2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "lib/util_unixsids.h"
27 #include "../libcli/security/security.h"
28 #include "../libcli/auth/pam_errors.h"
29 #include "passdb/machine_sid.h"
31 #include "source4/lib/messaging/messaging.h"
32 #include "librpc/gen_ndr/ndr_lsa.h"
33 #include "librpc/gen_ndr/ndr_drsblobs.h"
34 #include "auth/credentials/credentials.h"
35 #include "libsmb/samlogon_cache.h"
36 #include "lib/util/smb_strtox.h"
37 #include "lib/util/string_wrappers.h"
38 #include "lib/global_contexts.h"
39 #include "librpc/gen_ndr/ndr_winbind_c.h"
42 #define DBGC_CLASS DBGC_WINBIND
45 * @file winbindd_util.c
47 * Winbind daemon for NT domain authentication nss module.
50 static bool add_trusted_domains_dc(void);
52 /* The list of trusted domains. Note that the list can be deleted and
53 recreated using the init_domain_list() function so pointers to
54 individual winbindd_domain structures cannot be made. Keep a copy of
55 the domain name instead. */
57 static struct winbindd_domain *_domain_list = NULL;
59 struct winbindd_domain *domain_list(void)
63 if ((!_domain_list) && (!init_domain_list())) {
64 smb_panic("Init_domain_list failed");
70 /* Free all entries in the trusted domain list */
72 static void free_domain_list(void)
74 struct winbindd_domain *domain = _domain_list;
77 struct winbindd_domain *next = domain->next;
79 DLIST_REMOVE(_domain_list, domain);
86 * Iterator for winbindd's domain list.
87 * To be used (e.g.) in tevent based loops.
89 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
92 domain = domain_list();
94 domain = domain->next;
97 if ((domain != NULL) &&
98 (lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC) &&
99 sid_check_is_our_sam(&domain->sid))
101 domain = domain->next;
107 static bool is_internal_domain(const struct dom_sid *sid)
112 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
115 /* Add a trusted domain to our list of domains.
116 If the domain already exists in the list,
117 return it and don't re-initialize. */
119 static NTSTATUS add_trusted_domain(const char *domain_name,
120 const char *dns_name,
121 const struct dom_sid *sid,
123 uint32_t trust_flags,
124 uint32_t trust_attribs,
125 enum netr_SchannelType secure_channel_type,
126 struct winbindd_domain *routing_domain,
127 struct winbindd_domain **_d)
129 struct winbindd_domain *domain = NULL;
130 int role = lp_server_role();
131 struct dom_sid_buf buf;
133 if (is_null_sid(sid)) {
134 DBG_ERR("Got null SID for domain [%s]\n", domain_name);
135 return NT_STATUS_INVALID_PARAMETER;
138 if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
139 return NT_STATUS_NO_SUCH_DOMAIN;
143 * We can't call domain_list() as this function is called from
144 * init_domain_list() and we'll get stuck in a loop.
146 for (domain = _domain_list; domain; domain = domain->next) {
147 if (strequal(domain_name, domain->name)) {
152 if (domain != NULL) {
153 struct winbindd_domain *check_domain = NULL;
155 for (check_domain = _domain_list;
156 check_domain != NULL;
157 check_domain = check_domain->next)
159 if (check_domain == domain) {
163 if (dom_sid_equal(&check_domain->sid, sid)) {
168 if (check_domain != NULL) {
169 DBG_ERR("SID [%s] already used by domain [%s], "
171 dom_sid_str_buf(sid, &buf),
174 return NT_STATUS_INVALID_PARAMETER;
178 if ((domain != NULL) && (dns_name != NULL)) {
179 struct winbindd_domain *check_domain = NULL;
181 for (check_domain = _domain_list;
182 check_domain != NULL;
183 check_domain = check_domain->next)
185 if (check_domain == domain) {
189 if (strequal(check_domain->alt_name, dns_name)) {
194 if (check_domain != NULL) {
195 DBG_ERR("DNS name [%s] used by domain [%s], "
197 dns_name, check_domain->name,
199 return NT_STATUS_INVALID_PARAMETER;
203 if (domain != NULL) {
208 /* Create new domain entry */
209 domain = talloc_zero(NULL, struct winbindd_domain);
210 if (domain == NULL) {
211 return NT_STATUS_NO_MEMORY;
214 domain->children = talloc_zero_array(domain,
215 struct winbindd_child,
216 lp_winbind_max_domain_connections());
217 if (domain->children == NULL) {
219 return NT_STATUS_NO_MEMORY;
222 domain->queue = tevent_queue_create(domain, "winbind_domain");
223 if (domain->queue == NULL) {
225 return NT_STATUS_NO_MEMORY;
228 domain->binding_handle = wbint_binding_handle(domain, domain, NULL);
229 if (domain->binding_handle == NULL) {
231 return NT_STATUS_NO_MEMORY;
234 domain->name = talloc_strdup(domain, domain_name);
235 if (domain->name == NULL) {
237 return NT_STATUS_NO_MEMORY;
240 if (dns_name != NULL) {
241 domain->alt_name = talloc_strdup(domain, dns_name);
242 if (domain->alt_name == NULL) {
244 return NT_STATUS_NO_MEMORY;
248 domain->backend = NULL;
249 domain->internal = is_internal_domain(sid);
250 domain->secure_channel_type = secure_channel_type;
251 domain->sequence_number = DOM_SEQUENCE_NONE;
252 domain->last_seq_check = 0;
253 domain->initialized = false;
254 domain->online = is_internal_domain(sid);
255 domain->domain_flags = trust_flags;
256 domain->domain_type = trust_type;
257 domain->domain_trust_attribs = trust_attribs;
258 domain->secure_channel_type = secure_channel_type;
259 domain->routing_domain = routing_domain;
260 sid_copy(&domain->sid, sid);
262 /* Is this our primary domain ? */
263 if (role == ROLE_DOMAIN_MEMBER) {
264 domain->primary = strequal(domain_name, lp_workgroup());
266 domain->primary = strequal(domain_name, get_global_sam_name());
269 if (domain->primary) {
270 if (role == ROLE_ACTIVE_DIRECTORY_DC) {
271 domain->active_directory = true;
273 if (lp_security() == SEC_ADS) {
274 domain->active_directory = true;
276 } else if (!domain->internal) {
277 if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) {
278 domain->active_directory = true;
282 domain->can_do_ncacn_ip_tcp = domain->active_directory;
284 /* Link to domain list */
285 DLIST_ADD_END(_domain_list, domain);
287 wcache_tdc_add_domain( domain );
289 setup_domain_child(domain);
291 DBG_NOTICE("Added domain [%s] [%s] [%s]\n",
292 domain->name, domain->alt_name,
293 dom_sid_str_buf(&domain->sid, &buf));
299 bool set_routing_domain(struct winbindd_domain *domain,
300 struct winbindd_domain *routing_domain)
302 if (domain->routing_domain == NULL) {
303 domain->routing_domain = routing_domain;
306 if (domain->routing_domain != routing_domain) {
312 bool add_trusted_domain_from_auth(uint16_t validation_level,
313 struct info3_text *info3,
314 struct info6_text *info6)
316 struct winbindd_domain *domain = NULL;
317 struct dom_sid domain_sid;
318 const char *dns_domainname = NULL;
323 * We got a successful auth from a domain that might not yet be in our
324 * domain list. If we're a member we trust our DC who authenticated the
325 * user from that domain and add the domain to our list on-the-fly. If
326 * we're a DC we rely on configured trusts and don't add on-the-fly.
