2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
35 * @file winbindd_util.c
37 * Winbind daemon for NT domain authentication nss module.
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
46 static struct winbindd_domain *_domain_list = NULL;
48 struct winbindd_domain *domain_list(void)
52 if ((!_domain_list) && (!init_domain_list())) {
53 smb_panic("Init_domain_list failed");
59 /* Free all entries in the trusted domain list */
61 static void free_domain_list(void)
63 struct winbindd_domain *domain = _domain_list;
66 struct winbindd_domain *next = domain->next;
68 DLIST_REMOVE(_domain_list, domain);
74 static bool is_internal_domain(const DOM_SID *sid)
79 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
82 static bool is_in_internal_domain(const DOM_SID *sid)
87 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
91 /* Add a trusted domain to our list of domains */
92 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
93 struct winbindd_methods *methods,
96 struct winbindd_domain *domain;
97 const char *alternative_name = NULL;
98 char *idmap_config_option;
100 const char **ignored_domains, **dom;
102 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
103 for (dom=ignored_domains; dom && *dom; dom++) {
104 if (gen_fnmatch(*dom, domain_name) == 0) {
105 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
110 /* ignore alt_name if we are not in an AD domain */
112 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
113 alternative_name = alt_name;
116 /* We can't call domain_list() as this function is called from
117 init_domain_list() and we'll get stuck in a loop. */
118 for (domain = _domain_list; domain; domain = domain->next) {
119 if (strequal(domain_name, domain->name) ||
120 strequal(domain_name, domain->alt_name))
125 if (alternative_name && *alternative_name)
127 if (strequal(alternative_name, domain->name) ||
128 strequal(alternative_name, domain->alt_name))
136 if (is_null_sid(sid)) {
140 if (sid_equal(sid, &domain->sid)) {
146 if (domain != NULL) {
148 * We found a match. Possibly update the SID
151 && sid_equal(&domain->sid, &global_sid_NULL)) {
152 sid_copy( &domain->sid, sid );
157 /* Create new domain entry */
159 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
164 ZERO_STRUCTP(domain);
166 fstrcpy(domain->name, domain_name);
167 if (alternative_name) {
168 fstrcpy(domain->alt_name, alternative_name);
171 domain->methods = methods;
172 domain->backend = NULL;
173 domain->internal = is_internal_domain(sid);
174 domain->sequence_number = DOM_SEQUENCE_NONE;
175 domain->last_seq_check = 0;
176 domain->initialized = False;
177 domain->online = is_internal_domain(sid);
178 domain->check_online_timeout = 0;
179 domain->dc_probe_pid = (pid_t)-1;
181 sid_copy(&domain->sid, sid);
184 /* Link to domain list */
185 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
187 wcache_tdc_add_domain( domain );
189 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
191 if (idmap_config_option == NULL) {
192 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
196 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
198 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
199 param ? param : "not defined"));
202 unsigned low_id, high_id;
203 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
204 DEBUG(1, ("invalid range syntax in %s: %s\n",
205 idmap_config_option, param));
208 if (low_id > high_id) {
209 DEBUG(1, ("invalid range in %s: %s\n",
210 idmap_config_option, param));
213 domain->have_idmap_config = true;
214 domain->id_range_low = low_id;
215 domain->id_range_high = high_id;
220 DEBUG(2,("Added domain %s %s %s\n",
221 domain->name, domain->alt_name,
222 &domain->sid?sid_string_dbg(&domain->sid):""));
227 bool domain_is_forest_root(const struct winbindd_domain *domain)
229 const uint32_t fr_flags =
230 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
232 return ((domain->domain_flags & fr_flags) == fr_flags);
235 /********************************************************************
236 rescan our domains looking for new trusted domains
