain, &p_creds);
if (!NT_STATUS_IS_OK(result)) {
/* If this call fails - conn->cli can now be NULL ! */
DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
"for domain %s (error %s), trying anon\n",
domain->name,
nt_errstr(result) ));
goto anonymous;
}
TALLOC_FREE(creds);
result = get_trust_credentials(domain, talloc_tos(), true, &creds);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10, ("cm_connect_lsa: No user available for "
"domain %s (error %s), trying anon\n", domain->name,
nt_errstr(result)));
goto anonymous;
}
result = cli_rpc_pipe_open_schannel_with_creds
(conn->cli, &ndr_table_lsarpc, NCACN_NP,
creds, p_creds, &conn->lsa_pipe);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
"domain %s using schannel. Error was %s\n",
domain->name, nt_errstr(result) ));
goto anonymous;
}
DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
"schannel.\n", domain->name ));
result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&conn->lsa_policy);
if (NT_STATUS_IS_OK(result)) {
goto done;
}
DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
"anonymous\n"));
TALLOC_FREE(conn->lsa_pipe);
anonymous:
if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
result = NT_STATUS_DOWNGRADE_DETECTED;
DEBUG(1, ("Unwilling to make LSA connection to domain %s"
"without connection level security, "
"must set 'winbind sealed pipes = false' and "
"'require strong key = false' to proceed: %s\n",
domain->name, nt_errstr(result)));
goto done;
}
result = cli_rpc_pipe_open_noauth(conn->cli,
&ndr_table_lsarpc,
&conn->lsa_pipe);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&conn->lsa_policy);
done:
if (!NT_STATUS_IS_OK(result)) {
invalidate_cm_connection(domain);
return result;
}
*cli = conn->lsa_pipe;
*lsa_policy = conn->lsa_policy;
return result;
}
/****************************************************************************
Open a LSA connection to a DC, suiteable for LSA lookup calls.
****************************************************************************/
NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
struct rpc_pipe_client **cli,
struct policy_handle *lsa_policy)
{
NTSTATUS status;
if (domain->can_do_ncacn_ip_tcp) {
status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
invalidate_cm_connection(domain);
status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
}
if (NT_STATUS_IS_OK(status)) {
return status;
}
/*
* we tried twice to connect via ncan_ip_tcp and schannel and
* failed - maybe it is a trusted domain we can't connect to ?
* do not try tcp next time - gd
*
* This also prevents NETLOGON over TCP
*/
domain->can_do_ncacn_ip_tcp = false;
}
status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);
return status;
}
/****************************************************************************
Open the netlogon pipe to this DC. Use schannel if specified in client conf.
session key stored in conn->netlogon_pipe->dc->sess_key.
****************************************************************************/
static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
enum dcerpc_transport_t transport,
struct rpc_pipe_client **cli)
{
struct messaging_context *msg_ctx = winbind_messaging_context();
struct winbindd_cm_conn *conn;
NTSTATUS result;
enum netr_SchannelType sec_chan_type;
struct netlogon_creds_CredentialState *netlogon_creds = NULL;
struct cli_credentials *creds = NULL;
*cli = NULL;
result = init_dc_connection_rpc(domain, domain->rodc);
if (!NT_STATUS_IS_OK(result)) {
return result;
}
conn = &domain->conn;
if (rpccli_is_connected(conn->netlogon_pipe)) {
*cli = conn->netlogon_pipe;
return NT_STATUS_OK;
}
TALLOC_FREE(conn->netlogon_pipe);
conn->netlogon_flags = 0;
TALLOC_FREE(conn->netlogon_creds);
result = get_trust_credentials(domain, talloc_tos(), true, &creds);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10, ("cm_connect_sam: No user available for "
"domain %s when trying schannel\n", domain->name));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
if (cli_credentials_is_anonymous(creds)) {
DEBUG(1, ("get_trust_credential only gave anonymous for %s, unable to make get NETLOGON credentials\n",
domain->name));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
sec_chan_type = cli_credentials_get_secure_channel_type(creds);
if (sec_chan_type == SEC_CHAN_NULL) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
goto no_schannel;
}
result = rpccli_create_netlogon_creds_with_creds(creds,
