#include "includes.h"
#include "winbindd/winbindd.h"
#include "winbindd/winbindd_proto.h"
-#include "librpc/gen_ndr/srv_wbint.h"
-
-void _wbint_Ping(pipes_struct *p, struct wbint_Ping *r)
+#include "rpc_client/cli_pipe.h"
+#include "ntdomain.h"
+#include "librpc/gen_ndr/srv_winbind.h"
+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
+#include "../librpc/gen_ndr/ndr_lsa_c.h"
+#include "idmap.h"
+#include "../libcli/security/security.h"
+#include "../libcli/auth/netlogon_creds_cli.h"
+#include "passdb.h"
+#include "../source4/dsdb/samdb/samdb.h"
+
+void _wbint_Ping(struct pipes_struct *p, struct wbint_Ping *r)
{
*r->out.out_data = r->in.in_data;
}
-NTSTATUS _wbint_LookupSid(pipes_struct *p, struct wbint_LookupSid *r)
+static bool reset_cm_connection_on_error(struct winbindd_domain *domain,
+ NTSTATUS status)
+{
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
+ invalidate_cm_connection(domain);
+ /* We invalidated the connection. */
+ return true;
+ }
+ return false;
+}
+
+NTSTATUS _wbint_LookupSid(struct pipes_struct *p, struct wbint_LookupSid *r)
{
struct winbindd_domain *domain = wb_child_domain();
char *dom_name;
status = domain->methods->sid_to_name(domain, p->mem_ctx, r->in.sid,
&dom_name, &name, &type);
+ reset_cm_connection_on_error(domain, status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_OK;
}
-NTSTATUS _wbint_LookupName(pipes_struct *p, struct wbint_LookupName *r)
+NTSTATUS _wbint_LookupSids(struct pipes_struct *p, struct wbint_LookupSids *r)
{
struct winbindd_domain *domain = wb_child_domain();
+ struct lsa_RefDomainList *domains = r->out.domains;
+ NTSTATUS status;
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- return domain->methods->name_to_sid(
- domain, p->mem_ctx, r->in.domain, r->in.name, r->in.flags,
- r->out.sid, r->out.type);
+ /*
+ * This breaks the winbindd_domain->methods abstraction: This
+ * is only called for remote domains, and both winbindd_msrpc
+ * and winbindd_ad call into lsa_lookupsids anyway. Caching is
+ * done at the wbint RPC layer.
+ */
+ status = rpc_lookup_sids(p->mem_ctx, domain, r->in.sids,
+ &domains, &r->out.names);
+
+ if (domains != NULL) {
+ r->out.domains = domains;
+ }
+
+ reset_cm_connection_on_error(domain, status);
+ return status;
}
-NTSTATUS _wbint_Sid2Uid(pipes_struct *p, struct wbint_Sid2Uid *r)
+NTSTATUS _wbint_LookupName(struct pipes_struct *p, struct wbint_LookupName *r)
{
- uid_t uid;
+ struct winbindd_domain *domain = wb_child_domain();
NTSTATUS status;
- status = idmap_sid_to_uid(r->in.dom_name ? r->in.dom_name : "",
- r->in.sid, &uid);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- *r->out.uid = uid;
- return NT_STATUS_OK;
+
+ status = domain->methods->name_to_sid(
+ domain, p->mem_ctx, r->in.domain, r->in.name, r->in.flags,
+ r->out.sid, r->out.type);
+ reset_cm_connection_on_error(domain, status);
+ return status;
}
-NTSTATUS _wbint_Sid2Gid(pipes_struct *p, struct wbint_Sid2Gid *r)
+NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p,
+ struct wbint_Sids2UnixIDs *r)
{
- gid_t gid;
- NTSTATUS status;
+ uint32_t i, j;
+ struct id_map *ids = NULL;
+ struct id_map **id_ptrs = NULL;
+ struct dom_sid *sids = NULL;
+ uint32_t *id_idx = NULL;
+ NTSTATUS status = NT_STATUS_NO_MEMORY;
+
+ for (i=0; i<r->in.domains->count; i++) {
+ struct lsa_DomainInfo *d = &r->in.domains->domains[i];
+ struct idmap_domain *dom;
+ uint32_t num_ids;
+
+ dom = idmap_find_domain_with_sid(d->name.string, d->sid);
+ if (dom == NULL) {
+ DEBUG(10, ("idmap domain %s:%s not found\n",
+ d->name.string, sid_string_dbg(d->sid)));
+ continue;
+ }
- status = idmap_sid_to_gid(r->in.dom_name ? r->in.dom_name : "",
- r->in.sid, &gid);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ num_ids = 0;
+
+ for (j=0; j<r->in.ids->num_ids; j++) {
+ if (r->in.ids->ids[j].domain_index == i) {
+ num_ids += 1;
+ }
+ }
+
+ ids = talloc_realloc(talloc_tos(), ids,
+ struct id_map, num_ids);
+ if (ids == NULL) {
+ goto nomem;
+ }
+ id_ptrs = talloc_realloc(talloc_tos(), id_ptrs,
+ struct id_map *, num_ids+1);
+ if (id_ptrs == NULL) {
+ goto nomem;
+ }
+ id_idx = talloc_realloc(talloc_tos(), id_idx,
+ uint32_t, num_ids);
+ if (id_idx == NULL) {
+ goto nomem;
+ }
+ sids = talloc_realloc(talloc_tos(), sids,
+ struct dom_sid, num_ids);
+ if (sids == NULL) {
+ goto nomem;
+ }
+
+ num_ids = 0;
+
+ /*
+ * Convert the input data into a list of
+ * id_map structs suitable for handing in
+ * to the idmap sids_to_unixids method.
+ */
+ for (j=0; j<r->in.ids->num_ids; j++) {
+ struct wbint_TransID *id = &r->in.ids->ids[j];
+
+ if (id->domain_index != i) {
+ continue;
+ }
+ id_idx[num_ids] = j;
+ id_ptrs[num_ids] = &ids[num_ids];
+
+ ids[num_ids].sid = &sids[num_ids];
+ sid_compose(ids[num_ids].sid, d->sid, id->rid);
+ ids[num_ids].xid.type = id->type;
+ ids[num_ids].status = ID_UNKNOWN;
+ num_ids += 1;
+ }
+ id_ptrs[num_ids] = NULL;
+
+ status = dom->methods->sids_to_unixids(dom, id_ptrs);
+ DEBUG(10, ("sids_to_unixids returned %s\n",
+ nt_errstr(status)));
+
+ /*
+ * Extract the results for handing them back to the caller.
