[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-626-g6a8ef6c

Günther Deschner gd at samba.org
Tue Sep 22 08:52:21 MDT 2009


The branch, master has been updated
       via  6a8ef6c424c52be861ed2a9806f917a64ec892a6 (commit)
       via  58f2deb94024f002e3c3df47f45454edc97f47e1 (commit)
      from  455d44d9618afdc1d1f4198ae9f64ccc56dee62f (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6a8ef6c424c52be861ed2a9806f917a64ec892a6
Author: Günther Deschner <gd at samba.org>
Date:   Thu Sep 17 09:43:36 2009 +0200

    s3-winbindd: Fix Bug #6711: trusts to windows 2008 (2008 r2) not working.
    
    Winbindd should always try to use LSA via a schannel-authenticated ncacn_ip_tcp
    connection when talking to AD for LSA lookup calls.
    
    In Samba <-> W2k8 interdomain trust scenarios, LookupSids3 and LookupNames4 via a
    schannel ncacn_ip_tcp LSA connection are the *only* options to successfully resolve
    sids and names.
    
    Guenther

commit 58f2deb94024f002e3c3df47f45454edc97f47e1
Author: Günther Deschner <gd at samba.org>
Date:   Sat Sep 12 23:30:39 2009 +0200

    s3-winbindd: add cm_connect_lsa_tcp().
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd.h       |    3 ++
 source3/winbindd/winbindd_cm.c    |   61 +++++++++++++++++++++++++++++++++++
 source3/winbindd/winbindd_proto.h |    3 ++
 source3/winbindd/winbindd_rpc.c   |   64 ++++++++++++++++++++++++++++++++++---
 4 files changed, 126 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index b61017e..2e7d09f 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -115,6 +115,7 @@ struct winbindd_cm_conn {
 	struct policy_handle sam_connect_handle, sam_domain_handle;
 
 	struct rpc_pipe_client *lsa_pipe;
+	struct rpc_pipe_client *lsa_pipe_tcp;
 	struct policy_handle lsa_policy;
 
 	struct rpc_pipe_client *netlogon_pipe;
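Review bot: The new `lsa_pipe_tcp` member sits next to `lsa_pipe` with nothing saying how the two differ, and the `can_do_ncacn_ip_tcp` flag added in the `winbindd_domain` hunk below is likewise uncommented although its neighbours carry comments. Suggest `/* LSA over a schannel-authenticated ncacn_ip_tcp connection; NULL until cm_connect_lsa_tcp() succeeds */` on this line, and on the flag `/* Derived from active_directory when the DC type is probed; cleared by the lookup code on the first failed ncacn_ip_tcp LSA connect */`. Both structs continue outside these hunks.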
@@ -177,6 +178,8 @@ struct winbindd_domain {
 				  * to False. This variable is around so that
 				  * we don't have to try _ex every time. */
 
+	bool can_do_ncacn_ip_tcp;
+
 	/* Lookup methods for this domain (LDAP or RPC) */
 	struct winbindd_methods *methods;
 
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 450bb1b..d03a580 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1561,6 +1561,14 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
 		}
 	}
 
+	if (conn->lsa_pipe_tcp != NULL) {
+		TALLOC_FREE(conn->lsa_pipe_tcp);
+		/* Ok, it must be dead. Drop timeout to 0.5 sec. */
+		if (conn->cli) {
+			cli_set_timeout(conn->cli, 500);
+		}
+	}
+
 	if (conn->netlogon_pipe != NULL) {
 		TALLOC_FREE(conn->netlogon_pipe);
 		/* Ok, it must be dead. Drop timeout to 0.5 sec. */
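Review bot: Dropping the timeout on `conn->cli` to 500 ms when `lsa_pipe_tcp` is torn down looks copied from the `netlogon_pipe` branch that follows, but the "it must be dead" inference presumably only holds for pipes carried over the connection in `conn->cli`, whereas `lsa_pipe_tcp` is opened with transport `NCACN_IP_TCP` in `cm_connect_lsa_tcp()` and so has its own socket. If that reading is right, a dead TCP LSA pipe says nothing about the state of `conn->cli` and the `cli_set_timeout()` call here can be dropped, leaving just `TALLOC_FREE(conn->lsa_pipe_tcp);`. If it is kept deliberately, the copied comment should say why the SMB-side timeout is affected. `invalidate_cm_connection()` starts before this hunk.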
@@ -1935,6 +1943,8 @@ done:
 	DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
 		  domain->name, domain->active_directory ? "" : "NOT "));
 
+	domain->can_do_ncacn_ip_tcp = domain->active_directory;
+
 	TALLOC_FREE(cli);
 
 	TALLOC_FREE(mem_ctx);
@@ -2167,6 +2177,57 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	return result;
 }
 
+/**********************************************************************
+ open an schanneld ncacn_ip_tcp connection to LSA
+***********************************************************************/
+
+NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
+			    TALLOC_CTX *mem_ctx,
+			    struct rpc_pipe_client **cli)
+{
+	struct winbindd_cm_conn *conn;
+	NTSTATUS status;
+
+	DEBUG(10,("cm_connect_lsa_tcp\n"));
+
+	status = init_dc_connection(domain);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
+	conn = &domain->conn;
+
+	if (conn->lsa_pipe_tcp &&
+	    conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
+	    conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+		goto done;
+	}
+
+	TALLOC_FREE(conn->lsa_pipe_tcp);
+
+	status = cli_rpc_pipe_open_schannel(conn->cli,
+					    &ndr_table_lsarpc.syntax_id,
+					    NCACN_IP_TCP,
+					    DCERPC_AUTH_LEVEL_PRIVACY,
+					    domain->name,
+					    &conn->lsa_pipe_tcp);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n",
+			nt_errstr(status)));
+		goto done;
+	}
+
+ done:
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(conn->lsa_pipe_tcp);
+		return status;
+	}
+
+	*cli = conn->lsa_pipe_tcp;
+
+	return status;
+}
+
 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 			struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
 {
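Review bot: `conn` is read before it is assigned on the first error path of `cm_connect_lsa_tcp()`: when `init_dc_connection()` fails, the `goto done` reaches `TALLOC_FREE(conn->lsa_pipe_tcp)` while `conn` is still the uninitialized local declared at the top, which is undefined behaviour and in practice a winbindd crash on any DC connection failure. Initialize it at the declaration, `struct winbindd_cm_conn *conn = &domain->conn;`, and drop the later `conn = &domain->conn;`. Two smaller points in the same function: `mem_ctx` is never used, and "schanneld" in the header comment reads as a typo for "schannel". The hunk also shows the opening of `cm_connect_lsa()`, whose body lies outside it.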
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 427579f..49034d7 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -247,6 +247,9 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 			struct rpc_pipe_client **cli, struct policy_handle *sam_handle);
 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 			struct rpc_pipe_client **cli, struct policy_handle *lsa_policy);
+NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
+			    TALLOC_CTX *mem_ctx,
+			    struct rpc_pipe_client **cli);
 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 			     struct rpc_pipe_client **cli);
 
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index 70eeae6..82e782b 100644
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -1178,6 +1178,15 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
 	return result;
 }
 
+typedef NTSTATUS (*lookup_sids_fn_t)(struct rpc_pipe_client *cli,
+				     TALLOC_CTX *mem_ctx,
+				     struct policy_handle *pol,
+				     int num_sids,
+				     const DOM_SID *sids,
+				     char ***pdomains,
+				     char ***pnames,
+				     enum lsa_SidType **ptypes);
+
 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
 			      struct winbindd_domain *domain,
 			      uint32_t num_sids,
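Review bot: `lookup_sids_fn_t` carries no comment explaining why a function-pointer type is introduced; from the typedef alone a reader cannot tell it exists so that `winbindd_lookup_sids()` can choose `rpccli_lsa_lookup_sids3()` over `rpccli_lsa_lookup_sids()` at runtime. Suggest `/* Common shape of rpccli_lsa_lookup_sids() and rpccli_lsa_lookup_sids3(), selected per call depending on the transport in use. */` above it, and the equivalent above `lookup_names_fn_t` in the later hunk. Note also that the typedef declares `num_sids` as `int` while the caller's parameter is `uint32_t`, a pre-existing narrowing the indirection now makes explicit and worth a short comment. `winbindd_lookup_sids()`'s signature continues outside the hunk.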
@@ -1190,12 +1199,23 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
 	struct rpc_pipe_client *cli = NULL;
 	struct policy_handle lsa_policy;
 	unsigned int orig_timeout;
+	lookup_sids_fn_t lookup_sids_fn = rpccli_lsa_lookup_sids;
 
+	if (domain->can_do_ncacn_ip_tcp) {
+		status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
+		if (NT_STATUS_IS_OK(status)) {
+			lookup_sids_fn = rpccli_lsa_lookup_sids3;
+			goto lookup;
+		}
+		domain->can_do_ncacn_ip_tcp = false;
+	}
 	status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
+
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
+ lookup:
 	/*
 	 * This call can take a long time
 	 * allow the server to time out.
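Review bot: A single failed `cm_connect_lsa_tcp()` clears `domain->can_do_ncacn_ip_tcp` with no log line, so a transient error demotes the domain to the `cm_connect_lsa()` path for as long as the flag stays false, and nothing in the logs shows that the lookups are no longer going over the schannel privacy-level TCP connection the commit message says is required for W2k8 trusts. Suggest a `DEBUG(3, ("cm_connect_lsa_tcp failed: %s, falling back to named pipe LSA\n", nt_errstr(status)));` before `domain->can_do_ncacn_ip_tcp = false;`, and a comment there saying when, if ever, the flag is re-enabled. The same applies to the matching block in `winbindd_lookup_names()`. `winbindd_lookup_sids()` starts before this hunk.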
@@ -1203,9 +1223,14 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
 	 */
 	orig_timeout = rpccli_set_timeout(cli, 35000);
 
-	status = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
-					num_sids, sids, domains,
-					names, types);
+	status = lookup_sids_fn(cli,
+				mem_ctx,
+				&lsa_policy,
+				num_sids,
+				sids,
+				domains,
+				names,
+				types);
 
 	/* And restore our original timeout. */
 	rpccli_set_timeout(cli, orig_timeout);
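Review bot: On the ncacn_ip_tcp path the `goto lookup` in the previous hunk bypasses `cm_connect_lsa()`, so `lsa_policy` is never opened, yet `&lsa_policy` is still handed to `lookup_sids_fn` here; this is only safe if `rpccli_lsa_lookup_sids3()` never dereferences its `pol` argument, which is presumably true for LookupSids3 but is stated nowhere. Zero-initialize the handle at its declaration, `struct policy_handle lsa_policy = {0};`, and add `/* lsa_policy is unused by the LookupSids3 path; it is only opened on the named-pipe path */` at the `lookup:` label so the next maintainer does not add a close on it. The same pattern is in `winbindd_lookup_names()`, where `&lsa_policy` is passed to `lookup_names_fn`. The enclosing function starts and ends outside this hunk.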
@@ -1217,6 +1242,16 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
 	return status;
 }
 
+typedef NTSTATUS (*lookup_names_fn_t)(struct rpc_pipe_client *cli,
+				      TALLOC_CTX *mem_ctx,
+				      struct policy_handle *pol,
+				      int num_names,
+				      const char **names,
+				      const char ***dom_names,
+				      int level,
+				      struct dom_sid **sids,
+				      enum lsa_SidType **types);
+
 NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
 			       struct winbindd_domain *domain,
 			       uint32_t num_names,
@@ -1229,12 +1264,24 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
 	struct rpc_pipe_client *cli = NULL;
 	struct policy_handle lsa_policy;
 	unsigned int orig_timeout;
+	lookup_names_fn_t lookup_names_fn = rpccli_lsa_lookup_names;
 
+	if (domain->can_do_ncacn_ip_tcp) {
+		status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
+		if (NT_STATUS_IS_OK(status)) {
+			lookup_names_fn = rpccli_lsa_lookup_names4;
+			goto lookup;
+		}
+		domain->can_do_ncacn_ip_tcp = false;
+	}
 	status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
+
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
+ lookup:
+
 	/*
 	 * This call can take a long time
 	 * allow the server to time out.
@@ -1242,8 +1289,15 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
 	 */
 	orig_timeout = rpccli_set_timeout(cli, 35000);
 
-	status = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, num_names,
-					 names, domains, 1, sids, types);
+	status = lookup_names_fn(cli,
+				 mem_ctx,
+				 &lsa_policy,
+				 num_names,
+				 (const char **) names,
+				 domains,
+				 1,
+				 sids,
+				 types);
 
 	/* And restore our original timeout. */
 	rpccli_set_timeout(cli, orig_timeout);

