The branch, master has been updated
via ae72733 s3-winbindd: Attempt to connect to NETLOGON over
NCACN_IP_TCP if we can
from e94422a build: Hook CTDB into top level build using
--with-cluster-support
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ae72733874f474c24fdeb5d9bc718ddf9abf4b8f
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Sep 5 16:59:00 2014 +1200
s3-winbindd: Attempt to connect to NETLOGON over NCACN_IP_TCP if we can
This is very helpful in the trusted domain situation, as we may not
have a two-way trust but we can use our domain trust account to set up
a connection to NETLOGON
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Wed Oct 8 12:48:15 CEST 2014 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
librpc/rpc/rpc_common.h | 2 +
source3/auth/auth_domain.c | 2 +-
source3/libnet/libnet_join.c | 4 +-
source3/rpc_client/cli_netlogon.c | 8 +++--
source3/rpc_client/cli_netlogon.h | 2 +
source3/rpc_client/cli_pipe_schannel.c | 2 +-
source3/rpcclient/rpcclient.c | 2 +-
source3/winbindd/winbindd_cm.c | 54 +++++++++++++++++++++++++++----
8 files changed, 61 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
index ce7e6ea..1b54b80 100644
--- a/librpc/rpc/rpc_common.h
+++ b/librpc/rpc/rpc_common.h
@@ -22,6 +22,8 @@
#ifndef __DEFAULT_LIBRPC_RPCCOMMON_H__
#define __DEFAULT_LIBRPC_RPCCOMMON_H__
+#include "gen_ndr/dcerpc.h"
+
struct dcerpc_binding_handle;
struct GUID;
struct ndr_interface_table;
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 937841c..373b596 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -148,7 +148,7 @@ static NTSTATUS connect_to_domain_password_server(struct
cli_state **cli_ret,
return result;
}
- result = rpccli_setup_netlogon_creds(cli,
+ result = rpccli_setup_netlogon_creds(cli, NCACN_NP,
netlogon_creds,
false, /* force_reauth */
current_nt_hash,
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index e70e11a..be953ae 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -983,7 +983,7 @@ static NTSTATUS
libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
return status;
}
- status = rpccli_setup_netlogon_creds(cli,
+ status = rpccli_setup_netlogon_creds(cli, NCACN_NP,
netlogon_creds,
true, /* force_reauth */
current_nt_hash,
@@ -1444,7 +1444,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
return status;
}
- status = rpccli_setup_netlogon_creds(cli,
+ status = rpccli_setup_netlogon_creds(cli, NCACN_NP,
netlogon_creds,
true, /* force_reauth */
current_nt_hash,
diff --git a/source3/rpc_client/cli_netlogon.c
b/source3/rpc_client/cli_netlogon.c
index 7063351..a5ea02c 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -125,6 +125,7 @@ NTSTATUS rpccli_create_netlogon_creds(const char
*server_computer,
}
NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+ enum dcerpc_transport_t transport,
struct netlogon_creds_cli_context
*netlogon_creds,
bool force_reauth,
struct samr_Password current_nt_hash,
@@ -155,9 +156,10 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
TALLOC_FREE(creds);
}
- status = cli_rpc_pipe_open_noauth(cli,
- &ndr_table_netlogon,
- &netlogon_pipe);
+ status = cli_rpc_pipe_open_noauth_transport(cli,
+ transport,
+ &ndr_table_netlogon,
+ &netlogon_pipe);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(5,("%s: failed to open noauth netlogon connection to %s -
%s\n",
__FUNCTION__,
diff --git a/source3/rpc_client/cli_netlogon.h
b/source3/rpc_client/cli_netlogon.h
index fee0801..cc4033e 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -27,6 +27,7 @@ struct cli_state;
struct messaging_context;
struct netlogon_creds_cli_context;
struct dcerpc_binding_handle;
+#include "librpc/rpc/rpc_common.h"
/* The following definitions come from rpc_client/cli_netlogon.c */
@@ -39,6 +40,7 @@ NTSTATUS rpccli_create_netlogon_creds(const char
*server_computer,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context
**netlogon_creds);
NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+ enum dcerpc_transport_t transport,
struct netlogon_creds_cli_context
*netlogon_creds,
bool force_reauth,
struct samr_Password current_nt_hash,
diff --git a/source3/rpc_client/cli_pipe_schannel.c
b/source3/rpc_client/cli_pipe_schannel.c
index a842333..7b53cf0 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -90,7 +90,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
return status;
}
- status = rpccli_setup_netlogon_creds(cli,
+ status = rpccli_setup_netlogon_creds(cli, transport,
netlogon_creds,
false, /* force_reauth */
current_nt_hash,
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 7b190c1..a573106 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -805,7 +805,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
return ntresult;
}
- ntresult = rpccli_setup_netlogon_creds(cli,
+ ntresult = rpccli_setup_netlogon_creds(cli, NCACN_NP,
rpcclient_netlogon_creds,
false, /* force_reauth
*/
current_nt_hash,
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 96c4577..24ff1f7 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2947,6 +2947,8 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
* we tried twice to connect via ncan_ip_tcp and schannel and
* failed - maybe it is a trusted domain we can't connect to ?