237 ********************************************************************/
239 struct trustdom_state {
242 struct winbindd_response *response;
245 static void trustdom_recv(void *private_data, bool success);
246 static void rescan_forest_root_trusts( void );
247 static void rescan_forest_trusts( void );
249 static void add_trusted_domains( struct winbindd_domain *domain )
251 struct winbindd_request *request;
252 struct winbindd_response *response;
253 struct trustdom_state *state;
255 state = TALLOC_ZERO_P(NULL, struct trustdom_state);
257 DEBUG(0, ("talloc_init failed\n"));
261 request = TALLOC_ZERO_P(state, struct winbindd_request);
262 response = TALLOC_P(state, struct winbindd_response);
264 if ((request == NULL) || (response == NULL)) {
265 DEBUG(0, ("talloc failed\n"));
269 state->response = response;
271 /* Flags used to know how to continue the forest trust search */
273 state->primary = domain->primary;
274 state->forest_root = domain_is_forest_root(domain);
276 request->length = sizeof(*request);
277 request->cmd = WINBINDD_LIST_TRUSTDOM;
279 async_domain_request(state, domain, request, response,
280 trustdom_recv, state);
283 static void trustdom_recv(void *private_data, bool success)
285 struct trustdom_state *state =
286 talloc_get_type_abort(private_data, struct trustdom_state);
287 struct winbindd_response *response = state->response;
290 if ((!success) || (response->result != WINBINDD_OK)) {
291 DEBUG(1, ("Could not receive trustdoms\n"));
296 p = (char *)response->extra_data.data;
298 while ((p != NULL) && (*p != '\0')) {
299 char *q, *sidstr, *alt_name;
301 struct winbindd_domain *domain;
302 char *alternate_name = NULL;
304 alt_name = strchr(p, '\\');
305 if (alt_name == NULL) {
306 DEBUG(0, ("Got invalid trustdom response\n"));
313 sidstr = strchr(alt_name, '\\');
314 if (sidstr == NULL) {
315 DEBUG(0, ("Got invalid trustdom response\n"));
322 q = strchr(sidstr, '\n');
326 if (!string_to_sid(&sid, sidstr)) {
327 DEBUG(0, ("Got invalid trustdom response\n"));
331 /* use the real alt_name if we have one, else pass in NULL */
333 if ( !strequal( alt_name, "(null)" ) )
334 alternate_name = alt_name;
336 /* If we have an existing domain structure, calling
337 add_trusted_domain() will update the SID if
338 necessary. This is important because we need the
339 SID for sibling domains */
341 if ( find_domain_from_name_noinit(p) != NULL ) {
342 domain = add_trusted_domain(p, alternate_name,
346 domain = add_trusted_domain(p, alternate_name,
350 setup_domain_child(domain);
359 Cases to consider when scanning trusts:
360 (a) we are calling from a child domain (primary && !forest_root)
361 (b) we are calling from the root of the forest (primary && forest_root)
362 (c) we are calling from a trusted forest domain (!primary
366 if ( state->primary ) {
367 /* If this is our primary domain and we are not in the
368 forest root, we have to scan the root trusts first */
370 if ( !state->forest_root )
371 rescan_forest_root_trusts();
373 rescan_forest_trusts();
375 } else if ( state->forest_root ) {
376 /* Once we have done root forest trust search, we can
377 go on to search the trusted forests */
379 rescan_forest_trusts();
387 /********************************************************************
388 Scan the trusts of our forest root
389 ********************************************************************/
391 static void rescan_forest_root_trusts( void )
393 struct winbindd_tdc_domain *dom_list = NULL;
394 size_t num_trusts = 0;
397 /* The only transitive trusts supported by Windows 2003 AD are
398 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
399 first two are handled in forest and listed by
400 DsEnumerateDomainTrusts(). Forest trusts are not so we
401 have to do that ourselves. */
403 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
406 for ( i=0; i<num_trusts; i++ ) {
407 struct winbindd_domain *d = NULL;
409 /* Find the forest root. Don't necessarily trust
410 the domain_list() as our primary domain may not
411 have been initialized. */