+ */
+ for (j=0; j<num_ids; j++) {
+ struct wbint_TransID *id = &r->in.ids->ids[id_idx[j]];
+
+ if (ids[j].status != ID_MAPPED) {
+ id->xid.id = UINT32_MAX;
+ id->xid.type = ID_TYPE_NOT_SPECIFIED;
+ continue;
+ }
+
+ id->xid = ids[j].xid;
+ }
}
- *r->out.gid = gid;
- return NT_STATUS_OK;
+ status = NT_STATUS_OK;
+nomem:
+ TALLOC_FREE(ids);
+ TALLOC_FREE(id_ptrs);
+ TALLOC_FREE(id_idx);
+ TALLOC_FREE(sids);
+ return status;
}
-NTSTATUS _wbint_Uid2Sid(pipes_struct *p, struct wbint_Uid2Sid *r)
+NTSTATUS _wbint_Uid2Sid(struct pipes_struct *p, struct wbint_Uid2Sid *r)
{
- return idmap_uid_to_sid(r->in.dom_name ? r->in.dom_name : "",
- r->out.sid, r->in.uid);
+ return idmap_uid_to_sid(r->out.sid, r->in.uid);
}
-NTSTATUS _wbint_Gid2Sid(pipes_struct *p, struct wbint_Gid2Sid *r)
+NTSTATUS _wbint_Gid2Sid(struct pipes_struct *p, struct wbint_Gid2Sid *r)
{
- return idmap_gid_to_sid(r->in.dom_name ? r->in.dom_name : "",
- r->out.sid, r->in.gid);
+ return idmap_gid_to_sid(r->out.sid, r->in.gid);
}
-NTSTATUS _wbint_AllocateUid(pipes_struct *p, struct wbint_AllocateUid *r)
+NTSTATUS _wbint_AllocateUid(struct pipes_struct *p, struct wbint_AllocateUid *r)
{
struct unixid xid;
NTSTATUS status;
return NT_STATUS_OK;
}
-NTSTATUS _wbint_AllocateGid(pipes_struct *p, struct wbint_AllocateGid *r)
+NTSTATUS _wbint_AllocateGid(struct pipes_struct *p, struct wbint_AllocateGid *r)
{
struct unixid xid;
NTSTATUS status;
return NT_STATUS_OK;
}
-NTSTATUS _wbint_QueryUser(pipes_struct *p, struct wbint_QueryUser *r)
+NTSTATUS _wbint_QueryUser(struct pipes_struct *p, struct wbint_QueryUser *r)
{
struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS status;
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- return domain->methods->query_user(domain, p->mem_ctx, r->in.sid,
- r->out.info);
+ status = domain->methods->query_user(domain, p->mem_ctx, r->in.sid,
+ r->out.info);
+ reset_cm_connection_on_error(domain, status);
+ return status;
}
-NTSTATUS _wbint_LookupUserAliases(pipes_struct *p,
+NTSTATUS _wbint_LookupUserAliases(struct pipes_struct *p,
struct wbint_LookupUserAliases *r)
{
struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS status;
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- return domain->methods->lookup_useraliases(
+ status = domain->methods->lookup_useraliases(
domain, p->mem_ctx, r->in.sids->num_sids, r->in.sids->sids,
&r->out.rids->num_rids, &r->out.rids->rids);
+ reset_cm_connection_on_error(domain, status);
+ return status;
}
-NTSTATUS _wbint_LookupUserGroups(pipes_struct *p,
+NTSTATUS _wbint_LookupUserGroups(struct pipes_struct *p,
struct wbint_LookupUserGroups *r)
{
struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS status;
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- return domain->methods->lookup_usergroups(
+ status = domain->methods->lookup_usergroups(
domain, p->mem_ctx, r->in.sid,
&r->out.sids->num_sids, &r->out.sids->sids);
+ reset_cm_connection_on_error(domain, status);
+ return status;
}
-NTSTATUS _wbint_QuerySequenceNumber(pipes_struct *p,
+NTSTATUS _wbint_QuerySequenceNumber(struct pipes_struct *p,
struct wbint_QuerySequenceNumber *r)
{
struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS status;
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- return domain->methods->sequence_number(domain, r->out.sequence);
+ status = domain->methods->sequence_number(domain, r->out.sequence);
+ reset_cm_connection_on_error(domain, status);
+ return status;
}
-NTSTATUS _wbint_LookupGroupMembers(pipes_struct *p,
+NTSTATUS _wbint_LookupGroupMembers(struct pipes_struct *p,
struct wbint_LookupGroupMembers *r)
{
struct winbindd_domain *domain = wb_child_domain();
status = domain->methods->lookup_groupmem(
domain, p->mem_ctx, r->in.sid, r->in.type,
&num_names, &sid_mem, &names, &name_types);
+ reset_cm_connection_on_error(domain, status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_OK;
}
-NTSTATUS _wbint_QueryUserList(pipes_struct *p, struct wbint_QueryUserList *r)
+NTSTATUS _wbint_QueryUserList(struct pipes_struct *p,
+ struct wbint_QueryUserList *r)
{
struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS status;
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- return domain->methods->query_user_list(
+ status = domain->methods->query_user_list(
domain, p->mem_ctx, &r->out.users->num_userinfos,
&r->out.users->userinfos);
+ reset_cm_connection_on_error(domain, status);
+ return status;
}
-NTSTATUS _wbint_QueryGroupList(pipes_struct *p, struct wbint_QueryGroupList *r)
+NTSTATUS _wbint_QueryGroupList(struct pipes_struct *p,
+ struct wbint_QueryGroupList *r)
{
struct winbindd_domain *domain = wb_child_domain();
- uint32_t i, num_groups;
- struct acct_info *groups;
+ uint32_t i;
+ uint32_t num_local_groups = 0;
+ struct wb_acct_info *local_groups = NULL;
+ uint32_t num_dom_groups = 0;
+ struct wb_acct_info *dom_groups = NULL;
+ uint32_t ti = 0;
+ uint64_t num_total = 0;
struct wbint_Principal *result;
NTSTATUS status;
+ bool include_local_groups = false;
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
+ switch (lp_server_role()) {
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ if (domain->internal) {
+ /*
+ * we want to include local groups
+ * for BUILTIN and WORKGROUP
+ */
+ include_local_groups = true;
+ }
+ break;
+ default:
+ /*
+ * We might include local groups in more
+ * setups later, but that requires more work
+ * elsewhere.
