2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
35 * @file winbindd_util.c
37 * Winbind daemon for NT domain authentication nss module.
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
46 static struct winbindd_domain *_domain_list = NULL;
49 When was the last scan of trusted domains done?
54 static time_t last_trustdom_scan;
56 struct winbindd_domain *domain_list(void)
60 if ((!_domain_list) && (!init_domain_list())) {
61 smb_panic("Init_domain_list failed");
67 /* Free all entries in the trusted domain list */
69 void free_domain_list(void)
71 struct winbindd_domain *domain = _domain_list;
74 struct winbindd_domain *next = domain->next;
76 DLIST_REMOVE(_domain_list, domain);
82 static bool is_internal_domain(const DOM_SID *sid)
88 return sid_check_is_builtin(sid);
90 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
93 static bool is_in_internal_domain(const DOM_SID *sid)
99 return sid_check_is_in_builtin(sid);
101 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
105 /* Add a trusted domain to our list of domains */
106 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
107 struct winbindd_methods *methods,
110 struct winbindd_domain *domain;
111 const char *alternative_name = NULL;
113 /* ignore alt_name if we are not in an AD domain */
115 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
116 alternative_name = alt_name;
119 /* We can't call domain_list() as this function is called from
120 init_domain_list() and we'll get stuck in a loop. */
121 for (domain = _domain_list; domain; domain = domain->next) {
122 if (strequal(domain_name, domain->name) ||
123 strequal(domain_name, domain->alt_name))
128 if (alternative_name && *alternative_name)
130 if (strequal(alternative_name, domain->name) ||
131 strequal(alternative_name, domain->alt_name))
139 if (is_null_sid(sid)) {
143 if (sid_equal(sid, &domain->sid)) {
149 /* See if we found a match. Check if we need to update the
152 if ( domain && sid) {
153 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
154 sid_copy( &domain->sid, sid );
159 /* Create new domain entry */
161 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
166 ZERO_STRUCTP(domain);
168 fstrcpy(domain->name, domain_name);
169 if (alternative_name) {
170 fstrcpy(domain->alt_name, alternative_name);
173 domain->methods = methods;
174 domain->backend = NULL;
175 domain->internal = is_internal_domain(sid);
176 domain->sequence_number = DOM_SEQUENCE_NONE;
177 domain->last_seq_check = 0;
178 domain->initialized = False;
179 domain->online = is_internal_domain(sid);
180 domain->check_online_timeout = 0;
182 sid_copy(&domain->sid, sid);
185 /* Link to domain list */
186 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
188 wcache_tdc_add_domain( domain );
190 DEBUG(2,("Added domain %s %s %s\n",
191 domain->name, domain->alt_name,
192 &domain->sid?sid_string_dbg(&domain->sid):""));
197 /********************************************************************
198 rescan our domains looking for new trusted domains
199 ********************************************************************/
201 struct trustdom_state {
205 struct winbindd_response *response;
208 static void trustdom_recv(void *private_data, bool success);
209 static void rescan_forest_root_trusts( void );
210 static void rescan_forest_trusts( void );
212 static void add_trusted_domains( struct winbindd_domain *domain )
215 struct winbindd_request *request;
216 struct winbindd_response *response;
217 uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
219 struct trustdom_state *state;
221 mem_ctx = talloc_init("add_trusted_domains");
222 if (mem_ctx == NULL) {
223 DEBUG(0, ("talloc_init failed\n"));
227 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
228 response = TALLOC_P(mem_ctx, struct winbindd_response);
229 state = TALLOC_P(mem_ctx, struct trustdom_state);
231 if ((request == NULL) || (response == NULL) || (state == NULL)) {
232 DEBUG(0, ("talloc failed\n"));
233 talloc_destroy(mem_ctx);
237 state->mem_ctx = mem_ctx;
238 state->response = response;
240 /* Flags used to know how to continue the forest trust search */
242 state->primary = domain->primary;
243 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
245 request->length = sizeof(*request);
246 request->cmd = WINBINDD_LIST_TRUSTDOM;
248 async_domain_request(mem_ctx, domain, request, response,
249 trustdom_recv, state);
252 static void trustdom_recv(void *private_data, bool success)
254 struct trustdom_state *state =