413 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
417 /* Here's the forest root */
419 d = find_domain_from_name_noinit( dom_list[i].domain_name );
422 d = add_trusted_domain( dom_list[i].domain_name,
423 dom_list[i].dns_name,
427 setup_domain_child(d);
435 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
436 "for domain tree root %s (%s)\n",
437 d->name, d->alt_name ));
439 d->domain_flags = dom_list[i].trust_flags;
440 d->domain_type = dom_list[i].trust_type;
441 d->domain_trust_attribs = dom_list[i].trust_attribs;
443 add_trusted_domains( d );
448 TALLOC_FREE( dom_list );
453 /********************************************************************
454 scan the transitive forest trusts (not our own)
455 ********************************************************************/
458 static void rescan_forest_trusts( void )
460 struct winbindd_domain *d = NULL;
461 struct winbindd_tdc_domain *dom_list = NULL;
462 size_t num_trusts = 0;
465 /* The only transitive trusts supported by Windows 2003 AD are
466 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
467 first two are handled in forest and listed by
468 DsEnumerateDomainTrusts(). Forest trusts are not so we
469 have to do that ourselves. */
471 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
474 for ( i=0; i<num_trusts; i++ ) {
475 uint32 flags = dom_list[i].trust_flags;
476 uint32 type = dom_list[i].trust_type;
477 uint32 attribs = dom_list[i].trust_attribs;
479 d = find_domain_from_name_noinit( dom_list[i].domain_name );
481 /* ignore our primary and internal domains */
483 if ( d && (d->internal || d->primary ) )
486 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
487 (type == NETR_TRUST_TYPE_UPLEVEL) &&
488 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
490 /* add the trusted domain if we don't know
494 d = add_trusted_domain( dom_list[i].domain_name,
495 dom_list[i].dns_name,
499 setup_domain_child(d);
507 DEBUG(10,("Following trust path for domain %s (%s)\n",
508 d->name, d->alt_name ));
509 add_trusted_domains( d );
513 TALLOC_FREE( dom_list );
518 /*********************************************************************
519 The process of updating the trusted domain list is a three step
522 (b) ask the root domain in our forest
523 (c) ask the a DC in any Win2003 trusted forests
524 *********************************************************************/
526 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
527 struct timeval now, void *private_data)
531 /* I use to clear the cache here and start over but that
532 caused problems in child processes that needed the
533 trust dom list early on. Removing it means we
534 could have some trusted domains listed that have been
535 removed from our primary domain's DC until a full
536 restart. This should be ok since I think this is what
537 Windows does as well. */
539 /* this will only add new domains we didn't already know about
540 in the domain_list()*/
542 add_trusted_domains( find_our_domain() );
544 te = tevent_add_timer(
545 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
546 rescan_trusted_domains, NULL);
548 * If te == NULL, there's not much we can do here. Don't fail, the
549 * only thing we miss is new trusted domains.
555 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
556 struct winbindd_cli_state *state)
558 /* Ensure null termination */
559 state->request->domain_name
560 [sizeof(state->request->domain_name)-1]='\0';
561 state->request->data.init_conn.dcname
562 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
564 if (strlen(state->request->data.init_conn.dcname) > 0) {
565 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
568 if (domain->internal) {
569 domain->initialized = true;
571 init_dc_connection(domain);
574 if (!domain->initialized) {
575 /* If we return error here we can't do any cached authentication,
576 but we may be in disconnected mode and can't initialize correctly.
577 Do what the previous code did and just return without initialization,
578 once we go online we'll re-initialize.
