static int get_ldap_sequence_number( const char* domain, uint32 *seq)
{
int ret = -1;
int i, port = LDAP_PORT;
struct ip_service *ip_list = NULL;
int count;
if ( !get_sorted_dc_list(domain, &ip_list, &count, False) ) {
DEBUG(3, ("Could not look up dc's for domain %s\n", domain));
return False;
}
/* Finally return first DC that we can contact */
for (i = 0; i < count; i++) {
fstring ipstr;
/* since the is an LDAP lookup, default to the LDAP_PORT is not set */
port = (ip_list[i].port!= PORT_NONE) ? ip_list[i].port : LDAP_PORT;
fstrcpy( ipstr, inet_ntoa(ip_list[i].ip) );
if (is_zero_ip(ip_list[i].ip))
continue;
if ( (ret = get_ldap_seq( ipstr, port, seq)) == 0 )
goto done;
/* add to failed connection cache */
add_failed_connection_entry( domain, ipstr, NT_STATUS_UNSUCCESSFUL );
}
done:
if ( ret == 0 ) {
DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence number for Domain (%s) from DC (%s:%d)\n",
domain, inet_ntoa(ip_list[i].ip), port));
}
SAFE_FREE(ip_list);
return ret;
}
static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
const int sockfd,
const int pipe_index,
const char *controller,
struct cli_state **cli,
BOOL *retry)
{
char *machine_password, *machine_krb5_principal;
char *ipc_username, *ipc_domain, *ipc_password;
BOOL got_mutex;
BOOL add_failed_connection = True;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct sockaddr peeraddr;
socklen_t peeraddr_len;
struct sockaddr_in *peeraddr_in = (struct sockaddr_in *)&peeraddr;
machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL,
NULL);
if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(),
lp_realm()) == -1) {
SAFE_FREE(machine_password);
return NT_STATUS_NO_MEMORY;
}
cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
*retry = True;
got_mutex = secrets_named_mutex(controller,
WINBIND_SERVER_MUTEX_WAIT_TIME);
if (!got_mutex) {
DEBUG(0,("cm_open_connection: mutex grab failed for %s\n",
controller));
result = NT_STATUS_POSSIBLE_DEADLOCK;
goto done;
}
if ((*cli = cli_initialise(NULL)) == NULL) {
DEBUG(1, ("Could not cli_initialize\n"));
result = NT_STATUS_NO_MEMORY;
goto done;
}
(*cli)->timeout = 10000; /* 10 seconds */
(*cli)->fd = sockfd;
fstrcpy((*cli)->desthost, controller);
(*cli)->use_kerberos = True;
peeraddr_len = sizeof(peeraddr);
if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0) ||
(peeraddr_len != sizeof(struct sockaddr_in)) ||
(peeraddr_in->sin_family != PF_INET))
{
DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno)));
goto done;
}
if (ntohs(peeraddr_in->sin_port) == 139) {
struct nmb_name calling;
struct nmb_name called;
make_nmb_name(&calling, global_myname(), 0x0);
make_nmb_name(&called, "*SMBSERVER", 0x20);
if (!cli_session_request(*cli, &calling, &called)) {
DEBUG(8, ("cli_session_request failed for %s\n",
controller));
goto done;
}
}
cli_setup_signing_state(*cli, Undefined);
if (!cli_negprot(*cli)) {
DEBUG(1, ("cli_negprot failed\n"));
cli_shutdown(*cli);
goto done;
}
/* Krb5 session */
if ((lp_security() == SEC_ADS)
&& ((*cli)->protocol >= PROTOCOL_NT1 &&
(*cli)->capabilities & CAP_EXTENDED_SECURITY)) {
ADS_STATUS ads_status;
(*cli)->use_kerberos = True;
DEBUG(5, ("connecting to %s from %s with kerberos principal "
"[%s]\n", controller, global_myname(),
machine_krb5_principal));
ads_status = cli_session_setup_spnego(*cli,
machine_krb5_principal,
machine_password,
lp_workgroup());
if (!ADS_ERR_OK(ads_status))
DEBUG(4,("failed kerberos session setup with %s\n",
ads_errstr(ads_status)));
result = ads_ntstatus(ads_status);
}
if (NT_STATUS_IS_OK(result))
goto session_setup_done;
/* Fall back to non-kerberos session setup */
(*cli)->use_kerberos = False;
if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
(strlen(ipc_username) > 0)) {
/* Only try authenticated if we have a username */
DEBUG(5, ("connecting to %s from %s with username "
"[%s]\\[%s]\n", controller, global_myname(),
ipc_domain, ipc_username));
if (cli_session_setup(*cli, ipc_username,
ipc_password, strlen(ipc_password)+1,
ipc_password, strlen(ipc_password)+1,
ipc_domain)) {
DEBUG(5, ("authenticated session setup failed\n"));
goto session_setup_done;
}
}
/* Fall back to anonymous connection, this might fail later */
if (cli_session_setup(*cli, "", NULL, 0, NULL, 0, "")) {
DEBUG(5, ("Connected anonymously\n"));
goto session_setup_done;
}
result = cli_nt_error(*cli);
if (NT_STATUS_IS_OK(result))
result = NT_STATUS_UNSUCCESSFUL;
/* We can't session setup */
goto done;
session_setup_done:
if (!cli_send_tconX(*cli, "IPC$", "IPC", "", 0)) {
result = cli_nt_error(*cli);
DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
if (NT_STATUS_IS_OK(result))
result = NT_STATUS_UNSUCCESSFUL;
cli_shutdown(*cli);
goto done;
}
secrets_named_mutex_release(controller);
got_mutex = False;
*retry = False;
/* Windows 2003 SP1 does not lie LsaOpenPolicy() over schannel.
Returns RPC_NT_CANNOT_SUPPPORT (0xc0020041) for that call.
So just drop it on the lsarpc pipe */
if ( (domain->primary || IS_DC) && (pipe_index!=PI_LSARPC) ) {
NTSTATUS status = setup_schannel( *cli, domain->name );
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3,("schannel refused - continuing without "
"schannel (%s)\n", nt_errstr(status)));
}
}
/* set the domain if empty; needed for schannel connections */
if ( !*(*cli)->domain )
fstrcpy( (*cli)->domain, domain->name );
if ( !cli_nt_session_open (*cli, pipe_index) ) {
result = NT_STATUS_PIPE_NOT_AVAILABLE;
/* This might be a NT4 DC */
if ( is_win2k_pipe(pipe_index) )
add_failed_connection = False;
cli_shutdown(*cli);
goto done;
}
result = NT_STATUS_OK;
add_failed_connection = False;
done:
if (got_mutex)
secrets_named_mutex_release(controller);
SAFE_FREE(machine_password);
SAFE_FREE(machine_krb5_principal);
SAFE_FREE(ipc_username);
SAFE_FREE(ipc_domain);
SAFE_FREE(ipc_password);
if (add_failed_connection)
add_failed_connection_entry(domain->name, controller, result);
return result;
}
