s3: Add "smbcontrol winbindd ip-dropped <local-ip>"

[metze/samba/wip.git] / source3 / winbindd / winbindd_cm.c
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c

index ed0a33a5f22cc9610734551616716d6f0d15c27f..ece68f1a1d3f55f0fbf16649792883e83ce2d8d9 100644 (file)
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -174,9 +174,6 @@ static bool fork_child_dc_connect(struct winbindd_domain *domain)
         pid_t parent_pid = sys_getpid();
         char *lfile = NULL;
  
-       /* Stop zombies */
-       CatchChild();
-
         if (domain->dc_probe_pid != (pid_t)-1) {
                 /*
                  * We might already have a DC probe
@@ -856,7 +853,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
                                                               machine_krb5_principal, 
                                                               machine_password,
                                                               lp_workgroup(),
-                                                             domain->name);
+                                                             domain->alt_name);
  
                         if (!ADS_ERR_OK(ads_status)) {
                                 DEBUG(4,("failed kerberos session setup with %s\n",
@@ -1551,6 +1548,14 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
                 }
         }
  
+       if (conn->lsa_pipe_tcp != NULL) {
+               TALLOC_FREE(conn->lsa_pipe_tcp);
+               /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+               if (conn->cli) {
+                       cli_set_timeout(conn->cli, 500);
+               }
+       }
+
         if (conn->netlogon_pipe != NULL) {
                 TALLOC_FREE(conn->netlogon_pipe);
                 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
@@ -1584,21 +1589,11 @@ void close_conns_after_fork(void)
  
  static bool connection_ok(struct winbindd_domain *domain)
  {
-       if (domain->conn.cli == NULL) {
-               DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL "
-                         "cli!\n", domain->dcname, domain->name));
-               return False;
-       }
-
-       if (!domain->conn.cli->initialised) {
-               DEBUG(3, ("connection_ok: Connection to %s for domain %s was never "
-                         "initialised!\n", domain->dcname, domain->name));
-               return False;
-       }
+       bool ok;
  
-       if (domain->conn.cli->fd == -1) {
-               DEBUG(3, ("connection_ok: Connection to %s for domain %s has died or was "
-                         "never started (fd == -1)\n", 
+       ok = cli_state_is_connected(domain->conn.cli);
+       if (!ok) {
+               DEBUG(3, ("connection_ok: Connection to %s for domain %s is not connected\n",
                           domain->dcname, domain->name));
                 return False;
         }
@@ -1624,6 +1619,12 @@ static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
                 return NT_STATUS_OK;
         }
  
+       if (!winbindd_can_contact_domain(domain)) {
+               invalidate_cm_connection(&domain->conn);
+               domain->initialized = True;
+               return NT_STATUS_OK;
+       }
+
         if (connection_ok(domain)) {
                 if (!domain->initialized) {
                         set_dc_type_and_flags(domain);
@@ -1652,6 +1653,23 @@ NTSTATUS init_dc_connection(struct winbindd_domain *domain)
         return init_dc_connection_network(domain);
  }
  
+static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain)
+{
+       NTSTATUS status;
+
+       status = init_dc_connection(domain);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       if (!domain->internal && domain->conn.cli == NULL) {
+               /* happens for trusted domains without inbound trust */
+               return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
+       }
+
+       return NT_STATUS_OK;
+}
+
  /******************************************************************************
   Set the trust flags (direction and forest location) for a domain
  ******************************************************************************/
@@ -1747,9 +1765,6 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
  
                         domain->initialized = True;
  
-                       if ( !winbindd_can_contact_domain( domain) )
-                               domain->internal = True;
-
                         break;
                 }               
         }
@@ -1851,7 +1866,7 @@ no_dssetup:
         }
  
         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
-                                        SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
+                                        SEC_FLAG_MAXIMUM_ALLOWED, &pol);
  
         if (NT_STATUS_IS_OK(result)) {
                 /* This particular query is exactly what Win2k clients use 
@@ -1893,7 +1908,7 @@ no_dssetup:
                 domain->active_directory = False;
  
                 result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
-                                               SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                               SEC_FLAG_MAXIMUM_ALLOWED,
                                                 &pol);
  
                 if (!NT_STATUS_IS_OK(result)) {
@@ -1925,6 +1940,8 @@ done:
         DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
                   domain->name, domain->active_directory ? "" : "NOT "));
  
+       domain->can_do_ncacn_ip_tcp = domain->active_directory;
+
         TALLOC_FREE(cli);
  
         TALLOC_FREE(mem_ctx);
@@ -1999,17 +2016,18 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
         char *machine_account = NULL;
         char *domain_name = NULL;
  
-       result = init_dc_connection(domain);
+       result = init_dc_connection_rpc(domain);
         if (!NT_STATUS_IS_OK(result)) {
                 return result;
         }
  
         conn = &domain->conn;
  
-       if (conn->samr_pipe != NULL) {
+       if (rpccli_is_connected(conn->samr_pipe)) {
                 goto done;
         }
  
+       TALLOC_FREE(conn->samr_pipe);
  