255 talloc_get_type_abort(private_data, struct trustdom_state);
256 struct winbindd_response *response = state->response;
259 if ((!success) || (response->result != WINBINDD_OK)) {
260 DEBUG(1, ("Could not receive trustdoms\n"));
261 talloc_destroy(state->mem_ctx);
265 p = (char *)response->extra_data.data;
267 while ((p != NULL) && (*p != '\0')) {
268 char *q, *sidstr, *alt_name;
270 struct winbindd_domain *domain;
271 char *alternate_name = NULL;
273 alt_name = strchr(p, '\\');
274 if (alt_name == NULL) {
275 DEBUG(0, ("Got invalid trustdom response\n"));
282 sidstr = strchr(alt_name, '\\');
283 if (sidstr == NULL) {
284 DEBUG(0, ("Got invalid trustdom response\n"));
291 q = strchr(sidstr, '\n');
295 if (!string_to_sid(&sid, sidstr)) {
296 /* Allow NULL sid for sibling domains */
297 if ( strcmp(sidstr,"S-0-0") == 0) {
298 sid_copy( &sid, &global_sid_NULL);
300 DEBUG(0, ("Got invalid trustdom response\n"));
305 /* use the real alt_name if we have one, else pass in NULL */
307 if ( !strequal( alt_name, "(null)" ) )
308 alternate_name = alt_name;
310 /* If we have an existing domain structure, calling
311 add_trusted_domain() will update the SID if
312 necessary. This is important because we need the
313 SID for sibling domains */
315 if ( find_domain_from_name_noinit(p) != NULL ) {
316 domain = add_trusted_domain(p, alternate_name,
320 domain = add_trusted_domain(p, alternate_name,
324 setup_domain_child(domain,
333 SAFE_FREE(response->extra_data.data);
336 Cases to consider when scanning trusts:
337 (a) we are calling from a child domain (primary && !forest_root)
338 (b) we are calling from the root of the forest (primary && forest_root)
339 (c) we are calling from a trusted forest domain (!primary
343 if ( state->primary ) {
344 /* If this is our primary domain and we are not in the
345 forest root, we have to scan the root trusts first */
347 if ( !state->forest_root )
348 rescan_forest_root_trusts();
350 rescan_forest_trusts();
352 } else if ( state->forest_root ) {
353 /* Once we have done root forest trust search, we can
354 go on to search the trusted forests */
356 rescan_forest_trusts();
359 talloc_destroy(state->mem_ctx);
364 /********************************************************************
365 Scan the trusts of our forest root
366 ********************************************************************/
368 static void rescan_forest_root_trusts( void )
370 struct winbindd_tdc_domain *dom_list = NULL;
371 size_t num_trusts = 0;
374 /* The only transitive trusts supported by Windows 2003 AD are
375 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
376 first two are handled in forest and listed by
377 DsEnumerateDomainTrusts(). Forest trusts are not so we
378 have to do that ourselves. */
380 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
383 for ( i=0; i<num_trusts; i++ ) {
384 struct winbindd_domain *d = NULL;
386 /* Find the forest root. Don't necessarily trust
387 the domain_list() as our primary domain may not
388 have been initialized. */
390 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
394 /* Here's the forest root */
396 d = find_domain_from_name_noinit( dom_list[i].domain_name );
399 d = add_trusted_domain( dom_list[i].domain_name,
400 dom_list[i].dns_name,
405 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
406 "for domain tree root %s (%s)\n",
407 d->name, d->alt_name ));
409 d->domain_flags = dom_list[i].trust_flags;
410 d->domain_type = dom_list[i].trust_type;
411 d->domain_trust_attribs = dom_list[i].trust_attribs;
413 add_trusted_domains( d );
418 TALLOC_FREE( dom_list );
423 /********************************************************************
424 scan the transitive forest trusts (not our own)
425 ********************************************************************/
428 static void rescan_forest_trusts( void )
430 struct winbindd_domain *d = NULL;
431 struct winbindd_tdc_domain *dom_list = NULL;
432 size_t num_trusts = 0;
435 /* The only transitive trusts supported by Windows 2003 AD are
436 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
437 first two are handled in forest and listed by
438 DsEnumerateDomainTrusts(). Forest trusts are not so we
439 have to do that ourselves. */
441 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
444 for ( i=0; i<num_trusts; i++ ) {
445 uint32 flags = dom_list[i].trust_flags;
446 uint32 type = dom_list[i].trust_type;
447 uint32 attribs = dom_list[i].trust_attribs;
