2 Unix SMB/CIFS implementation.
4 Winbind daemon connection manager
6 Copyright (C) Tim Potter 2001
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Gerald (Jerry) Carter 2003-2005.
9 Copyright (C) Volker Lendecke 2004-2005
10 Copyright (C) Jeremy Allison 2006
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 We need to manage connections to domain controllers without having to
28 mess up the main winbindd code with other issues. The aim of the
29 connection manager is to:
31 - make connections to domain controllers and cache them
32 - re-establish connections when networks or servers go down
33 - centralise the policy on connection timeouts, domain controller
35 - manage re-entrancy for when winbindd becomes able to handle
36 multiple outstanding rpc requests
38 Why not have connection management as part of the rpc layer like tng?
39 Good question. This code may morph into libsmb/rpc_cache.c or something
40 like that but at the moment it's simply staying as part of winbind. I
41 think the TNG architecture of forcing every user of the rpc layer to use
42 the connection caching system is a bad idea. It should be an optional
43 method of using the routines.
45 The TNG design is quite good but I disagree with some aspects of the
53 - I'm pretty annoyed by all the make_nmb_name() stuff. It should be
54 moved down into another function.
56 - Take care when destroying cli_structs as they can be shared between
63 #include "libsmb/namequery.h"
64 #include "../libcli/auth/libcli_auth.h"
65 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
66 #include "rpc_client/cli_pipe.h"
67 #include "rpc_client/cli_netlogon.h"
68 #include "../librpc/gen_ndr/ndr_samr_c.h"
69 #include "../librpc/gen_ndr/ndr_lsa_c.h"
70 #include "rpc_client/cli_lsarpc.h"
71 #include "../librpc/gen_ndr/ndr_dssetup_c.h"
72 #include "libads/sitename_cache.h"
73 #include "libsmb/libsmb.h"
74 #include "libsmb/clidgram.h"
77 #include "../libcli/security/security.h"
80 #include "auth/gensec/gensec.h"
81 #include "../libcli/smb/smbXcli_base.h"
82 #include "libcli/auth/netlogon_creds_cli.h"
84 #include "rpc_server/rpc_ncacn_np.h"
85 #include "auth/credentials/credentials.h"
86 #include "lib/param/param.h"
87 #include "lib/gencache.h"
88 #include "lib/util/string_wrappers.h"
89 #include "lib/global_contexts.h"
90 #include "librpc/gen_ndr/ndr_winbind_c.h"
93 #define DBGC_CLASS DBGC_WINBIND
97 struct sockaddr_storage ss;
100 extern struct winbindd_methods reconnect_methods;
102 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc);
103 static void set_dc_type_and_flags( struct winbindd_domain *domain );
104 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain );
105 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
106 struct dc_name_ip **dcs, int *num_dcs,
107 uint32_t request_flags);
109 void winbind_msg_domain_offline(struct messaging_context *msg_ctx,
112 struct server_id server_id,
115 const char *domain_name = (const char *)data->data;
116 struct winbindd_domain *domain;
118 domain = find_domain_from_name_noinit(domain_name);
119 if (domain == NULL) {
120 DBG_DEBUG("Domain %s not found!\n", domain_name);
124 DBG_DEBUG("Domain %s was %s, change to offline now.\n",
126 domain->online ? "online" : "offline");
128 domain->online = false;
131 void winbind_msg_domain_online(struct messaging_context *msg_ctx,
134 struct server_id server_id,
137 const char *domain_name = (const char *)data->data;
138 struct winbindd_domain *domain;
140 domain = find_domain_from_name_noinit(domain_name);
141 if (domain == NULL) {
145 SMB_ASSERT(wb_child_domain() == NULL);
147 DBG_DEBUG("Domain %s was %s, marking as online now!\n",
149 domain->online ? "online" : "offline");
151 domain->online = true;
154 /****************************************************************
155 Set domain offline and also add handler to put us back online
157 ****************************************************************/
159 void set_domain_offline(struct winbindd_domain *domain)
161 pid_t parent_pid = getppid();
163 DEBUG(10,("set_domain_offline: called for domain %s\n",
166 if (domain->internal) {
167 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
172 domain->online = False;
174 /* Offline domains are always initialized. They're
175 re-initialized when they go back online. */
177 domain->initialized = True;
179 /* Send a message to the parent that the domain is offline. */
180 if (parent_pid > 1 && !domain->internal) {
181 messaging_send_buf(global_messaging_context(),
182 pid_to_procid(parent_pid),
183 MSG_WINBIND_DOMAIN_OFFLINE,
184 (uint8_t *)domain->name,
185 strlen(domain->name) + 1);
188 /* Send an offline message to the idmap child when our
189 primary domain goes offline */
190 if ( domain->primary ) {
191 pid_t idmap_pid = idmap_child_pid();
193 if (idmap_pid != 0) {
194 messaging_send_buf(global_messaging_context(),
195 pid_to_procid(idmap_pid),
197 (const uint8_t *)domain->name,
198 strlen(domain->name)+1);
205 /****************************************************************
206 Set domain online - if allowed.
207 ****************************************************************/
209 static void set_domain_online(struct winbindd_domain *domain)
211 pid_t parent_pid = getppid();
213 DEBUG(10,("set_domain_online: called for domain %s\n",
216 if (domain->internal) {
217 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
222 if (get_global_winbindd_state_offline()) {
223 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
228 winbindd_set_locator_kdc_envs(domain);
230 /* If we are waiting to get a krb5 ticket, trigger immediately. */
231 ccache_regain_all_now();
233 /* Ok, we're out of any startup mode now... */
234 domain->startup = False;
236 if (domain->online == False) {
237 /* We were offline - now we're online. We default to
238 using the MS-RPC backend if we started offline,
239 and if we're going online for the first time we
240 should really re-initialize the backends and the
241 checks to see if we're talking to an AD or NT domain.
244 domain->initialized = False;
246 /* 'reconnect_methods' is the MS-RPC backend. */
247 if (domain->backend == &reconnect_methods) {
248 domain->backend = NULL;
252 domain->online = True;
254 /* Send a message to the parent that the domain is online. */
255 if (parent_pid > 1 && !domain->internal) {
256 messaging_send_buf(global_messaging_context(),
257 pid_to_procid(parent_pid),
258 MSG_WINBIND_DOMAIN_ONLINE,
259 (uint8_t *)domain->name,
260 strlen(domain->name) + 1);
263 /* Send an online message to the idmap child when our
264 primary domain comes online */
266 if ( domain->primary ) {
267 pid_t idmap_pid = idmap_child_pid();
269 if (idmap_pid != 0) {
270 messaging_send_buf(global_messaging_context(),
271 pid_to_procid(idmap_pid),
273 (const uint8_t *)domain->name,
274 strlen(domain->name)+1);
281 /****************************************************************
282 Requested to set a domain online.
283 ****************************************************************/
285 void set_domain_online_request(struct winbindd_domain *domain)
289 SMB_ASSERT(wb_child_domain() || idmap_child());
291 DEBUG(10,("set_domain_online_request: called for domain %s\n",
294 if (get_global_winbindd_state_offline()) {
295 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
300 if (domain->internal) {
301 DEBUG(10, ("set_domain_online_request: Internal domains are "
307 * This call takes care of setting the online flag to true if we
308 * connected, or tell the parent to ping us back if false. Bypasses
309 * online check so always does network calls.
311 status = init_dc_connection_network(domain, true);
312 DBG_DEBUG("init_dc_connection_network(), returned %s, called for "
313 "domain %s (online = %s)\n",
316 domain->online ? "true" : "false");
319 /****************************************************************
320 Add -ve connection cache entries for domain and realm.
321 ****************************************************************/
323 static void winbind_add_failed_connection_entry(
324 const struct winbindd_domain *domain,
328 add_failed_connection_entry(domain->name, server, result);
329 /* If this was the saf name for the last thing we talked to,
331 saf_delete(domain->name);
332 if (domain->alt_name != NULL) {
333 add_failed_connection_entry(domain->alt_name, server, result);
334 saf_delete(domain->alt_name);
336 winbindd_unset_locator_kdc_env(domain);
339 /* Choose between anonymous or authenticated connections. We need to use
340 an authenticated connection if DCs have the RestrictAnonymous registry
341 entry set > 0, or the "Additional restrictions for anonymous
342 connections" set in the win2k Local Security Policy.
