From 2de6809325112b5f705b10371530489f8d3cd46e Mon Sep 17 00:00:00 2001 From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 4 Nov 2008 18:40:24 +0100 Subject: [PATCH 01/12] s3-rpc_client: add cli_rpc_pipe_open_noauth_transport. Guenther (cherry picked from commit 87f61a144b8d25c90b847940ca03ced1f77b036c) --- source/include/proto.h | 4 ++++ source/rpc_client/cli_pipe.c | 40 ++++++++++++++++++++++++++-------------- 2 files changed, 30 insertions(+), 14 deletions(-) diff --git a/source/include/proto.h b/source/include/proto.h index ec8637b..42fb7aa 100644 --- a/source/include/proto.h +++ b/source/include/proto.h @@ -6988,6 +6988,10 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path, NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, const struct ndr_syntax_id *interface, struct rpc_pipe_client **presult); +NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, + enum dcerpc_transport_t transport, + const struct ndr_syntax_id *interface, + struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, const struct ndr_syntax_id *interface, enum pipe_auth_level auth_level, diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c index 2e2767b..507ada3 100644 --- a/source/rpc_client/cli_pipe.c +++ b/source/rpc_client/cli_pipe.c 
@@ -2931,34 +2931,35 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli, ****************************************************************************/ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli, + enum dcerpc_transport_t transport, const struct ndr_syntax_id *interface, struct rpc_pipe_client **presult) { - if (ndr_syntax_id_equal(interface, &ndr_table_drsuapi.syntax_id)) { - /* - * We should have a better way to figure out this drsuapi - * speciality... - */ + switch (transport) { + case NCACN_IP_TCP: return rpc_pipe_open_tcp(NULL, cli->desthost, interface, presult); + case NCACN_NP: + return rpc_pipe_open_np(cli, interface, presult); + default: + return NT_STATUS_NOT_IMPLEMENTED; } - - return rpc_pipe_open_np(cli, interface, presult); } /**************************************************************************** Open a named pipe to an SMB server and bind anonymously. ****************************************************************************/ -NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, - const struct ndr_syntax_id *interface, - struct rpc_pipe_client **presult) +NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, + enum dcerpc_transport_t transport, + const struct ndr_syntax_id *interface, + struct rpc_pipe_client **presult) { struct rpc_pipe_client *result; struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, interface, &result); + status = cli_rpc_pipe_open(cli, transport, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } 
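Review bot: The banner kept above `cli_rpc_pipe_open_noauth_transport` still says "Open a named pipe to an SMB server and bind anonymously", which is no longer accurate once `transport` can be `NCACN_IP_TCP`. In that case `cli_rpc_pipe_open` calls `rpc_pipe_open_tcp(NULL, cli->desthost, ...)`, a connection that is not carried inside the SMB session held by `cli`, so any signing or authentication negotiated on that session presumably does not protect the anonymous bind. I would reword the banner to something like `Open an RPC pipe over the given transport and bind anonymously; with NCACN_IP_TCP the bind runs outside the SMB session.` and add a short comment on `cli_rpc_pipe_open` noting that unknown transports return `NT_STATUS_NOT_IMPLEMENTED`. The body of `cli_rpc_pipe_open_noauth_transport` continues outside the hunk.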
@@ -3015,6 +3016,17 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, } /**************************************************************************** + ****************************************************************************/ + +NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, + const struct ndr_syntax_id *interface, + struct rpc_pipe_client **presult) +{ + return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP, + interface, presult); +} + +/**************************************************************************** Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP ****************************************************************************/ @@ -3031,7 +3043,7 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli, struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, interface, &result); + status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -3210,7 +3222,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, interface, &result); + status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -3386,7 +3398,7 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli, struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, interface, &result); + status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } -- 1.6.2.5 From 9f6cdb60a48f99ae851a08c09e7db717a900e65b Mon Sep 17 00:00:00 2001 
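Review bot: With the drsuapi check removed from `cli_rpc_pipe_open`, the `NCACN_NP` hard-coded in the new `cli_rpc_pipe_open_noauth` wrapper and in the `cli_rpc_pipe_open_ntlmssp_internal`, `cli_rpc_pipe_open_schannel_with_key` and `cli_rpc_pipe_open_krb5` hunks means a drsuapi open through any of these now goes over the named pipe instead of TCP. Whether any caller depended on the old automatic selection cannot be seen from these hunks, so this should be confirmed or called out in the commit message. The banner added above the wrapper is empty; it could carry `Open a named pipe to an SMB server and bind anonymously (NCACN_NP only; use cli_rpc_pipe_open_noauth_transport for other transports).` The bodies of the three authenticated openers continue outside their hunks.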
From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Mon, 5 Oct 2009 17:41:06 +0200 Subject: [PATCH 02/12] s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_spnego_ntlmssp and cli_rpc_pipe_open_ntlmssp. Guenther --- source/include/proto.h | 2 ++ source/libsmb/passchange.c | 1 + source/rpc_client/cli_pipe.c | 10 ++++++++-- source/rpcclient/rpcclient.c | 2 ++ source/utils/net.h | 1 + source/utils/net_rpc.c | 2 ++ source/utils/net_rpc_samsync.c | 2 +- source/winbindd/winbindd_cm.c | 3 ++- 8 files changed, 19 insertions(+), 4 deletions(-) diff --git a/source/include/proto.h b/source/include/proto.h index 42fb7aa..b8a4eda 100644 --- a/source/include/proto.h +++ b/source/include/proto.h @@ -6994,6 +6994,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, @@ -7001,6 +7002,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, diff --git a/source/libsmb/passchange.c b/source/libsmb/passchange.c index 299d98d..e202d19 100644 --- a/source/libsmb/passchange.c +++ b/source/libsmb/passchange.c @@ -152,6 +152,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam if (!pass_must_change) { result = cli_rpc_pipe_open_ntlmssp(cli, &ndr_table_samr.syntax_id, + NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, "", /* what domain... ? */ user_name, diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c index 507ada3..04bb87f 100644 --- a/source/rpc_client/cli_pipe.c +++ b/source/rpc_client/cli_pipe.c 
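Review bot: `transport` lands directly before `auth_level` in `cli_rpc_pipe_open_ntlmssp` and `cli_rpc_pipe_open_spnego_ntlmssp`, and both are plain enums, so a call site that swaps the two arguments converts implicitly and may compile without a diagnostic, leaving the pipe at a different auth level than the caller intended. The position also differs from `cli_rpc_pipe_open_noauth_transport` in the previous patch, which takes `transport` before `interface`; that makes such a slip easier while converting the many call sites this patch touches (`remote_password_change` here, rpcclient, net and winbindd later in the patch). Using one position for `transport` across all openers would be safer; failing that, a comment above the prototypes such as `/* argument order: interface, transport, auth_level - the last two are both enums */` records the hazard.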
@@ -3032,6 +3032,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_type auth_type, enum pipe_auth_level auth_level, const char *domain, @@ -3043,7 +3044,7 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli, struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result); + status = cli_rpc_pipe_open(cli, transport, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -3085,6 +3086,7 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, @@ -3093,6 +3095,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, { return cli_rpc_pipe_open_ntlmssp_internal(cli, interface, + transport, PIPE_AUTH_TYPE_NTLMSSP, auth_level, domain, @@ -3108,6 +3111,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, @@ -3116,6 +3120,7 @@ NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli, { return cli_rpc_pipe_open_ntlmssp_internal(cli, interface, + transport, PIPE_AUTH_TYPE_SPNEGO_NTLMSSP, auth_level, domain, 
@@ -3282,7 +3287,8 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli, NTSTATUS status; status = cli_rpc_pipe_open_spnego_ntlmssp( - cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY, + cli, &ndr_table_netlogon.syntax_id, NCACN_NP, + PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, &netlogon_pipe); if (!NT_STATUS_IS_OK(status)) { return status; diff --git a/source/rpcclient/rpcclient.c b/source/rpcclient/rpcclient.c index 421c681..0db9a79 100644 --- a/source/rpcclient/rpcclient.c +++ b/source/rpcclient/rpcclient.c @@ -587,6 +587,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP: ntresult = cli_rpc_pipe_open_spnego_ntlmssp( cli, cmd_entry->interface, + NCACN_NP, pipe_default_auth_level, lp_workgroup(), get_cmdline_auth_info_username(), @@ -596,6 +597,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, case PIPE_AUTH_TYPE_NTLMSSP: ntresult = cli_rpc_pipe_open_ntlmssp( cli, cmd_entry->interface, + NCACN_NP, pipe_default_auth_level, lp_workgroup(), get_cmdline_auth_info_username(), diff --git a/source/utils/net.h b/source/utils/net.h index d88f962..86e8b1c 100644 --- a/source/utils/net.h +++ b/source/utils/net.h @@ -157,6 +157,7 @@ enum netdom_domain_t { ND_TYPE_NT4, ND_TYPE_AD }; #define NET_FLAGS_NO_PIPE 0x00000020 /* don't open an RPC pipe */ #define NET_FLAGS_SIGN 0x00000040 /* sign RPC connection */ #define NET_FLAGS_SEAL 0x00000080 /* seal RPC connection */ +#define NET_FLAGS_TCP 0x00000100 /* use ncacn_ip_tcp */ /* net share operation modes */ #define NET_MODE_SHARE_MIGRATE 1 diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c index 74a610e..220c825 100644 --- a/source/utils/net_rpc.c +++ b/source/utils/net_rpc.c 
@@ -169,6 +169,8 @@ int run_rpc_command(struct net_context *c, if (conn_flags & NET_FLAGS_SEAL) { nt_status = cli_rpc_pipe_open_ntlmssp( cli, interface, + (conn_flags & NET_FLAGS_TCP) ? + NCACN_IP_TCP : NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, lp_workgroup(), c->opt_user_name, c->opt_password, &pipe_hnd); diff --git a/source/utils/net_rpc_samsync.c b/source/utils/net_rpc_samsync.c index 6b23db7..e4013ce 100644 --- a/source/utils/net_rpc_samsync.c +++ b/source/utils/net_rpc_samsync.c @@ -502,7 +502,7 @@ int rpc_vampire_keytab(struct net_context *c, int argc, const char **argv) rpc_vampire_keytab_internals, argc, argv); } else { ret = run_rpc_command(c, cli, &ndr_table_drsuapi.syntax_id, - NET_FLAGS_SEAL, + NET_FLAGS_SEAL | NET_FLAGS_TCP, rpc_vampire_keytab_ds_internals, argc, argv); } diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c index 0c53112..8bbe861 100644 --- a/source/winbindd/winbindd_cm.c +++ b/source/winbindd/winbindd_cm.c @@ -2038,6 +2038,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, authenticated SAMR pipe with sign & seal. */ result = cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, &ndr_table_samr.syntax_id, + NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain_name, machine_account, @@ -2178,7 +2179,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, /* We have an authenticated connection. Use a NTLMSSP SPNEGO * authenticated LSA pipe with sign & seal. */ result = cli_rpc_pipe_open_spnego_ntlmssp - (conn->cli, &ndr_table_lsarpc.syntax_id, + (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, conn->cli->domain, conn->cli->user_name, conn_pwd, &conn->lsa_pipe); -- 1.6.2.5 From 66588e1319b3c04b166d868687d2fe71625ddcf6 Mon Sep 17 00:00:00 2001 
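Review bot: `NET_FLAGS_TCP` is only consulted inside the `conn_flags & NET_FLAGS_SEAL` branch of `run_rpc_command`, so a caller that sets it without `NET_FLAGS_SEAL` would, as far as these hunks show, be silently given a named pipe. `rpc_vampire_keytab` passes `NET_FLAGS_SEAL | NET_FLAGS_TCP` and is fine, but the flag's definition in net.h gives no hint of the dependency. I would change that line to `#define NET_FLAGS_TCP 0x00000100 /* use ncacn_ip_tcp; only honoured together with NET_FLAGS_SEAL */`, or have `run_rpc_command` reject the flag when it cannot honour it. The rest of `run_rpc_command` lies outside the hunk.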
From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 10 Sep 2009 22:23:21 +0200 Subject: [PATCH 03/12] s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_schannel(). Guenther (cherry picked from commit bea8e5fa6038d5abd2ec1e12f9005c4a04abb79f) --- source/auth/auth_domain.c | 2 +- source/include/proto.h | 3 +++ source/libnet/libnet_join.c | 3 ++- source/rpc_client/cli_pipe.c | 9 ++++++--- source/rpcclient/rpcclient.c | 1 + source/utils/net_rpc.c | 2 +- source/utils/net_rpc_join.c | 5 +++-- source/winbindd/winbindd_cm.c | 7 ++++--- 8 files changed, 21 insertions(+), 11 deletions(-) diff --git a/source/auth/auth_domain.c b/source/auth/auth_domain.c index f11dbe6..45150ab 100644 --- a/source/auth/auth_domain.c +++ b/source/auth/auth_domain.c @@ -175,7 +175,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, if (lp_client_schannel()) { /* We also setup the creds chain in the open_schannel call. */ result = cli_rpc_pipe_open_schannel( - *cli, &ndr_table_netlogon.syntax_id, + *cli, &ndr_table_netlogon.syntax_id, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe); } else { result = cli_rpc_pipe_open_noauth( diff --git a/source/include/proto.h b/source/include/proto.h index b8a4eda..312b130 100644 --- a/source/include/proto.h +++ b/source/include/proto.h @@ -7014,12 +7014,14 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli, struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const struct dcinfo *pdc, struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, 
@@ -7027,6 +7029,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli, struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, struct rpc_pipe_client **presult); diff --git a/source/libnet/libnet_join.c b/source/libnet/libnet_join.c index 9029d61..915c66b 100644 --- a/source/libnet/libnet_join.c +++ b/source/libnet/libnet_join.c @@ -1070,7 +1070,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name, } status = cli_rpc_pipe_open_schannel_with_key( - cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY, + cli, &ndr_table_netlogon.syntax_id, NCACN_NP, + PIPE_AUTH_LEVEL_PRIVACY, netbios_domain_name, netlogon_pipe->dc, &pipe_hnd); cli_shutdown(cli); diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c index 04bb87f..8049d06 100644 --- a/source/rpc_client/cli_pipe.c +++ b/source/rpc_client/cli_pipe.c @@ -3218,6 +3218,7 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const struct dcinfo *pdc, @@ -3227,7 +3228,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result); + status = cli_rpc_pipe_open(cli, transport, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -3313,6 +3314,7 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, 
@@ -3334,7 +3336,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli, } status = cli_rpc_pipe_open_schannel_with_key( - cli, interface, auth_level, domain, netlogon_pipe->dc, + cli, interface, transport, auth_level, domain, netlogon_pipe->dc, &result); /* Now we've bound using the session key we can close the netlog pipe. */ @@ -3353,6 +3355,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, struct rpc_pipe_client **presult) @@ -3372,7 +3375,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, } status = cli_rpc_pipe_open_schannel_with_key( - cli, interface, auth_level, domain, netlogon_pipe->dc, + cli, interface, transport, auth_level, domain, netlogon_pipe->dc, &result); /* Now we've bound using the session key we can close the netlog pipe. */ diff --git a/source/rpcclient/rpcclient.c b/source/rpcclient/rpcclient.c index 0db9a79..780ad71 100644 --- a/source/rpcclient/rpcclient.c +++ b/source/rpcclient/rpcclient.c @@ -607,6 +607,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, case PIPE_AUTH_TYPE_SCHANNEL: ntresult = cli_rpc_pipe_open_schannel( cli, cmd_entry->interface, + NCACN_NP, pipe_default_auth_level, lp_workgroup(), &cmd_entry->rpc_pipe); diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c index 220c825..60de1cb 100644 --- a/source/utils/net_rpc.c +++ b/source/utils/net_rpc.c @@ -157,7 +157,7 @@ int run_rpc_command(struct net_context *c, &ndr_table_netlogon.syntax_id))) { /* Always try and create an schannel netlogon pipe. */ nt_status = cli_rpc_pipe_open_schannel( - cli, interface, + cli, interface, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain_name, &pipe_hnd); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c index e663cc8..0198ff6 100644 
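Review bot: In `cli_rpc_pipe_open_ntlmssp_auth_schannel` and `cli_rpc_pipe_open_schannel` the new `transport` argument is forwarded only to `cli_rpc_pipe_open_schannel_with_key`; the netlogon pipe that supplies the session key is opened separately. For the NTLMSSP variant, `get_schannel_session_key_auth_ntlmssp` in the previous patch pins that pipe to `NCACN_NP`; the helper used by `cli_rpc_pipe_open_schannel` is not visible here. A caller asking for `NCACN_IP_TCP` therefore presumably still needs a working named-pipe path to netlogon, which is not obvious from the signature. A comment on both functions would help, e.g. `transport selects the transport of the returned pipe only; the netlogon pipe used to obtain the session key is opened separately`. Both function bodies start outside these hunks.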
--- a/source/utils/net_rpc_join.c +++ b/source/utils/net_rpc_join.c @@ -100,7 +100,8 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain, } ntret = cli_rpc_pipe_open_schannel_with_key( - cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY, + cli, &ndr_table_netlogon.syntax_id, NCACN_NP, + PIPE_AUTH_LEVEL_PRIVACY, domain, netlogon_pipe->dc, &pipe_hnd); if (!NT_STATUS_IS_OK(ntret)) { @@ -419,7 +420,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) struct rpc_pipe_client *netlogon_schannel_pipe; result = cli_rpc_pipe_open_schannel_with_key( - cli, &ndr_table_netlogon.syntax_id, + cli, &ndr_table_netlogon.syntax_id, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain, pipe_hnd->dc, &netlogon_schannel_pipe); diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c index 8bbe861..176104a 100644 --- a/source/winbindd/winbindd_cm.c +++ b/source/winbindd/winbindd_cm.c @@ -2082,7 +2082,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, goto anonymous; } result = cli_rpc_pipe_open_schannel_with_key - (conn->cli, &ndr_table_samr.syntax_id, PIPE_AUTH_LEVEL_PRIVACY, + (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP, + PIPE_AUTH_LEVEL_PRIVACY, domain->name, p_dcinfo, &conn->samr_pipe); if (!NT_STATUS_IS_OK(result)) { @@ -2220,7 +2221,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, goto anonymous; } result = cli_rpc_pipe_open_schannel_with_key - (conn->cli, &ndr_table_lsarpc.syntax_id, + (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain->name, p_dcinfo, &conn->lsa_pipe); @@ -2367,7 +2368,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, */ result = cli_rpc_pipe_open_schannel_with_key( - conn->cli, &ndr_table_netlogon.syntax_id, + conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain->name, netlogon_pipe->dc, &conn->netlogon_pipe); -- 1.6.2.5 
From 1ff9d8ace453ce886b48bb08c6f7a7e4f6653676 Mon Sep 17 00:00:00 2001 From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2009 07:59:25 +0200 Subject: [PATCH 04/12] s3-winbindd: add and use winbindd_lookup_sids(). Guenther (cherry picked from commit f0b52b8c3133e3696db361d9d0e7d1fff0fab991) --- source/winbindd/winbindd_ads.c | 64 +++++------------------- source/winbindd/winbindd_proto.h | 9 +++ source/winbindd/winbindd_rpc.c | 101 ++++++++++++++++++++----------------- 3 files changed, 78 insertions(+), 96 deletions(-) diff --git a/source/winbindd/winbindd_ads.c b/source/winbindd/winbindd_ads.c index 3c45f57..7981ebc 100644 --- a/source/winbindd/winbindd_ads.c +++ b/source/winbindd/winbindd_ads.c @@ -977,8 +977,6 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, int i; size_t num_members = 0; ads_control args; - struct rpc_pipe_client *cli; - POLICY_HND lsa_policy; DOM_SID *sid_mem_nocache = NULL; char **names_nocache = NULL; enum lsa_SidType *name_types_nocache = NULL; @@ -1122,31 +1120,14 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, /* handle sids not resolved from cache by lsa_lookup_sids */ if (num_nocache > 0) { - unsigned int orig_timeout; - status = cm_connect_lsa(domain, tmp_ctx, &cli, &lsa_policy); - - if (!NT_STATUS_IS_OK(status)) { - goto done; - } - - /* - * This call can take a long time - * allow the server to time out. - * 35 seconds should do it. - */ - orig_timeout = rpccli_set_timeout(cli, 35000); - - status = rpccli_lsa_lookup_sids(cli, tmp_ctx, - &lsa_policy, - num_nocache, - sid_mem_nocache, - &domains_nocache, - &names_nocache, - &name_types_nocache); - - /* And restore our original timeout. */ - rpccli_set_timeout(cli, orig_timeout); + status = winbindd_lookup_sids(tmp_ctx, + domain, + num_nocache, + sid_mem_nocache, + &domains_nocache, + &names_nocache, + &name_types_nocache); if (!(NT_STATUS_IS_OK(status) || NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) || 
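Review bot: Folding `cm_connect_lsa` into `winbindd_lookup_sids` changes the error path in `lookup_groupmem`: a failed connect used to `goto done` immediately, whereas its status now flows into the retry condition that follows the call and, unless that condition exempts it, triggers a second attempt logged as "lsa_lookupsids call failed". The full condition and the body of the retry block continue outside this hunk, so this is inferred from the visible lines. If retrying on a connect failure is intended, a comment such as `/* winbindd_lookup_sids() also covers connection setup, so connect failures are retried once as well */` would make that explicit.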
@@ -1155,30 +1136,13 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, DEBUG(1, ("lsa_lookupsids call failed with %s " "- retrying...\n", nt_errstr(status))); - status = cm_connect_lsa(domain, tmp_ctx, &cli, - &lsa_policy); - - if (!NT_STATUS_IS_OK(status)) { - goto done; - } - - /* - * This call can take a long time - * allow the server to time out. - * 35 seconds should do it. - */ - orig_timeout = rpccli_set_timeout(cli, 35000); - - status = rpccli_lsa_lookup_sids(cli, tmp_ctx, - &lsa_policy, - num_nocache, - sid_mem_nocache, - &domains_nocache, - &names_nocache, - &name_types_nocache); - - /* And restore our original timeout. */ - rpccli_set_timeout(cli, orig_timeout); + status = winbindd_lookup_sids(tmp_ctx, + domain, + num_nocache, + sid_mem_nocache, + &domains_nocache, + &names_nocache, + &name_types_nocache); } if (NT_STATUS_IS_OK(status) || diff --git a/source/winbindd/winbindd_proto.h b/source/winbindd/winbindd_proto.h index 3909d16..84091c4 100644 --- a/source/winbindd/winbindd_proto.h +++ b/source/winbindd/winbindd_proto.h @@ -73,6 +73,15 @@ int main(int argc, char **argv, char **envp); /* The following definitions come from winbindd/winbindd_ads.c */ +/* The following definitions come from winbindd/winbindd_rpc.c */ + +NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, + uint32_t num_sids, + const struct dom_sid *sids, + char ***domains, + char ***names, + enum lsa_SidType **types); /* The following definitions come from winbindd/winbindd_async.c */ diff --git a/source/winbindd/winbindd_rpc.c b/source/winbindd/winbindd_rpc.c index 5f51b5f..f1dd529 100644 --- a/source/winbindd/winbindd_rpc.c +++ b/source/winbindd/winbindd_rpc.c 
@@ -353,42 +353,26 @@ static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain, char **names; enum lsa_SidType *types = NULL; NTSTATUS result; - struct rpc_pipe_client *cli; - POLICY_HND lsa_policy; NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL; char *mapped_name = NULL; - unsigned int orig_timeout; DEBUG(3,("sid_to_name [rpc] %s for domain %s\n", sid_string_dbg(sid), domain->name )); - result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + result = winbindd_lookup_sids(mem_ctx, + domain, + 1, + sid, + &domains, + &names, + &types); if (!NT_STATUS_IS_OK(result)) { - DEBUG(2,("msrpc_sid_to_name: cm_connect_lsa() failed (%s)\n", - nt_errstr(result))); + DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n", + nt_errstr(result))); return result; } - /* - * This call can take a long time - * allow the server to time out. - * 35 seconds should do it. - */ - orig_timeout = rpccli_set_timeout(cli, 35000); - - result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy, - 1, sid, &domains, &names, &types); - - /* And restore our original timeout. */ - rpccli_set_timeout(cli, orig_timeout); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(2,("msrpc_sid_to_name: rpccli_lsa_lookup_sids() failed (%s)\n", - nt_errstr(result))); - return result; - } - *type = (enum lsa_SidType)types[0]; *domain_name = domains[0]; *name = names[0]; @@ -418,12 +402,9 @@ static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain, { char **domains; NTSTATUS result; - struct rpc_pipe_client *cli; - POLICY_HND lsa_policy; DOM_SID *sids; size_t i; char **ret_names; - unsigned int orig_timeout; DEBUG(3, ("rids_to_names [rpc] for domain %s\n", domain->name )); 
@@ -442,24 +423,13 @@ static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain, } } - result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); - if (!NT_STATUS_IS_OK(result)) { - return result; - } - - /* - * This call can take a long time - * allow the server to time out. - * 35 seconds should do it. - */ - orig_timeout = rpccli_set_timeout(cli, 35000); - - result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy, - num_rids, sids, &domains, - names, types); - - /* And restore our original timeout. */ - rpccli_set_timeout(cli, orig_timeout); + result = winbindd_lookup_sids(mem_ctx, + domain, + num_rids, + sids, + &domains, + names, + types); if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) { @@ -1220,6 +1190,45 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain, return result; } +NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, + uint32_t num_sids, + const struct dom_sid *sids, + char ***domains, + char ***names, + enum lsa_SidType **types) +{ + NTSTATUS status; + struct rpc_pipe_client *cli = NULL; + struct policy_handle lsa_policy; + unsigned int orig_timeout; + + status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + /* + * This call can take a long time + * allow the server to time out. + * 35 seconds should do it. + */ + orig_timeout = rpccli_set_timeout(cli, 35000); + + status = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy, + num_sids, sids, domains, + names, types); + + /* And restore our original timeout. */ + rpccli_set_timeout(cli, orig_timeout); + + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return status; +} + /* the rpc backend methods are exposed via this structure */ struct winbindd_methods msrpc_methods = { -- 1.6.2.5 From 8fdb74ae59f7cc50a63b944ce97ec3bb33773137 Mon Sep 17 00:00:00 2001 
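Review bot: `winbindd_lookup_sids` ends with `if (!NT_STATUS_IS_OK(status)) { return status; }` immediately followed by `return status;`, so the check does nothing and the tail can be a single `return status;` (the same construct appears in `winbindd_lookup_names` in the next patch). The new public helper also has no header comment. It should say that the result arrays are presumably allocated on `mem_ctx`, that the RPC timeout is raised to 35 seconds for the duration of the call and then restored, and that non-OK statuses from `rpccli_lsa_lookup_sids` are returned unchanged so callers such as `msrpc_rids_to_names` can still test for `STATUS_SOME_UNMAPPED`.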
From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2009 08:06:34 +0200 Subject: [PATCH 05/12] s3-winbindd: add and use winbindd_lookup_names(). Guenther (cherry picked from commit 99c3fc19587431efda1ae6161453d84673b32071) --- source/winbindd/winbindd_proto.h | 7 ++++ source/winbindd/winbindd_rpc.c | 60 +++++++++++++++++++++++++------------ 2 files changed, 47 insertions(+), 20 deletions(-) diff --git a/source/winbindd/winbindd_proto.h b/source/winbindd/winbindd_proto.h index 84091c4..9203c5a 100644 --- a/source/winbindd/winbindd_proto.h +++ b/source/winbindd/winbindd_proto.h @@ -82,6 +82,13 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, char ***domains, char ***names, enum lsa_SidType **types); +NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, + uint32_t num_names, + const char **names, + const char ***domains, + struct dom_sid **sids, + enum lsa_SidType **types); /* The following definitions come from winbindd/winbindd_async.c */ diff --git a/source/winbindd/winbindd_rpc.c b/source/winbindd/winbindd_rpc.c index f1dd529..c1f1a64 100644 --- a/source/winbindd/winbindd_rpc.c +++ b/source/winbindd/winbindd_rpc.c @@ -277,11 +277,8 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain, DOM_SID *sids = NULL; enum lsa_SidType *types = NULL; char *full_name = NULL; - struct rpc_pipe_client *cli; - POLICY_HND lsa_policy; NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL; char *mapped_name = NULL; - unsigned int orig_timeout; if (name == NULL || *name=='\0') { full_name = talloc_asprintf(mem_ctx, "%s", domain_name); 
@@ -311,23 +308,9 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain, DEBUG(3,("name_to_sid [rpc] %s for domain %s\n", full_name?full_name:"", domain_name )); - result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); - if (!NT_STATUS_IS_OK(result)) - return result; - - /* - * This call can take a long time - * allow the server to time out. - * 35 seconds should do it. - */ - orig_timeout = rpccli_set_timeout(cli, 35000); - - result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1, - (const char**) &full_name, NULL, 1, &sids, &types); - - /* And restore our original timeout. */ - rpccli_set_timeout(cli, orig_timeout); - + result = winbindd_lookup_names(mem_ctx, domain, 1, + (const char **)&full_name, NULL, + &sids, &types); if (!NT_STATUS_IS_OK(result)) return result; @@ -1229,6 +1212,43 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, return status; } +NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, + uint32_t num_names, + const char **names, + const char ***domains, + struct dom_sid **sids, + enum lsa_SidType **types) +{ + NTSTATUS status; + struct rpc_pipe_client *cli = NULL; + struct policy_handle lsa_policy; + unsigned int orig_timeout; + + status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + /* + * This call can take a long time + * allow the server to time out. + * 35 seconds should do it. + */ + orig_timeout = rpccli_set_timeout(cli, 35000); + + status = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, num_names, + names, domains, 1, sids, types); + + /* And restore our original timeout. */ + rpccli_set_timeout(cli, orig_timeout); + + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return status; +} /* the rpc backend methods are exposed via this structure */ struct winbindd_methods msrpc_methods = { -- 1.6.2.5 From c23709203d1d8fe607d24eda14bff040ab9e81e7 Mon Sep 17 00:00:00 2001 
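Review bot: `winbindd_lookup_names` takes `uint32_t num_names` but hands it to `rpccli_lsa_lookup_names`, whose prototype in proto.h declares `int num_names`, so a count above `INT_MAX` would typically become negative before it reaches the array allocation in that function. The only caller in this patch passes 1, so this is a hardening point rather than a live bug; a guard such as `if (num_names > INT_MAX) { return NT_STATUS_INVALID_PARAMETER; }` before the connect would close it. The lookup level is also fixed at `1` in the call with no way for the caller to choose it, which deserves a one-line comment.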
From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 11 Sep 2009 19:35:14 +0200 Subject: [PATCH 06/12] s3-rpc_client: add rpccli_lsa_lookup_names4 wrapper. Guenther (cherry picked from commit ff968712bab6c2635ef74723c6f52b0fdac4b424) --- source/include/proto.h | 9 ++++ source/rpc_client/cli_lsarpc.c | 98 ++++++++++++++++++++++++++++++--------- 2 files changed, 84 insertions(+), 23 deletions(-) diff --git a/source/include/proto.h b/source/include/proto.h index 312b130..b6c6db7 100644 --- a/source/include/proto.h +++ b/source/include/proto.h @@ -6899,6 +6899,15 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, int level, DOM_SID **sids, enum lsa_SidType **types); +NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types); + bool fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid); /* The following definitions come from rpc_client/cli_netlogon.c */ diff --git a/source/rpc_client/cli_lsarpc.c b/source/rpc_client/cli_lsarpc.c index 577df64..a5daa9e 100644 --- a/source/rpc_client/cli_lsarpc.c +++ b/source/rpc_client/cli_lsarpc.c 
@@ -354,23 +354,26 @@ fail: /** Lookup a list of names */ -NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - POLICY_HND *pol, int num_names, - const char **names, - const char ***dom_names, - int level, - DOM_SID **sids, - enum lsa_SidType **types) +static NTSTATUS rpccli_lsa_lookup_names_generic(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types, + bool use_lookupnames4) { NTSTATUS result; int i; struct lsa_String *lsa_names = NULL; struct lsa_RefDomainList *domains = NULL; struct lsa_TransSidArray sid_array; + struct lsa_TransSidArray3 sid_array3; uint32_t count = 0; ZERO_STRUCT(sid_array); + ZERO_STRUCT(sid_array3); lsa_names = TALLOC_ARRAY(mem_ctx, struct lsa_String, num_names); if (!lsa_names) { @@ -381,14 +384,26 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, init_lsa_String(&lsa_names[i], names[i]); } - result = rpccli_lsa_LookupNames(cli, mem_ctx, - pol, - num_names, - lsa_names, - &domains, - &sid_array, - level, - &count); + if (use_lookupnames4) { + result = rpccli_lsa_LookupNames4(cli, mem_ctx, + num_names, + lsa_names, + &domains, + &sid_array3, + level, + &count, + 0, + 0); + } else { + result = rpccli_lsa_LookupNames(cli, mem_ctx, + pol, + num_names, + lsa_names, + &domains, + &sid_array, + level, + &count); + } if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) != NT_STATUS_V(STATUS_SOME_UNMAPPED)) { 
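Review bot: When `use_lookupnames4` is true the `pol` argument is never used, since `rpccli_lsa_LookupNames4` is called without a policy handle, yet `rpccli_lsa_lookup_names4` still requires callers to supply one. The two trailing `0, 0` arguments of that call are also unexplained. I would add a comment above `rpccli_lsa_lookup_names_generic` along the lines of `pol is ignored when use_lookupnames4 is true` and name the two zero arguments at the call site (presumably lookup options and client revision, to be confirmed against the generated prototype). The function body continues outside these hunks.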
@@ -435,10 +450,17 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, } for (i = 0; i < num_names; i++) { - uint32_t dom_idx = sid_array.sids[i].sid_index; - uint32_t dom_rid = sid_array.sids[i].rid; + uint32_t dom_idx; DOM_SID *sid = &(*sids)[i]; + if (use_lookupnames4) { + dom_idx = sid_array3.sids[i].sid_index; + (*types)[i] = sid_array3.sids[i].sid_type; + } else { + dom_idx = sid_array.sids[i].sid_index; + (*types)[i] = sid_array.sids[i].sid_type; + } + /* Translate optimised sid through domain index array */ if (dom_idx == 0xffffffff) { @@ -448,14 +470,16 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, continue; } - sid_copy(sid, domains->domains[dom_idx].sid); + if (use_lookupnames4) { + sid_copy(sid, sid_array3.sids[i].sid); + } else { + sid_copy(sid, domains->domains[dom_idx].sid); - if (dom_rid != 0xffffffff) { - sid_append_rid(sid, dom_rid); + if (sid_array.sids[i].rid != 0xffffffff) { + sid_append_rid(sid, sid_array.sids[i].rid); + } } - (*types)[i] = sid_array.sids[i].sid_type; - if (dom_names == NULL) { continue; } @@ -467,3 +491,31 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, return result; } + +NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types) +{ + return rpccli_lsa_lookup_names_generic(cli, mem_ctx, pol, num_names, + names, dom_names, level, sids, + types, false); +} + +NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types) +{ + return rpccli_lsa_lookup_names_generic(cli, mem_ctx, pol, num_names, + names, dom_names, level, sids, + types, true); +} -- 1.6.2.5 From 3516e7be8665fbf6151ebad8cc2bf9eeb2495c08 Mon Sep 17 00:00:00 2001 
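Review bot: The loop in the `@@ -435,10 +450,17 @@` hunk reads `sid_array3.sids[i]` (or `sid_array.sids[i]`) for every `i < num_names`, and the `@@ -448,14 +470,16 @@` hunk passes `sid_array3.sids[i].sid` straight to `sid_copy()`, but neither hunk checks that the reply holds `num_names` entries or that the `sid` pointer is non-NULL. Both values come from the remote LSA server, so a short or malformed reply could cause an out-of-bounds read or a NULL dereference, unless a check exists in the part of the function outside these hunks. I would reject the reply before the loop when `sid_array3.count` (or `sid_array.count`) differs from `num_names`. I would also set `result = NT_STATUS_INVALID_NETWORK_RESPONSE` and leave through the function's existing error path when `sid_array3.sids[i].sid == NULL`. The `domains->domains[dom_idx]` access on the old path raises the same question for `dom_idx` against the referenced-domain count.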
From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Sun, 13 Sep 2009 00:28:49 +0200 Subject: [PATCH 07/12] s3-rpc_client: add rpccli_lsa_lookup_sids3 wrapper. Guenther (cherry picked from commit 2f9adf04e4b3e16c046cb371a428a8a70d5de041) --- source/include/proto.h | 8 ++++ source/rpc_client/cli_lsarpc.c | 91 ++++++++++++++++++++++++++++++++------- 2 files changed, 82 insertions(+), 17 deletions(-) diff --git a/source/include/proto.h b/source/include/proto.h index b6c6db7..8dbab9a 100644 --- a/source/include/proto.h +++ b/source/include/proto.h @@ -6891,6 +6891,14 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, char ***pdomains, char ***pnames, enum lsa_SidType **ptypes); +NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes); NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, POLICY_HND *pol, int num_names, diff --git a/source/rpc_client/cli_lsarpc.c b/source/rpc_client/cli_lsarpc.c index a5daa9e..00412bc 100644 --- a/source/rpc_client/cli_lsarpc.c +++ b/source/rpc_client/cli_lsarpc.c @@ -126,7 +126,8 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, const DOM_SID *sids, char **domains, char **names, - enum lsa_SidType *types) + enum lsa_SidType *types, + bool use_lookupsids3) { NTSTATUS result = NT_STATUS_OK; TALLOC_CTX *tmp_ctx = NULL; 
@@ -159,13 +160,41 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, } } - result = rpccli_lsa_LookupSids(cli, mem_ctx, - pol, - &sid_array, - &ref_domains, - &lsa_names, - level, - &count); + if (use_lookupsids3) { + struct lsa_TransNameArray2 lsa_names2; + uint32_t n; + + result = rpccli_lsa_LookupSids3(cli, mem_ctx, + &sid_array, + &ref_domains, + &lsa_names2, + level, + &count, + 0, + 0); + + if (!NT_STATUS_IS_ERR(result)) { + lsa_names.count = lsa_names2.count; + lsa_names.names = talloc_array(mem_ctx, struct lsa_TranslatedName, lsa_names.count); + if (!lsa_names.names) { + return NT_STATUS_NO_MEMORY; + } + for (n=0; n < lsa_names.count; n++) { + lsa_names.names[n].sid_type = lsa_names2.names[n].sid_type; + lsa_names.names[n].name = lsa_names2.names[n].name; + lsa_names.names[n].sid_index = lsa_names2.names[n].sid_index; + } + } + + } else { + result = rpccli_lsa_LookupSids(cli, mem_ctx, + pol, + &sid_array, + &ref_domains, + &lsa_names, + level, + &count); + } DEBUG(10, ("LSA_LOOKUPSIDS returned '%s', mapped count = %d'\n", nt_errstr(result), count)); @@ -245,14 +274,15 @@ done: * at 20480 for win2k3, but we keep it at a save 1000 for now. */ #define LOOKUP_SIDS_HUNK_SIZE 1000 -NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - POLICY_HND *pol, - int num_sids, - const DOM_SID *sids, - char ***pdomains, - char ***pnames, - enum lsa_SidType **ptypes) +static NTSTATUS rpccli_lsa_lookup_sids_generic(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes, + bool use_lookupsids3) { NTSTATUS result = NT_STATUS_OK; int sids_left = 0; 
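Review bot: The copy loop in the `use_lookupsids3` branch takes `lsa_names2.count` from the server's reply and sizes `lsa_names` from it without comparing it to `num_sids`. If the code after this hunk walks `lsa_names.names[i]` up to `num_sids` (that part of `rpccli_lsa_lookup_sids_noalloc` is outside the hunk, so this needs confirming), a reply with fewer entries would be read past the end of the new array. A check at the top of the `!NT_STATUS_IS_ERR(result)` block would close that, e.g. `if (lsa_names2.count != num_sids) { result = NT_STATUS_INVALID_NETWORK_RESPONSE; goto done; }`. The direct `return NT_STATUS_NO_MEMORY;` also bypasses the `done:` label that the next hunk header suggests this function has; setting `result` and using `goto done` would keep the exit path uniform.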
@@ -311,7 +341,8 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, hunk_sids, hunk_domains, hunk_names, - hunk_types); + hunk_types, + use_lookupsids3); if (!NT_STATUS_IS_OK(hunk_result) && !NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) && @@ -352,6 +383,32 @@ fail: return result; } +NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes) +{ + return rpccli_lsa_lookup_sids_generic(cli, mem_ctx, pol, num_sids, sids, + pdomains, pnames, ptypes, false); +} + +NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes) +{ + return rpccli_lsa_lookup_sids_generic(cli, mem_ctx, pol, num_sids, sids, + pdomains, pnames, ptypes, true); +} + /** Lookup a list of names */ static NTSTATUS rpccli_lsa_lookup_names_generic(struct rpc_pipe_client *cli, -- 1.6.2.5 From af3483d306618a14e084a522d04d87992308147d Mon Sep 17 00:00:00 2001 From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2009 09:42:49 +0200 Subject: [PATCH 08/12] s3-rpc_client: fix non initialized structure in rpccli_lsa_lookup_sids_noalloc. Guenther (cherry picked from commit a4b5c792c55ef90648a528d279beec32f86a9b22) --- source/rpc_client/cli_lsarpc.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/source/rpc_client/cli_lsarpc.c b/source/rpc_client/cli_lsarpc.c index 00412bc..b2ae167 100644 --- a/source/rpc_client/cli_lsarpc.c +++ b/source/rpc_client/cli_lsarpc.c @@ -164,6 +164,8 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, struct lsa_TransNameArray2 lsa_names2; uint32_t n; + ZERO_STRUCT(lsa_names2); + result = rpccli_lsa_LookupSids3(cli, mem_ctx, &sid_array, &ref_domains, -- 1.6.2.5 
From 20eca0f1f2ccfbf4621680d0a47f0614906ab652 Mon Sep 17 00:00:00 2001 From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Sat, 12 Sep 2009 23:30:39 +0200 Subject: [PATCH 09/12] s3-winbindd: add cm_connect_lsa_tcp(). Guenther (cherry picked from commit 58f2deb94024f002e3c3df47f45454edc97f47e1) --- source/winbindd/winbindd.h | 1 + source/winbindd/winbindd_cm.c | 59 ++++++++++++++++++++++++++++++++++++++ source/winbindd/winbindd_proto.h | 3 ++ 3 files changed, 63 insertions(+), 0 deletions(-) diff --git a/source/winbindd/winbindd.h b/source/winbindd/winbindd.h index d8e6ec4..f97eed0 100644 --- a/source/winbindd/winbindd.h +++ b/source/winbindd/winbindd.h @@ -122,6 +122,7 @@ struct winbindd_cm_conn { POLICY_HND sam_connect_handle, sam_domain_handle; struct rpc_pipe_client *lsa_pipe; + struct rpc_pipe_client *lsa_pipe_tcp; POLICY_HND lsa_policy; struct rpc_pipe_client *netlogon_pipe; diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c index 176104a..2f823cb 100644 --- a/source/winbindd/winbindd_cm.c +++ b/source/winbindd/winbindd_cm.c @@ -1542,6 +1542,14 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn) } } + if (conn->lsa_pipe_tcp != NULL) { + TALLOC_FREE(conn->lsa_pipe_tcp); + /* Ok, it must be dead. Drop timeout to 0.5 sec. */ + if (conn->cli) { + cli_set_timeout(conn->cli, 500); + } + } + if (conn->netlogon_pipe != NULL) { TALLOC_FREE(conn->netlogon_pipe); /* Ok, it must be dead. Drop timeout to 0.5 sec. */ 
@@ -2150,6 +2158,57 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, return result; } +/********************************************************************** + open an schanneld ncacn_ip_tcp connection to LSA +***********************************************************************/ + +NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct rpc_pipe_client **cli) +{ + struct winbindd_cm_conn *conn; + NTSTATUS status; + + DEBUG(10,("cm_connect_lsa_tcp\n")); + + status = init_dc_connection(domain); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + + conn = &domain->conn; + + if (conn->lsa_pipe_tcp && + conn->lsa_pipe_tcp->transport_type == NCACN_IP_TCP && + conn->lsa_pipe_tcp->auth->auth_level == PIPE_AUTH_LEVEL_PRIVACY) { + goto done; + } + + TALLOC_FREE(conn->lsa_pipe_tcp); + + status = cli_rpc_pipe_open_schannel(conn->cli, + &ndr_table_lsarpc.syntax_id, + NCACN_IP_TCP, + PIPE_AUTH_LEVEL_PRIVACY, + domain->name, + &conn->lsa_pipe_tcp); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n", + nt_errstr(status))); + goto done; + } + + done: + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(conn->lsa_pipe_tcp); + return status; + } + + *cli = conn->lsa_pipe_tcp; + + return status; +} + NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, struct rpc_pipe_client **cli, POLICY_HND *lsa_policy) { diff --git a/source/winbindd/winbindd_proto.h b/source/winbindd/winbindd_proto.h index 9203c5a..53d424b 100644 --- a/source/winbindd/winbindd_proto.h +++ b/source/winbindd/winbindd_proto.h 
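Review bot: The header comment on `cm_connect_lsa_tcp()` does not say who owns the returned pipe or what protection it carries, and `mem_ctx` is accepted but never used in the body. I would expand it to something like `/* Open (or reuse) a sealed schannel ncacn_ip_tcp pipe to LSA. The pipe is cached in domain->conn.lsa_pipe_tcp and owned by it; callers must not free *cli. mem_ctx is currently unused. */`, and fix the "schanneld" typo while there. It is also worth stating that `*cli` is left untouched on failure, so callers must rely on the returned status alone.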
@@ -233,6 +233,9 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, struct rpc_pipe_client **cli, POLICY_HND *sam_handle); NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, struct rpc_pipe_client **cli, POLICY_HND *lsa_policy); +NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct rpc_pipe_client **cli); NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, struct rpc_pipe_client **cli); -- 1.6.2.5 From 492e57d4a6cabdaed7300b270f6a6f624f670fd8 Mon Sep 17 00:00:00 2001 From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2009 09:43:36 +0200 Subject: [PATCH 10/12] s3-winbindd: Fix Bug #6711: trusts to windows 2008 (2008 r2) not working. Winbindd should always try to use LSA via an schannel authenticated ncacn_ip_tcp connection when talking to AD for LSA lookup calls. In Samba <-> W2k8 interdomain trust scenarios, LookupSids3 and LookupNames4 via an schannel ncacn_ip_tcp LSA connection are the *only* options to successfully resolve sids and names. Guenther (cherry picked from commit 6a8ef6c424c52be861ed2a9806f917a64ec892a6) --- source/winbindd/winbindd.h | 2 + source/winbindd/winbindd_cm.c | 2 + source/winbindd/winbindd_rpc.c | 64 ++++++++++++++++++++++++++++++++++++--- 3 files changed, 63 insertions(+), 5 deletions(-) diff --git a/source/winbindd/winbindd.h b/source/winbindd/winbindd.h index f97eed0..63b7269 100644 --- a/source/winbindd/winbindd.h +++ b/source/winbindd/winbindd.h @@ -183,6 +183,8 @@ struct winbindd_domain { * to False. This variable is around so that * we don't have to try _ex every time. */ + bool can_do_ncacn_ip_tcp; + /* Lookup methods for this domain (LDAP or RPC) */ struct winbindd_methods *methods; diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c index 2f823cb..9ea3e75 100644 --- a/source/winbindd/winbindd_cm.c +++ b/source/winbindd/winbindd_cm.c 
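Review bot: The new `can_do_ncacn_ip_tcp` member in the winbindd.h hunk (`@@ -183,6 +183,8 @@`) has no comment, and it sits directly under a comment block that describes a different variable. A one-line comment would make the flag's lifecycle clear, e.g. `/* Try LSA lookups over schannel ncacn_ip_tcp first; set from active_directory, cleared after a failed connect. */`. That wording follows what the winbindd_cm.c and winbindd_rpc.c hunks of this patch do with the field.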
@@ -1924,6 +1924,8 @@ done: DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n", domain->name, domain->active_directory ? "" : "NOT ")); + domain->can_do_ncacn_ip_tcp = domain->active_directory; + TALLOC_FREE(cli); TALLOC_FREE(mem_ctx); diff --git a/source/winbindd/winbindd_rpc.c b/source/winbindd/winbindd_rpc.c index c1f1a64..db43559 100644 --- a/source/winbindd/winbindd_rpc.c +++ b/source/winbindd/winbindd_rpc.c @@ -1173,6 +1173,15 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain, return result; } +typedef NTSTATUS (*lookup_sids_fn_t)(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes); + NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, uint32_t num_sids, @@ -1185,12 +1194,23 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, struct rpc_pipe_client *cli = NULL; struct policy_handle lsa_policy; unsigned int orig_timeout; + lookup_sids_fn_t lookup_sids_fn = rpccli_lsa_lookup_sids; + if (domain->can_do_ncacn_ip_tcp) { + status = cm_connect_lsa_tcp(domain, mem_ctx, &cli); + if (NT_STATUS_IS_OK(status)) { + lookup_sids_fn = rpccli_lsa_lookup_sids3; + goto lookup; + } + domain->can_do_ncacn_ip_tcp = false; + } status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + if (!NT_STATUS_IS_OK(status)) { return status; } + lookup: /* * This call can take a long time * allow the server to time out. @@ -1198,9 +1218,14 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, */ orig_timeout = rpccli_set_timeout(cli, 35000); - status = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy, - num_sids, sids, domains, - names, types); + status = lookup_sids_fn(cli, + mem_ctx, + &lsa_policy, + num_sids, + sids, + domains, + names, + types); /* And restore our original timeout. */ rpccli_set_timeout(cli, orig_timeout); 
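Review bot: In `winbindd_lookup_sids` (hunk `@@ -1185,12 +1194,23 @@`) any failure of `cm_connect_lsa_tcp()` clears `domain->can_do_ncacn_ip_tcp` and falls through to `cm_connect_lsa()` without logging anything. One transient or induced connect failure therefore moves all later lookups for the domain off the sealed schannel TCP pipe until the flag is set again, and an operator has no trace of it. The only assignment that sets it visible here is in `set_dc_type_and_flags_connect`. At minimum I would log the downgrade, e.g. `DEBUG(3, ("winbindd_lookup_sids: schannel ncacn_ip_tcp LSA connect to %s failed (%s), falling back to cm_connect_lsa\n", domain->name, nt_errstr(status)));`, and consider clearing the flag only for status codes that mean the transport is unsupported. `winbindd_lookup_names` in the `@@ -1224,12 +1259,24 @@` hunk has the same pattern.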
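Review bot: On the `goto lookup` path `lsa_policy` is never written, yet `&lsa_policy` is still handed to `lookup_sids_fn` in the `@@ -1198,9 +1218,14 @@` hunk. The `rpccli_lsa_LookupSids3` call in PATCH 07 takes no policy handle, so nothing reads the struct today, but that safety depends on code in another file. Adding `ZERO_STRUCT(lsa_policy);` next to the declaration would make the call safe regardless. The same applies to `winbindd_lookup_names` in the `@@ -1237,8 +1284,15 @@` hunk.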
@@ -1212,6 +1237,16 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, return status; } +typedef NTSTATUS (*lookup_names_fn_t)(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_names, + const char **names, + const char ***dom_names, + int level, + struct dom_sid **sids, + enum lsa_SidType **types); + NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, uint32_t num_names, @@ -1224,12 +1259,24 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, struct rpc_pipe_client *cli = NULL; struct policy_handle lsa_policy; unsigned int orig_timeout; + lookup_names_fn_t lookup_names_fn = rpccli_lsa_lookup_names; + if (domain->can_do_ncacn_ip_tcp) { + status = cm_connect_lsa_tcp(domain, mem_ctx, &cli); + if (NT_STATUS_IS_OK(status)) { + lookup_names_fn = rpccli_lsa_lookup_names4; + goto lookup; + } + domain->can_do_ncacn_ip_tcp = false; + } status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + if (!NT_STATUS_IS_OK(status)) { return status; } + lookup: + /* * This call can take a long time * allow the server to time out. @@ -1237,8 +1284,15 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, */ orig_timeout = rpccli_set_timeout(cli, 35000); - status = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, num_names, - names, domains, 1, sids, types); + status = lookup_names_fn(cli, + mem_ctx, + &lsa_policy, + num_names, + (const char **) names, + domains, + 1, + sids, + types); /* And restore our original timeout. */ rpccli_set_timeout(cli, orig_timeout); -- 1.6.2.5 From 9a10cd35c307a4c82676ab0dd10e814500ca55fc Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 23 Sep 2009 06:23:50 +0200 Subject: [PATCH 11/12] s3:winbind: Fix an uninitialized variable (cherry picked from commit 0724649a8a7c04d015317d9dc2ae43ee87c1bd25) --- source/winbindd/winbindd_cm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) 
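Review bot: The new `lookup_names_fn_t` typedef spells its output parameter `struct dom_sid **sids`, while `lookup_sids_fn_t` and the prototypes added to proto.h in this series use `DOM_SID`. The call in the `@@ -1237,8 +1284,15 @@` hunk also gains a `(const char **) names` cast that the old call did not have. Both make it harder to see at a glance that the function pointer really matches `rpccli_lsa_lookup_names` and `rpccli_lsa_lookup_names4`. I would write the typedef with `DOM_SID **sids` to match the prototypes. I would also drop the cast or, if the compiler needs it, add a comment saying why (the declaration of `names` is outside the hunk).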
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c index 9ea3e75..bf8490e 100644 --- a/source/winbindd/winbindd_cm.c +++ b/source/winbindd/winbindd_cm.c @@ -2175,7 +2175,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, status = init_dc_connection(domain); if (!NT_STATUS_IS_OK(status)) { - goto done; + return status; } conn = &domain->conn; -- 1.6.2.5 From c670199440f2c073b3fb9e160fbca51dcc3bbb44 Mon Sep 17 00:00:00 2001 From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 6 Oct 2009 11:10:47 +0200 Subject: [PATCH 12/12] s3-rpc_client: fix rpccli_set_timeout to cope with abstract transport. taken from: b7094c0b804984de8e0b50c17e7908a2685df557 Guenther --- source/rpc_client/cli_pipe.c | 10 +++++++--- 1 files changed, 7 insertions(+), 3 deletions(-) diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c index 8049d06..be84c39 100644 --- a/source/rpc_client/cli_pipe.c +++ b/source/rpc_client/cli_pipe.c @@ -2319,11 +2319,15 @@ NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli, prs_mem_free(&rbuf); return NT_STATUS_OK; } - -unsigned int rpccli_set_timeout(struct rpc_pipe_client *cli, +unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli, unsigned int timeout) { - return cli_set_timeout(cli->trans.np.cli, timeout); + struct cli_state *cli = rpc_pipe_np_smb_conn(rpc_cli); + + if (cli == NULL) { + return 0; + } + return cli_set_timeout(cli, timeout); } bool rpccli_get_pwd_hash(struct rpc_pipe_client *cli, uint8_t nt_hash[16]) -- 1.6.2.5
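Review bot: With the PATCH 12 hunk, `rpccli_set_timeout()` returns 0 and changes nothing when `rpc_pipe_np_smb_conn()` yields NULL, and that contract is not documented. Callers such as `winbindd_lookup_sids` save the return value and pass it back later to restore the timeout. On a pipe without an SMB connection the 35000 ms request would therefore never take effect and the restore call would be a no-op. That presumably covers the new ncacn_ip_tcp pipes, but `rpc_pipe_np_smb_conn` is not shown here. I would add a comment above the function so callers do not read 0 as a real previous value, e.g. `/* Returns the previous timeout, or 0 if the pipe has no underlying SMB connection, in which case no timeout is changed. */`.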