s3-winbindd: use a cli_credentials structure to hold the trust credentials

Later we can pass this down directly and have a much more sane
handling of credentials and the spnego handshake.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Change-Id: If12ef0b105d8c7af60190d4eed3c8c07849da2ca

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

1 files changed, 395 insertions, 207 deletions

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 24ff1f7f90..1604df5d2f 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -78,10 +78,11 @@
 #include "messages.h"
 #include "auth/gensec/gensec.h"
 #include "../libcli/smb/smbXcli_base.h"
-#include "lib/param/loadparm.h"
 #include "libcli/auth/netlogon_creds_cli.h"
 #include "auth.h"
 #include "rpc_server/rpc_ncacn_np.h"
+#include "auth/credentials/credentials.h"
+#include "lib/param/param.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
@@ -667,6 +668,105 @@ static void cm_get_ipc_userpass(char **username, char **domain, char **password)
 	}
 }
 
+static NTSTATUS cm_get_ipc_credentials(TALLOC_CTX *mem_ctx,
+				       struct cli_credentials **_creds)
+{
+
+	TALLOC_CTX *frame = talloc_stackframe();
+	NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
+	struct loadparm_context *lp_ctx;
+	char *username = NULL;
+	char *netbios_domain = NULL;
+	char *password = NULL;
+	struct cli_credentials *creds = NULL;
+	bool ok;
+
+	cm_get_ipc_userpass(&username, &netbios_domain, &password);
+
+	lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+	if (lp_ctx == NULL) {
+		DEBUG(1, ("loadparm_init_s3 failed\n"));
+		status = NT_STATUS_INTERNAL_ERROR;
+		goto fail;
+	}
+
+	creds = cli_credentials_init(mem_ctx);
+	if (creds == NULL) {
+		status = NT_STATUS_NO_MEMORY;
+		goto fail;
+	}
+
+	cli_credentials_set_conf(creds, lp_ctx);
+	cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
+
+	ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
+	if (!ok) {
+		status = NT_STATUS_NO_MEMORY;
+		goto fail;
+	}
+
+	ok = cli_credentials_set_username(creds, username, CRED_SPECIFIED);
+	if (!ok) {
+		status = NT_STATUS_NO_MEMORY;
+		goto fail;
+	}
+
+	ok = cli_credentials_set_password(creds, password, CRED_SPECIFIED);
+	if (!ok) {
+		status = NT_STATUS_NO_MEMORY;
+		goto fail;
+	}
+
+	*_creds = creds;
+	creds = NULL;
+	status = NT_STATUS_OK;
+ fail:
+	TALLOC_FREE(creds);
+	SAFE_FREE(username);
+	SAFE_FREE(netbios_domain);
+	SAFE_FREE(password);
+	TALLOC_FREE(frame);
+	return status;
+}
+
+static bool cm_is_ipc_credentials(struct cli_credentials *creds)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	char *ipc_account = NULL;
+	char *ipc_domain = NULL;
+	char *ipc_password = NULL;
+	const char *creds_account = NULL;
+	const char *creds_domain = NULL;
+	const char *creds_password = NULL;
+	bool ret = false;
+
+	cm_get_ipc_userpass(&ipc_account, &ipc_domain, &ipc_password);
+
+	creds_account = cli_credentials_get_username(creds);
+	creds_domain = cli_credentials_get_domain(creds);
+	creds_password = cli_credentials_get_password(creds);
+
+	if (!strequal(ipc_domain, creds_domain)) {
+		goto done;
+	}
+
+	if (!strequal(ipc_account, creds_account)) {
+		goto done;
+	}
+
+	if (!strcsequal(ipc_password, creds_password)) {
+		goto done;
+	}
+
+	ret = true;
+ done:
+	SAFE_FREE(ipc_account);
+	SAFE_FREE(ipc_domain);
+	SAFE_FREE(ipc_password);
+	TALLOC_FREE(frame);
+	return ret;
+}
+
 static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
 				     fstring dcname,
 				     struct sockaddr_storage *dc_ss)
@@ -794,65 +894,64 @@ static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
 /**
  * Helper function to assemble trust password and account name
  */
-static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
-				char **machine_password,
-				char **machine_account,
-				char **machine_krb5_principal)
+static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
+				      TALLOC_CTX *mem_ctx,
+				      struct cli_credentials **_creds)
 {
-	const char *account_name;
-	const char *name = NULL;
+	const struct winbindd_domain *creds_domain = NULL;
+	struct cli_credentials *creds;
+	NTSTATUS status;
 
