2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2002
7 Copyright (C) Volker Lendecke 2004,2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * We fork a child per domain to be able to act non-blocking in the main
25 * winbind daemon. A domain controller thousands of miles away being being
26 * slow replying with a 10.000 user list should not hold up netlogon calls
27 * that can be handled locally.
32 #include "nsswitch/wb_reqtrans.h"
34 #include "../lib/util/select.h"
35 #include "../libcli/security/security.h"
36 #include "system/select.h"
38 #include "../lib/util/tevent_unix.h"
41 #define DBGC_CLASS DBGC_WINBIND
43 extern bool override_logfile;
44 extern struct winbindd_methods cache_methods;
46 static struct winbindd_child *winbindd_children = NULL;
48 /* Read some data from a client connection */
50 static NTSTATUS child_read_request(struct winbindd_cli_state *state)
56 status = read_data(state->sock, (char *)state->request,
57 sizeof(*state->request));
59 if (!NT_STATUS_IS_OK(status)) {
60 DEBUG(3, ("child_read_request: read_data failed: %s\n",
65 if (state->request->extra_len == 0) {
66 state->request->extra_data.data = NULL;
70 DEBUG(10, ("Need to read %d extra bytes\n", (int)state->request->extra_len));
72 state->request->extra_data.data =
73 SMB_MALLOC_ARRAY(char, state->request->extra_len + 1);
75 if (state->request->extra_data.data == NULL) {
76 DEBUG(0, ("malloc failed\n"));
77 return NT_STATUS_NO_MEMORY;
80 /* Ensure null termination */
81 state->request->extra_data.data[state->request->extra_len] = '\0';
83 status= read_data(state->sock, state->request->extra_data.data,
84 state->request->extra_len);
86 if (!NT_STATUS_IS_OK(status)) {
87 DEBUG(0, ("Could not read extra data: %s\n",
94 * Do winbind child async request. This is not simply wb_simple_trans. We have
95 * to do the queueing ourselves because while a request is queued, the child
96 * might have crashed, and we have to re-fork it in the _trigger function.
99 struct wb_child_request_state {
100 struct tevent_context *ev;
101 struct winbindd_child *child;
102 struct winbindd_request *request;
103 struct winbindd_response *response;
106 static bool fork_domain_child(struct winbindd_child *child);
108 static void wb_child_request_trigger(struct tevent_req *req,
110 static void wb_child_request_done(struct tevent_req *subreq);
112 struct tevent_req *wb_child_request_send(TALLOC_CTX *mem_ctx,
113 struct tevent_context *ev,
114 struct winbindd_child *child,
115 struct winbindd_request *request)
117 struct tevent_req *req;
118 struct wb_child_request_state *state;
120 req = tevent_req_create(mem_ctx, &state,
121 struct wb_child_request_state);
127 state->child = child;
128 state->request = request;
130 if (!tevent_queue_add(child->queue, ev, req,
131 wb_child_request_trigger, NULL)) {
133 return tevent_req_post(req, ev);
138 static void wb_child_request_trigger(struct tevent_req *req,
141 struct wb_child_request_state *state = tevent_req_data(
142 req, struct wb_child_request_state);
143 struct tevent_req *subreq;
145 if ((state->child->sock == -1) && (!fork_domain_child(state->child))) {
146 tevent_req_error(req, errno);
150 subreq = wb_simple_trans_send(state, winbind_event_context(), NULL,
151 state->child->sock, state->request);
152 if (tevent_req_nomem(subreq, req)) {
155 tevent_req_set_callback(subreq, wb_child_request_done, req);
156 tevent_req_set_endtime(req, state->ev, timeval_current_ofs(300, 0));
159 static void wb_child_request_done(struct tevent_req *subreq)
161 struct tevent_req *req = tevent_req_callback_data(
162 subreq, struct tevent_req);
163 struct wb_child_request_state *state = tevent_req_data(
164 req, struct wb_child_request_state);
167 ret = wb_simple_trans_recv(subreq, state, &state->response, &err);
171 * The basic parent/child communication broke, close
174 close(state->child->sock);
175 state->child->sock = -1;
176 DLIST_REMOVE(winbindd_children, state->child);
177 tevent_req_error(req, err);
180 tevent_req_done(req);
183 int wb_child_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
184 struct winbindd_response **presponse, int *err)
186 struct wb_child_request_state *state = tevent_req_data(
187 req, struct wb_child_request_state);
189 if (tevent_req_is_unix_error(req, err)) {
192 *presponse = talloc_move(mem_ctx, &state->response);
196 static bool winbindd_child_busy(struct winbindd_child *child)
198 return tevent_queue_length(child->queue) > 0;
201 static struct winbindd_child *find_idle_child(struct winbindd_domain *domain)
205 for (i=0; i<lp_winbind_max_domain_connections(); i++) {
206 if (!winbindd_child_busy(&domain->children[i])) {
207 return &domain->children[i];
214 struct winbindd_child *choose_domain_child(struct winbindd_domain *domain)
216 struct winbindd_child *result;
218 result = find_idle_child(domain);
219 if (result != NULL) {
222 return &domain->children[rand() % lp_winbind_max_domain_connections()];
