This puts real netlogon connection caching to winbind. This becomes

important once we start doing schannel, as there would be a lot more
roundtrips for the second PIPE open and bind. With this patch logging
in to a member server is a matter of two (three if you count the
ack...) packets between us and the DC.

Volker
(This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)

3 files changed, 135 insertions, 81 deletions

diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index dbcfdcf88f..45cded75fa 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -415,21 +415,19 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index,
 static BOOL connection_ok(struct winbindd_cm_conn *conn)
 {
 	if (!conn) {
-		smb_panic("Invalid paramater passed to conneciton_ok():  conn was NULL!\n");
+		smb_panic("Invalid parameter passed to connection_ok():  conn was NULL!\n");
 		return False;
 	}
 
 	if (!conn->cli) {
-		DEBUG(0, ("Connection to %s for domain %s (pipe %s) has NULL conn->cli!\n", 
+		DEBUG(3, ("Connection to %s for domain %s (pipe %s) has NULL conn->cli!\n", 
 			  conn->controller, conn->domain, conn->pipe_name));
-		smb_panic("connection_ok: conn->cli was null!");
 		return False;
 	}
 
 	if (!conn->cli->initialised) {
-		DEBUG(0, ("Connection to %s for domain %s (pipe %s) was never initialised!\n", 
+		DEBUG(3, ("Connection to %s for domain %s (pipe %s) was never initialised!\n", 
 			  conn->controller, conn->domain, conn->pipe_name));
-		smb_panic("connection_ok: conn->cli->initialised is False!");
 		return False;
 	}
 
@@ -442,13 +440,13 @@ static BOOL connection_ok(struct winbindd_cm_conn *conn)
 	return True;
 }
 
-/* Get a connection to the remote DC and open the pipe.  If there is already a connection, use that */
+/* Search the cache for a connection. If there is a broken one,
+   shut it down properly and return NULL. */
 
-static NTSTATUS get_connection_from_cache(const char *domain, const char *pipe_name,
-		struct winbindd_cm_conn **conn_out) 
+static void find_cm_connection(const char *domain, const char *pipe_name,
+			       struct winbindd_cm_conn **conn_out) 
 {
 	struct winbindd_cm_conn *conn, conn_temp;
-	NTSTATUS result;
 
 	for (conn = cm_conns; conn; conn = conn->next) {
 		if (strequal(conn->domain, domain) && 
@@ -466,26 +464,47 @@ static NTSTATUS get_connection_from_cache(const char *domain, const char *pipe_n
 			}
 		}
 	}
-	
-	if (!conn) {
-		if (!(conn = malloc(sizeof(*conn))))
-			return NT_STATUS_NO_MEMORY;
+
+	*conn_out = conn;
+}
+
+/* Initialize a new connection up to the RPC BIND. */
+
+static NTSTATUS new_cm_connection(const char *domain, const char *pipe_name,
+				  struct winbindd_cm_conn **conn_out)
+{
+	struct winbindd_cm_conn *conn;
+	NTSTATUS result;
+
+	if (!(conn = malloc(sizeof(*conn))))
+		return NT_STATUS_NO_MEMORY;
 		
-		ZERO_STRUCTP(conn);
+	ZERO_STRUCTP(conn);
 		
-		if (!NT_STATUS_IS_OK(result = cm_open_connection(domain, get_pipe_index(pipe_name), conn))) {
-			DEBUG(3, ("Could not open a connection to %s for %s (%s)\n", 
-				  domain, pipe_name, nt_errstr(result)));
-		        SAFE_FREE(conn);
-			return result;
-		}
-		DLIST_ADD(cm_conns, conn);		
+	if (!NT_STATUS_IS_OK(result = cm_open_connection(domain, get_pipe_index(pipe_name), conn))) {
+		DEBUG(3, ("Could not open a connection to %s for %s (%s)\n", 
+			  domain, pipe_name, nt_errstr(result)));
+		SAFE_FREE(conn);
+		return result;
 	}
-	
+	DLIST_ADD(cm_conns, conn);
+
 	*conn_out = conn;
 	return NT_STATUS_OK;
 }
 