 	/* If we are a DC and this is not our own domain */
 
 	if (IS_DC) {
-		name = domain->name;
+		creds_domain = domain;
 	} else {
-		struct winbindd_domain *our_domain = find_our_domain();
-
-		if (!our_domain)
-			return NT_STATUS_INVALID_SERVER_STATE;		
-
-		name = our_domain->name;		
-	}	
-
-	if (!get_trust_pw_clear(name, machine_password,
-				&account_name, NULL))
-	{
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		creds_domain = find_our_domain();
+		if (creds_domain == NULL) {
+			return NT_STATUS_INVALID_SERVER_STATE;
+		}
 	}
 
-	if ((machine_account != NULL) &&
-	    (asprintf(machine_account, "%s$", account_name) == -1))
-	{
-		return NT_STATUS_NO_MEMORY;
+	status = pdb_get_trust_credentials(creds_domain->name,
+					   creds_domain->alt_name,
+					   mem_ctx,
+					   &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto ipc_fallback;
 	}
 
-	/* For now assume our machine account only exists in our domain */
-
-	if (machine_krb5_principal != NULL)
-	{
-		struct winbindd_domain *our_domain = find_our_domain();
+	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+		cli_credentials_set_kerberos_state(creds,
+						   CRED_MUST_USE_KERBEROS);
+	}
 
-		if (!our_domain) {
-			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;			
-		}
+	if (domain->primary && lp_security() == SEC_ADS) {
+		cli_credentials_set_kerberos_state(creds,
+						   CRED_AUTO_USE_KERBEROS);
+	} else if (!domain->active_directory) {
+		cli_credentials_set_kerberos_state(creds,
+						   CRED_DONT_USE_KERBEROS);
+	}
 
-		if (our_domain->alt_name == NULL) {
-			return NT_STATUS_INVALID_PARAMETER;
-		}
+	if (creds_domain != domain) {
+		/*
+		 * We can only use schannel against a direct trust
+		 */
+		cli_credentials_set_secure_channel_type(creds,
+							SEC_CHAN_NULL);
+	}
 
-		if (asprintf(machine_krb5_principal, "%s$@%s",
-			     account_name, our_domain->alt_name) == -1)
-		{
-			return NT_STATUS_NO_MEMORY;
-		}
+	*_creds = creds;
+	return NT_STATUS_OK;
 
-		if (!strupper_m(*machine_krb5_principal)) {
-			SAFE_FREE(*machine_krb5_principal);
-			return NT_STATUS_INVALID_PARAMETER;
-		}
+ ipc_fallback:
+	status = cm_get_ipc_credentials(mem_ctx, &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
 
+	*_creds = creds;
 	return NT_STATUS_OK;
 }
 
@@ -861,22 +960,20 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
  to the pipe.
 ************************************************************************/
 
-static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
+static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 				      const int sockfd,
 				      const char *controller,
 				      struct cli_state **cli,
 				      bool *retry)
 {
-	bool try_spnego = false;
 	bool try_ipc_auth = false;
-	char *machine_password = NULL;
-	char *machine_krb5_principal = NULL;
-	char *machine_account = NULL;
-	char *ipc_username = NULL;
-	char *ipc_domain = NULL;
-	char *ipc_password = NULL;
+	const char *machine_password = NULL;
+	const char *machine_krb5_principal = NULL;
+	const char *machine_account = NULL;
+	const char *machine_domain = NULL;
 	int flags = 0;
-	uint16_t sec_mode = 0;
+	struct cli_credentials *creds = NULL;
+	enum credentials_use_kerberos krb5_state;
 
 	struct named_mutex *mutex;
 