         /*
          * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
@@ -2045,6 +2063,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
            authenticated SAMR pipe with sign & seal. */
         result = cli_rpc_pipe_open_spnego_ntlmssp(conn->cli,
                                                   &ndr_table_samr.syntax_id,
+                                                 NCACN_NP,
                                                   PIPE_AUTH_LEVEL_PRIVACY,
                                                   domain_name,
                                                   machine_account,
@@ -2067,7 +2086,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
  
         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
                                       conn->samr_pipe->desthost,
-                                     SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                     SEC_FLAG_MAXIMUM_ALLOWED,
                                       &conn->sam_connect_handle);
         if (NT_STATUS_IS_OK(result)) {
                 goto open_domain;
@@ -2088,7 +2107,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
                 goto anonymous;
         }
         result = cli_rpc_pipe_open_schannel_with_key
-               (conn->cli, &ndr_table_samr.syntax_id, PIPE_AUTH_LEVEL_PRIVACY,
+               (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
+               PIPE_AUTH_LEVEL_PRIVACY,
                  domain->name, p_dcinfo, &conn->samr_pipe);
  
         if (!NT_STATUS_IS_OK(result)) {
@@ -2102,7 +2122,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
  
         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
                                       conn->samr_pipe->desthost,
-                                     SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                     SEC_FLAG_MAXIMUM_ALLOWED,
                                       &conn->sam_connect_handle);
         if (NT_STATUS_IS_OK(result)) {
                 goto open_domain;
@@ -2124,7 +2144,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
  
         result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,
                                       conn->samr_pipe->desthost,
-                                     SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                     SEC_FLAG_MAXIMUM_ALLOWED,
                                       &conn->sam_connect_handle);
         if (!NT_STATUS_IS_OK(result)) {
                 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
@@ -2137,13 +2157,24 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
         result = rpccli_samr_OpenDomain(conn->samr_pipe,
                                         mem_ctx,
                                         &conn->sam_connect_handle,
-                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                       SEC_FLAG_MAXIMUM_ALLOWED,
                                         &domain->sid,
                                         &conn->sam_domain_handle);
  
   done:
  
-       if (!NT_STATUS_IS_OK(result)) {
+       if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
+               /*
+                * if we got access denied, we might just have no access rights
+                * to talk to the remote samr server server (e.g. when we are a
+                * PDC and we are connecting a w2k8 pdc via an interdomain
+                * trust). In that case do not invalidate the whole connection
+                * stack
+                */
+               TALLOC_FREE(conn->samr_pipe);
+               ZERO_STRUCT(conn->sam_domain_handle);
+               return result;
+       } else if (!NT_STATUS_IS_OK(result)) {
                 invalidate_cm_connection(conn);
                 return result;
         }
@@ -2155,6 +2186,58 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
         return result;
  }
  
+/**********************************************************************
+ open an schanneld ncacn_ip_tcp connection to LSA
+***********************************************************************/
+
+NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
+                           TALLOC_CTX *mem_ctx,
+                           struct rpc_pipe_client **cli)
+{
+       struct winbindd_cm_conn *conn;
+       NTSTATUS status;
+
+       DEBUG(10,("cm_connect_lsa_tcp\n"));
+
+       status = init_dc_connection_rpc(domain);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       conn = &domain->conn;
+
+       if (conn->lsa_pipe_tcp &&
+           conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
+           conn->lsa_pipe_tcp->auth->auth_level == PIPE_AUTH_LEVEL_PRIVACY &&
+           rpccli_is_connected(conn->lsa_pipe_tcp)) {
+               goto done;
+       }
+
+       TALLOC_FREE(conn->lsa_pipe_tcp);
+
+       status = cli_rpc_pipe_open_schannel(conn->cli,
+                                           &ndr_table_lsarpc.syntax_id,
+                                           NCACN_IP_TCP,
+                                           PIPE_AUTH_LEVEL_PRIVACY,
+                                           domain->name,
+                                           &conn->lsa_pipe_tcp);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n",
+                       nt_errstr(status)));
+               goto done;
+       }
+
+ done:
+       if (!NT_STATUS_IS_OK(status)) {
+               TALLOC_FREE(conn->lsa_pipe_tcp);
+               return status;
+       }
+
+       *cli = conn->lsa_pipe_tcp;
+
+       return status;
+}
+
  NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
                         struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
  {
@@ -2162,16 +2245,18 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
         struct dcinfo *p_dcinfo;
  
-       result = init_dc_connection(domain);
+       result = init_dc_connection_rpc(domain);
         if (!NT_STATUS_IS_OK(result))
                 return result;
  
         conn = &domain->conn;
  
-       if (conn->lsa_pipe != NULL) {
+       if (rpccli_is_connected(conn->lsa_pipe)) {
                 goto done;
         }
  