449 d = find_domain_from_name_noinit( dom_list[i].domain_name );
451 /* ignore our primary and internal domains */
453 if ( d && (d->internal || d->primary ) )
456 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
457 (type == NETR_TRUST_TYPE_UPLEVEL) &&
458 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
460 /* add the trusted domain if we don't know
464 d = add_trusted_domain( dom_list[i].domain_name,
465 dom_list[i].dns_name,
470 DEBUG(10,("Following trust path for domain %s (%s)\n",
471 d->name, d->alt_name ));
472 add_trusted_domains( d );
476 TALLOC_FREE( dom_list );
481 /*********************************************************************
482 The process of updating the trusted domain list is a three step
485 (b) ask the root domain in our forest
486 (c) ask the a DC in any Win2003 trusted forests
487 *********************************************************************/
489 void rescan_trusted_domains( void )
491 time_t now = time(NULL);
493 /* see if the time has come... */
495 if ((now >= last_trustdom_scan) &&
496 ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
499 /* I use to clear the cache here and start over but that
500 caused problems in child processes that needed the
501 trust dom list early on. Removing it means we
502 could have some trusted domains listed that have been
503 removed from our primary domain's DC until a full
504 restart. This should be ok since I think this is what
505 Windows does as well. */
507 /* this will only add new domains we didn't already know about
508 in the domain_list()*/
510 add_trusted_domains( find_our_domain() );
512 last_trustdom_scan = now;
517 struct init_child_state {
519 struct winbindd_domain *domain;
520 struct winbindd_request *request;
521 struct winbindd_response *response;
522 void (*continuation)(void *private_data, bool success);
526 static void init_child_recv(void *private_data, bool success);
527 static void init_child_getdc_recv(void *private_data, bool success);
529 enum winbindd_result init_child_connection(struct winbindd_domain *domain,
530 void (*continuation)(void *private_data,
535 struct winbindd_request *request;
536 struct winbindd_response *response;
537 struct init_child_state *state;
538 struct winbindd_domain *request_domain;
540 mem_ctx = talloc_init("init_child_connection");
541 if (mem_ctx == NULL) {
542 DEBUG(0, ("talloc_init failed\n"));
543 return WINBINDD_ERROR;
546 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
547 response = TALLOC_P(mem_ctx, struct winbindd_response);
548 state = TALLOC_P(mem_ctx, struct init_child_state);
550 if ((request == NULL) || (response == NULL) || (state == NULL)) {
551 DEBUG(0, ("talloc failed\n"));
552 TALLOC_FREE(mem_ctx);
553 continuation(private_data, False);
554 return WINBINDD_ERROR;
557 request->length = sizeof(*request);
559 state->mem_ctx = mem_ctx;
560 state->domain = domain;
561 state->request = request;
562 state->response = response;
563 state->continuation = continuation;
564 state->private_data = private_data;
566 if (IS_DC || domain->primary || domain->internal ) {
567 /* The primary domain has to find the DC name itself */
568 request->cmd = WINBINDD_INIT_CONNECTION;
569 fstrcpy(request->domain_name, domain->name);
570 request->data.init_conn.is_primary = domain->primary ? true : false;
571 fstrcpy(request->data.init_conn.dcname, "");
572 async_request(mem_ctx, &domain->child, request, response,
573 init_child_recv, state);
574 return WINBINDD_PENDING;
577 /* This is *not* the primary domain, let's ask our DC about a DC
580 request->cmd = WINBINDD_GETDCNAME;
581 fstrcpy(request->domain_name, domain->name);
583 request_domain = find_our_domain();
584 async_domain_request(mem_ctx, request_domain, request, response,
585 init_child_getdc_recv, state);
586 return WINBINDD_PENDING;
589 static void init_child_getdc_recv(void *private_data, bool success)
591 struct init_child_state *state =
592 talloc_get_type_abort(private_data, struct init_child_state);
593 const char *dcname = "";
595 DEBUG(10, ("Received getdcname response\n"));
597 if (success && (state->response->result == WINBINDD_OK)) {
598 dcname = state->response->data.dc_name;
601 state->request->cmd = WINBINDD_INIT_CONNECTION;
602 fstrcpy(state->request->domain_name, state->domain->name);
603 state->request->data.init_conn.is_primary = False;
604 fstrcpy(state->request->data.init_conn.dcname, dcname);
606 async_request(state->mem_ctx, &state->domain->child,