344 Caller to free() result in domain, username, password
347 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
349 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
350 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
351 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
353 if (*username && **username) {
355 if (!*domain || !**domain)
356 *domain = smb_xstrdup(lp_workgroup());
358 if (!*password || !**password)
359 *password = smb_xstrdup("");
361 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
362 *domain, *username));
365 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
366 *username = smb_xstrdup("");
367 *domain = smb_xstrdup("");
368 *password = smb_xstrdup("");
372 static NTSTATUS cm_get_ipc_credentials(TALLOC_CTX *mem_ctx,
373 struct cli_credentials **_creds)
376 TALLOC_CTX *frame = talloc_stackframe();
377 NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
378 struct loadparm_context *lp_ctx;
379 char *username = NULL;
380 char *netbios_domain = NULL;
381 char *password = NULL;
382 struct cli_credentials *creds = NULL;
385 cm_get_ipc_userpass(&username, &netbios_domain, &password);
387 lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
388 if (lp_ctx == NULL) {
389 DEBUG(1, ("loadparm_init_s3 failed\n"));
390 status = NT_STATUS_INTERNAL_ERROR;
394 creds = cli_credentials_init(mem_ctx);
396 status = NT_STATUS_NO_MEMORY;
400 ok = cli_credentials_set_conf(creds, lp_ctx);
402 status = NT_STATUS_INTERNAL_ERROR;
406 cli_credentials_set_kerberos_state(creds,
407 CRED_USE_KERBEROS_DISABLED,
410 ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
412 status = NT_STATUS_NO_MEMORY;
416 ok = cli_credentials_set_username(creds, username, CRED_SPECIFIED);
418 status = NT_STATUS_NO_MEMORY;
422 ok = cli_credentials_set_password(creds, password, CRED_SPECIFIED);
424 status = NT_STATUS_NO_MEMORY;
430 status = NT_STATUS_OK;
434 SAFE_FREE(netbios_domain);
440 static bool cm_is_ipc_credentials(struct cli_credentials *creds)
442 TALLOC_CTX *frame = talloc_stackframe();
443 char *ipc_account = NULL;
444 char *ipc_domain = NULL;
445 char *ipc_password = NULL;
446 const char *creds_account = NULL;
447 const char *creds_domain = NULL;
448 const char *creds_password = NULL;
451 cm_get_ipc_userpass(&ipc_account, &ipc_domain, &ipc_password);
453 creds_account = cli_credentials_get_username(creds);
454 creds_domain = cli_credentials_get_domain(creds);
455 creds_password = cli_credentials_get_password(creds);
457 if (!strequal(ipc_domain, creds_domain)) {
461 if (!strequal(ipc_account, creds_account)) {
465 if (!strcsequal(ipc_password, creds_password)) {
471 SAFE_FREE(ipc_account);
472 SAFE_FREE(ipc_domain);
473 SAFE_FREE(ipc_password);
478 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
480 struct sockaddr_storage *dc_ss,
481 uint32_t request_flags)
483 struct winbindd_domain *our_domain = NULL;
484 struct rpc_pipe_client *netlogon_pipe = NULL;
488 unsigned int orig_timeout;
489 const char *tmp = NULL;
491 struct dcerpc_binding_handle *b;
493 /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
500 if (domain->primary) {
504 our_domain = find_our_domain();
506 if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
510 result = cm_connect_netlogon(our_domain, &netlogon_pipe);
511 if (!NT_STATUS_IS_OK(result)) {
512 talloc_destroy(mem_ctx);
516 b = netlogon_pipe->binding_handle;
518 /* This call can take a long time - allow the server to time out.
519 35 seconds should do it. */
521 orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
523 if (our_domain->active_directory) {
524 struct netr_DsRGetDCNameInfo *domain_info = NULL;
527 * TODO request flags are not respected in the server
528 * (and in some cases, like REQUIRE_PDC, causes an error)
530 result = dcerpc_netr_DsRGetDCName(b,
536 request_flags|DS_RETURN_DNS_NAME,
539 if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
541 mem_ctx, domain_info->dc_unc);
543 DBG_ERR("talloc_strdup failed for dc_unc[%s]\n",
544 domain_info->dc_unc);
545 talloc_destroy(mem_ctx);
548 if (domain->alt_name == NULL) {
549 domain->alt_name = talloc_strdup(domain,
550 domain_info->domain_name);
551 if (domain->alt_name == NULL) {
552 DBG_ERR("talloc_strdup failed for "
553 "domain_info->domain_name[%s]\n",
554 domain_info->domain_name);
555 talloc_destroy(mem_ctx);
559 if (domain->forest_name == NULL) {
560 domain->forest_name = talloc_strdup(domain,
561 domain_info->forest_name);
562 if (domain->forest_name == NULL) {
563 DBG_ERR("talloc_strdup failed for "
564 "domain_info->forest_name[%s]\n",
565 domain_info->forest_name);
566 talloc_destroy(mem_ctx);
572 result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
579 /* And restore our original timeout. */
580 rpccli_set_timeout(netlogon_pipe, orig_timeout);
582 if (!NT_STATUS_IS_OK(result)) {
583 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
585 talloc_destroy(mem_ctx);
589 if (!W_ERROR_IS_OK(werr)) {
590 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
592 talloc_destroy(mem_ctx);
596 /* dcerpc_netr_GetAnyDCName gives us a name with \\ */
597 p = strip_hostname(tmp);
601 talloc_destroy(mem_ctx);
603 DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
605 if (!resolve_name(dcname, dc_ss, 0x20, true)) {
613 * Helper function to assemble trust password and account name
615 NTSTATUS winbindd_get_trust_credentials(struct winbindd_domain *domain,
618 bool allow_ipc_fallback,
619 struct cli_credentials **_creds)
621 const struct winbindd_domain *creds_domain = NULL;
622 struct cli_credentials *creds;
624 bool force_machine_account = false;
626 /* If we are a DC and this is not our own domain */
628 if (!domain->active_directory) {
631 * For non active directory domains
632 * we can only use NTLMSSP for SMB.
634 * But the trust account is not allowed
635 * to use SMB with NTLMSSP.
637 force_machine_account = true;
641 if (IS_DC && !force_machine_account) {
642 creds_domain = domain;
644 creds_domain = find_our_domain();
645 if (creds_domain == NULL) {
646 return NT_STATUS_INVALID_SERVER_STATE;
650 status = pdb_get_trust_credentials(creds_domain->name,
651 creds_domain->alt_name,
654 if (!NT_STATUS_IS_OK(status)) {
658 if (creds_domain != domain) {
660 * We can only use schannel against a direct trust
662 cli_credentials_set_secure_channel_type(creds,
671 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
674 if (!allow_ipc_fallback) {
678 status = cm_get_ipc_credentials(mem_ctx, &creds);
679 if (!NT_STATUS_IS_OK(status)) {
687 /************************************************************************
688 Given a fd with a just-connected TCP connection to a DC, open a connection
690 ************************************************************************/
692 static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
694 const char *controller,
695 struct cli_state **cli,
698 bool try_ipc_auth = false;
699 const char *machine_principal = NULL;
700 const char *machine_realm = NULL;
701 const char *machine_account = NULL;
702 const char *machine_domain = NULL;
704 struct cli_credentials *creds = NULL;
706 struct named_mutex *mutex;
708 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
710 NTSTATUS tcon_status = NT_STATUS_NETWORK_NAME_DELETED;
712 enum smb_signing_setting smb_sign_client_connections = lp_client_ipc_signing();
715 if (domain->secure_channel_type == SEC_CHAN_NULL) {
717 * Make sure we don't even try to
718 * connect to a foreign domain
719 * without a direct outbound trust.
722 return NT_STATUS_NO_TRUST_LSA_SECRET;
726 * As AD DC we only use netlogon and lsa
727 * using schannel over an anonymous transport
728 * (ncacn_ip_tcp or ncacn_np).
730 * Currently we always establish the SMB connection,
731 * even if we don't use it, because we later use ncacn_ip_tcp.
733 * As we won't use the SMB connection there's no
734 * need to try kerberos. And NT4 domains expect
735 * an anonymous IPC$ connection anyway.
737 smb_sign_client_connections = SMB_SIGNING_OFF;
740 if (smb_sign_client_connections == SMB_SIGNING_DEFAULT) {
742 * If we are connecting to our own AD domain, require
743 * smb signing to disrupt MITM attacks
745 if (domain->primary && lp_security() == SEC_ADS) {
746 smb_sign_client_connections = SMB_SIGNING_REQUIRED;
748 * If we are in or are an AD domain and connecting to another
749 * AD domain in our forest
750 * then require smb signing to disrupt MITM attacks
752 } else if ((lp_security() == SEC_ADS)
753 && domain->active_directory
754 && (domain->domain_trust_attribs
755 & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)) {
756 smb_sign_client_connections = SMB_SIGNING_REQUIRED;
760 DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
761 controller, domain->name ));
765 mutex = grab_named_mutex(talloc_tos(), controller,
766 WINBIND_SERVER_MUTEX_WAIT_TIME);
769 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
771 result = NT_STATUS_POSSIBLE_DEADLOCK;
776 * cm_prepare_connection() is responsible that sockfd does not leak.
777 * Once cli_state_create() returns with success, the
778 * smbXcli_conn_destructor() makes sure that close(sockfd) is finally
779 * called. Till that, close(sockfd) must be called on every unsuccessful
782 *cli = cli_state_create(NULL, sockfd, controller,
783 smb_sign_client_connections, flags);
786 DEBUG(1, ("Could not cli_initialize\n"));
787 result = NT_STATUS_NO_MEMORY;
791 cli_set_timeout(*cli, 10000); /* 10 seconds */
793 set_socket_options(sockfd, lp_socket_options());
795 result = smbXcli_negprot((*cli)->conn,
797 lp_client_ipc_min_protocol(),
798 lp_client_ipc_max_protocol(),
803 if (!NT_STATUS_IS_OK(result)) {
804 DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
808 if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_NT1 &&
809 smb1cli_conn_capabilities((*cli)->conn) & CAP_EXTENDED_SECURITY) {
811 } else if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
813 } else if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
815 * If we are forcing on SMB signing, then we must
816 * require authentication unless this is a one-way
817 * trust, and we have no stored user/password
824 * As AD DC we only use netlogon and lsa
825 * using schannel over an anonymous transport
826 * (ncacn_ip_tcp or ncacn_np).
828 * Currently we always establish the SMB connection,
829 * even if we don't use it, because we later use ncacn_ip_tcp.
831 * As we won't use the SMB connection there's no
832 * need to try kerberos. And NT4 domains expect
833 * an anonymous IPC$ connection anyway.
