2 Unix SMB/Netbios implementation.
5 Winbind daemon for ntdom nss module
7 Copyright (C) Tim Potter 2000
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 /* Debug connection state */
29 void debug_conn_state(void)
31 struct winbindd_domain *domain;
33 DEBUG(3, ("server: dc=%s, pwdb_init=%d, lsa_hnd=%d\n",
34 server_state.controller,
35 server_state.pwdb_initialised,
36 server_state.lsa_handle_open));
38 for (domain = domain_list; domain; domain = domain->next) {
39 DEBUG(3, ("%s: dc=%s, got_sid=%d, sam_hnd=%d sam_dom_hnd=%d\n",
40 domain->name, domain->controller,
41 domain->got_domain_info, domain->sam_handle_open,
42 domain->sam_dom_handle_open));
46 /* Add a trusted domain to our list of domains */
48 static struct winbindd_domain *add_trusted_domain(char *domain_name)
50 struct winbindd_domain *domain, *tmp;
52 for (tmp = domain_list; tmp != NULL; tmp = tmp->next) {
53 if (strcmp(domain_name, tmp->name) == 0) {
54 DEBUG(3, ("domain %s already in trusted list\n",
60 DEBUG(1, ("adding trusted domain %s\n", domain_name));
62 /* Create new domain entry */
64 if ((domain = (struct winbindd_domain *)malloc(sizeof(*domain))) == NULL) {
73 fstrcpy(domain->name, domain_name);
76 /* Link to domain list */
78 DLIST_ADD(domain_list, domain);
83 /* Look up global info for the winbind daemon */
85 static BOOL get_trusted_domains(void)
89 char **domains = NULL;
94 DEBUG(1, ("getting trusted domain list\n"));
96 /* Add our workgroup - keep handle to look up trusted domains */
97 if (!add_trusted_domain(lp_workgroup())) {
98 DEBUG(0, ("could not add record for domain %s\n",
103 /* Enumerate list of trusted domains */
104 result = wb_lsa_enum_trust_dom(&server_state.lsa_handle, &enum_ctx,
105 &num_doms, &domains, &sids);
107 if (!result || !domains) return False;
109 /* Add each domain to the trusted domain list */
110 for(i = 0; i < num_doms; i++) {
111 if (!add_trusted_domain(domains[i])) {
112 DEBUG(0, ("could not add record for domain %s\n",
121 /* Open sam and sam domain handles */
123 static BOOL open_sam_handles(struct winbindd_domain *domain)
125 /* Get domain info (sid and controller name) */
127 if (!domain->got_domain_info) {
128 domain->got_domain_info = get_domain_info(domain);
129 if (!domain->got_domain_info) return False;
132 /* Shut down existing sam handles */
134 if (domain->sam_dom_handle_open) {
135 wb_samr_close(&domain->sam_dom_handle);
136 domain->sam_dom_handle_open = False;
139 if (domain->sam_handle_open) {
140 wb_samr_close(&domain->sam_handle);
141 domain->sam_handle_open = False;
144 /* Open sam handle */
146 domain->sam_handle_open =
147 wb_samr_connect(domain->controller,
148 SEC_RIGHTS_MAXIMUM_ALLOWED,
149 &domain->sam_handle);
151 if (!domain->sam_handle_open) return False;
153 /* Open sam domain handle */
155 domain->sam_dom_handle_open =
156 wb_samr_open_domain(&domain->sam_handle,
157 SEC_RIGHTS_MAXIMUM_ALLOWED,
159 &domain->sam_dom_handle);
161 if (!domain->sam_dom_handle_open) return False;
166 static BOOL rpc_hnd_ok(CLI_POLICY_HND *hnd)
168 return hnd->cli->fd != -1;
171 /* Return true if the SAM domain handles are open and responding. */
173 BOOL domain_handles_open(struct winbindd_domain *domain)
178 /* Check we haven't checked too recently */
182 if ((t - domain->last_check) < WINBINDD_ESTABLISH_LOOP) {
183 return domain->sam_handle_open &&
184 domain->sam_dom_handle_open;
187 DEBUG(3, ("checking domain handles for domain %s\n", domain->name));
190 domain->last_check = t;
192 /* Open sam handles if they are marked as closed */
