2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
35 * @file winbindd_util.c
37 * Winbind daemon for NT domain authentication nss module.
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
46 static struct winbindd_domain *_domain_list = NULL;
48 struct winbindd_domain *domain_list(void)
52 if ((!_domain_list) && (!init_domain_list())) {
53 smb_panic("Init_domain_list failed");
59 /* Free all entries in the trusted domain list */
61 static void free_domain_list(void)
63 struct winbindd_domain *domain = _domain_list;
66 struct winbindd_domain *next = domain->next;
68 DLIST_REMOVE(_domain_list, domain);
74 static bool is_internal_domain(const struct dom_sid *sid)
79 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
82 static bool is_in_internal_domain(const struct dom_sid *sid)
87 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
91 /* Add a trusted domain to our list of domains */
92 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
93 struct winbindd_methods *methods,
94 const struct dom_sid *sid)
96 struct winbindd_domain *domain;
97 const char *alternative_name = NULL;
98 char *idmap_config_option;
100 const char **ignored_domains, **dom;
102 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
103 for (dom=ignored_domains; dom && *dom; dom++) {
104 if (gen_fnmatch(*dom, domain_name) == 0) {
105 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
110 /* ignore alt_name if we are not in an AD domain */
112 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
113 alternative_name = alt_name;
116 /* We can't call domain_list() as this function is called from
117 init_domain_list() and we'll get stuck in a loop. */
118 for (domain = _domain_list; domain; domain = domain->next) {
119 if (strequal(domain_name, domain->name) ||
120 strequal(domain_name, domain->alt_name))
125 if (alternative_name && *alternative_name)
127 if (strequal(alternative_name, domain->name) ||
128 strequal(alternative_name, domain->alt_name))
136 if (is_null_sid(sid)) {
140 if (sid_equal(sid, &domain->sid)) {
146 if (domain != NULL) {
148 * We found a match. Possibly update the SID
151 && sid_equal(&domain->sid, &global_sid_NULL)) {
152 sid_copy( &domain->sid, sid );
157 /* Create new domain entry */
159 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
164 ZERO_STRUCTP(domain);
166 fstrcpy(domain->name, domain_name);
167 if (alternative_name) {
168 fstrcpy(domain->alt_name, alternative_name);
171 domain->methods = methods;
172 domain->backend = NULL;
173 domain->internal = is_internal_domain(sid);
174 domain->sequence_number = DOM_SEQUENCE_NONE;
175 domain->last_seq_check = 0;
176 domain->initialized = False;
177 domain->online = is_internal_domain(sid);
178 domain->check_online_timeout = 0;
179 domain->dc_probe_pid = (pid_t)-1;
181 sid_copy(&domain->sid, sid);
184 /* Link to domain list */
185 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
187 wcache_tdc_add_domain( domain );
189 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
191 if (idmap_config_option == NULL) {
192 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
196 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
198 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
199 param ? param : "not defined"));
202 unsigned low_id, high_id;
203 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
204 DEBUG(1, ("invalid range syntax in %s: %s\n",
205 idmap_config_option, param));
208 if (low_id > high_id) {
209 DEBUG(1, ("invalid range in %s: %s\n",
210 idmap_config_option, param));
213 domain->have_idmap_config = true;
214 domain->id_range_low = low_id;
215 domain->id_range_high = high_id;
220 DEBUG(2,("Added domain %s %s %s\n",
221 domain->name, domain->alt_name,
222 &domain->sid?sid_string_dbg(&domain->sid):""));
227 bool domain_is_forest_root(const struct winbindd_domain *domain)
229 const uint32_t fr_flags =
230 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
232 return ((domain->domain_flags & fr_flags) == fr_flags);