580 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
581 "online = %d\n", domain->name, (int)domain->online ));
584 fstrcpy(state->response->data.domain_info.name, domain->name);
585 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
586 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
588 state->response->data.domain_info.native_mode
589 = domain->native_mode;
590 state->response->data.domain_info.active_directory
591 = domain->active_directory;
592 state->response->data.domain_info.primary
598 /* Look up global info for the winbind daemon */
599 bool init_domain_list(void)
601 struct winbindd_domain *domain;
602 int role = lp_server_role();
604 /* Free existing list */
609 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
610 &global_sid_Builtin);
612 setup_domain_child(domain);
617 domain = add_trusted_domain(get_global_sam_name(), NULL,
618 &sam_passdb_methods, get_global_sam_sid());
620 if ( role != ROLE_DOMAIN_MEMBER ) {
621 domain->primary = True;
623 setup_domain_child(domain);
626 /* Add ourselves as the first entry. */
628 if ( role == ROLE_DOMAIN_MEMBER ) {
631 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
632 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
636 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
637 &cache_methods, &our_sid);
639 domain->primary = True;
640 setup_domain_child(domain);
642 /* Even in the parent winbindd we'll need to
643 talk to the DC, so try and see if we can
644 contact it. Theoretically this isn't neccessary
645 as the init_dc_connection() in init_child_recv()
646 will do this, but we can start detecting the DC
648 set_domain_online_request(domain);
655 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
657 struct winbindd_domain *domain;
661 /* Check if we even care */
663 if (!lp_allow_trusted_domains())
666 domain = find_domain_from_name_noinit( name );
670 sid_copy( &dom_sid, user_sid );
671 if ( !sid_split_rid( &dom_sid, &rid ) )
674 /* add the newly discovered trusted domain */
676 domain = add_trusted_domain( name, NULL, &cache_methods,
682 /* assume this is a trust from a one-way transitive
685 domain->active_directory = True;
686 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
687 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
688 domain->internal = False;
689 domain->online = True;
691 setup_domain_child(domain);
693 wcache_tdc_add_domain( domain );
699 * Given a domain name, return the struct winbindd domain info for it
701 * @note Do *not* pass lp_workgroup() to this function. domain_list
702 * may modify it's value, and free that pointer. Instead, our local
703 * domain may be found by calling find_our_domain().
707 * @return The domain structure for the named domain, if it is working.
710 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
712 struct winbindd_domain *domain;
714 /* Search through list */
716 for (domain = domain_list(); domain != NULL; domain = domain->next) {
717 if (strequal(domain_name, domain->name) ||
718 (domain->alt_name[0] &&
719 strequal(domain_name, domain->alt_name))) {
729 struct winbindd_domain *find_domain_from_name(const char *domain_name)
731 struct winbindd_domain *domain;
733 domain = find_domain_from_name_noinit(domain_name);
738 if (!domain->initialized)
739 init_dc_connection(domain);
744 /* Given a domain sid, return the struct winbindd domain info for it */
746 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
748 struct winbindd_domain *domain;
750 /* Search through list */
752 for (domain = domain_list(); domain != NULL; domain = domain->next) {
753 if (sid_compare_domain(sid, &domain->sid) == 0)
762 /* Given a domain sid, return the struct winbindd domain info for it */
764 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
766 struct winbindd_domain *domain;
768 domain = find_domain_from_sid_noinit(sid);
773 if (!domain->initialized)
774 init_dc_connection(domain);
779 struct winbindd_domain *find_our_domain(void)
781 struct winbindd_domain *domain;
783 /* Search through list */
785 for (domain = domain_list(); domain != NULL; domain = domain->next) {
790 smb_panic("Could not find our domain");
794 struct winbindd_domain *find_root_domain(void)
796 struct winbindd_domain *ours = find_our_domain();
798 if (ours->forest_name[0] == '\0') {
802 return find_domain_from_name( ours->forest_name );
805 struct winbindd_domain *find_builtin_domain(void)
807 struct winbindd_domain *domain;
809 domain = find_domain_from_sid(&global_sid_Builtin);
810 if (domain == NULL) {
811 smb_panic("Could not find BUILTIN domain");