194 if (!domain->sam_handle_open || !domain->sam_dom_handle_open) {
196 DEBUG(3, ("opening sam handles\n"));
197 return open_sam_handles(domain);
200 /* Check sam handles are ok - the domain controller may have failed
201 and we need to move to a BDC. */
203 if (!rpc_hnd_ok(&domain->sam_handle) ||
204 !rpc_hnd_ok(&domain->sam_dom_handle)) {
206 /* We want to close the current connection but attempt
207 to open a new set, possibly to a new dc. If this
208 doesn't work then return False as we have no dc
211 DEBUG(3, ("sam handles not responding\n"));
213 winbindd_kill_connections(domain);
217 result = domain->sam_handle_open && domain->sam_dom_handle_open;
222 /* Shut down connections to all domain controllers */
224 void winbindd_kill_connections(struct winbindd_domain *domain)
226 /* Kill all connections */
229 struct winbindd_domain *tmp;
231 for (tmp = domain_list; tmp; tmp = tmp->next) {
232 winbindd_kill_connections(domain);
238 /* Log a level 0 message - this is probably a domain controller
241 if (!domain->controller[0])
244 DEBUG(0, ("killing connections to domain %s with controller %s\n",
245 domain->name, domain->controller));
249 /* Close LSA connections if we are killing connections to the dc
250 that has them open. */
252 if (strequal(server_state.controller, domain->controller)) {
253 server_state.pwdb_initialised = False;
254 server_state.lsa_handle_open = False;
255 wb_lsa_close(&server_state.lsa_handle);
258 /* Close domain sam handles but don't free them as this
259 severely traumatises the getent state. The connections
260 will be reopened later. */
262 if (domain->sam_dom_handle_open) {
263 wb_samr_close(&domain->sam_dom_handle);
264 domain->sam_dom_handle_open = False;
267 if (domain->sam_handle_open) {
268 wb_samr_close(&domain->sam_handle);
269 domain->sam_handle_open = False;
272 /* Re-lookup domain info which includes domain controller name */
274 domain->got_domain_info = False;
277 /* Kill connections to all servers */
279 void winbindd_kill_all_connections(void)
281 struct winbindd_domain *domain;
283 /* Iterate over domain list */
285 domain = domain_list;
288 struct winbindd_domain *next;
290 /* Kill conections */
292 winbindd_kill_connections(domain);
294 /* Remove domain from list */
297 DLIST_REMOVE(domain_list, domain);
304 static BOOL get_any_dc_name(char *domain, fstring srv_name)
306 struct in_addr *ip_list, dc_ip;
307 extern pstring global_myname;
310 /* Lookup domain controller name */
312 if (!get_dc_list(False, domain, &ip_list, &count))
315 /* Firstly choose a PDC/BDC who has the same network address as any
316 of our interfaces. */
318 for (i = 0; i < count; i++) {
319 if(!is_local_net(ip_list[i]))
323 i = (sys_random() % count);
329 if (!lookup_pdc_name(global_myname, domain, &dc_ip, srv_name))
335 /* Attempt to connect to all domain controllers we know about */
337 void establish_connections(BOOL force_reestablish)
342 /* Check we haven't checked too recently */
345 if ((t - lastt < WINBINDD_ESTABLISH_LOOP) && !force_reestablish) {
350 DEBUG(3, ("establishing connections\n"));
353 /* Maybe the connection died - if so then close up and restart */
355 if (server_state.pwdb_initialised &&
356 server_state.lsa_handle_open &&
357 !rpc_hnd_ok(&server_state.lsa_handle)) {
358 winbindd_kill_connections(NULL);
361 if (!server_state.pwdb_initialised) {
363 /* Lookup domain controller name */
365 if (!get_any_dc_name(lp_workgroup(),
366 server_state.controller)) {
367 DEBUG(3, ("could not find any domain controllers "