+ */
+ break;
+ }
+
+ if (include_local_groups) {
+ status = domain->methods->enum_local_groups(domain, talloc_tos(),
+ &num_local_groups,
+ &local_groups);
+ reset_cm_connection_on_error(domain, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
status = domain->methods->enum_dom_groups(domain, talloc_tos(),
- &num_groups, &groups);
+ &num_dom_groups,
+ &dom_groups);
+ reset_cm_connection_on_error(domain, status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
+ num_total = num_local_groups + num_dom_groups;
+ if (num_total > UINT32_MAX) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
result = talloc_array(r->out.groups, struct wbint_Principal,
- num_groups);
+ num_total);
if (result == NULL) {
return NT_STATUS_NO_MEMORY;
}
- for (i=0; i<num_groups; i++) {
- sid_compose(&result[i].sid, &domain->sid, groups[i].rid);
- result[i].type = SID_NAME_DOM_GRP;
- result[i].name = talloc_strdup(result, groups[i].acct_name);
- if (result[i].name == NULL) {
+ for (i = 0; i < num_local_groups; i++) {
+ struct wb_acct_info *lg = &local_groups[i];
+ struct wbint_Principal *rg = &result[ti++];
+
+ sid_compose(&rg->sid, &domain->sid, lg->rid);
+ rg->type = SID_NAME_ALIAS;
+ rg->name = talloc_strdup(result, lg->acct_name);
+ if (rg->name == NULL) {
+ TALLOC_FREE(result);
+ TALLOC_FREE(dom_groups);
+ TALLOC_FREE(local_groups);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ num_local_groups = 0;
+ TALLOC_FREE(local_groups);
+
+ for (i = 0; i < num_dom_groups; i++) {
+ struct wb_acct_info *dg = &dom_groups[i];
+ struct wbint_Principal *rg = &result[ti++];
+
+ sid_compose(&rg->sid, &domain->sid, dg->rid);
+ rg->type = SID_NAME_DOM_GRP;
+ rg->name = talloc_strdup(result, dg->acct_name);
+ if (rg->name == NULL) {
TALLOC_FREE(result);
- TALLOC_FREE(groups);
+ TALLOC_FREE(dom_groups);
+ TALLOC_FREE(local_groups);
return NT_STATUS_NO_MEMORY;
}
}
+ num_dom_groups = 0;
+ TALLOC_FREE(dom_groups);
- r->out.groups->num_principals = num_groups;
+ r->out.groups->num_principals = ti;
r->out.groups->principals = result;
+
return NT_STATUS_OK;
}
-NTSTATUS _wbint_DsGetDcName(pipes_struct *p, struct wbint_DsGetDcName *r)
+NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName *r)
{
struct winbindd_domain *domain = wb_child_domain();
struct rpc_pipe_client *netlogon_pipe;
NTSTATUS status;
WERROR werr;
unsigned int orig_timeout;
+ struct dcerpc_binding_handle *b;
if (domain == NULL) {
return dsgetdcname(p->mem_ctx, winbind_messaging_context(),
status = cm_connect_netlogon(domain, &netlogon_pipe);
+ reset_cm_connection_on_error(domain, status);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Can't contact the NETLOGON pipe\n"));
return status;
}
+ b = netlogon_pipe->binding_handle;
+
/* This call can take a long time - allow the server to time out.
35 seconds should do it. */
orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
if (domain->active_directory) {
- status = rpccli_netr_DsRGetDCName(
- netlogon_pipe, p->mem_ctx, domain->dcname,
+ status = dcerpc_netr_DsRGetDCName(b,
+ p->mem_ctx, domain->dcname,
r->in.domain_name, NULL, r->in.domain_guid,
r->in.flags, r->out.dc_info, &werr);
if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) {
goto done;
}
+ if (reset_cm_connection_on_error(domain, status)) {
+ /* Re-initialize. */
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+
+ reset_cm_connection_on_error(domain, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("Can't contact the NETLOGON pipe\n"));
+ return status;
+ }
+
+ b = netlogon_pipe->binding_handle;
+
+ /* This call can take a long time - allow the server to time out.