+       TALLOC_FREE(conn->lsa_pipe);
+
         if ((conn->cli->user_name[0] == '\0') ||
             (conn->cli->domain[0] == '\0') || 
             (conn->cli->password == NULL || conn->cli->password[0] == '\0')) {
@@ -2183,7 +2268,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
         /* We have an authenticated connection. Use a NTLMSSP SPNEGO
          * authenticated LSA pipe with sign & seal. */
         result = cli_rpc_pipe_open_spnego_ntlmssp
-               (conn->cli, &ndr_table_lsarpc.syntax_id,
+               (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
                  PIPE_AUTH_LEVEL_PRIVACY,
                  conn->cli->domain, conn->cli->user_name, conn->cli->password,
                  &conn->lsa_pipe);
@@ -2202,7 +2287,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
                   domain->name, conn->cli->domain, conn->cli->user_name ));
  
         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
-                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                       SEC_FLAG_MAXIMUM_ALLOWED,
                                         &conn->lsa_policy);
         if (NT_STATUS_IS_OK(result)) {
                 goto done;
@@ -2224,7 +2309,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
                 goto anonymous;
         }
         result = cli_rpc_pipe_open_schannel_with_key
-               (conn->cli, &ndr_table_lsarpc.syntax_id,
+               (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
                  PIPE_AUTH_LEVEL_PRIVACY,
                  domain->name, p_dcinfo, &conn->lsa_pipe);
  
@@ -2238,7 +2323,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
                   "schannel.\n", domain->name ));
  
         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
-                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                       SEC_FLAG_MAXIMUM_ALLOWED,
                                         &conn->lsa_policy);
         if (NT_STATUS_IS_OK(result)) {
                 goto done;
@@ -2260,7 +2345,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
         }
  
         result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
-                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                       SEC_FLAG_MAXIMUM_ALLOWED,
                                         &conn->lsa_policy);
   done:
         if (!NT_STATUS_IS_OK(result)) {
@@ -2292,18 +2377,20 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
  
         *cli = NULL;
  
-       result = init_dc_connection(domain);
+       result = init_dc_connection_rpc(domain);
         if (!NT_STATUS_IS_OK(result)) {
                 return result;
         }
  
         conn = &domain->conn;
  
-       if (conn->netlogon_pipe != NULL) {
+       if (rpccli_is_connected(conn->netlogon_pipe)) {
                 *cli = conn->netlogon_pipe;
                 return NT_STATUS_OK;
         }
  
+       TALLOC_FREE(conn->netlogon_pipe);
+
         result = cli_rpc_pipe_open_noauth(conn->cli,
                                           &ndr_table_netlogon.syntax_id,
                                           &netlogon_pipe);
@@ -2371,7 +2458,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
         */
  
         result = cli_rpc_pipe_open_schannel_with_key(
-               conn->cli, &ndr_table_netlogon.syntax_id,
+               conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
                 PIPE_AUTH_LEVEL_PRIVACY, domain->name, netlogon_pipe->dc,
                 &conn->netlogon_pipe);
  
@@ -2382,15 +2469,72 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
                           "was %s\n", nt_errstr(result)));
  
-               /* make sure we return something besides OK */
-               return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
+               invalidate_cm_connection(conn);
+               return result;
         }
  
         /*
-        * Try NetSamLogonEx for AD domains
+        * Always try netr_LogonSamLogonEx. We will fall back for NT4
+        * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
+        * supported). We used to only try SamLogonEx for AD, but
+        * Samba DCs can also do it. And because we don't distinguish
+        * between Samba and NT4, always try it once.
          */
-       domain->can_do_samlogon_ex = domain->active_directory;
+       domain->can_do_samlogon_ex = true;
  
         *cli = conn->netlogon_pipe;
         return NT_STATUS_OK;
  }
+
+void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
+                           void *private_data,
+                           uint32_t msg_type,
+                           struct server_id server_id,
+                           DATA_BLOB *data)
+{
+       struct winbindd_domain *domain;
+
+       if ((data == NULL)
+           || (data->data == NULL)
+           || (data->length == 0)
+           || (data->data[data->length-1] != '\0')
+           || !is_ipaddress((char *)data->data)) {
+               DEBUG(1, ("invalid msg_ip_dropped message\n"));
+               return;
+       }
+       for (domain = domain_list(); domain != NULL; domain = domain->next) {
+               char sockaddr[INET6_ADDRSTRLEN];
+               if (domain->conn.cli == NULL) {
+                       continue;
+               }
+               if (domain->conn.cli->fd == -1) {
+                       continue;
+               }
+               client_socket_addr(domain->conn.cli->fd, sockaddr,
+                                  sizeof(sockaddr));
+               if (strequal(sockaddr, (char *)data->data)) {
+                       close(domain->conn.cli->fd);
+                       domain->conn.cli->fd = -1;
+               }
+       }
+}
+
+extern struct winbindd_child *children;
+
+void winbind_msg_ip_dropped_parent(struct messaging_context *msg_ctx,
+                                  void *private_data,
+                                  uint32_t msg_type,
+                                  struct server_id server_id,
+                                  DATA_BLOB *data)
+{
+       struct winbindd_child *child;
+
+       winbind_msg_ip_dropped(msg_ctx, private_data, msg_type,
+                              server_id, data);
+
+
+       for (child = children; child != NULL; child = child->next) {
+               messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
+                                  msg_type, data->data, data->length);
+       }
+}