835 try_ipc_auth = false;
839 result = winbindd_get_trust_credentials(domain,
841 false, /* netlogon */
842 true, /* ipc_fallback */
844 if (!NT_STATUS_IS_OK(result)) {
845 DBG_WARNING("winbindd_get_trust_credentials(%s) "
853 * Without SPNEGO or NTLMSSP (perhaps via SMB2) we
854 * would try and authentication with our machine
855 * account password and fail. This is very rare in
856 * the modern world however
858 creds = cli_credentials_init_anon(talloc_tos());
860 result = NT_STATUS_NO_MEMORY;
861 DEBUG(1, ("cli_credentials_init_anon(%s) failed: %s\n",
862 domain->name, nt_errstr(result)));
867 machine_principal = cli_credentials_get_principal(creds,
869 machine_realm = cli_credentials_get_realm(creds);
870 machine_account = cli_credentials_get_username(creds);
871 machine_domain = cli_credentials_get_domain(creds);
873 DEBUG(5, ("connecting to %s (%s, %s) with account [%s\\%s] principal "
874 "[%s] and realm [%s]\n",
875 controller, domain->name, domain->alt_name,
876 machine_domain, machine_account,
877 machine_principal, machine_realm));
879 if (cli_credentials_is_anonymous(creds)) {
883 winbindd_set_locator_kdc_envs(domain);
885 result = cli_session_setup_creds(*cli, creds);
886 if (NT_STATUS_IS_OK(result)) {
887 goto session_setup_done;
890 DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
892 cli_credentials_get_unparsed_name(creds, talloc_tos()),
896 * If we are not going to validate the connection
897 * with SMB signing, then allow us to fall back to
900 if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
901 || NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
902 || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
903 || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_COMPUTER_NAME)
904 || NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_DOMAIN)
905 || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
906 || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
908 if (!cm_is_ipc_credentials(creds)) {
912 if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
923 tmp_status = cm_get_ipc_credentials(talloc_tos(), &creds);
924 if (!NT_STATUS_IS_OK(tmp_status)) {
929 if (cli_credentials_is_anonymous(creds)) {
933 machine_account = cli_credentials_get_username(creds);
934 machine_domain = cli_credentials_get_domain(creds);
936 DEBUG(5, ("connecting to %s from %s using NTLMSSP with username "
937 "[%s]\\[%s]\n", controller, lp_netbios_name(),
938 machine_domain, machine_account));
940 result = cli_session_setup_creds(*cli, creds);
941 if (NT_STATUS_IS_OK(result)) {
942 goto session_setup_done;
945 DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
947 cli_credentials_get_unparsed_name(creds, talloc_tos()),
951 * If we are not going to validate the connection
952 * with SMB signing, then allow us to fall back to
955 if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
956 || NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
957 || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
958 || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_COMPUTER_NAME)
959 || NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_DOMAIN)
960 || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
961 || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
971 if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
975 /* Fall back to anonymous connection, this might fail later */
976 DEBUG(5,("cm_prepare_connection: falling back to anonymous "
977 "connection for DC %s\n",
980 result = cli_session_setup_anon(*cli);
981 if (NT_STATUS_IS_OK(result)) {
982 DEBUG(5, ("Connected anonymously\n"));
983 goto session_setup_done;
986 DEBUG(1, ("anonymous session setup to %s failed with %s\n",
987 controller, nt_errstr(result)));
989 /* We can't session setup */
996 * This should be a short term hack until
997 * dynamic re-authentication is implemented.
999 * See Bug 9175 - winbindd doesn't recover from
1000 * NT_STATUS_NETWORK_SESSION_EXPIRED
1002 if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
1003 smbXcli_session_set_disconnect_expired((*cli)->smb2.session);
1006 result = cli_tree_connect(*cli, "IPC$", "IPC", NULL);
1007 if (!NT_STATUS_IS_OK(result)) {
1008 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
1011 tcon_status = result;
1013 /* cache the server name for later connections */
1015 saf_store(domain->name, controller);
1016 if (domain->alt_name) {
1017 saf_store(domain->alt_name, controller);
1020 winbindd_set_locator_kdc_envs(domain);
1025 result = NT_STATUS_OK;
1031 if (NT_STATUS_IS_OK(result)) {
1032 result = tcon_status;
1035 if (!NT_STATUS_IS_OK(result)) {
1036 DEBUG(1, ("Failed to prepare SMB connection to %s: %s\n",
1037 controller, nt_errstr(result)));
1038 winbind_add_failed_connection_entry(domain, controller, result);
1039 if ((*cli) != NULL) {
1048 /*******************************************************************
1049 Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
1052 Keeps the list unique by not adding duplicate entries.
1054 @param[in] mem_ctx talloc memory context to allocate from
1055 @param[in] domain_name domain of the DC
1056 @param[in] dcname name of the DC to add to the list
1057 @param[in] pss Internet address and port pair to add to the list
1058 @param[in,out] dcs array of dc_name_ip structures to add to
1059 @param[in,out] num_dcs number of dcs returned in the dcs array
1060 @return true if the list was added to, false otherwise
1061 *******************************************************************/
1063 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
1064 const char *dcname, struct sockaddr_storage *pss,
1065 struct dc_name_ip **dcs, int *num)
1069 if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
1070 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
1074 /* Make sure there's no duplicates in the list */
1075 for (i=0; i<*num; i++)
1077 (struct sockaddr *)(void *)&(*dcs)[i].ss,
1078 (struct sockaddr *)(void *)pss))
1081 *dcs = talloc_realloc(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
1086 fstrcpy((*dcs)[*num].name, dcname);
1087 (*dcs)[*num].ss = *pss;
1092 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1093 struct sockaddr_storage *pss, uint16_t port,
1094 struct sockaddr_storage **addrs, int *num)
1096 *addrs = talloc_realloc(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1098 if (*addrs == NULL) {
1103 (*addrs)[*num] = *pss;
1104 set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
1111 static bool dcip_check_name_ads(const struct winbindd_domain *domain,
1112 struct samba_sockaddr *sa,
1113 uint32_t request_flags,
1114 TALLOC_CTX *mem_ctx,
1117 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1119 ADS_STRUCT *ads = NULL;
1120 ADS_STATUS ads_status;
1121 char addr[INET6_ADDRSTRLEN];
1123 print_sockaddr(addr, sizeof(addr), &sa->u.ss);
1124 D_DEBUG("Trying to figure out the DC name for domain '%s' at IP '%s'.\n",
1128 ads = ads_init(tmp_ctx,
1134 ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1137 ads->config.flags |= request_flags;
1138 ads->server.no_fallback = true;
1140 ads_status = ads_connect_cldap_only(ads);
1141 if (!ADS_ERR_OK(ads_status)) {
1145 /* We got a cldap packet. */
1146 name = talloc_strdup(tmp_ctx, ads->config.ldap_server_name);
1148 ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1151 namecache_store(name, 0x20, 1, sa);
1153 DBG_DEBUG("CLDAP flags = 0x%"PRIx32"\n", ads->config.flags);
1155 if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
1156 if (ads_closest_dc(ads)) {
1157 char *sitename = sitename_fetch(tmp_ctx,
1160 /* We're going to use this KDC for this realm/domain.
1161 If we are using sites, then force the krb5 libs
1164 create_local_private_krb5_conf_for_domain(domain->alt_name,
1169 TALLOC_FREE(sitename);
1171 /* use an off site KDC */
1172 create_local_private_krb5_conf_for_domain(domain->alt_name,
1177 winbindd_set_locator_kdc_envs(domain);
1179 /* Ensure we contact this DC also. */
1180 saf_store(domain->name, name);
1181 saf_store(domain->alt_name, name);
1184 D_DEBUG("DC name for domain '%s' at IP '%s' is '%s'\n",
1188 *namep = talloc_move(mem_ctx, &name);
1191 TALLOC_FREE(tmp_ctx);
1193 return ADS_ERR_OK(ads_status) ? true : false;
1197 /*******************************************************************
1198 convert an ip to a name
1199 For an AD Domain, it checks the requirements of the request flags.
1200 *******************************************************************/
1202 static bool dcip_check_name(TALLOC_CTX *mem_ctx,
1203 const struct winbindd_domain *domain,
1204 struct sockaddr_storage *pss,
1205 char **name, uint32_t request_flags)
1207 struct samba_sockaddr sa = {0};
1208 uint32_t nt_version = NETLOGON_NT_VERSION_1;
1210 const char *dc_name;
1213 bool is_ad_domain = false;
1215 bool ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
1221 /* For active directory servers, try to get the ldap server name.
1222 None of these failures should be considered critical for now */
1224 if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
1225 is_ad_domain = true;
1226 } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1227 is_ad_domain = domain->active_directory;
1231 return dcip_check_name_ads(domain,
1240 size_t len = strlen(lp_netbios_name());
1241 char my_acct_name[len+2];
1243 snprintf(my_acct_name,
1244 sizeof(my_acct_name),
1248 status = nbt_getdc(global_messaging_context(), 10, &sa.u.ss,
1249 domain->name, &domain->sid,
1250 my_acct_name, ACB_WSTRUST,
1251 nt_version, mem_ctx, &nt_version,
1254 if (NT_STATUS_IS_OK(status)) {
1255 *name = talloc_strdup(mem_ctx, dc_name);
1256 if (*name == NULL) {
1259 namecache_store(*name, 0x20, 1, &sa);
1263 /* try node status request */
1265 if (name_status_find(domain->name, 0x1c, 0x20, &sa.u.ss, nbtname) ) {
1266 namecache_store(nbtname, 0x20, 1, &sa);
1269 *name = talloc_strdup(mem_ctx, nbtname);
1270 if (*name == NULL) {
1280 /*******************************************************************
1281 Retrieve a list of IP addresses for domain controllers.
1283 The array is sorted in the preferred connection order.
1285 @param[in] mem_ctx talloc memory context to allocate from
1286 @param[in] domain domain to retrieve DCs for
1287 @param[out] dcs array of dcs that will be returned
1288 @param[out] num_dcs number of dcs returned in the dcs array
1290 *******************************************************************/
1292 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1293 struct dc_name_ip **dcs, int *num_dcs,
1294 uint32_t request_flags)
1297 struct sockaddr_storage ss;
1298 struct samba_sockaddr *sa_list = NULL;
1299 size_t salist_size = 0;
1302 enum security_types sec = (enum security_types)lp_security();
1304 is_our_domain = strequal(domain->name, lp_workgroup());
1306 /* If not our domain, get the preferred DC, by asking our primary DC */
1308 && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags)
1309 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
1312 char addr[INET6_ADDRSTRLEN];
1313 print_sockaddr(addr, sizeof(addr), &ss);
1314 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1319 if ((sec == SEC_ADS) && (domain->alt_name != NULL)) {
1320 char *sitename = NULL;
1322 /* We need to make sure we know the local site before
1323 doing any DNS queries, as this will restrict the
1324 get_sorted_dc_list() call below to only fetching
1325 DNS records for the correct site. */
1327 /* Find any DC to get the site record.
