search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-server: Clean up connection tracking functions
[samba4-gss.git] / source3 / utils / net_util.c
blob5039902bc5e98032e99da8725afa94e225d642c9
1 /*
2 * Unix SMB/CIFS implementation.
3 * Helper routines for net
4 * Copyright (C) Volker Lendecke 2006
5 * Copyright (C) Kai Blin 2008
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21
22 #include "includes.h"
23 #include "utils/net.h"
24 #include "libsmb/namequery.h"
25 #include "rpc_client/cli_pipe.h"
26 #include "../librpc/gen_ndr/ndr_lsa_c.h"
27 #include "rpc_client/cli_lsarpc.h"
28 #include "../librpc/gen_ndr/ndr_dssetup_c.h"
29 #include "secrets.h"
30 #include "../libcli/security/security.h"
31 #include "libsmb/libsmb.h"
32 #include "lib/param/param.h"
33 #include "auth/gensec/gensec.h"
34 #include "libcli/auth/netlogon_creds_cli.h"
35 #include "lib/cmdline/cmdline.h"
36
37 NTSTATUS net_rpc_lookup_name(struct net_context *c,
38 TALLOC_CTX *mem_ctx, struct cli_state *cli,
39 const char *name, const char **ret_domain,
40 const char **ret_name, struct dom_sid *ret_sid,
41 enum lsa_SidType *ret_type)
42 {
43 struct rpc_pipe_client *lsa_pipe = NULL;
44 struct policy_handle pol;
45 NTSTATUS status, result;
46 const char **dom_names;
47 struct dom_sid *sids;
48 enum lsa_SidType *types;
49 struct dcerpc_binding_handle *b;
50
51 ZERO_STRUCT(pol);
52
53 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
54 &lsa_pipe);
55 if (!NT_STATUS_IS_OK(status)) {
56 d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
57 return status;
58 }
59
60 b = lsa_pipe->binding_handle;
61
62 status = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, false,
63 SEC_FLAG_MAXIMUM_ALLOWED,
64 &pol);
65 if (!NT_STATUS_IS_OK(status)) {
66 d_fprintf(stderr, "open_policy %s: %s\n", _("failed"),
67 nt_errstr(status));
68 return status;
69 }
70
71 status = rpccli_lsa_lookup_names(lsa_pipe, mem_ctx, &pol, 1,
72 &name, &dom_names, 1, &sids, &types);
73
74 if (!NT_STATUS_IS_OK(status)) {
75 /* This can happen easily, don't log an error */
76 goto done;
77 }
78
79 if (ret_domain != NULL) {
80 *ret_domain = dom_names[0];
81 }
82 if (ret_name != NULL) {
83 *ret_name = talloc_strdup(mem_ctx, name);
84 }
85 if (ret_sid != NULL) {
86 sid_copy(ret_sid, &sids[0]);
87 }
88 if (ret_type != NULL) {
89 *ret_type = types[0];
90 }
91
92 done:
93 if (is_valid_policy_hnd(&pol)) {
94 dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
95 }
96 TALLOC_FREE(lsa_pipe);
97
98 return status;
99 }
100
101 /****************************************************************************
102 Connect to \\server\service.
103 ****************************************************************************/
104
105 NTSTATUS connect_to_service(struct net_context *c,
106 struct cli_state **cli_ctx,
107 const struct sockaddr_storage *server_ss,
108 const char *server_name,
109 const char *service_name,
110 const char *service_type)
111 {
112 NTSTATUS nt_status;
113 int flags = 0;
114
115 if (strequal(service_type, "IPC")) {
116 flags |= CLI_FULL_CONNECTION_IPC;
117 }
118
119 nt_status = cli_full_connection_creds(c,
120 cli_ctx,
121 NULL,
122 server_name,
123 server_ss,
124 c->opt_port,
125 service_name,
126 service_type,
127 c->creds,
128 flags);
129 if (!NT_STATUS_IS_OK(nt_status)) {
130 d_fprintf(stderr, _("Could not connect to server %s\n"),
131 server_name);
132
133 /* Display a nicer message depending on the result */
134
135 if (NT_STATUS_V(nt_status) ==
136 NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
137 d_fprintf(stderr,
138 _("The username or password was not "
139 "correct.\n"));
140
141 if (NT_STATUS_V(nt_status) ==
142 NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
143 d_fprintf(stderr, _("The account was locked out.\n"));
144
145 if (NT_STATUS_V(nt_status) ==
146 NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
147 d_fprintf(stderr, _("The account was disabled.\n"));
148 return nt_status;
149 }
150
151 return nt_status;
152 }
153
154 /****************************************************************************