+ 35 seconds should do it. */
+
+ orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
+ }
}
/*
}
if (r->in.flags & DS_PDC_REQUIRED) {
- status = rpccli_netr_GetDcName(
- netlogon_pipe, p->mem_ctx, domain->dcname,
+ status = dcerpc_netr_GetDcName(b,
+ p->mem_ctx, domain->dcname,
r->in.domain_name, &dc_info->dc_unc, &werr);
} else {
- status = rpccli_netr_GetAnyDCName(
- netlogon_pipe, p->mem_ctx, domain->dcname,
+ status = dcerpc_netr_GetAnyDCName(b,
+ p->mem_ctx, domain->dcname,
r->in.domain_name, &dc_info->dc_unc, &werr);
}
+ reset_cm_connection_on_error(domain, status);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("rpccli_netr_Get[Any]DCName failed: %s\n",
+ DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n",
nt_errstr(status)));
goto done;
}
if (!W_ERROR_IS_OK(werr)) {
- DEBUG(10, ("rpccli_netr_Get[Any]DCName failed: %s\n",
+ DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n",
win_errstr(werr)));
status = werror_to_ntstatus(werr);
goto done;
return status;
}
-NTSTATUS _wbint_LookupRids(pipes_struct *p, struct wbint_LookupRids *r)
+NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r)
{
struct winbindd_domain *domain = wb_child_domain();
char *domain_name;
}
status = domain->methods->rids_to_names(
- domain, talloc_tos(), &domain->sid, r->in.rids->rids,
+ domain, talloc_tos(), r->in.domain_sid, r->in.rids->rids,
r->in.rids->num_rids, &domain_name, &names, &types);
+ reset_cm_connection_on_error(domain, status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
+ *r->out.domain_name = talloc_move(r->out.domain_name, &domain_name);
+
result = talloc_array(p->mem_ctx, struct wbint_Principal,
r->in.rids->num_rids);
if (result == NULL) {
}
for (i=0; i<r->in.rids->num_rids; i++) {
- sid_compose(&result[i].sid, &domain->sid, r->in.rids->rids[i]);
+ sid_compose(&result[i].sid, r->in.domain_sid,
+ r->in.rids->rids[i]);
result[i].type = types[i];
result[i].name = talloc_move(result, &names[i]);
}
return NT_STATUS_OK;
}
-NTSTATUS _wbint_CheckMachineAccount(pipes_struct *p,
+NTSTATUS _wbint_CheckMachineAccount(struct pipes_struct *p,
struct wbint_CheckMachineAccount *r)
{
struct winbindd_domain *domain;
int num_retries = 0;
NTSTATUS status;
-again:
domain = wb_child_domain();
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- invalidate_cm_connection(&domain->conn);
+again:
+ invalidate_cm_connection(domain);
+ domain->conn.netlogon_force_reauth = true;
{
struct rpc_pipe_client *netlogon_pipe;
return status;
}
-NTSTATUS _wbint_ChangeMachineAccount(pipes_struct *p,
+NTSTATUS _wbint_ChangeMachineAccount(struct pipes_struct *p,
struct wbint_ChangeMachineAccount *r)
{
+ struct messaging_context *msg_ctx = winbind_messaging_context();
struct winbindd_domain *domain;
- int num_retries = 0;
NTSTATUS status;
struct rpc_pipe_client *netlogon_pipe;
- TALLOC_CTX *tmp_ctx;
-again:
domain = wb_child_domain();
if (domain == NULL) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- invalidate_cm_connection(&domain->conn);
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+ goto done;
+ }
- {
- status = cm_connect_netlogon(domain, &netlogon_pipe);
+ status = trust_pw_change(domain->conn.netlogon_creds,
+ msg_ctx,
+ netlogon_pipe->binding_handle,
+ domain->name,
+ true); /* force */
+
+ /* Pass back result code - zero for success, other values for
+ specific failures. */
+
+ DEBUG(3,("domain %s secret %s\n", domain->name,
+ NT_STATUS_IS_OK(status) ? "changed" : "unchanged"));
+
+ done:
+ DEBUG(NT_STATUS_IS_OK(status) ? 5 : 2,
+ ("Changing the trust account password for domain %s returned %s\n",
+ domain->name, nt_errstr(status)));
+
+ return status;
+}
+
+NTSTATUS _wbint_PingDc(struct pipes_struct *p, struct wbint_PingDc *r)
+{
+ NTSTATUS status;
+ struct winbindd_domain *domain;
+ struct rpc_pipe_client *netlogon_pipe;
+ union netr_CONTROL_QUERY_INFORMATION info;
+ WERROR werr;
+ fstring logon_server;
+ struct dcerpc_binding_handle *b;
+ bool retry = false;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- /* There is a race condition between fetching the trust account
- password and the periodic machine password change. So it's
- possible that the trust account password has been changed on us.
- We are returned NT_STATUS_ACCESS_DENIED if this happens. */
+reconnect:
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ reset_cm_connection_on_error(domain, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
-#define MAX_RETRIES 3
+ b = netlogon_pipe->binding_handle;
+
+ fstr_sprintf(logon_server, "\\\\%s", domain->dcname);
+ *r->out.dcname = talloc_strdup(p->mem_ctx, domain->dcname);
+ if (*r->out.dcname == NULL) {
+ DEBUG(2, ("Could not allocate memory\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /*
+ * This provokes a WERR_NOT_SUPPORTED error message. This is
+ * documented in the wspp docs. I could not get a successful
+ * call to work, but the main point here is testing that the
+ * netlogon pipe works.
+ */
+ status = dcerpc_netr_LogonControl(b, p->mem_ctx,
+ logon_server, NETLOGON_CONTROL_QUERY,
+ 2, &info, &werr);
+
+ if (!dcerpc_binding_handle_is_connected(b) && !retry) {
+ DEBUG(10, ("Session might have expired. "
+ "Reconnect and retry once.\n"));
+ invalidate_cm_connection(domain);
+ retry = true;
+ goto reconnect;
+ }
+
+ reset_cm_connection_on_error(domain, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2, ("dcerpc_netr_LogonControl failed: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ if (!W_ERROR_EQUAL(werr, WERR_NOT_SUPPORTED)) {
+ DEBUG(2, ("dcerpc_netr_LogonControl returned %s, expected "
+ "WERR_NOT_SUPPORTED\n",
+ win_errstr(werr)));