+/* Get a connection to the remote DC and open the pipe.  If there is already a connection, use that */
+
+static NTSTATUS get_connection_from_cache(const char *domain, const char *pipe_name,
+					  struct winbindd_cm_conn **conn_out)
+{
+	find_cm_connection(domain, pipe_name, conn_out);
+
+	if (conn_out != NULL)
+		return NT_STATUS_OK;
+
+	return new_cm_connection(domain, pipe_name, conn_out);
+}
 
 /**********************************************************************************
 **********************************************************************************/
@@ -856,11 +875,11 @@ CLI_POLICY_HND *cm_get_sam_group_handle(char *domain, DOM_SID *domain_sid,
 NTSTATUS cm_get_netlogon_cli(const char *domain, 
 			     const unsigned char *trust_passwd, 
 			     uint32 sec_channel_type,
+			     BOOL fresh,
 			     struct cli_state **cli)
 {
 	NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
 	struct winbindd_cm_conn *conn;
-	uint32 neg_flags = 0x000001ff;
 	fstring lock_name;
 	BOOL got_mutex;
 
@@ -869,7 +888,30 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
 
 	/* Open an initial conection - keep the mutex. */
 
-	if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_NETLOGON, &conn)))
+	find_cm_connection(domain, PIPE_NETLOGON, &conn);
+
+	if ( fresh && (conn != NULL) ) {
+		cli_shutdown(conn->cli);
+		conn->cli = NULL;
+
+		conn = NULL;
+
+		/* purge connection from cache */
+		find_cm_connection(domain, PIPE_NETLOGON, &conn);
+		if (conn != NULL) {
+			DEBUG(0,("Could not purge connection\n"));
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+	}
+
+	if (conn != NULL) {
+		*cli = conn->cli;
+		return NT_STATUS_OK;
+	}
+
+	result = new_cm_connection(domain, PIPE_NETLOGON, &conn);
+
+	if (!NT_STATUS_IS_OK(result))
 		return result;
 	
 	snprintf(lock_name, sizeof(lock_name), "NETLOGON\\%s", conn->controller);
@@ -878,38 +920,16 @@ NTSTATUS cm_get_netlogon_cli(const char *domain,
 		DEBUG(0,("cm_get_netlogon_cli: mutex grab failed for %s\n", conn->controller));
 	}
 			
-	result = cli_nt_setup_creds(conn->cli, sec_channel_type, trust_passwd, &neg_flags, 2);
+	result = cli_nt_establish_netlogon(conn->cli, sec_channel_type, trust_passwd);
 	
 	if (got_mutex)
 		secrets_named_mutex_release(lock_name);
-			
+				
 	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(0, ("error connecting to domain password server: %s\n",
-			  nt_errstr(result)));
-		
-		/* Hit the cache code again.  This cleans out the old connection and gets a new one */
-		if (conn->cli->fd == -1) {
-			if (!NT_STATUS_IS_OK(result = get_connection_from_cache(domain, PIPE_NETLOGON, &conn)))
-				return result;
-			
-			snprintf(lock_name, sizeof(lock_name), "NETLOGON\\%s", conn->controller);
-			if (!(got_mutex = secrets_named_mutex(lock_name, WINBIND_SERVER_MUTEX_WAIT_TIME))) {
-				DEBUG(0,("cm_get_netlogon_cli: mutex grab failed for %s\n", conn->controller));
-			}
-			
-			/* Try again */
-			result = cli_nt_setup_creds( conn->cli, sec_channel_type,trust_passwd, &neg_flags, 2);
-			
-			if (got_mutex)
-				secrets_named_mutex_release(lock_name);
-		}
-		
-		if (!NT_STATUS_IS_OK(result)) {
-			cli_shutdown(conn->cli);
-			DLIST_REMOVE(cm_conns, conn);
-			SAFE_FREE(conn);
-			return result;
-		}
+		cli_shutdown(conn->cli);
+		DLIST_REMOVE(cm_conns, conn);
+		SAFE_FREE(conn);
+		return result;
 	}
 
 	*cli = conn->cli;
diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c
index fb56d0e657..436c95053e 100644
--- a/source3/nsswitch/winbindd_misc.c
+++ b/source3/nsswitch/winbindd_misc.c
@@ -50,7 +50,9 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
            the trust account password. */
 