155 Connect to \\server\ipc$.
156 ****************************************************************************/
157
158 NTSTATUS connect_to_ipc(struct net_context *c,
159 struct cli_state **cli_ctx,
160 const struct sockaddr_storage *server_ss,
161 const char *server_name)
162 {
163 return connect_to_service(c, cli_ctx, server_ss, server_name, "IPC$",
164 "IPC");
165 }
166
167 /****************************************************************************
168 Connect to \\server\ipc$ anonymously.
169 ****************************************************************************/
170
171 NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
172 struct cli_state **cli_ctx,
173 const struct sockaddr_storage *server_ss,
174 const char *server_name)
175 {
176 NTSTATUS nt_status;
177 struct cli_credentials *anon_creds = NULL;
178
179 anon_creds = cli_credentials_init_anon(c);
180 if (anon_creds == NULL) {
181 DBG_ERR("cli_credentials_init_anon() failed\n");
182 return NT_STATUS_NO_MEMORY;
183 }
184
185 nt_status = cli_full_connection_creds(c,
186 cli_ctx,
187 c->opt_requester_name,
188 server_name,
189 server_ss,
190 c->opt_port,
191 "IPC$",
192 "IPC",
193 anon_creds,
194 CLI_FULL_CONNECTION_IPC);
195
196 if (NT_STATUS_IS_OK(nt_status)) {
197 return nt_status;
198 } else {
199 DEBUG(1,("Cannot connect to server (anonymously). Error was %s\n", nt_errstr(nt_status)));
200 return nt_status;
201 }
202 }
203
204 /**
205 * Connect a server and open a given pipe
206 *
207 * @param cli_dst A cli_state
208 * @param pipe The pipe to open
209 * @param got_pipe boolean that stores if we got a pipe
210 *
211 * @return Normal NTSTATUS return.
212 **/
213 NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
214 struct rpc_pipe_client **pp_pipe_hnd,
215 const struct ndr_interface_table *table)
216 {
217 NTSTATUS nt_status;
218 char *server_name = SMB_STRDUP("127.0.0.1");
219 struct cli_state *cli_tmp = NULL;
220 struct rpc_pipe_client *pipe_hnd = NULL;
221
222 if (server_name == NULL) {
223 return NT_STATUS_NO_MEMORY;
224 }
225
226 if (c->opt_destination) {
227 SAFE_FREE(server_name);
228 if ((server_name = SMB_STRDUP(c->opt_destination)) == NULL) {
229 return NT_STATUS_NO_MEMORY;
230 }
231 }
232
233 /* make a connection to a named pipe */
234 nt_status = connect_to_ipc(c, &cli_tmp, NULL, server_name);
235 if (!NT_STATUS_IS_OK(nt_status)) {
236 SAFE_FREE(server_name);
237 return nt_status;
238 }
239
240 nt_status = cli_rpc_pipe_open_noauth(cli_tmp, table,
241 &pipe_hnd);
242 if (!NT_STATUS_IS_OK(nt_status)) {
243 DEBUG(0, ("couldn't not initialize pipe\n"));
244 cli_shutdown(cli_tmp);
245 SAFE_FREE(server_name);
246 return nt_status;
247 }
248
249 *cli_dst = cli_tmp;
250 *pp_pipe_hnd = pipe_hnd;
251 SAFE_FREE(server_name);
252
253 return nt_status;
254 }
255
256 /****************************************************************************