1328 We deliberately don't care about the
1331 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1333 sitename = sitename_fetch(mem_ctx, domain->alt_name);
1336 /* Do the site-specific AD dns lookup first. */
1337 (void)get_sorted_dc_list(mem_ctx,
1344 /* Add ips to the DC array. We don't look up the name
1345 of the DC in this function, but we fill in the char*
1346 of the ip now to make the failed connection cache
1348 for ( i=0; i<salist_size; i++ ) {
1349 char addr[INET6_ADDRSTRLEN];
1350 print_sockaddr(addr, sizeof(addr),
1352 add_one_dc_unique(mem_ctx,
1360 TALLOC_FREE(sa_list);
1361 TALLOC_FREE(sitename);
1365 /* Now we add DCs from the main AD DNS lookup. */
1366 (void)get_sorted_dc_list(mem_ctx,
1373 for ( i=0; i<salist_size; i++ ) {
1374 char addr[INET6_ADDRSTRLEN];
1375 print_sockaddr(addr, sizeof(addr),
1377 add_one_dc_unique(mem_ctx,
1385 TALLOC_FREE(sa_list);
1389 /* Try standard netbios queries if no ADS and fall back to DNS queries
1390 * if alt_name is available */
1391 if (*num_dcs == 0) {
1392 (void)get_sorted_dc_list(mem_ctx,
1398 if (salist_size == 0) {
1399 if (domain->alt_name != NULL) {
1400 (void)get_sorted_dc_list(mem_ctx,
1409 for ( i=0; i<salist_size; i++ ) {
1410 char addr[INET6_ADDRSTRLEN];
1411 print_sockaddr(addr, sizeof(addr),
1413 add_one_dc_unique(mem_ctx,
1421 TALLOC_FREE(sa_list);
1428 static bool connect_preferred_dc(TALLOC_CTX *mem_ctx,
1429 struct winbindd_domain *domain,
1430 uint32_t request_flags,
1433 char *saf_servername = NULL;
1438 * We have to check the server affinity cache here since later we select
1439 * a DC based on response time and not preference.
1441 if (domain->force_dc) {
1442 saf_servername = domain->dcname;
1444 saf_servername = saf_fetch(mem_ctx, domain->name);
1448 * Check the negative connection cache before talking to it. It going
1449 * down may have triggered the reconnection.
1451 if (saf_servername != NULL) {
1452 status = check_negative_conn_cache(domain->name,
1454 if (!NT_STATUS_IS_OK(status)) {
1455 saf_servername = NULL;
1459 if (saf_servername != NULL) {
1460 DBG_DEBUG("saf_servername is '%s' for domain %s\n",
1461 saf_servername, domain->name);
1463 /* convert an ip address to a name */
1464 if (is_ipaddress(saf_servername)) {
1465 ok = interpret_string_addr(&domain->dcaddr,
1472 ok = resolve_name(saf_servername,
1481 TALLOC_FREE(domain->dcname);
1482 ok = dcip_check_name(domain,
1492 if (domain->dcname == NULL) {
1496 status = check_negative_conn_cache(domain->name, domain->dcname);
1497 if (!NT_STATUS_IS_OK(status)) {
1501 status = smbsock_connect(&domain->dcaddr, 0,
1504 if (!NT_STATUS_IS_OK(status)) {
1505 winbind_add_failed_connection_entry(domain,
1507 NT_STATUS_UNSUCCESSFUL);
1513 winbind_add_failed_connection_entry(domain,
1515 NT_STATUS_UNSUCCESSFUL);
1520 /*******************************************************************
1521 Find and make a connection to a DC in the given domain.
1523 @param[in] mem_ctx talloc memory context to allocate from
1524 @param[in] domain domain to find a dc in
1525 @param[out] fd fd of the open socket connected to the newly found dc
1526 @return true when a DC connection is made, false otherwise
1527 *******************************************************************/
1529 static bool find_dc(TALLOC_CTX *mem_ctx,
1530 struct winbindd_domain *domain,
1531 uint32_t request_flags,
1534 struct dc_name_ip *dcs = NULL;
1537 const char **dcnames = NULL;
1538 size_t num_dcnames = 0;
1540 struct sockaddr_storage *addrs = NULL;
1551 D_NOTICE("First try to connect to the closest DC (using server "
1552 "affinity cache). If this fails, try to lookup the DC using "
1553 "DNS afterwards.\n");
1554 ok = connect_preferred_dc(mem_ctx, domain, request_flags, fd);
1559 if (domain->force_dc) {
1564 D_DEBUG("Retrieving a list of IP addresses for DCs.\n");
1565 if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs, request_flags) || (num_dcs == 0))
1568 D_DEBUG("Retrieved IP addresses for %d DCs.\n", num_dcs);
1569 for (i=0; i<num_dcs; i++) {
1571 if (!add_string_to_array(mem_ctx, dcs[i].name,
1572 &dcnames, &num_dcnames)) {
1575 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, TCP_SMB_PORT,
1576 &addrs, &num_addrs)) {
1581 if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1584 if ((addrs == NULL) || (dcnames == NULL))
1587 D_DEBUG("Trying to establish a connection to one of the %d DCs "
1588 "(timeout of 10 sec for each DC).\n",
1590 status = smbsock_any_connect(addrs, dcnames, NULL, NULL, NULL,
1591 num_addrs, 0, 10, fd, &fd_index, NULL);
1592 if (!NT_STATUS_IS_OK(status)) {
1593 for (i=0; i<num_dcs; i++) {
1594 char ab[INET6_ADDRSTRLEN];
1595 print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1596 DBG_DEBUG("smbsock_any_connect failed for "
1597 "domain %s address %s. Error was %s\n",
1598 domain->name, ab, nt_errstr(status));
1599 winbind_add_failed_connection_entry(domain,
1600 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1604 D_NOTICE("Successfully connected to DC '%s'.\n", dcs[fd_index].name);
1606 domain->dcaddr = addrs[fd_index];
1608 if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1609 /* Ok, we've got a name for the DC */
1610 TALLOC_FREE(domain->dcname);
1611 domain->dcname = talloc_strdup(domain, dcnames[fd_index]);
1612 if (domain->dcname == NULL) {
1618 /* Try to figure out the name */
1619 TALLOC_FREE(domain->dcname);
1620 ok = dcip_check_name(domain,
1629 /* We can not continue without the DC's name */
1630 winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1631 NT_STATUS_UNSUCCESSFUL);
1633 /* Throw away all arrays as we're doing this again. */
1637 TALLOC_FREE(dcnames);
1649 * This should not be an infinite loop, since get_dcs() will not return
1650 * the DC added to the negative connection cache in the above
1651 * winbind_add_failed_connection_entry() call.
1656 static char *current_dc_key(TALLOC_CTX *mem_ctx, const char *domain_name)
1658 return talloc_asprintf_strupper_m(mem_ctx, "CURRENT_DCNAME/%s",
1662 static void store_current_dc_in_gencache(const char *domain_name,
1663 const char *dc_name,
1664 struct cli_state *cli)
1666 char addr[INET6_ADDRSTRLEN];
1670 if (!cli_state_is_connected(cli)) {
1674 print_sockaddr(addr, sizeof(addr),
1675 smbXcli_conn_remote_sockaddr(cli->conn));
1677 key = current_dc_key(talloc_tos(), domain_name);
1682 value = talloc_asprintf(talloc_tos(), "%s %s", addr, dc_name);
1683 if (value == NULL) {
1687 gencache_set(key, value, 0x7fffffff);
1693 bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx,
1694 const char *domain_name,
1695 char **p_dc_name, char **p_dc_ip)
1700 char *dc_name = NULL;
1703 key = current_dc_key(talloc_tos(), domain_name);
1707 if (!gencache_get(key, mem_ctx, &value, NULL)) {
1710 p = strchr(value, ' ');
1714 dc_ip = talloc_strndup(mem_ctx, value, p - value);
1715 if (dc_ip == NULL) {
1718 dc_name = talloc_strdup(mem_ctx, p+1);
1719 if (dc_name == NULL) {
1723 if (p_dc_ip != NULL) {
1727 if (p_dc_name != NULL) {
1728 *p_dc_name = dc_name;
1733 TALLOC_FREE(dc_name);
1740 NTSTATUS wb_open_internal_pipe(TALLOC_CTX *mem_ctx,
1741 const struct ndr_interface_table *table,
1742 struct rpc_pipe_client **ret_pipe)
1744 struct rpc_pipe_client *cli = NULL;
1745 const struct auth_session_info *session_info = NULL;
1746 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1749 session_info = get_session_info_system();
1750 SMB_ASSERT(session_info != NULL);
1752 status = rpc_pipe_open_local_np(
1753 mem_ctx, table, NULL, NULL, NULL, NULL, session_info, &cli);
1754 if (!NT_STATUS_IS_OK(status)) {
1762 return NT_STATUS_OK;
1765 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1766 struct winbindd_cm_conn *new_conn,
1769 TALLOC_CTX *mem_ctx;
1770 NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1772 uint32_t request_flags = need_rw_dc ? DS_WRITABLE_REQUIRED : 0;
1775 bool seal_pipes = true;
1777 if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1778 set_domain_offline(domain);
1779 return NT_STATUS_NO_MEMORY;
1782 D_NOTICE("Creating connection to domain controller. This is a start of "
1783 "a new connection or a DC failover. The failover only happens "
1784 "if the domain has more than one DC. We will try to connect 3 "
1785 "times at most.\n");
1786 for (retries = 0; retries < 3; retries++) {
1789 D_DEBUG("Attempt %d/3: DC '%s' of domain '%s'.\n",
1791 domain->dcname ? domain->dcname : "",
1794 found_dc = find_dc(mem_ctx, domain, request_flags, &fd);
1796 /* This is the one place where we will
1797 set the global winbindd offline state
1798 to true, if a "WINBINDD_OFFLINE" entry
1799 is found in the winbindd cache. */
1800 set_global_winbindd_state_offline();
1801 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1805 new_conn->cli = NULL;
1807 result = cm_prepare_connection(domain, fd, domain->dcname,
1808 &new_conn->cli, &retry);
1809 if (NT_STATUS_IS_OK(result)) {
1817 if (!NT_STATUS_IS_OK(result)) {
1818 /* Ensure we setup the retry handler. */
1819 set_domain_offline(domain);
1823 winbindd_set_locator_kdc_envs(domain);
1825 if (domain->online == False) {
1826 /* We're changing state from offline to online. */
1827 set_global_winbindd_state_online();
1829 set_domain_online(domain);
1832 * Much as I hate global state, this seems to be the point
1833 * where we can be certain that we have a proper connection to
1834 * a DC. wbinfo --dc-info needs that information, store it in
1835 * gencache with a looong timeout. This will need revisiting
1836 * once we start to connect to multiple DCs, wbcDcInfo is
1837 * already prepared for that.