225 struct dcerpc_binding_handle *dom_child_handle(struct winbindd_domain *domain)
227 struct winbindd_child *child;
229 child = choose_domain_child(domain);
230 return child->binding_handle;
233 struct wb_domain_request_state {
234 struct tevent_context *ev;
235 struct winbindd_domain *domain;
236 struct winbindd_child *child;
237 struct winbindd_request *request;
238 struct winbindd_request *init_req;
239 struct winbindd_response *response;
242 static void wb_domain_request_gotdc(struct tevent_req *subreq);
243 static void wb_domain_request_initialized(struct tevent_req *subreq);
244 static void wb_domain_request_done(struct tevent_req *subreq);
246 struct tevent_req *wb_domain_request_send(TALLOC_CTX *mem_ctx,
247 struct tevent_context *ev,
248 struct winbindd_domain *domain,
249 struct winbindd_request *request)
251 struct tevent_req *req, *subreq;
252 struct wb_domain_request_state *state;
254 req = tevent_req_create(mem_ctx, &state,
255 struct wb_domain_request_state);
260 state->child = choose_domain_child(domain);
262 if (domain->initialized) {
263 subreq = wb_child_request_send(state, ev, state->child,
265 if (tevent_req_nomem(subreq, req)) {
266 return tevent_req_post(req, ev);
268 tevent_req_set_callback(subreq, wb_domain_request_done, req);
272 state->domain = domain;
274 state->request = request;
276 state->init_req = talloc_zero(state, struct winbindd_request);
277 if (tevent_req_nomem(state->init_req, req)) {
278 return tevent_req_post(req, ev);
281 if (IS_DC || domain->primary || domain->internal) {
282 /* The primary domain has to find the DC name itself */
283 state->init_req->cmd = WINBINDD_INIT_CONNECTION;
284 fstrcpy(state->init_req->domain_name, domain->name);
285 state->init_req->data.init_conn.is_primary = domain->primary;
286 fstrcpy(state->init_req->data.init_conn.dcname, "");
288 subreq = wb_child_request_send(state, ev, state->child,
290 if (tevent_req_nomem(subreq, req)) {
291 return tevent_req_post(req, ev);
293 tevent_req_set_callback(subreq, wb_domain_request_initialized,
299 * Ask our DC for a DC name
301 domain = find_our_domain();
303 /* This is *not* the primary domain, let's ask our DC about a DC
306 state->init_req->cmd = WINBINDD_GETDCNAME;
307 fstrcpy(state->init_req->domain_name, domain->name);
309 subreq = wb_child_request_send(state, ev, state->child, request);
310 if (tevent_req_nomem(subreq, req)) {
311 return tevent_req_post(req, ev);
313 tevent_req_set_callback(subreq, wb_domain_request_gotdc, req);
317 static void wb_domain_request_gotdc(struct tevent_req *subreq)
319 struct tevent_req *req = tevent_req_callback_data(
320 subreq, struct tevent_req);
321 struct wb_domain_request_state *state = tevent_req_data(
322 req, struct wb_domain_request_state);
323 struct winbindd_response *response;
326 ret = wb_child_request_recv(subreq, talloc_tos(), &response, &err);
329 tevent_req_error(req, err);
332 state->init_req->cmd = WINBINDD_INIT_CONNECTION;
333 fstrcpy(state->init_req->domain_name, state->domain->name);
334 state->init_req->data.init_conn.is_primary = False;
335 fstrcpy(state->init_req->data.init_conn.dcname,
336 response->data.dc_name);
338 TALLOC_FREE(response);
340 subreq = wb_child_request_send(state, state->ev, state->child,
342 if (tevent_req_nomem(subreq, req)) {
345 tevent_req_set_callback(subreq, wb_domain_request_initialized, req);
348 static void wb_domain_request_initialized(struct tevent_req *subreq)
350 struct tevent_req *req = tevent_req_callback_data(
351 subreq, struct tevent_req);
352 struct wb_domain_request_state *state = tevent_req_data(
353 req, struct wb_domain_request_state);
354 struct winbindd_response *response;
357 ret = wb_child_request_recv(subreq, talloc_tos(), &response, &err);
360 tevent_req_error(req, err);
364 if (!string_to_sid(&state->domain->sid,
365 response->data.domain_info.sid)) {
366 DEBUG(1,("init_child_recv: Could not convert sid %s "
367 "from string\n", response->data.domain_info.sid));
368 tevent_req_error(req, EINVAL);
371 fstrcpy(state->domain->name, response->data.domain_info.name);
372 fstrcpy(state->domain->alt_name, response->data.domain_info.alt_name);
373 state->domain->native_mode = response->data.domain_info.native_mode;
374 state->domain->active_directory =
375 response->data.domain_info.active_directory;
376 state->domain->initialized = true;
378 TALLOC_FREE(response);
380 subreq = wb_child_request_send(state, state->ev, state->child,
382 if (tevent_req_nomem(subreq, req)) {
385 tevent_req_set_callback(subreq, wb_domain_request_done, req);
388 static void wb_domain_request_done(struct tevent_req *subreq)
390 struct tevent_req *req = tevent_req_callback_data(
391 subreq, struct tevent_req);
392 struct wb_domain_request_state *state = tevent_req_data(
393 req, struct wb_domain_request_state);
396 ret = wb_child_request_recv(subreq, talloc_tos(), &state->response,
400 tevent_req_error(req, err);
403 tevent_req_done(req);
406 int wb_domain_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