607 state->request, state->response,
608 init_child_recv, state);
611 static void init_child_recv(void *private_data, bool success)
613 struct init_child_state *state =
614 talloc_get_type_abort(private_data, struct init_child_state);
616 DEBUG(5, ("Received child initialization response for domain %s\n",
617 state->domain->name));
619 if ((!success) || (state->response->result != WINBINDD_OK)) {
620 DEBUG(3, ("Could not init child\n"));
621 state->continuation(state->private_data, False);
622 talloc_destroy(state->mem_ctx);
626 fstrcpy(state->domain->name,
627 state->response->data.domain_info.name);
628 fstrcpy(state->domain->alt_name,
629 state->response->data.domain_info.alt_name);
630 string_to_sid(&state->domain->sid,
631 state->response->data.domain_info.sid);
632 state->domain->native_mode =
633 state->response->data.domain_info.native_mode;
634 state->domain->active_directory =
635 state->response->data.domain_info.active_directory;
637 init_dc_connection(state->domain);
639 if (state->continuation != NULL)
640 state->continuation(state->private_data, True);
641 talloc_destroy(state->mem_ctx);
644 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
645 struct winbindd_cli_state *state)
647 /* Ensure null termination */
648 state->request.domain_name
649 [sizeof(state->request.domain_name)-1]='\0';
650 state->request.data.init_conn.dcname
651 [sizeof(state->request.data.init_conn.dcname)-1]='\0';
653 if (strlen(state->request.data.init_conn.dcname) > 0) {
654 fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
657 init_dc_connection(domain);
659 if (!domain->initialized) {
660 /* If we return error here we can't do any cached authentication,
661 but we may be in disconnected mode and can't initialize correctly.
662 Do what the previous code did and just return without initialization,
663 once we go online we'll re-initialize.
665 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
666 "online = %d\n", domain->name, (int)domain->online ));
669 fstrcpy(state->response.data.domain_info.name, domain->name);
670 fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
671 sid_to_fstring(state->response.data.domain_info.sid, &domain->sid);
673 state->response.data.domain_info.native_mode
674 = domain->native_mode;
675 state->response.data.domain_info.active_directory
676 = domain->active_directory;
677 state->response.data.domain_info.primary
683 /* Look up global info for the winbind daemon */
684 bool init_domain_list(void)
686 struct winbindd_domain *domain;
687 int role = lp_server_role();
689 /* Free existing list */
694 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
695 &global_sid_Builtin);
697 setup_domain_child(domain,
703 domain = add_trusted_domain(get_global_sam_name(), NULL,
704 &sam_passdb_methods, get_global_sam_sid());
706 if ( role != ROLE_DOMAIN_MEMBER ) {
707 domain->primary = True;
709 setup_domain_child(domain,
713 /* Add ourselves as the first entry. */
715 if ( role == ROLE_DOMAIN_MEMBER ) {
718 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
719 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
723 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
724 &cache_methods, &our_sid);
726 domain->primary = True;
727 setup_domain_child(domain,
730 /* Even in the parent winbindd we'll need to
731 talk to the DC, so try and see if we can
732 contact it. Theoretically this isn't neccessary
733 as the init_dc_connection() in init_child_recv()
734 will do this, but we can start detecting the DC
736 set_domain_online_request(domain);
743 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
745 struct winbindd_domain *domain;
749 domain = find_domain_from_name_noinit( name );
753 sid_copy( &dom_sid, user_sid );
754 if ( !sid_split_rid( &dom_sid, &rid ) )
757 /* add the newly discovered trusted domain */
759 domain = add_trusted_domain( name, NULL, &cache_methods,
765 /* assume this is a trust from a one-way transitive
768 domain->active_directory = True;
769 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
770 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
771 domain->internal = False;
772 domain->online = True;
774 setup_domain_child(domain,
777 wcache_tdc_add_domain( domain );
783 * Given a domain name, return the struct winbindd domain info for it
785 * @note Do *not* pass lp_workgroup() to this function. domain_list
786 * may modify it's value, and free that pointer. Instead, our local
787 * domain may be found by calling find_our_domain().
