This allows the AD DC to be picked up correctly and gives the correct DNS name.
To ensure no confusion, we also always init it with the full DNS name.
It also means that, aside from the BUILTIN domain, the initialized
flag is set only in one place, which will help when we add more details
to the domain structure in the future.
This in turn allows kerberos authentication against winbindd on the AD DC.
Andrew Bartlett
Change-Id: Idc829cfe5f2e867c87107b49275b17f294821dcd
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
if (domain->internal) {
domain->backend = &builtin_passdb_methods;
- domain->initialized = True;
+ }
+
+ if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
+ domain->initialized = true;
}
if (strequal(domain->name, get_global_sam_name()) &&
sid_check_is_our_sam(&domain->sid)) {
domain->backend = &sam_passdb_methods;
- domain->initialized = True;
}
if ( !domain->initialized ) {
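Review bot: With the `domain->initialized = True` assignment removed from the local-SAM branch, an internal domain other than BUILTIN now starts uninitialized and depends on init_dc_connection() reaching set_dc_type_and_flags_connect() and the in-process pipe binds succeeding; nothing at this site records that new contract. A short comment above the BUILTIN check would make it explicit, e.g. `/* Only BUILTIN is marked initialized here; every other domain, including the local SAM, is initialized by set_dc_type_and_flags() once the DC (or the internal LSA/SAMR server) has been queried. */`. The enclosing function starts and ends outside this hunk.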
#include "../libcli/smb/smbXcli_base.h"
#include "lib/param/loadparm.h"
#include "libcli/auth/netlogon_creds_cli.h"
+#include "auth.h"
+#include "rpc_server/rpc_ncacn_np.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
return ret;
}
+NTSTATUS wb_open_internal_pipe(TALLOC_CTX *mem_ctx,
+ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **ret_pipe)
+{
+ struct rpc_pipe_client *cli = NULL;
+ const struct auth_session_info *session_info;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+
+ session_info = get_session_info_system();
+ SMB_ASSERT(session_info != NULL);
+
+ /* create a connection to the specified pipe */
+ if (lp_parm_bool(-1, "winbindd", "use external pipes", false)) {
+ status = rpc_pipe_open_interface(mem_ctx,
+ table,
+ session_info,
+ NULL,
+ winbind_messaging_context(),
+ &cli);
+ } else {
+ status = rpc_pipe_open_internal(mem_ctx,
+ &table->syntax_id,
+ session_info,
+ NULL,
+ winbind_messaging_context(),
+ &cli);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("open_internal_pipe: Could not connect to %s pipe: %s\n",
+ table->name, nt_errstr(status)));
+ return status;
+ }
+
+ if (ret_pipe) {
+ *ret_pipe = cli;
+ }
+
+ return NT_STATUS_OK;
+}
+
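Review bot: The failure log in the DEBUG(0) call uses the prefix `open_internal_pipe:` while the function is named wb_open_internal_pipe, so the message no longer points at its source; the removed helpers had the same kind of mismatch (`open_samr_pipe:`), and this is the moment to fix it: `DEBUG(0, ("wb_open_internal_pipe: Could not connect to %s pipe: %s\n",`. The function also has no header comment; it should state that the pipe is bound as the system session obtained from get_session_info_system(), so callers must use it only for lookups that are legitimately local, that `winbindd:use external pipes` selects rpc_pipe_open_interface() over the in-process rpc_pipe_open_internal(), that `ret_pipe` may be NULL, and who owns *ret_pipe — presumably mem_ctx, to be confirmed against rpc_pipe_open_internal(). The two consecutive blank lines after the declarations can be collapsed to one.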
static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
struct winbindd_cm_conn *new_conn)
{
NTSTATUS result;
/* Internal connections never use the network. */
- if (domain->internal) {
- domain->initialized = True;
- return NT_STATUS_OK;
+ if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
- if (connection_ok(domain)) {
+ /* Still ask the internal LSA and SAMR server about the local domain */
+ if (domain->internal || connection_ok(domain)) {
if (!domain->initialized) {
set_dc_type_and_flags(domain);
}
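Review bot: The early return for `domain->internal` is gone, so a non-BUILTIN internal domain now enters the `domain->internal || connection_ok(domain)` block with `domain->conn.cli` presumably still NULL; the block's tail and the rest of cm_open_connection lie outside this hunk, so please confirm that this branch returns before the network-connection code that follows, otherwise the internal domain would try to locate a DC for itself. A comment on the `if` would help a reader who only sees this diff: `/* internal: no network, the in-process LSA/SAMR server answers */`.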
NTSTATUS init_dc_connection(struct winbindd_domain *domain)
{
- if (domain->internal) {
+ if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
union dssetup_DsRoleInfo info;
union lsa_PolicyInformation *lsa_info = NULL;
- if (!connection_ok(domain)) {
+ if (!domain->internal && !connection_ok(domain)) {
return;
}
DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
- status = cli_rpc_pipe_open_noauth(domain->conn.cli,
- &ndr_table_dssetup,
- &cli);
+ if (domain->internal) {
+ status = wb_open_internal_pipe(mem_ctx,
+ &ndr_table_dssetup,
+ &cli);
+ } else {
+ status = cli_rpc_pipe_open_noauth(domain->conn.cli,
+ &ndr_table_dssetup,
+ &cli);
+ }
if (!NT_STATUS_IS_OK(status)) {
DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
}
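Review bot: The relaxed guard `if (!domain->internal && !connection_ok(domain))` lets an internal domain run the rest of set_dc_type_and_flags_connect with no client connection, while only the two pipe binds (this hunk and the lsarpc one after `no_dssetup:`) were taught to avoid `domain->conn.cli`; anything later in the function that reads `domain->conn.cli` — the function continues past both hunks — needs the same `domain->internal` check or it dereferences a NULL pointer. The internal branch also parents the pipe on `mem_ctx`, whereas the network branch attaches it to `domain->conn.cli`, so the pipe's lifetime now depends on where `mem_ctx` (declared outside the hunk) is freed; a one-line comment such as `/* internal pipes live on mem_ctx, not on conn.cli */` at the first bind would record that.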
no_dssetup:
- status = cli_rpc_pipe_open_noauth(domain->conn.cli,
- &ndr_table_lsarpc, &cli);
-
+ if (domain->internal) {
+ status = wb_open_internal_pipe(mem_ctx,
+ &ndr_table_lsarpc,
+ &cli);
+ } else {
+ status = cli_rpc_pipe_open_noauth(domain->conn.cli,
+ &ndr_table_lsarpc, &cli);
+ }
if (!NT_STATUS_IS_OK(status)) {
DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
"PI_LSARPC on domain %s: (%s)\n",
{
/* we always have to contact our primary domain */
- if ( domain->primary ) {
+ if ( domain->primary || domain->internal) {
DEBUG(10,("set_dc_type_and_flags: setting up flags for "
- "primary domain\n"));
+ "primary or internal domain\n"));
set_dc_type_and_flags_connect( domain );
return;
}
void set_domain_offline(struct winbindd_domain *domain);
void set_domain_online_request(struct winbindd_domain *domain);
+
+struct ndr_interface_table;
+NTSTATUS wb_open_internal_pipe(TALLOC_CTX *mem_ctx,
+ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **ret_pipe);
void invalidate_cm_connection(struct winbindd_cm_conn *conn);
void close_conns_after_fork(void);
NTSTATUS init_dc_connection(struct winbindd_domain *domain);
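Review bot: The new prototype for wb_open_internal_pipe() carries no comment describing its contract, and the proto header is where callers in winbindd_samr.c look first. I would add a short block above it noting that the pipe is opened as the system session and is intended only for the internal LSA/SAMR/dssetup servers of the local domain, that `ret_pipe` may be NULL (the connection is then established and simply dropped with mem_ctx), and that the result is allocated under mem_ctx — the last point is inferred from the call and worth confirming.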
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
-static NTSTATUS open_internal_samr_pipe(TALLOC_CTX *mem_ctx,
- struct rpc_pipe_client **samr_pipe)
-{
- struct rpc_pipe_client *cli = NULL;
- struct auth_session_info *session_info = NULL;
- NTSTATUS status;
-
- status = make_session_info_system(mem_ctx, &session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("open_samr_pipe: Could not create auth_session_info: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- /* create a samr connection */
- if (lp_parm_bool(-1, "winbindd", "use external pipes", false)) {
- status = rpc_pipe_open_interface(mem_ctx,
- &ndr_table_samr,
- session_info,
- NULL,
- winbind_messaging_context(),
- &cli);
- } else {
- status = rpc_pipe_open_internal(mem_ctx,
- &ndr_table_samr.syntax_id,
- session_info,
- NULL,
- winbind_messaging_context(),
- &cli);
- }
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("open_samr_pipe: Could not connect to samr_pipe: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- if (samr_pipe) {
- *samr_pipe = cli;
- }
-
- return NT_STATUS_OK;
-}
-
NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
struct winbindd_domain *domain,
struct rpc_pipe_client **samr_pipe,
struct policy_handle samr_connect_hnd;
struct dcerpc_binding_handle *b;
- status = open_internal_samr_pipe(mem_ctx, samr_pipe);
+ status = wb_open_internal_pipe(mem_ctx, &ndr_table_samr, samr_pipe);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return result;
}
-static NTSTATUS open_internal_lsa_pipe(TALLOC_CTX *mem_ctx,
- struct rpc_pipe_client **lsa_pipe)
-{
- struct rpc_pipe_client *cli = NULL;
- struct auth_session_info *session_info = NULL;
- NTSTATUS status;
-
- status = make_session_info_system(mem_ctx, &session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("open_lsa_pipe: Could not create auth_session_info: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- /* create a lsa connection */
- if (lp_parm_bool(-1, "winbindd", "use external pipes", false)) {
- status = rpc_pipe_open_interface(mem_ctx,
- &ndr_table_lsarpc,
- session_info,
- NULL,
- winbind_messaging_context(),
- &cli);
- } else {
- status = rpc_pipe_open_internal(mem_ctx,
- &ndr_table_lsarpc.syntax_id,
- session_info,
- NULL,
- winbind_messaging_context(),
- &cli);
- }
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("open_lsa_pipe: Could not connect to lsa_pipe: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- if (lsa_pipe) {
- *lsa_pipe = cli;
- }
-
- return NT_STATUS_OK;
-}
-
static NTSTATUS open_internal_lsa_conn(TALLOC_CTX *mem_ctx,
struct rpc_pipe_client **lsa_pipe,
struct policy_handle *lsa_hnd)
{
NTSTATUS status;
- status = open_internal_lsa_pipe(mem_ctx, lsa_pipe);
+ status = wb_open_internal_pipe(mem_ctx, &ndr_table_lsarpc, lsa_pipe);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
}
- if (domain->internal) {
- domain->initialized = true;
- } else {
- init_dc_connection(domain);
- }
+ init_dc_connection(domain);
if (!domain->initialized) {
/* If we return error here we can't do any cached authentication,
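Review bot: The status returned by init_dc_connection() is discarded at the new unconditional call, and for the BUILTIN domain it is always NT_STATUS_CANT_ACCESS_DOMAIN_INFO (the check in winbindd_cm.c); the code still works only because add_trusted_domain() pre-sets `initialized` for BUILTIN, which is far from obvious at this site. A comment would save the next reader a trip: `/* BUILTIN fails here by design (no DC); it is marked initialized at add time */`. The enclosing function starts and ends outside this hunk.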
/* Local SAM */
- (void)add_trusted_domain(get_global_sam_name(), NULL,
- &cache_methods, get_global_sam_sid());
-
+ if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
+ (void)add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
+ &cache_methods, get_global_sam_sid());
+ } else {
+ (void)add_trusted_domain(get_global_sam_name(), NULL,
+ &cache_methods, get_global_sam_sid());
+ }
/* Add ourselves as the first entry. */
if ( role == ROLE_DOMAIN_MEMBER ) {
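Review bot: The two add_trusted_domain() calls differ only in the DNS-name argument, so the branch duplicates the other three arguments and any future change has to be made twice; compute the name first and call once: `const char *dns_name = (role == ROLE_ACTIVE_DIRECTORY_DC) ? lp_dnsdomain() : NULL;` followed by `(void)add_trusted_domain(get_global_sam_name(), dns_name, &cache_methods, get_global_sam_sid());`. Whether lp_dnsdomain() can return an empty string on an AD DC is not visible here; if it can, the previous NULL behaviour should be kept for that case.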