407 struct winbindd_response **presponse, int *err)
409 struct wb_domain_request_state *state = tevent_req_data(
410 req, struct wb_domain_request_state);
412 if (tevent_req_is_unix_error(req, err)) {
415 *presponse = talloc_move(mem_ctx, &state->response);
419 static void child_process_request(struct winbindd_child *child,
420 struct winbindd_cli_state *state)
422 struct winbindd_domain *domain = child->domain;
423 const struct winbindd_child_dispatch_table *table = child->table;
425 /* Free response data - we may be interrupted and receive another
426 command before being able to send this data off. */
428 state->response->result = WINBINDD_ERROR;
429 state->response->length = sizeof(struct winbindd_response);
431 /* as all requests in the child are sync, we can use talloc_tos() */
432 state->mem_ctx = talloc_tos();
434 /* Process command */
436 for (; table->name; table++) {
437 if (state->request->cmd == table->struct_cmd) {
438 DEBUG(10,("child_process_request: request fn %s\n",
440 state->response->result = table->struct_fn(domain, state);
445 DEBUG(1, ("child_process_request: unknown request fn number %d\n",
446 (int)state->request->cmd));
447 state->response->result = WINBINDD_ERROR;
450 void setup_child(struct winbindd_domain *domain, struct winbindd_child *child,
451 const struct winbindd_child_dispatch_table *table,
452 const char *logprefix,
455 if (logprefix && logname) {
456 char *logbase = NULL;
461 if (asprintf(&logbase, "%s", lp_logfile()) < 0) {
462 smb_panic("Internal error: asprintf failed");
465 if ((end = strrchr_m(logbase, '/'))) {
469 if (asprintf(&logbase, "%s", get_dyn_LOGFILEBASE()) < 0) {
470 smb_panic("Internal error: asprintf failed");
474 if (asprintf(&child->logfilename, "%s/%s-%s",
475 logbase, logprefix, logname) < 0) {
477 smb_panic("Internal error: asprintf failed");
482 smb_panic("Internal error: logprefix == NULL && "
487 child->domain = domain;
488 child->table = table;
489 child->queue = tevent_queue_create(NULL, "winbind_child");
490 SMB_ASSERT(child->queue != NULL);
491 child->binding_handle = wbint_binding_handle(NULL, domain, child);
492 SMB_ASSERT(child->binding_handle != NULL);
495 void winbind_child_died(pid_t pid)
497 struct winbindd_child *child;
499 for (child = winbindd_children; child != NULL; child = child->next) {
500 if (child->pid == pid) {
506 DEBUG(5, ("Already reaped child %u died\n", (unsigned int)pid));
510 /* This will be re-added in fork_domain_child() */
512 DLIST_REMOVE(winbindd_children, child);
515 if (child->sock != -1) {
521 /* Ensure any negative cache entries with the netbios or realm names are removed. */
523 void winbindd_flush_negative_conn_cache(struct winbindd_domain *domain)
525 flush_negative_conn_cache_for_domain(domain->name);
526 if (*domain->alt_name) {
527 flush_negative_conn_cache_for_domain(domain->alt_name);
532 * Parent winbindd process sets its own debug level first and then
533 * sends a message to all the winbindd children to adjust their debug
534 * level to that of parents.
537 void winbind_msg_debug(struct messaging_context *msg_ctx,
540 struct server_id server_id,
543 struct winbindd_child *child;
545 DEBUG(10,("winbind_msg_debug: got debug message.\n"));
547 debug_message(msg_ctx, private_data, MSG_DEBUG, server_id, data);
549 for (child = winbindd_children; child != NULL; child = child->next) {
551 DEBUG(10,("winbind_msg_debug: sending message to pid %u.\n",
552 (unsigned int)child->pid));
554 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
557 strlen((char *) data->data) + 1);
561 /* Set our domains as offline and forward the offline message to our children. */
563 void winbind_msg_offline(struct messaging_context *msg_ctx,
566 struct server_id server_id,
569 struct winbindd_child *child;
570 struct winbindd_domain *domain;
572 DEBUG(10,("winbind_msg_offline: got offline message.\n"));
574 if (!lp_winbind_offline_logon()) {
575 DEBUG(10,("winbind_msg_offline: rejecting offline message.\n"));
579 /* Set our global state as offline. */
580 if (!set_global_winbindd_state_offline()) {
581 DEBUG(10,("winbind_msg_offline: offline request failed.\n"));
585 /* Set all our domains as offline. */
586 for (domain = domain_list(); domain; domain = domain->next) {
587 if (domain->internal) {
590 DEBUG(5,("winbind_msg_offline: marking %s offline.\n", domain->name));
591 set_domain_offline(domain);
594 for (child = winbindd_children; child != NULL; child = child->next) {
595 /* Don't send message to internal children. We've already
597 if (!child->domain || winbindd_internal_child(child)) {
601 /* Or internal domains (this should not be possible....) */
602 if (child->domain->internal) {
606 /* Each winbindd child should only process requests for one domain - make sure
607 we only set it online / offline for that domain. */
609 DEBUG(10,("winbind_msg_offline: sending message to pid %u for domain %s.\n",
610 (unsigned int)child->pid, domain->name ));