817 /* Find the appropriate domain to lookup a name or SID */
819 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
821 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
823 if ( sid_check_is_in_unix_groups(sid) ||
824 sid_check_is_unix_groups(sid) ||
825 sid_check_is_in_unix_users(sid) ||
826 sid_check_is_unix_users(sid) )
828 return find_domain_from_sid(get_global_sam_sid());
831 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
832 * one to contact the external DC's. On member servers the internal
833 * domains are different: These are part of the local SAM. */
835 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
837 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
838 DEBUG(10, ("calling find_domain_from_sid\n"));
839 return find_domain_from_sid(sid);
842 /* On a member server a query for SID or name can always go to our
845 DEBUG(10, ("calling find_our_domain\n"));
846 return find_our_domain();
849 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
851 if ( strequal(domain_name, unix_users_domain_name() ) ||
852 strequal(domain_name, unix_groups_domain_name() ) )
855 * The "Unix User" and "Unix Group" domain our handled by
858 return find_domain_from_name_noinit( get_global_sam_name() );
861 if (IS_DC || strequal(domain_name, "BUILTIN") ||
862 strequal(domain_name, get_global_sam_name()))
863 return find_domain_from_name_noinit(domain_name);
866 return find_our_domain();
869 /* Is this a domain which we may assume no DOMAIN\ prefix? */
871 static bool assume_domain(const char *domain)
873 /* never assume the domain on a standalone server */
875 if ( lp_server_role() == ROLE_STANDALONE )
878 /* domain member servers may possibly assume for the domain name */
880 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
881 if ( !strequal(lp_workgroup(), domain) )
884 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
888 /* only left with a domain controller */
890 if ( strequal(get_global_sam_name(), domain) ) {
897 /* Parse a string of the form DOMAIN\user into a domain and a user */
899 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
901 char *p = strchr(domuser,*lp_winbind_separator());
904 fstrcpy(user, domuser);
906 if ( assume_domain(lp_workgroup())) {
907 fstrcpy(domain, lp_workgroup());
908 } else if ((p = strchr(domuser, '@')) != NULL) {
909 fstrcpy(domain, p + 1);
910 user[PTR_DIFF(p, domuser)] = 0;
916 fstrcpy(domain, domuser);
917 domain[PTR_DIFF(p, domuser)] = 0;
925 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
926 char **domain, char **user)
928 fstring fstr_domain, fstr_user;
929 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
932 *domain = talloc_strdup(mem_ctx, fstr_domain);
933 *user = talloc_strdup(mem_ctx, fstr_user);
934 return ((*domain != NULL) && (*user != NULL));
937 /* add a domain user name to a buffer */
938 void parse_add_domuser(void *buf, char *domuser, int *len)
944 p = strchr(domuser, *lp_winbind_separator());
948 fstrcpy(domain, domuser);
949 domain[PTR_DIFF(p, domuser)] = 0;
952 if (assume_domain(domain)) {
955 *len -= (PTR_DIFF(p, domuser));
959 safe_strcpy((char *)buf, user, *len);
962 /* Ensure an incoming username from NSS is fully qualified. Replace the
963 incoming fstring with DOMAIN <separator> user. Returns the same
964 values as parse_domain_user() but also replaces the incoming username.
965 Used to ensure all names are fully qualified within winbindd.
966 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
967 The protocol definitions of auth_crap, chng_pswd_auth_crap
968 really should be changed to use this instead of doing things
971 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
973 if (!parse_domain_user(username_inout, domain, user)) {
976 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
977 domain, *lp_winbind_separator(),
983 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
984 'winbind separator' options.
986 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
989 If we are a PDC or BDC, and this is for our domain, do likewise.
991 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
992 username is then unqualified in unix
994 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
996 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1000 fstrcpy(tmp_user, user);
1001 strlower_m(tmp_user);
1003 if (can_assume && assume_domain(domain)) {
1004 strlcpy(name, tmp_user, sizeof(fstring));
1006 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1007 domain, *lp_winbind_separator(),
1013 * talloc version of fill_domain_username()
1014 * return NULL on talloc failure.