235 /********************************************************************
236 rescan our domains looking for new trusted domains
237 ********************************************************************/
239 struct trustdom_state {
240 struct winbindd_domain *domain;
241 struct winbindd_request request;
244 static void trustdom_list_done(struct tevent_req *req);
245 static void rescan_forest_root_trusts( void );
246 static void rescan_forest_trusts( void );
248 static void add_trusted_domains( struct winbindd_domain *domain )
250 struct trustdom_state *state;
251 struct tevent_req *req;
253 state = TALLOC_ZERO_P(NULL, struct trustdom_state);
255 DEBUG(0, ("talloc failed\n"));
258 state->domain = domain;
260 state->request.length = sizeof(state->request);
261 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
263 req = wb_domain_request_send(state, winbind_event_context(),
264 domain, &state->request);
266 DEBUG(1, ("wb_domain_request_send failed\n"));
270 tevent_req_set_callback(req, trustdom_list_done, state);
273 static void trustdom_list_done(struct tevent_req *req)
275 struct trustdom_state *state = tevent_req_callback_data(
276 req, struct trustdom_state);
277 struct winbindd_response *response;
281 res = wb_domain_request_recv(req, state, &response, &err);
282 if ((res == -1) || (response->result != WINBINDD_OK)) {
283 DEBUG(1, ("Could not receive trustdoms\n"));
288 p = (char *)response->extra_data.data;
290 while ((p != NULL) && (*p != '\0')) {
291 char *q, *sidstr, *alt_name;
293 struct winbindd_domain *domain;
294 char *alternate_name = NULL;
296 alt_name = strchr(p, '\\');
297 if (alt_name == NULL) {
298 DEBUG(0, ("Got invalid trustdom response\n"));
305 sidstr = strchr(alt_name, '\\');
306 if (sidstr == NULL) {
307 DEBUG(0, ("Got invalid trustdom response\n"));
314 q = strchr(sidstr, '\n');
318 if (!string_to_sid(&sid, sidstr)) {
319 DEBUG(0, ("Got invalid trustdom response\n"));
323 /* use the real alt_name if we have one, else pass in NULL */
325 if ( !strequal( alt_name, "(null)" ) )
326 alternate_name = alt_name;
328 /* If we have an existing domain structure, calling
329 add_trusted_domain() will update the SID if
330 necessary. This is important because we need the
331 SID for sibling domains */
333 if ( find_domain_from_name_noinit(p) != NULL ) {
334 domain = add_trusted_domain(p, alternate_name,
338 domain = add_trusted_domain(p, alternate_name,
342 setup_domain_child(domain);
351 Cases to consider when scanning trusts:
352 (a) we are calling from a child domain (primary && !forest_root)
353 (b) we are calling from the root of the forest (primary && forest_root)
354 (c) we are calling from a trusted forest domain (!primary
358 if (state->domain->primary) {
359 /* If this is our primary domain and we are not in the
360 forest root, we have to scan the root trusts first */
362 if (!domain_is_forest_root(state->domain))
363 rescan_forest_root_trusts();
365 rescan_forest_trusts();
367 } else if (domain_is_forest_root(state->domain)) {
368 /* Once we have done root forest trust search, we can
369 go on to search the trusted forests */
371 rescan_forest_trusts();
379 /********************************************************************
380 Scan the trusts of our forest root
381 ********************************************************************/
383 static void rescan_forest_root_trusts( void )
385 struct winbindd_tdc_domain *dom_list = NULL;
386 size_t num_trusts = 0;
389 /* The only transitive trusts supported by Windows 2003 AD are
390 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
391 first two are handled in forest and listed by
392 DsEnumerateDomainTrusts(). Forest trusts are not so we
393 have to do that ourselves. */
395 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
398 for ( i=0; i<num_trusts; i++ ) {
399 struct winbindd_domain *d = NULL;
401 /* Find the forest root. Don't necessarily trust
402 the domain_list() as our primary domain may not
403 have been initialized. */
405 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