257 Use the local machine account (krb) and password for this session.
258 ****************************************************************************/
259
260 int net_use_krb_machine_account(struct net_context *c)
261 {
262 struct db_context *db_ctx = NULL;
263
264 if (!secrets_init()) {
265 d_fprintf(stderr,_("ERROR: Unable to open secrets database\n"));
266 exit(1);
267 }
268
269 db_ctx = secrets_db_ctx();
270
271 cli_credentials_set_machine_account_db_ctx(c->creds, c->lp_ctx, db_ctx);
272 c->explicit_credentials = true;
273 return 0;
274 }
275
276 bool net_find_server(struct net_context *c,
277 const char *domain,
278 unsigned flags,
279 struct sockaddr_storage *server_ss,
280 char **server_name)
281 {
282 const char *d = domain ? domain : c->opt_target_workgroup;
283
284 if (c->opt_host) {
285 *server_name = SMB_STRDUP(c->opt_host);
286 }
287
288 if (c->opt_have_ip) {
289 *server_ss = c->opt_dest_ip;
290 if (!*server_name) {
291 char addr[INET6_ADDRSTRLEN];
292 print_sockaddr(addr, sizeof(addr), &c->opt_dest_ip);
293 *server_name = SMB_STRDUP(addr);
294 }
295 } else if (*server_name) {
296 /* resolve the IP address */
297 if (!resolve_name(*server_name, server_ss, 0x20, false)) {
298 DEBUG(1,("Unable to resolve server name\n"));
299 return false;
300 }
301 } else if (flags & NET_FLAGS_PDC) {
302 fstring dc_name;
303 struct sockaddr_storage pdc_ss;
304
305 if (!get_pdc_ip(d, &pdc_ss)) {
306 DEBUG(1,("Unable to resolve PDC server address\n"));
307 return false;
308 }
309
310 if (is_zero_addr(&pdc_ss)) {
311 return false;
312 }
313
314 if (!name_status_find(d, 0x1b, 0x20, &pdc_ss, dc_name)) {
315 return false;
316 }
317
318 *server_name = SMB_STRDUP(dc_name);
319 *server_ss = pdc_ss;
320 } else if (flags & NET_FLAGS_DMB) {
321 struct sockaddr_storage msbrow_ss;
322 char addr[INET6_ADDRSTRLEN];
323
324 /* if (!resolve_name(MSBROWSE, &msbrow_ip, 1, false)) */
325 if (!resolve_name(d, &msbrow_ss, 0x1B, false)) {
326 DEBUG(1,("Unable to resolve domain browser via name lookup\n"));
327 return false;
328 }
329 *server_ss = msbrow_ss;
330 print_sockaddr(addr, sizeof(addr), server_ss);
331 *server_name = SMB_STRDUP(addr);
332 } else if (flags & NET_FLAGS_MASTER) {
333 struct sockaddr_storage brow_ss;
334 char addr[INET6_ADDRSTRLEN];
335 if (!resolve_name(d, &brow_ss, 0x1D, false)) {
336 /* go looking for workgroups */
337 DEBUG(1,("Unable to resolve master browser via name lookup\n"));
338 return false;
339 }
340 *server_ss = brow_ss;
341 print_sockaddr(addr, sizeof(addr), server_ss);
342 *server_name = SMB_STRDUP(addr);
343 } else if (!(flags & NET_FLAGS_LOCALHOST_DEFAULT_INSANE)) {
344 if (!interpret_string_addr(server_ss,
345 "127.0.0.1", AI_NUMERICHOST)) {
346 DEBUG(1,("Unable to resolve 127.0.0.1\n"));
347 return false;
348 }
349 *server_name = SMB_STRDUP("127.0.0.1");
350 }
351
352 if (!*server_name) {
353 DEBUG(1,("no server to connect to\n"));
354 return false;
355 }
356
357 return true;
358 }
359
360 bool net_find_pdc(struct sockaddr_storage *server_ss,
361 fstring server_name,
362 const char *domain_name)
363 {
364 if (!get_pdc_ip(domain_name, server_ss)) {
365 return false;
366 }
367 if (is_zero_addr(server_ss)) {
368 return false;
369 }
370
371 if (!name_status_find(domain_name, 0x1b, 0x20, server_ss, server_name)) {
