search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-server: Remove duplicate logic
[samba4-gss.git] / source3 / winbindd / winbindd_cm.c
blobef7b70f400f619b7fb740635c489d2d16935b819
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon connection manager
5
6 Copyright (C) Tim Potter 2001
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Gerald (Jerry) Carter 2003-2005.
9 Copyright (C) Volker Lendecke 2004-2005
10 Copyright (C) Jeremy Allison 2006
11
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 /*
27 We need to manage connections to domain controllers without having to
28 mess up the main winbindd code with other issues. The aim of the
29 connection manager is to:
30
31 - make connections to domain controllers and cache them
32 - re-establish connections when networks or servers go down
33 - centralise the policy on connection timeouts, domain controller
34 selection etc
35 - manage re-entrancy for when winbindd becomes able to handle
36 multiple outstanding rpc requests
37
38 Why not have connection management as part of the rpc layer like tng?
39 Good question. This code may morph into libsmb/rpc_cache.c or something
40 like that but at the moment it's simply staying as part of winbind. I
41 think the TNG architecture of forcing every user of the rpc layer to use
42 the connection caching system is a bad idea. It should be an optional
43 method of using the routines.
44
45 The TNG design is quite good but I disagree with some aspects of the
46 implementation. -tpot
47
48 */
49
50 /*
51 TODO:
52
53 - I'm pretty annoyed by all the make_nmb_name() stuff. It should be
54 moved down into another function.
55
56 - Take care when destroying cli_structs as they can be shared between
57 various sam handles.
58
59 */
60
61 #include "includes.h"
62 #include "winbindd.h"
63 #include "libsmb/namequery.h"
64 #include "../libcli/auth/libcli_auth.h"
65 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
66 #include "rpc_client/cli_pipe.h"
67 #include "rpc_client/cli_netlogon.h"
68 #include "../librpc/gen_ndr/ndr_samr_c.h"
69 #include "../librpc/gen_ndr/ndr_lsa_c.h"
70 #include "rpc_client/cli_lsarpc.h"
71 #include "../librpc/gen_ndr/ndr_dssetup_c.h"
72 #include "libads/sitename_cache.h"
73 #include "libsmb/libsmb.h"
74 #include "libsmb/clidgram.h"
75 #include "ads.h"
76 #include "secrets.h"
77 #include "../libcli/security/security.h"
78 #include "passdb.h"
79 #include "messages.h"
80 #include "auth/gensec/gensec.h"
81 #include "../libcli/smb/smbXcli_base.h"
82 #include "libcli/auth/netlogon_creds_cli.h"
83 #include "auth.h"
84 #include "rpc_server/rpc_ncacn_np.h"
85 #include "auth/credentials/credentials.h"
86 #include "lib/param/param.h"
87 #include "lib/gencache.h"
88 #include "lib/util/string_wrappers.h"
89 #include "lib/global_contexts.h"
90 #include "librpc/gen_ndr/ndr_winbind_c.h"
91
92 #undef DBGC_CLASS
93 #define DBGC_CLASS DBGC_WINBIND
94
95 struct dc_name_ip {
96 fstring name;
97 struct sockaddr_storage ss;
98 };
99
100 extern struct winbindd_methods reconnect_methods;
101
102 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc);
103 static void set_dc_type_and_flags( struct winbindd_domain *domain );
104 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain );
105 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
106 struct dc_name_ip **dcs, int *num_dcs,
107 uint32_t request_flags);
108
109 void winbind_msg_domain_offline(struct messaging_context *msg_ctx,
110 void *private_data,
111 uint32_t msg_type,
112 struct server_id server_id,
113 DATA_BLOB *data)
114 {
115 const char *domain_name = (const char *)data->data;
116 struct winbindd_domain *domain;
117
118 domain = find_domain_from_name_noinit(domain_name);
119 if (domain == NULL) {
120 DBG_DEBUG("Domain %s not found!\n", domain_name);
121 return;
122 }
123
124 DBG_DEBUG("Domain %s was %s, change to offline now.\n",
125 domain_name,
126 domain->online ? "online" : "offline");
127
128 domain->online = false;
129 }
130
131 void winbind_msg_domain_online(struct messaging_context *msg_ctx,
132 void *private_data,
133 uint32_t msg_type,
134 struct server_id server_id,
135 DATA_BLOB *data)
136 {
137 const char *domain_name = (const char *)data->data;
138 struct winbindd_domain *domain;
139
140 domain = find_domain_from_name_noinit(domain_name);
141 if (domain == NULL) {
142 return;
143 }
144
145 SMB_ASSERT(wb_child_domain() == NULL);
146
147 DBG_DEBUG("Domain %s was %s, marking as online now!\n",
148 domain_name,
149 domain->online ? "online" : "offline");
150
151 domain->online = true;
152 }
153
154 /****************************************************************
155 Set domain offline and also add handler to put us back online
156 if we detect a DC.
157 ****************************************************************/
158
159 void set_domain_offline(struct winbindd_domain *domain)
160 {
161 pid_t parent_pid = getppid();
162
163 DEBUG(10,("set_domain_offline: called for domain %s\n",
164 domain->name ));
165
166 if (domain->internal) {
167 DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
168 domain->name ));
169 return;
170 }
171
172 domain->online = False;
173
174 /* Offline domains are always initialized. They're
175 re-initialized when they go back online. */
176
177 domain->initialized = True;
178
179 /* Send a message to the parent that the domain is offline. */
180 if (parent_pid > 1 && !domain->internal) {
181 messaging_send_buf(global_messaging_context(),
182 pid_to_procid(parent_pid),
183 MSG_WINBIND_DOMAIN_OFFLINE,
184 (uint8_t *)domain->name,
185 strlen(domain->name) + 1);
186 }
187
188 /* Send an offline message to the idmap child when our
189 primary domain goes offline */
190 if ( domain->primary ) {
191 pid_t idmap_pid = idmap_child_pid();
192
193 if (idmap_pid != 0) {
194 messaging_send_buf(global_messaging_context(),
195 pid_to_procid(idmap_pid),
196 MSG_WINBIND_OFFLINE,
197 (const uint8_t *)domain->name,
198 strlen(domain->name)+1);
199 }
200 }
201
202 return;
203 }
204
205 /****************************************************************
206 Set domain online - if allowed.
207 ****************************************************************/
208
209 static void set_domain_online(struct winbindd_domain *domain)
210 {
211 pid_t parent_pid = getppid();
212
213 DEBUG(10,("set_domain_online: called for domain %s\n",
214 domain->name ));
215
216 if (domain->internal) {
217 DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
218 domain->name ));
219 return;
220 }
221
222 if (get_global_winbindd_state_offline()) {
223 DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
224 domain->name ));
225 return;
226 }
227
228 winbindd_set_locator_kdc_envs(domain);
229
230 /* If we are waiting to get a krb5 ticket, trigger immediately. */
231 ccache_regain_all_now();
232
233 /* Ok, we're out of any startup mode now... */
234 domain->startup = False;
235
236 if (domain->online == False) {
237 /* We were offline - now we're online. We default to
238 using the MS-RPC backend if we started offline,
239 and if we're going online for the first time we
240 should really re-initialize the backends and the
241 checks to see if we're talking to an AD or NT domain.
242 */
243
244 domain->initialized = False;
245
246 /* 'reconnect_methods' is the MS-RPC backend. */
247 if (domain->backend == &reconnect_methods) {
248 domain->backend = NULL;
249 }
250 }
251
252 domain->online = True;
253
254 /* Send a message to the parent that the domain is online. */
255 if (parent_pid > 1 && !domain->internal) {
256 messaging_send_buf(global_messaging_context(),
257 pid_to_procid(parent_pid),
258 MSG_WINBIND_DOMAIN_ONLINE,
259 (uint8_t *)domain->name,
260 strlen(domain->name) + 1);
261 }
262
263 /* Send an online message to the idmap child when our
264 primary domain comes online */
265
266 if ( domain->primary ) {
267 pid_t idmap_pid = idmap_child_pid();
268
269 if (idmap_pid != 0) {
270 messaging_send_buf(global_messaging_context(),
271 pid_to_procid(idmap_pid),
272 MSG_WINBIND_ONLINE,
273 (const uint8_t *)domain->name,
274 strlen(domain->name)+1);
275 }
276 }
277
278 return;
279 }
280
281 /****************************************************************
282 Requested to set a domain online.
283 ****************************************************************/
284
285 void set_domain_online_request(struct winbindd_domain *domain)
286 {
287 NTSTATUS status;
288
289 SMB_ASSERT(wb_child_domain() || idmap_child());
290
291 DEBUG(10,("set_domain_online_request: called for domain %s\n",
292 domain->name ));
293
294 if (get_global_winbindd_state_offline()) {
295 DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
296 domain->name ));
297 return;
298 }
299
300 if (domain->internal) {
301 DEBUG(10, ("set_domain_online_request: Internal domains are "
302 "always online\n"));
303 return;
304 }
305
306 /*
307 * This call takes care of setting the online flag to true if we
308 * connected, or tell the parent to ping us back if false. Bypasses
309 * online check so always does network calls.
310 */
311 status = init_dc_connection_network(domain, true);
312 DBG_DEBUG("init_dc_connection_network(), returned %s, called for "
313 "domain %s (online = %s)\n",
314 nt_errstr(status),
315 domain->name,
316 domain->online ? "true" : "false");
317 }
318
319 /****************************************************************
320 Add -ve connection cache entries for domain and realm.
321 ****************************************************************/
322
323 static void winbind_add_failed_connection_entry(
324 const struct winbindd_domain *domain,
325 const char *server,
326 NTSTATUS result)
327 {
328 add_failed_connection_entry(domain->name, server, result);
329 /* If this was the saf name for the last thing we talked to,
330 remove it. */
331 saf_delete(domain->name);
332 if (domain->alt_name != NULL) {
333 add_failed_connection_entry(domain->alt_name, server, result);
334 saf_delete(domain->alt_name);
335 }
336 winbindd_unset_locator_kdc_env(domain);
337 }
338
339 /* Choose between anonymous or authenticated connections. We need to use
340 an authenticated connection if DCs have the RestrictAnonymous registry
341 entry set > 0, or the "Additional restrictions for anonymous
342 connections" set in the win2k Local Security Policy.
343
344 Caller to free() result in domain, username, password
345 */
346
347 static void cm_get_ipc_userpass(char **username, char **domain, char **password)
348 {
349 *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
350 *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
351 *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
352
353 if (*username && **username) {
354
355 if (!*domain || !**domain)
356 *domain = smb_xstrdup(lp_workgroup());
357
358 if (!*password || !**password)
359 *password = smb_xstrdup("");
360
361 DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
362 *domain, *username));
363
364 } else {
365 DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
366 *username = smb_xstrdup("");
367 *domain = smb_xstrdup("");
368 *password = smb_xstrdup("");
369 }
370 }
371
372 static NTSTATUS cm_get_ipc_credentials(TALLOC_CTX *mem_ctx,
373 struct cli_credentials **_creds)
374 {
375
376 TALLOC_CTX *frame = talloc_stackframe();
377 NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
378 struct loadparm_context *lp_ctx;
379 char *username = NULL;
380 char *netbios_domain = NULL;
381 char *password = NULL;
382 struct cli_credentials *creds = NULL;
383 bool ok;
384
385 cm_get_ipc_userpass(&username, &netbios_domain, &password);
386
387 lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
388 if (lp_ctx == NULL) {
389 DEBUG(1, ("loadparm_init_s3 failed\n"));
390 status = NT_STATUS_INTERNAL_ERROR;
391 goto fail;
392 }
393
394 creds = cli_credentials_init(mem_ctx);
395 if (creds == NULL) {
396 status = NT_STATUS_NO_MEMORY;
397 goto fail;
398 }
399
400 ok = cli_credentials_set_conf(creds, lp_ctx);
401 if (!ok) {
402 status = NT_STATUS_INTERNAL_ERROR;
403 goto fail;
404 }
405
406 cli_credentials_set_kerberos_state(creds,
407 CRED_USE_KERBEROS_DISABLED,
408 CRED_SPECIFIED);
409
410 ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
411 if (!ok) {
412 status = NT_STATUS_NO_MEMORY;
413 goto fail;
414 }
415
416 ok = cli_credentials_set_username(creds, username, CRED_SPECIFIED);
417 if (!ok) {
418 status = NT_STATUS_NO_MEMORY;
419 goto fail;
420 }
421
422 ok = cli_credentials_set_password(creds, password, CRED_SPECIFIED);
423 if (!ok) {
424 status = NT_STATUS_NO_MEMORY;
425 goto fail;
426 }
427
428 *_creds = creds;
429 creds = NULL;
430 status = NT_STATUS_OK;
431 fail:
432 TALLOC_FREE(creds);
433 SAFE_FREE(username);
434 SAFE_FREE(netbios_domain);
435 SAFE_FREE(password);
436 TALLOC_FREE(frame);
437 return status;
438 }
439
440 static bool cm_is_ipc_credentials(struct cli_credentials *creds)
441 {
442 TALLOC_CTX *frame = talloc_stackframe();
443 char *ipc_account = NULL;
444 char *ipc_domain = NULL;
445 char *ipc_password = NULL;
446 const char *creds_account = NULL;
447 const char *creds_domain = NULL;
448 const char *creds_password = NULL;
449 bool ret = false;
450
451 cm_get_ipc_userpass(&ipc_account, &ipc_domain, &ipc_password);
452
453 creds_account = cli_credentials_get_username(creds);
454 creds_domain = cli_credentials_get_domain(creds);
455 creds_password = cli_credentials_get_password(creds);
456
457 if (!strequal(ipc_domain, creds_domain)) {
458 goto done;
459 }
460
461 if (!strequal(ipc_account, creds_account)) {
462 goto done;
463 }
464
465 if (!strcsequal(ipc_password, creds_password)) {
466 goto done;
467 }
468
469 ret = true;
470 done:
471 SAFE_FREE(ipc_account);
472 SAFE_FREE(ipc_domain);
473 SAFE_FREE(ipc_password);
474 TALLOC_FREE(frame);
475 return ret;
476 }
477
478 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
479 fstring dcname,
480 struct sockaddr_storage *dc_ss,
481 uint32_t request_flags)
482 {
483 struct winbindd_domain *our_domain = NULL;
484 struct rpc_pipe_client *netlogon_pipe = NULL;
485 NTSTATUS result;
486 WERROR werr;
487 TALLOC_CTX *mem_ctx;
488 unsigned int orig_timeout;
489 const char *tmp = NULL;
490 const char *p;
491 struct dcerpc_binding_handle *b;
492
493 /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
494 * moment.... */
495
496 if (IS_DC) {
497 return False;
498 }
499
500 if (domain->primary) {
501 return False;
502 }
503
504 our_domain = find_our_domain();
505
506 if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
507 return False;
508 }
509
510 result = cm_connect_netlogon(our_domain, &netlogon_pipe);
511 if (!NT_STATUS_IS_OK(result)) {
512 talloc_destroy(mem_ctx);
513 return False;
514 }
515
516 b = netlogon_pipe->binding_handle;
517
518 /* This call can take a long time - allow the server to time out.