+ return werror_to_ntstatus(werr);
+ }
+
+ DEBUG(5, ("winbindd_dual_ping_dc succeeded\n"));
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _winbind_DsrUpdateReadOnlyServerDnsRecords(struct pipes_struct *p,
+ struct winbind_DsrUpdateReadOnlyServerDnsRecords *r)
+{
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe;
- if ((num_retries < MAX_RETRIES)
- && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
- num_retries++;
- goto again;
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
goto done;
}
- tmp_ctx = talloc_new(p->mem_ctx);
-
- status = trust_pw_find_change_and_store_it(netlogon_pipe,
- tmp_ctx,
- domain->name);
- talloc_destroy(tmp_ctx);
+ status = netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords(domain->conn.netlogon_creds,
+ netlogon_pipe->binding_handle,
+ r->in.site_name,
+ r->in.dns_ttl,
+ r->in.dns_names);
/* Pass back result code - zero for success, other values for
specific failures. */
- DEBUG(3,("domain %s secret %s\n", domain->name,
+ DEBUG(3,("DNS records for domain %s %s\n", domain->name,
NT_STATUS_IS_OK(status) ? "changed" : "unchanged"));
done:
DEBUG(NT_STATUS_IS_OK(status) ? 5 : 2,
- ("Changing the trust account password for domain %s returned %s\n",
+ ("Update of DNS records via RW DC %s returned %s\n",
domain->name, nt_errstr(status)));
return status;
}
+NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
+ struct winbind_SamLogon *r)
+{
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+ DATA_BLOB lm_response, nt_response;
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ /* TODO: Handle interactive logons here */
+ if (r->in.validation_level != 3 ||
+ r->in.logon.network == NULL ||
+ (r->in.logon_level != NetlogonNetworkInformation
+ && r->in.logon_level != NetlogonNetworkTransitiveInformation)) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+
+ lm_response = data_blob_talloc(p->mem_ctx, r->in.logon.network->lm.data, r->in.logon.network->lm.length);
+ nt_response = data_blob_talloc(p->mem_ctx, r->in.logon.network->nt.data, r->in.logon.network->nt.length);
+
+ status = winbind_dual_SamLogon(domain, p->mem_ctx,
+ r->in.logon.network->identity_info.parameter_control,
+ r->in.logon.network->identity_info.account_name.string,
+ r->in.logon.network->identity_info.domain_name.string,
+ r->in.logon.network->identity_info.workstation.string,
+ r->in.logon.network->challenge,
+ lm_response, nt_response, &r->out.validation.sam3);
+ return status;
+}
-NTSTATUS _wbint_SetMapping(pipes_struct *p, struct wbint_SetMapping *r)
+static WERROR _winbind_LogonControl_REDISCOVER(struct pipes_struct *p,
+ struct winbindd_domain *domain,
+ struct winbind_LogonControl *r)
{
- struct id_map map;
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netr_NETLOGON_INFO_2 *info2 = NULL;
+ WERROR check_result = WERR_INTERNAL_ERROR;
- map.sid = r->in.sid;
- map.xid.id = r->in.id;
- map.status = ID_MAPPED;
+ info2 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_2);
+ if (info2 == NULL) {
+ return WERR_NOMEM;
+ }
- switch (r->in.type) {
- case WBINT_ID_TYPE_UID:
- map.xid.type = ID_TYPE_UID;
- break;
- case WBINT_ID_TYPE_GID:
- map.xid.type = ID_TYPE_GID;
- break;
- default:
- return NT_STATUS_INVALID_PARAMETER;
+ if (domain->internal) {
+ check_result = WERR_OK;
+ goto check_return;
+ }
+
+ /*
+ * For now we just force a reconnect
+ *
+ * TODO: take care of the optional '\dcname'
+ */
+ invalidate_cm_connection(domain);
+ domain->conn.netlogon_force_reauth = true;
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ reset_cm_connection_on_error(domain, status);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2, ("%s: domain[%s/%s] cm_connect_netlogon() returned %s\n",
+ __func__, domain->name, domain->alt_name,
+ nt_errstr(status)));
+ /*
+ * Here we return a top level error!
+ * This is different than TC_QUERY or TC_VERIFY.
+ */
+ return ntstatus_to_werror(status);
+ }
+ check_result = WERR_OK;
+
+check_return:
+ info2->pdc_connection_status = WERR_OK;
+ if (domain->dcname != NULL) {
+ info2->flags |= NETLOGON_HAS_IP;
+ info2->flags |= NETLOGON_HAS_TIMESERV;
+ info2->trusted_dc_name = talloc_asprintf(info2, "\\\\%s",
+ domain->dcname);
+ if (info2->trusted_dc_name == NULL) {
+ return WERR_NOMEM;
+ }
+ } else {
+ info2->trusted_dc_name = talloc_strdup(info2, "");
+ if (info2->trusted_dc_name == NULL) {
+ return WERR_NOMEM;
+ }
+ }
+ info2->tc_connection_status = check_result;
+
+ if (!W_ERROR_IS_OK(info2->pdc_connection_status)) {
+ DEBUG(2, ("%s: domain[%s/%s] dcname[%s] "
+ "pdc_connection[%s] tc_connection[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname,
+ win_errstr(info2->pdc_connection_status),
+ win_errstr(info2->tc_connection_status)));
}
- return idmap_set_mapping(&map);
+ r->out.query->info2 = info2;
+
+ DEBUG(5, ("%s: succeeded.\n", __func__));
+ return WERR_OK;
}
-NTSTATUS _wbint_RemoveMapping(pipes_struct *p, struct wbint_RemoveMapping *r)
+static WERROR _winbind_LogonControl_TC_QUERY(struct pipes_struct *p,
+ struct winbindd_domain *domain,
+ struct winbind_LogonControl *r)
{
- struct id_map map;
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netr_NETLOGON_INFO_2 *info2 = NULL;
+ WERROR check_result = WERR_INTERNAL_ERROR;
- map.sid = r->in.sid;
- map.xid.id = r->in.id;
- map.status = ID_MAPPED;
+ info2 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_2);
+ if (info2 == NULL) {
+ return WERR_NOMEM;
+ }
- switch (r->in.type) {
- case WBINT_ID_TYPE_UID:
- map.xid.type = ID_TYPE_UID;
- break;
- case WBINT_ID_TYPE_GID:
- map.xid.type = ID_TYPE_GID;
- break;
- default:
- return NT_STATUS_INVALID_PARAMETER;
+ if (domain->internal) {
