summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/libads/ldap.c2
-rw-r--r--source3/nsswitch/winbindd_cm.c150
-rw-r--r--source3/nsswitch/winbindd_util.c5
3 files changed, 87 insertions, 70 deletions
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index c9bba72524..6e1b011c37 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -112,7 +112,7 @@ static int ldap_search_with_timeout(LDAP *ld,
TODO : add a negative connection cache in here leveraged off of the one
found in the rpc code. --jerry
*/
-static BOOL ads_try_connect(ADS_STRUCT *ads, const char *server, unsigned port)
+BOOL ads_try_connect(ADS_STRUCT *ads, const char *server, unsigned port)
{
char *srv;
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index f5dcb69ce0..dc2d6cfc6f 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -459,97 +459,107 @@ static BOOL add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
return True;
}
-static BOOL get_dcs_1c(TALLOC_CTX *mem_ctx,
- const struct winbindd_domain *domain,
- struct dc_name_ip **dcs, int *num_dcs)
+/*******************************************************************
+ convert an ip to a name
+*******************************************************************/
+
+static void dcip_to_name( const char *domainname, const char *realm, struct in_addr ip, fstring name )
{
- struct ip_service *iplist = NULL;
- int i, num = 0;
+ /* try node status request first */
- if (!internal_resolve_name(domain->name, 0x1c, &iplist, &num,
- lp_name_resolve_order()))
- return False;
+ if ( name_status_find(domainname, 0x1c, 0x20, ip, name) )
+ return;
- /* Now try to find the server names of at least one IP address, hosts
- * not replying are cached as such */
+ /* backup in case the ads stuff fails */
- for (i=0; i<num; i++) {
+ fstrcpy( name, inet_ntoa(ip) );
- fstring dcname;
+#ifdef WITH_ADS
+ /* for active directory servers, try to get the ldap server name.
+ None of these failure should be considered critical for now */
- if (!name_status_find(domain->name, 0x1c, 0x20, iplist[i].ip,
- dcname))
- continue;
+ if ( lp_security() == SEC_ADS )
+ {
+ ADS_STRUCT *ads;
+ ADS_STATUS status;
- if (add_one_dc_unique(mem_ctx, domain->name, dcname,
- iplist[i].ip, dcs, num_dcs)) {
- /* One DC responded, so we assume that he will also
- work on 139/445 */
- break;
+ ads = ads_init( realm, domainname, NULL );
+ ads->auth.flags |= ADS_AUTH_NO_BIND;
+
+ if ( !ads_try_connect( ads, inet_ntoa(ip), LDAP_PORT ) ) {
+ ads_destroy( &ads );
+ return;
}
- }
- SAFE_FREE(iplist);
+ status = ads_server_info(ads);
+ if ( !ADS_ERR_OK(status) ) {
+ ads_destroy( &ads );
+ return;
+ }
- return True;
+ fstrcpy(name, ads->config.ldap_server_name);
+
+ ads_destroy( &ads );
+ }
+#endif
+
+ return;
}
+
+/*******************************************************************
+ Retreive a list of IP address for domain controllers. Fill in
+ the dcs[] with results.