519 35 seconds should do it. */
520
521 orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
522
523 if (our_domain->active_directory) {
524 struct netr_DsRGetDCNameInfo *domain_info = NULL;
525
526 /*
527 * TODO request flags are not respected in the server
528 * (and in some cases, like REQUIRE_PDC, causes an error)
529 */
530 result = dcerpc_netr_DsRGetDCName(b,
531 mem_ctx,
532 our_domain->dcname,
533 domain->name,
534 NULL,
535 NULL,
536 request_flags|DS_RETURN_DNS_NAME,
537 &domain_info,
538 &werr);
539 if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
540 tmp = talloc_strdup(
541 mem_ctx, domain_info->dc_unc);
542 if (tmp == NULL) {
543 DBG_ERR("talloc_strdup failed for dc_unc[%s]\n",
544 domain_info->dc_unc);
545 talloc_destroy(mem_ctx);
546 return false;
547 }
548 if (domain->alt_name == NULL) {
549 domain->alt_name = talloc_strdup(domain,
550 domain_info->domain_name);
551 if (domain->alt_name == NULL) {
552 DBG_ERR("talloc_strdup failed for "
553 "domain_info->domain_name[%s]\n",
554 domain_info->domain_name);
555 talloc_destroy(mem_ctx);
556 return false;
557 }
558 }
559 if (domain->forest_name == NULL) {
560 domain->forest_name = talloc_strdup(domain,
561 domain_info->forest_name);
562 if (domain->forest_name == NULL) {
563 DBG_ERR("talloc_strdup failed for "
564 "domain_info->forest_name[%s]\n",
565 domain_info->forest_name);
566 talloc_destroy(mem_ctx);
567 return false;
568 }
569 }
570 }
571 } else {
572 result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
573 our_domain->dcname,
574 domain->name,
575 &tmp,
576 &werr);
577 }
578
579 /* And restore our original timeout. */
580 rpccli_set_timeout(netlogon_pipe, orig_timeout);
581
582 if (!NT_STATUS_IS_OK(result)) {
583 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
584 nt_errstr(result)));
585 talloc_destroy(mem_ctx);
586 return false;
587 }
588
589 if (!W_ERROR_IS_OK(werr)) {
590 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
591 win_errstr(werr)));
592 talloc_destroy(mem_ctx);
593 return false;
594 }
595
596 /* dcerpc_netr_GetAnyDCName gives us a name with \\ */
597 p = strip_hostname(tmp);
598
599 fstrcpy(dcname, p);
600
601 talloc_destroy(mem_ctx);
602
603 DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
604
605 if (!resolve_name(dcname, dc_ss, 0x20, true)) {
606 return False;
607 }
608
609 return True;
610 }
611
612 /**
613 * Helper function to assemble trust password and account name
614 */
615 NTSTATUS winbindd_get_trust_credentials(struct winbindd_domain *domain,
616 TALLOC_CTX *mem_ctx,
617 bool netlogon,
618 bool allow_ipc_fallback,
619 struct cli_credentials **_creds)
620 {
621 const struct winbindd_domain *creds_domain = NULL;
622 struct cli_credentials *creds;
623 NTSTATUS status;
624 bool force_machine_account = false;
625
626 /* If we are a DC and this is not our own domain */
627
628 if (!domain->active_directory) {
629 if (!netlogon) {
630 /*
631 * For non active directory domains
632 * we can only use NTLMSSP for SMB.
633 *
634 * But the trust account is not allowed
635 * to use SMB with NTLMSSP.
636 */
637 force_machine_account = true;
638 }
639 }
640
641 if (IS_DC && !force_machine_account) {
642 creds_domain = domain;
643 } else {
644 creds_domain = find_our_domain();
645 if (creds_domain == NULL) {
646 return NT_STATUS_INVALID_SERVER_STATE;
647 }
648 }
649
650 status = pdb_get_trust_credentials(creds_domain->name,
651 creds_domain->alt_name,
652 mem_ctx,
653 &creds);
654 if (!NT_STATUS_IS_OK(status)) {
655 goto ipc_fallback;
656 }
657
658 if (creds_domain != domain) {
659 /*
660 * We can only use schannel against a direct trust
661 */
662 cli_credentials_set_secure_channel_type(creds,
663 SEC_CHAN_NULL);
664 }
665
666 *_creds = creds;
667 return NT_STATUS_OK;
668
669 ipc_fallback:
670 if (netlogon) {
671 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
672 }
673
674 if (!allow_ipc_fallback) {
675 return status;
676 }
677
678 status = cm_get_ipc_credentials(mem_ctx, &creds);
679 if (!NT_STATUS_IS_OK(status)) {
680 return status;
681 }
682
683 *_creds = creds;
684 return NT_STATUS_OK;
685 }
686
687 /************************************************************************
688 Given a fd with a just-connected TCP connection to a DC, open a connection
689 to the pipe.
690 ************************************************************************/
691
692 static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
693 const int sockfd,
694 const char *controller,
695 struct cli_state **cli,
696 bool *retry)
697 {
698 bool try_ipc_auth = false;
699 const char *machine_principal = NULL;
700 const char *machine_realm = NULL;
701 const char *machine_account = NULL;
702 const char *machine_domain = NULL;
703 int flags = 0;
704 struct cli_credentials *creds = NULL;
705
706 struct named_mutex *mutex;
707
708 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
709 NTSTATUS tmp_status;
710 NTSTATUS tcon_status = NT_STATUS_NETWORK_NAME_DELETED;
711
712 enum smb_signing_setting smb_sign_client_connections = lp_client_ipc_signing();
713
714 if (IS_DC) {
715 if (domain->secure_channel_type == SEC_CHAN_NULL) {
716 /*
717 * Make sure we don't even try to
718 * connect to a foreign domain
719 * without a direct outbound trust.
720 */
721 close(sockfd);
722 return NT_STATUS_NO_TRUST_LSA_SECRET;
723 }
724
725 /*
726 * As AD DC we only use netlogon and lsa
727 * using schannel over an anonymous transport
728 * (ncacn_ip_tcp or ncacn_np).
729 *
730 * Currently we always establish the SMB connection,
731 * even if we don't use it, because we later use ncacn_ip_tcp.
732 *
733 * As we won't use the SMB connection there's no
734 * need to try kerberos. And NT4 domains expect
735 * an anonymous IPC$ connection anyway.
736 */
737 smb_sign_client_connections = SMB_SIGNING_OFF;
738 }
739
740 if (smb_sign_client_connections == SMB_SIGNING_DEFAULT) {
741 /*
742 * If we are connecting to our own AD domain, require
743 * smb signing to disrupt MITM attacks
744 */
745 if (domain->primary && lp_security() == SEC_ADS) {
746 smb_sign_client_connections = SMB_SIGNING_REQUIRED;
747 /*
748 * If we are in or are an AD domain and connecting to another
749 * AD domain in our forest
750 * then require smb signing to disrupt MITM attacks
751 */
752 } else if ((lp_security() == SEC_ADS)
753 && domain->active_directory
754 && (domain->domain_trust_attribs
755 & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)) {
756 smb_sign_client_connections = SMB_SIGNING_REQUIRED;
757 }
758 }
759
760 DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
761 controller, domain->name ));
762
763 *retry = True;
764
765 mutex = grab_named_mutex(talloc_tos(), controller,
766 WINBIND_SERVER_MUTEX_WAIT_TIME);
767 if (mutex == NULL) {
768 close(sockfd);
769 DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
770 controller));
771 result = NT_STATUS_POSSIBLE_DEADLOCK;
772 goto done;
773 }
774
775 /*
776 * cm_prepare_connection() is responsible that sockfd does not leak.
777 * Once cli_state_create() returns with success, the
778 * smbXcli_conn_destructor() makes sure that close(sockfd) is finally
779 * called. Till that, close(sockfd) must be called on every unsuccessful
780 * return.
781 */
782 *cli = cli_state_create(NULL, sockfd, controller,
783 smb_sign_client_connections, flags);
784 if (*cli == NULL) {
785 close(sockfd);
786 DEBUG(1, ("Could not cli_initialize\n"));
787 result = NT_STATUS_NO_MEMORY;
788 goto done;
789 }
790
791 cli_set_timeout(*cli, 10000); /* 10 seconds */
792
793 set_socket_options(sockfd, lp_socket_options());
794
795 result = smbXcli_negprot((*cli)->conn,
796 (*cli)->timeout,
797 lp_client_ipc_min_protocol(),
798 lp_client_ipc_max_protocol(),
799 NULL,
800 NULL,
801 NULL);
802
803 if (!NT_STATUS_IS_OK(result)) {
804 DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
805 goto done;
806 }
807
808 if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_NT1 &&
809 smb1cli_conn_capabilities((*cli)->conn) & CAP_EXTENDED_SECURITY) {
810 try_ipc_auth = true;
811 } else if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
812 try_ipc_auth = true;
813 } else if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
814 /*
815 * If we are forcing on SMB signing, then we must
816 * require authentication unless this is a one-way
817 * trust, and we have no stored user/password
818 */
819 try_ipc_auth = true;
820 }
821
822 if (IS_DC) {
823 /*
824 * As AD DC we only use netlogon and lsa
825 * using schannel over an anonymous transport
826 * (ncacn_ip_tcp or ncacn_np).
827 *
828 * Currently we always establish the SMB connection,
829 * even if we don't use it, because we later use ncacn_ip_tcp.
830 *
831 * As we won't use the SMB connection there's no
832 * need to try kerberos. And NT4 domains expect
833 * an anonymous IPC$ connection anyway.