@@ -945,59 +1042,94 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
 	if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_NT1 &&
 	    smb1cli_conn_capabilities((*cli)->conn) & CAP_EXTENDED_SECURITY) {
-		try_spnego = true;
+		try_ipc_auth = true;
 	} else if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
-		try_spnego = true;
+		try_ipc_auth = true;
+	} else if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
+		/*
+		 * If we are forcing on SMB signing, then we must
+		 * require authentication unless this is a one-way
+		 * trust, and we have no stored user/password
+		 */
+		try_ipc_auth = true;
 	}
 
-	if (!is_dc_trusted_domain_situation(domain->name) && try_spnego) {
-		result = get_trust_creds(domain, &machine_password,
-					 &machine_account,
-					 &machine_krb5_principal);
+	if (try_ipc_auth) {
+		result = get_trust_credentials(domain, talloc_tos(), &creds);
 		if (!NT_STATUS_IS_OK(result)) {
-			goto anon_fallback;
+			DEBUG(1, ("get_trust_credentials(%s) failed: %s\n",
+				  domain->name, nt_errstr(result)));
+			goto done;
+		}
+	} else {
+		/*
+		 * Without SPNEGO or NTLMSSP (perhaps via SMB2) we
+		 * would try and authentication with our machine
+		 * account password and fail.  This is very rare in
+		 * the modern world however
+		 */
+		creds = cli_credentials_init_anon(talloc_tos());
+		if (creds == NULL) {
+			result = NT_STATUS_NO_MEMORY;
+			DEBUG(1, ("cli_credentials_init_anon(%s) failed: %s\n",
+				  domain->name, nt_errstr(result)));
+			goto done;
 		}
+	}
 
-		if (lp_security() == SEC_ADS) {
+	krb5_state = cli_credentials_get_kerberos_state(creds);
 
-			/* Try a krb5 session */
+	machine_krb5_principal = cli_credentials_get_principal(creds,
+							talloc_tos());
+	if (machine_krb5_principal == NULL) {
+		krb5_state = CRED_DONT_USE_KERBEROS;
+	}
 
-			(*cli)->use_kerberos = True;
-			DEBUG(5, ("connecting to %s from %s with kerberos principal "
-				  "[%s] and realm [%s]\n", controller, lp_netbios_name(),
-				  machine_krb5_principal, domain->alt_name));
+	machine_account = cli_credentials_get_username(creds);
+	machine_password = cli_credentials_get_password(creds);
+	machine_domain = cli_credentials_get_domain(creds);
 
-			winbindd_set_locator_kdc_envs(domain);
+	if (krb5_state != CRED_DONT_USE_KERBEROS) {
 
-			result = cli_session_setup(*cli,
-						   machine_krb5_principal,
-						   machine_password,
-						   strlen(machine_password)+1,
-						   machine_password,
-						   strlen(machine_password)+1,
-						   lp_workgroup());
+		/* Try a krb5 session */
 
-			if (!NT_STATUS_IS_OK(result)) {
-				DEBUG(4,("failed kerberos session setup with %s\n",
-					nt_errstr(result)));
-			}
+		(*cli)->use_kerberos = True;
+		DEBUG(5, ("connecting to %s from %s with kerberos principal "
+			  "[%s] and realm [%s]\n", controller, lp_netbios_name(),
+			  machine_krb5_principal, domain->alt_name));
 
-			if (NT_STATUS_IS_OK(result)) {
+		winbindd_set_locator_kdc_envs(domain);
+
+		result = cli_session_setup(*cli,
+					   machine_krb5_principal,
+					   machine_password,
+					   strlen(machine_password)+1,
+					   machine_password,
+					   strlen(machine_password)+1,
+					   machine_domain);
+
+		if (NT_STATUS_IS_OK(result)) {
+			if (krb5_state != CRED_MUST_USE_KERBEROS) {
 				/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
-				result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+				result = cli_init_creds(*cli, machine_account, machine_domain, machine_password);
 				if (!NT_STATUS_IS_OK(result)) {
 					goto done;
 				}
-				goto session_setup_done;
 			}
+			goto session_setup_done;
 		}
 
+		DEBUG(4,("failed kerberos session setup with %s\n",
+			 nt_errstr(result)));
+	}
+
+	if (krb5_state != CRED_MUST_USE_KERBEROS) {
 		/* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */
 		(*cli)->use_kerberos = False;
 