1839 store_current_dc_in_gencache(domain->name, domain->dcname,
1842 seal_pipes = lp_winbind_sealed_pipes();
1843 seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
1848 new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1850 new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1854 talloc_destroy(mem_ctx);
1858 /* Close down all open pipes on a connection. */
1860 void invalidate_cm_connection(struct winbindd_domain *domain)
1863 struct winbindd_cm_conn *conn = &domain->conn;
1865 domain->sequence_number = DOM_SEQUENCE_NONE;
1866 domain->last_seq_check = 0;
1867 domain->last_status = NT_STATUS_SERVER_DISABLED;
1869 /* We're closing down a possibly dead
1870 connection. Don't have impossibly long (10s) timeouts. */
1873 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1876 if (conn->samr_pipe != NULL) {
1877 if (is_valid_policy_hnd(&conn->sam_connect_handle)) {
1878 dcerpc_samr_Close(conn->samr_pipe->binding_handle,
1880 &conn->sam_connect_handle,
1883 TALLOC_FREE(conn->samr_pipe);
1884 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1886 cli_set_timeout(conn->cli, 500);
1890 if (conn->lsa_pipe != NULL) {
1891 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1892 dcerpc_lsa_Close(conn->lsa_pipe->binding_handle,
1897 TALLOC_FREE(conn->lsa_pipe);
1898 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1900 cli_set_timeout(conn->cli, 500);
1904 if (conn->lsa_pipe_tcp != NULL) {
1905 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1906 dcerpc_lsa_Close(conn->lsa_pipe_tcp->binding_handle,
1911 TALLOC_FREE(conn->lsa_pipe_tcp);
1912 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1914 cli_set_timeout(conn->cli, 500);
1918 if (conn->netlogon_pipe != NULL) {
1919 TALLOC_FREE(conn->netlogon_pipe);
1920 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1922 cli_set_timeout(conn->cli, 500);
1926 conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1927 TALLOC_FREE(conn->netlogon_creds_ctx);
1930 cli_shutdown(conn->cli);
1936 void close_conns_after_fork(void)
1938 struct winbindd_domain *domain;
1939 struct winbindd_cli_state *cli_state;
1941 for (domain = domain_list(); domain; domain = domain->next) {
1943 * first close the low level SMB TCP connection
1944 * so that we don't generate any SMBclose
1945 * requests in invalidate_cm_connection()
1947 if (cli_state_is_connected(domain->conn.cli)) {
1948 smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
1951 invalidate_cm_connection(domain);
1954 for (cli_state = winbindd_client_list();
1956 cli_state = cli_state->next) {
1957 if (cli_state->sock >= 0) {
1958 close(cli_state->sock);
1959 cli_state->sock = -1;
1964 static bool connection_ok(struct winbindd_domain *domain)
1968 ok = cli_state_is_connected(domain->conn.cli);
1970 DEBUG(3, ("connection_ok: Connection to %s for domain %s is not connected\n",
1971 domain->dcname, domain->name));
1975 if (!domain->online) {
1976 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1983 /* Initialize a new connection up to the RPC BIND.
1984 Bypass online status check so always does network calls. */
1986 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc)
1989 bool skip_connection = domain->internal;
1990 if (need_rw_dc && domain->rodc) {
1991 skip_connection = false;
1994 /* Internal connections never use the network. */
1995 if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
1996 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1999 /* Still ask the internal LSA and SAMR server about the local domain */
2000 if (skip_connection || connection_ok(domain)) {
2001 if (!domain->initialized) {
2002 set_dc_type_and_flags(domain);
2004 return NT_STATUS_OK;
2007 invalidate_cm_connection(domain);
2009 if (!domain->primary && !domain->initialized) {
2011 * Before we connect to a trust, work out if it is an
2012 * AD domain by asking our own domain.
2014 set_dc_type_and_flags_trustinfo(domain);
2017 result = cm_open_connection(domain, &domain->conn, need_rw_dc);
2019 if (NT_STATUS_IS_OK(result) && !domain->initialized) {
2020 set_dc_type_and_flags(domain);
2026 NTSTATUS init_dc_connection(struct winbindd_domain *domain, bool need_rw_dc)
2028 if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
2029 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2032 SMB_ASSERT(wb_child_domain() || idmap_child());
2034 return init_dc_connection_network(domain, need_rw_dc);
2037 static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain, bool need_rw_dc)
2041 status = init_dc_connection(domain, need_rw_dc);
2042 if (!NT_STATUS_IS_OK(status)) {
2046 if (!domain->internal && domain->conn.cli == NULL) {
2047 /* happens for trusted domains without inbound trust */
2048 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2051 return NT_STATUS_OK;
2054 /******************************************************************************
2055 Set the trust flags (direction and forest location) for a domain
2056 ******************************************************************************/
2058 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
2060 struct winbindd_domain *our_domain;
2061 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2063 struct netr_DomainTrustList trusts;
2065 uint32_t flags = (NETR_TRUST_FLAG_IN_FOREST |
2066 NETR_TRUST_FLAG_OUTBOUND |
2067 NETR_TRUST_FLAG_INBOUND);
2068 struct rpc_pipe_client *cli;
2069 TALLOC_CTX *mem_ctx = NULL;
2070 struct dcerpc_binding_handle *b;
2074 * On a DC we loaded all trusts
2075 * from configuration and never learn
2081 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
2083 /* Our primary domain doesn't need to worry about trust flags.
2084 Force it to go through the network setup */
2085 if ( domain->primary ) {
2089 mem_ctx = talloc_stackframe();
2090 our_domain = find_our_domain();
2091 if (our_domain->internal) {
2092 result = init_dc_connection(our_domain, false);
2093 if (!NT_STATUS_IS_OK(result)) {
2094 DEBUG(3,("set_dc_type_and_flags_trustinfo: "
2095 "Not able to make a connection to our domain: %s\n",
2096 nt_errstr(result)));
2097 TALLOC_FREE(mem_ctx);
2102 /* This won't work unless our domain is AD */
2103 if ( !our_domain->active_directory ) {
2104 TALLOC_FREE(mem_ctx);
2108 if (our_domain->internal) {
2109 result = wb_open_internal_pipe(mem_ctx, &ndr_table_netlogon, &cli);
2110 } else if (!connection_ok(our_domain)) {
2111 DEBUG(3,("set_dc_type_and_flags_trustinfo: "
2112 "No connection to our domain!\n"));
2113 TALLOC_FREE(mem_ctx);
2116 result = cm_connect_netlogon(our_domain, &cli);
2119 if (!NT_STATUS_IS_OK(result)) {
2120 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
2121 "a connection to %s for PIPE_NETLOGON (%s)\n",
2122 domain->name, nt_errstr(result)));
2123 TALLOC_FREE(mem_ctx);
2126 b = cli->binding_handle;
2128 /* Use DsEnumerateDomainTrusts to get us the trust direction and type. */
2129 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
2134 if (!NT_STATUS_IS_OK(result)) {
2135 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
2136 "failed to query trusted domain list: %s\n",
2137 nt_errstr(result)));
2138 TALLOC_FREE(mem_ctx);
2141 if (!W_ERROR_IS_OK(werr)) {
2142 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
2143 "failed to query trusted domain list: %s\n",
2145 TALLOC_FREE(mem_ctx);
2149 /* Now find the domain name and get the flags */
2151 for ( i=0; i<trusts.count; i++ ) {
2152 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
2153 domain->domain_flags = trusts.array[i].trust_flags;
2154 domain->domain_type = trusts.array[i].trust_type;
2155 domain->domain_trust_attribs = trusts.array[i].trust_attributes;
2157 if ( domain->domain_type == LSA_TRUST_TYPE_UPLEVEL )
2158 domain->active_directory = True;
2160 /* This flag is only set if the domain is *our*
2161 primary domain and the primary domain is in
2164 domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
2166 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
2167 "native mode.\n", domain->name,
2168 domain->native_mode ? "" : "NOT "));
2170 DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
2171 "running active directory.\n", domain->name,
2172 domain->active_directory ? "" : "NOT "));
2174 domain->can_do_ncacn_ip_tcp = domain->active_directory;
2176 domain->initialized = True;
2182 TALLOC_FREE(mem_ctx);
2184 return domain->initialized;
2187 /******************************************************************************
2188 We can 'sense' certain things about the DC by it's replies to certain
2191 This tells us if this particular remote server is Active Directory, and if it
2193 ******************************************************************************/
2195 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
2197 NTSTATUS status, result;
2198 NTSTATUS close_status = NT_STATUS_UNSUCCESSFUL;
2200 TALLOC_CTX *mem_ctx = NULL;
2201 struct rpc_pipe_client *cli = NULL;
2202 struct policy_handle pol = { .handle_type = 0 };
2203 union dssetup_DsRoleInfo info;
2204 union lsa_PolicyInformation *lsa_info = NULL;
2205 union lsa_revision_info out_revision_info = {
2210 uint32_t out_version = 0;
2212 if (!domain->internal && !connection_ok(domain)) {
2216 mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
2219 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