834 */
835 try_ipc_auth = false;
836 }
837
838 if (try_ipc_auth) {
839 result = winbindd_get_trust_credentials(domain,
840 talloc_tos(),
841 false, /* netlogon */
842 true, /* ipc_fallback */
843 &creds);
844 if (!NT_STATUS_IS_OK(result)) {
845 DBG_WARNING("winbindd_get_trust_credentials(%s) "
846 "failed: %s\n",
847 domain->name,
848 nt_errstr(result));
849 goto done;
850 }
851 } else {
852 /*
853 * Without SPNEGO or NTLMSSP (perhaps via SMB2) we
854 * would try and authentication with our machine
855 * account password and fail. This is very rare in
856 * the modern world however
857 */
858 creds = cli_credentials_init_anon(talloc_tos());
859 if (creds == NULL) {
860 result = NT_STATUS_NO_MEMORY;
861 DEBUG(1, ("cli_credentials_init_anon(%s) failed: %s\n",
862 domain->name, nt_errstr(result)));
863 goto done;
864 }
865 }
866
867 machine_principal = cli_credentials_get_principal(creds,
868 talloc_tos());
869 machine_realm = cli_credentials_get_realm(creds);
870 machine_account = cli_credentials_get_username(creds);
871 machine_domain = cli_credentials_get_domain(creds);
872
873 DEBUG(5, ("connecting to %s (%s, %s) with account [%s\\%s] principal "
874 "[%s] and realm [%s]\n",
875 controller, domain->name, domain->alt_name,
876 machine_domain, machine_account,
877 machine_principal, machine_realm));
878
879 if (cli_credentials_is_anonymous(creds)) {
880 goto anon_fallback;
881 }
882
883 winbindd_set_locator_kdc_envs(domain);
884
885 result = cli_session_setup_creds(*cli, creds);
886 if (NT_STATUS_IS_OK(result)) {
887 goto session_setup_done;
888 }
889
890 DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
891 controller,
892 cli_credentials_get_unparsed_name(creds, talloc_tos()),
893 nt_errstr(result)));
894
895 /*
896 * If we are not going to validate the connection
897 * with SMB signing, then allow us to fall back to
898 * anonymous
899 */
900 if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
901 || NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
902 || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
903 || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_COMPUTER_NAME)
904 || NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_DOMAIN)
905 || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
906 || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
907 {
908 if (!cm_is_ipc_credentials(creds)) {
909 goto ipc_fallback;
910 }
911
912 if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
913 goto done;
914 }
915
916 goto anon_fallback;
917 }
918
919 goto done;
920
921 ipc_fallback:
922 TALLOC_FREE(creds);
923 tmp_status = cm_get_ipc_credentials(talloc_tos(), &creds);
924 if (!NT_STATUS_IS_OK(tmp_status)) {
925 result = tmp_status;
926 goto done;
927 }
928
929 if (cli_credentials_is_anonymous(creds)) {
930 goto anon_fallback;
931 }
932
933 machine_account = cli_credentials_get_username(creds);
934 machine_domain = cli_credentials_get_domain(creds);
935
936 DEBUG(5, ("connecting to %s from %s using NTLMSSP with username "
937 "[%s]\\[%s]\n", controller, lp_netbios_name(),
938 machine_domain, machine_account));
939
940 result = cli_session_setup_creds(*cli, creds);
941 if (NT_STATUS_IS_OK(result)) {
942 goto session_setup_done;
943 }
944
945 DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
946 controller,
947 cli_credentials_get_unparsed_name(creds, talloc_tos()),
948 nt_errstr(result)));
949
950 /*
951 * If we are not going to validate the connection
952 * with SMB signing, then allow us to fall back to
953 * anonymous
954 */
955 if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
956 || NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
957 || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
958 || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_COMPUTER_NAME)
959 || NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_DOMAIN)
960 || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
961 || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
962 {
963 goto anon_fallback;
964 }
965
966 goto done;
967
968 anon_fallback:
969 TALLOC_FREE(creds);
970
971 if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
972 goto done;
973 }
974
975 /* Fall back to anonymous connection, this might fail later */
976 DEBUG(5,("cm_prepare_connection: falling back to anonymous "
977 "connection for DC %s\n",
978 controller ));
979
980 result = cli_session_setup_anon(*cli);
981 if (NT_STATUS_IS_OK(result)) {
982 DEBUG(5, ("Connected anonymously\n"));
983 goto session_setup_done;
984 }
985
986 DEBUG(1, ("anonymous session setup to %s failed with %s\n",
987 controller, nt_errstr(result)));
988
989 /* We can't session setup */
990 goto done;
991
992 session_setup_done:
993 TALLOC_FREE(creds);
994
995 /*
996 * This should be a short term hack until
997 * dynamic re-authentication is implemented.
998 *
999 * See Bug 9175 - winbindd doesn't recover from
1000 * NT_STATUS_NETWORK_SESSION_EXPIRED
1001 */
1002 if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
1003 smbXcli_session_set_disconnect_expired((*cli)->smb2.session);
1004 }
1005
1006 result = cli_tree_connect(*cli, "IPC$", "IPC", NULL);
1007 if (!NT_STATUS_IS_OK(result)) {
1008 DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
1009 goto done;
1010 }
1011 tcon_status = result;
1012
1013 /* cache the server name for later connections */
1014
1015 saf_store(domain->name, controller);
1016 if (domain->alt_name) {
1017 saf_store(domain->alt_name, controller);
1018 }
1019
1020 winbindd_set_locator_kdc_envs(domain);
1021
1022 TALLOC_FREE(mutex);
1023 *retry = False;
1024
1025 result = NT_STATUS_OK;
1026
1027 done:
1028 TALLOC_FREE(mutex);
1029 TALLOC_FREE(creds);
1030
1031 if (NT_STATUS_IS_OK(result)) {
1032 result = tcon_status;
1033 }
1034
1035 if (!NT_STATUS_IS_OK(result)) {
1036 DEBUG(1, ("Failed to prepare SMB connection to %s: %s\n",
1037 controller, nt_errstr(result)));
1038 winbind_add_failed_connection_entry(domain, controller, result);
1039 if ((*cli) != NULL) {
1040 cli_shutdown(*cli);
1041 *cli = NULL;
1042 }
1043 }
1044
1045 return result;
1046 }
1047
1048 /*******************************************************************
1049 Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
1050 array.
1051
1052 Keeps the list unique by not adding duplicate entries.
1053
1054 @param[in] mem_ctx talloc memory context to allocate from
1055 @param[in] domain_name domain of the DC
1056 @param[in] dcname name of the DC to add to the list
1057 @param[in] pss Internet address and port pair to add to the list
1058 @param[in,out] dcs array of dc_name_ip structures to add to
1059 @param[in,out] num_dcs number of dcs returned in the dcs array
1060 @return true if the list was added to, false otherwise
1061 *******************************************************************/
1062
1063 static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
1064 const char *dcname, struct sockaddr_storage *pss,
1065 struct dc_name_ip **dcs, int *num)
1066 {
1067 int i = 0;
1068
1069 if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
1070 DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
1071 return False;
1072 }
1073
1074 /* Make sure there's no duplicates in the list */
1075 for (i=0; i<*num; i++)
1076 if (sockaddr_equal(
1077 (struct sockaddr *)(void *)&(*dcs)[i].ss,
1078 (struct sockaddr *)(void *)pss))
1079 return False;
1080
1081 *dcs = talloc_realloc(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
1082
1083 if (*dcs == NULL)
1084 return False;
1085
1086 fstrcpy((*dcs)[*num].name, dcname);
1087 (*dcs)[*num].ss = *pss;
1088 *num += 1;
1089 return True;
1090 }
1091
1092 static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
1093 struct sockaddr_storage *pss, uint16_t port,
1094 struct sockaddr_storage **addrs, int *num)
1095 {
1096 *addrs = talloc_realloc(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
1097
1098 if (*addrs == NULL) {
1099 *num = 0;
1100 return False;
1101 }
1102
1103 (*addrs)[*num] = *pss;
1104 set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
1105
1106 *num += 1;
1107 return True;
1108 }
1109
1110 #ifdef HAVE_ADS
1111 static bool dcip_check_name_ads(const struct winbindd_domain *domain,
1112 struct samba_sockaddr *sa,
1113 uint32_t request_flags,
1114 TALLOC_CTX *mem_ctx,
1115 char **namep)
1116 {
1117 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1118 char *name = NULL;
1119 ADS_STRUCT *ads = NULL;
1120 ADS_STATUS ads_status;
1121 char addr[INET6_ADDRSTRLEN];
1122
1123 print_sockaddr(addr, sizeof(addr), &sa->u.ss);
1124 D_DEBUG("Trying to figure out the DC name for domain '%s' at IP '%s'.\n",
1125 domain->name,
1126 addr);
1127
1128 ads = ads_init(tmp_ctx,
1129 domain->alt_name,
1130 domain->name,
1131 addr,
1132 ADS_SASL_PLAIN);
1133 if (ads == NULL) {
1134 ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1135 goto out;
1136 }
1137 ads->config.flags |= request_flags;
1138 ads->server.no_fallback = true;
1139
1140 ads_status = ads_connect_cldap_only(ads);
1141 if (!ADS_ERR_OK(ads_status)) {
1142 goto out;
1143 }
1144
1145 /* We got a cldap packet. */
1146 name = talloc_strdup(tmp_ctx, ads->config.ldap_server_name);
1147 if (name == NULL) {
1148 ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1149 goto out;
1150 }
1151 namecache_store(name, 0x20, 1, sa);
1152
1153 DBG_DEBUG("CLDAP flags = 0x%"PRIx32"\n", ads->config.flags);
1154
1155 if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
1156 if (ads_closest_dc(ads)) {
1157 char *sitename = sitename_fetch(tmp_ctx,
1158 ads->config.realm);
1159
1160 /* We're going to use this KDC for this realm/domain.
1161 If we are using sites, then force the krb5 libs
1162 to use this KDC. */
1163
1164 create_local_private_krb5_conf_for_domain(domain->alt_name,
1165 domain->name,
1166 sitename,
1167 &sa->u.ss);
1168
1169 TALLOC_FREE(sitename);
1170 } else {
1171 /* use an off site KDC */
1172 create_local_private_krb5_conf_for_domain(domain->alt_name,
1173 domain->name,
1174 NULL,
1175 &sa->u.ss);
1176 }
1177 winbindd_set_locator_kdc_envs(domain);
1178
1179 /* Ensure we contact this DC also. */
1180 saf_store(domain->name, name);
1181 saf_store(domain->alt_name, name);
1182 }
1183
1184 D_DEBUG("DC name for domain '%s' at IP '%s' is '%s'\n",
1185 domain->name,
1186 addr,
1187 name);
1188 *namep = talloc_move(mem_ctx, &name);
1189
1190 out:
1191 TALLOC_FREE(tmp_ctx);
1192
1193 return ADS_ERR_OK(ads_status) ? true : false;
1194 }
1195 #endif
1196
1197 /*******************************************************************
1198 convert an ip to a name
1199 For an AD Domain, it checks the requirements of the request flags.
1200 *******************************************************************/
1201
1202 static bool dcip_check_name(TALLOC_CTX *mem_ctx,
1203 const struct winbindd_domain *domain,
1204 const struct sockaddr_storage *pss,
1205 char **name, uint32_t request_flags)
1206 {
1207 struct samba_sockaddr sa = {0};
1208 uint32_t nt_version = NETLOGON_NT_VERSION_1;
1209 NTSTATUS status;
1210 const char *dc_name;
1211 fstring nbtname;
1212 #ifdef HAVE_ADS
1213 bool is_ad_domain = false;
1214 #endif
1215 bool ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
1216 if (!ok) {
1217 return false;
1218 }
1219
1220 #ifdef HAVE_ADS
1221 /* For active directory servers, try to get the ldap server name.
1222 None of these failures should be considered critical for now */
1223
1224 if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
1225 is_ad_domain = true;
1226 } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1227 is_ad_domain = domain->active_directory;
1228 }
1229
1230 if (is_ad_domain) {
1231 return dcip_check_name_ads(domain,
1232 &sa,
1233 request_flags,
1234 mem_ctx,
1235 name);
1236 }
1237 #endif
1238
1239 {
1240 size_t len = strlen(lp_netbios_name());
1241 char my_acct_name[len+2];
1242
1243 snprintf(my_acct_name,
1244 sizeof(my_acct_name),
1245 "%s$",
1246 lp_netbios_name());
1247
1248 status = nbt_getdc(global_messaging_context(), 10, &sa.u.ss,
1249 domain->name, &domain->sid,
1250 my_acct_name, ACB_WSTRUST,
1251 nt_version, mem_ctx, &nt_version,
1252 &dc_name, NULL);
1253 }
1254 if (NT_STATUS_IS_OK(status)) {
1255 *name = talloc_strdup(mem_ctx, dc_name);
1256 if (*name == NULL) {
1257 return false;
1258 }
1259 namecache_store(*name, 0x20, 1, &sa);
1260 return True;
1261 }
1262
1263 /* try node status request */
1264
1265 if (name_status_find(domain->name, 0x1c, 0x20, &sa.u.ss, nbtname) ) {
1266 namecache_store(nbtname, 0x20, 1, &sa);
1267
1268 if (name != NULL) {
1269 *name = talloc_strdup(mem_ctx, nbtname);
1270 if (*name == NULL) {
1271 return false;
1272 }
1273 }
1274
1275 return true;
1276 }
1277 return False;
1278 }
1279
1280 /*******************************************************************
1281 Retrieve a list of IP addresses for domain controllers.
1282
1283 The array is sorted in the preferred connection order.
1284
1285 @param[in] mem_ctx talloc memory context to allocate from
1286 @param[in] domain domain to retrieve DCs for
1287 @param[out] dcs array of dcs that will be returned
1288 @param[out] num_dcs number of dcs returned in the dcs array
1289 @return always true
1290 *******************************************************************/
1291
1292 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
1293 struct dc_name_ip **dcs, int *num_dcs,
1294 uint32_t request_flags)
1295 {
1296 fstring dcname;
1297 struct sockaddr_storage ss;
1298 struct samba_sockaddr *sa_list = NULL;
1299 size_t salist_size = 0;
1300 size_t i;
1301 bool is_our_domain;
1302 enum security_types sec = (enum security_types)lp_security();
1303
1304 is_our_domain = strequal(domain->name, lp_workgroup());
1305
1306 /* If not our domain, get the preferred DC, by asking our primary DC */
1307 if ( !is_our_domain
1308 && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags)
1309 && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
1310 num_dcs) )
1311 {
1312 char addr[INET6_ADDRSTRLEN];
1313 print_sockaddr(addr, sizeof(addr), &ss);
1314 DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
1315 dcname, addr));
1316 return True;
1317 }
1318
1319 if ((sec == SEC_ADS) && (domain->alt_name != NULL)) {
1320 char *sitename = NULL;
1321
1322 /* We need to make sure we know the local site before
1323 doing any DNS queries, as this will restrict the
1324 get_sorted_dc_list() call below to only fetching
1325 DNS records for the correct site. */
1326
1327 /* Find any DC to get the site record.