368 "for domain %s\n", lp_workgroup()));
372 /* Initialise password database and sids */
374 /* server_state.pwdb_initialised = pwdb_initialise(False); */
375 server_state.pwdb_initialised = True;
377 if (!server_state.pwdb_initialised) {
378 DEBUG(3, ("could not initialise pwdb\n"));
383 /* Open lsa handle if it isn't already open */
385 if (!server_state.lsa_handle_open) {
387 server_state.lsa_handle_open =
388 wb_lsa_open_policy(server_state.controller,
389 False, SEC_RIGHTS_MAXIMUM_ALLOWED,
390 &server_state.lsa_handle);
392 if (!server_state.lsa_handle_open) {
393 DEBUG(0, ("error opening lsa handle on dc %s\n",
394 server_state.controller));
398 /* Now we can talk to the server we can get some info */
400 get_trusted_domains();
406 /* Connect to a domain controller using get_any_dc_name() to discover
407 the domain name and sid */
409 BOOL lookup_domain_sid(char *domain_name, struct winbindd_domain *domain)
415 char **domains = NULL;
416 DOM_SID *sids = NULL;
418 if (domain == NULL) {
422 DEBUG(1, ("looking up sid for domain %s\n", domain_name));
424 /* Get controller name for domain */
426 if (!get_any_dc_name(domain_name, domain->controller)) {
427 DEBUG(0, ("Could not resolve domain controller for domain %s\n",
432 /* Do a level 5 query info policy if we are looking up our own SID */
434 if (strequal(domain_name, lp_workgroup())) {
435 return wb_lsa_query_info_pol(&server_state.lsa_handle, 0x05,
436 level5_dom, &domain->sid);
439 /* Use lsaenumdomains to get sid for this domain */
441 res = wb_lsa_enum_trust_dom(&server_state.lsa_handle, &enum_ctx,
442 &num_doms, &domains, &sids);
444 /* Look for domain name */
446 if (res && domains && sids) {
450 for(i = 0; i < num_doms; i++) {
451 if (strequal(domain_name, domains[i])) {
452 sid_copy(&domain->sid, &sids[i]);
464 /* Lookup domain controller and sid for a domain */
466 BOOL get_domain_info(struct winbindd_domain *domain)
470 DEBUG(1, ("Getting domain info for domain %s\n", domain->name));
472 /* Lookup domain sid */
474 if (!lookup_domain_sid(domain->name, domain)) {
475 DEBUG(0, ("could not find sid for domain %s\n", domain->name));
477 /* Could be a DC failure - shut down connections to this domain */
479 winbindd_kill_connections(domain);
486 domain->got_domain_info = 1;
488 sid_to_string(sid_str, &domain->sid);
489 DEBUG(1, ("found sid %s for domain %s\n", sid_str, domain->name));
494 /* Lookup a sid in a domain from a name */
496 BOOL winbindd_lookup_sid_by_name(char *name, DOM_SID *sid,
497 enum SID_NAME_USE *type)
499 int num_sids = 0, num_names = 1;
500 DOM_SID *sids = NULL;
501 uint32 *types = NULL;
504 /* Don't bother with machine accounts */
506 if (name[strlen(name) - 1] == '$') {
512 res = wb_lsa_lookup_names(&server_state.lsa_handle, num_names,
513 (char **)&name, &sids, &types, &num_sids);
515 /* Return rid and type if lookup successful */
521 if ((sid != NULL) && (sids != NULL)) {
522 sid_copy(sid, &sids[0]);
525 /* Return name type */
527 if ((type != NULL) && (types != NULL)) {
535 /* Lookup a name in a domain from a sid */
537 BOOL winbindd_lookup_name_by_sid(DOM_SID *sid, fstring name,
538 enum SID_NAME_USE *type)
540 int num_sids = 1, num_names = 0;
541 uint32 *types = NULL;
547 res = wb_lsa_lookup_sids(&server_state.lsa_handle, num_sids, sid,
548 &names, &types, &num_names);
550 /* Return name and type if successful */
556 if ((names != NULL) && (name != NULL)) {
557 fstrcpy(name, names[0]);
560 /* Return name type */
562 if ((type != NULL) && (types != NULL)) {