2223 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
2225 if (domain->internal) {
2226 status = wb_open_internal_pipe(mem_ctx,
2230 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
2235 if (!NT_STATUS_IS_OK(status)) {
2236 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
2237 "PI_DSSETUP on domain %s: (%s)\n",
2238 domain->name, nt_errstr(status)));
2240 /* if this is just a non-AD domain we need to continue
2241 * identifying so that we can in the end return with
2242 * domain->initialized = True - gd */
2247 status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx,
2248 DS_ROLE_BASIC_INFORMATION,
2253 if (NT_STATUS_IS_OK(status)) {
2254 result = werror_to_ntstatus(werr);
2256 if (!NT_STATUS_IS_OK(status)) {
2257 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
2258 "on domain %s failed: (%s)\n",
2259 domain->name, nt_errstr(status)));
2261 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
2262 * every opcode on the DSSETUP pipe, continue with
2263 * no_dssetup mode here as well to get domain->initialized
2266 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
2270 TALLOC_FREE(mem_ctx);
2274 if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
2275 !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
2276 domain->native_mode = True;
2278 domain->native_mode = False;
2282 if (domain->internal) {
2283 status = wb_open_internal_pipe(mem_ctx,
2287 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
2288 &ndr_table_lsarpc, &cli);
2290 if (!NT_STATUS_IS_OK(status)) {
2291 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
2292 "PI_LSARPC on domain %s: (%s)\n",
2293 domain->name, nt_errstr(status)));
2295 TALLOC_FREE(mem_ctx);
2299 status = dcerpc_lsa_open_policy_fallback(cli->binding_handle,
2301 cli->srv_name_slash,
2303 SEC_FLAG_MAXIMUM_ALLOWED,
2309 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2310 /* This particular query is exactly what Win2k clients use
2311 to determine that the DC is active directory */
2312 status = dcerpc_lsa_QueryInfoPolicy2(cli->binding_handle, mem_ctx,
2314 LSA_POLICY_INFO_DNS,
2320 * If the status and result will not be OK we will fallback to
2323 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2324 domain->active_directory = True;
2326 if (lsa_info->dns.name.string) {
2327 if (!strequal(domain->name, lsa_info->dns.name.string))
2329 DEBUG(1, ("set_dc_type_and_flags_connect: DC "
2330 "for domain %s claimed it was a DC "
2331 "for domain %s, refusing to "
2334 lsa_info->dns.name.string));
2336 TALLOC_FREE(mem_ctx);
2339 talloc_free(domain->name);
2340 domain->name = talloc_strdup(domain,
2341 lsa_info->dns.name.string);
2342 if (domain->name == NULL) {
2347 if (lsa_info->dns.dns_domain.string) {
2348 if (domain->alt_name != NULL &&
2349 !strequal(domain->alt_name,
2350 lsa_info->dns.dns_domain.string))
2352 DEBUG(1, ("set_dc_type_and_flags_connect: DC "
2353 "for domain %s (%s) claimed it was "
2354 "a DC for domain %s, refusing to "
2356 domain->alt_name, domain->name,
2357 lsa_info->dns.dns_domain.string));
2359 TALLOC_FREE(mem_ctx);
2362 talloc_free(domain->alt_name);
2364 talloc_strdup(domain,
2365 lsa_info->dns.dns_domain.string);
2366 if (domain->alt_name == NULL) {
2371 /* See if we can set some domain trust flags about
2374 if (lsa_info->dns.dns_forest.string) {
2375 talloc_free(domain->forest_name);
2376 domain->forest_name =
2377 talloc_strdup(domain,
2378 lsa_info->dns.dns_forest.string);
2379 if (domain->forest_name == NULL) {
2383 if (strequal(domain->forest_name, domain->alt_name)) {
2384 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
2388 if (lsa_info->dns.sid) {
2389 if (!is_null_sid(&domain->sid) &&
2390 !dom_sid_equal(&domain->sid,
2393 struct dom_sid_buf buf1, buf2;
2394 DEBUG(1, ("set_dc_type_and_flags_connect: DC "
2395 "for domain %s (%s) claimed it was "
2396 "a DC for domain %s, refusing to "
2398 dom_sid_str_buf(&domain->sid, &buf1),
2400 dom_sid_str_buf(lsa_info->dns.sid,
2403 TALLOC_FREE(mem_ctx);
2406 sid_copy(&domain->sid, lsa_info->dns.sid);
2409 domain->active_directory = False;
2411 status = rpccli_lsa_open_policy(cli, mem_ctx, True,
2412 SEC_FLAG_MAXIMUM_ALLOWED,
2415 if (!NT_STATUS_IS_OK(status)) {
2419 status = dcerpc_lsa_QueryInfoPolicy(cli->binding_handle, mem_ctx,
2421 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
2424 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2426 if (lsa_info->account_domain.name.string) {
2427 if (!strequal(domain->name,
2428 lsa_info->account_domain.name.string))
2431 ("set_dc_type_and_flags_connect: "
2432 "DC for domain %s claimed it was"
2433 " a DC for domain %s, refusing "
2434 "to initialize\n", domain->name,
2436 account_domain.name.string));
2438 TALLOC_FREE(mem_ctx);
2441 talloc_free(domain->name);
2443 talloc_strdup(domain,
2444 lsa_info->account_domain.name.string);
2447 if (lsa_info->account_domain.sid) {
2448 if (!is_null_sid(&domain->sid) &&
2449 !dom_sid_equal(&domain->sid,
2450 lsa_info->account_domain.sid))
2452 struct dom_sid_buf buf1, buf2;
2454 ("set_dc_type_and_flags_connect: "
2455 "DC for domain %s (%s) claimed "
2456 "it was a DC for domain %s, "
2457 "refusing to initialize\n",
2459 &domain->sid, &buf1),
2462 lsa_info->account_domain.sid,
2465 TALLOC_FREE(mem_ctx);
2468 sid_copy(&domain->sid, lsa_info->account_domain.sid);
2473 if (is_valid_policy_hnd(&pol)) {
2474 dcerpc_lsa_Close(cli->binding_handle,
2480 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
2481 domain->name, domain->native_mode ? "" : "NOT "));
2483 DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
2484 domain->name, domain->active_directory ? "" : "NOT "));
2486 domain->can_do_ncacn_ip_tcp = domain->active_directory;
2490 TALLOC_FREE(mem_ctx);
2492 domain->initialized = True;
2495 /**********************************************************************
2496 Set the domain_flags (trust attributes, domain operating modes, etc...
2497 ***********************************************************************/
2499 static void set_dc_type_and_flags( struct winbindd_domain *domain )
2503 * On a DC we loaded all trusts
2504 * from configuration and never learn
2510 /* we always have to contact our primary domain */
2512 if ( domain->primary || domain->internal) {
2513 DEBUG(10,("set_dc_type_and_flags: setting up flags for "
2514 "primary or internal domain\n"));
2515 set_dc_type_and_flags_connect( domain );
2519 /* Use our DC to get the information if possible */
2521 if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
2522 /* Otherwise, fallback to contacting the
2524 set_dc_type_and_flags_connect( domain );
2532 /**********************************************************************
2533 ***********************************************************************/
2535 static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
2536 struct netlogon_creds_cli_context **ppdc)
2538 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2539 struct rpc_pipe_client *netlogon_pipe;
2543 if ((!IS_DC) && (!domain->primary)) {
2544 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2547 if (domain->conn.netlogon_creds_ctx != NULL) {
2548 *ppdc = domain->conn.netlogon_creds_ctx;
2549 return NT_STATUS_OK;
2552 result = cm_connect_netlogon_secure(domain, &netlogon_pipe, ppdc);
2553 if (!NT_STATUS_IS_OK(result)) {
2557 return NT_STATUS_OK;
2560 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2562 struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
2564 struct winbindd_cm_conn *conn;
2565 NTSTATUS status, result;
2566 struct netlogon_creds_cli_context *p_creds;
2567 struct cli_credentials *creds = NULL;
2568 bool retry = false; /* allow one retry attempt for expired session */
2569 const char *remote_name = NULL;
2570 const struct sockaddr_storage *remote_sockaddr = NULL;
2571 bool sealed_pipes = true;
2572 bool strong_key = true;
2574 if (sid_check_is_our_sam(&domain->sid)) {
2575 if (domain->rodc == false || need_rw_dc == false) {
2576 return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
2582 * In theory we should not use SAMR within
2583 * winbindd at all, but that's a larger task to
2584 * remove this and avoid breaking existing
2587 * At least as AD DC we have the restriction
2588 * to avoid SAMR against trusted domains,
2589 * as there're no existing setups.
2591 return NT_STATUS_REQUEST_NOT_ACCEPTED;
2595 status = init_dc_connection_rpc(domain, need_rw_dc);
2596 if (!NT_STATUS_IS_OK(status)) {
2600 conn = &domain->conn;
2602 if (rpccli_is_connected(conn->samr_pipe)) {
2606 TALLOC_FREE(conn->samr_pipe);
2609 * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
2610 * sign and sealed pipe using the machine account password by
2611 * preference. If we can't - try schannel, if that fails, try
2615 result = winbindd_get_trust_credentials(domain,
2617 false, /* netlogon */
2618 true, /* ipc_fallback */
2620 if (!NT_STATUS_IS_OK(result)) {
2621 DEBUG(10, ("cm_connect_sam: No user available for "
2622 "domain %s, trying schannel\n", domain->name));
2626 if (cli_credentials_is_anonymous(creds)) {
2630 remote_name = smbXcli_conn_remote_name(conn->cli->conn);
2631 remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
2634 * We have an authenticated connection. Use a SPNEGO
2635 * authenticated SAMR pipe with sign & seal.