333 ok = dom_sid_parse(info3->dom_sid, &domain_sid);
335 DBG_NOTICE("dom_sid_parse [%s] failed\n", info3->dom_sid);
339 if (validation_level == 6) {
340 if (!strequal(info6->dns_domainname, "")) {
341 dns_domainname = info6->dns_domainname;
345 status = add_trusted_domain(info3->logon_dom,
349 NETR_TRUST_FLAG_OUTBOUND,
352 find_default_route_domain(),
354 if (!NT_STATUS_IS_OK(status) &&
355 !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
357 DBG_DEBUG("Adding domain [%s] with sid [%s] failed\n",
358 info3->logon_dom, info3->dom_sid);
365 bool domain_is_forest_root(const struct winbindd_domain *domain)
367 const uint32_t fr_flags =
368 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
370 return ((domain->domain_flags & fr_flags) == fr_flags);
373 /********************************************************************
374 rescan our domains looking for new trusted domains
375 ********************************************************************/
377 struct trustdom_state {
378 struct winbindd_domain *domain;
379 struct netr_DomainTrustList trusts;
382 static void trustdom_list_done(struct tevent_req *req);
383 static void rescan_forest_root_trusts( void );
384 static void rescan_forest_trusts( void );
386 static void add_trusted_domains( struct winbindd_domain *domain )
388 struct tevent_context *ev = global_event_context();
389 struct trustdom_state *state;
390 struct tevent_req *req;
391 const char *client_name = NULL;
394 state = talloc_zero(NULL, struct trustdom_state);
396 DEBUG(0, ("talloc failed\n"));
399 state->domain = domain;
401 /* Called from timer, not from a real client */
402 client_name = getprogname();
403 client_pid = getpid();
405 req = dcerpc_wbint_ListTrustedDomains_send(state,
407 dom_child_handle(domain),
412 DBG_ERR("dcerpc_wbint_ListTrustedDomains_send failed\n");
416 tevent_req_set_callback(req, trustdom_list_done, state);
419 static void trustdom_list_done(struct tevent_req *req)
421 struct trustdom_state *state = tevent_req_callback_data(
422 req, struct trustdom_state);
423 bool within_forest = false;
424 NTSTATUS status, result;
428 * Only when we enumerate our primary domain
429 * or our forest root domain, we should keep
430 * the NETR_TRUST_FLAG_IN_FOREST flag, in
431 * all other cases we need to clear it as the domain
432 * is not part of our forest.
434 if (state->domain->primary) {
435 within_forest = true;
436 } else if (domain_is_forest_root(state->domain)) {
437 within_forest = true;
440 status = dcerpc_wbint_ListTrustedDomains_recv(req, state, &result);
441 if (any_nt_status_not_ok(status, result, &status)) {
442 DBG_WARNING("Could not receive trusts for domain %s: %s-%s\n",
443 state->domain->name, nt_errstr(status),
449 for (i=0; i<state->trusts.count; i++) {
450 struct netr_DomainTrust *trust = &state->trusts.array[i];
451 struct winbindd_domain *domain = NULL;
453 if (!within_forest) {
454 trust->trust_flags &= ~NETR_TRUST_FLAG_IN_FOREST;
457 if (!state->domain->primary) {
458 trust->trust_flags &= ~NETR_TRUST_FLAG_PRIMARY;
462 * We always call add_trusted_domain() cause on an existing
463 * domain structure, it will update the SID if necessary.