612 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
614 (uint8 *)child->domain->name,
615 strlen(child->domain->name)+1);
619 /* Set our domains as online and forward the online message to our children. */
621 void winbind_msg_online(struct messaging_context *msg_ctx,
624 struct server_id server_id,
627 struct winbindd_child *child;
628 struct winbindd_domain *domain;
630 DEBUG(10,("winbind_msg_online: got online message.\n"));
632 if (!lp_winbind_offline_logon()) {
633 DEBUG(10,("winbind_msg_online: rejecting online message.\n"));
637 /* Set our global state as online. */
638 set_global_winbindd_state_online();
640 smb_nscd_flush_user_cache();
641 smb_nscd_flush_group_cache();
643 /* Set all our domains as online. */
644 for (domain = domain_list(); domain; domain = domain->next) {
645 if (domain->internal) {
648 DEBUG(5,("winbind_msg_online: requesting %s to go online.\n", domain->name));
650 winbindd_flush_negative_conn_cache(domain);
651 set_domain_online_request(domain);
653 /* Send an online message to the idmap child when our
654 primary domain comes back online */
656 if ( domain->primary ) {
657 struct winbindd_child *idmap = idmap_child();
659 if ( idmap->pid != 0 ) {
660 messaging_send_buf(msg_ctx,
661 pid_to_procid(idmap->pid),
663 (uint8 *)domain->name,
664 strlen(domain->name)+1);
669 for (child = winbindd_children; child != NULL; child = child->next) {
670 /* Don't send message to internal childs. */
671 if (!child->domain || winbindd_internal_child(child)) {
675 /* Or internal domains (this should not be possible....) */
676 if (child->domain->internal) {
680 /* Each winbindd child should only process requests for one domain - make sure
681 we only set it online / offline for that domain. */
683 DEBUG(10,("winbind_msg_online: sending message to pid %u for domain %s.\n",
684 (unsigned int)child->pid, child->domain->name ));
686 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
688 (uint8 *)child->domain->name,
689 strlen(child->domain->name)+1);
693 static const char *collect_onlinestatus(TALLOC_CTX *mem_ctx)
695 struct winbindd_domain *domain;
698 if ((buf = talloc_asprintf(mem_ctx, "global:%s ",
699 get_global_winbindd_state_offline() ?
700 "Offline":"Online")) == NULL) {
704 for (domain = domain_list(); domain; domain = domain->next) {
705 if ((buf = talloc_asprintf_append_buffer(buf, "%s:%s ",
708 "Online":"Offline")) == NULL) {
713 buf = talloc_asprintf_append_buffer(buf, "\n");
715 DEBUG(5,("collect_onlinestatus: %s", buf));
720 void winbind_msg_onlinestatus(struct messaging_context *msg_ctx,
723 struct server_id server_id,
728 struct server_id *sender;
730 DEBUG(5,("winbind_msg_onlinestatus received.\n"));
736 sender = (struct server_id *)data->data;
738 mem_ctx = talloc_init("winbind_msg_onlinestatus");
739 if (mem_ctx == NULL) {
743 message = collect_onlinestatus(mem_ctx);
744 if (message == NULL) {
745 talloc_destroy(mem_ctx);
749 messaging_send_buf(msg_ctx, *sender, MSG_WINBIND_ONLINESTATUS,
750 (const uint8 *)message, strlen(message) + 1);
752 talloc_destroy(mem_ctx);
755 void winbind_msg_dump_event_list(struct messaging_context *msg_ctx,
758 struct server_id server_id,
761 struct winbindd_child *child;
763 DEBUG(10,("winbind_msg_dump_event_list received\n"));
765 dump_event_list(winbind_event_context());
767 for (child = winbindd_children; child != NULL; child = child->next) {
769 DEBUG(10,("winbind_msg_dump_event_list: sending message to pid %u\n",
770 (unsigned int)child->pid));
772 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
779 void winbind_msg_dump_domain_list(struct messaging_context *msg_ctx,
782 struct server_id server_id,
786 const char *message = NULL;
787 struct server_id *sender = NULL;
788 const char *domain = NULL;
791 struct winbindd_domain *dom = NULL;
793 DEBUG(5,("winbind_msg_dump_domain_list received.\n"));
795 if (!data || !data->data) {
799 if (data->length < sizeof(struct server_id)) {
803 mem_ctx = talloc_init("winbind_msg_dump_domain_list");
808 sender = (struct server_id *)data->data;
809 if (data->length > sizeof(struct server_id)) {
810 domain = (const char *)data->data+sizeof(struct server_id);
815 DEBUG(5,("winbind_msg_dump_domain_list for domain: %s\n",
818 message = NDR_PRINT_STRUCT_STRING(mem_ctx, winbindd_domain,
819 find_domain_from_name_noinit(domain));
821 talloc_destroy(mem_ctx);
825 messaging_send_buf(msg_ctx, *sender,
826 MSG_WINBIND_DUMP_DOMAIN_LIST,
827 (const uint8_t *)message, strlen(message) + 1);
829 talloc_destroy(mem_ctx);
834 DEBUG(5,("winbind_msg_dump_domain_list all domains\n"));
836 for (dom = domain_list(); dom; dom=dom->next) {
837 message = NDR_PRINT_STRUCT_STRING(mem_ctx, winbindd_domain, dom);
839 talloc_destroy(mem_ctx);
843 s = talloc_asprintf_append(s, "%s\n", message);
845 talloc_destroy(mem_ctx);
850 status = messaging_send_buf(msg_ctx, *sender,
851 MSG_WINBIND_DUMP_DOMAIN_LIST,
852 (uint8_t *)s, strlen(s) + 1);
853 if (!NT_STATUS_IS_OK(status)) {
