From 7272f24d3e31add7670c8b8bb020927b62bf39d0 Mon Sep 17 00:00:00 2001 From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 10 Sep 2009 19:59:37 +0200 Subject: [PATCH 01/12] s3-rpc_client: add enum dcerpc_transport_t to rpc_cli_transport struct. Guenther (cherry picked from commit 393a1f594d5f03a51448cdc465f92c599a93904c) --- source3/include/client.h | 2 ++ source3/rpc_client/cli_pipe.c | 8 ++++++++ 2 files changed, 10 insertions(+), 0 deletions(-) diff --git a/source3/include/client.h b/source3/include/client.h index 320a90e..1914210 100644 --- a/source3/include/client.h +++ b/source3/include/client.h @@ -68,6 +68,8 @@ struct cli_pipe_auth_data { struct rpc_cli_transport { + enum dcerpc_transport_t transport; + /** * Trigger an async read from the server. May return a short read. */ diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 9aba938..12d2b9e 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3233,6 +3233,8 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host, goto fail; } + result->transport->transport = NCACN_IP_TCP; + *presult = result; return NT_STATUS_OK; @@ -3451,6 +3453,8 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path, goto fail; } + result->transport->transport = NCALRPC; + *presult = result; return NT_STATUS_OK; @@ -3523,6 +3527,8 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli, return status; } + result->transport->transport = NCACN_NP; + DLIST_ADD(cli->pipe_list, result); talloc_set_destructor(result, rpc_pipe_client_np_destructor); @@ -3581,6 +3587,8 @@ NTSTATUS rpc_pipe_open_local(TALLOC_CTX *mem_ctx, return status; } + result->transport->transport = NCACN_INTERNAL; + *presult = result; return NT_STATUS_OK; } -- 1.6.2.5 From 51542774216607ad96ec2bbd610a373548db9f76 Mon Sep 17 00:00:00 2001 
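Review bot: The new `transport` member of `struct rpc_cli_transport` in client.h has no comment, unlike the callback member documented directly below it, and nothing states who is responsible for setting it. In this commit the value is assigned by the four open functions in cli_pipe.c (`rpc_pipe_open_tcp_port`, `rpc_pipe_open_ncalrpc`, `rpc_pipe_open_np`, `rpc_pipe_open_local`) after the transport has already been created, so a transport built on any other path would carry whatever value its allocation left in the field. I would add `/** DCERPC transport this connection runs over; set by the rpc_pipe_open_*() function that created the transport. */` above the member, and consider moving the assignment into the transport init helpers, which are outside these hunks. That matters most if later code keys a decision, such as which auth level to require, on this field.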
From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 4 Nov 2008 18:40:24 +0100 Subject: [PATCH 02/12] s3-rpc_client: add cli_rpc_pipe_open_noauth_transport. Guenther (cherry picked from commit 87f61a144b8d25c90b847940ca03ced1f77b036c) --- source3/include/proto.h | 4 ++++ source3/rpc_client/cli_pipe.c | 40 ++++++++++++++++++++++++++-------------- 2 files changed, 30 insertions(+), 14 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index 802c2ed..910b49e 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -5289,6 +5289,10 @@ NTSTATUS rpc_pipe_open_internal(TALLOC_CTX *mem_ctx, const struct ndr_syntax_id NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, const struct ndr_syntax_id *interface, struct rpc_pipe_client **presult); +NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, + enum dcerpc_transport_t transport, + const struct ndr_syntax_id *interface, + struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, const struct ndr_syntax_id *interface, enum pipe_auth_level auth_level, diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 12d2b9e..75ce7cb 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c 
@@ -3598,34 +3598,35 @@ NTSTATUS rpc_pipe_open_local(TALLOC_CTX *mem_ctx, ****************************************************************************/ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli, + enum dcerpc_transport_t transport, const struct ndr_syntax_id *interface, struct rpc_pipe_client **presult) { - if (ndr_syntax_id_equal(interface, &ndr_table_drsuapi.syntax_id)) { - /* - * We should have a better way to figure out this drsuapi - * speciality... - */ + switch (transport) { + case NCACN_IP_TCP: return rpc_pipe_open_tcp(NULL, cli->desthost, interface, presult); + case NCACN_NP: + return rpc_pipe_open_np(cli, interface, presult); + default: + return NT_STATUS_NOT_IMPLEMENTED; } - - return rpc_pipe_open_np(cli, interface, presult); } /**************************************************************************** Open a named pipe to an SMB server and bind anonymously. ****************************************************************************/ -NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, - const struct ndr_syntax_id *interface, - struct rpc_pipe_client **presult) +NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, + enum dcerpc_transport_t transport, + const struct ndr_syntax_id *interface, + struct rpc_pipe_client **presult) { struct rpc_pipe_client *result; struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, interface, &result); + status = cli_rpc_pipe_open(cli, transport, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } 
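Review bot: Dropping the `ndr_syntax_id_equal(interface, &ndr_table_drsuapi.syntax_id)` test from `cli_rpc_pipe_open` changes which transport drsuapi gets on every path that now passes a fixed `NCACN_NP`: `cli_rpc_pipe_open_ntlmssp_internal`, `cli_rpc_pipe_open_schannel_with_key` and `cli_rpc_pipe_open_krb5` in the later hunks of this commit, plus the `cli_rpc_pipe_open_noauth` wrapper. Before this change those openers reached `rpc_pipe_open_tcp` for drsuapi automatically; whether any caller relies on that is not visible here, so the commit message should say that the selection has moved to the callers. The `default:` arm also returns `NT_STATUS_NOT_IMPLEMENTED` for `NCALRPC` and `NCACN_INTERNAL`, which deserves a comment such as `/* only ncacn_np and ncacn_ip_tcp can be opened through a cli_state */`.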
@@ -3684,6 +3685,17 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, } /**************************************************************************** + ****************************************************************************/ + +NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, + const struct ndr_syntax_id *interface, + struct rpc_pipe_client **presult) +{ + return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP, + interface, presult); +} + +/**************************************************************************** Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP ****************************************************************************/ @@ -3700,7 +3712,7 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli, struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, interface, &result); + status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -3879,7 +3891,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, interface, &result); + status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -4055,7 +4067,7 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli, struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, interface, &result); + status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } -- 1.6.2.5 From 9fc86ed89a10d26f1f37ac0ed62ab73b773cb6ff Mon Sep 17 00:00:00 2001 
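Review bot: The banner added above `cli_rpc_pipe_open_noauth` is empty, while the text "Open a named pipe to an SMB server and bind anonymously" now sits above `cli_rpc_pipe_open_noauth_transport` (hunk at -3598), which can also open `NCACN_IP_TCP`. I would move that sentence to the new wrapper and describe the transport variant as `Open an RPC connection over the given transport and bind anonymously.` For `NCACN_IP_TCP` the open goes through `rpc_pipe_open_tcp(NULL, cli->desthost, ...)`, which presumably makes a separate connection rather than reusing the SMB session in `cli`, so the comment should also tell callers not to count on SMB-level signing for that traffic.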
From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 10 Sep 2009 22:23:21 +0200 Subject: [PATCH 03/12] s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_spnego_ntlmssp and cli_rpc_pipe_open_ntlmssp. Guenther (cherry picked from commit 032e01e7c13724d057b5744d7d79613449c2f24f) --- source3/include/proto.h | 2 ++ source3/libsmb/passchange.c | 1 + source3/rpc_client/cli_pipe.c | 10 ++++++++-- source3/rpcclient/rpcclient.c | 2 ++ source3/utils/net.h | 1 + source3/utils/net_rpc.c | 2 ++ source3/utils/net_rpc_samsync.c | 2 +- source3/winbindd/winbindd_cm.c | 3 ++- 8 files changed, 19 insertions(+), 4 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index 910b49e..96c1d93 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -5295,6 +5295,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, @@ -5302,6 +5303,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c index f3cb9d6..d73b34c 100644 --- a/source3/libsmb/passchange.c +++ b/source3/libsmb/passchange.c @@ -176,6 +176,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam if (!pass_must_change) { result = cli_rpc_pipe_open_ntlmssp(cli, &ndr_table_samr.syntax_id, + NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain, user, old_passwd, diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 75ce7cb..5b8a2d4 100644 
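Review bot: `transport` is inserted after `interface` in the prototypes of `cli_rpc_pipe_open_ntlmssp` and `cli_rpc_pipe_open_spnego_ntlmssp`, but `cli_rpc_pipe_open_noauth_transport` from the previous patch takes it before `interface`. The two argument types differ, so a swapped call should at least draw a compiler diagnostic, but the mixed order makes the family harder to read and to search. Since every call site is being touched in this series anyway, I would settle on one order, for example `(cli, interface, transport, ...)`, and change the noauth variant and the static `cli_rpc_pipe_open` to match.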
--- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3701,6 +3701,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_type auth_type, enum pipe_auth_level auth_level, const char *domain, @@ -3712,7 +3713,7 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli, struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result); + status = cli_rpc_pipe_open(cli, transport, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -3754,6 +3755,7 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, @@ -3762,6 +3764,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, { return cli_rpc_pipe_open_ntlmssp_internal(cli, interface, + transport, PIPE_AUTH_TYPE_NTLMSSP, auth_level, domain, @@ -3777,6 +3780,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, @@ -3785,6 +3789,7 @@ NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli, { return cli_rpc_pipe_open_ntlmssp_internal(cli, interface, + transport, PIPE_AUTH_TYPE_SPNEGO_NTLMSSP, auth_level, domain, 
@@ -3951,7 +3956,8 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli, NTSTATUS status; status = cli_rpc_pipe_open_spnego_ntlmssp( - cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY, + cli, &ndr_table_netlogon.syntax_id, NCACN_NP, + PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, &netlogon_pipe); if (!NT_STATUS_IS_OK(status)) { return status; diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 82de603..ae2a820 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -594,6 +594,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP: ntresult = cli_rpc_pipe_open_spnego_ntlmssp( cli, cmd_entry->interface, + NCACN_NP, pipe_default_auth_level, lp_workgroup(), get_cmdline_auth_info_username(auth_info), @@ -603,6 +604,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, case PIPE_AUTH_TYPE_NTLMSSP: ntresult = cli_rpc_pipe_open_ntlmssp( cli, cmd_entry->interface, + NCACN_NP, pipe_default_auth_level, lp_workgroup(), get_cmdline_auth_info_username(auth_info), diff --git a/source3/utils/net.h b/source3/utils/net.h index d88f962..86e8b1c 100644 --- a/source3/utils/net.h +++ b/source3/utils/net.h @@ -157,6 +157,7 @@ enum netdom_domain_t { ND_TYPE_NT4, ND_TYPE_AD }; #define NET_FLAGS_NO_PIPE 0x00000020 /* don't open an RPC pipe */ #define NET_FLAGS_SIGN 0x00000040 /* sign RPC connection */ #define NET_FLAGS_SEAL 0x00000080 /* seal RPC connection */ +#define NET_FLAGS_TCP 0x00000100 /* use ncacn_ip_tcp */ /* net share operation modes */ #define NET_MODE_SHARE_MIGRATE 1 diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 3a1aeb0..168659a 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c 
@@ -169,6 +169,8 @@ int run_rpc_command(struct net_context *c, if (conn_flags & NET_FLAGS_SEAL) { nt_status = cli_rpc_pipe_open_ntlmssp( cli, interface, + (conn_flags & NET_FLAGS_TCP) ? + NCACN_IP_TCP : NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, lp_workgroup(), c->opt_user_name, c->opt_password, &pipe_hnd); diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c index 309be17..0c7f9a8 100644 --- a/source3/utils/net_rpc_samsync.c +++ b/source3/utils/net_rpc_samsync.c @@ -499,7 +499,7 @@ int rpc_vampire_keytab(struct net_context *c, int argc, const char **argv) return -1; } else { ret = run_rpc_command(c, cli, &ndr_table_drsuapi.syntax_id, - NET_FLAGS_SEAL, + NET_FLAGS_SEAL | NET_FLAGS_TCP, rpc_vampire_keytab_ds_internals, argc, argv); if (ret != 0 && dc_info.is_mixed_mode) { printf("Fallback to NT4 vampire on Mixed-Mode AD Domain\n"); diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 4571f22..ac22ed4 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2045,6 +2045,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, authenticated SAMR pipe with sign & seal. */ result = cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, &ndr_table_samr.syntax_id, + NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain_name, machine_account, @@ -2183,7 +2184,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, /* We have an authenticated connection. Use a NTLMSSP SPNEGO * authenticated LSA pipe with sign & seal. */ result = cli_rpc_pipe_open_spnego_ntlmssp - (conn->cli, &ndr_table_lsarpc.syntax_id, + (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, conn->cli->domain, conn->cli->user_name, conn->cli->password, &conn->lsa_pipe); -- 1.6.2.5 From 02c53303afa22034d675525478700406220a391c Mon Sep 17 00:00:00 2001 
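Review bot: `NET_FLAGS_TCP` is consulted only inside the `if (conn_flags & NET_FLAGS_SEAL)` branch of `run_rpc_command`, so a caller that sets it without `NET_FLAGS_SEAL` appears to get a different transport than it asked for, with no error. The other branches of the function are outside this hunk; the schannel branch shown in the following patch passes `NCACN_NP` unconditionally. Either honour the flag in every branch or document the restriction where the flag is defined in net.h, e.g. `#define NET_FLAGS_TCP 0x00000100 /* use ncacn_ip_tcp; only honoured together with NET_FLAGS_SEAL */`.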
From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 10 Sep 2009 22:23:21 +0200 Subject: [PATCH 04/12] s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_schannel(). Guenther (cherry picked from commit bea8e5fa6038d5abd2ec1e12f9005c4a04abb79f) --- source3/auth/auth_domain.c | 2 +- source3/include/proto.h | 3 +++ source3/libnet/libnet_join.c | 3 ++- source3/rpc_client/cli_pipe.c | 9 ++++++--- source3/rpcclient/rpcclient.c | 1 + source3/utils/net_rpc.c | 2 +- source3/utils/net_rpc_join.c | 5 +++-- source3/winbindd/winbindd_cm.c | 7 ++++--- 8 files changed, 21 insertions(+), 11 deletions(-) diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f11dbe6..45150ab 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -175,7 +175,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, if (lp_client_schannel()) { /* We also setup the creds chain in the open_schannel call. */ result = cli_rpc_pipe_open_schannel( - *cli, &ndr_table_netlogon.syntax_id, + *cli, &ndr_table_netlogon.syntax_id, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe); } else { result = cli_rpc_pipe_open_noauth( diff --git a/source3/include/proto.h b/source3/include/proto.h index 96c1d93..8a59363 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -5315,12 +5315,14 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli, struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const struct dcinfo *pdc, struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, 
@@ -5328,6 +5330,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli, struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, struct rpc_pipe_client **presult); diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 5309452..03832cf 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1070,7 +1070,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name, } status = cli_rpc_pipe_open_schannel_with_key( - cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY, + cli, &ndr_table_netlogon.syntax_id, NCACN_NP, + PIPE_AUTH_LEVEL_PRIVACY, netbios_domain_name, netlogon_pipe->dc, &pipe_hnd); cli_shutdown(cli); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 5b8a2d4..9990f1b 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3887,6 +3887,7 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const struct dcinfo *pdc, @@ -3896,7 +3897,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, struct cli_pipe_auth_data *auth; NTSTATUS status; - status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result); + status = cli_rpc_pipe_open(cli, transport, interface, &result); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -3982,6 +3983,7 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, const char *username, 
@@ -4003,7 +4005,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli, } status = cli_rpc_pipe_open_schannel_with_key( - cli, interface, auth_level, domain, netlogon_pipe->dc, + cli, interface, transport, auth_level, domain, netlogon_pipe->dc, &result); /* Now we've bound using the session key we can close the netlog pipe. */ @@ -4022,6 +4024,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, enum pipe_auth_level auth_level, const char *domain, struct rpc_pipe_client **presult) @@ -4041,7 +4044,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, } status = cli_rpc_pipe_open_schannel_with_key( - cli, interface, auth_level, domain, netlogon_pipe->dc, + cli, interface, transport, auth_level, domain, netlogon_pipe->dc, &result); /* Now we've bound using the session key we can close the netlog pipe. */ diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index ae2a820..17ca5e7 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -614,6 +614,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, case PIPE_AUTH_TYPE_SCHANNEL: ntresult = cli_rpc_pipe_open_schannel( cli, cmd_entry->interface, + NCACN_NP, pipe_default_auth_level, lp_workgroup(), &cmd_entry->rpc_pipe); diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 168659a..7fafa1b 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -157,7 +157,7 @@ int run_rpc_command(struct net_context *c, &ndr_table_netlogon.syntax_id))) { /* Always try and create an schannel netlogon pipe. */ nt_status = cli_rpc_pipe_open_schannel( - cli, interface, + cli, interface, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain_name, &pipe_hnd); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index f0e6fe7..127b306 100644 
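Review bot: The `transport` argument of `cli_rpc_pipe_open_ntlmssp_auth_schannel` and `cli_rpc_pipe_open_schannel` reaches only the final `cli_rpc_pipe_open_schannel_with_key` call; the netlogon pipe that supplies `netlogon_pipe->dc` is opened earlier, outside these hunks. In the previous patch `get_schannel_session_key_auth_ntlmssp` opens that pipe with a fixed `NCACN_NP`, so a caller passing `NCACN_IP_TCP` still depends on named-pipe access to netlogon. I would state this in the function comments, e.g. `transport selects how the requested interface is opened; the netlogon pipe used to obtain the session key always uses ncacn_np`. The second half of that sentence needs checking against `get_schannel_session_key`, whose body is not shown.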
--- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -100,7 +100,8 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain, } ntret = cli_rpc_pipe_open_schannel_with_key( - cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY, + cli, &ndr_table_netlogon.syntax_id, NCACN_NP, + PIPE_AUTH_LEVEL_PRIVACY, domain, netlogon_pipe->dc, &pipe_hnd); if (!NT_STATUS_IS_OK(ntret)) { @@ -415,7 +416,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) struct rpc_pipe_client *netlogon_schannel_pipe; result = cli_rpc_pipe_open_schannel_with_key( - cli, &ndr_table_netlogon.syntax_id, + cli, &ndr_table_netlogon.syntax_id, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain, pipe_hnd->dc, &netlogon_schannel_pipe); diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index ac22ed4..85333cf 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2089,7 +2089,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, goto anonymous; } result = cli_rpc_pipe_open_schannel_with_key - (conn->cli, &ndr_table_samr.syntax_id, PIPE_AUTH_LEVEL_PRIVACY, + (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP, + PIPE_AUTH_LEVEL_PRIVACY, domain->name, p_dcinfo, &conn->samr_pipe); if (!NT_STATUS_IS_OK(result)) { @@ -2225,7 +2226,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, goto anonymous; } result = cli_rpc_pipe_open_schannel_with_key - (conn->cli, &ndr_table_lsarpc.syntax_id, + (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain->name, p_dcinfo, &conn->lsa_pipe); @@ -2372,7 +2373,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, */ result = cli_rpc_pipe_open_schannel_with_key( - conn->cli, &ndr_table_netlogon.syntax_id, + conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP, PIPE_AUTH_LEVEL_PRIVACY, domain->name, netlogon_pipe->dc, &conn->netlogon_pipe); -- 1.6.2.5 
From 32403c64d528b0594cfae0112f05d7ec47ec7a1d Mon Sep 17 00:00:00 2001 From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2009 07:59:25 +0200 Subject: [PATCH 05/12] s3-winbindd: add and use winbindd_lookup_sids(). Guenther (cherry picked from commit f0b52b8c3133e3696db361d9d0e7d1fff0fab991) --- source3/winbindd/winbindd_ads.c | 64 +++++------------------ source3/winbindd/winbindd_proto.h | 9 +++ source3/winbindd/winbindd_rpc.c | 101 ++++++++++++++++++++----------------- 3 files changed, 78 insertions(+), 96 deletions(-) diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index 7828b45..227c967 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c @@ -977,8 +977,6 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, int i; size_t num_members = 0; ads_control args; - struct rpc_pipe_client *cli; - struct policy_handle lsa_policy; DOM_SID *sid_mem_nocache = NULL; char **names_nocache = NULL; enum lsa_SidType *name_types_nocache = NULL; @@ -1122,31 +1120,14 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, /* handle sids not resolved from cache by lsa_lookup_sids */ if (num_nocache > 0) { - unsigned int orig_timeout; - status = cm_connect_lsa(domain, tmp_ctx, &cli, &lsa_policy); - - if (!NT_STATUS_IS_OK(status)) { - goto done; - } - - /* - * This call can take a long time - * allow the server to time out. - * 35 seconds should do it. - */ - orig_timeout = rpccli_set_timeout(cli, 35000); - - status = rpccli_lsa_lookup_sids(cli, tmp_ctx, - &lsa_policy, - num_nocache, - sid_mem_nocache, - &domains_nocache, - &names_nocache, - &name_types_nocache); - - /* And restore our original timeout. */ - rpccli_set_timeout(cli, orig_timeout); + status = winbindd_lookup_sids(tmp_ctx, + domain, + num_nocache, + sid_mem_nocache, + &domains_nocache, + &names_nocache, + &name_types_nocache); if (!(NT_STATUS_IS_OK(status) || NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) || 
@@ -1155,30 +1136,13 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, DEBUG(1, ("lsa_lookupsids call failed with %s " "- retrying...\n", nt_errstr(status))); - status = cm_connect_lsa(domain, tmp_ctx, &cli, - &lsa_policy); - - if (!NT_STATUS_IS_OK(status)) { - goto done; - } - - /* - * This call can take a long time - * allow the server to time out. - * 35 seconds should do it. - */ - orig_timeout = rpccli_set_timeout(cli, 35000); - - status = rpccli_lsa_lookup_sids(cli, tmp_ctx, - &lsa_policy, - num_nocache, - sid_mem_nocache, - &domains_nocache, - &names_nocache, - &name_types_nocache); - - /* And restore our original timeout. */ - rpccli_set_timeout(cli, orig_timeout); + status = winbindd_lookup_sids(tmp_ctx, + domain, + num_nocache, + sid_mem_nocache, + &domains_nocache, + &names_nocache, + &name_types_nocache); } if (NT_STATUS_IS_OK(status) || diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 384395f..ad80182 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -71,6 +71,15 @@ int main(int argc, char **argv, char **envp); /* The following definitions come from winbindd/winbindd_ads.c */ +/* The following definitions come from winbindd/winbindd_rpc.c */ + +NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, + uint32_t num_sids, + const struct dom_sid *sids, + char ***domains, + char ***names, + enum lsa_SidType **types); /* The following definitions come from winbindd/winbindd_async.c */ diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index 38b20d8..255db61 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c 
@@ -353,42 +353,26 @@ static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain, char **names; enum lsa_SidType *types = NULL; NTSTATUS result; - struct rpc_pipe_client *cli; - struct policy_handle lsa_policy; NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL; char *mapped_name = NULL; - unsigned int orig_timeout; DEBUG(3,("sid_to_name [rpc] %s for domain %s\n", sid_string_dbg(sid), domain->name )); - result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + result = winbindd_lookup_sids(mem_ctx, + domain, + 1, + sid, + &domains, + &names, + &types); if (!NT_STATUS_IS_OK(result)) { - DEBUG(2,("msrpc_sid_to_name: cm_connect_lsa() failed (%s)\n", - nt_errstr(result))); + DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n", + nt_errstr(result))); return result; } - /* - * This call can take a long time - * allow the server to time out. - * 35 seconds should do it. - */ - orig_timeout = rpccli_set_timeout(cli, 35000); - - result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy, - 1, sid, &domains, &names, &types); - - /* And restore our original timeout. */ - rpccli_set_timeout(cli, orig_timeout); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(2,("msrpc_sid_to_name: rpccli_lsa_lookup_sids() failed (%s)\n", - nt_errstr(result))); - return result; - } - *type = (enum lsa_SidType)types[0]; *domain_name = domains[0]; *name = names[0]; @@ -418,12 +402,9 @@ static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain, { char **domains; NTSTATUS result; - struct rpc_pipe_client *cli; - struct policy_handle lsa_policy; DOM_SID *sids; size_t i; char **ret_names; - unsigned int orig_timeout; DEBUG(3, ("rids_to_names [rpc] for domain %s\n", domain->name )); 
@@ -442,24 +423,13 @@ static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain, } } - result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); - if (!NT_STATUS_IS_OK(result)) { - return result; - } - - /* - * This call can take a long time - * allow the server to time out. - * 35 seconds should do it. - */ - orig_timeout = rpccli_set_timeout(cli, 35000); - - result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy, - num_rids, sids, &domains, - names, types); - - /* And restore our original timeout. */ - rpccli_set_timeout(cli, orig_timeout); + result = winbindd_lookup_sids(mem_ctx, + domain, + num_rids, + sids, + &domains, + names, + types); if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) { @@ -1222,6 +1192,45 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain, return result; } +NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, + uint32_t num_sids, + const struct dom_sid *sids, + char ***domains, + char ***names, + enum lsa_SidType **types) +{ + NTSTATUS status; + struct rpc_pipe_client *cli = NULL; + struct policy_handle lsa_policy; + unsigned int orig_timeout; + + status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + /* + * This call can take a long time + * allow the server to time out. + * 35 seconds should do it. + */ + orig_timeout = rpccli_set_timeout(cli, 35000); + + status = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy, + num_sids, sids, domains, + names, types); + + /* And restore our original timeout. */ + rpccli_set_timeout(cli, orig_timeout); + + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return status; +} + /* the rpc backend methods are exposed via this structure */ struct winbindd_methods msrpc_methods = { -- 1.6.2.5 From 106c1c4c073215b060726a0cd05dae9cf5c26109 Mon Sep 17 00:00:00 2001 
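Review bot: `winbindd_lookup_sids` ends with `if (!NT_STATUS_IS_OK(status)) { return status; }` immediately followed by `return status;`, so the test has no effect and can be deleted. The function is exported through winbindd_proto.h but has no comment saying that non-OK codes from `rpccli_lsa_lookup_sids` are passed through untouched; the callers in this patch differ on that, since `msrpc_rids_to_names` accepts `STATUS_SOME_UNMAPPED` while `msrpc_sid_to_name` treats every non-OK status as failure before reading `types[0]`. A short header comment should state that callers decide how to treat partial results and must not index the output arrays on a status they do not accept. The same dead tail is in `winbindd_lookup_names` in the next patch.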
From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2009 08:06:34 +0200 Subject: [PATCH 06/12] s3-winbindd: add and use winbindd_lookup_names(). Guenther (cherry picked from commit 99c3fc19587431efda1ae6161453d84673b32071) --- source3/winbindd/winbindd_proto.h | 7 ++++ source3/winbindd/winbindd_rpc.c | 60 ++++++++++++++++++++++++------------ 2 files changed, 47 insertions(+), 20 deletions(-) diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index ad80182..fceb463 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -80,6 +80,13 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, char ***domains, char ***names, enum lsa_SidType **types); +NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, + uint32_t num_names, + const char **names, + const char ***domains, + struct dom_sid **sids, + enum lsa_SidType **types); /* The following definitions come from winbindd/winbindd_async.c */ diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index 255db61..8e1a985 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -277,11 +277,8 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain, DOM_SID *sids = NULL; enum lsa_SidType *types = NULL; char *full_name = NULL; - struct rpc_pipe_client *cli; - struct policy_handle lsa_policy; NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL; char *mapped_name = NULL; - unsigned int orig_timeout; if (name == NULL || *name=='\0') { full_name = talloc_asprintf(mem_ctx, "%s", domain_name); 
@@ -311,23 +308,9 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain, DEBUG(3,("name_to_sid [rpc] %s for domain %s\n", full_name?full_name:"", domain_name )); - result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); - if (!NT_STATUS_IS_OK(result)) - return result; - - /* - * This call can take a long time - * allow the server to time out. - * 35 seconds should do it. - */ - orig_timeout = rpccli_set_timeout(cli, 35000); - - result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1, - (const char**) &full_name, NULL, 1, &sids, &types); - - /* And restore our original timeout. */ - rpccli_set_timeout(cli, orig_timeout); - + result = winbindd_lookup_names(mem_ctx, domain, 1, + (const char **)&full_name, NULL, + &sids, &types); if (!NT_STATUS_IS_OK(result)) return result; @@ -1231,6 +1214,43 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, return status; } +NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, + uint32_t num_names, + const char **names, + const char ***domains, + struct dom_sid **sids, + enum lsa_SidType **types) +{ + NTSTATUS status; + struct rpc_pipe_client *cli = NULL; + struct policy_handle lsa_policy; + unsigned int orig_timeout; + + status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + /* + * This call can take a long time + * allow the server to time out. + * 35 seconds should do it. + */ + orig_timeout = rpccli_set_timeout(cli, 35000); + + status = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, num_names, + names, domains, 1, sids, types); + + /* And restore our original timeout. */ + rpccli_set_timeout(cli, orig_timeout); + + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return status; +} /* the rpc backend methods are exposed via this structure */ struct winbindd_methods msrpc_methods = { -- 1.6.2.5 From ea64b21f6ac70aee0a2e6ee0af39313a6a71e4b2 Mon Sep 17 00:00:00 2001 
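Review bot: `winbindd_lookup_names` takes `uint32_t num_names` but passes it to `rpccli_lsa_lookup_names`, whose parameter is `int num_names` (signature visible in patch 07), so a count above INT_MAX reaches the array allocation and loop there as a negative value. A guard at the top keeps the count in range: `if (num_names > INT_MAX) { return NT_STATUS_INVALID_PARAMETER; }`. `winbindd_lookup_sids` in patch 05 has the same `uint32_t`-to-`int` hand-off for `num_sids`. The literal `1` passed as the lookup level also deserves a short comment, since the wrapper gives callers no way to choose it.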
From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 11 Sep 2009 19:35:14 +0200 Subject: [PATCH 07/12] s3-rpc_client: add rpccli_lsa_lookup_names4 wrapper. Guenther (cherry picked from commit ff968712bab6c2635ef74723c6f52b0fdac4b424) --- source3/include/proto.h | 9 ++++ source3/rpc_client/cli_lsarpc.c | 98 +++++++++++++++++++++++++++++--------- 2 files changed, 84 insertions(+), 23 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index 8a59363..f7f5516 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -5185,6 +5185,15 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, int level, DOM_SID **sids, enum lsa_SidType **types); +NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types); + bool fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid); /* The following definitions come from rpc_client/cli_netlogon.c */ diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index 68fd96f..0c06e7b 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c 
@@ -342,23 +342,26 @@ fail: /** Lookup a list of names */ -NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, int num_names, - const char **names, - const char ***dom_names, - int level, - DOM_SID **sids, - enum lsa_SidType **types) +static NTSTATUS rpccli_lsa_lookup_names_generic(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types, + bool use_lookupnames4) { NTSTATUS result; int i; struct lsa_String *lsa_names = NULL; struct lsa_RefDomainList *domains = NULL; struct lsa_TransSidArray sid_array; + struct lsa_TransSidArray3 sid_array3; uint32_t count = 0; ZERO_STRUCT(sid_array); + ZERO_STRUCT(sid_array3); lsa_names = TALLOC_ARRAY(mem_ctx, struct lsa_String, num_names); if (!lsa_names) { @@ -369,14 +372,26 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, init_lsa_String(&lsa_names[i], names[i]); } - result = rpccli_lsa_LookupNames(cli, mem_ctx, - pol, - num_names, - lsa_names, - &domains, - &sid_array, - level, - &count); + if (use_lookupnames4) { + result = rpccli_lsa_LookupNames4(cli, mem_ctx, + num_names, + lsa_names, + &domains, + &sid_array3, + level, + &count, + 0, + 0); + } else { + result = rpccli_lsa_LookupNames(cli, mem_ctx, + pol, + num_names, + lsa_names, + &domains, + &sid_array, + level, + &count); + } if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) != NT_STATUS_V(STATUS_SOME_UNMAPPED)) { 
@@ -423,10 +438,17 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, } for (i = 0; i < num_names; i++) { - uint32_t dom_idx = sid_array.sids[i].sid_index; - uint32_t dom_rid = sid_array.sids[i].rid; + uint32_t dom_idx; DOM_SID *sid = &(*sids)[i]; + if (use_lookupnames4) { + dom_idx = sid_array3.sids[i].sid_index; + (*types)[i] = sid_array3.sids[i].sid_type; + } else { + dom_idx = sid_array.sids[i].sid_index; + (*types)[i] = sid_array.sids[i].sid_type; + } + /* Translate optimised sid through domain index array */ if (dom_idx == 0xffffffff) { @@ -436,14 +458,16 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, continue; } - sid_copy(sid, domains->domains[dom_idx].sid); + if (use_lookupnames4) { + sid_copy(sid, sid_array3.sids[i].sid); + } else { + sid_copy(sid, domains->domains[dom_idx].sid); - if (dom_rid != 0xffffffff) { - sid_append_rid(sid, dom_rid); + if (sid_array.sids[i].rid != 0xffffffff) { + sid_append_rid(sid, sid_array.sids[i].rid); + } } - (*types)[i] = sid_array.sids[i].sid_type; - if (dom_names == NULL) { continue; } @@ -455,3 +479,31 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, return result; } + +NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types) +{ + return rpccli_lsa_lookup_names_generic(cli, mem_ctx, pol, num_names, + names, dom_names, level, sids, + types, false); +} + +NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types) +{ + return rpccli_lsa_lookup_names_generic(cli, mem_ctx, pol, num_names, + names, dom_names, level, sids, + types, true); +} -- 1.6.2.5 From 1318c199f0edf1152648fe4a46109f9c66f693dc Mon Sep 17 00:00:00 2001 
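Review bot: In the hunk at `-436,14 +458,16`, the LookupNames4 branch calls `sid_copy(sid, sid_array3.sids[i].sid)` on a pointer taken straight from the server reply. Only `dom_idx == 0xffffffff` is tested first, so a reply that pairs a valid `sid_index` with a NULL `sid` would presumably be dereferenced inside `sid_copy`. I would test `if (sid_array3.sids[i].sid == NULL)` and skip the entry the same way the `0xffffffff` branch above does. The loop also indexes `sid_array3.sids[i]` up to `num_names`, so unless code outside these hunks already compares the returned array count with `num_names`, that check belongs before the loop. The function starts and ends outside this hunk.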
From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Sun, 13 Sep 2009 00:28:49 +0200 Subject: [PATCH 08/12] s3-rpc_client: add rpccli_lsa_lookup_sids3 wrapper. Guenther (cherry picked from commit 2f9adf04e4b3e16c046cb371a428a8a70d5de041) --- source3/include/proto.h | 8 +++ source3/rpc_client/cli_lsarpc.c | 91 +++++++++++++++++++++++++++++++------- 2 files changed, 82 insertions(+), 17 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index f7f5516..e489224 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -5177,6 +5177,14 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, char ***pdomains, char ***pnames, enum lsa_SidType **ptypes); +NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes); NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *pol, int num_names, diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index 0c06e7b..aa883d3 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c @@ -114,7 +114,8 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, const DOM_SID *sids, char **domains, char **names, - enum lsa_SidType *types) + enum lsa_SidType *types, + bool use_lookupsids3) { NTSTATUS result = NT_STATUS_OK; TALLOC_CTX *tmp_ctx = NULL; 
@@ -147,13 +148,41 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, } } - result = rpccli_lsa_LookupSids(cli, mem_ctx, - pol, - &sid_array, - &ref_domains, - &lsa_names, - level, - &count); + if (use_lookupsids3) { + struct lsa_TransNameArray2 lsa_names2; + uint32_t n; + + result = rpccli_lsa_LookupSids3(cli, mem_ctx, + &sid_array, + &ref_domains, + &lsa_names2, + level, + &count, + 0, + 0); + + if (!NT_STATUS_IS_ERR(result)) { + lsa_names.count = lsa_names2.count; + lsa_names.names = talloc_array(mem_ctx, struct lsa_TranslatedName, lsa_names.count); + if (!lsa_names.names) { + return NT_STATUS_NO_MEMORY; + } + for (n=0; n < lsa_names.count; n++) { + lsa_names.names[n].sid_type = lsa_names2.names[n].sid_type; + lsa_names.names[n].name = lsa_names2.names[n].name; + lsa_names.names[n].sid_index = lsa_names2.names[n].sid_index; + } + } + + } else { + result = rpccli_lsa_LookupSids(cli, mem_ctx, + pol, + &sid_array, + &ref_domains, + &lsa_names, + level, + &count); + } DEBUG(10, ("LSA_LOOKUPSIDS returned '%s', mapped count = %d'\n", nt_errstr(result), count)); @@ -233,14 +262,15 @@ done: * at 20480 for win2k3, but we keep it at a save 1000 for now. */ #define LOOKUP_SIDS_HUNK_SIZE 1000 -NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_sids, - const DOM_SID *sids, - char ***pdomains, - char ***pnames, - enum lsa_SidType **ptypes) +static NTSTATUS rpccli_lsa_lookup_sids_generic(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes, + bool use_lookupsids3) { NTSTATUS result = NT_STATUS_OK; int sids_left = 0; 
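Review bot: In the `use_lookupsids3` branch of `rpccli_lsa_lookup_sids_noalloc`, the allocation-failure path does `return NT_STATUS_NO_MEMORY;` directly, although the function declares a `tmp_ctx` and appears to have a `done:` label (both visible in neighbouring hunk context). If `tmp_ctx` is already allocated at that point, which the hunk does not show, the early return skips its cleanup. `result = NT_STATUS_NO_MEMORY; goto done;` would keep a single exit path. The function body begins and ends outside this hunk.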
@@ -299,7 +329,8 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, hunk_sids, hunk_domains, hunk_names, - hunk_types); + hunk_types, + use_lookupsids3); if (!NT_STATUS_IS_OK(hunk_result) && !NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) && @@ -340,6 +371,32 @@ fail: return result; } +NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes) +{ + return rpccli_lsa_lookup_sids_generic(cli, mem_ctx, pol, num_sids, sids, + pdomains, pnames, ptypes, false); +} + +NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes) +{ + return rpccli_lsa_lookup_sids_generic(cli, mem_ctx, pol, num_sids, sids, + pdomains, pnames, ptypes, true); +} + /** Lookup a list of names */ static NTSTATUS rpccli_lsa_lookup_names_generic(struct rpc_pipe_client *cli, -- 1.6.2.5 From f0d2909906b0e0b79a915f956b049d537bf926bb Mon Sep 17 00:00:00 2001 From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2009 09:42:49 +0200 Subject: [PATCH 09/12] s3-rpc_client: fix non initialized structure in rpccli_lsa_lookup_sids_noalloc. Guenther (cherry picked from commit a4b5c792c55ef90648a528d279beec32f86a9b22) --- source3/rpc_client/cli_lsarpc.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index aa883d3..d49fa47 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c @@ -152,6 +152,8 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, struct lsa_TransNameArray2 lsa_names2; uint32_t n; + ZERO_STRUCT(lsa_names2); + result = rpccli_lsa_LookupSids3(cli, mem_ctx, &sid_array, &ref_domains, -- 1.6.2.5 
From 8ae9eb2c9503ce94be13c53d37731f431e105821 Mon Sep 17 00:00:00 2001 From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Sat, 12 Sep 2009 23:30:39 +0200 Subject: [PATCH 10/12] s3-winbindd: add cm_connect_lsa_tcp(). Guenther (cherry picked from commit 58f2deb94024f002e3c3df47f45454edc97f47e1) --- source3/winbindd/winbindd.h | 1 + source3/winbindd/winbindd_cm.c | 59 +++++++++++++++++++++++++++++++++++++ source3/winbindd/winbindd_proto.h | 3 ++ 3 files changed, 63 insertions(+), 0 deletions(-) diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h index f3733dc..32af656 100644 --- a/source3/winbindd/winbindd.h +++ b/source3/winbindd/winbindd.h @@ -122,6 +122,7 @@ struct winbindd_cm_conn { struct policy_handle sam_connect_handle, sam_domain_handle; struct rpc_pipe_client *lsa_pipe; + struct rpc_pipe_client *lsa_pipe_tcp; struct policy_handle lsa_policy; struct rpc_pipe_client *netlogon_pipe; diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 85333cf..d2dbcb4 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1551,6 +1551,14 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn) } } + if (conn->lsa_pipe_tcp != NULL) { + TALLOC_FREE(conn->lsa_pipe_tcp); + /* Ok, it must be dead. Drop timeout to 0.5 sec. */ + if (conn->cli) { + cli_set_timeout(conn->cli, 500); + } + } + if (conn->netlogon_pipe != NULL) { TALLOC_FREE(conn->netlogon_pipe); /* Ok, it must be dead. Drop timeout to 0.5 sec. */ 
@@ -2157,6 +2165,57 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, return result; } +/********************************************************************** + open an schanneld ncacn_ip_tcp connection to LSA +***********************************************************************/ + +NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct rpc_pipe_client **cli) +{ + struct winbindd_cm_conn *conn; + NTSTATUS status; + + DEBUG(10,("cm_connect_lsa_tcp\n")); + + status = init_dc_connection(domain); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + + conn = &domain->conn; + + if (conn->lsa_pipe_tcp && + conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP && + conn->lsa_pipe_tcp->auth->auth_level == PIPE_AUTH_LEVEL_PRIVACY) { + goto done; + } + + TALLOC_FREE(conn->lsa_pipe_tcp); + + status = cli_rpc_pipe_open_schannel(conn->cli, + &ndr_table_lsarpc.syntax_id, + NCACN_IP_TCP, + PIPE_AUTH_LEVEL_PRIVACY, + domain->name, + &conn->lsa_pipe_tcp); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n", + nt_errstr(status))); + goto done; + } + + done: + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(conn->lsa_pipe_tcp); + return status; + } + + *cli = conn->lsa_pipe_tcp; + + return status; +} + NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, struct rpc_pipe_client **cli, struct policy_handle *lsa_policy) { diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index fceb463..2aec595 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h 
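Review bot: The banner comment on `cm_connect_lsa_tcp` says only what is opened and leaves the contract undocumented. It should state that `mem_ctx` is not used in the body, and that the pipe returned in `*cli` is the one cached in `domain->conn.lsa_pipe_tcp`. The caller must therefore not free it, and it becomes invalid once `invalidate_cm_connection` runs. I would also record that a cached pipe is reused only while it is `NCACN_IP_TCP` at `PIPE_AUTH_LEVEL_PRIVACY` and is otherwise freed and reopened, because callers rely on that check for the sealed transport.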
@@ -227,6 +227,9 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, struct rpc_pipe_client **cli, struct policy_handle *sam_handle); NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, struct rpc_pipe_client **cli, struct policy_handle *lsa_policy); +NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct rpc_pipe_client **cli); NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, struct rpc_pipe_client **cli); -- 1.6.2.5 From e8b68747ebf8bbbe3f97db2a9c045897f163ec88 Mon Sep 17 00:00:00 2001 From: =?utf-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2009 09:43:36 +0200 Subject: [PATCH 11/12] s3-winbindd: Fix Bug #6711: trusts to windows 2008 (2008 r2) not working. Winbindd should always try to use LSA via an schannel authenticated ncacn_ip_tcp connection when talking to AD for LSA lookup calls. In Samba <-> W2k8 interdomain trust scenarios, LookupSids3 and LookupNames4 via an schannel ncacn_ip_tcp LSA connection are the *only* options to successfully resolve sids and names. Guenther (cherry picked from commit 6a8ef6c424c52be861ed2a9806f917a64ec892a6) --- source3/winbindd/winbindd.h | 2 + source3/winbindd/winbindd_cm.c | 2 + source3/winbindd/winbindd_rpc.c | 64 +++++++++++++++++++++++++++++++++++--- 3 files changed, 63 insertions(+), 5 deletions(-) diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h index 32af656..16812d8 100644 --- a/source3/winbindd/winbindd.h +++ b/source3/winbindd/winbindd.h @@ -183,6 +183,8 @@ struct winbindd_domain { * to False. This variable is around so that * we don't have to try _ex every time. */ + bool can_do_ncacn_ip_tcp; + /* Lookup methods for this domain (LDAP or RPC) */ struct winbindd_methods *methods; diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index d2dbcb4..46aa3d6 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -1933,6 +1933,8 @@ done: DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n", domain->name, domain->active_directory ? "" : "NOT ")); + domain->can_do_ncacn_ip_tcp = domain->active_directory; + TALLOC_FREE(cli); TALLOC_FREE(mem_ctx); diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index 8e1a985..f176fb3 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -1175,6 +1175,15 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain, return result; } +typedef NTSTATUS (*lookup_sids_fn_t)(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes); + NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, uint32_t num_sids, @@ -1187,12 +1196,23 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, struct rpc_pipe_client *cli = NULL; struct policy_handle lsa_policy; unsigned int orig_timeout; + lookup_sids_fn_t lookup_sids_fn = rpccli_lsa_lookup_sids; + if (domain->can_do_ncacn_ip_tcp) { + status = cm_connect_lsa_tcp(domain, mem_ctx, &cli); + if (NT_STATUS_IS_OK(status)) { + lookup_sids_fn = rpccli_lsa_lookup_sids3; + goto lookup; + } + domain->can_do_ncacn_ip_tcp = false; + } status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + if (!NT_STATUS_IS_OK(status)) { return status; } + lookup: /* * This call can take a long time * allow the server to time out. @@ -1200,9 +1220,14 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, */ orig_timeout = rpccli_set_timeout(cli, 35000); - status = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy, - num_sids, sids, domains, - names, types); + status = lookup_sids_fn(cli, + mem_ctx, + &lsa_policy, + num_sids, + sids, + domains, + names, + types); /* And restore our original timeout. */ rpccli_set_timeout(cli, orig_timeout); 
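Review bot: In `winbindd_lookup_sids` (hunk `-1187,12 +1196,23`), any failure of `cm_connect_lsa_tcp` sets `domain->can_do_ncacn_ip_tcp = false` and silently falls through to `cm_connect_lsa`. A single transient error, or anything blocking the TCP endpoint, therefore latches the domain off the schannel-sealed transport with no log line. As far as this page shows, the flag is only set again in `set_dc_type_and_flags_connect`. I would at least log the downgrade before clearing the flag: `DEBUG(1,("winbindd_lookup_sids: schannel ncacn_ip_tcp LSA connect to %s failed (%s), falling back\n", domain->name, nt_errstr(status)));`. It is also worth considering whether to clear the flag only for errors that mean the server lacks the transport. `winbindd_lookup_names` on the next line of the page has the same fallback.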
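Review bot: In the call hunk `-1200,9 +1220,14`, `&lsa_policy` is passed to `lookup_sids_fn` even when `goto lookup` was taken, and on that path `cm_connect_lsa` never ran, so `lsa_policy` is uninitialized. The LookupSids3 path shown in patch 08 does not forward `pol` to the RPC, so nothing reads it today. Adding `ZERO_STRUCT(lsa_policy);` after the declarations keeps that from becoming a stale-handle bug if the callee changes. `winbindd_lookup_names` passes its `lsa_policy` to `lookup_names_fn` the same way.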
@@ -1214,6 +1239,16 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, return status; } +typedef NTSTATUS (*lookup_names_fn_t)(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_names, + const char **names, + const char ***dom_names, + int level, + struct dom_sid **sids, + enum lsa_SidType **types); + NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, uint32_t num_names, @@ -1226,12 +1261,24 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, struct rpc_pipe_client *cli = NULL; struct policy_handle lsa_policy; unsigned int orig_timeout; + lookup_names_fn_t lookup_names_fn = rpccli_lsa_lookup_names; + if (domain->can_do_ncacn_ip_tcp) { + status = cm_connect_lsa_tcp(domain, mem_ctx, &cli); + if (NT_STATUS_IS_OK(status)) { + lookup_names_fn = rpccli_lsa_lookup_names4; + goto lookup; + } + domain->can_do_ncacn_ip_tcp = false; + } status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + if (!NT_STATUS_IS_OK(status)) { return status; } + lookup: + /* * This call can take a long time * allow the server to time out. @@ -1239,8 +1286,15 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, */ orig_timeout = rpccli_set_timeout(cli, 35000); - status = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, num_names, - names, domains, 1, sids, types); + status = lookup_names_fn(cli, + mem_ctx, + &lsa_policy, + num_names, + (const char **) names, + domains, + 1, + sids, + types); /* And restore our original timeout. */ rpccli_set_timeout(cli, orig_timeout); -- 1.6.2.5 From f02ed74192daa9726834b32f360dc716bc381624 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 23 Sep 2009 06:23:50 +0200 Subject: [PATCH 12/12] s3:winbind: Fix an uninitialized variable (cherry picked from commit 0724649a8a7c04d015317d9dc2ae43ee87c1bd25) --- source3/winbindd/winbindd_cm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) 
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 46aa3d6..3162362 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2182,7 +2182,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, status = init_dc_connection(domain); if (!NT_STATUS_IS_OK(status)) { - goto done; + return status; } conn = &domain->conn; -- 1.6.2.5