Changeset 342 for branches/samba-3.3.x/source/winbindd/winbindd_cm.c

Timestamp:

Oct 30, 2009, 9:39:05 AM (16 years ago)

Author:

Herwig Bauernfeind

Message:

Update 3.3 to 3.3.9

File:

• branches/samba-3.3.x/source/winbindd/winbindd_cm.c (modified) (10 diffs)

branches/samba-3.3.x/source/winbindd/winbindd_cm.c

@@ -858 +858 @@
                                                               machine_password,
                                                               lp_workgroup(),
-                                                              domain->name);
+                                                              domain->alt_name);
 
                         if (!ADS_ERR_OK(ads_status)) {
@@ -1543 +1543 @@
         }
 
+        if (conn->lsa_pipe_tcp != NULL) {
+                TALLOC_FREE(conn->lsa_pipe_tcp);
+                /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+                if (conn->cli) {
+                        cli_set_timeout(conn->cli, 500);
+                }
+        }
+
         if (conn->netlogon_pipe != NULL) {
                 TALLOC_FREE(conn->netlogon_pipe);
@@ -1917 +1925 @@
                   domain->name, domain->active_directory ? "" : "NOT "));
 
+        domain->can_do_ncacn_ip_tcp = domain->active_directory;
+
         TALLOC_FREE(cli);
 
@@ -2039 +2049 @@
         result = cli_rpc_pipe_open_spnego_ntlmssp(conn->cli,
                                                   &ndr_table_samr.syntax_id,
+                                                  NCACN_NP,
                                                   PIPE_AUTH_LEVEL_PRIVACY,
                                                   domain_name,
@@ -2082 +2093 @@
         }
         result = cli_rpc_pipe_open_schannel_with_key
-                (conn->cli, &ndr_table_samr.syntax_id, PIPE_AUTH_LEVEL_PRIVACY,
+                (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
+                PIPE_AUTH_LEVEL_PRIVACY,
                  domain->name, p_dcinfo, &conn->samr_pipe);
 
@@ -2137 +2149 @@
  done:
 
-        if (!NT_STATUS_IS_OK(result)) {
+        if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
+                /*
+                 * if we got access denied, we might just have no access rights
+                 * to talk to the remote samr server server (e.g. when we are a
+                 * PDC and we are connecting a w2k8 pdc via an interdomain
+                 * trust). In that case do not invalidate the whole connection
+                 * stack
+                 */
+                TALLOC_FREE(conn->samr_pipe);
+                ZERO_STRUCT(conn->sam_domain_handle);
+                return result;
+        } else if (!NT_STATUS_IS_OK(result)) {
                 invalidate_cm_connection(conn);
                 return result;
@@ -2147 +2170 @@
         SAFE_FREE(machine_account);
         return result;
+}
+
+/**********************************************************************
+ open an schanneld ncacn_ip_tcp connection to LSA
+***********************************************************************/
+
+NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
+                            TALLOC_CTX *mem_ctx,
+                            struct rpc_pipe_client **cli)
+{
+        struct winbindd_cm_conn *conn;
+        NTSTATUS status;
+
+        DEBUG(10,("cm_connect_lsa_tcp\n"));
+
+        status = init_dc_connection(domain);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+
+        conn = &domain->conn;
+
+        if (conn->lsa_pipe_tcp &&
+            conn->lsa_pipe_tcp->transport_type == NCACN_IP_TCP &&
+            conn->lsa_pipe_tcp->auth->auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
+                goto done;
+        }
+
+        TALLOC_FREE(conn->lsa_pipe_tcp);
+
+        status = cli_rpc_pipe_open_schannel(conn->cli,
+                                            &ndr_table_lsarpc.syntax_id,
+                                            NCACN_IP_TCP,
+                                            PIPE_AUTH_LEVEL_PRIVACY,
+                                            domain->name,
+                                            &conn->lsa_pipe_tcp);
+        if (!NT_STATUS_IS_OK(status)) {
+                DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n",
+                        nt_errstr(status)));
+                goto done;
+        }
+
+ done:
+        if (!NT_STATUS_IS_OK(status)) {
+                TALLOC_FREE(conn->lsa_pipe_tcp);
+                return status;
+        }
+
+        *cli = conn->lsa_pipe_tcp;
+
+        return status;
 }
 
@@ -2179 +2253 @@
          * authenticated LSA pipe with sign & seal. */
         result = cli_rpc_pipe_open_spnego_ntlmssp
-                (conn->cli, &ndr_table_lsarpc.syntax_id,
+                (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
                  PIPE_AUTH_LEVEL_PRIVACY,
                  conn->cli->domain, conn->cli->user_name, conn_pwd,
@@ -2220 +2294 @@
         }
         result = cli_rpc_pipe_open_schannel_with_key
-                (conn->cli, &ndr_table_lsarpc.syntax_id,
+                (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
                  PIPE_AUTH_LEVEL_PRIVACY,
                  domain->name, p_dcinfo, &conn->lsa_pipe);
@@ -2367 +2441 @@
 
         result = cli_rpc_pipe_open_schannel_with_key(
-                conn->cli, &ndr_table_netlogon.syntax_id,
+                conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
                 PIPE_AUTH_LEVEL_PRIVACY, domain->name, netlogon_pipe->dc,
                 &conn->netlogon_pipe);