-		DEBUG(5, ("connecting to %s from %s with username "
+		DEBUG(5, ("connecting to %s from %s using NTLMSSP with username "
 			  "[%s]\\[%s]\n",  controller, lp_netbios_name(),
-			  lp_workgroup(), machine_account));
+			  machine_domain, machine_account));
 
 		result = cli_session_setup(*cli,
 					   machine_account,
@@ -1005,73 +1137,137 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 					   strlen(machine_password)+1,
 					   machine_password,
 					   strlen(machine_password)+1,
-					   lp_workgroup());
+					   machine_domain);
+	}
+
+	if (NT_STATUS_IS_OK(result)) {
+		/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
+		result = cli_init_creds(*cli, machine_account, machine_domain, machine_password);
 		if (!NT_STATUS_IS_OK(result)) {
-			DEBUG(4, ("authenticated session setup failed with %s\n",
-				nt_errstr(result)));
+			goto done;
 		}
+		goto session_setup_done;
+	}
 
-		if (NT_STATUS_IS_OK(result)) {
-			/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
-			result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
-			if (!NT_STATUS_IS_OK(result)) {
-				goto done;
-			}
-			goto session_setup_done;
+	/*
+	 * If we are not going to validiate the conneciton
+	 * with SMB signing, then allow us to fall back to
+	 * anonymous
+	 */
+	if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
+	    || NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
+	    || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
+	{
+		if (cli_credentials_is_anonymous(creds)) {
+			goto done;
 		}
-	}
 
-	/* Fall back to non-kerberos session setup with auth_user */
+		if (!cm_is_ipc_credentials(creds)) {
+			goto ipc_fallback;
+		}
 
-	(*cli)->use_kerberos = False;
+		if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
+			goto done;
+		}
 
-	cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
+		goto anon_fallback;
+	}
 
-	sec_mode = smb1cli_conn_server_security_mode((*cli)->conn);
+	DEBUG(4, ("authenticated session setup failed with %s\n",
+		nt_errstr(result)));
 
-	try_ipc_auth = false;
-	if (try_spnego) {
-		try_ipc_auth = true;
-	} else if (sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
-		try_ipc_auth = true;
+	goto done;
+
+ ipc_fallback:
+	result = cm_get_ipc_credentials(talloc_tos(), &creds);
+	if (!NT_STATUS_IS_OK(result)) {
+		goto done;
 	}
 
-	if (try_ipc_auth && (strlen(ipc_username) > 0)) {
+	if (cli_credentials_is_anonymous(creds)) {
+		TALLOC_FREE(creds);
+		goto anon_fallback;
+	}
 
-		/* Only try authenticated if we have a username */
+	machine_account = cli_credentials_get_username(creds);
+	machine_password = cli_credentials_get_password(creds);
+	machine_domain = cli_credentials_get_domain(creds);
 
-		DEBUG(5, ("connecting to %s from %s with username "
-			  "[%s]\\[%s]\n",  controller, lp_netbios_name(),
-			  ipc_domain, ipc_username));
-
-		if (NT_STATUS_IS_OK(cli_session_setup(
-					    *cli, ipc_username,
-					    ipc_password, strlen(ipc_password)+1,
-					    ipc_password, strlen(ipc_password)+1,
-					    ipc_domain))) {
-			/* Successful logon with given username. */
-			result = cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
-			if (!NT_STATUS_IS_OK(result)) {
-				goto done;
-			}
-			goto session_setup_done;
-		} else {
-			DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
-				ipc_domain, ipc_username ));
+	/* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the ipc creds. */
+	(*cli)->use_kerberos = False;
+
+	DEBUG(5, ("connecting to %s from %s using NTLMSSP with username "
+		  "[%s]\\[%s]\n",  controller, lp_netbios_name(),
+		  machine_domain, machine_account));
+
+	result = cli_session_setup(*cli,
+				   machine_account,
+				   machine_password,
+				   strlen(machine_password)+1,
+				   machine_password,
+				   strlen(machine_password)+1,
+				   machine_domain);
+
+	if (NT_STATUS_IS_OK(result)) {
+		/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
+		result = cli_init_creds(*cli, machine_account, machine_domain, machine_password);
+		if (!NT_STATUS_IS_OK(result)) {
+			goto done;
 		}
+		goto session_setup_done;
 	}
 