372 return false;
373 }
374
375 return true;
376 }
377
378 NTSTATUS net_make_ipc_connection(struct net_context *c, unsigned flags,
379 struct cli_state **pcli)
380 {
381 return net_make_ipc_connection_ex(c, c->opt_workgroup, NULL, NULL, flags, pcli);
382 }
383
384 NTSTATUS net_make_ipc_connection_ex(struct net_context *c ,const char *domain,
385 const char *server,
386 const struct sockaddr_storage *pss,
387 unsigned flags, struct cli_state **pcli)
388 {
389 char *server_name = NULL;
390 struct sockaddr_storage server_ss;
391 struct cli_state *cli = NULL;
392 NTSTATUS nt_status;
393
394 if ( !server || !pss ) {
395 if (!net_find_server(c, domain, flags, &server_ss,
396 &server_name)) {
397 d_fprintf(stderr, _("Unable to find a suitable server "
398 "for domain %s\n"), domain);
399 nt_status = NT_STATUS_UNSUCCESSFUL;
400 goto done;
401 }
402 } else {
403 server_name = SMB_STRDUP( server );
404 server_ss = *pss;
405 }
406
407 if (flags & NET_FLAGS_ANONYMOUS) {
408 nt_status = connect_to_ipc_anonymous(c, &cli, &server_ss,
409 server_name);
410 } else {
411 nt_status = connect_to_ipc(c, &cli, &server_ss,
412 server_name);
413 }
414
415 /* store the server in the affinity cache if it was a PDC */
416
417 if ( (flags & NET_FLAGS_PDC) && NT_STATUS_IS_OK(nt_status) )
418 saf_store(cli->server_domain, server_name);
419
420 SAFE_FREE(server_name);
421 if (!NT_STATUS_IS_OK(nt_status)) {
422 d_fprintf(stderr, _("Connection failed: %s\n"),
423 nt_errstr(nt_status));
424 cli = NULL;
425 } else if (c->opt_request_timeout) {
426 cli_set_timeout(cli, c->opt_request_timeout * 1000);
427 }
428
429 done:
430 if (pcli != NULL) {
431 *pcli = cli;
432 }
433 return nt_status;
434 }
435
436 /****************************************************************************
437 ****************************************************************************/
438
439 int net_run_function(struct net_context *c, int argc, const char **argv,
440 const char *whoami, struct functable *table)
441 {
442 int i;
443
444 if (argc != 0) {
445 for (i=0; table[i].funcname != NULL; i++) {
446 if (strcasecmp_m(argv[0], table[i].funcname) == 0)
447 return table[i].fn(c, argc-1, argv+1);
448 }
449 }
450
451 if (c->display_usage == false) {
452 d_fprintf(stderr, _("Invalid command: %s %s\n"), whoami,
453 (argc > 0)?argv[0]:"");
454 }
455 d_printf(_("Usage:\n"));
456 for (i=0; table[i].funcname != NULL; i++) {
457 if(c->display_usage == false)
458 d_printf("%s %-15s %s\n", whoami, table[i].funcname,
459 _(table[i].description));
460 else
461 d_printf("%s\n", _(table[i].usage));
462 }
463
464 return c->display_usage?0:-1;
465 }
466
467 void net_display_usage_from_functable(struct functable *table)
468 {
469 int i;
470 for (i=0; table[i].funcname != NULL; i++) {
471 d_printf("%s\n", _(table[i].usage));
472 }
473 }
474
475 void net_warn_member_options(void)
476 {
477 TALLOC_CTX *frame = talloc_stackframe();
478 struct loadparm_context *lp_ctx = NULL;
479
480 lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
481 if (lp_ctx != NULL) {
482 netlogon_creds_cli_warn_options(lp_ctx);
483 }
484
485 TALLOC_FREE(frame);
486 }
487
488 const char *net_share_type_str(int num_type)
489 {
490 switch(num_type) {
491 case 0: return _("Disk");