791 * @return The domain structure for the named domain, if it is working.
794 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
796 struct winbindd_domain *domain;
798 /* Search through list */
800 for (domain = domain_list(); domain != NULL; domain = domain->next) {
801 if (strequal(domain_name, domain->name) ||
802 (domain->alt_name[0] &&
803 strequal(domain_name, domain->alt_name))) {
813 struct winbindd_domain *find_domain_from_name(const char *domain_name)
815 struct winbindd_domain *domain;
817 domain = find_domain_from_name_noinit(domain_name);
822 if (!domain->initialized)
823 init_dc_connection(domain);
828 /* Given a domain sid, return the struct winbindd domain info for it */
830 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
832 struct winbindd_domain *domain;
834 /* Search through list */
836 for (domain = domain_list(); domain != NULL; domain = domain->next) {
837 if (sid_compare_domain(sid, &domain->sid) == 0)
846 /* Given a domain sid, return the struct winbindd domain info for it */
848 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
850 struct winbindd_domain *domain;
852 domain = find_domain_from_sid_noinit(sid);
857 if (!domain->initialized)
858 init_dc_connection(domain);
863 struct winbindd_domain *find_our_domain(void)
865 struct winbindd_domain *domain;
867 /* Search through list */
869 for (domain = domain_list(); domain != NULL; domain = domain->next) {
874 smb_panic("Could not find our domain");
878 struct winbindd_domain *find_root_domain(void)
880 struct winbindd_domain *ours = find_our_domain();
885 if ( strlen(ours->forest_name) == 0 )
888 return find_domain_from_name( ours->forest_name );
891 struct winbindd_domain *find_builtin_domain(void)
894 struct winbindd_domain *domain;
896 string_to_sid(&sid, "S-1-5-32");
897 domain = find_domain_from_sid(&sid);
899 if (domain == NULL) {
900 smb_panic("Could not find BUILTIN domain");
906 /* Find the appropriate domain to lookup a name or SID */
908 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
910 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
912 if ( sid_check_is_in_unix_groups(sid) ||
913 sid_check_is_unix_groups(sid) ||
914 sid_check_is_in_unix_users(sid) ||
915 sid_check_is_unix_users(sid) )
917 return find_domain_from_sid(get_global_sam_sid());
920 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
921 * one to contact the external DC's. On member servers the internal
922 * domains are different: These are part of the local SAM. */
924 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
926 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
927 DEBUG(10, ("calling find_domain_from_sid\n"));
928 return find_domain_from_sid(sid);
931 /* On a member server a query for SID or name can always go to our
934 DEBUG(10, ("calling find_our_domain\n"));
935 return find_our_domain();
938 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
940 if ( strequal(domain_name, unix_users_domain_name() ) ||
941 strequal(domain_name, unix_groups_domain_name() ) )
943 return find_domain_from_name_noinit( get_global_sam_name() );
946 if (IS_DC || strequal(domain_name, "BUILTIN") ||
947 strequal(domain_name, get_global_sam_name()))
948 return find_domain_from_name_noinit(domain_name);
950 /* The "Unix User" and "Unix Group" domain our handled by passdb */
952 return find_our_domain();
955 /* Lookup a sid in a domain from a name */
957 bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
958 enum winbindd_cmd orig_cmd,
959 struct winbindd_domain *domain,
960 const char *domain_name,
961 const char *name, DOM_SID *sid,
962 enum lsa_SidType *type)
967 result = domain->methods->name_to_sid(domain, mem_ctx, orig_cmd,
968 domain_name, name, sid, type);
970 /* Return sid and type if lookup successful */
971 if (!NT_STATUS_IS_OK(result)) {
972 *type = SID_NAME_UNKNOWN;
975 return NT_STATUS_IS_OK(result);
979 * @brief Lookup a name in a domain from a sid.
981 * @param sid Security ID you want to look up.
982 * @param name On success, set to the name corresponding to @p sid.
983 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
984 * @param type On success, contains the type of name: alias, group or
986 * @retval True if the name exists, in which case @p name and @p type
987 * are set, otherwise False.