* do not try tcp next time - gd
+ *
+ * This also prevents NETLOGON over TCP
*/
domain->can_do_ncacn_ip_tcp = false;
}
@@ -2961,8 +2963,9 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
session key stored in conn->netlogon_pipe->dc->sess_key.
****************************************************************************/
-NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
- struct rpc_pipe_client **cli)
+static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+ enum dcerpc_transport_t transport,
+ struct rpc_pipe_client **cli)
{
struct messaging_context *msg_ctx = winbind_messaging_context();
struct winbindd_cm_conn *conn;
@@ -3028,7 +3031,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain
*domain,
return result;
}
- result = rpccli_setup_netlogon_creds(conn->cli,
+ result = rpccli_setup_netlogon_creds(conn->cli, transport,
conn->netlogon_creds,
conn->netlogon_force_reauth,
current_nt_hash,
@@ -3066,9 +3069,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain
*domain,
invalidate_cm_connection(domain);
return result;
}
- result = cli_rpc_pipe_open_noauth(conn->cli,
- &ndr_table_netlogon,
- &conn->netlogon_pipe);
+ result = cli_rpc_pipe_open_noauth_transport(conn->cli,
+ transport,
+ &ndr_table_netlogon,
+
&conn->netlogon_pipe);
if (!NT_STATUS_IS_OK(result)) {
invalidate_cm_connection(domain);
return result;
@@ -3084,7 +3088,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain
*domain,
*/
result = cli_rpc_pipe_open_schannel_with_key(
- conn->cli, &ndr_table_netlogon, NCACN_NP,
+ conn->cli, &ndr_table_netlogon, transport,
domain->name,
conn->netlogon_creds,
&conn->netlogon_pipe);
@@ -3100,6 +3104,42 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain
*domain,
return NT_STATUS_OK;
}
+/****************************************************************************
+Open a LSA connection to a DC, suiteable for LSA lookup calls.
+****************************************************************************/
+
+NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ struct rpc_pipe_client **cli)
+{
+ NTSTATUS status;
+
+ if (domain->active_directory && domain->can_do_ncacn_ip_tcp) {
+ status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP,
cli);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
+ invalidate_cm_connection(domain);
+ status = cm_connect_netlogon_transport(domain,
NCACN_IP_TCP, cli);
+ }
+ if (NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /*
+ * we tried twice to connect via ncan_ip_tcp and schannel and
+ * failed - maybe it is a trusted domain we can't connect to ?
+ * do not try tcp next time - gd
+ *
+ * This also prevents LSA over TCP
+ */
+ domain->can_do_ncacn_ip_tcp = false;
+ }
+
+ status = cm_connect_netlogon_transport(domain, NCACN_NP, cli);
+
+ return status;
+}
+
void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
void *private_data,
uint32_t msg_type,
--
Samba Shared Repository