492 case 1: return _("Print");
493 case 2: return _("Dev");
494 case 3: return _("IPC");
495 default: return _("Unknown");
496 }
497 }
498
499 static NTSTATUS net_scan_dc_noad(struct net_context *c,
500 struct cli_state *cli,
501 struct net_dc_info *dc_info)
502 {
503 TALLOC_CTX *mem_ctx = talloc_tos();
504 struct rpc_pipe_client *pipe_hnd = NULL;
505 struct dcerpc_binding_handle *b;
506 NTSTATUS status, result;
507 struct policy_handle pol;
508 union lsa_PolicyInformation *info;
509
510 ZERO_STRUCTP(dc_info);
511 ZERO_STRUCT(pol);
512
513 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
514 &pipe_hnd);
515 if (!NT_STATUS_IS_OK(status)) {
516 return status;
517 }
518
519 b = pipe_hnd->binding_handle;
520
521 status = dcerpc_lsa_open_policy(b, mem_ctx,
522 false,
523 SEC_FLAG_MAXIMUM_ALLOWED,
524 &pol,
525 &result);
526 if (!NT_STATUS_IS_OK(status)) {
527 goto done;
528 }
529 if (!NT_STATUS_IS_OK(result)) {
530 status = result;
531 goto done;
532 }
533
534 status = dcerpc_lsa_QueryInfoPolicy(b, mem_ctx,
535 &pol,
536 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
537 &info,
538 &result);
539 if (!NT_STATUS_IS_OK(status)) {
540 goto done;
541 }
542 if (!NT_STATUS_IS_OK(result)) {
543 status = result;
544 goto done;
545 }
546
547 dc_info->netbios_domain_name = talloc_strdup(mem_ctx, info->account_domain.name.string);
548 if (dc_info->netbios_domain_name == NULL) {
549 status = NT_STATUS_NO_MEMORY;
550 goto done;
551 }
552
553 done:
554 if (is_valid_policy_hnd(&pol)) {
555 dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
556 }
557
558 TALLOC_FREE(pipe_hnd);
559
560 return status;
561 }
562
563 NTSTATUS net_scan_dc(struct net_context *c,
564 struct cli_state *cli,
565 struct net_dc_info *dc_info)
566 {
567 TALLOC_CTX *mem_ctx = talloc_tos();
568 struct rpc_pipe_client *dssetup_pipe = NULL;
569 struct dcerpc_binding_handle *dssetup_handle = NULL;
570 union dssetup_DsRoleInfo info;
571 NTSTATUS status;
572 WERROR werr;
573
574 ZERO_STRUCTP(dc_info);
575
576 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup,
577 &dssetup_pipe);
578 if (!NT_STATUS_IS_OK(status)) {
579 DEBUG(10,("net_scan_dc: failed to open dssetup pipe with %s, "
580 "retrying with lsa pipe\n", nt_errstr(status)));
581 return net_scan_dc_noad(c, cli, dc_info);
582 }
583 dssetup_handle = dssetup_pipe->binding_handle;
584
585 status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(dssetup_handle, mem_ctx,
586 DS_ROLE_BASIC_INFORMATION,
587 &info,
588 &werr);
589 TALLOC_FREE(dssetup_pipe);
590
591 if (NT_STATUS_IS_OK(status)) {
592 status = werror_to_ntstatus(werr);
593 }
594 if (!NT_STATUS_IS_OK(status)) {
595 return status;
596 }
597
598 dc_info->is_dc = (info.basic.role & (DS_ROLE_PRIMARY_DC|DS_ROLE_BACKUP_DC));
599 dc_info->is_pdc = (info.basic.role & DS_ROLE_PRIMARY_DC);
600 dc_info->is_ad = (info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING);
601 dc_info->is_mixed_mode = (info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE);
602 dc_info->netbios_domain_name = talloc_strdup(mem_ctx, info.basic.domain);
603 dc_info->dns_domain_name = talloc_strdup(mem_ctx, info.basic.dns_domain);
604 dc_info->forest_name = talloc_strdup(mem_ctx, info.basic.forest);
605
606 return NT_STATUS_OK;
607 }
GSS-enabled samba4