1328 We deliberately don't care about the
1329 return here. */
1330
1331 get_dc_name(domain->name, domain->alt_name, dcname, &ss);
1332
1333 sitename = sitename_fetch(mem_ctx, domain->alt_name);
1334 if (sitename) {
1335
1336 /* Do the site-specific AD dns lookup first. */
1337 (void)get_sorted_dc_list(mem_ctx,
1338 domain->alt_name,
1339 sitename,
1340 &sa_list,
1341 &salist_size,
1342 true);
1343
1344 /* Add ips to the DC array. We don't look up the name
1345 of the DC in this function, but we fill in the char*
1346 of the ip now to make the failed connection cache
1347 work */
1348 for ( i=0; i<salist_size; i++ ) {
1349 char addr[INET6_ADDRSTRLEN];
1350 print_sockaddr(addr, sizeof(addr),
1351 &sa_list[i].u.ss);
1352 add_one_dc_unique(mem_ctx,
1353 domain->name,
1354 addr,
1355 &sa_list[i].u.ss,
1356 dcs,
1357 num_dcs);
1358 }
1359
1360 TALLOC_FREE(sa_list);
1361 TALLOC_FREE(sitename);
1362 salist_size = 0;
1363 }
1364
1365 /* Now we add DCs from the main AD DNS lookup. */
1366 (void)get_sorted_dc_list(mem_ctx,
1367 domain->alt_name,
1368 NULL,
1369 &sa_list,
1370 &salist_size,
1371 true);
1372
1373 for ( i=0; i<salist_size; i++ ) {
1374 char addr[INET6_ADDRSTRLEN];
1375 print_sockaddr(addr, sizeof(addr),
1376 &sa_list[i].u.ss);
1377 add_one_dc_unique(mem_ctx,
1378 domain->name,
1379 addr,
1380 &sa_list[i].u.ss,
1381 dcs,
1382 num_dcs);
1383 }
1384
1385 TALLOC_FREE(sa_list);
1386 salist_size = 0;
1387 }
1388
1389 /* Try standard netbios queries if no ADS and fall back to DNS queries
1390 * if alt_name is available */
1391 if (*num_dcs == 0) {
1392 (void)get_sorted_dc_list(mem_ctx,
1393 domain->name,
1394 NULL,
1395 &sa_list,
1396 &salist_size,
1397 false);
1398 if (salist_size == 0) {
1399 if (domain->alt_name != NULL) {
1400 (void)get_sorted_dc_list(mem_ctx,
1401 domain->alt_name,
1402 NULL,
1403 &sa_list,
1404 &salist_size,
1405 true);
1406 }
1407 }
1408
1409 for ( i=0; i<salist_size; i++ ) {
1410 char addr[INET6_ADDRSTRLEN];
1411 print_sockaddr(addr, sizeof(addr),
1412 &sa_list[i].u.ss);
1413 add_one_dc_unique(mem_ctx,
1414 domain->name,
1415 addr,
1416 &sa_list[i].u.ss,
1417 dcs,
1418 num_dcs);
1419 }
1420
1421 TALLOC_FREE(sa_list);
1422 salist_size = 0;
1423 }
1424
1425 return True;
1426 }
1427
1428 static bool connect_preferred_dc(TALLOC_CTX *mem_ctx,
1429 struct winbindd_domain *domain,
1430 uint32_t request_flags,
1431 int *fd)
1432 {
1433 char *saf_servername = NULL;
1434 NTSTATUS status;
1435 bool ok;
1436
1437 /*
1438 * We have to check the server affinity cache here since later we select
1439 * a DC based on response time and not preference.
1440 */
1441 if (domain->force_dc) {
1442 saf_servername = domain->dcname;
1443 } else {
1444 saf_servername = saf_fetch(mem_ctx, domain->name);
1445 }
1446
1447 /*
1448 * Check the negative connection cache before talking to it. It going
1449 * down may have triggered the reconnection.
1450 */
1451 if (saf_servername != NULL) {
1452 status = check_negative_conn_cache(domain->name,
1453 saf_servername);
1454 if (!NT_STATUS_IS_OK(status)) {
1455 saf_servername = NULL;
1456 }
1457 }
1458
1459 if (saf_servername != NULL) {
1460 DBG_DEBUG("saf_servername is '%s' for domain %s\n",
1461 saf_servername, domain->name);
1462
1463 /* convert an ip address to a name */
1464 if (is_ipaddress(saf_servername)) {
1465 ok = interpret_string_addr(&domain->dcaddr,
1466 saf_servername,
1467 AI_NUMERICHOST);
1468 if (!ok) {
1469 return false;
1470 }
1471 } else {
1472 ok = resolve_name(saf_servername,
1473 &domain->dcaddr,
1474 0x20,
1475 true);
1476 if (!ok) {
1477 goto fail;
1478 }
1479 }
1480
1481 TALLOC_FREE(domain->dcname);
1482 ok = dcip_check_name(domain,
1483 domain,
1484 &domain->dcaddr,
1485 &domain->dcname,
1486 request_flags);
1487 if (!ok) {
1488 goto fail;
1489 }
1490 }
1491
1492 if (domain->dcname == NULL) {
1493 return false;
1494 }
1495
1496 status = check_negative_conn_cache(domain->name, domain->dcname);
1497 if (!NT_STATUS_IS_OK(status)) {
1498 return false;
1499 }
1500
1501 status = smbsock_connect(&domain->dcaddr, 0,
1502 domain->dcname, -1, NULL, -1,
1503 fd, NULL, 10);
1504 if (!NT_STATUS_IS_OK(status)) {
1505 winbind_add_failed_connection_entry(domain,
1506 domain->dcname,
1507 NT_STATUS_UNSUCCESSFUL);
1508 return false;
1509 }
1510 return true;
1511
1512 fail:
1513 winbind_add_failed_connection_entry(domain,
1514 saf_servername,
1515 NT_STATUS_UNSUCCESSFUL);
1516 return false;
1517
1518 }
1519
1520 /*******************************************************************
1521 Find and make a connection to a DC in the given domain.
1522
1523 @param[in] mem_ctx talloc memory context to allocate from
1524 @param[in] domain domain to find a dc in
1525 @param[out] fd fd of the open socket connected to the newly found dc
1526 @return true when a DC connection is made, false otherwise
1527 *******************************************************************/
1528
1529 static bool find_dc(TALLOC_CTX *mem_ctx,
1530 struct winbindd_domain *domain,
1531 uint32_t request_flags,
1532 int *fd)
1533 {
1534 struct dc_name_ip *dcs = NULL;
1535 int num_dcs = 0;
1536
1537 const char **dcnames = NULL;
1538 size_t num_dcnames = 0;
1539
1540 struct sockaddr_storage *addrs = NULL;
1541 int num_addrs = 0;
1542
1543 int i;
1544 size_t fd_index;
1545
1546 NTSTATUS status;
1547 bool ok;
1548
1549 *fd = -1;
1550
1551 D_NOTICE("First try to connect to the closest DC (using server "
1552 "affinity cache). If this fails, try to lookup the DC using "
1553 "DNS afterwards.\n");
1554 ok = connect_preferred_dc(mem_ctx, domain, request_flags, fd);
1555 if (ok) {
1556 return true;
1557 }
1558
1559 if (domain->force_dc) {
1560 return false;
1561 }
1562
1563 again:
1564 D_DEBUG("Retrieving a list of IP addresses for DCs.\n");
1565 if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs, request_flags) || (num_dcs == 0))
1566 return False;
1567
1568 D_DEBUG("Retrieved IP addresses for %d DCs.\n", num_dcs);
1569 for (i=0; i<num_dcs; i++) {
1570
1571 if (!add_string_to_array(mem_ctx, dcs[i].name,
1572 &dcnames, &num_dcnames)) {
1573 return False;
1574 }
1575 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, TCP_SMB_PORT,
1576 &addrs, &num_addrs)) {
1577 return False;
1578 }
1579 }
1580
1581 if ((num_dcnames == 0) || (num_dcnames != num_addrs))
1582 return False;
1583
1584 if ((addrs == NULL) || (dcnames == NULL))
1585 return False;
1586
1587 D_DEBUG("Trying to establish a connection to one of the %d DCs "
1588 "(timeout of 10 sec for each DC).\n",
1589 num_dcs);
1590 status = smbsock_any_connect(addrs, dcnames, NULL, NULL, NULL,
1591 num_addrs, 0, 10, fd, &fd_index, NULL);
1592 if (!NT_STATUS_IS_OK(status)) {
1593 for (i=0; i<num_dcs; i++) {
1594 char ab[INET6_ADDRSTRLEN];
1595 print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
1596 DBG_DEBUG("smbsock_any_connect failed for "
1597 "domain %s address %s. Error was %s\n",
1598 domain->name, ab, nt_errstr(status));
1599 winbind_add_failed_connection_entry(domain,
1600 dcs[i].name, NT_STATUS_UNSUCCESSFUL);
1601 }
1602 return False;
1603 }
1604 D_NOTICE("Successfully connected to DC '%s'.\n", dcs[fd_index].name);
1605
1606 domain->dcaddr = addrs[fd_index];
1607
1608 if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
1609 /* Ok, we've got a name for the DC */
1610 TALLOC_FREE(domain->dcname);
1611 domain->dcname = talloc_strdup(domain, dcnames[fd_index]);
1612 if (domain->dcname == NULL) {
1613 return false;
1614 }
1615 return true;
1616 }
1617
1618 /* Try to figure out the name */
1619 TALLOC_FREE(domain->dcname);
1620 ok = dcip_check_name(domain,
1621 domain,
1622 &domain->dcaddr,
1623 &domain->dcname,
1624 request_flags);
1625 if (ok) {
1626 return true;
1627 }
1628
1629 /* We can not continue without the DC's name */
1630 winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
1631 NT_STATUS_UNSUCCESSFUL);
1632
1633 /* Throw away all arrays as we're doing this again. */
1634 TALLOC_FREE(dcs);
1635 num_dcs = 0;
1636
1637 TALLOC_FREE(dcnames);
1638 num_dcnames = 0;
1639
1640 TALLOC_FREE(addrs);
1641 num_addrs = 0;
1642
1643 if (*fd != -1) {
1644 close(*fd);
1645 *fd = -1;
1646 }
1647
1648 /*
1649 * This should not be an infinite loop, since get_dcs() will not return
1650 * the DC added to the negative connection cache in the above
1651 * winbind_add_failed_connection_entry() call.