989 bool winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
990 struct winbindd_domain *domain,
994 enum lsa_SidType *type)
1003 result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
1005 /* Return name and type if successful */
1007 if (NT_STATUS_IS_OK(result)) {
1011 *type = SID_NAME_UNKNOWN;
1016 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
1018 void free_getent_state(struct getent_state *state)
1020 struct getent_state *temp;
1022 /* Iterate over state list */
1026 while(temp != NULL) {
1027 struct getent_state *next;
1029 /* Free sam entries then list entry */
1031 SAFE_FREE(state->sam_entries);
1032 DLIST_REMOVE(state, state);
1040 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1042 static bool assume_domain(const char *domain)
1044 /* never assume the domain on a standalone server */
1046 if ( lp_server_role() == ROLE_STANDALONE )
1049 /* domain member servers may possibly assume for the domain name */
1051 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1052 if ( !strequal(lp_workgroup(), domain) )
1055 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1059 /* only left with a domain controller */
1061 if ( strequal(get_global_sam_name(), domain) ) {
1068 /* Parse a string of the form DOMAIN\user into a domain and a user */
1070 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1072 char *p = strchr(domuser,*lp_winbind_separator());
1075 fstrcpy(user, domuser);
1077 if ( assume_domain(lp_workgroup())) {
1078 fstrcpy(domain, lp_workgroup());
1079 } else if ((p = strchr(domuser, '@')) != NULL) {
1080 fstrcpy(domain, "");
1086 fstrcpy(domain, domuser);
1087 domain[PTR_DIFF(p, domuser)] = 0;
1095 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1096 char **domain, char **user)
1098 fstring fstr_domain, fstr_user;
1099 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1102 *domain = talloc_strdup(mem_ctx, fstr_domain);
1103 *user = talloc_strdup(mem_ctx, fstr_user);
1104 return ((*domain != NULL) && (*user != NULL));
1107 /* Ensure an incoming username from NSS is fully qualified. Replace the
1108 incoming fstring with DOMAIN <separator> user. Returns the same
1109 values as parse_domain_user() but also replaces the incoming username.
1110 Used to ensure all names are fully qualified within winbindd.
1111 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1112 The protocol definitions of auth_crap, chng_pswd_auth_crap
1113 really should be changed to use this instead of doing things
1116 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1118 if (!parse_domain_user(username_inout, domain, user)) {
1121 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1122 domain, *lp_winbind_separator(),
1128 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1129 'winbind separator' options.
1131 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1134 If we are a PDC or BDC, and this is for our domain, do likewise.
1136 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1137 username is then unqualified in unix
1139 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1141 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1145 fstrcpy(tmp_user, user);
1146 strlower_m(tmp_user);
1148 if (can_assume && assume_domain(domain)) {
1149 strlcpy(name, tmp_user, sizeof(fstring));
1151 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1152 domain, *lp_winbind_separator(),
1158 * Winbindd socket accessor functions
1161 const char *get_winbind_pipe_dir(void)
1163 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1166 char *get_winbind_priv_pipe_dir(void)
1168 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1171 /* Open the winbindd socket */
1173 static int _winbindd_socket = -1;
1174 static int _winbindd_priv_socket = -1;
1176 int open_winbindd_socket(void)
1178 if (_winbindd_socket == -1) {
1179 _winbindd_socket = create_pipe_sock(
1180 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1181 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1185 return _winbindd_socket;
1188 int open_winbindd_priv_socket(void)
1190 if (_winbindd_priv_socket == -1) {
1191 _winbindd_priv_socket = create_pipe_sock(
1192 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1193 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1194 _winbindd_priv_socket));
1197 return _winbindd_priv_socket;
1200 /* Close the winbindd socket */
1202 void close_winbindd_socket(void)
1204 if (_winbindd_socket != -1) {
1205 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1207 close(_winbindd_socket);
1208 _winbindd_socket = -1;
1210 if (_winbindd_priv_socket != -1) {
1211 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1212 _winbindd_priv_socket));
1213 close(_winbindd_priv_socket);
1214 _winbindd_priv_socket = -1;
1219 * Client list accessor functions
1222 static struct winbindd_cli_state *_client_list;
1223 static int _num_clients;
1225 /* Return list of all connected clients */
1227 struct winbindd_cli_state *winbindd_client_list(void)
1229 return _client_list;
1232 /* Add a connection to the list */
1234 void winbindd_add_client(struct winbindd_cli_state *cli)
1236 DLIST_ADD(_client_list, cli);
1240 /* Remove a client from the list */
1242 void winbindd_remove_client(struct winbindd_cli_state *cli)
1244 DLIST_REMOVE(_client_list, cli);
1248 /* Close all open clients */
1250 void winbindd_kill_all_clients(void)