409 /* Here's the forest root */
411 d = find_domain_from_name_noinit( dom_list[i].domain_name );
414 d = add_trusted_domain( dom_list[i].domain_name,
415 dom_list[i].dns_name,
419 setup_domain_child(d);
427 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
428 "for domain tree root %s (%s)\n",
429 d->name, d->alt_name ));
431 d->domain_flags = dom_list[i].trust_flags;
432 d->domain_type = dom_list[i].trust_type;
433 d->domain_trust_attribs = dom_list[i].trust_attribs;
435 add_trusted_domains( d );
440 TALLOC_FREE( dom_list );
445 /********************************************************************
446 scan the transitive forest trusts (not our own)
447 ********************************************************************/
450 static void rescan_forest_trusts( void )
452 struct winbindd_domain *d = NULL;
453 struct winbindd_tdc_domain *dom_list = NULL;
454 size_t num_trusts = 0;
457 /* The only transitive trusts supported by Windows 2003 AD are
458 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
459 first two are handled in forest and listed by
460 DsEnumerateDomainTrusts(). Forest trusts are not so we
461 have to do that ourselves. */
463 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
466 for ( i=0; i<num_trusts; i++ ) {
467 uint32 flags = dom_list[i].trust_flags;
468 uint32 type = dom_list[i].trust_type;
469 uint32 attribs = dom_list[i].trust_attribs;
471 d = find_domain_from_name_noinit( dom_list[i].domain_name );
473 /* ignore our primary and internal domains */
475 if ( d && (d->internal || d->primary ) )
478 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
479 (type == NETR_TRUST_TYPE_UPLEVEL) &&
480 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
482 /* add the trusted domain if we don't know
486 d = add_trusted_domain( dom_list[i].domain_name,
487 dom_list[i].dns_name,
491 setup_domain_child(d);
499 DEBUG(10,("Following trust path for domain %s (%s)\n",
500 d->name, d->alt_name ));
501 add_trusted_domains( d );
505 TALLOC_FREE( dom_list );
510 /*********************************************************************
511 The process of updating the trusted domain list is a three step
514 (b) ask the root domain in our forest
515 (c) ask the a DC in any Win2003 trusted forests
516 *********************************************************************/
518 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
519 struct timeval now, void *private_data)
523 /* I use to clear the cache here and start over but that
524 caused problems in child processes that needed the
525 trust dom list early on. Removing it means we
526 could have some trusted domains listed that have been
527 removed from our primary domain's DC until a full
528 restart. This should be ok since I think this is what
529 Windows does as well. */
531 /* this will only add new domains we didn't already know about
532 in the domain_list()*/
534 add_trusted_domains( find_our_domain() );
536 te = tevent_add_timer(
537 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
538 rescan_trusted_domains, NULL);
540 * If te == NULL, there's not much we can do here. Don't fail, the
541 * only thing we miss is new trusted domains.
547 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
548 struct winbindd_cli_state *state)
550 /* Ensure null termination */
551 state->request->domain_name
552 [sizeof(state->request->domain_name)-1]='\0';
553 state->request->data.init_conn.dcname
554 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
556 if (strlen(state->request->data.init_conn.dcname) > 0) {
557 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
560 if (domain->internal) {
561 domain->initialized = true;
563 init_dc_connection(domain);
566 if (!domain->initialized) {
567 /* If we return error here we can't do any cached authentication,
568 but we may be in disconnected mode and can't initialize correctly.
569 Do what the previous code did and just return without initialization,
570 once we go online we'll re-initialize.