 	/* Don't shut this down - it belongs to the connection cache code */
-        result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, sec_channel_type, &cli);
+        result = cm_get_netlogon_cli(lp_workgroup(),
+				     trust_passwd, sec_channel_type,
+				     True, &cli);
 
         if (!NT_STATUS_IS_OK(result)) {
                 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 2998372bd2..3b306eed3b 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -68,6 +68,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 	TALLOC_CTX *mem_ctx = NULL;
 	DATA_BLOB lm_resp;
 	DATA_BLOB nt_resp;
+	DOM_CRED ret_creds;
+	int attempts = 0;
 
 	/* Ensure null termination */
 	state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
@@ -119,23 +121,35 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 		goto done;
 	}
 
-	ZERO_STRUCT(info3);
+	do {
+		ZERO_STRUCT(info3);
+		ZERO_STRUCT(ret_creds);
 	
-	/* Don't shut this down - it belongs to the connection cache code */
-        result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, 
-				     sec_channel_type, 
-				     &cli);
-
-        if (!NT_STATUS_IS_OK(result)) {
-                DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
-                goto done;
-        }
-
-	result = cli_netlogon_sam_network_logon(cli, mem_ctx,
-						name_user, name_domain, 
-						global_myname(), chal, 
-						lm_resp, nt_resp, 
-						&info3);
+		/* Don't shut this down - it belongs to the connection cache code */
+		result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, 
+					     sec_channel_type, False, &cli);
+
+		if (!NT_STATUS_IS_OK(result)) {
+			DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+			goto done;
+		}
+
+		result = cli_netlogon_sam_network_logon(cli, mem_ctx,
+							&ret_creds,
+							name_user, name_domain, 
+							global_myname(), chal, 
+							lm_resp, nt_resp,
+							&info3);
+		attempts += 1;
+
+		/* We have to try a second time as cm_get_netlogon_cli
+		   might not yet have noticed that the DC has killed
+		   our connection. */
+
+	} while ( (attempts < 2) && (cli->fd == -1) );
+
+        
+	clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
         
 	uni_group_cache_store_netlogon(mem_ctx, &info3);
 done:
@@ -176,6 +190,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 	const char *domain = NULL;
 	const char *contact_domain;
 	const char *workstation;
+	DOM_CRED ret_creds;
+	int attempts = 0;
 
 	DATA_BLOB lm_resp, nt_resp;
 
@@ -264,21 +280,37 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 		goto done;
 	}
 
-	ZERO_STRUCT(info3);
+	do {
+		ZERO_STRUCT(info3);
+		ZERO_STRUCT(ret_creds);
+
+		/* Don't shut this down - it belongs to the connection cache code */
+		result = cm_get_netlogon_cli(contact_domain, trust_passwd,
+					     sec_channel_type, False, &cli);
+
+		if (!NT_STATUS_IS_OK(result)) {
+			DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
+				  nt_errstr(result)));
+			goto done;
+		}
+
+		result = cli_netlogon_sam_network_logon(cli, mem_ctx,
+							&ret_creds,
+							user, domain,
+							workstation,
+							state->request.data.auth_crap.chal, 
+							lm_resp, nt_resp, 
+							&info3);
+
+		attempts += 1;
 
-	/* Don't shut this down - it belongs to the connection cache code */
-        result = cm_get_netlogon_cli(contact_domain, trust_passwd, sec_channel_type, &cli);
+		/* We have to try a second time as cm_get_netlogon_cli
+		   might not yet have noticed that the DC has killed
+		   our connection. */
 
-        if (!NT_STATUS_IS_OK(result)) {
-                DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n", nt_errstr(result)));
-                goto done;
-        }
+	} while ( (attempts < 2) && (cli->fd == -1) );
 
-	result = cli_netlogon_sam_network_logon(cli, mem_ctx,
-						user, domain,
-						workstation, state->request.data.auth_crap.chal, 
-						lm_resp, nt_resp, 
-						&info3);
+	clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
         
 	if (NT_STATUS_IS_OK(result)) {
 		uni_group_cache_store_netlogon(mem_ctx, &info3);