+	/*
+	 * If we are not going to validiate the conneciton
+	 * with SMB signing, then allow us to fall back to
+	 * anonymous
+	 */
+	if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
+	    || NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
+	    || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
+	{
+		goto anon_fallback;
+	}
+
+	DEBUG(4, ("authenticated session setup failed with %s\n",
+		nt_errstr(result)));
+
+	goto done;
+
  anon_fallback:
 
+	if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
+		goto done;
+	}
+
+	creds = cli_credentials_init_anon(talloc_tos());
+	if (creds == NULL) {
+		result = NT_STATUS_NO_MEMORY;
+		goto done;
+	}
+
+	machine_account = cli_credentials_get_username(creds);
+	machine_password = cli_credentials_get_password(creds);
+	machine_domain = cli_credentials_get_domain(creds);
+
 	/* Fall back to anonymous connection, this might fail later */
 	DEBUG(10,("cm_prepare_connection: falling back to anonymous "
 		"connection for DC %s\n",
 		controller ));
 
-	result = cli_session_setup(*cli, "", NULL, 0, NULL, 0, "");
+	(*cli)->use_kerberos = False;
+
+	result = cli_session_setup(*cli,
+				   machine_account,
+				   machine_password,
+				   strlen(machine_password)+1,
+				   machine_password,
+				   strlen(machine_password)+1,
+				   machine_domain);
+
 	if (NT_STATUS_IS_OK(result)) {
 		DEBUG(5, ("Connected anonymously\n"));
-		result = cli_init_creds(*cli, "", "", "");
+		result = cli_init_creds(*cli, machine_account, machine_domain, machine_password);
 		if (!NT_STATUS_IS_OK(result)) {
 			goto done;
 		}
@@ -1094,6 +1290,13 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 		smbXcli_session_set_disconnect_expired((*cli)->smb2.session);
 	}
 
+	result = cli_tree_connect(*cli, "IPC$", "IPC", "", 0);
+
+	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
+		goto done;
+	}
+
 	/* cache the server name for later connections */
 
 	saf_store(domain->name, controller);
@@ -1103,37 +1306,13 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
 	winbindd_set_locator_kdc_envs(domain);
 
-	result = cli_tree_connect(*cli, "IPC$", "IPC", "", 0);
-
-	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
-		goto done;
-	}
-
 	TALLOC_FREE(mutex);
 	*retry = False;
 
-	/* set the domain if empty; needed for schannel connections */
-	if ( !(*cli)->domain[0] ) {
-		result = cli_set_domain((*cli), domain->name);
-		if (!NT_STATUS_IS_OK(result)) {
-			SAFE_FREE(ipc_username);
-			SAFE_FREE(ipc_domain);
-			SAFE_FREE(ipc_password);
-			return result;
-		}
-	}
-
 	result = NT_STATUS_OK;
 
  done:
 	TALLOC_FREE(mutex);
-	SAFE_FREE(machine_account);
-	SAFE_FREE(machine_password);
-	SAFE_FREE(machine_krb5_principal);
-	SAFE_FREE(ipc_username);
-	SAFE_FREE(ipc_domain);
-	SAFE_FREE(ipc_password);
 
 	if (!NT_STATUS_IS_OK(result)) {
 		winbind_add_failed_connection_entry(domain, controller, result);
@@ -2512,9 +2691,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	struct winbindd_cm_conn *conn;
 	NTSTATUS status, result;
 	struct netlogon_creds_cli_context *p_creds;
-	char *machine_password = NULL;
-	char *machine_account = NULL;
+	const char *machine_password = NULL;
+	const char *machine_account = NULL;
 	const char *domain_name = NULL;
+	struct cli_credentials *creds = NULL;
 
 	if (sid_check_is_our_sam(&domain->sid)) {
 		if (domain->rodc == false || need_rw_dc == false) {
@@ -2542,35 +2722,29 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	 * anonymous.
 	 */
 