domain->dcname,
msg_ctx,
domain,
&conn->netlogon_creds);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(1, ("rpccli_create_netlogon_creds failed for %s, "
"unable to create NETLOGON credentials: %s\n",
domain->name, nt_errstr(result)));
return result;
}
result = rpccli_setup_netlogon_creds_with_creds(conn->cli, transport,
conn->netlogon_creds,
conn->netlogon_force_reauth,
creds);
conn->netlogon_force_reauth = false;
if (!NT_STATUS_IS_OK(result)) {
DEBUG(1, ("rpccli_setup_netlogon_creds failed for %s, "
"unable to setup NETLOGON credentials: %s\n",
domain->name, nt_errstr(result)));
return result;
}
result = netlogon_creds_cli_get(conn->netlogon_creds,
talloc_tos(),
&netlogon_creds);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(1, ("netlogon_creds_cli_get failed for %s, "
"unable to get NETLOGON credentials: %s\n",
domain->name, nt_errstr(result)));
return result;
}
conn->netlogon_flags = netlogon_creds->negotiate_flags;
TALLOC_FREE(netlogon_creds);
no_schannel:
if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
result = NT_STATUS_DOWNGRADE_DETECTED;
DEBUG(1, ("Unwilling to make connection to domain %s"
"without connection level security, "
"must set 'winbind sealed pipes = false' and "
"'require strong key = false' to proceed: %s\n",
domain->name, nt_errstr(result)));
invalidate_cm_connection(domain);
return result;
}
result = cli_rpc_pipe_open_noauth_transport(conn->cli,
transport,
&ndr_table_netlogon,
&conn->netlogon_pipe);
if (!NT_STATUS_IS_OK(result)) {
invalidate_cm_connection(domain);
return result;
}
*cli = conn->netlogon_pipe;
return NT_STATUS_OK;
}
/* Using the credentials from the first pipe, open a signed and sealed
second netlogon pipe. The session key is stored in the schannel
part of the new pipe auth struct.
*/
result = cli_rpc_pipe_open_schannel_with_creds(
conn->cli, &ndr_table_netlogon, transport,
creds,
conn->netlogon_creds,
&conn->netlogon_pipe);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
"was %s\n", nt_errstr(result)));
invalidate_cm_connection(domain);
return result;
}
*cli = conn->netlogon_pipe;
return NT_STATUS_OK;
}
/****************************************************************************
Open a LSA connection to a DC, suiteable for LSA lookup calls.
****************************************************************************/
NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
struct rpc_pipe_client **cli)
{
NTSTATUS status;
status = init_dc_connection_rpc(domain, domain->rodc);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (domain->active_directory && domain->can_do_ncacn_ip_tcp) {
status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
invalidate_cm_connection(domain);
status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
}
if (NT_STATUS_IS_OK(status)) {
return status;
}
/*
* we tried twice to connect via ncan_ip_tcp and schannel and
* failed - maybe it is a trusted domain we can't connect to ?
* do not try tcp next time - gd
*
* This also prevents LSA over TCP
*/
domain->can_do_ncacn_ip_tcp = false;
}
status = cm_connect_netlogon_transport(domain, NCACN_NP, cli);
return status;
}
void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
void *private_data,
uint32_t msg_type,
struct server_id server_id,
DATA_BLOB *data)
{
struct winbindd_domain *domain;
char *freeit = NULL;
char *addr;
if ((data == NULL)
|| (data->data == NULL)
|| (data->length == 0)
|| (data->data[data->length-1] != '\0')) {
DEBUG(1, ("invalid msg_ip_dropped message: not a valid "
"string\n"));
return;
}
addr = (char *)data->data;
DEBUG(10, ("IP %s dropped\n", addr));
if (!is_ipaddress(addr)) {
char *slash;
/*
* Some code sends us ip addresses with the /netmask
* suffix
*/
slash = strchr(addr, '/');
if (slash == NULL) {
DEBUG(1, ("invalid msg_ip_dropped message: %s",
addr));
return;
}
freeit = talloc_strndup(talloc_tos(), addr, slash-addr);
if (freeit == NULL) {
DEBUG(1, ("talloc failed\n"));
return;
}
addr = freeit;
DEBUG(10, ("Stripped /netmask to IP %s\n", addr));
}
for (domain = domain_list(); domain != NULL; domain = domain->next) {
char sockaddr[INET6_ADDRSTRLEN];
if (!cli_state_is_connected(domain->conn.cli)) {
continue;
}
print_sockaddr(sockaddr, sizeof(sockaddr),
smbXcli_conn_local_sockaddr(domain->conn.cli->conn));
if (strequal(sockaddr, addr)) {
smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
}
}
TALLOC_FREE(freeit);
}