854 DEBUG(0,("failed to send message: %s\n",
858 talloc_destroy(mem_ctx);
861 static void account_lockout_policy_handler(struct event_context *ctx,
862 struct timed_event *te,
866 struct winbindd_child *child =
867 (struct winbindd_child *)private_data;
868 TALLOC_CTX *mem_ctx = NULL;
869 struct winbindd_methods *methods;
870 struct samr_DomInfo12 lockout_policy;
873 DEBUG(10,("account_lockout_policy_handler called\n"));
875 TALLOC_FREE(child->lockout_policy_event);
877 if ( !winbindd_can_contact_domain( child->domain ) ) {
878 DEBUG(10,("account_lockout_policy_handler: Removing myself since I "
879 "do not have an incoming trust to domain %s\n",
880 child->domain->name));
885 methods = child->domain->methods;
887 mem_ctx = talloc_init("account_lockout_policy_handler ctx");
889 result = NT_STATUS_NO_MEMORY;
891 result = methods->lockout_policy(child->domain, mem_ctx, &lockout_policy);
893 TALLOC_FREE(mem_ctx);
895 if (!NT_STATUS_IS_OK(result)) {
896 DEBUG(10,("account_lockout_policy_handler: lockout_policy failed error %s\n",
900 child->lockout_policy_event = event_add_timed(winbind_event_context(), NULL,
901 timeval_current_ofs(3600, 0),
902 account_lockout_policy_handler,
906 static time_t get_machine_password_timeout(void)
908 /* until we have gpo support use lp setting */
909 return lp_machine_password_timeout();
912 static bool calculate_next_machine_pwd_change(const char *domain,
915 time_t pass_last_set_time;
921 pw = secrets_fetch_machine_password(domain,
926 DEBUG(0,("cannot fetch own machine password ????"));
932 timeout = get_machine_password_timeout();
934 DEBUG(10,("machine password never expires\n"));
938 tv.tv_sec = pass_last_set_time;
939 DEBUG(10, ("password last changed %s\n",
940 timeval_string(talloc_tos(), &tv, false)));
941 tv.tv_sec += timeout;
942 DEBUGADD(10, ("password valid until %s\n",
943 timeval_string(talloc_tos(), &tv, false)));
945 if (time(NULL) < (pass_last_set_time + timeout)) {
946 next_change = pass_last_set_time + timeout;
947 DEBUG(10,("machine password still valid until: %s\n",
948 http_timestring(talloc_tos(), next_change)));
949 *t = timeval_set(next_change, 0);
951 if (lp_clustering()) {
954 * When having a cluster, we have several
955 * winbinds racing for the password change. In
956 * the machine_password_change_handler()
957 * function we check if someone else was
958 * faster when the event triggers. We add a
959 * 255-second random delay here, so that we
960 * don't run to change the password at the
963 generate_random_buffer(&randbuf, sizeof(randbuf));
964 DEBUG(10, ("adding %d seconds randomness\n",
966 t->tv_sec += randbuf;
971 DEBUG(10,("machine password expired, needs immediate change\n"));
978 static void machine_password_change_handler(struct event_context *ctx,
979 struct timed_event *te,
983 struct winbindd_child *child =
984 (struct winbindd_child *)private_data;
985 struct rpc_pipe_client *netlogon_pipe = NULL;
988 struct timeval next_change;
990 DEBUG(10,("machine_password_change_handler called\n"));
992 TALLOC_FREE(child->machine_password_change_event);
994 if (!calculate_next_machine_pwd_change(child->domain->name,
996 DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
1000 DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
1001 timeval_string(talloc_tos(), &next_change, false)));
1003 if (!timeval_expired(&next_change)) {
1004 DEBUG(10, ("Someone else has already changed the pw\n"));
1008 if (!winbindd_can_contact_domain(child->domain)) {
1009 DEBUG(10,("machine_password_change_handler: Removing myself since I "
1010 "do not have an incoming trust to domain %s\n",
1011 child->domain->name));
1015 result = cm_connect_netlogon(child->domain, &netlogon_pipe);
1016 if (!NT_STATUS_IS_OK(result)) {
1017 DEBUG(10,("machine_password_change_handler: "
1018 "failed to connect netlogon pipe: %s\n",
1019 nt_errstr(result)));
1023 frame = talloc_stackframe();
1025 result = trust_pw_find_change_and_store_it(netlogon_pipe,
1027 child->domain->name);
1030 DEBUG(10, ("machine_password_change_handler: "
1031 "trust_pw_find_change_and_store_it returned %s\n",
1032 nt_errstr(result)));
1034 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1035 DEBUG(3,("machine_password_change_handler: password set returned "
1036 "ACCESS_DENIED. Maybe the trust account "
1037 "password was changed and we didn't know it. "
1038 "Killing connections to domain %s\n",
1039 child->domain->name));
1040 TALLOC_FREE(child->domain->conn.netlogon_pipe);
1043 if (!calculate_next_machine_pwd_change(child->domain->name,
1045 DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
1049 DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
1050 timeval_string(talloc_tos(), &next_change, false)));
1052 if (!NT_STATUS_IS_OK(result)) {
1055 * In case of failure, give the DC a minute to recover
1057 tmp = timeval_current_ofs(60, 0);
1058 next_change = timeval_max(&next_change, &tmp);
1062 child->machine_password_change_event = event_add_timed(winbind_event_context(), NULL,
