1/* 2 Unix SMB/CIFS implementation. 3 4 Winbind daemon connection manager 5 6 Copyright (C) Tim Potter 2001 7 Copyright (C) Andrew Bartlett 2002 8 Copyright (C) Gerald Carter 2003 9 10 This program is free software; you can redistribute it and/or modify 11 it under the terms of the GNU General Public License as published by 12 the Free Software Foundation; either version 3 of the License, or 13 (at your option) any later version. 14 15 This program is distributed in the hope that it will be useful, 16 but WITHOUT ANY WARRANTY; without even the implied warranty of 17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 GNU General Public License for more details. 19 20 You should have received a copy of the GNU General Public License 21 along with this program. If not, see <http://www.gnu.org/licenses/>. 22*/ 23 24 25#include "includes.h" 26 27/********************************************************************** 28 Is this our primary domain ? 29**********************************************************************/ 30 31#ifdef HAVE_KRB5 32static bool is_our_primary_domain(const char *domain) 33{ 34 int role = lp_server_role(); 35 36 if ((role == ROLE_DOMAIN_MEMBER) && strequal(lp_workgroup(), domain)) { 37 return True; 38 } else if (strequal(get_global_sam_name(), domain)) { 39 return True; 40 } 41 return False; 42} 43#endif 44 45/************************************************************************** 46 Find the name and IP address for a server in the realm/domain 47 *************************************************************************/ 48 49static bool ads_dc_name(const char *domain, 50 const char *realm, 51 struct sockaddr_storage *dc_ss, 52 fstring srv_name) 53{ 54 ADS_STRUCT *ads; 55 char *sitename; 56 int i; 57 char addr[INET6_ADDRSTRLEN]; 58 59 if (!realm && strequal(domain, lp_workgroup())) { 60 realm = lp_realm(); 61 } 62 63 sitename = sitename_fetch(realm); 64 65 /* Try this 3 times then give up. */ 66 for( i =0 ; i < 3; i++) { 67 ads = ads_init(realm, domain, NULL); 68 if (!ads) { 69 SAFE_FREE(sitename); 70 return False; 71 } 72 73 DEBUG(4,("ads_dc_name: domain=%s\n", domain)); 74 75#ifdef HAVE_ADS 76 /* we don't need to bind, just connect */ 77 ads->auth.flags |= ADS_AUTH_NO_BIND; 78 ads_connect(ads); 79#endif 80 81 if (!ads->config.realm) { 82 SAFE_FREE(sitename); 83 ads_destroy(&ads); 84 return False; 85 } 86 87 /* Now we've found a server, see if our sitename 88 has changed. If so, we need to re-do the DNS query 89 to ensure we only find servers in our site. */ 90 91 if (stored_sitename_changed(realm, sitename)) { 92 SAFE_FREE(sitename); 93 sitename = sitename_fetch(realm); 94 ads_destroy(&ads); 95 /* Ensure we don't cache the DC we just connected to. */ 96 namecache_delete(realm, 0x1C); 97 namecache_delete(domain, 0x1C); 98 continue; 99 } 100 101#ifdef HAVE_KRB5 102 if (is_our_primary_domain(domain) && (ads->config.flags & NBT_SERVER_KDC)) { 103 if (ads_closest_dc(ads)) { 104 /* We're going to use this KDC for this realm/domain. 105 If we are using sites, then force the krb5 libs 106 to use this KDC. */ 107 108 create_local_private_krb5_conf_for_domain(realm, 109 domain, 110 sitename, 111 &ads->ldap.ss, 112 ads->config.ldap_server_name); 113 } else { 114 create_local_private_krb5_conf_for_domain(realm, 115 domain, 116 NULL, 117 &ads->ldap.ss, 118 ads->config.ldap_server_name); 119 } 120 } 121#endif 122 break; 123 } 124 125 if (i == 3) { 126 DEBUG(1,("ads_dc_name: sitename (now \"%s\") keeps changing ???