1016 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1021 char *tmp_user, *name;
1023 tmp_user = talloc_strdup(mem_ctx, user);
1024 strlower_m(tmp_user);
1026 if (can_assume && assume_domain(domain)) {
1029 name = talloc_asprintf(mem_ctx, "%s%c%s",
1031 *lp_winbind_separator(),
1033 TALLOC_FREE(tmp_user);
1040 * Winbindd socket accessor functions
1043 const char *get_winbind_pipe_dir(void)
1045 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1048 char *get_winbind_priv_pipe_dir(void)
1050 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1053 /* Open the winbindd socket */
1055 static int _winbindd_socket = -1;
1056 static int _winbindd_priv_socket = -1;
1058 int open_winbindd_socket(void)
1060 if (_winbindd_socket == -1) {
1061 _winbindd_socket = create_pipe_sock(
1062 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1063 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1067 return _winbindd_socket;
1070 int open_winbindd_priv_socket(void)
1072 if (_winbindd_priv_socket == -1) {
1073 _winbindd_priv_socket = create_pipe_sock(
1074 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1075 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1076 _winbindd_priv_socket));
1079 return _winbindd_priv_socket;
1083 * Client list accessor functions
1086 static struct winbindd_cli_state *_client_list;
1087 static int _num_clients;
1089 /* Return list of all connected clients */
1091 struct winbindd_cli_state *winbindd_client_list(void)
1093 return _client_list;
1096 /* Add a connection to the list */
1098 void winbindd_add_client(struct winbindd_cli_state *cli)
1100 DLIST_ADD(_client_list, cli);
1104 /* Remove a client from the list */
1106 void winbindd_remove_client(struct winbindd_cli_state *cli)
1108 DLIST_REMOVE(_client_list, cli);
1112 /* Close all open clients */
1114 void winbindd_kill_all_clients(void)
1116 struct winbindd_cli_state *cl = winbindd_client_list();
1118 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1121 struct winbindd_cli_state *next;
1124 winbindd_remove_client(cl);
1129 /* Return number of open clients */
1131 int winbindd_num_clients(void)
1133 return _num_clients;
1136 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1137 TALLOC_CTX *mem_ctx,
1138 const DOM_SID *user_sid,
1139 uint32 *p_num_groups, DOM_SID **user_sids)
1141 struct netr_SamInfo3 *info3 = NULL;
1142 NTSTATUS status = NT_STATUS_NO_MEMORY;
1143 size_t num_groups = 0;
1145 DEBUG(3,(": lookup_usergroups_cached\n"));
1150 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1152 if (info3 == NULL) {
1153 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1156 if (info3->base.groups.count == 0) {
1158 return NT_STATUS_UNSUCCESSFUL;
1161 /* Skip Domain local groups outside our domain.
1162 We'll get these from the getsidaliases() RPC call. */
1163 status = sid_array_from_info3(mem_ctx, info3,
1168 if (!NT_STATUS_IS_OK(status)) {
1174 *p_num_groups = num_groups;
1175 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1177 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1182 /*********************************************************************
1183 We use this to remove spaces from user and group names
1184 ********************************************************************/
1186 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1187 struct winbindd_domain *domain,
1193 if (!name || !normalized) {
1194 return NT_STATUS_INVALID_PARAMETER;
1197 if (!lp_winbind_normalize_names()) {
1198 return NT_STATUS_PROCEDURE_NOT_FOUND;
1201 /* Alias support and whitespace replacement are mutually
1204 nt_status = resolve_username_to_alias(mem_ctx, domain,
1206 if (NT_STATUS_IS_OK(nt_status)) {
1207 /* special return code to let the caller know we
1208 mapped to an alias */
1209 return NT_STATUS_FILE_RENAMED;
1212 /* check for an unreachable domain */
1214 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1215 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1217 set_domain_offline(domain);
1221 /* deal with whitespace */
1223 *normalized = talloc_strdup(mem_ctx, name);
1224 if (!(*normalized)) {
1225 return NT_STATUS_NO_MEMORY;
1228 all_string_sub( *normalized, " ", "_", 0 );
1230 return NT_STATUS_OK;
1233 /*********************************************************************
1234 We use this to do the inverse of normalize_name_map()
1235 ********************************************************************/
1237 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1242 struct winbindd_domain *domain = find_our_domain();
1244 if (!name || !normalized) {
1245 return NT_STATUS_INVALID_PARAMETER;
1248 if (!lp_winbind_normalize_names()) {
1249 return NT_STATUS_PROCEDURE_NOT_FOUND;