1652 */
1653 goto again;
1654 }
1655
1656 static char *current_dc_key(TALLOC_CTX *mem_ctx, const char *domain_name)
1657 {
1658 return talloc_asprintf_strupper_m(mem_ctx, "CURRENT_DCNAME/%s",
1659 domain_name);
1660 }
1661
1662 static void store_current_dc_in_gencache(const char *domain_name,
1663 const char *dc_name,
1664 const struct sockaddr_storage *dc_addr)
1665 {
1666 char addr[INET6_ADDRSTRLEN];
1667 char *key = NULL;
1668 char *value = NULL;
1669
1670 print_sockaddr(addr, sizeof(addr), dc_addr);
1671
1672 key = current_dc_key(talloc_tos(), domain_name);
1673 if (key == NULL) {
1674 goto done;
1675 }
1676
1677 value = talloc_asprintf(talloc_tos(), "%s %s", addr, dc_name);
1678 if (value == NULL) {
1679 goto done;
1680 }
1681
1682 gencache_set(key, value, 0x7fffffff);
1683 done:
1684 TALLOC_FREE(value);
1685 TALLOC_FREE(key);
1686 }
1687
1688 bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx,
1689 const char *domain_name,
1690 char **p_dc_name, char **p_dc_ip)
1691 {
1692 char *key, *p;
1693 char *value = NULL;
1694 bool ret = false;
1695 char *dc_name = NULL;
1696 char *dc_ip = NULL;
1697
1698 key = current_dc_key(talloc_tos(), domain_name);
1699 if (key == NULL) {
1700 goto done;
1701 }
1702 if (!gencache_get(key, mem_ctx, &value, NULL)) {
1703 goto done;
1704 }
1705 p = strchr(value, ' ');
1706 if (p == NULL) {
1707 goto done;
1708 }
1709 dc_ip = talloc_strndup(mem_ctx, value, p - value);
1710 if (dc_ip == NULL) {
1711 goto done;
1712 }
1713 dc_name = talloc_strdup(mem_ctx, p+1);
1714 if (dc_name == NULL) {
1715 goto done;
1716 }
1717
1718 if (p_dc_ip != NULL) {
1719 *p_dc_ip = dc_ip;
1720 dc_ip = NULL;
1721 }
1722 if (p_dc_name != NULL) {
1723 *p_dc_name = dc_name;
1724 dc_name = NULL;
1725 }
1726 ret = true;
1727 done:
1728 TALLOC_FREE(dc_name);
1729 TALLOC_FREE(dc_ip);
1730 TALLOC_FREE(key);
1731 TALLOC_FREE(value);
1732 return ret;
1733 }
1734
1735 NTSTATUS wb_open_internal_pipe(TALLOC_CTX *mem_ctx,
1736 const struct ndr_interface_table *table,
1737 struct rpc_pipe_client **ret_pipe)
1738 {
1739 struct rpc_pipe_client *cli = NULL;
1740 const struct auth_session_info *session_info = NULL;
1741 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1742
1743
1744 session_info = get_session_info_system();
1745 SMB_ASSERT(session_info != NULL);
1746
1747 status = rpc_pipe_open_local_np(
1748 mem_ctx, table, NULL, NULL, NULL, NULL, session_info, &cli);
1749 if (!NT_STATUS_IS_OK(status)) {
1750 return status;
1751 }
1752
1753 if (ret_pipe) {
1754 *ret_pipe = cli;
1755 }
1756
1757 return NT_STATUS_OK;
1758 }
1759
1760 static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
1761 struct winbindd_cm_conn *new_conn,
1762 bool need_rw_dc)
1763 {
1764 TALLOC_CTX *mem_ctx;
1765 NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1766 int retries;
1767 uint32_t request_flags = need_rw_dc ? DS_WRITABLE_REQUIRED : 0;
1768 int fd = -1;
1769 bool retry = false;
1770 bool seal_pipes = true;
1771
1772 if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
1773 set_domain_offline(domain);
1774 return NT_STATUS_NO_MEMORY;
1775 }
1776
1777 D_NOTICE("Creating connection to domain controller. This is a start of "
1778 "a new connection or a DC failover. The failover only happens "
1779 "if the domain has more than one DC. We will try to connect 3 "
1780 "times at most.\n");
1781 for (retries = 0; retries < 3; retries++) {
1782 bool found_dc;
1783
1784 D_DEBUG("Attempt %d/3: DC '%s' of domain '%s'.\n",
1785 retries,
1786 domain->dcname ? domain->dcname : "",
1787 domain->name);
1788
1789 found_dc = find_dc(mem_ctx, domain, request_flags, &fd);
1790 if (!found_dc) {
1791 /* This is the one place where we will
1792 set the global winbindd offline state
1793 to true, if a "WINBINDD_OFFLINE" entry
1794 is found in the winbindd cache. */
1795 set_global_winbindd_state_offline();
1796 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1797 break;
1798 }
1799
1800 new_conn->cli = NULL;
1801
1802 result = cm_prepare_connection(domain, fd, domain->dcname,
1803 &new_conn->cli, &retry);
1804 if (NT_STATUS_IS_OK(result)) {
1805 break;
1806 }
1807 if (!retry) {
1808 break;
1809 }
1810 }
1811
1812 if (!NT_STATUS_IS_OK(result)) {
1813 /* Ensure we setup the retry handler. */
1814 set_domain_offline(domain);
1815 goto out;
1816 }
1817
1818 winbindd_set_locator_kdc_envs(domain);
1819
1820 if (domain->online == False) {
1821 /* We're changing state from offline to online. */
1822 set_global_winbindd_state_online();
1823 }
1824 set_domain_online(domain);
1825
1826 /*
1827 * Much as I hate global state, this seems to be the point
1828 * where we can be certain that we have a proper connection to
1829 * a DC. wbinfo --dc-info needs that information, store it in
1830 * gencache with a looong timeout. This will need revisiting
1831 * once we start to connect to multiple DCs, wbcDcInfo is
1832 * already prepared for that.
1833 */
1834 store_current_dc_in_gencache(domain->name,
1835 domain->dcname,
1836 &domain->dcaddr);
1837
1838 seal_pipes = lp_winbind_sealed_pipes();
1839 seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
1840 domain->name,
1841 seal_pipes);
1842
1843 if (seal_pipes) {
1844 new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1845 } else {
1846 new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1847 }
1848
1849 out:
1850 talloc_destroy(mem_ctx);
1851 return result;
1852 }
1853
1854 /* Close down all open pipes on a connection. */
1855
1856 void invalidate_cm_connection(struct winbindd_domain *domain)
1857 {
1858 NTSTATUS result;
1859 struct winbindd_cm_conn *conn = &domain->conn;
1860
1861 domain->sequence_number = DOM_SEQUENCE_NONE;
1862 domain->last_seq_check = 0;
1863 domain->last_status = NT_STATUS_SERVER_DISABLED;
1864
1865 /* We're closing down a possibly dead
1866 connection. Don't have impossibly long (10s) timeouts. */
1867
1868 if (conn->cli) {
1869 cli_set_timeout(conn->cli, 1000); /* 1 second. */
1870 }
1871
1872 if (conn->samr_pipe != NULL) {
1873 if (is_valid_policy_hnd(&conn->sam_connect_handle)) {
1874 dcerpc_samr_Close(conn->samr_pipe->binding_handle,
1875 talloc_tos(),
1876 &conn->sam_connect_handle,
1877 &result);
1878 }
1879 TALLOC_FREE(conn->samr_pipe);
1880 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1881 if (conn->cli) {
1882 cli_set_timeout(conn->cli, 500);
1883 }
1884 }
1885
1886 if (conn->lsa_pipe != NULL) {
1887 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1888 dcerpc_lsa_Close(conn->lsa_pipe->binding_handle,
1889 talloc_tos(),
1890 &conn->lsa_policy,
1891 &result);
1892 }
1893 TALLOC_FREE(conn->lsa_pipe);
1894 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1895 if (conn->cli) {
1896 cli_set_timeout(conn->cli, 500);
1897 }
1898 }
1899
1900 if (conn->lsa_pipe_tcp != NULL) {
1901 if (is_valid_policy_hnd(&conn->lsa_policy)) {
1902 dcerpc_lsa_Close(conn->lsa_pipe_tcp->binding_handle,
1903 talloc_tos(),
1904 &conn->lsa_policy,
1905 &result);
1906 }
1907 TALLOC_FREE(conn->lsa_pipe_tcp);
1908 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1909 if (conn->cli) {
1910 cli_set_timeout(conn->cli, 500);
1911 }
1912 }
1913
1914 if (conn->netlogon_pipe != NULL) {
1915 TALLOC_FREE(conn->netlogon_pipe);
1916 /* Ok, it must be dead. Drop timeout to 0.5 sec. */
1917 if (conn->cli) {
1918 cli_set_timeout(conn->cli, 500);
1919 }
1920 }
1921
1922 conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1923 TALLOC_FREE(conn->netlogon_creds_ctx);
1924
1925 if (conn->cli) {
1926 cli_shutdown(conn->cli);
1927 }
1928
1929 conn->cli = NULL;
1930 }
1931
1932 void close_conns_after_fork(void)
1933 {
1934 struct winbindd_domain *domain;
1935 struct winbindd_cli_state *cli_state;
1936
1937 for (domain = domain_list(); domain; domain = domain->next) {
1938 /*
1939 * first close the low level SMB TCP connection
1940 * so that we don't generate any SMBclose
1941 * requests in invalidate_cm_connection()
1942 */
1943 if (cli_state_is_connected(domain->conn.cli)) {
1944 smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
1945 }
1946
1947 invalidate_cm_connection(domain);
1948 }
1949
1950 for (cli_state = winbindd_client_list();
1951 cli_state != NULL;
1952 cli_state = cli_state->next) {
1953 if (cli_state->sock >= 0) {
1954 close(cli_state->sock);
1955 cli_state->sock = -1;
1956 }
1957 }
1958 }
1959
1960 static bool connection_ok(struct winbindd_domain *domain)
1961 {
1962 bool ok;
1963
1964 ok = cli_state_is_connected(domain->conn.cli);
1965 if (!ok) {
1966 DEBUG(3, ("connection_ok: Connection to %s for domain %s is not connected\n",
1967 domain->dcname, domain->name));
1968 return False;
1969 }
1970
1971 if (!domain->online) {
1972 DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
1973 return False;
1974 }
1975
1976 return True;
1977 }
1978
1979 /* Initialize a new connection up to the RPC BIND.
1980 Bypass online status check so always does network calls. */
1981
1982 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc)
1983 {
1984 NTSTATUS result;
1985 bool skip_connection = domain->internal;
1986 if (need_rw_dc && domain->rodc) {
1987 skip_connection = false;
1988 }
1989
1990 /* Internal connections never use the network. */
1991 if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
1992 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1993 }
1994
1995 /* Still ask the internal LSA and SAMR server about the local domain */
1996 if (skip_connection || connection_ok(domain)) {
1997 if (!domain->initialized) {
1998 set_dc_type_and_flags(domain);
1999 }
2000 return NT_STATUS_OK;
2001 }
2002
2003 invalidate_cm_connection(domain);
2004
2005 if (!domain->primary && !domain->initialized) {
2006 /*
2007 * Before we connect to a trust, work out if it is an
2008 * AD domain by asking our own domain.
2009 */
2010 set_dc_type_and_flags_trustinfo(domain);
2011 }
2012
2013 result = cm_open_connection(domain, &domain->conn, need_rw_dc);
2014
2015 if (NT_STATUS_IS_OK(result) && !domain->initialized) {
2016 set_dc_type_and_flags(domain);
2017 }
2018
2019 return result;
2020 }
2021
2022 NTSTATUS init_dc_connection(struct winbindd_domain *domain, bool need_rw_dc)
2023 {
2024 if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
2025 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2026 }
2027
2028 SMB_ASSERT(wb_child_domain() || idmap_child());
2029
2030 return init_dc_connection_network(domain, need_rw_dc);
2031 }
2032
2033 static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain, bool need_rw_dc)
2034 {
2035 NTSTATUS status;
2036
2037 status = init_dc_connection(domain, need_rw_dc);
2038 if (!NT_STATUS_IS_OK(status)) {
2039 return status;
2040 }
2041
2042 if (!domain->internal && domain->conn.cli == NULL) {
2043 /* happens for trusted domains without inbound trust */
2044 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2045 }
2046
2047 return NT_STATUS_OK;
2048 }
2049
2050 /******************************************************************************
2051 Set the trust flags (direction and forest location) for a domain
2052 ******************************************************************************/
2053
2054 static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
2055 {
2056 struct winbindd_domain *our_domain;
2057 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2058 WERROR werr;
2059 struct netr_DomainTrustList trusts;
2060 int i;
2061 uint32_t flags = (NETR_TRUST_FLAG_IN_FOREST |
2062 NETR_TRUST_FLAG_OUTBOUND |
2063 NETR_TRUST_FLAG_INBOUND);
2064 struct rpc_pipe_client *cli;
2065 TALLOC_CTX *mem_ctx = NULL;
2066 struct dcerpc_binding_handle *b;
2067
2068 if (IS_DC) {
2069 /*
2070 * On a DC we loaded all trusts
2071 * from configuration and never learn
2072 * new domains.
2073 */
2074 return true;
2075 }
2076
2077 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
2078
2079 /* Our primary domain doesn't need to worry about trust flags.
2080 Force it to go through the network setup */
2081 if ( domain->primary ) {
2082 return False;
2083 }
2084
2085 mem_ctx = talloc_stackframe();
2086 our_domain = find_our_domain();
2087 if (our_domain->internal) {
2088 result = init_dc_connection(our_domain, false);
2089 if (!NT_STATUS_IS_OK(result)) {
2090 DEBUG(3,("set_dc_type_and_flags_trustinfo: "
2091 "Not able to make a connection to our domain: %s\n",
2092 nt_errstr(result)));
2093 TALLOC_FREE(mem_ctx);
2094 return false;
2095 }
2096 }
2097
2098 /* This won't work unless our domain is AD */
2099 if ( !our_domain->active_directory ) {
2100 TALLOC_FREE(mem_ctx);
2101 return False;
2102 }
2103
2104 if (our_domain->internal) {
2105 result = wb_open_internal_pipe(mem_ctx, &ndr_table_netlogon, &cli);
2106 } else if (!connection_ok(our_domain)) {
2107 DEBUG(3,("set_dc_type_and_flags_trustinfo: "
2108 "No connection to our domain!\n"));
2109 TALLOC_FREE(mem_ctx);
2110 return False;
2111 } else {
2112 result = cm_connect_netlogon(our_domain, &cli);
2113 }
2114
2115 if (!NT_STATUS_IS_OK(result)) {
2116 DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
2117 "a connection to %s for PIPE_NETLOGON (%s)\n",
2118 domain->name, nt_errstr(result)));
2119 TALLOC_FREE(mem_ctx);
2120 return False;
2121 }
2122 b = cli->binding_handle;
2123
2124 /* Use DsEnumerateDomainTrusts to get us the trust direction and type. */
2125 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
2126 cli->desthost,
2127 flags,
2128 &trusts,
2129 &werr);
2130 if (!NT_STATUS_IS_OK(result)) {
2131 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
2132 "failed to query trusted domain list: %s\n",
2133 nt_errstr(result)));
2134 TALLOC_FREE(mem_ctx);
2135 return false;
2136 }
2137 if (!W_ERROR_IS_OK(werr)) {
2138 DEBUG(0,("set_dc_type_and_flags_trustinfo: "
2139 "failed to query trusted domain list: %s\n",
2140 win_errstr(werr)));
2141 TALLOC_FREE(mem_ctx);
2142 return false;
2143 }
2144
2145 /* Now find the domain name and get the flags */
2146
2147 for ( i=0; i<trusts.count; i++ ) {
2148 if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
2149 domain->domain_flags = trusts.array[i].trust_flags;
2150 domain->domain_type = trusts.array[i].trust_type;
2151 domain->domain_trust_attribs = trusts.array[i].trust_attributes;
2152
2153 if ( domain->domain_type == LSA_TRUST_TYPE_UPLEVEL )
2154 domain->active_directory = True;
2155
2156 DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
2157 "running active directory.\n", domain->name,
2158 domain->active_directory ? "" : "NOT "));
2159
2160 domain->can_do_ncacn_ip_tcp = domain->active_directory;
2161
2162 domain->initialized = True;
2163
2164 break;
2165 }
2166 }
2167
2168 TALLOC_FREE(mem_ctx);
2169
2170 return domain->initialized;
2171 }
2172
2173 /******************************************************************************
2174 We can 'sense' certain things about the DC by it's replies to certain
2175 questions.
