summaryrefslogtreecommitdiff
path: root/source3/winbindd/winbindd_cm.c
AgeCommit message (Collapse)AuthorFilesLines
2008-08-22winbindd: Fix crash in cm_connect_sam()Gerald (Jerry) Carter1-2/+7
Fix segv when talking to parent DC (joined to child domain). The root cause was (a) storing the parent domain in the cli_state struct caused the NTLMSSP pipe bind to fail which made us fallover to the schannel code path (b) the dcinfo pointer in cm_get_schannel_dcinfo() was returning NULL even though the function indicated success. (This used to be commit 5ce4a2ae6697970ea37d0078a506615b4b7a9a9c)
2008-08-20Here is a re-working of the winbinddJeremy Allison1-8/+31
reconnect code to cope with rebooting a DC. This replaces the code I asked Volker to revert. The logic is pretty simple. It adds a new parameter, "winbind reconnect delay", set to 30 seconds by default, which determines how long to wait between connection attempts. To avoid overwhelming the box with DC-probe forked children, the code now keeps track of the DC probe child per winbindd_domain struct and only starts a new one if the existing one has died. I also added a little logic to make sure the dc probe child always sends a message whatever the reason for exit so we will always reschedule another connect attempt. Also added documentation. Jeremy. (This used to be commit 8027197635b988b3dcf9d3d00126a024e768fa62)
2008-08-14Revert "Add winbind:online check timeout parameter"Volker Lendecke1-16/+0
This reverts commit 9920473cc165e75ee9aa5cbb9e568eb5fb67e9e6. (This used to be commit 34a32db9060e7b60455774f923f61b7367ee3fcf)
2008-08-13Add winbind:online check timeout parameterVolker Lendecke1-0/+16
This is a band-aid for the rather convoluted offline/online mess in winbind right now. Winbind re-uses the offline functionality that is targeted at domain client installations on laptops to not overload disfunctional DCs. It uses the winbind cache timeout as the retry timeout after a DC reboot. I am using a parametric options because when this mess is cleaned up, that parameter needs to go away again. I'd recommend to use something like winbind:online check timeout = 30 in typical LAN environments. This means a reconnect is attempted every 30 seconds. Volker (This used to be commit 9920473cc165e75ee9aa5cbb9e568eb5fb67e9e6)
2008-08-06fixed a fd leak when trying to regain contact to a domain controllerAndrew Tridgell1-0/+1
in winbind When a w2k3 DC is rebooted the 139/445 ports come up before the udp/389 cldap port. During this brief period, winbind manages to connect to 139/445 but not to udp 389. It then enters a tight loop where it leaks one fd each time. In a couple of seconds it runs out of file descriptors, and leaves winbind crippled after the DC does finally come up (This used to be commit 57187cafbcc053e75bb54750494df9feabe3a738)
2008-07-20Refactoring: Change calling conventions for cli_rpc_pipe_open_schannel_with_keyVolker Lendecke1-16/+14
Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit 78e9c937ff2d2e1b70cfed4121e17feb6efafda1)
2008-07-20Refactoring: Change calling conventions for cli_rpc_pipe_open_ntlmsspVolker Lendecke1-11/+14
Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit a13f0599551609394904b99e4014d580ec65c506)
2008-07-20Refactoring: Change calling conventions for cli_rpc_pipe_open_noauthVolker Lendecke1-15/+18
Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit 9abc9dc4dc13bd3e42f98eff64eacf24b51f5779)
2008-06-27libads: Add API call to connect to a global catalog server.Gerald W. Carter1-2/+4