+ check_result = WERR_OK;
+ goto check_return;
}
- return idmap_remove_mapping(&map);
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ reset_cm_connection_on_error(domain, status);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n",
+ nt_errstr(status)));
+ check_result = ntstatus_to_werror(status);
+ goto check_return;
+ }
+ check_result = WERR_OK;
+
+check_return:
+ info2->pdc_connection_status = WERR_OK;
+ if (domain->dcname != NULL) {
+ info2->flags |= NETLOGON_HAS_IP;
+ info2->flags |= NETLOGON_HAS_TIMESERV;
+ info2->trusted_dc_name = talloc_asprintf(info2, "\\\\%s",
+ domain->dcname);
+ if (info2->trusted_dc_name == NULL) {
+ return WERR_NOMEM;
+ }
+ } else {
+ info2->trusted_dc_name = talloc_strdup(info2, "");
+ if (info2->trusted_dc_name == NULL) {
+ return WERR_NOMEM;
+ }
+ }
+ info2->tc_connection_status = check_result;
+
+ if (!W_ERROR_IS_OK(info2->pdc_connection_status)) {
+ DEBUG(2, ("%s: domain[%s/%s] dcname[%s] "
+ "pdc_connection[%s] tc_connection[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname,
+ win_errstr(info2->pdc_connection_status),
+ win_errstr(info2->tc_connection_status)));
+ }
+
+ r->out.query->info2 = info2;
+
+ DEBUG(5, ("%s: succeeded.\n", __func__));
+ return WERR_OK;
}
-NTSTATUS _wbint_SetHWM(pipes_struct *p, struct wbint_SetHWM *r)
+static WERROR _winbind_LogonControl_TC_VERIFY(struct pipes_struct *p,
+ struct winbindd_domain *domain,
+ struct winbind_LogonControl *r)
{
- struct unixid id;
+ TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status;
+ NTSTATUS result;
+ struct lsa_String trusted_domain_name = {};
+ struct lsa_StringLarge trusted_domain_name_l = {};
+ struct rpc_pipe_client *local_lsa_pipe = NULL;
+ struct policy_handle local_lsa_policy = {};
+ struct dcerpc_binding_handle *local_lsa = NULL;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct cli_credentials *creds = NULL;
+ struct samr_Password *cur_nt_hash = NULL;
+ uint32_t trust_attributes = 0;
+ struct samr_Password new_owf_password = {};
+ int cmp_new = -1;
+ struct samr_Password old_owf_password = {};
+ int cmp_old = -1;
+ const struct lsa_TrustDomainInfoInfoEx *local_tdo = NULL;
+ bool fetch_fti = false;
+ struct lsa_ForestTrustInformation *new_fti = NULL;
+ struct netr_TrustInfo *trust_info = NULL;
+ struct netr_NETLOGON_INFO_2 *info2 = NULL;
+ struct dcerpc_binding_handle *b = NULL;
+ WERROR check_result = WERR_INTERNAL_ERROR;
+ WERROR verify_result = WERR_INTERNAL_ERROR;
+ bool retry = false;
+
+ trusted_domain_name.string = domain->name;
+ trusted_domain_name_l.string = domain->name;
+
+ info2 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_2);
+ if (info2 == NULL) {
+ TALLOC_FREE(frame);
+ return WERR_NOMEM;
+ }
- id.id = r->in.id;
+ if (domain->internal) {
+ check_result = WERR_OK;
+ goto check_return;
+ }
- switch (id.type) {
- case WBINT_ID_TYPE_UID:
- id.type = ID_TYPE_UID;
- status = idmap_set_uid_hwm(&id);
- break;
- case ID_TYPE_GID:
- id.type = ID_TYPE_GID;
- status = idmap_set_gid_hwm(&id);
- break;
+ status = pdb_get_trust_credentials(domain->name,
+ domain->alt_name,
+ frame,
+ &creds);
+ if (NT_STATUS_IS_OK(status)) {
+ cur_nt_hash = cli_credentials_get_nt_hash(creds, frame);
+ TALLOC_FREE(creds);
+ }
+
+ if (!domain->primary) {
+ union lsa_TrustedDomainInfo *tdi = NULL;
+
+ status = open_internal_lsa_conn(frame, &local_lsa_pipe,
+ &local_lsa_policy);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: open_internal_lsa_conn() failed - %s\n",
+ __location__, __func__, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ local_lsa = local_lsa_pipe->binding_handle;
+
+ status = dcerpc_lsa_QueryTrustedDomainInfoByName(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name,
+ LSA_TRUSTED_DOMAIN_INFO_INFO_EX,
+ &tdi, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) failed - %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ DEBUG(1,("%s:%s: domain[%s] not found via LSA, might be removed already.\n",
+ __location__, __func__, domain->name));
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (tdi == NULL) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName() "
+ "returned no trusted domain information\n",
+ __location__, __func__));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+
+ local_tdo = &tdi->info_ex;
+ trust_attributes = local_tdo->trust_attributes;
+ }
+
+ if (trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+ struct lsa_ForestTrustInformation *old_fti = NULL;
+
+ status = dcerpc_lsa_lsaRQueryForestTrustInformation(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name,
+ LSA_FOREST_TRUST_DOMAIN_INFO,
+ &old_fti, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) failed %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_FOUND)) {
+ DEBUG(2,("%s: no forest trust information available for domain[%s] yet.\n",
+ __func__, domain->name));
+ old_fti = NULL;
+ fetch_fti = true;
+ result = NT_STATUS_OK;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+
+ TALLOC_FREE(old_fti);
+ }
+
+reconnect:
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ reset_cm_connection_on_error(domain, status);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n",
+ nt_errstr(status)));
+ check_result = ntstatus_to_werror(status);
+ goto check_return;
+ }
+ check_result = WERR_OK;
+ b = netlogon_pipe->binding_handle;
+
+ if (cur_nt_hash == NULL) {
+ verify_result = WERR_NO_TRUST_LSA_SECRET;
+ goto verify_return;
+ }
+
+ if (fetch_fti) {
+ status = netlogon_creds_cli_GetForestTrustInformation(domain->conn.netlogon_creds,
+ b, frame,
+ &new_fti);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+ status = NT_STATUS_NOT_SUPPORTED;