\n", 127 sitename ? sitename : "")); 128 SAFE_FREE(sitename); 129 return False; 130 } 131 132 SAFE_FREE(sitename); 133 134 fstrcpy(srv_name, ads->config.ldap_server_name); 135 strupper_m(srv_name); 136#ifdef HAVE_ADS 137 *dc_ss = ads->ldap.ss; 138#else 139 zero_sockaddr(dc_ss); 140#endif 141 ads_destroy(&ads); 142 143 print_sockaddr(addr, sizeof(addr), dc_ss); 144 DEBUG(4,("ads_dc_name: using server='%s' IP=%s\n", 145 srv_name, addr)); 146 147 return True; 148} 149 150/**************************************************************************** 151 Utility function to return the name of a DC. The name is guaranteed to be 152 valid since we have already done a name_status_find on it 153 ***************************************************************************/ 154 155static bool rpc_dc_name(const char *domain, 156 fstring srv_name, 157 struct sockaddr_storage *ss_out) 158{ 159 struct ip_service *ip_list = NULL; 160 struct sockaddr_storage dc_ss; 161 int count, i; 162 NTSTATUS result; 163 char addr[INET6_ADDRSTRLEN]; 164 165 /* get a list of all domain controllers */ 166 167 if (!NT_STATUS_IS_OK(get_sorted_dc_list(domain, NULL, &ip_list, &count, 168 False))) { 169 DEBUG(3, ("Could not look up dc's for domain %s\n", domain)); 170 return False; 171 } 172 173 /* Remove the entry we've already failed with (should be the PDC). */ 174 175 for (i = 0; i < count; i++) { 176 if (is_zero_addr((struct sockaddr *)&ip_list[i].ss)) 177 continue; 178 179 if (name_status_find(domain, 0x1c, 0x20, &ip_list[i].ss, srv_name)) { 180 result = check_negative_conn_cache( domain, srv_name ); 181 if ( NT_STATUS_IS_OK(result) ) { 182 dc_ss = ip_list[i].ss; 183 goto done; 184 } 185 } 186 } 187 188 SAFE_FREE(ip_list); 189 190 /* No-one to talk to )-: */ 191 return False; /* Boo-hoo */ 192 193 done: 194 /* We have the netbios name and IP address of a domain controller. 195 Ideally we should sent a SAMLOGON request to determine whether 196 the DC is alive and kicking. If we can catch a dead DC before 197 performing a cli_connect() we can avoid a 30-second timeout. */ 198 199 print_sockaddr(addr, sizeof(addr), &dc_ss); 200 DEBUG(3, ("rpc_dc_name: Returning DC %s (%s) for domain %s\n", srv_name, 201 addr, domain)); 202 203 *ss_out = dc_ss; 204 SAFE_FREE(ip_list); 205 206 return True; 207} 208 209/********************************************************************** 210 wrapper around ads and rpc methods of finds DC's 211**********************************************************************/ 212 213bool get_dc_name(const char *domain, 214 const char *realm, 215 fstring srv_name, 216 struct sockaddr_storage *ss_out) 217{ 218 struct sockaddr_storage dc_ss; 219 bool ret; 220 bool our_domain = False; 221 222 zero_sockaddr(&dc_ss); 223 224 ret = False; 225 226 if ( strequal(lp_workgroup(), domain) || strequal(lp_realm(), realm) ) 227 our_domain = True; 228 229 /* always try to obey what the admin specified in smb.conf 230 (for the local domain) */ 231 232 if ( (our_domain && lp_security()==SEC_ADS) || realm ) { 233 ret = ads_dc_name(domain, realm, &dc_ss, srv_name); 234 } 235 236 if (!domain) { 237 /* if we have only the realm we can't do anything else */ 238 return False; 239 } 240 241 if (!ret) { 242 /* fall back on rpc methods if the ADS methods fail */ 243 ret = rpc_dc_name(domain, srv_name, &dc_ss); 244 } 245 246 *ss_out = dc_ss; 247 248 return ret; 249} 250