Extends ads_connect() to a new call ads_connect_gc() which connects on port 3268 rather than port 389. Also makes ads_try_connect() static and only used internally to ldap.c (This used to be commit f4c37dbe2c986fb7bfe510cdff3b4a9fbc06d079)
2008-06-17Revert "Fix a memleak caused by a crappy get_sorted_dc_list() API"Volker Lendecke1-14/+1
This reverts commit 2ea03a1e95a30e321e390bef9408a1215711de07. (This used to be commit 80c2e8295a00c3d88372b55b81d03b455feb69b2)
2008-06-08Bugfix noticed by Herb. On using the again: tag as aJeremy Allison1-0/+15
goto target we were not reinitializing the array counts. From Herb: This is in the file nsswitch/winbindd_cm.c (samba-3.0.30) line 1236 We have a label again: where we keep trying to find the name of the DC from the list of IPs returned by get_dcs. If we fail to figure out the name we do a goto again at the end of the function. The problem is we don't reset the num_dcs, num_addrs, etc and free the memory in the various arrays. This seems wrong to me. I have a winbindd core where I have 9 IPs returned for the DCs but at the time of the crash num_dcs is 87 and if I look through the array dcs it keeps repeating entries from the same group of 9 Jerry, Volker and Guenther please check. Jeremy. (This used to be commit 15f464321a7c71a86b747918343746050d286655)
2008-06-05Fix a memleak caused by a crappy get_sorted_dc_list() APIVolker Lendecke1-1/+14
(This used to be commit 2ea03a1e95a30e321e390bef9408a1215711de07)
2008-06-03winbindd_cm: Replace the use of lp_realm() with our_domain->alt_name.Gerald W. Carter1-1/+7
Reduce the use of config parameters with run time information after discussion with Guenther. (This used to be commit 57d596395db287301eefd34e62c9aaf857c34c69)
2008-05-26winbind: correctly omit check for trusted domain support in ↵Michael Adam1-1/+1
cm_prepare_connection when checking for a trusted domain situation. This is how it was meant to be: Otherwise, with a dc-trusted-domain situation but trusted domains disabled, we would attempt to do a session setup and fail (wouldn't even get a trust password). Michael (This used to be commit a5a51ca8e5971992d9b060d66201b808bd2b7a53)
2008-05-23Manually merge Steven Danneman's patch for SPNEGO auth to a trustedGerald W. Carter1-5/+7
Win2008 domain (merged from v3-0-test). commit 8dc4e979776aae0ecaa74b51dc1eac78a7631405 Author: Steven Danneman <sdanneman@isilon.com> Date: Wed May 7 13:34:26 2008 -0700 spnego SPN fix when contacting trusted domains cli_session_setup_spnego() was not taking into consideration the situation where we're connecting to a trusted domain, specifically one (like W2K8) which doesn't return a SPN in the NegTokenInit. This caused two problems: 1) When guessing the SPN using kerberos_get_default_realm_from_ccache() we were always using our default realm, not the realm of the domain we're connecting to. 2) When falling back on NTLMSSP for authentication we were passing the name of the domain we're connecting to for use in our credentials when we should be passing our own workgroup name. The fix for both was to split the single "domain" parameter into "user_domain" and "dest_realm" parameters. We use the "user_domain" parameter to pass into the NTLM call, and we used "dest_realm" to create an SPN if none was returned in the NegTokenInit2 packet. If no "dest_realm" is provided we assume we're connecting to our own domain and use the credentials cache to build the SPN. Since we have a reasonable guess at the SPN, I removed the check that defaults us directly to NTLM when negHint is empty. (This used to be commit b78b14c88e8354aadf9ba7644bdb1c29245fe419)
2008-05-23Manually port Steven Dannenman fix for using the correct machine domain whenGerald W. Carter1-3/+3