464 * This is important because we need the SID for sibling
467 status = add_trusted_domain(trust->netbios_name,
472 trust->trust_attributes,
474 find_default_route_domain(),
476 if (!NT_STATUS_IS_OK(status) &&
477 !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
479 DBG_NOTICE("add_trusted_domain returned %s\n",
486 Cases to consider when scanning trusts:
487 (a) we are calling from a child domain (primary && !forest_root)
488 (b) we are calling from the root of the forest (primary && forest_root)
489 (c) we are calling from a trusted forest domain (!primary
493 if (state->domain->primary) {
494 /* If this is our primary domain and we are not in the
495 forest root, we have to scan the root trusts first */
497 if (!domain_is_forest_root(state->domain))
498 rescan_forest_root_trusts();
500 rescan_forest_trusts();
502 } else if (domain_is_forest_root(state->domain)) {
503 /* Once we have done root forest trust search, we can
504 go on to search the trusted forests */
506 rescan_forest_trusts();
514 /********************************************************************
515 Scan the trusts of our forest root
516 ********************************************************************/
518 static void rescan_forest_root_trusts( void )
520 struct winbindd_tdc_domain *dom_list = NULL;
521 size_t num_trusts = 0;
525 /* The only transitive trusts supported by Windows 2003 AD are
526 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
527 first two are handled in forest and listed by
528 DsEnumerateDomainTrusts(). Forest trusts are not so we
529 have to do that ourselves. */
531 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
534 for ( i=0; i<num_trusts; i++ ) {
535 struct winbindd_domain *d = NULL;
537 /* Find the forest root. Don't necessarily trust
538 the domain_list() as our primary domain may not
539 have been initialized. */
541 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
545 /* Here's the forest root */
547 d = find_domain_from_name_noinit( dom_list[i].domain_name );
549 status = add_trusted_domain(dom_list[i].domain_name,
550 dom_list[i].dns_name,
552 dom_list[i].trust_type,
553 dom_list[i].trust_flags,
554 dom_list[i].trust_attribs,
556 find_default_route_domain(),
559 if (!NT_STATUS_IS_OK(status) &&
560 NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
562 DBG_ERR("add_trusted_domain returned %s\n",
571 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
572 "for domain tree root %s (%s)\n",
573 d->name, d->alt_name ));
575 d->domain_flags = dom_list[i].trust_flags;
576 d->domain_type = dom_list[i].trust_type;
577 d->domain_trust_attribs = dom_list[i].trust_attribs;
579 add_trusted_domains( d );
584 TALLOC_FREE( dom_list );
589 /********************************************************************
590 scan the transitive forest trusts (not our own)
591 ********************************************************************/
594 static void rescan_forest_trusts( void )
596 struct winbindd_domain *d = NULL;
597 struct winbindd_tdc_domain *dom_list = NULL;
598 size_t num_trusts = 0;
602 /* The only transitive trusts supported by Windows 2003 AD are
603 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
604 first two are handled in forest and listed by
605 DsEnumerateDomainTrusts(). Forest trusts are not so we
606 have to do that ourselves. */
608 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
611 for ( i=0; i<num_trusts; i++ ) {
612 uint32_t flags = dom_list[i].trust_flags;
613 uint32_t type = dom_list[i].trust_type;
614 uint32_t attribs = dom_list[i].trust_attribs;
616 d = find_domain_from_name_noinit( dom_list[i].domain_name );
618 /* ignore our primary and internal domains */
620 if ( d && (d->internal || d->primary ) )
623 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
624 (type == LSA_TRUST_TYPE_UPLEVEL) &&
625 (attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
627 /* add the trusted domain if we don't know
631 status = add_trusted_domain(
632 dom_list[i].domain_name,
633 dom_list[i].dns_name,
639 find_default_route_domain(),
641 if (!NT_STATUS_IS_OK(status) &&
642 NT_STATUS_EQUAL(status,
643 NT_STATUS_NO_SUCH_DOMAIN))
645 DBG_ERR("add_trusted_domain: %s\n",
655 DEBUG(10,("Following trust path for domain %s (%s)\n",
656 d->name, d->alt_name ));
657 add_trusted_domains( d );
661 TALLOC_FREE( dom_list );
666 /*********************************************************************
667 The process of updating the trusted domain list is a three step
670 (b) ask the root domain in our forest
671 (c) ask a DC in any Win2003 trusted forests
672 *********************************************************************/
674 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
675 struct timeval now, void *private_data)
679 /* I used to clear the cache here and start over but that
680 caused problems in child processes that needed the
681 trust dom list early on. Removing it means we
682 could have some trusted domains listed that have been
683 removed from our primary domain's DC until a full
684 restart. This should be ok since I think this is what
685 Windows does as well. */
687 /* this will only add new domains we didn't already know about
688 in the domain_list()*/
690 add_trusted_domains( find_our_domain() );
692 te = tevent_add_timer(
693 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
694 rescan_trusted_domains, NULL);
696 * If te == NULL, there's not much we can do here. Don't fail, the
697 * only thing we miss is new trusted domains.
703 static void wbd_ping_dc_done(struct tevent_req *subreq);
705 void winbindd_ping_offline_domains(struct tevent_context *ev,
706 struct tevent_timer *te,
710 struct winbindd_domain *domain = NULL;
714 for (domain = domain_list(); domain != NULL; domain = domain->next) {
715 DBG_DEBUG("Domain %s is %s\n",
717 domain->online ? "online" : "offline");
719 if (get_global_winbindd_state_offline()) {
720 DBG_DEBUG("We are globally offline, do nothing.\n");
724 if (domain->online ||
725 domain->check_online_event != NULL ||
726 domain->secure_channel_type == SEC_CHAN_NULL) {
730 winbindd_flush_negative_conn_cache(domain);
732 domain->check_online_event =
733 dcerpc_wbint_PingDc_send(domain,
735 dom_child_handle(domain),
736 &domain->ping_dcname);
737 if (domain->check_online_event == NULL) {
738 DBG_WARNING("Failed to schedule ping, no-memory\n");
742 tevent_req_set_callback(domain->check_online_event,
743 wbd_ping_dc_done, domain);
746 te = tevent_add_timer(ev,
748 timeval_current_ofs(lp_winbind_reconnect_delay(),
750 winbindd_ping_offline_domains,
753 DBG_ERR("Failed to schedule winbindd_ping_offline_domains()\n");
759 static void wbd_ping_dc_done(struct tevent_req *subreq)
761 struct winbindd_domain *domain =
762 tevent_req_callback_data(subreq,
763 struct winbindd_domain);
764 NTSTATUS status, result;
766 SMB_ASSERT(subreq == domain->check_online_event);
767 domain->check_online_event = NULL;
769 status = dcerpc_wbint_PingDc_recv(subreq, domain, &result);
771 if (any_nt_status_not_ok(status, result, &status)) {
772 DBG_WARNING("dcerpc_wbint_PingDc_recv failed for domain: "
779 DBG_DEBUG("dcerpc_wbint_PingDc_recv() succeeded, "
780 "domain: %s, dc-name: %s\n",
782 domain->ping_dcname);
784 talloc_free(discard_const(domain->ping_dcname));
785 domain->ping_dcname = NULL;
790 static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
793 struct server_id server_id,
801 DBG_WARNING("Received %zu fds, ignoring message\n", num_fds);
805 DBG_NOTICE("Rescanning trusted domains\n");
807 ok = add_trusted_domains_dc();
809 DBG_ERR("Failed to reload trusted domains\n");
814 * We did not get the secret when we queried secrets.tdb, so read it
815 * from secrets.tdb and re-sync the databases
817 static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
820 struct cli_credentials *creds;
821 NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
822 NULL, domain, &creds);
823 if (!NT_STATUS_IS_OK(can_migrate)) {
824 DEBUG(0, ("Failed to fetch our own local AD domain join "
825 "password for winbindd's internal use, both from "
826 "secrets.tdb and secrets.ldb: %s\n",
827 nt_errstr(can_migrate)));
832 * NOTE: It is very unlikely we end up here if there is an
833 * oldpass, because a new password is created at
834 * classicupgrade, so this is not a concern.