572 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
573 "online = %d\n", domain->name, (int)domain->online ));
576 fstrcpy(state->response->data.domain_info.name, domain->name);
577 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
578 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
580 state->response->data.domain_info.native_mode
581 = domain->native_mode;
582 state->response->data.domain_info.active_directory
583 = domain->active_directory;
584 state->response->data.domain_info.primary
590 /* Look up global info for the winbind daemon */
591 bool init_domain_list(void)
593 struct winbindd_domain *domain;
594 int role = lp_server_role();
596 /* Free existing list */
601 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
602 &global_sid_Builtin);
604 setup_domain_child(domain);
609 domain = add_trusted_domain(get_global_sam_name(), NULL,
610 &sam_passdb_methods, get_global_sam_sid());
612 if ( role != ROLE_DOMAIN_MEMBER ) {
613 domain->primary = True;
615 setup_domain_child(domain);
618 /* Add ourselves as the first entry. */
620 if ( role == ROLE_DOMAIN_MEMBER ) {
621 struct dom_sid our_sid;
623 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
624 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
628 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
629 &cache_methods, &our_sid);
631 domain->primary = True;
632 setup_domain_child(domain);
634 /* Even in the parent winbindd we'll need to
635 talk to the DC, so try and see if we can
636 contact it. Theoretically this isn't neccessary
637 as the init_dc_connection() in init_child_recv()
638 will do this, but we can start detecting the DC
640 set_domain_online_request(domain);
647 void check_domain_trusted( const char *name, const struct dom_sid *user_sid )
649 struct winbindd_domain *domain;
650 struct dom_sid dom_sid;
653 /* Check if we even care */
655 if (!lp_allow_trusted_domains())
658 domain = find_domain_from_name_noinit( name );
662 sid_copy( &dom_sid, user_sid );
663 if ( !sid_split_rid( &dom_sid, &rid ) )
666 /* add the newly discovered trusted domain */
668 domain = add_trusted_domain( name, NULL, &cache_methods,
674 /* assume this is a trust from a one-way transitive
677 domain->active_directory = True;
678 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
679 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
680 domain->internal = False;
681 domain->online = True;
683 setup_domain_child(domain);
685 wcache_tdc_add_domain( domain );
691 * Given a domain name, return the struct winbindd domain info for it
693 * @note Do *not* pass lp_workgroup() to this function. domain_list
694 * may modify it's value, and free that pointer. Instead, our local
695 * domain may be found by calling find_our_domain().
699 * @return The domain structure for the named domain, if it is working.
702 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
704 struct winbindd_domain *domain;
706 /* Search through list */
708 for (domain = domain_list(); domain != NULL; domain = domain->next) {
709 if (strequal(domain_name, domain->name) ||
710 (domain->alt_name[0] &&
711 strequal(domain_name, domain->alt_name))) {
721 struct winbindd_domain *find_domain_from_name(const char *domain_name)
723 struct winbindd_domain *domain;
725 domain = find_domain_from_name_noinit(domain_name);
730 if (!domain->initialized)
731 init_dc_connection(domain);
736 /* Given a domain sid, return the struct winbindd domain info for it */
738 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
740 struct winbindd_domain *domain;
742 /* Search through list */
744 for (domain = domain_list(); domain != NULL; domain = domain->next) {
745 if (sid_compare_domain(sid, &domain->sid) == 0)
754 /* Given a domain sid, return the struct winbindd domain info for it */
756 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
758 struct winbindd_domain *domain;
760 domain = find_domain_from_sid_noinit(sid);
765 if (!domain->initialized)
766 init_dc_connection(domain);
771 struct winbindd_domain *find_our_domain(void)
773 struct winbindd_domain *domain;
775 /* Search through list */
777 for (domain = domain_list(); domain != NULL; domain = domain->next) {
782 smb_panic("Could not find our domain");
786 struct winbindd_domain *find_root_domain(void)
788 struct winbindd_domain *ours = find_our_domain();
790 if (ours->forest_name[0] == '\0') {
794 return find_domain_from_name( ours->forest_name );
797 struct winbindd_domain *find_builtin_domain(void)
799 struct winbindd_domain *domain;
801 domain = find_domain_from_sid(&global_sid_Builtin);
802 if (domain == NULL) {