looking up trust credentials in our tdb. commit fd0ae47046d37ec8297396a2733209c4d999ea91 Author: Steven Danneman <sdanneman@isilon.com> Date: Thu May 8 13:34:49 2008 -0700 Use machine account and machine password from our domain when contacting trusted domains. (This used to be commit 69b37ae60757075a0712149c5f97f17ee22c2e41)
2008-05-09Use strip_hostname after dsgetdcname/getdcname calls.Günther Deschner1-7/+1
Guenther (This used to be commit 82cbb3269b2e764c9c2a2fbcbe9c29feae07fb62)
2008-05-09dsgetdcname: mailslot replies are identical to the cldap ones, use cldap ↵Günther Deschner1-0/+1
everywhere. Guenther (This used to be commit fe904ee77a7fec1674e9db660978c40c17897f77)
2008-05-06mailslot/cldap: use nt_version bits in queries.Günther Deschner1-1/+3
Guenther (This used to be commit b261f063125f8454d8f4e8f6b6f8aa5bc393ea34)
2008-04-24mailslot: allow to give back struct nbt_ntlogon_packet.Günther Deschner1-1/+2
Guenther (This used to be commit 2b178dcae608ecc05f62593a7a0c2a127b8b7ca2)
2008-04-24mailslot: allow to define nt_version in send_getdc_request().Günther Deschner1-1/+1
Guenther (This used to be commit ce3728191b23badfd5eb92701e4cebf84273b61e)
2008-04-23Fix CLEAR_IF_FIRST handling of messages.tdbVolker Lendecke1-1/+1
We now open messages.tdb even before we do the become_daemon. become_daemon() involves a fork and an immediate exit of the parent, thus the parent_is_longlived argument must be set to false in this case. The parent is not really long lived :-) (This used to be commit 4f4781c6d17fe2db34dd5945fec52a7685448aec)
2008-04-21cldap: avoid duplicate definitions so remove ads_cldap.h.Günther Deschner1-1/+1
Guenther (This used to be commit 538eefe22ad69540b9f73ffaa613d6be045de199)
2008-04-21winbind: pass down existing talloc context.Günther Deschner1-5/+6
Guenther (This used to be commit 675bf42cfff89b05f21d77ca74eba20c4a24d44c)
2008-04-21winbind: Use libnbt for NTLOGON SAMLOGON mailslot request and reply.Günther Deschner1-1/+3
Guenther (This used to be commit 2d6a1c5da64195784b0b102edb268356a24d84b5)
2008-04-20Replace cli_rpc_pipe_close by a talloc destructor on rpc_pipe_structVolker Lendecke1-29/+23
(This used to be commit 99fc3283c4ecc791f5a242bd1983b4352ce3e6cf)
2008-04-20Introduce rpccli_set_timeout()Volker Lendecke1-2/+2
Reduce dependency on "cli" member of rpc_pipe_client struct (This used to be commit 2e4c1ba38963cffe4c3f25ab24bc28975f2fc291)
2008-04-20Add "desthost" to rpc_pipe_clientVolker Lendecke1-4/+4
This reduces the dependency on cli_state (This used to be commit 783afab9c891dd7bcb78895b2a639b6f3a0edf5b)
2008-04-18winbindd: call reinit_after_fork() in the child processesStefan Metzmacher1-3/+2
metze (This used to be commit 8e9fdef792e612e414444e7714a2fd4513892248)
2008-04-17Move GETDC mailslot out of winbindd.Günther Deschner1-162/+2
Guenther (This used to be commit b003ba65e34bb92bf71a7943957715cd7acbcce0)
2008-04-10Also accept 0x15 getdc repliesVolker Lendecke1-19/+22
My NT4SP6 which my DC here trusts sends 0x15 instead of 0x13, from looking at the sniff at least the DC name is at the same place. (This used to be commit 79bc6796b81395d591fc6ef389f153dd981fe68b)
2008-04-09Try anonymous session setupVolker Lendecke1-1/+3
... if there's no trust password Attempt to fix bug 5350 (This used to be commit 99f6b63f3c637457fdda7ed930c6666171b25b61)
2008-04-02Fix NETLOGON credential chain with Windows 2008 all over the place.Günther Deschner1-5/+1
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8 netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate flags everywhere (not only when running in security=ads). Only for NT4 we need to do a downgrade to the returned negotiate flags. Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6. Guenther (This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0)