+*******************************************************************/
+
static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain,
struct dc_name_ip **dcs, int *num_dcs)
{
fstring dcname;
- struct in_addr ip;
- BOOL is_our_domain;
+ struct in_addr ip;
+ struct ip_service *ip_list = NULL;
+ int iplist_size = 0;
+ int i;
+ BOOL is_our_domain;
- const char *p;
is_our_domain = strequal(domain->name, lp_workgroup());
- if (!is_our_domain && get_dc_name_via_netlogon(domain, dcname, &ip) &&
- add_one_dc_unique(mem_ctx, domain->name, dcname, ip, dcs, num_dcs))
- return True;
-
- if (!is_our_domain) {
- /* NETLOGON to our own domain could not give us a DC name
- * (which is an error), fall back to looking up domain#1c */
- return get_dcs_1c(mem_ctx, domain, dcs, num_dcs);
+ if ( !is_our_domain
+ && get_dc_name_via_netlogon(domain, dcname, &ip)
+ && add_one_dc_unique(mem_ctx, domain->name, dcname, ip, dcs, num_dcs) )
+ {
+ return True;
}
- if (must_use_pdc(domain->name) && get_pdc_ip(domain->name, &ip)) {
-
- if (!name_status_find(domain->name, 0x1b, 0x20, ip, dcname))
- return False;
-
- if (add_one_dc_unique(mem_ctx, domain->name,
- dcname, ip, dcs, num_dcs))
+ if ( is_our_domain
+ && must_use_pdc(domain->name)
+ && get_pdc_ip(domain->name, &ip))
+ {
+ if (add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip), ip, dcs, num_dcs))
return True;
}
- p = lp_passwordserver();
-
- if (*p == 0)
- return get_dcs_1c(mem_ctx, domain, dcs, num_dcs);
+ /* try standard netbios queries first */
- while (next_token(&p, dcname, LIST_SEP, sizeof(dcname))) {
-
- if (strequal(dcname, "*")) {
- get_dcs_1c(mem_ctx, domain, dcs, num_dcs);
- continue;
- }
+ get_sorted_dc_list(domain->name, &ip_list, &iplist_size, False);
- if (!resolve_name(dcname, &ip, 0x20))
- continue;
+ /* check for security = ads and use DNS if we can */
- /* Even if we got the dcname, double check the name to use for
- * the netlogon auth2 */
+ if ( iplist_size==0 && lp_security() == SEC_ADS )
+ get_sorted_dc_list(domain->alt_name, &ip_list, &iplist_size, True);
- if (!name_status_find(domain->name, 0x1c, 0x20, ip, dcname))
- continue;
+ /* now add to the dc array. We'll wait until the last minute
+ to look up the name of the DC. But we fill in the char* for
+ the ip now in to make the failed connection cache work */
- add_one_dc_unique(mem_ctx, domain->name, dcname, ip,
- dcs, num_dcs);
+ for ( i=0; i<iplist_size; i++ ) {
+ add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip),
+ ip_list[i].ip, dcs, num_dcs);
}
+ SAFE_FREE( ip_list );
+
return True;
}
@@ -560,7 +570,7 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
struct dc_name_ip *dcs = NULL;
int num_dcs = 0;
- char **dcnames = NULL;
+ const char **dcnames = NULL;
int num_dcnames = 0;
struct sockaddr_in *addrs = NULL;
@@ -587,18 +597,25 @@ static BOOL find_new_dc(TALLOC_CTX *mem_ctx,
if ((num_dcnames == 0) || (num_dcnames != num_addrs))
return False;
- if (!open_any_socket_out(addrs, num_addrs, 10000, &fd_index, fd)) {
+ if ( !open_any_socket_out(addrs, num_addrs, 10000, &fd_index, fd) )
+ {
for (i=0; i<num_dcs; i++) {
add_failed_connection_entry(domain->name,
- dcs[i].name,
- NT_STATUS_UNSUCCESSFUL);
+ dcs[i].name, NT_STATUS_UNSUCCESSFUL);
}
return False;
}
- fstrcpy(dcname, dcnames[fd_index]);
*addr = addrs[fd_index];
+ /* if we have no name on the server or just an IP address for
+ the name, now try to get the name */
+
+ if ( is_ipaddress(dcnames[fd_index]) || *dcnames[fd_index] == '\0' )
+ dcip_to_name( domain->name, domain->alt_name, addr->sin_addr, dcname );
+ else
+ fstrcpy(dcname, dcnames[fd_index]);
+
return True;
}
@@ -883,6 +900,11 @@ void set_dc_type_and_flags( struct winbindd_domain *domain )
done:
+ DEBUG(3,("add_trusted_domain: %s is an %s %s domain\n", domain->name,
+ domain->active_directory ? "ADS" : "NT4",
+ domain->native_mode ? "native mode" :
+ ((domain->active_directory && !domain->native_mode) ? "mixed mode" : "")));
+
/* close the connection; no other calls use this pipe and it is called only
on reestablishing the domain list --jerry */
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 1f727dd18d..11da05ac3b 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -167,11 +167,6 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
sid_copy(&domain->sid, sid);
}
- DEBUG(3,("add_trusted_domain: %s is an %s %s domain\n", domain->name,
- domain->active_directory ? "ADS" : "NT4",
- domain->native_mode ? "native mode" :
- ((domain->active_directory && !domain->native_mode) ? "mixed mode" : "")));
-
/* Link to domain list */
DLIST_ADD(_domain_list, domain);