1064 machine_password_change_handler,
1068 /* Deal with a request to go offline. */
1070 static void child_msg_offline(struct messaging_context *msg,
1073 struct server_id server_id,
1076 struct winbindd_domain *domain;
1077 struct winbindd_domain *primary_domain = NULL;
1078 const char *domainname = (const char *)data->data;
1080 if (data->data == NULL || data->length == 0) {
1084 DEBUG(5,("child_msg_offline received for domain %s.\n", domainname));
1086 if (!lp_winbind_offline_logon()) {
1087 DEBUG(10,("child_msg_offline: rejecting offline message.\n"));
1091 primary_domain = find_our_domain();
1093 /* Mark the requested domain offline. */
1095 for (domain = domain_list(); domain; domain = domain->next) {
1096 if (domain->internal) {
1099 if (strequal(domain->name, domainname)) {
1100 DEBUG(5,("child_msg_offline: marking %s offline.\n", domain->name));
1101 set_domain_offline(domain);
1102 /* we are in the trusted domain, set the primary domain
1104 if (domain != primary_domain) {
1105 set_domain_offline(primary_domain);
1111 /* Deal with a request to go online. */
1113 static void child_msg_online(struct messaging_context *msg,
1116 struct server_id server_id,
1119 struct winbindd_domain *domain;
1120 struct winbindd_domain *primary_domain = NULL;
1121 const char *domainname = (const char *)data->data;
1123 if (data->data == NULL || data->length == 0) {
1127 DEBUG(5,("child_msg_online received for domain %s.\n", domainname));
1129 if (!lp_winbind_offline_logon()) {
1130 DEBUG(10,("child_msg_online: rejecting online message.\n"));
1134 primary_domain = find_our_domain();
1136 /* Set our global state as online. */
1137 set_global_winbindd_state_online();
1139 /* Try and mark everything online - delete any negative cache entries
1140 to force a reconnect now. */
1142 for (domain = domain_list(); domain; domain = domain->next) {
1143 if (domain->internal) {
1146 if (strequal(domain->name, domainname)) {
1147 DEBUG(5,("child_msg_online: requesting %s to go online.\n", domain->name));
1148 winbindd_flush_negative_conn_cache(domain);
1149 set_domain_online_request(domain);
1151 /* we can be in trusted domain, which will contact primary domain
1152 * we have to bring primary domain online in trusted domain process
1153 * see, winbindd_dual_pam_auth() --> winbindd_dual_pam_auth_samlogon()
1154 * --> contact_domain = find_our_domain()
1156 if (domain != primary_domain) {
1157 winbindd_flush_negative_conn_cache(primary_domain);
1158 set_domain_online_request(primary_domain);
1164 static void child_msg_dump_event_list(struct messaging_context *msg,
1167 struct server_id server_id,
1170 DEBUG(5,("child_msg_dump_event_list received\n"));
1172 dump_event_list(winbind_event_context());
1175 NTSTATUS winbindd_reinit_after_fork(const struct winbindd_child *myself,
1176 const char *logfilename)
1178 struct winbindd_domain *domain;
1179 struct winbindd_child *cl;
1182 status = reinit_after_fork(
1183 winbind_messaging_context(),
1184 winbind_event_context(),
1186 if (!NT_STATUS_IS_OK(status)) {
1187 DEBUG(0,("reinit_after_fork() failed\n"));
1191 close_conns_after_fork();
1193 if (!override_logfile && logfilename) {
1194 lp_set_logfile(logfilename);
1198 if (!winbindd_setup_sig_term_handler(false))
1199 return NT_STATUS_NO_MEMORY;
1200 if (!winbindd_setup_sig_hup_handler(override_logfile ? NULL :
1202 return NT_STATUS_NO_MEMORY;
1204 /* Stop zombies in children */
1207 /* Don't handle the same messages as our parent. */
1208 messaging_deregister(winbind_messaging_context(),
1209 MSG_SMB_CONF_UPDATED, NULL);
1210 messaging_deregister(winbind_messaging_context(),
1211 MSG_SHUTDOWN, NULL);
1212 messaging_deregister(winbind_messaging_context(),
1213 MSG_WINBIND_OFFLINE, NULL);
1214 messaging_deregister(winbind_messaging_context(),
1215 MSG_WINBIND_ONLINE, NULL);
1216 messaging_deregister(winbind_messaging_context(),
1217 MSG_WINBIND_ONLINESTATUS, NULL);
1218 messaging_deregister(winbind_messaging_context(),
1219 MSG_DUMP_EVENT_LIST, NULL);
1220 messaging_deregister(winbind_messaging_context(),
1221 MSG_WINBIND_DUMP_DOMAIN_LIST, NULL);
1222 messaging_deregister(winbind_messaging_context(),
1225 /* We have destroyed all events in the winbindd_event_context
1226 * in reinit_after_fork(), so clean out all possible pending
1227 * event pointers. */
1229 /* Deal with check_online_events. */
1231 for (domain = domain_list(); domain; domain = domain->next) {
1232 TALLOC_FREE(domain->check_online_event);
1235 /* Ensure we're not handling a credential cache event inherited
1236 * from our parent. */
1238 ccache_remove_all_after_fork();
1240 /* Destroy all possible events in child list. */
1241 for (cl = winbindd_children; cl != NULL; cl = cl->next) {
1242 TALLOC_FREE(cl->lockout_policy_event);
1243 TALLOC_FREE(cl->machine_password_change_event);
1245 /* Children should never be able to send
1246 * each other messages, all messages must
1247 * go through the parent.