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ new_fti = NULL;
+ status = NT_STATUS_OK;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ if (!retry && dcerpc_binding_handle_is_connected(b)) {
+ invalidate_cm_connection(domain);
+ retry = true;
+ goto reconnect;
+ }
+ DEBUG(2, ("netlogon_creds_cli_GetForestTrustInformation(%s)"
+ "failed: %s\n",
+ domain->name, nt_errstr(status)));
+ check_result = ntstatus_to_werror(status);
+ goto check_return;
+ }
+ }
+
+ if (new_fti != NULL) {
+ struct lsa_ForestTrustInformation old_fti = {};
+ struct lsa_ForestTrustInformation *merged_fti = NULL;
+ struct lsa_ForestTrustCollisionInfo *collision_info = NULL;
+
+ status = dsdb_trust_merge_forest_info(frame, local_tdo,
+ &old_fti, new_fti,
+ &merged_fti);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: dsdb_trust_merge_forest_info(%s) failed %s\n",
+ __location__, __func__,
+ domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(status);
+ }
+
+ status = dcerpc_lsa_lsaRSetForestTrustInformation(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name_l,
+ LSA_FOREST_TRUST_DOMAIN_INFO,
+ merged_fti,
+ 0, /* check_only=0 => store it! */
+ &collision_info,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRSetForestTrustInformation(%s) failed %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRSetForestTrustInformation(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(result);
+ }
+ }
+
+ status = netlogon_creds_cli_ServerGetTrustInfo(domain->conn.netlogon_creds,
+ b, frame,
+ &new_owf_password,
+ &old_owf_password,
+ &trust_info);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+ status = NT_STATUS_NOT_SUPPORTED;
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ DEBUG(5, ("netlogon_creds_cli_ServerGetTrustInfo failed: %s\n",
+ nt_errstr(status)));
+ verify_result = WERR_OK;
+ goto verify_return;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ if (!retry && dcerpc_binding_handle_is_connected(b)) {
+ invalidate_cm_connection(domain);
+ retry = true;
+ goto reconnect;
+ }
+ DEBUG(2, ("netlogon_creds_cli_ServerGetTrustInfo failed: %s\n",
+ nt_errstr(status)));
+
+ if (!dcerpc_binding_handle_is_connected(b)) {
+ check_result = ntstatus_to_werror(status);
+ goto check_return;
+ } else {
+ verify_result = ntstatus_to_werror(status);
+ goto verify_return;
+ }
+ }
+
+ if (trust_info != NULL && trust_info->count >= 1) {
+ uint32_t diff = trust_info->data[0] ^ trust_attributes;
+
+ if (diff & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+ verify_result = WERR_DOMAIN_TRUST_INCONSISTENT;
+ goto verify_return;
+ }
+ }
+
+ cmp_new = memcmp(new_owf_password.hash,
+ cur_nt_hash->hash,
+ sizeof(cur_nt_hash->hash));
+ cmp_old = memcmp(old_owf_password.hash,
+ cur_nt_hash->hash,
+ sizeof(cur_nt_hash->hash));
+ if (cmp_new != 0 && cmp_old != 0) {
+ DEBUG(1,("%s:Error: credentials for domain[%s/%s] doesn't match "
+ "any password known to dcname[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname));
+ verify_result = WERR_WRONG_PASSWORD;
+ goto verify_return;
+ }
+
+ if (cmp_new != 0) {
+ DEBUG(2,("%s:Warning: credentials for domain[%s/%s] only match "
+ "against the old password known to dcname[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname));
+ }
+
+ verify_result = WERR_OK;
+ goto verify_return;
+
+check_return:
+ verify_result = check_result;
+verify_return:
+ info2->flags |= NETLOGON_VERIFY_STATUS_RETURNED;
+ info2->pdc_connection_status = verify_result;
+ if (domain->dcname != NULL) {
+ info2->flags |= NETLOGON_HAS_IP;
+ info2->flags |= NETLOGON_HAS_TIMESERV;
+ info2->trusted_dc_name = talloc_asprintf(info2, "\\\\%s",
+ domain->dcname);
+ if (info2->trusted_dc_name == NULL) {
+ TALLOC_FREE(frame);
+ return WERR_NOMEM;
+ }
+ } else {
+ info2->trusted_dc_name = talloc_strdup(info2, "");
+ if (info2->trusted_dc_name == NULL) {
+ TALLOC_FREE(frame);
+ return WERR_NOMEM;
+ }
+ }
+ info2->tc_connection_status = check_result;
+
+ if (!W_ERROR_IS_OK(info2->pdc_connection_status)) {
+ DEBUG(2, ("%s: domain[%s/%s] dcname[%s] "
+ "pdc_connection[%s] tc_connection[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname,
+ win_errstr(info2->pdc_connection_status),
+ win_errstr(info2->tc_connection_status)));
+ }
+
+ r->out.query->info2 = info2;
+
+ DEBUG(5, ("%s: succeeded.\n", __func__));
+ TALLOC_FREE(frame);
+ return WERR_OK;
+}
+
+static WERROR _winbind_LogonControl_CHANGE_PASSWORD(struct pipes_struct *p,
+ struct winbindd_domain *domain,
+ struct winbind_LogonControl *r)
+{
+ struct messaging_context *msg_ctx = winbind_messaging_context();
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe;
+ struct cli_credentials *creds = NULL;
+ struct samr_Password *cur_nt_hash = NULL;
+ struct netr_NETLOGON_INFO_1 *info1 = NULL;
+ struct dcerpc_binding_handle *b;
+ WERROR change_result = WERR_OK;
+ bool retry = false;
+
+ info1 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_1);
+ if (info1 == NULL) {
+ return WERR_NOMEM;
+ }
+
+ if (domain->internal) {
+ return WERR_NOT_SUPPORTED;
+ }
+
+ status = pdb_get_trust_credentials(domain->name,
+ domain->alt_name,
+ p->mem_ctx,
+ &creds);
+ if (NT_STATUS_IS_OK(status)) {
+ cur_nt_hash = cli_credentials_get_nt_hash(creds, p->mem_ctx);
+ TALLOC_FREE(creds);
+ }
+
+reconnect:
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ reset_cm_connection_on_error(domain, status);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2, ("%s: domain[%s/%s] cm_connect_netlogon() returned %s\n",
+ __func__, domain->name, domain->alt_name,
+ nt_errstr(status)));
+ /*
+ * Here we return a top level error!
+ * This is different than TC_QUERY or TC_VERIFY.