803 smb_panic("Could not find BUILTIN domain");
809 /* Find the appropriate domain to lookup a name or SID */
811 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
813 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
815 if ( sid_check_is_in_unix_groups(sid) ||
816 sid_check_is_unix_groups(sid) ||
817 sid_check_is_in_unix_users(sid) ||
818 sid_check_is_unix_users(sid) )
820 return find_domain_from_sid(get_global_sam_sid());
823 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
824 * one to contact the external DC's. On member servers the internal
825 * domains are different: These are part of the local SAM. */
827 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
829 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
830 DEBUG(10, ("calling find_domain_from_sid\n"));
831 return find_domain_from_sid(sid);
834 /* On a member server a query for SID or name can always go to our
837 DEBUG(10, ("calling find_our_domain\n"));
838 return find_our_domain();
841 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
843 if ( strequal(domain_name, unix_users_domain_name() ) ||
844 strequal(domain_name, unix_groups_domain_name() ) )
847 * The "Unix User" and "Unix Group" domain our handled by
850 return find_domain_from_name_noinit( get_global_sam_name() );
853 if (IS_DC || strequal(domain_name, "BUILTIN") ||
854 strequal(domain_name, get_global_sam_name()))
855 return find_domain_from_name_noinit(domain_name);
858 return find_our_domain();
861 /* Is this a domain which we may assume no DOMAIN\ prefix? */
863 static bool assume_domain(const char *domain)
865 /* never assume the domain on a standalone server */
867 if ( lp_server_role() == ROLE_STANDALONE )
870 /* domain member servers may possibly assume for the domain name */
872 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
873 if ( !strequal(lp_workgroup(), domain) )
876 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
880 /* only left with a domain controller */
882 if ( strequal(get_global_sam_name(), domain) ) {
889 /* Parse a string of the form DOMAIN\user into a domain and a user */
891 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
893 char *p = strchr(domuser,*lp_winbind_separator());
896 fstrcpy(user, domuser);
898 if ( assume_domain(lp_workgroup())) {
899 fstrcpy(domain, lp_workgroup());
900 } else if ((p = strchr(domuser, '@')) != NULL) {
901 fstrcpy(domain, p + 1);
902 user[PTR_DIFF(p, domuser)] = 0;
908 fstrcpy(domain, domuser);
909 domain[PTR_DIFF(p, domuser)] = 0;
917 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
918 char **domain, char **user)
920 fstring fstr_domain, fstr_user;
921 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
924 *domain = talloc_strdup(mem_ctx, fstr_domain);
925 *user = talloc_strdup(mem_ctx, fstr_user);
926 return ((*domain != NULL) && (*user != NULL));
929 /* add a domain user name to a buffer */
930 void parse_add_domuser(void *buf, char *domuser, int *len)
936 p = strchr(domuser, *lp_winbind_separator());
940 fstrcpy(domain, domuser);
941 domain[PTR_DIFF(p, domuser)] = 0;
944 if (assume_domain(domain)) {
947 *len -= (PTR_DIFF(p, domuser));
951 safe_strcpy((char *)buf, user, *len);
954 /* Ensure an incoming username from NSS is fully qualified. Replace the
955 incoming fstring with DOMAIN <separator> user. Returns the same
956 values as parse_domain_user() but also replaces the incoming username.
957 Used to ensure all names are fully qualified within winbindd.
958 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
959 The protocol definitions of auth_crap, chng_pswd_auth_crap
960 really should be changed to use this instead of doing things
963 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
965 if (!parse_domain_user(username_inout, domain, user)) {
968 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
969 domain, *lp_winbind_separator(),
975 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
976 'winbind separator' options.
978 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
981 If we are a PDC or BDC, and this is for our domain, do likewise.
983 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
984 username is then unqualified in unix
986 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
988 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
992 fstrcpy(tmp_user, user);
993 strlower_m(tmp_user);
995 if (can_assume && assume_domain(domain)) {
996 strlcpy(name, tmp_user, sizeof(fstring));
998 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
999 domain, *lp_winbind_separator(),
1005 * talloc version of fill_domain_username()
1006 * return NULL on talloc failure.
