authorAndrew Bartlett <abartlet@samba.org>2014-05-16 18:10:23 +1200
committerAndrew Bartlett <abartlet@samba.org>2014-06-11 10:18:26 +0200
commit2e961bf598e58178ce0d4ed5e35553acd882e436 (patch)
tree337771214caf5b77e926e36022249d9fce96d3c0
parent791c38282d681c60eaedb47803b9043991f5950d (diff)
winbindd: Call set_dc_type_and_flags on the internal domain
This allows the AD DC to be picked up correctly and gives the correct DNS name. To ensure no confusion, we also always init it with the full DNS name. It also means that, aside from the BUILTIN domain the initialized flag is set only in one place, which will help when we add more details to the domain structure in the future. This in turn allows kerberos authentication against winbindd on the AD DC. Andrew Bartlett Change-Id: Idc829cfe5f2e867c87107b49275b17f294821dcd Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
-rw-r--r--source3/winbindd/winbindd_cache.c6
-rw-r--r--source3/winbindd/winbindd_cm.c82
-rw-r--r--source3/winbindd/winbindd_proto.h5
-rw-r--r--source3/winbindd/winbindd_samr.c91
-rw-r--r--source3/winbindd/winbindd_util.c16
5 files changed, 87 insertions, 113 deletions
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 9c4b5bd4e82..264e75c8bdf 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -120,13 +120,15 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain)
if (domain->internal) {
domain->backend = &builtin_passdb_methods;
- domain->initialized = True;
+ }
+
+ if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
+ domain->initialized = true;
}
if (strequal(domain->name, get_global_sam_name()) &&
sid_check_is_our_sam(&domain->sid)) {
domain->backend = &sam_passdb_methods;
- domain->initialized = True;
}
if ( !domain->initialized ) {
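Review bot: The local SAM domain no longer has `initialized` set here, so it now depends on set_dc_type_and_flags() having succeeded via init_dc_connection(); if the internal pipe open fails, the domain stays uninitialized and the `if ( !domain->initialized )` branch on the last line (its body is outside the hunk) is taken on every get_cache() call, which is worth a comment at the new `dom_sid_equal` check explaining that BUILTIN is the only domain that never gets a DC-type probe. The same `dom_sid_equal(&domain->sid, &global_sid_Builtin)` test is repeated in init_dc_connection_network() and init_dc_connection() in winbindd_cm.c; a single shared helper such as `bool winbindd_is_builtin_domain(const struct winbindd_domain *domain)` would keep the three sites in step when more domains are special-cased later. get_cache() begins and ends outside the hunk.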
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index be13a57e9ea..a8ace52472e 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -80,6 +80,8 @@
#include "../libcli/smb/smbXcli_base.h"
#include "lib/param/loadparm.h"
#include "libcli/auth/netlogon_creds_cli.h"
+#include "auth.h"
+#include "rpc_server/rpc_ncacn_np.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
@@ -1607,6 +1609,47 @@ done:
return ret;
}
+NTSTATUS wb_open_internal_pipe(TALLOC_CTX *mem_ctx,
+ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **ret_pipe)
+{
+ struct rpc_pipe_client *cli = NULL;
+ const struct auth_session_info *session_info;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+
+ session_info = get_session_info_system();
+ SMB_ASSERT(session_info != NULL);
+
+ /* create a connection to the specified pipe */
+ if (lp_parm_bool(-1, "winbindd", "use external pipes", false)) {
+ status = rpc_pipe_open_interface(mem_ctx,
+ table,
+ session_info,
+ NULL,
+ winbind_messaging_context(),
+ &cli);
+ } else {
+ status = rpc_pipe_open_internal(mem_ctx,
+ &table->syntax_id,
+ session_info,
+ NULL,
+ winbind_messaging_context(),
+ &cli);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("open_internal_pipe: Could not connect to %s pipe: %s\n",
+ table->name, nt_errstr(status)));
+ return status;
+ }
+
+ if (ret_pipe) {
+ *ret_pipe = cli;
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
struct winbindd_cm_conn *new_conn)
{
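Review bot: `SMB_ASSERT(session_info != NULL)` on the get_session_info_system() result turns what the replaced open_internal_samr_pipe()/open_internal_lsa_pipe() helpers in winbindd_samr.c reported as an NTSTATUS error into a process abort, and both of their callers now inherit that; unless get_session_info_system() is guaranteed non-NULL once winbindd is up (it looks like a cached-pointer accessor, but that is not visible here), `if (session_info == NULL) { return status; }` keeps the failure recoverable since `status` is already initialised to NT_STATUS_UNSUCCESSFUL. The DEBUG(0) text names `open_internal_pipe:` while the function is `wb_open_internal_pipe`; `DEBUG(0, ("%s: Could not connect to %s pipe: %s\n", __func__, table->name, nt_errstr(status)));` keeps the log line greppable back to the source. As a newly exported function it should carry a header comment stating that on success `*ret_pipe` is talloc'd on `mem_ctx` (presumably, since that is the context both open calls receive) and that a NULL `ret_pipe` leaves the opened pipe reachable only through `mem_ctx`. The double blank line after the declarations can go.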
@@ -1893,12 +1936,12 @@ static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
NTSTATUS result;
/* Internal connections never use the network. */
- if (domain->internal) {
- domain->initialized = True;
- return NT_STATUS_OK;
+ if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
- if (connection_ok(domain)) {
+ /* Still ask the internal LSA and SAMR server about the local domain */
+ if (domain->internal || connection_ok(domain)) {
if (!domain->initialized) {
set_dc_type_and_flags(domain);
}
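Review bot: For an internal domain the new `domain->internal || connection_ok(domain)` branch calls set_dc_type_and_flags(), but nothing in the hunk checks whether it actually set `domain->initialized`; what follows in init_dc_connection_network() (the function continues past the hunk) decides whether an internal domain whose dssetup/lsarpc pipe could not be opened then drops into the network-connection path that the retained comment says internal connections never use. If that path is not meant to be reachable for internal domains, an explicit `if (domain->internal) { return domain->initialized ? NT_STATUS_OK : NT_STATUS_CANT_ACCESS_DOMAIN_INFO; }` after the call would preserve the old guarantee. The BUILTIN short-circuit added here and in init_dc_connection() in the next hunk is the same test written twice; a shared helper would avoid the two drifting apart.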
@@ -1918,7 +1961,7 @@ static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
NTSTATUS init_dc_connection(struct winbindd_domain *domain)
{
- if (domain->internal) {
+ if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
@@ -2081,7 +2124,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
union dssetup_DsRoleInfo info;
union lsa_PolicyInformation *lsa_info = NULL;
- if (!connection_ok(domain)) {
+ if (!domain->internal && !connection_ok(domain)) {
return;
}
@@ -2094,9 +2137,15 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
- status = cli_rpc_pipe_open_noauth(domain->conn.cli,
- &ndr_table_dssetup,
- &cli);
+ if (domain->internal) {
+ status = wb_open_internal_pipe(mem_ctx,
+ &ndr_table_dssetup,
+ &cli);
+ } else {
+ status = cli_rpc_pipe_open_noauth(domain->conn.cli,
+ &ndr_table_dssetup,
+ &cli);
+ }
if (!NT_STATUS_IS_OK(status)) {
DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
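Review bot: `mem_ctx` becomes the talloc parent of the internal pipe, but it is not declared inside this hunk, so its lifetime relative to `cli` is not visible; if it is a function-local context freed at the end of set_dc_type_and_flags_connect(), the pipe goes away with it, whereas the cli_rpc_pipe_open_noauth() pipe in the else branch presumably hangs off `domain->conn.cli` — confirm that whatever later releases `cli` (outside the hunk) is correct for both owners. The identical two-branch open is repeated for lsarpc in the following hunk; factoring it into one static helper keeps the two call sites from diverging and gives the ownership rule a single place to be documented.

```c
/* Open TABLE against the local RPC server for the internal domain,
 * otherwise over the existing DC connection. On success *cli is
 * talloc'd on mem_ctx (internal) or owned by domain->conn.cli (DC) —
 * confirm against the two open functions. */
static NTSTATUS open_dc_type_pipe(struct winbindd_domain *domain,
				  TALLOC_CTX *mem_ctx,
				  const struct ndr_interface_table *table,
				  struct rpc_pipe_client **cli)
{
	if (domain->internal) {
		return wb_open_internal_pipe(mem_ctx, table, cli);
	}
	return cli_rpc_pipe_open_noauth(domain->conn.cli, table, cli);
}

/* … in set_dc_type_and_flags_connect(): … */
	status = open_dc_type_pipe(domain, mem_ctx, &ndr_table_dssetup, &cli);
/* … unchanged: dssetup role query and error handling … */
no_dssetup:
	status = open_dc_type_pipe(domain, mem_ctx, &ndr_table_lsarpc, &cli);
```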
@@ -2145,9 +2194,14 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
}
no_dssetup:
- status = cli_rpc_pipe_open_noauth(domain->conn.cli,
- &ndr_table_lsarpc, &cli);
-
+ if (domain->internal) {
+ status = wb_open_internal_pipe(mem_ctx,
+ &ndr_table_lsarpc,
+ &cli);
+ } else {
+ status = cli_rpc_pipe_open_noauth(domain->conn.cli,
+ &ndr_table_lsarpc, &cli);
+ }
if (!NT_STATUS_IS_OK(status)) {
DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
"PI_LSARPC on domain %s: (%s)\n",
@@ -2267,9 +2321,9 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
{
/* we always have to contact our primary domain */
- if ( domain->primary ) {
+ if ( domain->primary || domain->internal) {
DEBUG(10,("set_dc_type_and_flags: setting up flags for "
- "primary domain\n"));
+ "primary or internal domain\n"));
set_dc_type_and_flags_connect( domain );
return;
}
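Review bot: The condition `if ( domain->primary || domain->internal)` mixes the file's padded-paren style with an unpadded close; write it `if ( domain->primary || domain->internal )` to match the surrounding code. The comment above it still reads "we always have to contact our primary domain" although internal domains now take the same path; `/* we always have to contact our primary domain; the internal domain is answered by the local RPC server */` would agree with the updated DEBUG text.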
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 33a70821b1f..65553f70ed2 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -163,6 +163,11 @@ void winbind_msg_domain_online(struct messaging_context *msg_ctx,
void set_domain_offline(struct winbindd_domain *domain);
void set_domain_online_request(struct winbindd_domain *domain);
+
+struct ndr_interface_table;
+NTSTATUS wb_open_internal_pipe(TALLOC_CTX *mem_ctx,
+ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **ret_pipe);
void invalidate_cm_connection(struct winbindd_cm_conn *conn);
void close_conns_after_fork(void);
NTSTATUS init_dc_connection(struct winbindd_domain *domain);
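Review bot: The forward declaration `struct ndr_interface_table;` is dropped between two unrelated prototypes; headers conventionally place such incomplete-type declarations at the top so they are found by the next reader and not declared again lower down. The prototype would also benefit from a one-line comment on ownership, e.g. `/* On success *ret_pipe is talloc'd on mem_ctx; caller frees via mem_ctx. */`, since the winbindd_samr.c callers now rely on that contract instead of their own local helpers.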
diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
index 8a717008086..888ce648a4e 100644
--- a/source3/winbindd/winbindd_samr.c
+++ b/source3/winbindd/winbindd_samr.c
@@ -39,50 +39,6 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
-static NTSTATUS open_internal_samr_pipe(TALLOC_CTX *mem_ctx,
- struct rpc_pipe_client **samr_pipe)
-{
- struct rpc_pipe_client *cli = NULL;
- struct auth_session_info *session_info = NULL;
- NTSTATUS status;
-
- status = make_session_info_system(mem_ctx, &session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("open_samr_pipe: Could not create auth_session_info: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- /* create a samr connection */
- if (lp_parm_bool(-1, "winbindd", "use external pipes", false)) {
- status = rpc_pipe_open_interface(mem_ctx,
- &ndr_table_samr,
- session_info,
- NULL,
- winbind_messaging_context(),
- &cli);
- } else {
- status = rpc_pipe_open_internal(mem_ctx,
- &ndr_table_samr.syntax_id,
- session_info,
- NULL,
- winbind_messaging_context(),
- &cli);
- }
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("open_samr_pipe: Could not connect to samr_pipe: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- if (samr_pipe) {
- *samr_pipe = cli;
- }
-
- return NT_STATUS_OK;
-}
-
NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
struct winbindd_domain *domain,
struct rpc_pipe_client **samr_pipe,
@@ -92,7 +48,7 @@ NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
struct policy_handle samr_connect_hnd;
struct dcerpc_binding_handle *b;
- status = open_internal_samr_pipe(mem_ctx, samr_pipe);
+ status = wb_open_internal_pipe(mem_ctx, &ndr_table_samr, samr_pipe);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -124,56 +80,13 @@ NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
return result;
}
-static NTSTATUS open_internal_lsa_pipe(TALLOC_CTX *mem_ctx,
- struct rpc_pipe_client **lsa_pipe)
-{
- struct rpc_pipe_client *cli = NULL;
- struct auth_session_info *session_info = NULL;
- NTSTATUS status;
-
- status = make_session_info_system(mem_ctx, &session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("open_lsa_pipe: Could not create auth_session_info: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- /* create a lsa connection */
- if (lp_parm_bool(-1, "winbindd", "use external pipes", false)) {
- status = rpc_pipe_open_interface(mem_ctx,
- &ndr_table_lsarpc,
- session_info,
- NULL,
- winbind_messaging_context(),
- &cli);
- } else {
- status = rpc_pipe_open_internal(mem_ctx,
- &ndr_table_lsarpc.syntax_id,
- session_info,
- NULL,
- winbind_messaging_context(),
- &cli);
- }
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("open_lsa_pipe: Could not connect to lsa_pipe: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- if (lsa_pipe) {
- *lsa_pipe = cli;
- }
-
- return NT_STATUS_OK;
-}
-
static NTSTATUS open_internal_lsa_conn(TALLOC_CTX *mem_ctx,
struct rpc_pipe_client **lsa_pipe,
struct policy_handle *lsa_hnd)
{
NTSTATUS status;
- status = open_internal_lsa_pipe(mem_ctx, lsa_pipe);
+ status = wb_open_internal_pipe(mem_ctx, &ndr_table_lsarpc, lsa_pipe);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index a00fe14e85c..4e8ab92c00a 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -576,11 +576,7 @@ enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domai
fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
}
- if (domain->internal) {
- domain->initialized = true;
- } else {
- init_dc_connection(domain);
- }
+ init_dc_connection(domain);
if (!domain->initialized) {
/* If we return error here we can't do any cached authentication,
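Review bot: With the `domain->internal` shortcut removed, the BUILTIN domain reaches init_dc_connection() here, which now returns NT_STATUS_CANT_ACCESS_DOMAIN_INFO before anything sets `domain->initialized`; BUILTIN's flag is only set in get_cache() (winbindd_cache.c hunk), so unless that has already run for this domain in the child process, the `if (!domain->initialized)` check that follows (its body is outside the hunk) fails for BUILTIN where it previously passed. If that ordering is not guaranteed, keep the case explicit: `if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) { domain->initialized = true; } else { init_dc_connection(domain); }`. Discarding the NTSTATUS is unchanged behaviour, but `(void)init_dc_connection(domain);` would match the `(void)add_trusted_domain(...)` style used elsewhere in this file.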
@@ -621,9 +617,13 @@ bool init_domain_list(void)
/* Local SAM */
- (void)add_trusted_domain(get_global_sam_name(), NULL,
- &cache_methods, get_global_sam_sid());
-
+ if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
+ (void)add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
+ &cache_methods, get_global_sam_sid());
+ } else {
+ (void)add_trusted_domain(get_global_sam_name(), NULL,
+ &cache_methods, get_global_sam_sid());
+ }
/* Add ourselves as the first entry. */
if ( role == ROLE_DOMAIN_MEMBER ) {
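Review bot: The two add_trusted_domain() calls differ only in the alt_name argument, so the branch can collapse to `const char *alt_name = (role == ROLE_ACTIVE_DIRECTORY_DC) ? lp_dnsdomain() : NULL;` followed by a single `(void)add_trusted_domain(get_global_sam_name(), alt_name, &cache_methods, get_global_sam_sid());`, which keeps any later change to the remaining arguments in one place. The commit message says the local SAM is always initialised with the full DNS name on the AD DC; if lp_dnsdomain() can return an empty string in that role (not visible here), it is worth confirming that add_trusted_domain() treats "" like NULL rather than registering an empty alternate name. `role` is assigned before the hunk, and init_domain_list() continues past it.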