570 /* Lookup user information from a rid */
572 BOOL winbindd_lookup_userinfo(struct winbindd_domain *domain,
573 uint32 user_rid, SAM_USERINFO_CTR **user_info)
575 return wb_get_samr_query_userinfo(&domain->sam_dom_handle, 0x15,
576 user_rid, user_info);
579 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
581 BOOL winbindd_lookup_usergroups(struct winbindd_domain *domain,
582 uint32 user_rid, uint32 *num_groups,
583 DOM_GID **user_groups)
588 if (!wb_samr_open_user(&domain->sam_dom_handle,
589 SEC_RIGHTS_MAXIMUM_ALLOWED,
590 user_rid, &user_pol)) {
594 if (cli_samr_query_usergroups(domain->sam_dom_handle.cli,
595 domain->sam_dom_handle.mem_ctx,
596 &user_pol, num_groups, user_groups)
605 cli_samr_close(domain->sam_dom_handle.cli,
606 domain->sam_dom_handle.mem_ctx, &user_pol);
611 /* Lookup group information from a rid */
613 BOOL winbindd_lookup_groupinfo(struct winbindd_domain *domain,
614 uint32 group_rid, GROUP_INFO_CTR *info)
616 return wb_get_samr_query_groupinfo(&domain->sam_dom_handle, 1,
620 /* Lookup group membership given a rid */
622 BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain,
623 uint32 group_rid, uint32 *num_names,
624 uint32 **rid_mem, char ***names,
625 enum SID_NAME_USE **name_types)
627 return wb_sam_query_groupmem(&domain->sam_dom_handle, group_rid,
628 num_names, rid_mem, names, name_types);
631 /* Globals for domain list stuff */
633 struct winbindd_domain *domain_list = NULL;
635 /* Given a domain name, return the struct winbindd domain info for it
636 if it is actually working. */
638 struct winbindd_domain *find_domain_from_name(char *domain_name)
640 struct winbindd_domain *tmp;
642 /* Search through list */
644 for (tmp = domain_list; tmp != NULL; tmp = tmp->next) {
645 if (strcmp(domain_name, tmp->name) == 0) {
647 if (!tmp->got_domain_info) {
648 get_domain_info(tmp);
651 return tmp->got_domain_info ? tmp : NULL;
660 /* Given a domain name, return the struct winbindd domain info for it */
662 struct winbindd_domain *find_domain_from_sid(DOM_SID *sid)
664 struct winbindd_domain *tmp;
666 /* Search through list */
667 for (tmp = domain_list; tmp != NULL; tmp = tmp->next) {
668 if (sid_equal(sid, &tmp->sid)) {
669 if (!tmp->got_domain_info) return NULL;
678 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
680 void free_getent_state(struct getent_state *state)
682 struct getent_state *temp;
684 /* Iterate over state list */
688 while(temp != NULL) {
689 struct getent_state *next;
691 /* Free sam entries then list entry */
693 safe_free(state->sam_entries);
694 DLIST_REMOVE(state, state);
702 /* Parse list of arguments to winbind uid or winbind gid parameters */
704 static BOOL parse_id_list(char *paramstr, BOOL is_user)
706 uid_t id_low, id_high = 0;
708 /* Give a nicer error message if no parameters specified */
710 if (strequal(paramstr, "")) {
711 DEBUG(0, ("winbind %s parameter missing\n", is_user ? "uid" : "gid"));
717 if (sscanf(paramstr, "%u-%u", &id_low, &id_high) != 2) {
718 DEBUG(0, ("winbind %s parameter invalid\n",
719 is_user ? "uid" : "gid"));
726 server_state.uid_low = id_low;
727 server_state.uid_high = id_high;
729 server_state.gid_low = id_low;
730 server_state.gid_high = id_high;
736 /* Initialise trusted domain info */
738 BOOL winbindd_param_init(void)
740 /* Parse winbind uid and winbind_gid parameters */
742 if (!(parse_id_list(lp_winbind_uid(), True) &&
743 parse_id_list(lp_winbind_gid(), False))) {
747 /* Check for reversed uid and gid ranges */
749 if (server_state.uid_low > server_state.uid_high) {