1008 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1013 char *tmp_user, *name;
1015 tmp_user = talloc_strdup(mem_ctx, user);
1016 strlower_m(tmp_user);
1018 if (can_assume && assume_domain(domain)) {
1021 name = talloc_asprintf(mem_ctx, "%s%c%s",
1023 *lp_winbind_separator(),
1025 TALLOC_FREE(tmp_user);
1032 * Winbindd socket accessor functions
1035 const char *get_winbind_pipe_dir(void)
1037 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1040 char *get_winbind_priv_pipe_dir(void)
1042 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1045 /* Open the winbindd socket */
1047 static int _winbindd_socket = -1;
1048 static int _winbindd_priv_socket = -1;
1050 int open_winbindd_socket(void)
1052 if (_winbindd_socket == -1) {
1053 _winbindd_socket = create_pipe_sock(
1054 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1055 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1059 return _winbindd_socket;
1062 int open_winbindd_priv_socket(void)
1064 if (_winbindd_priv_socket == -1) {
1065 _winbindd_priv_socket = create_pipe_sock(
1066 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1067 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1068 _winbindd_priv_socket));
1071 return _winbindd_priv_socket;
1075 * Client list accessor functions
1078 static struct winbindd_cli_state *_client_list;
1079 static int _num_clients;
1081 /* Return list of all connected clients */
1083 struct winbindd_cli_state *winbindd_client_list(void)
1085 return _client_list;
1088 /* Add a connection to the list */
1090 void winbindd_add_client(struct winbindd_cli_state *cli)
1092 DLIST_ADD(_client_list, cli);
1096 /* Remove a client from the list */
1098 void winbindd_remove_client(struct winbindd_cli_state *cli)
1100 DLIST_REMOVE(_client_list, cli);
1104 /* Return number of open clients */
1106 int winbindd_num_clients(void)
1108 return _num_clients;
1111 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1112 TALLOC_CTX *mem_ctx,
1113 const struct dom_sid *user_sid,
1114 uint32 *p_num_groups, struct dom_sid **user_sids)
1116 struct netr_SamInfo3 *info3 = NULL;
1117 NTSTATUS status = NT_STATUS_NO_MEMORY;
1118 size_t num_groups = 0;
1120 DEBUG(3,(": lookup_usergroups_cached\n"));
1125 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1127 if (info3 == NULL) {
1128 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1131 if (info3->base.groups.count == 0) {
1133 return NT_STATUS_UNSUCCESSFUL;
1136 /* Skip Domain local groups outside our domain.
1137 We'll get these from the getsidaliases() RPC call. */
1138 status = sid_array_from_info3(mem_ctx, info3,
1143 if (!NT_STATUS_IS_OK(status)) {
1149 *p_num_groups = num_groups;
1150 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1152 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1157 /*********************************************************************
1158 We use this to remove spaces from user and group names
1159 ********************************************************************/
1161 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1162 struct winbindd_domain *domain,
1168 if (!name || !normalized) {
1169 return NT_STATUS_INVALID_PARAMETER;
1172 if (!lp_winbind_normalize_names()) {
1173 return NT_STATUS_PROCEDURE_NOT_FOUND;
1176 /* Alias support and whitespace replacement are mutually
1179 nt_status = resolve_username_to_alias(mem_ctx, domain,
1181 if (NT_STATUS_IS_OK(nt_status)) {
1182 /* special return code to let the caller know we
1183 mapped to an alias */
1184 return NT_STATUS_FILE_RENAMED;
1187 /* check for an unreachable domain */
1189 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1190 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1192 set_domain_offline(domain);
1196 /* deal with whitespace */
1198 *normalized = talloc_strdup(mem_ctx, name);
1199 if (!(*normalized)) {
1200 return NT_STATUS_NO_MEMORY;
1203 all_string_sub( *normalized, " ", "_", 0 );
1205 return NT_STATUS_OK;
1208 /*********************************************************************
1209 We use this to do the inverse of normalize_name_map()
1210 ********************************************************************/
1212 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1217 struct winbindd_domain *domain = find_our_domain();
1219 if (!name || !normalized) {
1220 return NT_STATUS_INVALID_PARAMETER;
1223 if (!lp_winbind_normalize_names()) {
1224 return NT_STATUS_PROCEDURE_NOT_FOUND;
1227 /* Alias support and whitespace replacement are mutally
1230 /* When mapping from an alias to a username, we don't know the