1252 struct winbindd_cli_state *cl = winbindd_client_list();
1254 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1257 struct winbindd_cli_state *next;
1260 winbindd_remove_client(cl);
1265 /* Return number of open clients */
1267 int winbindd_num_clients(void)
1269 return _num_clients;
1272 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1273 TALLOC_CTX *mem_ctx,
1274 const DOM_SID *user_sid,
1275 uint32 *p_num_groups, DOM_SID **user_sids)
1277 struct netr_SamInfo3 *info3 = NULL;
1278 NTSTATUS status = NT_STATUS_NO_MEMORY;
1279 size_t num_groups = 0;
1281 DEBUG(3,(": lookup_usergroups_cached\n"));
1286 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1288 if (info3 == NULL) {
1289 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1292 if (info3->base.groups.count == 0) {
1294 return NT_STATUS_UNSUCCESSFUL;
1297 /* Skip Domain local groups outside our domain.
1298 We'll get these from the getsidaliases() RPC call. */
1299 status = sid_array_from_info3(mem_ctx, info3,
1304 if (!NT_STATUS_IS_OK(status)) {
1310 *p_num_groups = num_groups;
1311 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1313 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1318 /*********************************************************************
1319 We use this to remove spaces from user and group names
1320 ********************************************************************/
1322 void ws_name_replace( char *name, char replace )
1324 char replace_char[2] = { 0x0, 0x0 };
1326 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1329 replace_char[0] = replace;
1330 all_string_sub( name, " ", replace_char, 0 );
1335 /*********************************************************************
1336 We use this to do the inverse of ws_name_replace()
1337 ********************************************************************/
1339 void ws_name_return( char *name, char replace )
1341 char replace_char[2] = { 0x0, 0x0 };
1343 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1346 replace_char[0] = replace;
1347 all_string_sub( name, replace_char, " ", 0 );
1352 /*********************************************************************
1353 ********************************************************************/
1355 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1357 struct winbindd_tdc_domain *tdc = NULL;
1358 TALLOC_CTX *frame = talloc_stackframe();
1361 /* We can contact the domain if it is our primary domain */
1363 if (domain->primary) {
1367 /* Trust the TDC cache and not the winbindd_domain flags */
1369 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1370 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1375 /* Can always contact a domain that is in out forest */
1377 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1383 * On a _member_ server, we cannot contact the domain if it
1384 * is running AD and we have no inbound trust.
1388 domain->active_directory &&
1389 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1391 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1392 "and we have no inbound trust.\n", domain->name));
1396 /* Assume everything else is ok (probably not true but what
1402 talloc_destroy(frame);
1407 /*********************************************************************
1408 ********************************************************************/
1410 bool winbindd_internal_child(struct winbindd_child *child)
1412 if ((child == idmap_child()) || (child == locator_child())) {
1419 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1421 /*********************************************************************
1422 ********************************************************************/
1424 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1427 char addr[INET6_ADDRSTRLEN];
1428 const char *kdc = NULL;
1431 if (!domain || !domain->alt_name || !*domain->alt_name) {
1435 if (domain->initialized && !domain->active_directory) {
1436 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1441 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1444 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1446 kdc = domain->dcname;
1449 if (!kdc || !*kdc) {
1450 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1455 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1456 domain->alt_name) == -1) {
1460 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1463 setenv(var, kdc, 1);
1467 /*********************************************************************
1468 ********************************************************************/
1470 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1472 struct winbindd_domain *our_dom = find_our_domain();
1474 winbindd_set_locator_kdc_env(domain);
1476 if (domain != our_dom) {
1477 winbindd_set_locator_kdc_env(our_dom);
1481 /*********************************************************************
1482 ********************************************************************/
1484 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1488 if (!domain || !domain->alt_name || !*domain->alt_name) {
1492 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1493 domain->alt_name) == -1) {
1502 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1507 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1512 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */