smbd_join.c revision 2c1b14e51525da2c09064641416fc4aed457c72f
/*
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 *
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 */

/*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Maximum time to wait for a domain controller (30 seconds).
 */

/*
 * Flags used in conjunction with the location and query condition
 */

/* NT4 domain support is not yet available. */

/*
 * Inline convenience function to find out if the domain information is
 * valid. The caller can decide whether or not to wait.
 */

/*
 * Retrieve the kpasswd server from krb5.conf.
 */
	if (p == NULL || *p == '\0')

	/* Weed out any comment text */

	return ((*srv == '\0') ? -1 : 0);

	    " old keys from the Kerberos keytab. "
	    "Please remove the old keys for your "

/*
 * Ensure that any previous membership of this domain has
 * been cleared from the environment before we start. This
 * will ensure that we don't attempt a NETLOGON_SAMLOGON
 * when attempting to find the PDC.
 */

	    " Kerberos keytab. Please remove the old keys for your "
	    "controller information for '%s'",
	    "specified domain controller information "

/*
 * Temporary delay before creating
 * the workstation trust account.
 */

	syslog(LOG_ERR,
	    "smbd: failed locating domain controller for %s",

/*
 * This is the entry point for discovering a domain controller for the
 * specified domain. The caller may block here for around 30 seconds if
 * the system has to go to the network and find a domain controller.
 * Sometime it would be good to change this to smb_locate_pdc and allow
 * the caller to specify whether or not he wants to wait for a response.
 *
 * The actual work of discovering a DC is handled by other threads.
 * All we do here is signal the request and wait for a DC or a timeout.
 *
 * domain - domain to be discovered
 * dc - preferred DC. If the preferred DC is set to empty string, it
 *      will attempt to discover any DC in the specified domain.
 *
 * Returns B_TRUE if a domain controller is available.
 */

/*
 * Initialization of the DC browser and LSA monitor threads.
 * Returns 0 on success, an error number if thread creation fails.
 */

/*
 * smb_netlogon_dc_browser
 *
 * This is the DC browser thread: it gets woken up whenever someone
 * wants to locate a domain controller.
 *
 * With the introduction of Windows 2000, NetBIOS is no longer a
 * requirement for NT domains. If NetBIOS has been disabled on the
 * network there will be no browsers and we won't get any response
 * to netlogon requests. So we try to find a DC controller via ADS
 * first. If ADS is disabled or the DNS query fails, we drop back
 * to the netlogon protocol.
 *
 * This function will block for up to 30 seconds waiting for the PDC
 * to be discovered. Sometime it would be good to change this to
 * smb_locate_pdc and allow the caller to specify whether or not he
 * wants to wait for a response.
 */

	/* Try to locate a DC via NetBIOS */

/*
 * Notify the LSA monitor to update the
 * primary and trusted domain information.
 */

/*
 * smb_netlogon_lsa_monitor
 *
 * This monitor should run as a separate thread. It waits on a condition
 * variable until someone indicates that the LSA domain information needs
 * to be refreshed. It then queries the DC for the NT domain information:
 * primary, account and trusted domains. The condition variable should be
 * signaled whenever a DC is selected.
 *
 * Note that the LSA query calls require the DC information and this task
 * may end up blocked on the DC location protocol, which is why this
 * monitor is run as a separate thread. This should only happen if the DC
 * goes down immediately after we located it.
 */

/*
 * Skip the LSA query if Authenticated IPC is supported
 * and the credential is not yet set.
 */

	    "NetlogonLSAMonitor: query "
	    "NetlogonLSAMonitor: enum "
	    "trusted domain failed");
	    "NetlogonLSAMonitor: update failed");

/*
 * If the system is joined to an AD domain via kclient, SMB daemon will need
 * to establish the NETLOGON credential chain.
 *
 * Since the kclient has updated the machine password stored in SMF
 * repository, the cached ipc_info must be updated accordingly by calling
 *
 * Due to potential replication delays in a multiple DC environment, the
 * NETLOGON rpc request must be sent to the DC, to which the KPASSWD request
 * is sent. If the DC discovered by the SMB daemon is different than the
 * kpasswd server, the current connection with the DC will be torn down
 * and a DC discovery process will be triggered to locate the kpasswd
 *
 * If joining a new domain, the domain_name property must be set after a
 * successful credential chain setup.
 */

/*
 * If the domain join initiated by smbadm join CLI is in
 * progress, don't do anything.
 */

/*
 * DC discovery will be triggered if the domain info is not
 * currently cached or the SMB daemon has previously discovered a DC
 * that is different than the kpasswd server.
 */

/*
 * smbd_locate_dc_thread()
 *
 * If necessary, set up Netlogon credential chain and locate a
 * domain controller in the given resource domain.
 */

/*
 * Initialization of the locate dc thread.
 * Returns 0 on success, an error number if thread creation fails.
 */