2176
2177 This tells us if this particular remote server is Active Directory, and if it
2178 is native mode.
2179 ******************************************************************************/
2180
2181 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
2182 {
2183 NTSTATUS status, result;
2184 NTSTATUS close_status = NT_STATUS_UNSUCCESSFUL;
2185 TALLOC_CTX *mem_ctx = NULL;
2186 struct rpc_pipe_client *cli = NULL;
2187 struct policy_handle pol = { .handle_type = 0 };
2188 union lsa_PolicyInformation *lsa_info = NULL;
2189 union lsa_revision_info out_revision_info = {
2190 .info1 = {
2191 .revision = 0,
2192 },
2193 };
2194 uint32_t out_version = 0;
2195
2196 if (!domain->internal && !connection_ok(domain)) {
2197 return;
2198 }
2199
2200 mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
2201 domain->name);
2202 if (!mem_ctx) {
2203 DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
2204 return;
2205 }
2206
2207 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
2208
2209 if (domain->internal) {
2210 status = wb_open_internal_pipe(mem_ctx,
2211 &ndr_table_lsarpc,
2212 &cli);
2213 } else {
2214 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
2215 &ndr_table_lsarpc, &cli);
2216 }
2217 if (!NT_STATUS_IS_OK(status)) {
2218 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
2219 "PI_LSARPC on domain %s: (%s)\n",
2220 domain->name, nt_errstr(status)));
2221 TALLOC_FREE(cli);
2222 TALLOC_FREE(mem_ctx);
2223 return;
2224 }
2225
2226 status = dcerpc_lsa_open_policy_fallback(cli->binding_handle,
2227 mem_ctx,
2228 cli->srv_name_slash,
2229 true,
2230 SEC_FLAG_MAXIMUM_ALLOWED,
2231 &out_version,
2232 &out_revision_info,
2233 &pol,
2234 &result);
2235
2236 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2237 /* This particular query is exactly what Win2k clients use
2238 to determine that the DC is active directory */
2239 status = dcerpc_lsa_QueryInfoPolicy2(cli->binding_handle, mem_ctx,
2240 &pol,
2241 LSA_POLICY_INFO_DNS,
2242 &lsa_info,
2243 &result);
2244 }
2245
2246 /*
2247 * If the status and result will not be OK we will fallback to
2248 * OpenPolicy.
2249 */
2250 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2251 domain->active_directory = True;
2252
2253 if (lsa_info->dns.name.string) {
2254 if (!strequal(domain->name, lsa_info->dns.name.string))
2255 {
2256 DEBUG(1, ("set_dc_type_and_flags_connect: DC "
2257 "for domain %s claimed it was a DC "
2258 "for domain %s, refusing to "
2259 "initialize\n",
2260 domain->name,
2261 lsa_info->dns.name.string));
2262 TALLOC_FREE(cli);
2263 TALLOC_FREE(mem_ctx);
2264 return;
2265 }
2266 talloc_free(domain->name);
2267 domain->name = talloc_strdup(domain,
2268 lsa_info->dns.name.string);
2269 if (domain->name == NULL) {
2270 goto done;
2271 }
2272 }
2273
2274 if (lsa_info->dns.dns_domain.string) {
2275 if (domain->alt_name != NULL &&
2276 !strequal(domain->alt_name,
2277 lsa_info->dns.dns_domain.string))
2278 {
2279 DEBUG(1, ("set_dc_type_and_flags_connect: DC "
2280 "for domain %s (%s) claimed it was "
2281 "a DC for domain %s, refusing to "
2282 "initialize\n",
2283 domain->alt_name, domain->name,
2284 lsa_info->dns.dns_domain.string));
2285 TALLOC_FREE(cli);
2286 TALLOC_FREE(mem_ctx);
2287 return;
2288 }
2289 talloc_free(domain->alt_name);
2290 domain->alt_name =
2291 talloc_strdup(domain,
2292 lsa_info->dns.dns_domain.string);
2293 if (domain->alt_name == NULL) {
2294 goto done;
2295 }
2296 }
2297
2298 /* See if we can set some domain trust flags about
2299 ourself */
2300
2301 if (lsa_info->dns.dns_forest.string) {
2302 talloc_free(domain->forest_name);
2303 domain->forest_name =
2304 talloc_strdup(domain,
2305 lsa_info->dns.dns_forest.string);
2306 if (domain->forest_name == NULL) {
2307 goto done;
2308 }
2309
2310 if (strequal(domain->forest_name, domain->alt_name)) {
2311 domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
2312 }
2313 }
2314
2315 if (lsa_info->dns.sid) {
2316 if (!is_null_sid(&domain->sid) &&
2317 !dom_sid_equal(&domain->sid,
2318 lsa_info->dns.sid))
2319 {
2320 struct dom_sid_buf buf1, buf2;
2321 DEBUG(1, ("set_dc_type_and_flags_connect: DC "
2322 "for domain %s (%s) claimed it was "
2323 "a DC for domain %s, refusing to "
2324 "initialize\n",
2325 dom_sid_str_buf(&domain->sid, &buf1),
2326 domain->name,
2327 dom_sid_str_buf(lsa_info->dns.sid,
2328 &buf2)));
2329 TALLOC_FREE(cli);
2330 TALLOC_FREE(mem_ctx);
2331 return;
2332 }
2333 sid_copy(&domain->sid, lsa_info->dns.sid);
2334 }
2335 } else {
2336 domain->active_directory = False;
2337
2338 status = rpccli_lsa_open_policy(cli, mem_ctx, True,
2339 SEC_FLAG_MAXIMUM_ALLOWED,
2340 &pol);
2341
2342 if (!NT_STATUS_IS_OK(status)) {
2343 goto done;
2344 }
2345
2346 status = dcerpc_lsa_QueryInfoPolicy(cli->binding_handle, mem_ctx,
2347 &pol,
2348 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
2349 &lsa_info,
2350 &result);
2351 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2352
2353 if (lsa_info->account_domain.name.string) {
2354 if (!strequal(domain->name,
2355 lsa_info->account_domain.name.string))
2356 {
2357 DEBUG(1,
2358 ("set_dc_type_and_flags_connect: "
2359 "DC for domain %s claimed it was"
2360 " a DC for domain %s, refusing "
2361 "to initialize\n", domain->name,
2362 lsa_info->
2363 account_domain.name.string));
2364 TALLOC_FREE(cli);
2365 TALLOC_FREE(mem_ctx);
2366 return;
2367 }
2368 talloc_free(domain->name);
2369 domain->name =
2370 talloc_strdup(domain,
2371 lsa_info->account_domain.name.string);
2372 }
2373
2374 if (lsa_info->account_domain.sid) {
2375 if (!is_null_sid(&domain->sid) &&
2376 !dom_sid_equal(&domain->sid,
2377 lsa_info->account_domain.sid))
2378 {
2379 struct dom_sid_buf buf1, buf2;
2380 DEBUG(1,
2381 ("set_dc_type_and_flags_connect: "
2382 "DC for domain %s (%s) claimed "
2383 "it was a DC for domain %s, "
2384 "refusing to initialize\n",
2385 dom_sid_str_buf(
2386 &domain->sid, &buf1),
2387 domain->name,
2388 dom_sid_str_buf(
2389 lsa_info->account_domain.sid,
2390 &buf2)));
2391 TALLOC_FREE(cli);
2392 TALLOC_FREE(mem_ctx);
2393 return;
2394 }
2395 sid_copy(&domain->sid, lsa_info->account_domain.sid);
2396 }
2397 }
2398 }
2399 done:
2400 if (is_valid_policy_hnd(&pol)) {
2401 dcerpc_lsa_Close(cli->binding_handle,
2402 mem_ctx,
2403 &pol,
2404 &close_status);
2405 }
2406
2407 DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
2408 domain->name, domain->active_directory ? "" : "NOT "));
2409
2410 domain->can_do_ncacn_ip_tcp = domain->active_directory;
2411
2412 TALLOC_FREE(cli);
2413
2414 TALLOC_FREE(mem_ctx);
2415
2416 domain->initialized = True;
2417 }
2418
2419 /**********************************************************************
2420 Set the domain_flags (trust attributes, domain operating modes, etc...
2421 ***********************************************************************/
2422
2423 static void set_dc_type_and_flags( struct winbindd_domain *domain )
2424 {
2425 if (IS_DC) {
2426 /*
2427 * On a DC we loaded all trusts
2428 * from configuration and never learn
2429 * new domains.
2430 */
2431 return;
2432 }
2433
2434 /* we always have to contact our primary domain */
2435 if (domain->primary || domain->internal) {
2436 /*
2437 * primary and internal domains are
2438 * are already completely
2439 * setup via init_domain_list()
2440 * calling add_trusted_domain()
2441 *
2442 * There's no need to ask the
2443 * server again, if it hosts an AD
2444 * domain...
2445 */
2446 domain->initialized = true;
2447 return;
2448 }
2449
2450 /* Use our DC to get the information if possible */
2451
2452 if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
2453 /* Otherwise, fallback to contacting the
2454 domain directly */
2455 set_dc_type_and_flags_connect( domain );
2456 }
2457
2458 return;
2459 }
2460
2461
2462
2463 /**********************************************************************
2464 ***********************************************************************/
2465
2466 static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
2467 struct netlogon_creds_cli_context **ppdc)
2468 {
2469 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2470 struct rpc_pipe_client *netlogon_pipe;
2471
2472 *ppdc = NULL;
2473
2474 if ((!IS_DC) && (!domain->primary)) {
2475 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
2476 }
2477
2478 if (domain->conn.netlogon_creds_ctx != NULL) {
2479 *ppdc = domain->conn.netlogon_creds_ctx;
2480 return NT_STATUS_OK;
2481 }
2482
2483 result = cm_connect_netlogon_secure(domain, &netlogon_pipe, ppdc);
2484 if (!NT_STATUS_IS_OK(result)) {
2485 return result;
2486 }
2487
2488 return NT_STATUS_OK;
2489 }
2490
2491 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2492 bool need_rw_dc,
2493 struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
2494 {
2495 struct winbindd_cm_conn *conn;
2496 NTSTATUS status, result;
2497 struct netlogon_creds_cli_context *p_creds;
2498 struct cli_credentials *creds = NULL;
2499 bool retry = false; /* allow one retry attempt for expired session */
2500 const char *remote_name = NULL;
2501 const struct sockaddr_storage *remote_sockaddr = NULL;
2502 bool sealed_pipes = true;
2503 bool strong_key = true;
2504
2505 if (sid_check_is_our_sam(&domain->sid)) {
2506 if (domain->rodc == false || need_rw_dc == false) {
2507 return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
2508 }
2509 }
2510
2511 if (IS_AD_DC) {
2512 /*
2513 * In theory we should not use SAMR within
2514 * winbindd at all, but that's a larger task to
2515 * remove this and avoid breaking existing
2516 * setups.
2517 *
2518 * At least as AD DC we have the restriction
2519 * to avoid SAMR against trusted domains,
2520 * as there're no existing setups.
2521 */
2522 return NT_STATUS_REQUEST_NOT_ACCEPTED;
2523 }
2524
2525 retry:
2526 status = init_dc_connection_rpc(domain, need_rw_dc);
2527 if (!NT_STATUS_IS_OK(status)) {
2528 return status;
2529 }
2530
2531 conn = &domain->conn;
2532
2533 if (rpccli_is_connected(conn->samr_pipe)) {
2534 goto done;
2535 }
2536
2537 TALLOC_FREE(conn->samr_pipe);
2538
2539 /*
2540 * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
2541 * sign and sealed pipe using the machine account password by
2542 * preference. If we can't - try schannel, if that fails, try
2543 * anonymous.
2544 */
2545
2546 result = winbindd_get_trust_credentials(domain,
2547 talloc_tos(),
2548 false, /* netlogon */
2549 true, /* ipc_fallback */
2550 &creds);
2551 if (!NT_STATUS_IS_OK(result)) {
2552 DEBUG(10, ("cm_connect_sam: No user available for "
2553 "domain %s, trying schannel\n", domain->name));
2554 goto schannel;
2555 }
2556
2557 if (cli_credentials_is_anonymous(creds)) {
2558 goto anonymous;
2559 }
2560
2561 remote_name = smbXcli_conn_remote_name(conn->cli->conn);
2562 remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
2563
2564 /*
2565 * We have an authenticated connection. Use a SPNEGO
2566 * authenticated SAMR pipe with sign & seal.