836 ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
838 cli_credentials_get_domain(creds),
839 cli_credentials_get_realm(creds),
840 cli_credentials_get_salt_principal(creds),
841 0, /* Supported enc types, unused */
843 cli_credentials_get_password_last_changed_time(creds),
844 cli_credentials_get_secure_channel_type(creds),
845 false /* do_delete: Do not delete */);
848 DEBUG(0, ("Failed to write our own "
849 "local AD domain join password for "
850 "winbindd's internal use into secrets.tdb\n"));
856 static bool add_trusted_domains_dc(void)
858 struct winbindd_domain *domain = NULL;
859 struct pdb_trusted_domain **domains = NULL;
860 uint32_t num_domains = 0;
864 if (!(pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX)) {
865 struct trustdom_info **ti = NULL;
867 status = pdb_enum_trusteddoms(talloc_tos(), &num_domains, &ti);
868 if (!NT_STATUS_IS_OK(status)) {
869 DBG_ERR("pdb_enum_trusteddoms() failed - %s\n",
874 for (i = 0; i < num_domains; i++) {
875 status = add_trusted_domain(ti[i]->name,
878 LSA_TRUST_TYPE_DOWNLEVEL,
879 NETR_TRUST_FLAG_OUTBOUND,
884 if (!NT_STATUS_IS_OK(status)) {
885 DBG_NOTICE("add_trusted_domain returned %s\n",
894 status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, &domains);
895 if (!NT_STATUS_IS_OK(status)) {
896 DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
901 for (i = 0; i < num_domains; i++) {
902 enum netr_SchannelType sec_chan_type = SEC_CHAN_DOMAIN;
903 uint32_t trust_flags = 0;
905 if (domains[i]->trust_type == LSA_TRUST_TYPE_UPLEVEL) {
906 sec_chan_type = SEC_CHAN_DNS_DOMAIN;
909 if (!(domains[i]->trust_direction & LSA_TRUST_DIRECTION_OUTBOUND)) {
910 sec_chan_type = SEC_CHAN_NULL;
913 if (domains[i]->trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
914 trust_flags |= NETR_TRUST_FLAG_INBOUND;
916 if (domains[i]->trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
917 trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
919 if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
920 trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
923 if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
925 * We don't support selective authentication yet.
927 DBG_WARNING("Ignoring CROSS_ORGANIZATION trust to "
929 domains[i]->netbios_name,
930 domains[i]->domain_name);
934 status = add_trusted_domain(domains[i]->netbios_name,
935 domains[i]->domain_name,
936 &domains[i]->security_identifier,
937 domains[i]->trust_type,
939 domains[i]->trust_attributes,
943 if (!NT_STATUS_IS_OK(status)) {
944 DBG_NOTICE("add_trusted_domain returned %s\n",
949 if (domains[i]->trust_type == LSA_TRUST_TYPE_UPLEVEL) {
950 domain->active_directory = true;
952 domain->domain_type = domains[i]->trust_type;
953 domain->domain_trust_attribs = domains[i]->trust_attributes;
956 for (i = 0; i < num_domains; i++) {
957 struct ForestTrustInfo fti;
959 enum ndr_err_code ndr_err;
960 struct winbindd_domain *routing_domain = NULL;
962 if (domains[i]->trust_type != LSA_TRUST_TYPE_UPLEVEL) {
966 if (!(domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) {
970 if (domains[i]->trust_forest_trust_info.length == 0) {
974 routing_domain = find_domain_from_name_noinit(
975 domains[i]->netbios_name);
976 if (routing_domain == NULL) {
977 DBG_ERR("Can't find winbindd domain [%s]\n",
978 domains[i]->netbios_name);
982 ndr_err = ndr_pull_struct_blob_all(
983 &domains[i]->trust_forest_trust_info,
985 (ndr_pull_flags_fn_t)ndr_pull_ForestTrustInfo);
986 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
987 DBG_ERR("ndr_pull_ForestTrustInfo(%s) - %s\n",
988 domains[i]->netbios_name,
989 ndr_map_error2string(ndr_err));
993 for (fi = 0; fi < fti.count; fi++) {
994 struct ForestTrustInfoRecord *rec =
995 &fti.records[fi].record;
996 struct ForestTrustDataDomainInfo *drec = NULL;
998 if (rec->type != FOREST_TRUST_DOMAIN_INFO) {
1001 drec = &rec->data.info;
1003 if (rec->flags & LSA_NB_DISABLED_MASK) {
1007 if (rec->flags & LSA_SID_DISABLED_MASK) {
1013 * also try to find a matching
1014 * LSA_TLN_DISABLED_MASK ???
1017 domain = find_domain_from_name_noinit(drec->netbios_name.string);
1018 if (domain != NULL) {
1022 status = add_trusted_domain(drec->netbios_name.string,
1023 drec->dns_name.string,
1025 LSA_TRUST_TYPE_UPLEVEL,
1026 NETR_TRUST_FLAG_OUTBOUND,
1031 if (!NT_STATUS_IS_OK(status)) {
1032 DBG_NOTICE("add_trusted_domain returned %s\n",
1036 if (domain == NULL) {
1046 /* Look up global info for the winbind daemon */
1047 bool init_domain_list(void)
1049 int role = lp_server_role();
1050 struct pdb_domain_info *pdb_domain_info = NULL;
1051 struct winbindd_domain *domain = NULL;
1055 /* Free existing list */
1058 /* BUILTIN domain */
1060 status = add_trusted_domain("BUILTIN",
1062 &global_sid_Builtin,
1063 LSA_TRUST_TYPE_DOWNLEVEL,
1064 0, /* trust_flags */
1065 0, /* trust_attribs */
1069 if (!NT_STATUS_IS_OK(status)) {
1070 DBG_ERR("add_trusted_domain BUILTIN returned %s\n",
1078 * In case the passdb backend is passdb_dsdb the domain SID comes from
1079 * dsdb, not from secrets.tdb. As we use the domain SID in various
1080 * places, we must ensure the domain SID is migrated from dsdb to
1081 * secrets.tdb before get_global_sam_sid() is called the first time.
