Changeset 745 for trunk/server/source3/winbindd/winbindd_cm.c
- Timestamp:
- Nov 27, 2012, 4:43:17 PM (13 years ago)
- Location:
- trunk/server
- Files:
-
- 2 edited
trunk/server
- Property svn:mergeinfo changed
/vendor/current merged: 581,587,591,594,597,600,615,618,740
- Property svn:mergeinfo changed
-
trunk/server/source3/winbindd/winbindd_cm.c
r596 r745 62 62 #include "winbindd.h" 63 63 #include "../libcli/auth/libcli_auth.h" 64 #include "../librpc/gen_ndr/cli_netlogon.h" 65 #include "../librpc/gen_ndr/cli_samr.h" 66 #include "../librpc/gen_ndr/cli_lsa.h" 67 #include "../librpc/gen_ndr/cli_dssetup.h" 64 #include "../librpc/gen_ndr/ndr_netlogon_c.h" 65 #include "rpc_client/cli_pipe.h" 66 #include "rpc_client/cli_netlogon.h" 67 #include "../librpc/gen_ndr/ndr_samr_c.h" 68 #include "../librpc/gen_ndr/ndr_lsa_c.h" 69 #include "rpc_client/cli_lsarpc.h" 70 #include "../librpc/gen_ndr/ndr_dssetup_c.h" 71 #include "libads/sitename_cache.h" 72 #include "libsmb/libsmb.h" 73 #include "libsmb/clidgram.h" 74 #include "ads.h" 75 #include "secrets.h" 76 #include "../libcli/security/security.h" 77 #include "passdb.h" 78 #include "messages.h" 68 79 69 80 #undef DBGC_CLASS … … 179 190 pid_t parent_pid = sys_getpid(); 180 191 char *lfile = NULL; 192 NTSTATUS status; 181 193 182 194 if (domain->dc_probe_pid != (pid_t)-1) { … … 223 235 } 224 236 225 if (!winbindd_reinit_after_fork(lfile)) { 237 status = winbindd_reinit_after_fork(NULL, lfile); 238 if (!NT_STATUS_IS_OK(status)) { 239 DEBUG(1, ("winbindd_reinit_after_fork failed: %s\n", 240 nt_errstr(status))); 226 241 messaging_send_buf(winbind_messaging_context(), 227 242 pid_to_procid(parent_pid), … … 285 300 /* Are we still in "startup" mode ? */ 286 301 287 if (domain->startup && ( now.tv_sec> domain->startup_time + 30)) {302 if (domain->startup && (time_mono(NULL) > domain->startup_time + 30)) { 288 303 /* No longer in "startup" mode. */ 289 304 DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n", … … 502 517 503 518 /* Go into "startup" mode again. 
*/ 504 domain->startup_time = t ev.tv_sec;519 domain->startup_time = time_mono(NULL); 505 520 domain->startup = True; 506 521 … … 535 550 ****************************************************************/ 536 551 537 void winbind_add_failed_connection_entry(const struct winbindd_domain *domain, 538 const char *server, 539 NTSTATUS result) 552 static void winbind_add_failed_connection_entry( 553 const struct winbindd_domain *domain, 554 const char *server, 555 NTSTATUS result) 540 556 { 541 557 add_failed_connection_entry(domain->name, server, result); … … 595 611 const char *tmp = NULL; 596 612 const char *p; 613 struct dcerpc_binding_handle *b; 597 614 598 615 /* Hmmmm. We can only open one connection to the NETLOGON pipe at the … … 619 636 } 620 637 638 b = netlogon_pipe->binding_handle; 639 621 640 /* This call can take a long time - allow the server to time out. 622 641 35 seconds should do it. */ … … 627 646 struct netr_DsRGetDCNameInfo *domain_info = NULL; 628 647 629 result = rpccli_netr_DsRGetDCName(netlogon_pipe,648 result = dcerpc_netr_DsRGetDCName(b, 630 649 mem_ctx, 631 650 our_domain->dcname, … … 654 673 } 655 674 } else { 656 result = rpccli_netr_GetAnyDCName(netlogon_pipe, mem_ctx,675 result = dcerpc_netr_GetAnyDCName(b, mem_ctx, 657 676 our_domain->dcname, 658 677 domain->name, … … 665 684 666 685 if (!NT_STATUS_IS_OK(result)) { 667 DEBUG(10,(" rpccli_netr_GetAnyDCName failed: %s\n",686 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", 668 687 nt_errstr(result))); 669 688 talloc_destroy(mem_ctx); … … 672 691 673 692 if (!W_ERROR_IS_OK(werr)) { 674 DEBUG(10,(" rpccli_netr_GetAnyDCName failed: %s\n",693 DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", 675 694 win_errstr(werr))); 676 695 talloc_destroy(mem_ctx); … … 678 697 } 679 698 680 /* rpccli_netr_GetAnyDCName gives us a name with \\ */699 /* dcerpc_netr_GetAnyDCName gives us a name with \\ */ 681 700 p = strip_hostname(tmp); 682 701 … … 685 704 talloc_destroy(mem_ctx); 686 705 687 DEBUG(10,(" 
rpccli_netr_GetAnyDCName returned %s\n", dcname));706 DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname)); 688 707 689 708 if (!resolve_name(dcname, dc_ss, 0x20, true)) { … … 802 821 (*cli)->timeout = 10000; /* 10 seconds */ 803 822 (*cli)->fd = sockfd; 804 fstrcpy((*cli)->desthost, controller); 823 (*cli)->desthost = talloc_strdup((*cli), controller); 824 if ((*cli)->desthost == NULL) { 825 result = NT_STATUS_NO_MEMORY; 826 goto done; 827 } 828 805 829 (*cli)->use_kerberos = True; 806 830 … … 1099 1123 struct ip_service ip_list; 1100 1124 uint32_t nt_version = NETLOGON_NT_VERSION_1; 1125 NTSTATUS status; 1126 const char *dc_name; 1101 1127 1102 1128 ip_list.ss = *pss; 1103 1129 ip_list.port = 0; 1104 1130 1105 #ifdef WITH_ADS1131 #ifdef HAVE_ADS 1106 1132 /* For active directory servers, try to get the ldap server name. 1107 1133 None of these failures should be considered critical for now */ … … 1163 1189 #endif 1164 1190 1165 /* try GETDC requests next */ 1166 1167 if (send_getdc_request(mem_ctx, winbind_messaging_context(), 1168 pss, domain->name, &domain->sid, 1169 nt_version)) { 1170 const char *dc_name = NULL; 1171 int i; 1172 smb_msleep(100); 1173 for (i=0; i<5; i++) { 1174 if (receive_getdc_response(mem_ctx, pss, domain->name, 1175 &nt_version, 1176 &dc_name, NULL)) { 1177 fstrcpy(name, dc_name); 1178 namecache_store(name, 0x20, 1, &ip_list); 1179 return True; 1180 } 1181 smb_msleep(500); 1182 } 1191 status = nbt_getdc(winbind_messaging_context(), pss, domain->name, 1192 &domain->sid, nt_version, mem_ctx, &nt_version, 1193 &dc_name, NULL); 1194 if (NT_STATUS_IS_OK(status)) { 1195 fstrcpy(name, dc_name); 1196 namecache_store(name, 0x20, 1, &ip_list); 1197 return True; 1183 1198 } 1184 1199 … … 1369 1384 return False; 1370 1385 1371 status = smbsock_any_connect(addrs, dcnames, num_addrs,1372 fd, &fd_index, NULL);1386 status = smbsock_any_connect(addrs, dcnames, NULL, NULL, NULL, 1387 num_addrs, 0, 10, fd, &fd_index, NULL); 1373 1388 if 
(!NT_STATUS_IS_OK(status)) { 1374 1389 for (i=0; i<num_dcs; i++) { … … 1417 1432 } 1418 1433 1434 static char *current_dc_key(TALLOC_CTX *mem_ctx, const char *domain_name) 1435 { 1436 return talloc_asprintf_strupper_m(mem_ctx, "CURRENT_DCNAME/%s", 1437 domain_name); 1438 } 1439 1440 static void store_current_dc_in_gencache(const char *domain_name, 1441 const char *dc_name, 1442 struct cli_state *cli) 1443 { 1444 char addr[INET6_ADDRSTRLEN]; 1445 char *key = NULL; 1446 char *value = NULL; 1447 1448 if (cli == NULL) { 1449 return; 1450 } 1451 if (cli->fd == -1) { 1452 return; 1453 } 1454 get_peer_addr(cli->fd, addr, sizeof(addr)); 1455 1456 key = current_dc_key(talloc_tos(), domain_name); 1457 if (key == NULL) { 1458 goto done; 1459 } 1460 1461 value = talloc_asprintf(talloc_tos(), "%s %s", addr, dc_name); 1462 if (value == NULL) { 1463 goto done; 1464 } 1465 1466 gencache_set(key, value, 0x7fffffff); 1467 done: 1468 TALLOC_FREE(value); 1469 TALLOC_FREE(key); 1470 } 1471 1472 bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx, 1473 const char *domain_name, 1474 char **p_dc_name, char **p_dc_ip) 1475 { 1476 char *key, *value, *p; 1477 bool ret = false; 1478 char *dc_name = NULL; 1479 char *dc_ip = NULL; 1480 1481 key = current_dc_key(talloc_tos(), domain_name); 1482 if (key == NULL) { 1483 goto done; 1484 } 1485 if (!gencache_get(key, &value, NULL)) { 1486 goto done; 1487 } 1488 p = strchr(value, ' '); 1489 if (p == NULL) { 1490 goto done; 1491 } 1492 dc_ip = talloc_strndup(mem_ctx, value, p - value); 1493 if (dc_ip == NULL) { 1494 goto done; 1495 } 1496 dc_name = talloc_strdup(mem_ctx, p+1); 1497 if (dc_name == NULL) { 1498 goto done; 1499 } 1500 1501 if (p_dc_ip != NULL) { 1502 *p_dc_ip = dc_ip; 1503 dc_ip = NULL; 1504 } 1505 if (p_dc_name != NULL) { 1506 *p_dc_name = dc_name; 1507 dc_name = NULL; 1508 } 1509 ret = true; 1510 done: 1511 TALLOC_FREE(dc_name); 1512 TALLOC_FREE(dc_ip); 1513 TALLOC_FREE(key); 1514 return ret; 1515 } 1516 1419 1517 static NTSTATUS 
cm_open_connection(struct winbindd_domain *domain, 1420 1518 struct winbindd_cm_conn *new_conn) … … 1432 1530 1433 1531 /* we have to check the server affinity cache here since 1434 later we select ea DC based on response time and not preference */1532 later we select a DC based on response time and not preference */ 1435 1533 1436 1534 /* Check the negative connection cache … … 1481 1579 NTSTATUS status; 1482 1580 1483 status = smbsock_connect(&domain->dcaddr, NULL, NULL, 1484 &fd, NULL); 1581 status = smbsock_connect(&domain->dcaddr, 0, 1582 NULL, -1, NULL, -1, 1583 &fd, NULL, 10); 1485 1584 if (!NT_STATUS_IS_OK(status)) { 1486 1585 fd = -1; … … 1517 1616 } 1518 1617 set_domain_online(domain); 1618 1619 /* 1620 * Much as I hate global state, this seems to be the point 1621 * where we can be certain that we have a proper connection to 1622 * a DC. wbinfo --dc-info needs that information, store it in 1623 * gencache with a looong timeout. This will need revisiting 1624 * once we start to connect to multiple DCs, wbcDcInfo is 1625 * already prepared for that. 1626 */ 1627 store_current_dc_in_gencache(domain->name, domain->dcname, 1628 new_conn->cli); 1519 1629 } else { 1520 1630 /* Ensure we setup the retry handler. */ … … 1530 1640 void invalidate_cm_connection(struct winbindd_cm_conn *conn) 1531 1641 { 1642 NTSTATUS result; 1643 1532 1644 /* We're closing down a possibly dead 1533 1645 connection. Don't have impossibly long (10s) timeouts. */ … … 1538 1650 1539 1651 if (conn->samr_pipe != NULL) { 1652 if (is_valid_policy_hnd(&conn->sam_connect_handle)) { 1653 dcerpc_samr_Close(conn->samr_pipe->binding_handle, 1654 talloc_tos(), 1655 &conn->sam_connect_handle, 1656 &result); 1657 } 1540 1658 TALLOC_FREE(conn->samr_pipe); 1541 1659 /* Ok, it must be dead. Drop timeout to 0.5 sec. 
*/ … … 1546 1664 1547 1665 if (conn->lsa_pipe != NULL) { 1666 if (is_valid_policy_hnd(&conn->lsa_policy)) { 1667 dcerpc_lsa_Close(conn->lsa_pipe->binding_handle, 1668 talloc_tos(), 1669 &conn->lsa_policy, 1670 &result); 1671 } 1548 1672 TALLOC_FREE(conn->lsa_pipe); 1549 1673 /* Ok, it must be dead. Drop timeout to 0.5 sec. */ … … 1554 1678 1555 1679 if (conn->lsa_pipe_tcp != NULL) { 1680 if (is_valid_policy_hnd(&conn->lsa_policy)) { 1681 dcerpc_lsa_Close(conn->lsa_pipe_tcp->binding_handle, 1682 talloc_tos(), 1683 &conn->lsa_policy, 1684 &result); 1685 } 1556 1686 TALLOC_FREE(conn->lsa_pipe_tcp); 1557 1687 /* Ok, it must be dead. Drop timeout to 0.5 sec. */ … … 1579 1709 { 1580 1710 struct winbindd_domain *domain; 1711 struct winbindd_cli_state *cli_state; 1581 1712 1582 1713 for (domain = domain_list(); domain; domain = domain->next) { 1583 if (domain->conn.cli == NULL) 1584 continue; 1585 1586 if (domain->conn.cli->fd == -1) 1587 continue; 1588 1589 close(domain->conn.cli->fd); 1590 domain->conn.cli->fd = -1; 1714 struct cli_state *cli = domain->conn.cli; 1715 1716 /* 1717 * first close the low level SMB TCP connection 1718 * so that we don't generate any SMBclose 1719 * requests in invalidate_cm_connection() 1720 */ 1721 if (cli && cli->fd != -1) { 1722 close(domain->conn.cli->fd); 1723 domain->conn.cli->fd = -1; 1724 } 1725 1726 invalidate_cm_connection(&domain->conn); 1727 } 1728 1729 for (cli_state = winbindd_client_list(); 1730 cli_state != NULL; 1731 cli_state = cli_state->next) { 1732 if (cli_state->sock >= 0) { 1733 close(cli_state->sock); 1734 cli_state->sock = -1; 1735 } 1591 1736 } 1592 1737 } … … 1650 1795 NTSTATUS init_dc_connection(struct winbindd_domain *domain) 1651 1796 { 1797 if (domain->internal) { 1798 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; 1799 } 1800 1652 1801 if (domain->initialized && !domain->online) { 1653 1802 /* We check for online status elsewhere. 
*/ … … 1683 1832 struct winbindd_domain *our_domain; 1684 1833 NTSTATUS result = NT_STATUS_UNSUCCESSFUL; 1834 WERROR werr; 1685 1835 struct netr_DomainTrustList trusts; 1686 1836 int i; … … 1690 1840 struct rpc_pipe_client *cli; 1691 1841 TALLOC_CTX *mem_ctx = NULL; 1842 struct dcerpc_binding_handle *b; 1692 1843 1693 1844 DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name )); … … 1724 1875 } 1725 1876 1877 b = cli->binding_handle; 1878 1726 1879 if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) { 1727 1880 DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n")); … … 1729 1882 } 1730 1883 1731 result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,1884 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx, 1732 1885 cli->desthost, 1733 1886 flags, 1734 1887 &trusts, 1735 NULL);1888 &werr); 1736 1889 if (!NT_STATUS_IS_OK(result)) { 1737 1890 DEBUG(0,("set_dc_type_and_flags_trustinfo: " … … 1741 1894 return false; 1742 1895 } 1896 if (!W_ERROR_IS_OK(werr)) { 1897 DEBUG(0,("set_dc_type_and_flags_trustinfo: " 1898 "failed to query trusted domain list: %s\n", 1899 win_errstr(werr))); 1900 talloc_destroy(mem_ctx); 1901 return false; 1902 } 1743 1903 1744 1904 /* Now find the domain name and get the flags */ … … 1789 1949 static void set_dc_type_and_flags_connect( struct winbindd_domain *domain ) 1790 1950 { 1791 NTSTATUS 1951 NTSTATUS status, result; 1792 1952 WERROR werr; 1793 1953 TALLOC_CTX *mem_ctx = NULL; … … 1810 1970 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name )); 1811 1971 1812 result= cli_rpc_pipe_open_noauth(domain->conn.cli,1972 status = cli_rpc_pipe_open_noauth(domain->conn.cli, 1813 1973 &ndr_table_dssetup.syntax_id, 1814 1974 &cli); 1815 1975 1816 if (!NT_STATUS_IS_OK( result)) {1976 if (!NT_STATUS_IS_OK(status)) { 1817 1977 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to " 1818 1978 "PI_DSSETUP on domain %s: (%s)\n", 1819 domain->name, nt_errstr( 
result)));1979 domain->name, nt_errstr(status))); 1820 1980 1821 1981 /* if this is just a non-AD domain we need to continue … … 1826 1986 } 1827 1987 1828 result = rpccli_dssetup_DsRoleGetPrimaryDomainInformation(cli, mem_ctx,1988 status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx, 1829 1989 DS_ROLE_BASIC_INFORMATION, 1830 1990 &info, … … 1832 1992 TALLOC_FREE(cli); 1833 1993 1834 if (!NT_STATUS_IS_OK(result)) { 1994 if (NT_STATUS_IS_OK(status)) { 1995 result = werror_to_ntstatus(werr); 1996 } 1997 if (!NT_STATUS_IS_OK(status)) { 1835 1998 DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo " 1836 1999 "on domain %s failed: (%s)\n", 1837 domain->name, nt_errstr( result)));2000 domain->name, nt_errstr(status))); 1838 2001 1839 2002 /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for … … 1842 2005 * set - gd */ 1843 2006 1844 if (NT_STATUS_ V(result) == DCERPC_FAULT_OP_RNG_ERROR) {2007 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) { 1845 2008 goto no_dssetup; 1846 2009 } … … 1858 2021 1859 2022 no_dssetup: 1860 result= cli_rpc_pipe_open_noauth(domain->conn.cli,2023 status = cli_rpc_pipe_open_noauth(domain->conn.cli, 1861 2024 &ndr_table_lsarpc.syntax_id, &cli); 1862 2025 1863 if (!NT_STATUS_IS_OK( result)) {2026 if (!NT_STATUS_IS_OK(status)) { 1864 2027 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to " 1865 2028 "PI_LSARPC on domain %s: (%s)\n", 1866 domain->name, nt_errstr( result)));2029 domain->name, nt_errstr(status))); 1867 2030 TALLOC_FREE(cli); 1868 2031 TALLOC_FREE(mem_ctx); … … 1870 2033 } 1871 2034 1872 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,2035 status = rpccli_lsa_open_policy2(cli, mem_ctx, True, 1873 2036 SEC_FLAG_MAXIMUM_ALLOWED, &pol); 1874 2037 1875 if (NT_STATUS_IS_OK( result)) {2038 if (NT_STATUS_IS_OK(status)) { 1876 2039 /* This particular query is exactly what Win2k clients use 1877 2040 to determine that the DC is active directory */ 1878 
result = rpccli_lsa_QueryInfoPolicy2(cli, mem_ctx,2041 status = dcerpc_lsa_QueryInfoPolicy2(cli->binding_handle, mem_ctx, 1879 2042 &pol, 1880 2043 LSA_POLICY_INFO_DNS, 1881 &lsa_info); 1882 } 1883 1884 if (NT_STATUS_IS_OK(result)) { 2044 &lsa_info, 2045 &result); 2046 } 2047 2048 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) { 1885 2049 domain->active_directory = True; 1886 2050 … … 1912 2076 domain->active_directory = False; 1913 2077 1914 result = rpccli_lsa_open_policy(cli, mem_ctx, True,2078 status = rpccli_lsa_open_policy(cli, mem_ctx, True, 1915 2079 SEC_FLAG_MAXIMUM_ALLOWED, 1916 2080 &pol); 1917 2081 1918 if (!NT_STATUS_IS_OK( result)) {2082 if (!NT_STATUS_IS_OK(status)) { 1919 2083 goto done; 1920 2084 } 1921 2085 1922 result = rpccli_lsa_QueryInfoPolicy(cli, mem_ctx,2086 status = dcerpc_lsa_QueryInfoPolicy(cli->binding_handle, mem_ctx, 1923 2087 &pol, 1924 2088 LSA_POLICY_INFO_ACCOUNT_DOMAIN, 1925 &lsa_info );1926 1927 if (NT_STATUS_IS_OK( result)) {2089 &lsa_info, 2090 &result); 2091 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) { 1928 2092 1929 2093 if (lsa_info->account_domain.name.string) { … … 1993 2157 1994 2158 if (lp_client_schannel() == False) { 1995 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; ;2159 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; 1996 2160 } 1997 2161 … … 2016 2180 { 2017 2181 struct winbindd_cm_conn *conn; 2018 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;2182 NTSTATUS status, result; 2019 2183 struct netlogon_creds_CredentialState *p_creds; 2020 2184 char *machine_password = NULL; … … 2022 2186 char *domain_name = NULL; 2023 2187 2024 result = init_dc_connection_rpc(domain); 2025 if (!NT_STATUS_IS_OK(result)) { 2026 return result; 2188 if (sid_check_is_domain(&domain->sid)) { 2189 return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle); 2190 } 2191 2192 status = init_dc_connection_rpc(domain); 2193 if (!NT_STATUS_IS_OK(status)) { 2194 return status; 2027 2195 } 2028 2196 … … 2046 2214 (conn->cli->password == 
NULL || conn->cli->password[0] == '\0')) 2047 2215 { 2048 result= get_trust_creds(domain, &machine_password,2216 status = get_trust_creds(domain, &machine_password, 2049 2217 &machine_account, NULL); 2050 if (!NT_STATUS_IS_OK( result)) {2218 if (!NT_STATUS_IS_OK(status)) { 2051 2219 DEBUG(10, ("cm_connect_sam: No no user available for " 2052 2220 "domain %s, trying schannel\n", conn->cli->domain)); … … 2061 2229 2062 2230 if (!machine_password || !machine_account) { 2063 result= NT_STATUS_NO_MEMORY;2231 status = NT_STATUS_NO_MEMORY; 2064 2232 goto done; 2065 2233 } … … 2067 2235 /* We have an authenticated connection. Use a NTLMSSP SPNEGO 2068 2236 authenticated SAMR pipe with sign & seal. */ 2069 result= cli_rpc_pipe_open_spnego_ntlmssp(conn->cli,2237 status = cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, 2070 2238 &ndr_table_samr.syntax_id, 2071 2239 NCACN_NP, … … 2076 2244 &conn->samr_pipe); 2077 2245 2078 if (!NT_STATUS_IS_OK( result)) {2246 if (!NT_STATUS_IS_OK(status)) { 2079 2247 DEBUG(10,("cm_connect_sam: failed to connect to SAMR " 2080 2248 "pipe for domain %s using NTLMSSP " 2081 2249 "authenticated pipe: user %s\\%s. 
Error was " 2082 2250 "%s\n", domain->name, domain_name, 2083 machine_account, nt_errstr( result)));2251 machine_account, nt_errstr(status))); 2084 2252 goto schannel; 2085 2253 } … … 2090 2258 domain_name, machine_account)); 2091 2259 2092 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,2260 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx, 2093 2261 conn->samr_pipe->desthost, 2094 2262 SEC_FLAG_MAXIMUM_ALLOWED, 2095 &conn->sam_connect_handle); 2096 if (NT_STATUS_IS_OK(result)) { 2263 &conn->sam_connect_handle, 2264 &result); 2265 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) { 2097 2266 goto open_domain; 2098 2267 } 2099 DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_Connect2 " 2268 if (NT_STATUS_IS_OK(status)) { 2269 status = result; 2270 } 2271 2272 DEBUG(10,("cm_connect_sam: ntlmssp-sealed dcerpc_samr_Connect2 " 2100 2273 "failed for domain %s, error was %s. Trying schannel\n", 2101 domain->name, nt_errstr( result) ));2274 domain->name, nt_errstr(status) )); 2102 2275 TALLOC_FREE(conn->samr_pipe); 2103 2276 … … 2106 2279 /* Fall back to schannel if it's a W2K pre-SP1 box. */ 2107 2280 2108 result= cm_get_schannel_creds(domain, &p_creds);2109 if (!NT_STATUS_IS_OK( result)) {2281 status = cm_get_schannel_creds(domain, &p_creds); 2282 if (!NT_STATUS_IS_OK(status)) { 2110 2283 /* If this call fails - conn->cli can now be NULL ! 
*/ 2111 2284 DEBUG(10, ("cm_connect_sam: Could not get schannel auth info " 2112 2285 "for domain %s (error %s), trying anon\n", 2113 2286 domain->name, 2114 nt_errstr( result) ));2287 nt_errstr(status) )); 2115 2288 goto anonymous; 2116 2289 } 2117 result= cli_rpc_pipe_open_schannel_with_key2290 status = cli_rpc_pipe_open_schannel_with_key 2118 2291 (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP, 2119 2292 DCERPC_AUTH_LEVEL_PRIVACY, 2120 2293 domain->name, &p_creds, &conn->samr_pipe); 2121 2294 2122 if (!NT_STATUS_IS_OK( result)) {2295 if (!NT_STATUS_IS_OK(status)) { 2123 2296 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for " 2124 2297 "domain %s using schannel. Error was %s\n", 2125 domain->name, nt_errstr( result) ));2298 domain->name, nt_errstr(status) )); 2126 2299 goto anonymous; 2127 2300 } … … 2129 2302 "schannel.\n", domain->name )); 2130 2303 2131 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,2304 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx, 2132 2305 conn->samr_pipe->desthost, 2133 2306 SEC_FLAG_MAXIMUM_ALLOWED, 2134 &conn->sam_connect_handle); 2135 if (NT_STATUS_IS_OK(result)) { 2307 &conn->sam_connect_handle, 2308 &result); 2309 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) { 2136 2310 goto open_domain; 2137 2311 } 2138 DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_Connect2 failed " 2312 if (NT_STATUS_IS_OK(status)) { 2313 status = result; 2314 } 2315 DEBUG(10,("cm_connect_sam: schannel-sealed dcerpc_samr_Connect2 failed " 2139 2316 "for domain %s, error was %s. Trying anonymous\n", 2140 domain->name, nt_errstr( result) ));2317 domain->name, nt_errstr(status) )); 2141 2318 TALLOC_FREE(conn->samr_pipe); 2142 2319 … … 2144 2321 2145 2322 /* Finally fall back to anonymous. 
*/ 2146 result= cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,2323 status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id, 2147 2324 &conn->samr_pipe); 2148 2325 2149 if (!NT_STATUS_IS_OK( result)) {2326 if (!NT_STATUS_IS_OK(status)) { 2150 2327 goto done; 2151 2328 } 2152 2329 2153 result = rpccli_samr_Connect2(conn->samr_pipe, mem_ctx,2330 status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx, 2154 2331 conn->samr_pipe->desthost, 2155 2332 SEC_FLAG_MAXIMUM_ALLOWED, 2156 &conn->sam_connect_handle); 2157 if (!NT_STATUS_IS_OK(result)) { 2333 &conn->sam_connect_handle, 2334 &result); 2335 if (!NT_STATUS_IS_OK(status)) { 2158 2336 DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed " 2159 2337 "for domain %s Error was %s\n", 2160 domain->name, nt_errstr( result) ));2338 domain->name, nt_errstr(status) )); 2161 2339 goto done; 2162 2340 } 2341 if (!NT_STATUS_IS_OK(result)) { 2342 status = result; 2343 DEBUG(10,("cm_connect_sam: dcerpc_samr_Connect2 failed " 2344 "for domain %s Error was %s\n", 2345 domain->name, nt_errstr(result))); 2346 goto done; 2347 } 2163 2348 2164 2349 open_domain: 2165 result = rpccli_samr_OpenDomain(conn->samr_pipe,2350 status = dcerpc_samr_OpenDomain(conn->samr_pipe->binding_handle, 2166 2351 mem_ctx, 2167 2352 &conn->sam_connect_handle, 2168 2353 SEC_FLAG_MAXIMUM_ALLOWED, 2169 2354 &domain->sid, 2170 &conn->sam_domain_handle); 2171 2355 &conn->sam_domain_handle, 2356 &result); 2357 if (!NT_STATUS_IS_OK(status)) { 2358 goto done; 2359 } 2360 2361 status = result; 2172 2362 done: 2173 2363 2174 if (NT_STATUS_EQUAL( result, NT_STATUS_ACCESS_DENIED)) {2364 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { 2175 2365 /* 2176 2366 * if we got access denied, we might just have no access rights … … 2182 2372 TALLOC_FREE(conn->samr_pipe); 2183 2373 ZERO_STRUCT(conn->sam_domain_handle); 2184 return result;2185 } else if (!NT_STATUS_IS_OK( result)) {2374 return status; 2375 } else if 
(!NT_STATUS_IS_OK(status)) { 2186 2376 invalidate_cm_connection(conn); 2187 return result;2377 return status; 2188 2378 } 2189 2379 … … 2192 2382 SAFE_FREE(machine_password); 2193 2383 SAFE_FREE(machine_account); 2194 return result;2384 return status; 2195 2385 } 2196 2386 … … 2504 2694 return NT_STATUS_OK; 2505 2695 } 2696 2697 void winbind_msg_ip_dropped(struct messaging_context *msg_ctx, 2698 void *private_data, 2699 uint32_t msg_type, 2700 struct server_id server_id, 2701 DATA_BLOB *data) 2702 { 2703 struct winbindd_domain *domain; 2704 char *freeit = NULL; 2705 char *addr; 2706 2707 if ((data == NULL) 2708 || (data->data == NULL) 2709 || (data->length == 0) 2710 || (data->data[data->length-1] != '\0')) { 2711 DEBUG(1, ("invalid msg_ip_dropped message: not a valid " 2712 "string\n")); 2713 return; 2714 } 2715 2716 addr = (char *)data->data; 2717 DEBUG(10, ("IP %s dropped\n", addr)); 2718 2719 if (!is_ipaddress(addr)) { 2720 char *slash; 2721 /* 2722 * Some code sends us ip addresses with the /netmask 2723 * suffix 2724 */ 2725 slash = strchr(addr, '/'); 2726 if (slash == NULL) { 2727 DEBUG(1, ("invalid msg_ip_dropped message: %s", 2728 addr)); 2729 return; 2730 } 2731 freeit = talloc_strndup(talloc_tos(), addr, slash-addr); 2732 if (freeit == NULL) { 2733 DEBUG(1, ("talloc failed\n")); 2734 return; 2735 } 2736 addr = freeit; 2737 DEBUG(10, ("Stripped /netmask to IP %s\n", addr)); 2738 } 2739 2740 for (domain = domain_list(); domain != NULL; domain = domain->next) { 2741 char sockaddr[INET6_ADDRSTRLEN]; 2742 if (domain->conn.cli == NULL) { 2743 continue; 2744 } 2745 if (domain->conn.cli->fd == -1) { 2746 continue; 2747 } 2748 client_socket_addr(domain->conn.cli->fd, sockaddr, 2749 sizeof(sockaddr)); 2750 if (strequal(sockaddr, addr)) { 2751 close(domain->conn.cli->fd); 2752 domain->conn.cli->fd = -1; 2753 } 2754 } 2755 TALLOC_FREE(freeit); 2756 }
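Review bot: In set_dc_type_and_flags_connect (new lines 1994-1998), the WERROR from dcerpc_dssetup_DsRoleGetPrimaryDomainInformation is converted into `result`, but the check that follows tests only `status`. A call that succeeds at the transport level while the DC returns a failing `werr` is therefore treated as success. The code after the check lies outside the visible hunk, but it presumably goes on to read `info`, which the server would not have filled in for that case. Assign to the variable that is actually tested: `if (NT_STATUS_IS_OK(status)) { status = werror_to_ntstatus(werr); }`. The DEBUG message in that failure branch also still names `rpccli_ds_getprimarydominfo` and could be updated to the dcerpc_ call name, as the other hunks do.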