2567 */
2568 status = cli_rpc_pipe_open_with_creds(conn->cli,
2569 &ndr_table_samr,
2570 NCACN_NP,
2571 DCERPC_AUTH_TYPE_SPNEGO,
2572 conn->auth_level,
2573 remote_name,
2574 remote_sockaddr,
2575 creds,
2576 &conn->samr_pipe);
2577
2578 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
2579 && !retry) {
2580 invalidate_cm_connection(domain);
2581 retry = true;
2582 goto retry;
2583 }
2584
2585 if (!NT_STATUS_IS_OK(status)) {
2586 DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
2587 "pipe for domain %s using NTLMSSP "
2588 "authenticated pipe: user %s. Error was "
2589 "%s\n", domain->name,
2590 cli_credentials_get_unparsed_name(creds, talloc_tos()),
2591 nt_errstr(status)));
2592 goto schannel;
2593 }
2594
2595 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
2596 "domain %s using NTLMSSP authenticated "
2597 "pipe: user %s\n", domain->name,
2598 cli_credentials_get_unparsed_name(creds, talloc_tos())));
2599
2600 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2601 conn->samr_pipe->desthost,
2602 SEC_FLAG_MAXIMUM_ALLOWED,
2603 &conn->sam_connect_handle,
2604 &result);
2605
2606 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
2607 invalidate_cm_connection(domain);
2608 TALLOC_FREE(conn->samr_pipe);
2609 retry = true;
2610 goto retry;
2611 }
2612
2613 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2614 goto open_domain;
2615 }
2616 if (NT_STATUS_IS_OK(status)) {
2617 status = result;
2618 }
2619
2620 DEBUG(10,("cm_connect_sam: ntlmssp-sealed dcerpc_samr_Connect2 "
2621 "failed for domain %s, error was %s. Trying schannel\n",
2622 domain->name, nt_errstr(status) ));
2623 TALLOC_FREE(conn->samr_pipe);
2624
2625 schannel:
2626
2627 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2628
2629 status = cm_get_schannel_creds(domain, &p_creds);
2630 if (!NT_STATUS_IS_OK(status)) {
2631 /* If this call fails - conn->cli can now be NULL ! */
2632 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
2633 "for domain %s (error %s), trying anon\n",
2634 domain->name,
2635 nt_errstr(status) ));
2636 goto anonymous;
2637 }
2638 TALLOC_FREE(creds);
2639 status = cli_rpc_pipe_open_schannel_with_creds(
2640 conn->cli, &ndr_table_samr, NCACN_NP, p_creds,
2641 remote_name,
2642 remote_sockaddr,
2643 &conn->samr_pipe);
2644
2645 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
2646 && !retry) {
2647 invalidate_cm_connection(domain);
2648 retry = true;
2649 goto retry;
2650 }
2651
2652 if (!NT_STATUS_IS_OK(status)) {
2653 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
2654 "domain %s using schannel. Error was %s\n",
2655 domain->name, nt_errstr(status) ));
2656 goto anonymous;
2657 }
2658 DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
2659 "schannel.\n", domain->name ));
2660
2661 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2662 conn->samr_pipe->desthost,
2663 SEC_FLAG_MAXIMUM_ALLOWED,
2664 &conn->sam_connect_handle,
2665 &result);
2666
2667 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
2668 invalidate_cm_connection(domain);
2669 TALLOC_FREE(conn->samr_pipe);
2670 retry = true;
2671 goto retry;
2672 }
2673
2674 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2675 goto open_domain;
2676 }
2677 if (NT_STATUS_IS_OK(status)) {
2678 status = result;
2679 }
2680 DEBUG(10,("cm_connect_sam: schannel-sealed dcerpc_samr_Connect2 failed "
2681 "for domain %s, error was %s. Trying anonymous\n",
2682 domain->name, nt_errstr(status) ));
2683 TALLOC_FREE(conn->samr_pipe);
2684
2685 anonymous:
2686
2687 sealed_pipes = lp_winbind_sealed_pipes();
2688 sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
2689 domain->name,
2690 sealed_pipes);
2691 strong_key = lp_require_strong_key();
2692 strong_key = lp_parm_bool(-1, "require strong key",
2693 domain->name,
2694 strong_key);
2695
2696 /* Finally fall back to anonymous. */
2697 if (sealed_pipes || strong_key) {
2698 status = NT_STATUS_DOWNGRADE_DETECTED;
2699 DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
2700 "without connection level security, "
2701 "must set 'winbind sealed pipes:%s = false' and "
2702 "'require strong key:%s = false' to proceed: %s\n",
2703 domain->name, domain->name, domain->name,
2704 nt_errstr(status)));
2705 goto done;
2706 }
2707 status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
2708 &conn->samr_pipe);
2709
2710 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
2711 && !retry) {
2712 invalidate_cm_connection(domain);
2713 retry = true;
2714 goto retry;
2715 }
2716
2717 if (!NT_STATUS_IS_OK(status)) {
2718 goto done;
2719 }
2720
2721 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
2722 conn->samr_pipe->desthost,
2723 SEC_FLAG_MAXIMUM_ALLOWED,
2724 &conn->sam_connect_handle,
2725 &result);
2726
2727 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
2728 invalidate_cm_connection(domain);
2729 TALLOC_FREE(conn->samr_pipe);
2730 retry = true;
2731 goto retry;
2732 }
2733
2734 if (!NT_STATUS_IS_OK(status)) {
2735 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
2736 "for domain %s Error was %s\n",
2737 domain->name, nt_errstr(status) ));
2738 goto done;
2739 }
2740 if (!NT_STATUS_IS_OK(result)) {
2741 status = result;
2742 DEBUG(10,("cm_connect_sam: dcerpc_samr_Connect2 failed "
2743 "for domain %s Error was %s\n",
2744 domain->name, nt_errstr(result)));
2745 goto done;
2746 }
2747
2748 open_domain:
2749 status = dcerpc_samr_OpenDomain(conn->samr_pipe->binding_handle,
2750 mem_ctx,
2751 &conn->sam_connect_handle,
2752 SEC_FLAG_MAXIMUM_ALLOWED,
2753 &domain->sid,
2754 &conn->sam_domain_handle,
2755 &result);
2756 if (!NT_STATUS_IS_OK(status)) {
2757 goto done;
2758 }
2759
2760 status = result;
2761 done:
2762
2763 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
2764 /*
2765 * if we got access denied, we might just have no access rights
2766 * to talk to the remote samr server server (e.g. when we are a
2767 * PDC and we are connecting a w2k8 pdc via an interdomain
2768 * trust). In that case do not invalidate the whole connection
2769 * stack
2770 */
2771 TALLOC_FREE(conn->samr_pipe);
2772 ZERO_STRUCT(conn->sam_domain_handle);
2773 return status;
2774 } else if (!NT_STATUS_IS_OK(status)) {
2775 invalidate_cm_connection(domain);
2776 return status;
2777 }
2778
2779 *cli = conn->samr_pipe;
2780 *sam_handle = conn->sam_domain_handle;
2781 return status;
2782 }
2783
2784 /**********************************************************************
2785 open an schanneld ncacn_ip_tcp connection to LSA
2786 ***********************************************************************/
2787
2788 static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
2789 TALLOC_CTX *mem_ctx,
2790 struct rpc_pipe_client **cli)
2791 {
2792 struct winbindd_cm_conn *conn;
2793 struct netlogon_creds_cli_context *p_creds = NULL;
2794 NTSTATUS status;
2795 const char *remote_name = NULL;
2796 const struct sockaddr_storage *remote_sockaddr = NULL;
2797
2798 DEBUG(10,("cm_connect_lsa_tcp\n"));
2799
2800 status = init_dc_connection_rpc(domain, false);
2801 if (!NT_STATUS_IS_OK(status)) {
2802 return status;
2803 }
2804
2805 conn = &domain->conn;
2806
2807 /*
2808 * rpccli_is_connected handles more error cases
2809 */
2810 if (rpccli_is_connected(conn->lsa_pipe_tcp)) {
2811 goto done;
2812 }
2813
2814 TALLOC_FREE(conn->lsa_pipe_tcp);
2815
2816 status = cm_get_schannel_creds(domain, &p_creds);
2817 if (!NT_STATUS_IS_OK(status)) {
2818 goto done;
2819 }
2820
2821 remote_name = smbXcli_conn_remote_name(conn->cli->conn);
2822 remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
2823
2824 status = cli_rpc_pipe_open_schannel_with_creds(
2825 conn->cli,
2826 &ndr_table_lsarpc,
2827 NCACN_IP_TCP,
2828 p_creds,
2829 remote_name,
2830 remote_sockaddr,
2831 &conn->lsa_pipe_tcp);
2832 if (!NT_STATUS_IS_OK(status)) {
2833 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
2834 nt_errstr(status)));
2835 goto done;
2836 }
2837
2838 done:
2839 if (!NT_STATUS_IS_OK(status)) {
2840 TALLOC_FREE(conn->lsa_pipe_tcp);
2841 return status;
2842 }
2843
2844 *cli = conn->lsa_pipe_tcp;
2845
2846 return status;
2847 }
2848
2849 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2850 struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
2851 {
2852 struct winbindd_cm_conn *conn;
2853 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2854 struct netlogon_creds_cli_context *p_creds;
2855 struct cli_credentials *creds = NULL;
2856 bool retry = false; /* allow one retry attempt for expired session */
2857 const char *remote_name = NULL;
2858 const struct sockaddr_storage *remote_sockaddr = NULL;
2859 bool sealed_pipes = true;
2860 bool strong_key = true;
2861 bool require_schannel = false;
2862
2863 retry:
2864 result = init_dc_connection_rpc(domain, false);
2865 if (!NT_STATUS_IS_OK(result))
2866 return result;
2867
2868 conn = &domain->conn;
2869
2870 if (rpccli_is_connected(conn->lsa_pipe)) {
2871 goto done;
2872 }
2873
2874 TALLOC_FREE(conn->lsa_pipe);
2875
2876 if (IS_DC ||
2877 domain->secure_channel_type != SEC_CHAN_NULL)
2878 {
2879 /*
2880 * Make sure we only use schannel as DC
2881 * or with a direct trust
2882 */
2883 require_schannel = true;
2884 goto schannel;
2885 }
2886
2887 result = winbindd_get_trust_credentials(domain,
2888 talloc_tos(),
2889 false, /* netlogon */
2890 true, /* ipc_fallback */
2891 &creds);
2892 if (!NT_STATUS_IS_OK(result)) {
2893 DEBUG(10, ("cm_connect_lsa: No user available for "
2894 "domain %s, trying schannel\n", domain->name));
2895 goto schannel;
2896 }
2897
2898 if (cli_credentials_is_anonymous(creds)) {
2899 goto anonymous;
2900 }
2901
2902 remote_name = smbXcli_conn_remote_name(conn->cli->conn);
2903 remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
2904
2905 /*
2906 * We have an authenticated connection. Use a SPNEGO
2907 * authenticated LSA pipe with sign & seal.
