#include "../libcli/security/security.h"
#include "../libcli/auth/pam_errors.h"
#include "passdb/machine_sid.h"
+#include "passdb.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
}
-/* Add a trusted domain to our list of domains */
+/* Add a trusted domain to our list of domains.
+ If the domain already exists in the list,
+ return it and don't re-initialize. */
+
static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
struct winbindd_methods *methods,
const struct dom_sid *sid)
char *idmap_config_option;
const char *param;
const char **ignored_domains, **dom;
+ int role = lp_server_role();
ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
for (dom=ignored_domains; dom && *dom; dom++) {
if (domain != NULL) {
/*
- * We found a match. Possibly update the SID
+ * We found a match on domain->name or
+ * domain->alt_name. Possibly update the SID
+ * if the stored SID was the NULL SID
+ * and return the matching entry.
*/
if ((sid != NULL)
&& dom_sid_equal(&domain->sid, &global_sid_NULL)) {
sid_copy(&domain->sid, sid);
}
+ /* Is this our primary domain ? */
+ if (strequal(domain_name, get_global_sam_name()) &&
+ (role != ROLE_DOMAIN_MEMBER)) {
+ domain->primary = true;
+ } else if (strequal(domain_name, lp_workgroup()) &&
+ (role == ROLE_DOMAIN_MEMBER)) {
+ domain->primary = true;
+ }
+
/* Link to domain list */
DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
done:
+ setup_domain_child(domain);
+
DEBUG(2,("Added domain %s %s %s\n",
domain->name, domain->alt_name,
&domain->sid?sid_string_dbg(&domain->sid):""));
while ((p != NULL) && (*p != '\0')) {
char *q, *sidstr, *alt_name;
struct dom_sid sid;
- struct winbindd_domain *domain;
char *alternate_name = NULL;
- bool domain_exists;
alt_name = strchr(p, '\\');
if (alt_name == NULL) {
if ( !strequal( alt_name, "(null)" ) )
alternate_name = alt_name;
- /* Check if we already have a child for the domain */
- domain_exists = (find_domain_from_name_noinit(p) != NULL);
-
/*
* We always call add_trusted_domain() cause on an existing
* domain structure, it will update the SID if necessary.
* This is important because we need the SID for sibling
* domains.
*/
- domain = add_trusted_domain(p, alternate_name,
+ (void)add_trusted_domain(p, alternate_name,
&cache_methods,
&sid);
- /*
- * If the domain doesn't exist yet and got correctly added,
- * setup a new domain child.
- */
- if (!domain_exists && domain != NULL) {
- setup_domain_child(domain);
- }
p=q;
if (p != NULL)
p += 1;
dom_list[i].dns_name,
&cache_methods,
&dom_list[i].sid );
- if (d != NULL) {
- setup_domain_child(d);
- }
}
if (d == NULL) {
continue;
if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
- (type == NETR_TRUST_TYPE_UPLEVEL) &&
- (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
+ (type == LSA_TRUST_TYPE_UPLEVEL) &&
+ (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
{
/* add the trusted domain if we don't know
about it */
dom_list[i].dns_name,
&cache_methods,
&dom_list[i].sid );
- if (d != NULL) {
- setup_domain_child(d);
- }
}
if (d == NULL) {
fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
}
- if (domain->internal) {
- domain->initialized = true;
- } else {
- init_dc_connection(domain);
- }
+ init_dc_connection(domain, false);
if (!domain->initialized) {
/* If we return error here we can't do any cached authentication,
/* Look up global info for the winbind daemon */
bool init_domain_list(void)
{
- struct winbindd_domain *domain;
int role = lp_server_role();
/* Free existing list */
/* BUILTIN domain */
- domain = add_trusted_domain("BUILTIN", NULL, &cache_methods,
+ (void)add_trusted_domain("BUILTIN", NULL, &cache_methods,
&global_sid_Builtin);
- if (domain) {
- setup_domain_child(domain);
- }
/* Local SAM */
- domain = add_trusted_domain(get_global_sam_name(), NULL,
- &cache_methods, get_global_sam_sid());
- if (domain) {
- if ( role != ROLE_DOMAIN_MEMBER ) {
- domain->primary = True;
+ if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
+ struct winbindd_domain *domain;
+ enum netr_SchannelType sec_chan_type;
+ const char *account_name;
+ struct samr_Password current_nt_hash;
+ bool ok;
+
+ domain = add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
+ &cache_methods, get_global_sam_sid());
+ if (domain == NULL) {
+ DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
+ return false;
+ }
+
+ /*
+ * We need to call this to find out if we are an RODC
+ */
+ ok = get_trust_pw_hash(domain->name,
+ current_nt_hash.hash,
+ &account_name,
+ &sec_chan_type);
+ if (!ok) {
+ DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
+ return false;
+ }
+ if (sec_chan_type == SEC_CHAN_RODC) {
+ domain->rodc = true;
}
- setup_domain_child(domain);
- }
+ } else {
+ (void)add_trusted_domain(get_global_sam_name(), NULL,
+ &cache_methods, get_global_sam_sid());
+ }
/* Add ourselves as the first entry. */
if ( role == ROLE_DOMAIN_MEMBER ) {
+ struct winbindd_domain *domain;
struct dom_sid our_sid;
if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
domain = add_trusted_domain( lp_workgroup(), lp_realm(),
&cache_methods, &our_sid);
if (domain) {
- domain->primary = True;
- setup_domain_child(domain);
-
/* Even in the parent winbindd we'll need to
talk to the DC, so try and see if we can
contact it. Theoretically this isn't neccessary
return NULL;
if (!domain->initialized)
- init_dc_connection(domain);
+ init_dc_connection(domain, false);
return domain;
}
return NULL;
if (!domain->initialized)
- init_dc_connection(domain);
+ init_dc_connection(domain, false);
return domain;
}