+ */
+ return ntstatus_to_werror(status);
+ }
+ b = netlogon_pipe->binding_handle;
+
+ if (cur_nt_hash == NULL) {
+ change_result = WERR_NO_TRUST_LSA_SECRET;
+ goto change_return;
+ }
+ TALLOC_FREE(cur_nt_hash);
+
+ status = trust_pw_change(domain->conn.netlogon_creds,
+ msg_ctx, b, domain->name,
+ true); /* force */
+ if (!NT_STATUS_IS_OK(status)) {
+ if (!retry && dcerpc_binding_handle_is_connected(b)) {
+ invalidate_cm_connection(domain);
+ retry = true;
+ goto reconnect;
+ }
+
+ DEBUG(1, ("trust_pw_change(%s): %s\n",
+ domain->name, nt_errstr(status)));
+
+ change_result = ntstatus_to_werror(status);
+ goto change_return;
+ }
+
+ change_result = WERR_OK;
+
+change_return:
+ info1->pdc_connection_status = change_result;
+
+ if (!W_ERROR_IS_OK(info1->pdc_connection_status)) {
+ DEBUG(2, ("%s: domain[%s/%s] dcname[%s] "
+ "pdc_connection[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname,
+ win_errstr(info1->pdc_connection_status)));
+ }
+
+ r->out.query->info1 = info1;
+
+ DEBUG(5, ("%s: succeeded.\n", __func__));
+ return WERR_OK;
+}
+
+WERROR _winbind_LogonControl(struct pipes_struct *p,
+ struct winbind_LogonControl *r)
+{
+ struct winbindd_domain *domain;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ switch (r->in.function_code) {
+ case NETLOGON_CONTROL_REDISCOVER:
+ if (r->in.level != 2) {
+ return WERR_INVALID_PARAMETER;
+ }
+ return _winbind_LogonControl_REDISCOVER(p, domain, r);
+ case NETLOGON_CONTROL_TC_QUERY:
+ if (r->in.level != 2) {
+ return WERR_INVALID_PARAMETER;
+ }
+ return _winbind_LogonControl_TC_QUERY(p, domain, r);
+ case NETLOGON_CONTROL_TC_VERIFY:
+ if (r->in.level != 2) {
+ return WERR_INVALID_PARAMETER;
+ }
+ return _winbind_LogonControl_TC_VERIFY(p, domain, r);
+ case NETLOGON_CONTROL_CHANGE_PASSWORD:
+ if (r->in.level != 1) {
+ return WERR_INVALID_PARAMETER;
+ }
+ return _winbind_LogonControl_CHANGE_PASSWORD(p, domain, r);
default:
- status = NT_STATUS_INVALID_PARAMETER;
break;
}
- return status;
+
+ DEBUG(4, ("%s: function_code[0x%x] not supported\n",
+ __func__, r->in.function_code));
+ return WERR_NOT_SUPPORTED;
+}
+
+WERROR _winbind_GetForestTrustInformation(struct pipes_struct *p,
+ struct winbind_GetForestTrustInformation *r)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status, result;
+ struct winbindd_domain *domain;
+ struct rpc_pipe_client *netlogon_pipe;
+ struct dcerpc_binding_handle *b;
+ bool retry = false;
+ struct lsa_String trusted_domain_name = {};
+ struct lsa_StringLarge trusted_domain_name_l = {};
+ union lsa_TrustedDomainInfo *tdi = NULL;
+ const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
+ struct lsa_ForestTrustInformation _old_fti = {};
+ struct lsa_ForestTrustInformation *old_fti = NULL;
+ struct lsa_ForestTrustInformation *new_fti = NULL;
+ struct lsa_ForestTrustInformation *merged_fti = NULL;
+ struct lsa_ForestTrustCollisionInfo *collision_info = NULL;
+ bool update_fti = false;
+ struct rpc_pipe_client *local_lsa_pipe;
+ struct policy_handle local_lsa_policy;
+ struct dcerpc_binding_handle *local_lsa = NULL;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ /*
+ * checking for domain->internal and domain->primary
+ * makes sure we only do some work when running as DC.
+ */
+
+ if (domain->internal) {
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ if (domain->primary) {
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ trusted_domain_name.string = domain->name;
+ trusted_domain_name_l.string = domain->name;
+
+ status = open_internal_lsa_conn(frame, &local_lsa_pipe,
+ &local_lsa_policy);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: open_internal_lsa_conn() failed - %s\n",
+ __location__, __func__, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ local_lsa = local_lsa_pipe->binding_handle;
+
+ status = dcerpc_lsa_QueryTrustedDomainInfoByName(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name,
+ LSA_TRUSTED_DOMAIN_INFO_INFO_EX,
+ &tdi, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) failed - %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ DEBUG(1,("%s:%s: domain[%s] not found via LSA, might be removed already.\n",
+ __location__, __func__, domain->name));
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (tdi == NULL) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName() "
+ "returned no trusted domain information\n",
+ __location__, __func__));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+
+ tdo = &tdi->info_ex;
+
+ if (!(tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) {
+ DEBUG(2,("%s: tdo[%s/%s] is no forest trust attributes[0x%08X]\n",
+ __func__, tdo->netbios_name.string,
+ tdo->domain_name.string,
+ (unsigned)tdo->trust_attributes));
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ if (r->in.flags & ~DS_GFTI_UPDATE_TDO) {
+ TALLOC_FREE(frame);
+ return WERR_INVALID_FLAGS;
+ }
+
+reconnect:
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ reset_cm_connection_on_error(domain, status);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(status);
+ }
+ b = netlogon_pipe->binding_handle;
+
+ status = netlogon_creds_cli_GetForestTrustInformation(domain->conn.netlogon_creds,
+ b, p->mem_ctx,
+ &new_fti);
+ if (!NT_STATUS_IS_OK(status)) {
+ if (!retry && dcerpc_binding_handle_is_connected(b)) {
+ invalidate_cm_connection(domain);
+ retry = true;
+ goto reconnect;
+ }
+ DEBUG(2, ("netlogon_creds_cli_GetForestTrustInformation(%s) failed: %s\n",
+ domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(status);
+ }
+
+ *r->out.forest_trust_info = new_fti;
+
+ if (r->in.flags & DS_GFTI_UPDATE_TDO) {
+ update_fti = true;
+ }
+
+ status = dcerpc_lsa_lsaRQueryForestTrustInformation(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name,
+ LSA_FOREST_TRUST_DOMAIN_INFO,
+ &old_fti, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) failed %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_FOUND)) {
+ DEBUG(2,("%s: no forest trust information available for domain[%s] yet.\n",
+ __func__, domain->name));
+ update_fti = true;
+ old_fti = &_old_fti;
+ result = NT_STATUS_OK;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+
+ if (old_fti == NULL) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRQueryForestTrustInformation() "
+ "returned success without returning forest trust information\n",
+ __location__, __func__));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+
+ if (!update_fti) {
+ goto done;
+ }
+
+ status = dsdb_trust_merge_forest_info(frame, tdo, old_fti, new_fti,
+ &merged_fti);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: dsdb_trust_merge_forest_info(%s) failed %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(status);
+ }
+
+ status = dcerpc_lsa_lsaRSetForestTrustInformation(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name_l,
+ LSA_FOREST_TRUST_DOMAIN_INFO,
+ merged_fti,
+ 0, /* check_only=0 => store it! */
+ &collision_info,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRSetForestTrustInformation(%s) failed %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRSetForestTrustInformation(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(result);
+ }
+
+done:
+ DEBUG(5, ("_winbind_GetForestTrustInformation succeeded\n"));
+ TALLOC_FREE(frame);
+ return WERR_OK;
}
git.samba.org / obnox / samba / samba-obnox.git / blobdiff