1083 * The migration is done as part of the passdb_dsdb initialisation,
1084 * calling pdb_get_domain_info() triggers it.
1086 pdb_domain_info = pdb_get_domain_info(talloc_tos());
1088 if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
1089 uint32_t trust_flags;
1091 enum netr_SchannelType sec_chan_type;
1092 const char *account_name;
1093 struct samr_Password current_nt_hash;
1095 if (pdb_domain_info == NULL) {
1096 DEBUG(0, ("Failed to fetch our own local AD "
1097 "domain info from sam.ldb\n"));
1101 trust_flags = NETR_TRUST_FLAG_PRIMARY;
1102 trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
1103 trust_flags |= NETR_TRUST_FLAG_NATIVE;
1104 trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
1106 is_root = strequal(pdb_domain_info->dns_domain,
1107 pdb_domain_info->dns_forest);
1109 trust_flags |= NETR_TRUST_FLAG_TREEROOT;
1112 status = add_trusted_domain(pdb_domain_info->name,
1113 pdb_domain_info->dns_domain,
1114 &pdb_domain_info->sid,
1115 LSA_TRUST_TYPE_UPLEVEL,
1117 LSA_TRUST_ATTRIBUTE_WITHIN_FOREST,
1121 TALLOC_FREE(pdb_domain_info);
1122 if (!NT_STATUS_IS_OK(status)) {
1123 DBG_ERR("Failed to add our own local AD "
1124 "domain to winbindd's internal list\n");
1129 * We need to call this to find out if we are an RODC
1131 ok = get_trust_pw_hash(domain->name,
1132 current_nt_hash.hash,
1137 * If get_trust_pw_hash() fails, then try and
1138 * fetch the password from the more recent of
1139 * secrets.{ldb,tdb} using the
1140 * pdb_get_trust_credentials()
1142 ok = migrate_secrets_tdb_to_ldb(domain);
1145 DEBUG(0, ("Failed to migrate our own "
1146 "local AD domain join password for "
1147 "winbindd's internal use into "
1151 ok = get_trust_pw_hash(domain->name,
1152 current_nt_hash.hash,
1156 DEBUG(0, ("Failed to find our own just "
1157 "written local AD domain join "
1158 "password for winbindd's internal "
1159 "use in secrets.tdb\n"));
1164 domain->secure_channel_type = sec_chan_type;
1165 if (sec_chan_type == SEC_CHAN_RODC) {
1166 domain->rodc = true;
1170 uint32_t trust_flags;
1171 enum netr_SchannelType secure_channel_type;
1173 trust_flags = NETR_TRUST_FLAG_OUTBOUND;
1174 if (role != ROLE_DOMAIN_MEMBER) {
1175 trust_flags |= NETR_TRUST_FLAG_PRIMARY;
1178 if (role > ROLE_DOMAIN_MEMBER) {
1179 secure_channel_type = SEC_CHAN_BDC;
1181 secure_channel_type = SEC_CHAN_LOCAL;
1184 if ((pdb_domain_info != NULL) && (role == ROLE_IPA_DC)) {
1185 /* This is IPA DC that presents itself as
1186 * an Active Directory domain controller to trusted AD
1187 * forests but in fact is a classic domain controller.
1189 trust_flags = NETR_TRUST_FLAG_PRIMARY;
1190 trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
1191 trust_flags |= NETR_TRUST_FLAG_NATIVE;
1192 trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
1193 trust_flags |= NETR_TRUST_FLAG_TREEROOT;
1194 status = add_trusted_domain(pdb_domain_info->name,
1195 pdb_domain_info->dns_domain,
1196 &pdb_domain_info->sid,
1197 LSA_TRUST_TYPE_UPLEVEL,
1199 LSA_TRUST_ATTRIBUTE_WITHIN_FOREST,
1200 secure_channel_type,
1203 TALLOC_FREE(pdb_domain_info);
1205 status = add_trusted_domain(get_global_sam_name(),
1207 get_global_sam_sid(),
1208 LSA_TRUST_TYPE_DOWNLEVEL,
1210 0, /* trust_attribs */
1211 secure_channel_type,
1215 if (!NT_STATUS_IS_OK(status)) {
1216 DBG_ERR("Failed to add local SAM to "
1217 "domain to winbindd's internal list\n");
1223 ok = add_trusted_domains_dc();
1225 DBG_ERR("init_domain_list_dc failed\n");
1230 if ( role == ROLE_DOMAIN_MEMBER ) {
1231 struct dom_sid our_sid;
1232 uint32_t trust_type;
1234 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
1235 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
1239 if (lp_realm() != NULL) {
1240 trust_type = LSA_TRUST_TYPE_UPLEVEL;
1242 trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
1245 status = add_trusted_domain(lp_workgroup(),
1249 NETR_TRUST_FLAG_PRIMARY|
1250 NETR_TRUST_FLAG_OUTBOUND,
1251 0, /* trust_attribs */
1255 if (!NT_STATUS_IS_OK(status)) {
1256 DBG_ERR("Failed to add local SAM to "
1257 "domain to winbindd's internal list\n");
1262 status = imessaging_register(winbind_imessaging_context(), NULL,
1263 MSG_WINBIND_RELOAD_TRUSTED_DOMAINS,
1264 wb_imsg_new_trusted_domain);
1265 if (!NT_STATUS_IS_OK(status)) {
1266 DBG_ERR("imessaging_register failed %s\n", nt_errstr(status));
1274 * Given a domain name, return the struct winbindd domain info for it
1276 * @note Do *not* pass lp_workgroup() to this function. domain_list
1277 * may modify it's value, and free that pointer. Instead, our local
1278 * domain may be found by calling find_our_domain().
1282 * @return The domain structure for the named domain, if it is working.