1252 * Close service sockets to all other children
1254 if ((cl != myself) && (cl->sock != -1)) {
1260 * This is a little tricky, children must not
1261 * send an MSG_WINBIND_ONLINE message to idmap_child().
1262 * If we are in a child of our primary domain or
1263 * in the process created by fork_child_dc_connect(),
1264 * and the primary domain cannot go online,
1265 * fork_child_dc_connection() sends MSG_WINBIND_ONLINE
1266 * periodically to idmap_child().
1268 * The sequence is, fork_child_dc_connect() ---> getdcs() --->
1269 * get_dc_name_via_netlogon() ---> cm_connect_netlogon()
1270 * ---> init_dc_connection() ---> cm_open_connection --->
1271 * set_domain_online(), sends MSG_WINBIND_ONLINE to
1272 * idmap_child(). Disallow children sending messages
1273 * to each other, all messages must go through the parent.
1278 return NT_STATUS_OK;
1282 * In a child there will be only one domain, reference that here.
1284 static struct winbindd_domain *child_domain;
1286 struct winbindd_domain *wb_child_domain(void)
1288 return child_domain;
1291 static bool fork_domain_child(struct winbindd_child *child)
1294 struct winbindd_cli_state state;
1295 struct winbindd_request request;
1296 struct winbindd_response response;
1297 struct winbindd_domain *primary_domain = NULL;
1301 if (child->domain) {
1302 DEBUG(10, ("fork_domain_child called for domain '%s'\n",
1303 child->domain->name));
1305 DEBUG(10, ("fork_domain_child called without domain.\n"));
1308 if (socketpair(AF_UNIX, SOCK_STREAM, 0, fdpair) != 0) {
1309 DEBUG(0, ("Could not open child pipe: %s\n",
1315 state.pid = getpid();
1316 state.request = &request;
1317 state.response = &response;
1319 child->pid = fork();
1321 if (child->pid == -1) {
1322 DEBUG(0, ("Could not fork: %s\n", strerror(errno)));
1326 if (child->pid != 0) {
1332 nread = sys_read(fdpair[1], &status, sizeof(status));
1333 if (nread != sizeof(status)) {
1334 DEBUG(1, ("fork_domain_child: Could not read child status: "
1335 "nread=%d, error=%s\n", (int)nread,
1340 if (!NT_STATUS_IS_OK(status)) {
1341 DEBUG(1, ("fork_domain_child: Child status is %s\n",
1342 nt_errstr(status)));
1347 child->next = child->prev = NULL;
1348 DLIST_ADD(winbindd_children, child);
1349 child->sock = fdpair[1];
1354 child_domain = child->domain;
1356 DEBUG(10, ("Child process %d\n", (int)getpid()));
1358 state.sock = fdpair[0];
1361 status = winbindd_reinit_after_fork(child, child->logfilename);
1363 nwritten = sys_write(state.sock, &status, sizeof(status));
1364 if (nwritten != sizeof(status)) {
1365 DEBUG(1, ("fork_domain_child: Could not write status: "
1366 "nwritten=%d, error=%s\n", (int)nwritten,
1370 if (!NT_STATUS_IS_OK(status)) {
1371 DEBUG(1, ("winbindd_reinit_after_fork failed: %s\n",
1372 nt_errstr(status)));
1376 /* Handle online/offline messages. */
1377 messaging_register(winbind_messaging_context(), NULL,
1378 MSG_WINBIND_OFFLINE, child_msg_offline);
1379 messaging_register(winbind_messaging_context(), NULL,
1380 MSG_WINBIND_ONLINE, child_msg_online);
1381 messaging_register(winbind_messaging_context(), NULL,
1382 MSG_DUMP_EVENT_LIST, child_msg_dump_event_list);
1383 messaging_register(winbind_messaging_context(), NULL,
1384 MSG_DEBUG, debug_message);
1385 messaging_register(winbind_messaging_context(), NULL,
1386 MSG_WINBIND_IP_DROPPED,
1387 winbind_msg_ip_dropped);
1390 primary_domain = find_our_domain();
1392 if (primary_domain == NULL) {
1393 smb_panic("no primary domain found");
1396 /* It doesn't matter if we allow cache login,
1397 * try to bring domain online after fork. */
1398 if ( child->domain ) {
1399 child->domain->startup = True;
1400 child->domain->startup_time = time_mono(NULL);
1401 /* we can be in primary domain or in trusted domain
1402 * If we are in trusted domain, set the primary domain
1403 * in start-up mode */
1404 if (!(child->domain->internal)) {
1405 set_domain_online_request(child->domain);
1406 if (!(child->domain->primary)) {
1407 primary_domain->startup = True;
1408 primary_domain->startup_time = time_mono(NULL);
1409 set_domain_online_request(primary_domain);
1415 * We are in idmap child, make sure that we set the
1416 * check_online_event to bring primary domain online.