1252 /* Alias support and whitespace replacement are mutally
1255 /* When mapping from an alias to a username, we don't know the
1256 domain. But we only need a domain structure to cache
1257 a successful lookup , so just our own domain structure for
1260 nt_status = resolve_alias_to_username(mem_ctx, domain,
1262 if (NT_STATUS_IS_OK(nt_status)) {
1263 /* Special return code to let the caller know we mapped
1265 return NT_STATUS_FILE_RENAMED;
1268 /* check for an unreachable domain */
1270 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1271 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1273 set_domain_offline(domain);
1277 /* deal with whitespace */
1279 *normalized = talloc_strdup(mem_ctx, name);
1280 if (!(*normalized)) {
1281 return NT_STATUS_NO_MEMORY;
1284 all_string_sub(*normalized, "_", " ", 0);
1286 return NT_STATUS_OK;
1289 /*********************************************************************
1290 ********************************************************************/
1292 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1294 struct winbindd_tdc_domain *tdc = NULL;
1295 TALLOC_CTX *frame = talloc_stackframe();
1298 /* We can contact the domain if it is our primary domain */
1300 if (domain->primary) {
1304 /* Trust the TDC cache and not the winbindd_domain flags */
1306 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1307 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1312 /* Can always contact a domain that is in out forest */
1314 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1320 * On a _member_ server, we cannot contact the domain if it
1321 * is running AD and we have no inbound trust.
1325 domain->active_directory &&
1326 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1328 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1329 "and we have no inbound trust.\n", domain->name));
1333 /* Assume everything else is ok (probably not true but what
1339 talloc_destroy(frame);
1344 /*********************************************************************
1345 ********************************************************************/
1347 bool winbindd_internal_child(struct winbindd_child *child)
1349 if ((child == idmap_child()) || (child == locator_child())) {
1356 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1358 /*********************************************************************
1359 ********************************************************************/
1361 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1364 char addr[INET6_ADDRSTRLEN];
1365 const char *kdc = NULL;
1368 if (!domain || !domain->alt_name || !*domain->alt_name) {
1372 if (domain->initialized && !domain->active_directory) {
1373 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1378 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1381 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1383 kdc = domain->dcname;
1386 if (!kdc || !*kdc) {
1387 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1392 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1393 domain->alt_name) == -1) {
1397 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1400 setenv(var, kdc, 1);
1404 /*********************************************************************
1405 ********************************************************************/
1407 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1409 struct winbindd_domain *our_dom = find_our_domain();
1411 winbindd_set_locator_kdc_env(domain);
1413 if (domain != our_dom) {
1414 winbindd_set_locator_kdc_env(our_dom);
1418 /*********************************************************************
1419 ********************************************************************/
1421 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1425 if (!domain || !domain->alt_name || !*domain->alt_name) {
1429 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1430 domain->alt_name) == -1) {
1439 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1444 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1449 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1451 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1453 resp->data.auth.nt_status = NT_STATUS_V(result);
1454 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1456 /* we might have given a more useful error above */
1457 if (*resp->data.auth.error_string == '\0')
1458 fstrcpy(resp->data.auth.error_string,
1459 get_friendly_nt_error_msg(result));
1460 resp->data.auth.pam_error = nt_status_to_pam(result);
1463 bool is_domain_offline(const struct winbindd_domain *domain)
1465 if (!lp_winbind_offline_logon()) {
1468 if (get_global_winbindd_state_offline()) {
1471 return !domain->online;