[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Tue Oct 1 11:02:02 UTC 2024
The branch, master has been updated
via 2c91e81ce6d s3:winbindd: let store_current_dc_in_gencache() take the dcaddr directly
via d9183ccc89d s3:winbindd: dcip_check_name() only takes pss as const input value
via b375f7dca96 s3:winbindd: set_dc_type_and_flags() doesn't need to do something for primary or internal domains
via b9207b32fc0 s3:winbindd: let add_trusted_domain() mark domains as initialized when loaded from config
via a15f67a00ee s3:winbindd: remove unused line in add_trusted_domain()
via 749c515bab5 s3:winbindd: it's 2024 and all AD domains should be native now
via f2fd8602515 s3:winbindd: let cm_connect_lsa() require schannel also for direct trusts
via ba24faaf913 s3:winbindd: let connect_preferred_dc() pass the dcname to smbsock_connect()
via 56fc50b0aa9 s3:libsmb: ads_dc_name() doesn't need to retry if we found a DC in the closest site
from 25a6e1c8e75 libsmb: use more precise error status
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2c91e81ce6df33b6aa8fa843447fc71183e71367
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 27 13:31:13 2024 +0200
s3:winbindd: let store_current_dc_in_gencache() take the dcaddr directly
We could avoid relying on smbXcli_conn_remote_sockaddr() as much as
possible, because we aim to remove domain->conn.cli some day...
Also note that find_dc() always filled domain->dcaddr already
when cm_open_connection() calls store_current_dc_in_gencache().
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Oct 1 11:01:35 UTC 2024 on atb-devel-224
commit d9183ccc89d0b2d7b9e42d400138df186ea39364
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 27 13:29:31 2024 +0200
s3:winbindd: dcip_check_name() only takes pss as const input value
This makes things easier to understand, because the callers
pass in &domain->dcaddr, which could also be used as an output value.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b375f7dca96becb5369c1536c4e5586570c81e38
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 19:33:09 2024 +0200
s3:winbindd: set_dc_type_and_flags() doesn't need to do something for primary or internal domains
In the end set_dc_type_and_flags should be removed completely, but
this is a good start in the right direction...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b9207b32fc04c2a2dcf39130302c5a902e4b9ff3
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 19:31:01 2024 +0200
s3:winbindd: let add_trusted_domain() mark domains as initialized when loaded from config
We at least pass SEC_CHAN_LOCAL for internal domains,
only learned domains use SEC_CHAN_NULL.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a15f67a00ee4a8a9efce1e01e50540b8e7d6194c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 19:29:53 2024 +0200
s3:winbindd: remove unused line in add_trusted_domain()
Review with: git show -U8
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 749c515bab5e9c3dd1c615bdeb28c8ef5afd6aca
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 19:04:41 2024 +0200
s3:winbindd: it's 2024 and all AD domains should be native now
No need to use dssetup_DsRoleGetPrimaryDomainInformation that
only adds latency...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f2fd86025152ea3d96fffdec4945b324139bea4b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 27 12:21:53 2024 +0200
s3:winbindd: let cm_connect_lsa() require schannel also for direct trusts
This means as domain member we require it also for our primary domain.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ba24faaf913cf21751485b9291d75f1ddf5519f7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 27 10:50:55 2024 +0200
s3:winbindd: let connect_preferred_dc() pass the dcname to smbsock_connect()
This is not critical, but avoids using the IP address with
fallback to '*SMBSERVER' for connections to port 139.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 56fc50b0aa91cccbb356ab82c695e8dfa9788f9f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Sep 26 19:14:40 2024 +0200
s3:libsmb: ads_dc_name() doesn't need to retry if we found a DC in the closest site
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/libsmb/namequery_dc.c | 7 +-
source3/winbindd/winbindd.h | 1 -
source3/winbindd/winbindd_cm.c | 126 ++++++++------------------------
source3/winbindd/winbindd_domain_info.c | 2 +-
source3/winbindd/winbindd_dual.c | 2 -
source3/winbindd/winbindd_dual_srv.c | 4 +-
source3/winbindd/winbindd_ndr.c | 1 -
source3/winbindd/winbindd_util.c | 10 ++-
8 files changed, 49 insertions(+), 104 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
index c61d14e25e1..3a2f22129b8 100644
--- a/source3/libsmb/namequery_dc.c
+++ b/source3/libsmb/namequery_dc.c
@@ -60,7 +60,7 @@ static bool ads_dc_name(const char *domain,
TALLOC_CTX *tmp_ctx = talloc_stackframe();
bool ok = false;
ADS_STRUCT *ads;
- char *sitename;
+ const char *sitename;
int i;
char addr[INET6_ADDRSTRLEN];
@@ -94,6 +94,11 @@ static bool ads_dc_name(const char *domain,
has changed. If so, we need to re-do the DNS query
to ensure we only find servers in our site. */
+#ifdef HAVE_ADS
+ if (ads_closest_dc(ads)) {
+ sitename = ads->config.client_site_name;
+ } else
+#endif
if (stored_sitename_changed(realm, sitename)) {
sitename = sitename_fetch(tmp_ctx, realm);
TALLOC_FREE(ads);
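Review bot: the `} else` followed by `#endif` and a bare `if` on the next line makes the control flow depend on preprocessor state in a way that is easy to misread: with HAVE_ADS undefined the `if (stored_sitename_changed(realm, sitename))` stands alone, with it defined it silently becomes the else branch of `ads_closest_dc(ads)`. A local such as `bool closest = false;` assigned under `#ifdef HAVE_ADS`, followed by a plain `if (closest) { ... } else if (stored_sitename_changed(...))`, keeps both builds reading the same. Also worth a comment at `sitename = ads->config.client_site_name;` that the pointer now aliases memory owned by `ads`, since the other branch calls `TALLOC_FREE(ads)` right after reassigning `sitename`.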
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index 53430a694bb..24139b46ce9 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -130,7 +130,6 @@ struct winbindd_domain {
uint32_t domain_trust_attribs; /* Trust attribs from netlogon.h */
struct winbindd_domain *routing_domain;
bool initialized; /* Did we already ask for the domain mode? */
- bool native_mode; /* is this a win2k domain in native mode ? */
bool active_directory; /* is this a win2k active directory ? */
bool primary; /* is this our primary domain ? */
bool internal; /* BUILTIN and member SAM */
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 4eaf2ccd9cc..ef7b70f400f 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1201,7 +1201,7 @@ out:
static bool dcip_check_name(TALLOC_CTX *mem_ctx,
const struct winbindd_domain *domain,
- struct sockaddr_storage *pss,
+ const struct sockaddr_storage *pss,
char **name, uint32_t request_flags)
{
struct samba_sockaddr sa = {0};
@@ -1499,7 +1499,7 @@ static bool connect_preferred_dc(TALLOC_CTX *mem_ctx,
}
status = smbsock_connect(&domain->dcaddr, 0,
- NULL, -1, NULL, -1,
+ domain->dcname, -1, NULL, -1,
fd, NULL, 10);
if (!NT_STATUS_IS_OK(status)) {
winbind_add_failed_connection_entry(domain,
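Review bot: `smbsock_connect()` now receives `domain->dcname` where it previously got `NULL`; if `dcname` can be an empty string rather than `NULL` at this point (the hunk does not show where it is filled), the NetBIOS called name for the port-139 fallback would be `""` instead of the `*SMBSERVER` default the commit message mentions. Worth confirming the caller guarantees a non-empty `dcname` whenever `dcaddr` is set, or passing `NULL` when it is empty.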
@@ -1661,18 +1661,13 @@ static char *current_dc_key(TALLOC_CTX *mem_ctx, const char *domain_name)
static void store_current_dc_in_gencache(const char *domain_name,
const char *dc_name,
- struct cli_state *cli)
+ const struct sockaddr_storage *dc_addr)
{
char addr[INET6_ADDRSTRLEN];
char *key = NULL;
char *value = NULL;
- if (!cli_state_is_connected(cli)) {
- return;
- }
-
- print_sockaddr(addr, sizeof(addr),
- smbXcli_conn_remote_sockaddr(cli->conn));
+ print_sockaddr(addr, sizeof(addr), dc_addr);
key = current_dc_key(talloc_tos(), domain_name);
if (key == NULL) {
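Review bot: dropping the `cli_state_is_connected(cli)` early return changes when the gencache entry is written: the function no longer refuses to record a DC whose connection is not up, so correctness now rests entirely on the caller invoking it only after a successful connect. Documenting that precondition in a comment above the function, and guarding `print_sockaddr()` against a `NULL` `dc_addr`, would make the new contract explicit.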
@@ -1836,8 +1831,9 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
* once we start to connect to multiple DCs, wbcDcInfo is
* already prepared for that.
*/
- store_current_dc_in_gencache(domain->name, domain->dcname,
- new_conn->cli);
+ store_current_dc_in_gencache(domain->name,
+ domain->dcname,
+ &domain->dcaddr);
seal_pipes = lp_winbind_sealed_pipes();
seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
@@ -2157,16 +2153,6 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
if ( domain->domain_type == LSA_TRUST_TYPE_UPLEVEL )
domain->active_directory = True;
- /* This flag is only set if the domain is *our*
- primary domain and the primary domain is in
- native mode */
-
- domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
-
- DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
- "native mode.\n", domain->name,
- domain->native_mode ? "" : "NOT "));
-
DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
"running active directory.\n", domain->name,
domain->active_directory ? "" : "NOT "));
@@ -2196,11 +2182,9 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
{
NTSTATUS status, result;
NTSTATUS close_status = NT_STATUS_UNSUCCESSFUL;
- WERROR werr;
TALLOC_CTX *mem_ctx = NULL;
struct rpc_pipe_client *cli = NULL;
struct policy_handle pol = { .handle_type = 0 };
- union dssetup_DsRoleInfo info;
union lsa_PolicyInformation *lsa_info = NULL;
union lsa_revision_info out_revision_info = {
.info1 = {
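Review bot: with `werr` and `info` gone, check that `result` (still declared on the `NTSTATUS status, result;` line) is referenced elsewhere in the function; the only use visible in this patch was the removed `result = werror_to_ntstatus(werr);`, and an unused variable will trip warnings-as-errors builds.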
@@ -2222,63 +2206,6 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
- if (domain->internal) {
- status = wb_open_internal_pipe(mem_ctx,
- &ndr_table_dssetup,
- &cli);
- } else {
- status = cli_rpc_pipe_open_noauth(domain->conn.cli,
- &ndr_table_dssetup,
- &cli);
- }
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
- "PI_DSSETUP on domain %s: (%s)\n",
- domain->name, nt_errstr(status)));
-
- /* if this is just a non-AD domain we need to continue
- * identifying so that we can in the end return with
- * domain->initialized = True - gd */
-
- goto no_dssetup;
- }
-
- status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx,
- DS_ROLE_BASIC_INFORMATION,
- &info,
- &werr);
- TALLOC_FREE(cli);
-
- if (NT_STATUS_IS_OK(status)) {
- result = werror_to_ntstatus(werr);
- }
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
- "on domain %s failed: (%s)\n",
- domain->name, nt_errstr(status)));
-
- /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
- * every opcode on the DSSETUP pipe, continue with
- * no_dssetup mode here as well to get domain->initialized
- * set - gd */
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
- goto no_dssetup;
- }
-
- TALLOC_FREE(mem_ctx);
- return;
- }
-
- if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
- !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
- domain->native_mode = True;
- } else {
- domain->native_mode = False;
- }
-
-no_dssetup:
if (domain->internal) {
status = wb_open_internal_pipe(mem_ctx,
&ndr_table_lsarpc,
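Review bot: this removes the only path that derived `native_mode` from `DS_ROLE_PRIMARY_DS_MIXED_MODE`, so a DC still in mixed mode is now treated as native; the commit message says this is intended, but it is a behaviour change that deserves a line in the release notes. Also confirm that no `goto no_dssetup;` remains in the function now that the label is gone, and that nothing later in the function relied on `cli` being reset by the removed `TALLOC_FREE(cli)` before the lsarpc pipe is opened.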
@@ -2477,9 +2404,6 @@ done:
&close_status);
}
- DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
- domain->name, domain->native_mode ? "" : "NOT "));
-
DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
domain->name, domain->active_directory ? "" : "NOT "));
@@ -2508,11 +2432,18 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
}
/* we always have to contact our primary domain */
-
- if ( domain->primary || domain->internal) {
- DEBUG(10,("set_dc_type_and_flags: setting up flags for "
- "primary or internal domain\n"));
- set_dc_type_and_flags_connect( domain );
+ if (domain->primary || domain->internal) {
+ /*
+ * primary and internal domains are
+ * are already completely
+ * setup via init_domain_list()
+ * calling add_trusted_domain()
+ *
+ * There's no need to ask the
+ * server again, if it hosts an AD
+ * domain...
+ */
+ domain->initialized = true;
return;
}
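Review bot: the surviving comment `/* we always have to contact our primary domain */` directly above the new block now says the opposite of what the code does (it returns without contacting anything), so it should be removed or rewritten. The new comment also doubles a word: `are` / `are already`. Since `initialized = true` is set here without any network call, the `active_directory` and related flags for primary and internal domains must be fully determined at `add_trusted_domain()` time, which the winbindd_util.c change in this push is meant to guarantee; a pointer to that in the comment would help the next reader.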
@@ -2927,6 +2858,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
const struct sockaddr_storage *remote_sockaddr = NULL;
bool sealed_pipes = true;
bool strong_key = true;
+ bool require_schannel = false;
retry:
result = init_dc_connection_rpc(domain, false);
@@ -2941,10 +2873,14 @@ retry:
TALLOC_FREE(conn->lsa_pipe);
- if (IS_DC) {
+ if (IS_DC ||
+ domain->secure_channel_type != SEC_CHAN_NULL)
+ {
/*
- * Make sure we only use schannel as AD DC.
+ * Make sure we only use schannel as DC
+ * or with a direct trust
*/
+ require_schannel = true;
goto schannel;
}
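Review bot: the new gate `domain->secure_channel_type != SEC_CHAN_NULL` makes the schannel requirement depend on that field being set for every config-loaded domain; the winbindd_util.c hunk in this same push deletes an assignment `domain->secure_channel_type = secure_channel_type;` in `add_trusted_domain()`, so please double-check that the remaining assignment (outside the shown context) runs before any `cm_connect_lsa()` call. Minor: `require_schannel` is declared above the `retry:` label, so it keeps its value across a retry; that is harmless because the condition is deterministic, but assigning it in both branches of the `if` would make that obvious.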
@@ -3071,9 +3007,10 @@ retry:
goto done;
}
- if (IS_DC) {
+ if (require_schannel) {
/*
- * Make sure we only use schannel as AD DC.
+ * Make sure we only use schannel as DC
+ * or with a direct trust
*/
goto done;
}
@@ -3085,9 +3022,10 @@ retry:
anonymous:
- if (IS_DC) {
+ if (require_schannel) {
/*
- * Make sure we only use schannel as AD DC.
+ * Make sure we only use schannel as DC
+ * or with a direct trust
*/
goto done;
}
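Review bot: this is the security-relevant part of the change: the `anonymous:` fallback is now also refused for direct trusts, so an LSA connection to a trusted-domain DC can no longer degrade to an unauthenticated pipe. The commit message only mentions the primary domain; stating that anonymous LSA connections to direct-trust DCs are no longer attempted would help anyone bisecting a trust that stops working because schannel cannot be established. The same three-line comment is now repeated at three sites; one comment at the `require_schannel` declaration would do.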
diff --git a/source3/winbindd/winbindd_domain_info.c b/source3/winbindd/winbindd_domain_info.c
index c4364d99ad3..5b3c46a9de5 100644
--- a/source3/winbindd/winbindd_domain_info.c
+++ b/source3/winbindd/winbindd_domain_info.c
@@ -133,7 +133,7 @@ NTSTATUS winbindd_domain_info_recv(struct tevent_req *req,
fstrcpy(response->data.domain_info.alt_name, domain->alt_name);
sid_to_fstring(response->data.domain_info.sid, &domain->sid);
- response->data.domain_info.native_mode = domain->native_mode;
+ response->data.domain_info.native_mode = domain->active_directory;
response->data.domain_info.active_directory = domain->active_directory;
response->data.domain_info.primary = domain->primary;
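Review bot: `native_mode` in the response is kept for wire compatibility but now mirrors `active_directory` rather than the result of a DS-role probe; a comment on this line saying so, and a note in the client-facing description of `domain_info`, would stop consumers from reading the two fields as independent.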
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index d4e1995f928..7582c0606e4 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -701,8 +701,6 @@ static void wb_domain_request_initialized(struct tevent_req *subreq)
}
}
- state->domain->native_mode =
- (*state->r.out.flags & WB_DOMINFO_DOMAIN_NATIVE);
state->domain->active_directory =
(*state->r.out.flags & WB_DOMINFO_DOMAIN_AD);
state->domain->initialized = true;
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index 0c7e9dd5491..2572588f6d1 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -91,11 +91,9 @@ NTSTATUS _wbint_InitConnection(struct pipes_struct *p,
}
*r->out.flags = 0;
- if (domain->native_mode) {
- *r->out.flags |= WB_DOMINFO_DOMAIN_NATIVE;
- }
if (domain->active_directory) {
*r->out.flags |= WB_DOMINFO_DOMAIN_AD;
+ *r->out.flags |= WB_DOMINFO_DOMAIN_NATIVE;
}
if (domain->primary) {
*r->out.flags |= WB_DOMINFO_DOMAIN_PRIMARY;
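Review bot: `WB_DOMINFO_DOMAIN_NATIVE` is still set here, but the winbindd_dual.c hunk in this push removes the only consumer shown; either mark the flag as retained for wire compatibility in a comment, or drop it from the IDL in a follow-up so the two sides do not drift.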
diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c
index a52a704c024..058bf08ce8b 100644
--- a/source3/winbindd/winbindd_ndr.c
+++ b/source3/winbindd/winbindd_ndr.c
@@ -134,7 +134,6 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr,
ndr_print_lsa_TrustType(ndr, "domain_type", r->domain_type);
ndr_print_lsa_TrustAttributes(ndr, "domain_trust_attribs", r->domain_trust_attribs);
ndr_print_bool(ndr, "initialized", r->initialized);
- ndr_print_bool(ndr, "native_mode", r->native_mode);
ndr_print_bool(ndr, "active_directory", r->active_directory);
ndr_print_bool(ndr, "primary", r->primary);
ndr_print_bool(ndr, "internal", r->internal);
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 2234efeed54..681d4194127 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -253,7 +253,6 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
domain->domain_flags = trust_flags;
domain->domain_type = trust_type;
domain->domain_trust_attribs = trust_attribs;
- domain->secure_channel_type = secure_channel_type;
domain->routing_domain = routing_domain;
sid_copy(&domain->sid, sid);
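Review bot: the commit message says this assignment is a duplicate (`git show -U8`), but the surviving assignment lies outside the three lines of context shown, so a reader of this mail cannot verify that; given that `cm_connect_lsa()` now keys its schannel requirement on `domain->secure_channel_type`, including the earlier assignment in the context would make the hunk self-evidently safe.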
@@ -279,6 +278,15 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
domain->can_do_ncacn_ip_tcp = domain->active_directory;
+ if (secure_channel_type != SEC_CHAN_NULL) {
+ /*
+ * If we loaded the domain from
+ * our config it is initialized
+ * completely.
+ */
+ domain->initialized = true;
+ }
+
/* Link to domain list */
DLIST_ADD_END(_domain_list, domain);
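Review bot: the condition tests the `secure_channel_type` parameter rather than the struct field, which is fine, but it means `initialized = true` is set before the domain is on the list and before any DC has been contacted; everything that used to be learned from a DC conversation (`active_directory`, and hence `can_do_ncacn_ip_tcp` on the line just above the hunk) must therefore be fully known from the config for every domain that arrives here with a non-`SEC_CHAN_NULL` channel type. A brief comment stating which inputs are treated as authoritative would document that assumption.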
--
Samba Shared Repository