2637 status = cli_rpc_pipe_open_with_creds(conn->cli,
2640 DCERPC_AUTH_TYPE_SPNEGO,
2647 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
2649 invalidate_cm_connection(domain);
2654 if (!NT_STATUS_IS_OK(status)) {
2655 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2656 "pipe for domain %s using NTLMSSP "
2657 "authenticated pipe: user %s. Error was "
2658 "%s\n", domain->name,
2659 cli_credentials_get_unparsed_name(creds, talloc_tos()),
2660 nt_errstr(status)));
2664 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2665 "domain %s using NTLMSSP authenticated "
2666 "pipe: user %s\n", domain->name,
2667 cli_credentials_get_unparsed_name(creds, talloc_tos())));
2669 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2670 conn->samr_pipe->desthost,
2671 SEC_FLAG_MAXIMUM_ALLOWED,
2672 &conn->sam_connect_handle,
2675 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
2676 invalidate_cm_connection(domain);
2677 TALLOC_FREE(conn->samr_pipe);
2682 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2685 if (NT_STATUS_IS_OK(status)) {
2689 DEBUG(10,("cm_connect_sam: ntlmssp-sealed dcerpc_samr_Connect2 "
2690 "failed for domain %s, error was %s. Trying schannel\n",
2691 domain->name, nt_errstr(status) ));
2692 TALLOC_FREE(conn->samr_pipe);
2696 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2698 status = cm_get_schannel_creds(domain, &p_creds);
2699 if (!NT_STATUS_IS_OK(status)) {
2700 /* If this call fails - conn->cli can now be NULL ! */
2701 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2702 "for domain %s (error %s), trying anon\n",
2704 nt_errstr(status) ));
2708 status = cli_rpc_pipe_open_schannel_with_creds(
2709 conn->cli, &ndr_table_samr, NCACN_NP, p_creds,
2714 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
2716 invalidate_cm_connection(domain);
2721 if (!NT_STATUS_IS_OK(status)) {
2722 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2723 "domain %s using schannel. Error was %s\n",
2724 domain->name, nt_errstr(status) ));
2727 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2728 "schannel.\n", domain->name ));
2730 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2731 conn->samr_pipe->desthost,
2732 SEC_FLAG_MAXIMUM_ALLOWED,
2733 &conn->sam_connect_handle,
2736 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
2737 invalidate_cm_connection(domain);
2738 TALLOC_FREE(conn->samr_pipe);
2743 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2746 if (NT_STATUS_IS_OK(status)) {
2749 DEBUG(10,("cm_connect_sam: schannel-sealed dcerpc_samr_Connect2 failed "
2750 "for domain %s, error was %s. Trying anonymous\n",
2751 domain->name, nt_errstr(status) ));
2752 TALLOC_FREE(conn->samr_pipe);
2756 sealed_pipes = lp_winbind_sealed_pipes();
2757 sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
2760 strong_key = lp_require_strong_key();
2761 strong_key = lp_parm_bool(-1, "require strong key",
2765 /* Finally fall back to anonymous. */
2766 if (sealed_pipes || strong_key) {
2767 status = NT_STATUS_DOWNGRADE_DETECTED;
2768 DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
2769 "without connection level security, "
2770 "must set 'winbind sealed pipes:%s = false' and "
2771 "'require strong key:%s = false' to proceed: %s\n",
2772 domain->name, domain->name, domain->name,
2773 nt_errstr(status)));
2776 status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
2779 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
2781 invalidate_cm_connection(domain);
2786 if (!NT_STATUS_IS_OK(status)) {
2790 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2791 conn->samr_pipe->desthost,
2792 SEC_FLAG_MAXIMUM_ALLOWED,
2793 &conn->sam_connect_handle,
2796 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
2797 invalidate_cm_connection(domain);
2798 TALLOC_FREE(conn->samr_pipe);
2803 if (!NT_STATUS_IS_OK(status)) {
2804 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2805 "for domain %s Error was %s\n",
2806 domain->name, nt_errstr(status) ));
2809 if (!NT_STATUS_IS_OK(result)) {
2811 DEBUG(10,("cm_connect_sam: dcerpc_samr_Connect2 failed "
2812 "for domain %s Error was %s\n",
2813 domain->name, nt_errstr(result)));
2818 status = dcerpc_samr_OpenDomain(conn->samr_pipe->binding_handle,
2820 &conn->sam_connect_handle,
2821 SEC_FLAG_MAXIMUM_ALLOWED,
2823 &conn->sam_domain_handle,
2825 if (!NT_STATUS_IS_OK(status)) {
2832 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
2834 * if we got access denied, we might just have no access rights
2835 * to talk to the remote samr server server (e.g. when we are a
2836 * PDC and we are connecting a w2k8 pdc via an interdomain
2837 * trust). In that case do not invalidate the whole connection
2840 TALLOC_FREE(conn->samr_pipe);
2841 ZERO_STRUCT(conn->sam_domain_handle);
2843 } else if (!NT_STATUS_IS_OK(status)) {
2844 invalidate_cm_connection(domain);
2848 *cli = conn->samr_pipe;
2849 *sam_handle = conn->sam_domain_handle;
2853 /**********************************************************************
2854 open an schanneld ncacn_ip_tcp connection to LSA
2855 ***********************************************************************/
2857 static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
2858 TALLOC_CTX *mem_ctx,
2859 struct rpc_pipe_client **cli)
2861 struct winbindd_cm_conn *conn;
2862 struct netlogon_creds_cli_context *p_creds = NULL;
2864 const char *remote_name = NULL;
2865 const struct sockaddr_storage *remote_sockaddr = NULL;
2867 DEBUG(10,("cm_connect_lsa_tcp\n"));
2869 status = init_dc_connection_rpc(domain, false);
2870 if (!NT_STATUS_IS_OK(status)) {
2874 conn = &domain->conn;
2877 * rpccli_is_connected handles more error cases
2879 if (rpccli_is_connected(conn->lsa_pipe_tcp) &&
2880 conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
2881 conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
2885 TALLOC_FREE(conn->lsa_pipe_tcp);
2887 status = cm_get_schannel_creds(domain, &p_creds);
2888 if (!NT_STATUS_IS_OK(status)) {
2892 remote_name = smbXcli_conn_remote_name(conn->cli->conn);
2893 remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
2895 status = cli_rpc_pipe_open_schannel_with_creds(
2902 &conn->lsa_pipe_tcp);
2903 if (!NT_STATUS_IS_OK(status)) {
2904 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
2905 nt_errstr(status)));
2910 if (!NT_STATUS_IS_OK(status)) {
2911 TALLOC_FREE(conn->lsa_pipe_tcp);
2915 *cli = conn->lsa_pipe_tcp;
2920 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2921 struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
2923 struct winbindd_cm_conn *conn;
2924 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2925 struct netlogon_creds_cli_context *p_creds;
2926 struct cli_credentials *creds = NULL;
2927 bool retry = false; /* allow one retry attempt for expired session */
2928 const char *remote_name = NULL;
2929 const struct sockaddr_storage *remote_sockaddr = NULL;
2930 bool sealed_pipes = true;
2931 bool strong_key = true;
2934 result = init_dc_connection_rpc(domain, false);
2935 if (!NT_STATUS_IS_OK(result))
2938 conn = &domain->conn;
2940 if (rpccli_is_connected(conn->lsa_pipe)) {
2944 TALLOC_FREE(conn->lsa_pipe);
2948 * Make sure we only use schannel as AD DC.
2953 result = winbindd_get_trust_credentials(domain,
2955 false, /* netlogon */
2956 true, /* ipc_fallback */
2958 if (!NT_STATUS_IS_OK(result)) {
2959 DEBUG(10, ("cm_connect_lsa: No user available for "
2960 "domain %s, trying schannel\n", domain->name));
2964 if (cli_credentials_is_anonymous(creds)) {
2968 remote_name = smbXcli_conn_remote_name(conn->cli->conn);
2969 remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
2972 * We have an authenticated connection. Use a SPNEGO
2973 * authenticated LSA pipe with sign & seal.
2975 result = cli_rpc_pipe_open_with_creds
2976 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
2977 DCERPC_AUTH_TYPE_SPNEGO,
2984 if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
2986 invalidate_cm_connection(domain);
2991 if (!NT_STATUS_IS_OK(result)) {
2992 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2993 "domain %s using NTLMSSP authenticated pipe: user "
2994 "%s. Error was %s. Trying schannel.\n",
2996 cli_credentials_get_unparsed_name(creds, talloc_tos()),
2997 nt_errstr(result)));
3001 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
3002 "NTLMSSP authenticated pipe: user %s\n",
3003 domain->name, cli_credentials_get_unparsed_name(creds, talloc_tos())));
3005 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
3006 SEC_FLAG_MAXIMUM_ALLOWED,
3008 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
3009 invalidate_cm_connection(domain);
3010 TALLOC_FREE(conn->lsa_pipe);
3015 if (NT_STATUS_IS_OK(result)) {
3019 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
3022 TALLOC_FREE(conn->lsa_pipe);
3026 /* Fall back to schannel if it's a W2K pre-SP1 box. */
3028 result = cm_get_schannel_creds(domain, &p_creds);
3029 if (!NT_STATUS_IS_OK(result)) {
3030 /* If this call fails - conn->cli can now be NULL ! */
3031 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
3032 "for domain %s (error %s), trying anon\n",
3034 nt_errstr(result) ));
3039 result = cli_rpc_pipe_open_schannel_with_creds(
3040 conn->cli, &ndr_table_lsarpc, NCACN_NP, p_creds,
3045 if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
3047 invalidate_cm_connection(domain);
3052 if (!NT_STATUS_IS_OK(result)) {
3053 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
3054 "domain %s using schannel. Error was %s\n",
3055 domain->name, nt_errstr(result) ));
3058 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
3059 "schannel.\n", domain->name ));
3061 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
3062 SEC_FLAG_MAXIMUM_ALLOWED,
3065 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
3066 invalidate_cm_connection(domain);
3067 TALLOC_FREE(conn->lsa_pipe);
3072 if (NT_STATUS_IS_OK(result)) {
3078 * Make sure we only use schannel as AD DC.