1285 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
1287 struct winbindd_domain *domain;
1289 /* Search through list */
1291 for (domain = domain_list(); domain != NULL; domain = domain->next) {
1292 if (strequal(domain_name, domain->name)) {
1295 if (domain->alt_name == NULL) {
1298 if (strequal(domain_name, domain->alt_name)) {
1309 * Given a domain name, return the struct winbindd domain if it's a direct
1312 * @return The domain structure for the named domain, if it is a direct outgoing trust
1314 struct winbindd_domain *find_trust_from_name_noinit(const char *domain_name)
1316 struct winbindd_domain *domain = NULL;
1318 domain = find_domain_from_name_noinit(domain_name);
1319 if (domain == NULL) {
1323 if (domain->secure_channel_type != SEC_CHAN_NULL) {
1330 struct winbindd_domain *find_domain_from_name(const char *domain_name)
1332 struct winbindd_domain *domain;
1334 domain = find_domain_from_name_noinit(domain_name);
1339 if (!domain->initialized)
1340 init_dc_connection(domain, false);
1345 /* Given a domain sid, return the struct winbindd domain info for it */
1347 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
1349 struct winbindd_domain *domain;
1351 /* Search through list */
1353 for (domain = domain_list(); domain != NULL; domain = domain->next) {
1354 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
1364 * Given a domain sid, return the struct winbindd domain if it's a direct
1367 * @return The domain structure for the specified domain, if it is a direct outgoing trust
1369 struct winbindd_domain *find_trust_from_sid_noinit(const struct dom_sid *sid)
1371 struct winbindd_domain *domain = NULL;
1373 domain = find_domain_from_sid_noinit(sid);
1374 if (domain == NULL) {
1378 if (domain->secure_channel_type != SEC_CHAN_NULL) {
1385 /* Given a domain sid, return the struct winbindd domain info for it */
1387 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
1389 struct winbindd_domain *domain;
1391 domain = find_domain_from_sid_noinit(sid);
1396 if (!domain->initialized)
1397 init_dc_connection(domain, false);
1402 struct winbindd_domain *find_our_domain(void)
1404 struct winbindd_domain *domain;
1406 /* Search through list */
1408 for (domain = domain_list(); domain != NULL; domain = domain->next) {
1409 if (domain->primary)
1413 smb_panic("Could not find our domain");
1417 struct winbindd_domain *find_default_route_domain(void)
1420 return find_our_domain();
1422 DBG_DEBUG("Routing logic not yet implemented on a DC\n");
1426 /* Find the appropriate domain to lookup a name or SID */
1428 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
1430 struct dom_sid_buf buf;
1432 DBG_DEBUG("SID [%s]\n", dom_sid_str_buf(sid, &buf));
1435 * SIDs in the S-1-22-{1,2} domain and well-known SIDs should be handled
1439 if ( sid_check_is_in_unix_groups(sid) ||
1440 sid_check_is_unix_groups(sid) ||
1441 sid_check_is_in_unix_users(sid) ||
1442 sid_check_is_unix_users(sid) ||
1443 sid_check_is_our_sam(sid) ||
1444 sid_check_is_in_our_sam(sid) )
1446 return find_domain_from_sid(get_global_sam_sid());
1449 if ( sid_check_is_builtin(sid) ||
1450 sid_check_is_in_builtin(sid) ||
1451 sid_check_is_wellknown_domain(sid, NULL) ||
1452 sid_check_is_in_wellknown_domain(sid) )
1454 return find_domain_from_sid(&global_sid_Builtin);
1458 struct winbindd_domain *domain = NULL;
1460 domain = find_domain_from_sid_noinit(sid);
1461 if (domain == NULL) {
1465 if (domain->secure_channel_type != SEC_CHAN_NULL) {
1469 return domain->routing_domain;
1472 /* On a member server a query for SID or name can always go to our
1475 DEBUG(10, ("calling find_our_domain\n"));
1476 return find_our_domain();
1479 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
1483 if ( strequal(domain_name, unix_users_domain_name() ) ||
1484 strequal(domain_name, unix_groups_domain_name() ) )
1487 * The "Unix User" and "Unix Group" domain are handled by
1490 return find_domain_from_name_noinit( get_global_sam_name() );
1493 if (strequal(domain_name, "BUILTIN") ||
1494 strequal(domain_name, get_global_sam_name())) {
1495 return find_domain_from_name_noinit(domain_name);
1498 predefined = dom_sid_lookup_is_predefined_domain(domain_name);
1500 return find_domain_from_name_noinit(builtin_domain_name());
1504 struct winbindd_domain *domain = NULL;
1506 domain = find_domain_from_name_noinit(domain_name);
1507 if (domain == NULL) {
1511 if (domain->secure_channel_type != SEC_CHAN_NULL) {
1515 return domain->routing_domain;
1518 return find_our_domain();
1521 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1523 static bool assume_domain(const char *domain)
1525 /* never assume the domain on a standalone server */
1527 if ( lp_server_role() == ROLE_STANDALONE )
1530 /* domain member servers may possibly assume for the domain name */
1532 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1533 if ( !strequal(lp_workgroup(), domain) )
1536 if ( lp_winbind_use_default_domain() )
1540 /* only left with a domain controller */
1542 if ( strequal(get_global_sam_name(), domain) ) {
1549 /* Parse a DOMAIN\user or UPN string into a domain, namespace and a user */
1550 bool parse_domain_user(TALLOC_CTX *ctx,
1551 const char *domuser,
1557 char *namespace = NULL;
1558 char *domain = NULL;
1561 if (strlen(domuser) == 0) {
1565 p = strchr(domuser, *lp_winbind_separator());
1567 user = talloc_strdup(ctx, p + 1);