1418 if (child == idmap_child()) {
1419 set_domain_online_request(primary_domain);
1422 /* We might be in the idmap child...*/
1423 if (child->domain && !(child->domain->internal) &&
1424 lp_winbind_offline_logon()) {
1426 set_domain_online_request(child->domain);
1428 if (primary_domain && (primary_domain != child->domain)) {
1429 /* We need to talk to the primary
1430 * domain as well as the trusted
1431 * domain inside a trusted domain
1434 * set_dc_type_and_flags_trustinfo()
1437 set_domain_online_request(primary_domain);
1440 child->lockout_policy_event = event_add_timed(
1441 winbind_event_context(), NULL, timeval_zero(),
1442 account_lockout_policy_handler,
1446 if (child->domain && child->domain->primary &&
1447 !USE_KERBEROS_KEYTAB &&
1448 lp_server_role() == ROLE_DOMAIN_MEMBER) {
1450 struct timeval next_change;
1452 if (calculate_next_machine_pwd_change(child->domain->name,
1454 child->machine_password_change_event = event_add_timed(
1455 winbind_event_context(), NULL, next_change,
1456 machine_password_change_handler,
1464 struct pollfd *pfds;
1469 TALLOC_CTX *frame = talloc_stackframe();
1470 struct iovec iov[2];
1473 if (run_events_poll(winbind_event_context(), 0, NULL, 0)) {
1478 if (child->domain && child->domain->startup &&
1479 (time_mono(NULL) > child->domain->startup_time + 30)) {
1480 /* No longer in "startup" mode. */
1481 DEBUG(10,("fork_domain_child: domain %s no longer in 'startup' mode.\n",
1482 child->domain->name ));
1483 child->domain->startup = False;
1486 pfds = talloc_zero(talloc_tos(), struct pollfd);
1488 DEBUG(1, ("talloc failed\n"));
1492 pfds->fd = state.sock;
1493 pfds->events = POLLIN|POLLHUP;
1498 if (!event_add_to_poll_args(
1499 winbind_event_context(), talloc_tos(),
1500 &pfds, &num_pfds, &timeout)) {
1501 DEBUG(1, ("event_add_to_poll_args failed\n"));
1504 tp = get_timed_events_timeout(winbind_event_context(), &t);
1506 DEBUG(11,("select will use timeout of %u.%u seconds\n",
1507 (unsigned int)tp->tv_sec, (unsigned int)tp->tv_usec ));
1510 ret = poll(pfds, num_pfds, timeout);
1512 if (run_events_poll(winbind_event_context(), ret,
1514 /* We got a signal - continue. */
1522 DEBUG(11,("nothing is ready yet, continue\n"));
1527 if (ret == -1 && errno == EINTR) {
1528 /* We got a signal - continue. */
1533 if (ret == -1 && errno != EINTR) {
1534 DEBUG(0,("poll error occured\n"));
1540 /* fetch a request from the main daemon */
1541 status = child_read_request(&state);
1543 if (!NT_STATUS_IS_OK(status)) {
1544 /* we lost contact with our parent */
1548 DEBUG(4,("child daemon request %d\n", (int)state.request->cmd));
1550 ZERO_STRUCTP(state.response);
1551 state.request->null_term = '\0';
1552 state.mem_ctx = frame;
1553 child_process_request(child, &state);
1555 DEBUG(4, ("Finished processing child request %d\n",
1556 (int)state.request->cmd));
1558 SAFE_FREE(state.request->extra_data.data);
1560 iov[0].iov_base = (void *)state.response;
1561 iov[0].iov_len = sizeof(struct winbindd_response);
1564 if (state.response->length > sizeof(struct winbindd_response)) {
1566 (void *)state.response->extra_data.data;
1567 iov[1].iov_len = state.response->length-iov[0].iov_len;
1571 DEBUG(10, ("Writing %d bytes to parent\n",
1572 (int)state.response->length));
1574 if (write_data_iov(state.sock, iov, iov_count) !=
1575 state.response->length) {
1576 DEBUG(0, ("Could not write result\n"));
1583 void winbind_msg_ip_dropped_parent(struct messaging_context *msg_ctx,
1586 struct server_id server_id,
1589 struct winbindd_child *child;
1591 winbind_msg_ip_dropped(msg_ctx, private_data, msg_type,
1595 for (child = winbindd_children; child != NULL; child = child->next) {
1596 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
1597 msg_type, data->data, data->length);
git.samba.org / samba.git / blob