3083 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
3086 TALLOC_FREE(conn->lsa_pipe);
3092 * Make sure we only use schannel as AD DC.
3097 sealed_pipes = lp_winbind_sealed_pipes();
3098 sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
3101 strong_key = lp_require_strong_key();
3102 strong_key = lp_parm_bool(-1, "require strong key",
3106 /* Finally fall back to anonymous. */
3107 if (sealed_pipes || strong_key) {
3108 result = NT_STATUS_DOWNGRADE_DETECTED;
3109 DEBUG(1, ("Unwilling to make LSA connection to domain %s "
3110 "without connection level security, "
3111 "must set 'winbind sealed pipes:%s = false' and "
3112 "'require strong key:%s = false' to proceed: %s\n",
3113 domain->name, domain->name, domain->name,
3114 nt_errstr(result)));
3118 result = cli_rpc_pipe_open_noauth(conn->cli,
3122 if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
3124 invalidate_cm_connection(domain);
3129 if (!NT_STATUS_IS_OK(result)) {
3133 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
3134 SEC_FLAG_MAXIMUM_ALLOWED,
3137 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
3138 invalidate_cm_connection(domain);
3139 TALLOC_FREE(conn->lsa_pipe);
3145 if (!NT_STATUS_IS_OK(result)) {
3146 invalidate_cm_connection(domain);
3150 *cli = conn->lsa_pipe;
3151 *lsa_policy = conn->lsa_policy;
3155 /****************************************************************************
3156 Open a LSA connection to a DC, suitable for LSA lookup calls.
3157 ****************************************************************************/
3159 NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
3160 TALLOC_CTX *mem_ctx,
3161 struct rpc_pipe_client **cli,
3162 struct policy_handle *lsa_policy)
3166 if (domain->can_do_ncacn_ip_tcp) {
3167 status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
3168 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
3169 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
3170 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
3171 invalidate_cm_connection(domain);
3172 status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
3174 if (NT_STATUS_IS_OK(status)) {
3179 * we tried twice to connect via ncan_ip_tcp and schannel and
3180 * failed - maybe it is a trusted domain we can't connect to ?
3181 * do not try tcp next time - gd
3183 * This also prevents NETLOGON over TCP
3185 domain->can_do_ncacn_ip_tcp = false;
3188 status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);
3193 /****************************************************************************
3194 Open the netlogon pipe to this DC.
3195 ****************************************************************************/
3197 static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
3198 enum dcerpc_transport_t transport,
3199 struct rpc_pipe_client **cli)
3201 struct messaging_context *msg_ctx = global_messaging_context();
3202 struct winbindd_cm_conn *conn;
3204 enum netr_SchannelType sec_chan_type;
3205 struct cli_credentials *creds = NULL;
3210 if (domain->secure_channel_type == SEC_CHAN_NULL) {
3212 * Make sure we don't even try to
3213 * connect to a foreign domain
3214 * without a direct outbound trust.
3216 return NT_STATUS_NO_TRUST_LSA_SECRET;
3220 result = init_dc_connection_rpc(domain, domain->rodc);
3221 if (!NT_STATUS_IS_OK(result)) {
3225 conn = &domain->conn;
3227 if (rpccli_is_connected(conn->netlogon_pipe)) {
3228 *cli = conn->netlogon_pipe;
3229 return NT_STATUS_OK;
3232 TALLOC_FREE(conn->netlogon_pipe);
3233 TALLOC_FREE(conn->netlogon_creds_ctx);
3235 result = winbindd_get_trust_credentials(domain,
3237 true, /* netlogon */
3238 false, /* ipc_fallback */
3240 if (!NT_STATUS_IS_OK(result)) {
3241 DBG_DEBUG("No user available for domain %s when trying "
3242 "schannel\n", domain->name);
3243 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3246 if (cli_credentials_is_anonymous(creds)) {
3247 DBG_WARNING("get_trust_credential only gave anonymous for %s, "
3248 "unable to make get NETLOGON credentials\n",
3250 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3253 sec_chan_type = cli_credentials_get_secure_channel_type(creds);
3254 if (sec_chan_type == SEC_CHAN_NULL) {
3255 const char *remote_name =
3256 smbXcli_conn_remote_name(conn->cli->conn);
3257 const struct sockaddr_storage *remote_sockaddr =
3258 smbXcli_conn_remote_sockaddr(conn->cli->conn);
3260 if (transport == NCACN_IP_TCP) {
3261 DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
3262 "for %s, deny NCACN_IP_TCP and let the "
3263 "caller fallback to NCACN_NP.\n",
3265 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3268 DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
3269 "fallback to noauth on NCACN_NP.\n",
3272 result = cli_rpc_pipe_open_noauth_transport(
3275 &ndr_table_netlogon,
3278 &conn->netlogon_pipe);
3279 if (!NT_STATUS_IS_OK(result)) {
3280 invalidate_cm_connection(domain);
3284 *cli = conn->netlogon_pipe;
3285 return NT_STATUS_OK;
3288 result = rpccli_create_netlogon_creds_ctx(creds,
3292 &conn->netlogon_creds_ctx);
3293 if (!NT_STATUS_IS_OK(result)) {
3294 DEBUG(1, ("rpccli_create_netlogon_creds failed for %s, "
3295 "unable to create NETLOGON credentials: %s\n",
3296 domain->name, nt_errstr(result)));
3300 result = rpccli_connect_netlogon(
3301 conn->cli, transport,
3302 conn->netlogon_creds_ctx, conn->netlogon_force_reauth, creds,
3303 &conn->netlogon_pipe);
3304 conn->netlogon_force_reauth = false;
3305 if (!NT_STATUS_IS_OK(result)) {
3306 DBG_DEBUG("rpccli_connect_netlogon failed: %s\n",
3311 *cli = conn->netlogon_pipe;
3312 return NT_STATUS_OK;
3315 /****************************************************************************
3316 Open a NETLOGON connection to a DC, suitable for SamLogon calls.
3317 ****************************************************************************/
3319 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
3320 struct rpc_pipe_client **cli)
3324 status = init_dc_connection_rpc(domain, domain->rodc);
3325 if (!NT_STATUS_IS_OK(status)) {
3329 if (domain->active_directory && domain->can_do_ncacn_ip_tcp) {
3330 status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
3331 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
3332 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
3333 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
3334 invalidate_cm_connection(domain);
3335 status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
3337 if (NT_STATUS_IS_OK(status)) {
3342 * we tried twice to connect via ncan_ip_tcp and schannel and
3343 * failed - maybe it is a trusted domain we can't connect to ?
3344 * do not try tcp next time - gd
3346 * This also prevents LSA over TCP
3348 domain->can_do_ncacn_ip_tcp = false;
3351 status = cm_connect_netlogon_transport(domain, NCACN_NP, cli);
3352 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
3354 * SMB2 session expired, needs reauthentication. Drop
3355 * connection and retry.
3357 invalidate_cm_connection(domain);
3358 status = cm_connect_netlogon_transport(domain, NCACN_NP, cli);
3364 NTSTATUS cm_connect_netlogon_secure(struct winbindd_domain *domain,
3365 struct rpc_pipe_client **cli,
3366 struct netlogon_creds_cli_context **ppdc)
3370 if (domain->secure_channel_type == SEC_CHAN_NULL) {
3371 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3374 status = cm_connect_netlogon(domain, cli);
3375 if (!NT_STATUS_IS_OK(status)) {
3379 if (domain->conn.netlogon_creds_ctx == NULL) {
3380 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
3383 *ppdc = domain->conn.netlogon_creds_ctx;
3384 return NT_STATUS_OK;
3387 void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
3390 struct server_id server_id,
3393 struct winbindd_domain *domain;
3394 char *freeit = NULL;
3398 || (data->data == NULL)
3399 || (data->length == 0)
3400 || (data->data[data->length-1] != '\0')) {
3401 DEBUG(1, ("invalid msg_ip_dropped message: not a valid "
3406 addr = (char *)data->data;
3407 DEBUG(10, ("IP %s dropped\n", addr));
3409 if (!is_ipaddress(addr)) {
3412 * Some code sends us ip addresses with the /netmask
3415 slash = strchr(addr, '/');
3416 if (slash == NULL) {
3417 DEBUG(1, ("invalid msg_ip_dropped message: %s\n",
3421 freeit = talloc_strndup(talloc_tos(), addr, slash-addr);
3422 if (freeit == NULL) {
3423 DEBUG(1, ("talloc failed\n"));
3427 DEBUG(10, ("Stripped /netmask to IP %s\n", addr));
3430 for (domain = domain_list(); domain != NULL; domain = domain->next) {
3431 char sockaddr[INET6_ADDRSTRLEN];
3433 if (!cli_state_is_connected(domain->conn.cli)) {
3437 print_sockaddr(sockaddr, sizeof(sockaddr),
3438 smbXcli_conn_local_sockaddr(domain->conn.cli->conn));
3440 if (strequal(sockaddr, addr)) {
3441 smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
3444 TALLOC_FREE(freeit);
3447 void winbind_msg_disconnect_dc(struct messaging_context *msg_ctx,
3450 struct server_id server_id,
3453 struct winbindd_domain *domain;
3455 for (domain = domain_list(); domain; domain = domain->next) {
3456 if (domain->internal) {
3459 invalidate_cm_connection(domain);
git.samba.org / samba.git / blob