2908 */
2909 result = cli_rpc_pipe_open_with_creds
2910 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
2911 DCERPC_AUTH_TYPE_SPNEGO,
2912 conn->auth_level,
2913 remote_name,
2914 remote_sockaddr,
2915 creds,
2916 &conn->lsa_pipe);
2917
2918 if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
2919 && !retry) {
2920 invalidate_cm_connection(domain);
2921 retry = true;
2922 goto retry;
2923 }
2924
2925 if (!NT_STATUS_IS_OK(result)) {
2926 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2927 "domain %s using NTLMSSP authenticated pipe: user "
2928 "%s. Error was %s. Trying schannel.\n",
2929 domain->name,
2930 cli_credentials_get_unparsed_name(creds, talloc_tos()),
2931 nt_errstr(result)));
2932 goto schannel;
2933 }
2934
2935 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2936 "NTLMSSP authenticated pipe: user %s\n",
2937 domain->name, cli_credentials_get_unparsed_name(creds, talloc_tos())));
2938
2939 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2940 SEC_FLAG_MAXIMUM_ALLOWED,
2941 &conn->lsa_policy);
2942 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
2943 invalidate_cm_connection(domain);
2944 TALLOC_FREE(conn->lsa_pipe);
2945 retry = true;
2946 goto retry;
2947 }
2948
2949 if (NT_STATUS_IS_OK(result)) {
2950 goto done;
2951 }
2952
2953 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
2954 "schannel\n"));
2955
2956 TALLOC_FREE(conn->lsa_pipe);
2957
2958 schannel:
2959
2960 /* Fall back to schannel if it's a W2K pre-SP1 box. */
2961
2962 result = cm_get_schannel_creds(domain, &p_creds);
2963 if (!NT_STATUS_IS_OK(result)) {
2964 /* If this call fails - conn->cli can now be NULL ! */
2965 DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
2966 "for domain %s (error %s), trying anon\n",
2967 domain->name,
2968 nt_errstr(result) ));
2969 goto anonymous;
2970 }
2971
2972 TALLOC_FREE(creds);
2973 result = cli_rpc_pipe_open_schannel_with_creds(
2974 conn->cli, &ndr_table_lsarpc, NCACN_NP, p_creds,
2975 remote_name,
2976 remote_sockaddr,
2977 &conn->lsa_pipe);
2978
2979 if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
2980 && !retry) {
2981 invalidate_cm_connection(domain);
2982 retry = true;
2983 goto retry;
2984 }
2985
2986 if (!NT_STATUS_IS_OK(result)) {
2987 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
2988 "domain %s using schannel. Error was %s\n",
2989 domain->name, nt_errstr(result) ));
2990 goto anonymous;
2991 }
2992 DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
2993 "schannel.\n", domain->name ));
2994
2995 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
2996 SEC_FLAG_MAXIMUM_ALLOWED,
2997 &conn->lsa_policy);
2998
2999 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
3000 invalidate_cm_connection(domain);
3001 TALLOC_FREE(conn->lsa_pipe);
3002 retry = true;
3003 goto retry;
3004 }
3005
3006 if (NT_STATUS_IS_OK(result)) {
3007 goto done;
3008 }
3009
3010 if (require_schannel) {
3011 /*
3012 * Make sure we only use schannel as DC
3013 * or with a direct trust
3014 */
3015 goto done;
3016 }
3017
3018 DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
3019 "anonymous\n"));
3020
3021 TALLOC_FREE(conn->lsa_pipe);
3022
3023 anonymous:
3024
3025 if (require_schannel) {
3026 /*
3027 * Make sure we only use schannel as DC
3028 * or with a direct trust
3029 */
3030 goto done;
3031 }
3032
3033 sealed_pipes = lp_winbind_sealed_pipes();
3034 sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
3035 domain->name,
3036 sealed_pipes);
3037 strong_key = lp_require_strong_key();
3038 strong_key = lp_parm_bool(-1, "require strong key",
3039 domain->name,
3040 strong_key);
3041
3042 /* Finally fall back to anonymous. */
3043 if (sealed_pipes || strong_key) {
3044 result = NT_STATUS_DOWNGRADE_DETECTED;
3045 DEBUG(1, ("Unwilling to make LSA connection to domain %s "
3046 "without connection level security, "
3047 "must set 'winbind sealed pipes:%s = false' and "
3048 "'require strong key:%s = false' to proceed: %s\n",
3049 domain->name, domain->name, domain->name,
3050 nt_errstr(result)));
3051 goto done;
3052 }
3053
3054 result = cli_rpc_pipe_open_noauth(conn->cli,
3055 &ndr_table_lsarpc,
3056 &conn->lsa_pipe);
3057
3058 if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
3059 && !retry) {
3060 invalidate_cm_connection(domain);
3061 retry = true;
3062 goto retry;
3063 }
3064
3065 if (!NT_STATUS_IS_OK(result)) {
3066 goto done;
3067 }
3068
3069 result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
3070 SEC_FLAG_MAXIMUM_ALLOWED,
3071 &conn->lsa_policy);
3072
3073 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
3074 invalidate_cm_connection(domain);
3075 TALLOC_FREE(conn->lsa_pipe);
3076 retry = true;
3077 goto retry;
3078 }
3079
3080 done:
3081 if (!NT_STATUS_IS_OK(result)) {
3082 invalidate_cm_connection(domain);
3083 return result;
3084 }
3085
3086 *cli = conn->lsa_pipe;
3087 *lsa_policy = conn->lsa_policy;
3088 return result;
3089 }
3090
3091 /****************************************************************************
3092 Open a LSA connection to a DC, suitable for LSA lookup calls.
3093 ****************************************************************************/
3094
3095 NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
3096 TALLOC_CTX *mem_ctx,
3097 struct rpc_pipe_client **cli,
3098 struct policy_handle *lsa_policy)
3099 {
3100 NTSTATUS status;
3101
3102 if (domain->can_do_ncacn_ip_tcp) {
3103 status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
3104 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
3105 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
3106 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
3107 invalidate_cm_connection(domain);
3108 status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
3109 }
3110 if (NT_STATUS_IS_OK(status)) {
3111 return status;
3112 }
3113
3114 /*
3115 * we tried twice to connect via ncan_ip_tcp and schannel and
3116 * failed - maybe it is a trusted domain we can't connect to ?
3117 * do not try tcp next time - gd
3118 *
3119 * This also prevents NETLOGON over TCP
3120 */
3121 domain->can_do_ncacn_ip_tcp = false;
3122 }
3123
3124 status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);
3125
3126 return status;
3127 }
3128
3129 /****************************************************************************
3130 Open the netlogon pipe to this DC.
3131 ****************************************************************************/
3132
3133 static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
3134 enum dcerpc_transport_t transport,
3135 struct rpc_pipe_client **cli)
3136 {
3137 struct messaging_context *msg_ctx = global_messaging_context();
3138 struct winbindd_cm_conn *conn;
3139 NTSTATUS result;
3140 enum netr_SchannelType sec_chan_type;
3141 struct cli_credentials *creds = NULL;
3142 const char *remote_name = NULL;
3143 const struct sockaddr_storage *remote_sockaddr = NULL;
3144
3145 *cli = NULL;
3146
3147 if (IS_DC) {
3148 if (domain->secure_channel_type == SEC_CHAN_NULL) {
3149 /*
3150 * Make sure we don't even try to
3151 * connect to a foreign domain
3152 * without a direct outbound trust.
3153 */
3154 return NT_STATUS_NO_TRUST_LSA_SECRET;
3155 }
3156 }
3157
3158 result = init_dc_connection_rpc(domain, domain->rodc);
3159 if (!NT_STATUS_IS_OK(result)) {
3160 return result;
3161 }
3162
3163 conn = &domain->conn;
3164
3165 if (rpccli_is_connected(conn->netlogon_pipe)) {
3166 *cli = conn->netlogon_pipe;
3167 return NT_STATUS_OK;
3168 }
3169
3170 TALLOC_FREE(conn->netlogon_pipe);
3171 TALLOC_FREE(conn->netlogon_creds_ctx);
3172
3173 remote_name = smbXcli_conn_remote_name(conn->cli->conn);
3174 remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
3175
3176 result = winbindd_get_trust_credentials(domain,
3177 talloc_tos(),
3178 true, /* netlogon */
3179 false, /* ipc_fallback */
3180 &creds);
3181 if (!NT_STATUS_IS_OK(result)) {
3182 DBG_DEBUG("No user available for domain %s when trying "
3183 "schannel\n", domain->name);
3184 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3185 }
3186
3187 if (cli_credentials_is_anonymous(creds)) {
3188 DBG_WARNING("get_trust_credential only gave anonymous for %s, "
3189 "unable to make get NETLOGON credentials\n",
3190 domain->name);
3191 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3192 }
3193
3194 sec_chan_type = cli_credentials_get_secure_channel_type(creds);
3195 if (sec_chan_type == SEC_CHAN_NULL) {
3196 if (transport == NCACN_IP_TCP) {
3197 DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
3198 "for %s, deny NCACN_IP_TCP and let the "
3199 "caller fallback to NCACN_NP.\n",
3200 domain->name);
3201 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3202 }
3203
3204 DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
3205 "fallback to noauth on NCACN_NP.\n",
3206 domain->name);
3207
3208 result = cli_rpc_pipe_open_noauth_transport(
3209 conn->cli,
3210 transport,
3211 &ndr_table_netlogon,
3212 remote_name,
3213 remote_sockaddr,
3214 &conn->netlogon_pipe);
3215 if (!NT_STATUS_IS_OK(result)) {
3216 invalidate_cm_connection(domain);
3217 return result;
3218 }
3219
3220 *cli = conn->netlogon_pipe;
3221 return NT_STATUS_OK;
3222 }
3223
3224 result = rpccli_create_netlogon_creds_ctx(creds,
3225 domain->dcname,
3226 msg_ctx,
3227 domain,
3228 &conn->netlogon_creds_ctx);
3229 if (!NT_STATUS_IS_OK(result)) {
3230 DEBUG(1, ("rpccli_create_netlogon_creds failed for %s, "
3231 "unable to create NETLOGON credentials: %s\n",
3232 domain->name, nt_errstr(result)));
3233 return result;
3234 }
3235
3236 result = rpccli_connect_netlogon(conn->cli,
3237 transport,
3238 remote_name,
3239 remote_sockaddr,
3240 conn->netlogon_creds_ctx,
3241 conn->netlogon_force_reauth, creds,
3242 &conn->netlogon_pipe);
3243 conn->netlogon_force_reauth = false;
3244 if (!NT_STATUS_IS_OK(result)) {
3245 DBG_DEBUG("rpccli_connect_netlogon failed: %s\n",
3246 nt_errstr(result));
3247 return result;
3248 }
3249
3250 *cli = conn->netlogon_pipe;
3251 return NT_STATUS_OK;
3252 }
3253
3254 /****************************************************************************
3255 Open a NETLOGON connection to a DC, suitable for SamLogon calls.
3256 ****************************************************************************/
3257
3258 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
3259 struct rpc_pipe_client **cli)
3260 {
3261 NTSTATUS status;
3262
3263 status = init_dc_connection_rpc(domain, domain->rodc);
3264 if (!NT_STATUS_IS_OK(status)) {
3265 return status;
3266 }
3267
3268 if (domain->active_directory && domain->can_do_ncacn_ip_tcp) {
3269 status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
3270 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
3271 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
3272 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
3273 invalidate_cm_connection(domain);
3274 status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
3275 }
3276 if (NT_STATUS_IS_OK(status)) {
3277 return status;
3278 }
3279
3280 /*
3281 * we tried twice to connect via ncan_ip_tcp and schannel and
3282 * failed - maybe it is a trusted domain we can't connect to ?
3283 * do not try tcp next time - gd
3284 *
3285 * This also prevents LSA over TCP
3286 */
3287 domain->can_do_ncacn_ip_tcp = false;
3288 }
3289
3290 status = cm_connect_netlogon_transport(domain, NCACN_NP, cli);
3291 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
3292 /*
3293 * SMB2 session expired, needs reauthentication. Drop
3294 * connection and retry.
3295 */
3296 invalidate_cm_connection(domain);
3297 status = cm_connect_netlogon_transport(domain, NCACN_NP, cli);
3298 }
3299
3300 return status;
3301 }
3302
3303 NTSTATUS cm_connect_netlogon_secure(struct winbindd_domain *domain,
3304 struct rpc_pipe_client **cli,
3305 struct netlogon_creds_cli_context **ppdc)
3306 {
3307 NTSTATUS status;
3308
3309 if (domain->secure_channel_type == SEC_CHAN_NULL) {
3310 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3311 }
3312
3313 status = cm_connect_netlogon(domain, cli);
3314 if (!NT_STATUS_IS_OK(status)) {
3315 return status;
3316 }
3317
3318 if (domain->conn.netlogon_creds_ctx == NULL) {
3319 return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
3320 }
3321
3322 *ppdc = domain->conn.netlogon_creds_ctx;
3323 return NT_STATUS_OK;
3324 }
3325
3326 void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
3327 void *private_data,
3328 uint32_t msg_type,
3329 struct server_id server_id,
3330 DATA_BLOB *data)
3331 {
3332 struct winbindd_domain *domain;
3333 char *freeit = NULL;
3334 char *addr;
3335
3336 if ((data == NULL)
3337 || (data->data == NULL)
3338 || (data->length == 0)
3339 || (data->data[data->length-1] != '\0')) {
3340 DEBUG(1, ("invalid msg_ip_dropped message: not a valid "
3341 "string\n"));
3342 return;
3343 }
3344
3345 addr = (char *)data->data;
3346 DEBUG(10, ("IP %s dropped\n", addr));
3347
3348 if (!is_ipaddress(addr)) {
3349 char *slash;
3350 /*
3351 * Some code sends us ip addresses with the /netmask
3352 * suffix
3353 */
3354 slash = strchr(addr, '/');
3355 if (slash == NULL) {
3356 DEBUG(1, ("invalid msg_ip_dropped message: %s\n",
3357 addr));
3358 return;
3359 }
3360 freeit = talloc_strndup(talloc_tos(), addr, slash-addr);
3361 if (freeit == NULL) {
3362 DEBUG(1, ("talloc failed\n"));
3363 return;
3364 }
3365 addr = freeit;
3366 DEBUG(10, ("Stripped /netmask to IP %s\n", addr));
3367 }
3368
3369 for (domain = domain_list(); domain != NULL; domain = domain->next) {
3370 char sockaddr[INET6_ADDRSTRLEN];
3371
3372 if (!cli_state_is_connected(domain->conn.cli)) {
3373 continue;
3374 }
3375
3376 print_sockaddr(sockaddr, sizeof(sockaddr),
3377 smbXcli_conn_local_sockaddr(domain->conn.cli->conn));
3378
3379 if (strequal(sockaddr, addr)) {
3380 smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
3381 }
3382 }
3383 TALLOC_FREE(freeit);
3384 }
3385
3386 void winbind_msg_disconnect_dc(struct messaging_context *msg_ctx,
3387 void *private_data,
3388 uint32_t msg_type,
3389 struct server_id server_id,
3390 DATA_BLOB *data)
3391 {
3392 struct winbindd_domain *domain;
3393
3394 for (domain = domain_list(); domain; domain = domain->next) {
3395 if (domain->internal) {
3396 continue;
3397 }
3398 invalidate_cm_connection(domain);
3399 }
3400 }
GSS-enabled samba4