750 DEBUG(0, ("uid range invalid\n"));
754 if (server_state.gid_low > server_state.gid_high) {
755 DEBUG(0, ("gid range invalid\n"));
762 /* Convert a enum winbindd_cmd to a string */
764 struct cmdstr_table {
765 enum winbindd_cmd cmd;
769 static struct cmdstr_table cmdstr_table[] = {
773 { WINBINDD_GETPWNAM_FROM_USER, "getpwnam from user" },
774 { WINBINDD_GETPWNAM_FROM_UID, "getpwnam from uid" },
775 { WINBINDD_SETPWENT, "setpwent" },
776 { WINBINDD_ENDPWENT, "endpwent" },
777 { WINBINDD_GETPWENT, "getpwent" },
778 { WINBINDD_GETGROUPS, "getgroups" },
780 /* Group functions */
782 { WINBINDD_GETGRNAM_FROM_GROUP, "getgrnam from group" },
783 { WINBINDD_GETGRNAM_FROM_GID, "getgrnam from gid" },
784 { WINBINDD_SETGRENT, "setgrent" },
785 { WINBINDD_ENDGRENT, "endgrent" },
786 { WINBINDD_GETGRENT, "getgrent" },
788 /* PAM auth functions */
790 { WINBINDD_PAM_AUTH, "pam auth" },
791 { WINBINDD_PAM_AUTH_CRAP, "pam auth crap" },
792 { WINBINDD_PAM_CHAUTHTOK, "pam chauthtok" },
796 { WINBINDD_LIST_USERS, "list users" },
797 { WINBINDD_LIST_GROUPS, "list groups" },
798 { WINBINDD_LIST_TRUSTDOM, "list trusted domains" },
800 /* SID related functions */
802 { WINBINDD_LOOKUPSID, "lookup sid" },
803 { WINBINDD_LOOKUPNAME, "lookup name" },
805 /* S*RS related functions */
807 { WINBINDD_SID_TO_UID, "sid to uid" },
808 { WINBINDD_SID_TO_GID, "sid to gid " },
809 { WINBINDD_GID_TO_SID, "gid to sid" },
810 { WINBINDD_UID_TO_SID, "uid to sid" },
812 /* Miscellaneous other stuff */
814 { WINBINDD_CHECK_MACHACC, "check machine acct pw" },
818 { WINBINDD_NUM_CMDS, NULL }
821 char *winbindd_cmd_to_string(enum winbindd_cmd cmd)
823 struct cmdstr_table *table = cmdstr_table;
826 for(table = cmdstr_table; table->desc; table++) {
827 if (cmd == table->cmd) {
828 result = table->desc;
833 if (result == NULL) {
834 result = "invalid command";
840 /* find the sequence number for a domain */
842 uint32 domain_sequence_number(char *domain_name)
844 struct winbindd_domain *domain;
847 domain = find_domain_from_name(domain_name);
848 if (!domain) return DOM_SEQUENCE_NONE;
850 if (!wb_samr_query_dom_info(&domain->sam_dom_handle, 2, &ctr)) {
852 /* If this fails, something bad has gone wrong */
854 winbindd_kill_connections(domain);
856 DEBUG(2,("domain sequence query failed\n"));
857 return DOM_SEQUENCE_NONE;
860 DEBUG(4,("got domain sequence number for %s of %u\n",
861 domain_name, (unsigned)ctr.info.inf2.seq_num));
863 return ctr.info.inf2.seq_num;
866 /* Query display info for a domain. This returns enough information plus a
867 bit extra to give an overview of domain users for the User Manager
870 uint32 winbindd_query_dispinfo(struct winbindd_domain *domain,
871 uint32 *start_ndx, uint16 info_level,
872 uint32 *num_entries, SAM_DISPINFO_CTR *ctr)
876 status = wb_samr_query_dispinfo(&domain->sam_dom_handle, start_ndx,
877 info_level, num_entries, ctr);
882 /* Check if a domain is present in a comma-separated list of domains */
884 BOOL check_domain_env(char *domain_env, char *domain)
887 char *tmp = domain_env;
889 while(next_token(&tmp, name, ",", sizeof(fstring))) {
890 if (strequal(name, domain)) {
899 /* Parse a string of the form DOMAIN/user into a domain and a user */
901 void parse_domain_user(char *domuser, fstring domain, fstring user)
904 char *sep = lp_winbind_separator();
905 if (!sep) sep = "\\";
906 p = strchr(domuser,*sep);
907 if (!p) p = strchr(domuser,'\\');
910 fstrcpy(user, domuser);
915 fstrcpy(domain, domuser);
916 domain[PTR_DIFF(p, domuser)] = 0;