1571 domain = talloc_strdup(ctx,
1573 if (domain == NULL) {
1576 domain[PTR_DIFF(p, domuser)] = '\0';
1577 namespace = talloc_strdup(ctx, domain);
1578 if (namespace == NULL) {
1582 user = talloc_strdup(ctx, domuser);
1586 p = strchr(domuser, '@');
1589 namespace = talloc_strdup(ctx, p + 1);
1590 if (namespace == NULL) {
1593 domain = talloc_strdup(ctx, "");
1594 if (domain == NULL) {
1598 } else if (assume_domain(lp_workgroup())) {
1599 domain = talloc_strdup(ctx, lp_workgroup());
1600 if (domain == NULL) {
1603 namespace = talloc_strdup(ctx, domain);
1604 if (namespace == NULL) {
1608 namespace = talloc_strdup(ctx, lp_netbios_name());
1609 if (namespace == NULL) {
1612 domain = talloc_strdup(ctx, "");
1613 if (domain == NULL) {
1619 if (!strupper_m(domain)) {
1623 *pnamespace = namespace;
1629 TALLOC_FREE(domain);
1630 TALLOC_FREE(namespace);
1634 /* Parse a DOMAIN\user or UPN string into a domain, namespace and a user */
1635 bool parse_domain_user_fstr(const char *domuser,
1642 if (strlen(domuser) == 0) {
1646 p = strchr(domuser, *lp_winbind_separator());
1648 if (PTR_DIFF(p, domuser) >= sizeof(fstring)) {
1649 DBG_ERR("index %td exceeds len of dest string %zu\n",
1650 PTR_DIFF(p, domuser),
1651 (sizeof(fstring) - 1));
1654 fstrcpy(user, p + 1);
1655 fstrcpy(domain, domuser);
1656 domain[PTR_DIFF(p, domuser)] = '\0';
1657 fstrcpy(namespace, domain);
1659 fstrcpy(user, domuser);
1662 namespace[0] = '\0';
1663 p = strchr(domuser, '@');
1666 fstrcpy(namespace, p + 1);
1667 } else if (assume_domain(lp_workgroup())) {
1668 fstrcpy(domain, lp_workgroup());
1669 fstrcpy(namespace, domain);
1671 fstrcpy(namespace, lp_netbios_name());
1675 return strupper_m(domain);
1678 bool canonicalize_username(TALLOC_CTX *mem_ctx,
1679 char **pusername_inout,
1685 char *namespace = NULL;
1686 char *domain = NULL;
1688 char *username_inout = NULL;
1689 fstring f_username_inout;
1690 fstring f_namespace;
1694 fstrcpy(f_username_inout, *pusername_inout);
1695 fstrcpy(f_namespace, *pnamespace);
1696 fstrcpy(f_domain, *pdomain);
1697 fstrcpy(f_user, *puser);
1699 ok = parse_domain_user_fstr(f_username_inout,
1700 f_namespace, f_domain, f_user);
1705 username_inout = talloc_asprintf(mem_ctx, "%s%c%s",
1706 f_domain, *lp_winbind_separator(),
1709 if (username_inout == NULL) {
1713 user = talloc_strdup(mem_ctx, f_user);
1717 domain = talloc_strdup(mem_ctx, f_domain);
1718 if (domain == NULL) {
1721 namespace = talloc_strdup(mem_ctx, f_namespace);
1722 if (namespace == NULL) {
1725 *pnamespace = namespace;
1728 *pusername_inout = username_inout;
1731 TALLOC_FREE(username_inout);
1732 TALLOC_FREE(namespace);
1733 TALLOC_FREE(domain);
1739 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1740 'winbind separator' options.
1742 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1745 If we are a PDC or BDC, and this is for our domain, do likewise.
1747 On an AD DC we always fill DOMAIN\\USERNAME.
1749 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1752 * talloc version of fill_domain_username()
1753 * return NULL on talloc failure.
1755 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1760 char *tmp_user, *name;
1762 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1770 tmp_user = talloc_strdup(mem_ctx, user);
1771 if (tmp_user == NULL) {
1774 if (!strlower_m(tmp_user)) {
1775 TALLOC_FREE(tmp_user);
1779 if (can_assume && assume_domain(domain)) {
1782 name = talloc_asprintf(mem_ctx, "%s%c%s",
1784 *lp_winbind_separator(),
1786 TALLOC_FREE(tmp_user);
1793 * Client list accessor functions
1796 static struct winbindd_cli_state *_client_list;
1797 static int _num_clients;
1799 /* Return list of all connected clients */
1801 struct winbindd_cli_state *winbindd_client_list(void)
1803 return _client_list;
1806 /* Return list-tail of all connected clients */
1808 struct winbindd_cli_state *winbindd_client_list_tail(void)
1810 return DLIST_TAIL(_client_list);
1813 /* Return previous (read:newer) client in list */
1815 struct winbindd_cli_state *
1816 winbindd_client_list_prev(struct winbindd_cli_state *cli)
1818 return DLIST_PREV(cli);
1821 /* Add a connection to the list */
1823 void winbindd_add_client(struct winbindd_cli_state *cli)
1825 cli->last_access = time(NULL);
1826 DLIST_ADD(_client_list, cli);
1830 /* Remove a client from the list */
1832 void winbindd_remove_client(struct winbindd_cli_state *cli)
1834 DLIST_REMOVE(_client_list, cli);
1838 /* Move a client to head or list */
1840 void winbindd_promote_client(struct winbindd_cli_state *cli)
1842 cli->last_access = time(NULL);
1843 DLIST_PROMOTE(_client_list, cli);
1846 /* Return number of open clients */
1848 int winbindd_num_clients(void)
1850 return _num_clients;
1853 NTSTATUS lookup_usergroups_cached(TALLOC_CTX *mem_ctx,
1854 const struct dom_sid *user_sid,
1855 uint32_t *p_num_groups, struct dom_sid **user_sids)
1857 struct netr_SamInfo3 *info3 = NULL;
1858 NTSTATUS status = NT_STATUS_NO_MEMORY;
1859 uint32_t num_groups = 0;
1861 DEBUG(3,(": lookup_usergroups_cached\n"));
1866 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1868 if (info3 == NULL) {
1869 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1873 * Before bug #7843 the "Domain Local" groups were added with a
1874 * lookupuseraliases call, but this isn't done anymore for our domain
1875 * so we need to resolve resource groups here.