2008-03-31Fix enumeration of forest trusts from our root domain.Gerald W. Carter1-1/+1
Do not overwrite the domain->domain_flags when setting infomation in set_dc_type_and_flags_connect(). (This used to be commit 3414eac439b731ad7204b821ddc4fec54fe4435d)
2008-03-26Fix winbind NETLOGON cred chain on a samba dc for w2k8 trusts.Günther Deschner1-1/+5
Guenther (This used to be commit 2586dc34e0f72204749f5bf10c8135cd3a753a42)
2008-03-19Merge dd9e0bea31751 from 3-0-ctdb -- use NetSamLogonEx when possibleVolker Lendecke1-0/+10
NetSamLogonEx has the advantage that it does not use the credential chain (This used to be commit cfceb063f559f8549b8f24ce347be213c89303b0)
2008-03-10Use a separate tdb for mutexesVolker Lendecke1-11/+6
Another preparation to convert secrets.c to dbwrap: The dbwrap API does not provide a sane tdb_lock_with_timeout abstraction. In the clustered case the DC mutex is needed per-node anyway, so it is perfectly fine to use a local mutex only. (This used to be commit f94a63cd8f94490780ad9331da229c0bcb2ca5d6)
2008-02-08Use rpccli_netr_DsRGetDCName() in rpcclient and winbindd.Günther Deschner1-12/+13
Guenther (This used to be commit 4f3e97cbae3df8e12db37b8a8a0eaee947fa723a)
2008-02-08Use rpccli_lsa_QueryInfoPolicy() all over the place.Günther Deschner1-14/+17
Guenther (This used to be commit ce22abcea3446e4ad42e8e04654b9855b173c5a1)
2008-02-08Use rpccli_lsa_QueryInfoPolicy2 in winbindd.Günther Deschner1-16/+19
Guenther (This used to be commit ccf79cfa88c7f3a10d191f8f0eedb9d421c65f6c)
2008-02-07Use rpccli_netr_GetAnyDCName and rpccli_netr_GetDCName everywhere.Günther Deschner1-12/+18
Guenther (This used to be commit 8abeea9922ac09e7307730ee7695453718356873)
2008-02-04Use rpccli_samr_Connect2() all over the place.Günther Deschner1-12/+15
Guenther (This used to be commit bdf8d562621e1a09bf83e2009dec24966e7fdf22)
2008-02-01Use rpccli_samr_OpenDomain() all over the place.Günther Deschner1-6/+6
Guenther (This used to be commit e4e9d72724d547e1405b2ed4cec509d50ec88c8d)
2008-01-29Remove include/rpc_ds.h and all references to it completly.Günther Deschner1-6/+6
Jerry, please have a look if you're fine with that. Guenther (This used to be commit beae25c808a3a03d645f247e9befcd05e3ecca2c)
2008-01-29Use pidl generated call to enumerate ds trusted domains in winbindd.Günther Deschner1-12/+19
Guenther (This used to be commit 3a3c1aed9bfc681457aa06f706fc6fe2d9b2e903)
2008-01-25Use the correct domain name when looking up the trust password.Gerald W. Carter1-1/+15
On a DC, we always use the domain name given. On a domain member, we use lp_workgroup(). This fixes a bug supporting trusted domains. (This used to be commit 8b063a414149bdf401a8f854d55ed7dc6f94cb60)
2008-01-25Use generated DSSETUP client & server rpc functions and remove the ↵Günther Deschner1-15/+16
hand-written ones. Guenther (This used to be commit d5ebfccebb1f1b56b45673a506fcdb414103c43b)
2008-01-23Windows 2008 (Longhorn) auth2 flag fixes.Andreas Schneider1-1/+1
Interop fixes for AD specific flags. Original patch from Todd Stetcher. (This used to be commit 5aadfcdaacd6f136eab9e107a88b8544e6d2105f)
2008-01-23Fix get_trust_creds() to return always an upper-cased krb5 principal (thisGünther Deschner1-4/+8
fixes winbind krb5 session at least with heimdal). Guenther (This used to be commit 9cf3a98eacea2dd07f89245f147e002b3f49482e)
2008-01-20Fix a segfaultVolker Lendecke1-3/+10
Pointed out by Steven Danneman on irc, thanks! Jerry, Günther, please check! (This used to be commit 9e71c89ac648040739ef2161a2e6c4299be1e35b)