1231 domain. But we only need a domain structure to cache
1232 a successful lookup , so just our own domain structure for
1235 nt_status = resolve_alias_to_username(mem_ctx, domain,
1237 if (NT_STATUS_IS_OK(nt_status)) {
1238 /* Special return code to let the caller know we mapped
1240 return NT_STATUS_FILE_RENAMED;
1243 /* check for an unreachable domain */
1245 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1246 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1248 set_domain_offline(domain);
1252 /* deal with whitespace */
1254 *normalized = talloc_strdup(mem_ctx, name);
1255 if (!(*normalized)) {
1256 return NT_STATUS_NO_MEMORY;
1259 all_string_sub(*normalized, "_", " ", 0);
1261 return NT_STATUS_OK;
1264 /*********************************************************************
1265 ********************************************************************/
1267 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1269 struct winbindd_tdc_domain *tdc = NULL;
1270 TALLOC_CTX *frame = talloc_stackframe();
1273 /* We can contact the domain if it is our primary domain */
1275 if (domain->primary) {
1279 /* Trust the TDC cache and not the winbindd_domain flags */
1281 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1282 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1287 /* Can always contact a domain that is in out forest */
1289 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1295 * On a _member_ server, we cannot contact the domain if it
1296 * is running AD and we have no inbound trust.
1300 domain->active_directory &&
1301 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1303 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1304 "and we have no inbound trust.\n", domain->name));
1308 /* Assume everything else is ok (probably not true but what
1314 talloc_destroy(frame);
1319 /*********************************************************************
1320 ********************************************************************/
1322 bool winbindd_internal_child(struct winbindd_child *child)
1324 if ((child == idmap_child()) || (child == locator_child())) {
1331 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1333 /*********************************************************************
1334 ********************************************************************/
1336 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1339 char addr[INET6_ADDRSTRLEN];
1340 const char *kdc = NULL;
1343 if (!domain || !domain->alt_name || !*domain->alt_name) {
1347 if (domain->initialized && !domain->active_directory) {
1348 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1353 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1356 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1358 kdc = domain->dcname;
1361 if (!kdc || !*kdc) {
1362 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1367 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1368 domain->alt_name) == -1) {
1372 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1375 setenv(var, kdc, 1);
1379 /*********************************************************************
1380 ********************************************************************/
1382 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1384 struct winbindd_domain *our_dom = find_our_domain();
1386 winbindd_set_locator_kdc_env(domain);
1388 if (domain != our_dom) {
1389 winbindd_set_locator_kdc_env(our_dom);
1393 /*********************************************************************
1394 ********************************************************************/
1396 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1400 if (!domain || !domain->alt_name || !*domain->alt_name) {
1404 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1405 domain->alt_name) == -1) {
1414 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1419 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1424 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1426 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1428 resp->data.auth.nt_status = NT_STATUS_V(result);
1429 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1431 /* we might have given a more useful error above */
1432 if (*resp->data.auth.error_string == '\0')
1433 fstrcpy(resp->data.auth.error_string,
1434 get_friendly_nt_error_msg(result));
1435 resp->data.auth.pam_error = nt_status_to_pam(result);
1438 bool is_domain_offline(const struct winbindd_domain *domain)
1440 if (!lp_winbind_offline_logon()) {
1443 if (get_global_winbindd_state_offline()) {
1446 return !domain->online;