The branch, v3-6-test has been updated via 4ab547a s3-winbind: use new reconnect logic in rpc_lookup_sids() also. via c64473a s3-winbindd: rework reconnect logic in winbindd_lookup_names(). via 7cdebbe s3-winbindd: rework reconnect logic in winbindd_lookup_sids(). via 1c13408 s3-winbindd: remove lookup_sids_fn_t. via ea68747 s3-winbindd: remove lookup_names_fn_t. via 4a86c29 s3-rpc_client: make dcerpc_lsa_lookup_names_generic() public. via bb5e0a9 s3-rpc_cli: make dcerpc_lsa_lookup_sids_generic() public. via 5ccb4e5 s3-winbindd: add cm_connect_lsat(). via 83ac277 s3-rpc_cli: Remove some unused wrapping code. via bbaa714 s3: Make winbindd_lookup_names static from d7fdb05 spoolss: fix segfault when "default devmode" is disabled
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log ----------------------------------------------------------------- commit 4ab547a8ddcb45e479079361a601e08476954110 Author: Günther Deschner <g...@samba.org> Date: Thu Nov 29 14:31:19 2012 +0100 s3-winbind: use new reconnect logic in rpc_lookup_sids() also. Volker, please check. Guenther Signed-off-by: Günther Deschner <g...@samba.org> The last 10 patches address bug #9439 - ncacn_ip_tcp reconnection code for lsa lookups still broken. commit c64473ab88ca36462e7976bf0006bc092386894c Author: Günther Deschner <g...@samba.org> Date: Thu Nov 29 12:03:53 2012 +0100 s3-winbindd: rework reconnect logic in winbindd_lookup_names(). Guenther Signed-off-by: Günther Deschner <g...@samba.org> commit 7cdebbe5122c7174bc7e74297bf1e891cb14fe78 Author: Günther Deschner <g...@samba.org> Date: Thu Nov 29 12:03:16 2012 +0100 s3-winbindd: rework reconnect logic in winbindd_lookup_sids(). Guenther Signed-off-by: Günther Deschner <g...@samba.org> commit 1c1340846926f97bda823f4fac1fea86b4b6f0d1 Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 20:41:21 2012 +0100 s3-winbindd: remove lookup_sids_fn_t. Guenther Signed-off-by: Günther Deschner <g...@samba.org> commit ea687479739d6d6e371e641cf0aa432e355a2fce Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 17:03:40 2012 +0100 s3-winbindd: remove lookup_names_fn_t. Guenther Signed-off-by: Günther Deschner <g...@samba.org> commit 4a86c29fa5140a5a3ad68967abef5eeffaf448c1 Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 17:00:49 2012 +0100 s3-rpc_client: make dcerpc_lsa_lookup_names_generic() public. Guenther Signed-off-by: Günther Deschner <g...@samba.org> commit bb5e0a95f62354129ef3569a23298091d58a02e3 Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 16:57:57 2012 +0100 s3-rpc_cli: make dcerpc_lsa_lookup_sids_generic() public. Guenther 
Signed-off-by: Günther Deschner <g...@samba.org> commit 5ccb4e5a90aa1b681380899d56971dfc7ceb1b34 Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 16:57:24 2012 +0100 s3-winbindd: add cm_connect_lsat(). Guenther Signed-off-by: Günther Deschner <g...@samba.org> commit 83ac2771622d90e50ef27778a8227872571b9af3 Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 14:53:27 2012 +0100 s3-rpc_cli: Remove some unused wrapping code. Guenther Signed-off-by: Günther Deschner <g...@samba.org> commit bbaa7142d168949019d989c2d853717faad30cb0 Author: Volker Lendecke <v...@samba.org> Date: Tue Sep 6 18:33:35 2011 +0200 s3: Make winbindd_lookup_names static Autobuild-User: Volker Lendecke <vlen...@samba.org> Autobuild-Date: Tue Sep 6 20:03:56 CEST 2011 on sn-devel-104 (cherry picked from commit fd65e5eb8cdd38917a574734c9079cd75e4e1be0) ----------------------------------------------------------------------- Summary of changes: source3/rpc_client/cli_lsarpc.c | 101 ++++++---------------------- source3/rpc_client/cli_lsarpc.h | 39 ++++++----- source3/winbindd/winbindd_cm.c | 31 +++++++++ source3/winbindd/winbindd_msrpc.c | 131 +++++++++++++++++-------------------- source3/winbindd/winbindd_proto.h | 11 +-- source3/winbindd/winbindd_rpc.c | 23 ++----- 6 files changed, 145 insertions(+), 191 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index 99e0262..330774d 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c 
@@ -330,16 +330,16 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h, * at 20480 for win2k3, but we keep it at a save 1000 for now. */ #define LOOKUP_SIDS_HUNK_SIZE 1000 -static NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_sids, - const struct dom_sid *sids, - char ***pdomains, - char ***pnames, - enum lsa_SidType **ptypes, - bool use_lookupsids3, - NTSTATUS *presult) +NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const struct dom_sid *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes, + bool use_lookupsids3, + NTSTATUS *presult) { NTSTATUS status = NT_STATUS_OK; NTSTATUS result = NT_STATUS_OK; 
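Review bot: The newly exported dcerpc_lsa_lookup_sids_generic() keeps a signed `int num_sids`, while winbindd_lookup_sids() in this same changeset holds a `uint32_t num_sids` and the names counterpart takes `uint32_t num_names`. Now that the function is public API, a count above INT_MAX would silently turn negative at the call boundary. How the body uses the count is outside this hunk, so the impact is not visible here. Either switch the parameter to `uint32_t num_sids`, or have callers reject oversized input first with `if (num_sids > INT_MAX) return NT_STATUS_INVALID_PARAMETER;`.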
@@ -539,48 +539,19 @@ NTSTATUS dcerpc_lsa_lookup_sids3(struct dcerpc_binding_handle *h, result); } -NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_sids, - const struct dom_sid *sids, - char ***pdomains, - char ***pnames, - enum lsa_SidType **ptypes) -{ - NTSTATUS status; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - status = dcerpc_lsa_lookup_sids_generic(cli->binding_handle, - mem_ctx, - pol, - num_sids, - sids, - pdomains, - pnames, - ptypes, - true, - &result); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - return result; -} - /** Lookup a list of names */ -static NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - uint32_t num_names, - const char **names, - const char ***dom_names, - enum lsa_LookupNamesLevel level, - struct dom_sid **sids, - enum lsa_SidType **types, - bool use_lookupnames4, - NTSTATUS *presult) +NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + uint32_t num_names, + const char **names, + const char ***dom_names, + enum lsa_LookupNamesLevel level, + struct dom_sid **sids, + enum lsa_SidType **types, + bool use_lookupnames4, + NTSTATUS *presult) { NTSTATUS status; struct lsa_String *lsa_names = NULL; 
@@ -790,33 +761,3 @@ NTSTATUS dcerpc_lsa_lookup_names4(struct dcerpc_binding_handle *h, true, result); } - -NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_names, - const char **names, - const char ***dom_names, - int level, - struct dom_sid **sids, - enum lsa_SidType **types) -{ - NTSTATUS status; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - status = dcerpc_lsa_lookup_names4(cli->binding_handle, - mem_ctx, - pol, - num_names, - names, - dom_names, - level, - sids, - types, - &result); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - return result; -} diff --git a/source3/rpc_client/cli_lsarpc.h b/source3/rpc_client/cli_lsarpc.h index a26193e..36afe0b 100644 --- a/source3/rpc_client/cli_lsarpc.h +++ b/source3/rpc_client/cli_lsarpc.h @@ -125,7 +125,16 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, char ***pdomains, char ***pnames, enum lsa_SidType **ptypes); - +NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const struct dom_sid *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes, + bool use_lookupsids3, + NTSTATUS *presult); /** * @brief Look up the names that correspond to an array of sids. * @@ -158,15 +167,6 @@ NTSTATUS dcerpc_lsa_lookup_sids3(struct dcerpc_binding_handle *h, char ***pnames, enum lsa_SidType **ptypes, NTSTATUS *result); -NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_sids, - const struct dom_sid *sids, - char ***pdomains, - char ***pnames, - enum lsa_SidType **ptypes); - NTSTATUS dcerpc_lsa_lookup_names(struct dcerpc_binding_handle *h, TALLOC_CTX *mem_ctx, struct policy_handle *pol, 
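Review bot: The prototype added to cli_lsarpc.h at -125 has no doc comment, although the neighbouring declarations carry Doxygen blocks, and it now sits directly above the `@brief` comment that belongs to the next function. A short `/** ... */` block should state that the return value is the call's own status while `*presult` receives the server's NTSTATUS, as the handling in the removed rpccli_lsa_lookup_sids3() wrapper suggests. It should also say that `use_lookupsids3` selects the LookupSids3 variant, which the winbindd caller enables only on an NCACN_IP_TCP transport, and whether `pol` is read in that case. The same applies to the dcerpc_lsa_lookup_names_generic() prototype added at -196, with `use_lookupnames4`.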
@@ -196,14 +196,17 @@ NTSTATUS dcerpc_lsa_lookup_names4(struct dcerpc_binding_handle *h, struct dom_sid **sids, enum lsa_SidType **types, NTSTATUS *result); -NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, int num_names, - const char **names, - const char ***dom_names, - int level, - struct dom_sid **sids, - enum lsa_SidType **types); +NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + uint32_t num_names, + const char **names, + const char ***dom_names, + enum lsa_LookupNamesLevel level, + struct dom_sid **sids, + enum lsa_SidType **types, + bool use_lookupnames4, + NTSTATUS *presult); bool fetch_domain_sid( char *domain, char *remote_machine, struct dom_sid *psid); diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 9a02789..28583fd 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -2568,6 +2568,37 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, } /**************************************************************************** +Open a LSA connection to a DC, suiteable for LSA lookup calls. +****************************************************************************/ + +NTSTATUS cm_connect_lsat(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct rpc_pipe_client **cli, + struct policy_handle *lsa_policy) +{ + NTSTATUS status; + + if (domain->can_do_ncacn_ip_tcp) { + status = cm_connect_lsa_tcp(domain, mem_ctx, cli); + if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || + NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) || + NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { + invalidate_cm_connection(&domain->conn); + status = cm_connect_lsa_tcp(domain, mem_ctx, cli); + } + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_OK; + } + + status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy); + + return status; +} + +/**************************************************************************** Open the netlogon pipe to this DC. Use schannel if specified in client conf. session key stored in conn->netlogon_pipe->dc->sess_key. ****************************************************************************/ diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c index 921cdb5..b14a4f8 100644 --- a/source3/winbindd/winbindd_msrpc.c +++ b/source3/winbindd/winbindd_msrpc.c @@ -35,6 +35,13 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND +static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, + uint32_t num_names, + const char **names, + const char ***domains, + struct dom_sid **sids, + enum lsa_SidType **types); /* Query display info for a domain. This returns enough information plus a bit extra to give an overview of domain users for the User Manager 
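Review bot: On the ncacn_ip_tcp path cm_connect_lsat() returns NT_STATUS_OK without ever writing `lsa_policy`, yet the callers in winbindd_msrpc.c pass the address of an uninitialised stack `struct policy_handle` and forward it to the lookup call. That is presumably harmless as long as the LookupSids3/LookupNames4 variants ignore the handle, but nothing at the call site shows it. Zero it before the branch with `ZERO_STRUCTP(lsa_policy);` and say in the header comment that the handle is only valid for a named-pipe connection. Separately, a cm_connect_lsa_tcp() failure with any status other than the three listed is now returned directly, where the old callers cleared `can_do_ncacn_ip_tcp` and fell back to cm_connect_lsa(). Unless cm_connect_lsa_tcp() clears that flag itself, a DC whose TCP endpoint is unreachable would fail every lookup instead of degrading to the named pipe.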
@@ -1057,16 +1064,6 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain, return status; } -typedef NTSTATUS (*lookup_sids_fn_t)(struct dcerpc_binding_handle *h, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_sids, - const struct dom_sid *sids, - char ***pdomains, - char ***pnames, - enum lsa_SidType **ptypes, - NTSTATUS *result); - NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, uint32_t num_sids, @@ -1081,25 +1078,21 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, struct dcerpc_binding_handle *b = NULL; struct policy_handle lsa_policy; unsigned int orig_timeout; - lookup_sids_fn_t lookup_sids_fn = dcerpc_lsa_lookup_sids; - - if (domain->can_do_ncacn_ip_tcp) { - status = cm_connect_lsa_tcp(domain, mem_ctx, &cli); - if (NT_STATUS_IS_OK(status)) { - lookup_sids_fn = dcerpc_lsa_lookup_sids3; - goto lookup; - } - domain->can_do_ncacn_ip_tcp = false; - } - status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + bool use_lookupsids3 = false; + bool retried = false; + connect: + status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy); if (!NT_STATUS_IS_OK(status)) { return status; } - lookup: b = cli->binding_handle; + if (cli->transport->transport == NCACN_IP_TCP) { + use_lookupsids3 = true; + } + /* * This call can take a long time * allow the server to time out. 
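Review bot: In the winbindd_lookup_sids() hunk at -1081, `use_lookupsids3` is only ever set to true and is initialised above the `connect:` label, so a value from the first attempt survives the `goto connect` retry. If the first connection was ncacn_ip_tcp and the reconnect comes back over a named pipe, the LookupSids3 variant would still be selected on the wrong transport. Assign it from the current connection on every pass, `use_lookupsids3 = (cli->transport->transport == NCACN_IP_TCP);`, and do the same for `use_lookupnames4` in the winbindd_lookup_names() hunk at -1168. The function body continues outside this hunk.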
@@ -1107,21 +1100,23 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, */ orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000); - status = lookup_sids_fn(b, - mem_ctx, - &lsa_policy, - num_sids, - sids, - domains, - names, - types, - &result); + status = dcerpc_lsa_lookup_sids_generic(b, + mem_ctx, + &lsa_policy, + num_sids, + sids, + domains, + names, + types, + use_lookupsids3, + &result); /* And restore our original timeout. */ dcerpc_binding_handle_set_timeout(b, orig_timeout); if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || - NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) { + NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) || + NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { /* * This can happen if the schannel key is not * valid anymore, we need to invalidate the @@ -1129,6 +1124,11 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, * a netlogon connection first. */ invalidate_cm_connection(&domain->conn); + domain->can_do_ncacn_ip_tcp = domain->active_directory; + if (!retried) { + retried = true; + goto connect; + } status = NT_STATUS_ACCESS_DENIED; } @@ -1143,24 +1143,13 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -typedef NTSTATUS (*lookup_names_fn_t)(struct dcerpc_binding_handle *h, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, +static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, uint32_t num_names, const char **names, - const char ***dom_names, - enum lsa_LookupNamesLevel level, + const char ***domains, struct dom_sid **sids, - enum lsa_SidType **types, - NTSTATUS *result); - -NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, - struct winbindd_domain *domain, - uint32_t num_names, - const char **names, - const char ***domains, - struct dom_sid **sids, - enum lsa_SidType **types) + enum lsa_SidType **types) { NTSTATUS status; NTSTATUS result; 
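Review bot: The retry branch added at -1129 resets `domain->can_do_ncacn_ip_tcp = domain->active_directory;` before reconnecting, but the matching branch in winbindd_lookup_names() (hunk at -1217) only invalidates the connection. The two lookups can therefore end up on different transports after the same failure, so pick one behaviour and apply it to both. The first ACCESS_DENIED / RPC_SEC_PKG_ERROR is also swallowed without a trace, and that is the event an operator needs to see when the machine-account secret or schannel key has gone stale. Log it before the jump, e.g. `DEBUG(3, ("winbindd_lookup_sids: %s, reconnecting once\n", nt_errstr(status)));`. The retry is keyed on `status` only; whether `result` can carry the same codes is decided outside this hunk.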
@@ -1168,25 +1157,21 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, struct dcerpc_binding_handle *b = NULL; struct policy_handle lsa_policy; unsigned int orig_timeout = 0; - lookup_names_fn_t lookup_names_fn = dcerpc_lsa_lookup_names; - - if (domain->can_do_ncacn_ip_tcp) { - status = cm_connect_lsa_tcp(domain, mem_ctx, &cli); - if (NT_STATUS_IS_OK(status)) { - lookup_names_fn = dcerpc_lsa_lookup_names4; - goto lookup; - } - domain->can_do_ncacn_ip_tcp = false; - } - status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + bool use_lookupnames4 = false; + bool retried = false; + connect: + status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy); if (!NT_STATUS_IS_OK(status)) { return status; } - lookup: b = cli->binding_handle; + if (cli->transport->transport == NCACN_IP_TCP) { + use_lookupnames4 = true; + } + /* * This call can take a long time * allow the server to time out. @@ -1194,22 +1179,24 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, */ orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000); - status = lookup_names_fn(b, - mem_ctx, - &lsa_policy, - num_names, - (const char **) names, - domains, - 1, - sids, - types, - &result); + status = dcerpc_lsa_lookup_names_generic(b, + mem_ctx, + &lsa_policy, + num_names, + (const char **) names, + domains, + 1, + sids, + types, + use_lookupnames4, + &result); /* And restore our original timeout. */ dcerpc_binding_handle_set_timeout(b, orig_timeout); if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || - NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) { + NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) || + NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { /* * This can happen if the schannel key is not * valid anymore, we need to invalidate the 
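Review bot: In the call rewritten at -1194, the lookup level is still passed as the bare literal `1`, although dcerpc_lsa_lookup_names_generic() now declares that parameter as `enum lsa_LookupNamesLevel level`. Use the named constant, `LSA_LOOKUP_NAMES_ALL,`, so the intent stays readable and survives any renumbering in the IDL. The `(const char **) names` cast is a no-op, since `names` is already declared `const char **` in the signature shown in the previous hunk, and can be dropped so that a future type change is not masked.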
@@ -1217,6 +1204,10 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, * a netlogon connection first. */ invalidate_cm_connection(&domain->conn); + if (!retried) { + retried = true; + goto connect; + } status = NT_STATUS_ACCESS_DENIED; } diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 41292d4..a38d54c 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -47,13 +47,6 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, char ***domains, char ***names, enum lsa_SidType **types); -NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, - struct winbindd_domain *domain, - uint32_t num_names, - const char **names, - const char ***domains, - struct dom_sid **sids, - enum lsa_SidType **types); NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, struct lsa_SidArray *sids, @@ -170,6 +163,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, struct rpc_pipe_client **cli); +NTSTATUS cm_connect_lsat(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct rpc_pipe_client **cli, + struct policy_handle *lsa_policy); NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, struct rpc_pipe_client **cli); bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx, diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index bf438a6..9a95e57 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -1033,6 +1033,7 @@ NTSTATUS rpc_trusted_domains(TALLOC_CTX *mem_ctx, static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, + struct rpc_pipe_client *cli, struct lsa_SidArray *sids, struct lsa_RefDomainList **pdomains, struct lsa_TransNameArray **pnames) 
@@ -1040,15 +1041,8 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx, struct lsa_TransNameArray2 lsa_names2; struct lsa_TransNameArray *names; -- Samba Shared Repository