-	if ((conn->cli->user_name[0] == '\0') ||
-	    (conn->cli->domain[0] == '\0') || 
-	    (conn->cli->password == NULL || conn->cli->password[0] == '\0'))
-	{
-		status = get_trust_creds(domain, &machine_password,
-					 &machine_account, NULL);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(10, ("cm_connect_sam: No no user available for "
-				   "domain %s, trying schannel\n", conn->cli->domain));
-			goto schannel;
-		}
-		domain_name = domain->name;
-	} else {
-		machine_password = SMB_STRDUP(conn->cli->password);
-		machine_account = SMB_STRDUP(conn->cli->user_name);
-		domain_name = conn->cli->domain;
+	result = get_trust_credentials(domain, talloc_tos(), &creds);
+	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(10, ("cm_connect_sam: No no user available for "
+			   "domain %s, trying schannel\n", conn->cli->domain));
+		goto schannel;
 	}
 
-	if (!machine_password || !machine_account) {
-		status = NT_STATUS_NO_MEMORY;
-		goto done;
+	if (cli_credentials_is_anonymous(creds)) {
+		goto anonymous;
 	}
 
-	/* We have an authenticated connection. Use a NTLMSSP SPNEGO
-	   authenticated SAMR pipe with sign & seal. */
+	machine_password = cli_credentials_get_password(creds);
+	machine_account = cli_credentials_get_username(creds);
+	domain_name = cli_credentials_get_domain(creds);
+
+	/*
+	 * We have an authenticated connection. Use a SPNEGO
+	 * authenticated SAMR pipe with sign & seal.
+	 */
 	status = cli_rpc_pipe_open_generic_auth(conn->cli,
 						&ndr_table_samr,
 						NCACN_NP,
-						CRED_DONT_USE_KERBEROS,
+						cli_credentials_get_kerberos_state(creds),
 						DCERPC_AUTH_TYPE_SPNEGO,
 						conn->auth_level,
 						smbXcli_conn_remote_name(conn->cli->conn),
@@ -2578,7 +2752,6 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 						machine_account,
 						machine_password,
 						&conn->samr_pipe);
-
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
 			  "pipe for domain %s using NTLMSSP "
@@ -2723,8 +2896,6 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
 	*cli = conn->samr_pipe;
 	*sam_handle = conn->sam_domain_handle;
-	SAFE_FREE(machine_password);
-	SAFE_FREE(machine_account);
 	return status;
 }
 
@@ -2792,6 +2963,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	struct winbindd_cm_conn *conn;
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	struct netlogon_creds_cli_context *p_creds;
+	const char *machine_password = NULL;
+	const char *machine_account = NULL;
+	const char *domain_name = NULL;
+	struct cli_credentials *creds = NULL;
 
 	result = init_dc_connection_rpc(domain, false);
 	if (!NT_STATUS_IS_OK(result))
@@ -2805,23 +2980,32 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
 	TALLOC_FREE(conn->lsa_pipe);
 
-	if ((conn->cli->user_name[0] == '\0') ||
-	    (conn->cli->domain[0] == '\0') || 
-	    (conn->cli->password == NULL || conn->cli->password[0] == '\0')) {
-		DEBUG(10, ("cm_connect_lsa: No no user available for "
+	result = get_trust_credentials(domain, talloc_tos(), &creds);
+	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(10, ("cm_connect_sam: No no user available for "
 			   "domain %s, trying schannel\n", conn->cli->domain));
 		goto schannel;
 	}
 
-	/* We have an authenticated connection. Use a NTLMSSP SPNEGO
-	 * authenticated LSA pipe with sign & seal. */
+	if (cli_credentials_is_anonymous(creds)) {
+		goto anonymous;
+	}
+
+	machine_password = cli_credentials_get_password(creds);
+	machine_account = cli_credentials_get_username(creds);
+	domain_name = cli_credentials_get_domain(creds);
+
+	/*
+	 * We have an authenticated connection. Use a SPNEGO
+	 * authenticated LSA pipe with sign & seal.
+	 */
 	result = cli_rpc_pipe_open_generic_auth
 		(conn->cli, &ndr_table_lsarpc, NCACN_NP,
-		 CRED_DONT_USE_KERBEROS,
+		 cli_credentials_get_kerberos_state(creds),
 		 DCERPC_AUTH_TYPE_SPNEGO,
 		 conn->auth_level,
 		 smbXcli_conn_remote_name(conn->cli->conn),
-		 conn->cli->domain, conn->cli->user_name, conn->cli->password,
+		 domain_name, machine_account, machine_password,
 		 &conn->lsa_pipe);
 