1877 * When to use Resource Groups:
1878 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1880 status = sid_array_from_info3(mem_ctx, info3,
1885 if (!NT_STATUS_IS_OK(status)) {
1891 *p_num_groups = num_groups;
1892 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1894 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1899 /*********************************************************************
1900 We use this to remove spaces from user and group names
1901 ********************************************************************/
1903 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1904 const char *domain_name,
1908 struct winbindd_domain *domain = NULL;
1911 if (!name || !normalized) {
1912 return NT_STATUS_INVALID_PARAMETER;
1915 if (!lp_winbind_normalize_names()) {
1916 return NT_STATUS_PROCEDURE_NOT_FOUND;
1919 domain = find_domain_from_name_noinit(domain_name);
1920 if (domain == NULL) {
1921 DBG_ERR("Failed to find domain '%s'\n", domain_name);
1922 return NT_STATUS_NO_SUCH_DOMAIN;
1925 /* Alias support and whitespace replacement are mutually
1928 nt_status = resolve_username_to_alias(mem_ctx, domain,
1930 if (NT_STATUS_IS_OK(nt_status)) {
1931 /* special return code to let the caller know we
1932 mapped to an alias */
1933 return NT_STATUS_FILE_RENAMED;
1936 /* check for an unreachable domain */
1938 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1939 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1941 set_domain_offline(domain);
1945 /* deal with whitespace */
1947 *normalized = talloc_strdup(mem_ctx, name);
1948 if (!(*normalized)) {
1949 return NT_STATUS_NO_MEMORY;
1952 all_string_sub( *normalized, " ", "_", 0 );
1954 return NT_STATUS_OK;
1957 /*********************************************************************
1958 We use this to do the inverse of normalize_name_map()
1959 ********************************************************************/
1961 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1966 struct winbindd_domain *domain = find_our_domain();
1968 if (!name || !normalized) {
1969 return NT_STATUS_INVALID_PARAMETER;
1972 if (!lp_winbind_normalize_names()) {
1973 return NT_STATUS_PROCEDURE_NOT_FOUND;
1976 /* Alias support and whitespace replacement are mutally
1979 /* When mapping from an alias to a username, we don't know the
1980 domain. But we only need a domain structure to cache
1981 a successful lookup , so just our own domain structure for
1984 nt_status = resolve_alias_to_username(mem_ctx, domain,
1986 if (NT_STATUS_IS_OK(nt_status)) {
1987 /* Special return code to let the caller know we mapped
1989 return NT_STATUS_FILE_RENAMED;
1992 /* check for an unreachable domain */
1994 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1995 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1997 set_domain_offline(domain);
2001 /* deal with whitespace */
2003 *normalized = talloc_strdup(mem_ctx, name);
2004 if (!(*normalized)) {
2005 return NT_STATUS_NO_MEMORY;
2008 all_string_sub(*normalized, "_", " ", 0);
2010 return NT_STATUS_OK;
2013 /*********************************************************************
2014 ********************************************************************/
2016 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
2018 struct winbindd_tdc_domain *tdc = NULL;
2019 TALLOC_CTX *frame = talloc_stackframe();
2022 /* We can contact the domain if it is our primary domain */
2024 if (domain->primary) {
2029 /* Trust the TDC cache and not the winbindd_domain flags */
2031 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
2032 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
2038 /* Can always contact a domain that is in out forest */
2040 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
2046 * On a _member_ server, we cannot contact the domain if it
2047 * is running AD and we have no inbound trust.
2051 domain->active_directory &&
2052 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
2054 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
2055 "and we have no inbound trust.\n", domain->name));
2059 /* Assume everything else is ok (probably not true but what
2065 talloc_destroy(frame);
2070 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
2072 /*********************************************************************
2073 ********************************************************************/
2075 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
2078 char addr[INET6_ADDRSTRLEN];
2079 const char *kdc = NULL;
2082 if (!domain || !domain->alt_name || !*domain->alt_name) {
2086 if (domain->initialized && !domain->active_directory) {
2087 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
2092 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
2095 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
2097 kdc = domain->dcname;
2100 if (!kdc || !*kdc) {
2101 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
2106 var = talloc_asprintf_strupper_m(
2109 WINBINDD_LOCATOR_KDC_ADDRESS,
2115 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
2118 setenv(var, kdc, 1);
2122 /*********************************************************************
2123 ********************************************************************/
2125 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
2127 struct winbindd_domain *our_dom = find_our_domain();
2129 winbindd_set_locator_kdc_env(domain);
2131 if (domain != our_dom) {
2132 winbindd_set_locator_kdc_env(our_dom);
2136 /*********************************************************************
2137 ********************************************************************/
2139 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
2143 if (!domain || !domain->alt_name || !*domain->alt_name) {
2147 var = talloc_asprintf_strupper_m(
2150 WINBINDD_LOCATOR_KDC_ADDRESS,
2161 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
2166 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
2171 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
2173 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
2176 * Make sure we start with authoritative=true,
2177 * it will only set to false if we don't know the
2180 resp->data.auth.authoritative = true;
2182 resp->data.auth.nt_status = NT_STATUS_V(result);
2183 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
2185 /* we might have given a more useful error above */
2186 if (*resp->data.auth.error_string == '\0')
2187 fstrcpy(resp->data.auth.error_string,
2188 get_friendly_nt_error_msg(result));
2189 resp->data.auth.pam_error = nt_status_to_pam(result);
2192 bool is_domain_offline(const struct winbindd_domain *domain)
2194 if (get_global_winbindd_state_offline()) {
2197 return !domain->online;
2200 bool is_domain_online(const struct winbindd_domain *domain)
2202 return !is_domain_offline(domain);
2206 * Parse an char array into a list of sids.
2208 * The input sidstr should consist of 0-terminated strings
2209 * representing sids, separated by newline characters '\n'.
2210 * The list is terminated by an empty string, i.e.
2211 * character '\0' directly following a character '\n'
2212 * (or '\0' right at the start of sidstr).
2214 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
2215 struct dom_sid **sids, uint32_t *num_sids)
2223 while (p[0] != '\0') {
2225 const char *q = NULL;
2227 if (!dom_sid_parse_endp(p, &sid, &q)) {
2228 DEBUG(1, ("Could not parse sid %s\n", p));
2232 DEBUG(1, ("Got invalid sidstr: %s\n", p));
2235 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
2245 bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr,
2246 struct unixid **pxids, uint32_t *pnum_xids)
2249 struct unixid *xids = NULL;
2250 uint32_t num_xids = 0;
2257 while (p[0] != '\0') {
2260 unsigned long long id;
2266 xid = (struct unixid) { .type = ID_TYPE_UID };
2269 xid = (struct unixid) { .type = ID_TYPE_GID };
2277 id = smb_strtoull(p, &endp, 10, &error, SMB_STR_STANDARD);
2281 if (*endp != '\n') {
2287 if ((unsigned long long)xid.id != id) {
2291 tmp = talloc_realloc(mem_ctx, xids, struct unixid, num_xids+1);
2297 xids[num_xids] = xid;
2302 *pnum_xids = num_xids;