 	if (!NT_STATUS_IS_OK(result)) {
@@ -2971,12 +3155,12 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 	struct winbindd_cm_conn *conn;
 	NTSTATUS result;
 	enum netr_SchannelType sec_chan_type;
-	const char *_account_name;
 	const char *account_name;
-	struct samr_Password current_nt_hash;
-	struct samr_Password *previous_nt_hash = NULL;
-	struct netlogon_creds_CredentialState *creds = NULL;
-	bool ok;
+	const char *domain_name;
+	const struct samr_Password *current_nt_hash = NULL;
+	const struct samr_Password *previous_nt_hash = NULL;
+	struct netlogon_creds_CredentialState *netlogon_creds = NULL;
+	struct cli_credentials *creds = NULL;
 
 	*cli = NULL;
 
@@ -2996,28 +3180,34 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 	conn->netlogon_flags = 0;
 	TALLOC_FREE(conn->netlogon_creds);
 
-	if ((!IS_DC) && (!domain->primary)) {
-		goto no_schannel;
+	result = get_trust_credentials(domain, talloc_tos(), &creds);
+	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(10, ("cm_connect_sam: No no user available for "
+			   "domain %s, trying schannel\n", conn->cli->domain));
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
-	ok = get_trust_pw_hash(domain->name,
-			       current_nt_hash.hash,
-			       &_account_name,
-			       &sec_chan_type);
-	if (!ok) {
-		DEBUG(1, ("get_trust_pw_hash failed for %s, "
-			  "unable to get NETLOGON credentials\n",
+	if (cli_credentials_is_anonymous(creds)) {
+		DEBUG(1, ("get_trust_credential only gave anonymous for %s, unable to make get NETLOGON credentials\n",
 			  domain->name));
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
-	account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
-	if (account_name == NULL) {
+	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+	if (sec_chan_type == SEC_CHAN_NULL) {
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		goto no_schannel;
+	}
+
+	account_name = cli_credentials_get_username(creds);
+	domain_name = cli_credentials_get_domain(creds);
+	current_nt_hash = cli_credentials_get_nt_hash(creds, talloc_tos());
+	if (current_nt_hash == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	result = rpccli_create_netlogon_creds(domain->dcname,
-					      domain->name,
+					      domain_name,
 					      account_name,
 					      sec_chan_type,
 					      msg_ctx,
@@ -3027,17 +3217,15 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 		DEBUG(1, ("rpccli_create_netlogon_creds failed for %s, "
 			  "unable to create NETLOGON credentials: %s\n",
 			  domain->name, nt_errstr(result)));
-		SAFE_FREE(previous_nt_hash);
 		return result;
 	}
 
 	result = rpccli_setup_netlogon_creds(conn->cli, transport,
 					     conn->netlogon_creds,
 					     conn->netlogon_force_reauth,
-					     current_nt_hash,
+					     *current_nt_hash,
 					     previous_nt_hash);
 	conn->netlogon_force_reauth = false;
-	SAFE_FREE(previous_nt_hash);
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(1, ("rpccli_setup_netlogon_creds failed for %s, "
 			  "unable to setup NETLOGON credentials: %s\n",
@@ -3047,15 +3235,15 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 	result = netlogon_creds_cli_get(conn->netlogon_creds,
 					talloc_tos(),
-					&creds);
+					&netlogon_creds);
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(1, ("netlogon_creds_cli_get failed for %s, "
 			  "unable to get NETLOGON credentials: %s\n",
 			  domain->name, nt_errstr(result)));
 		return result;
 	}
-	conn->netlogon_flags = creds->negotiate_flags;
-	TALLOC_FREE(creds);
+	conn->netlogon_flags = netlogon_creds->negotiate_flags;
+	TALLOC_FREE(netlogon_creds);
 
  no_schannel:
 	if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {