2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
35 * @file winbindd_util.c
37 * Winbind daemon for NT domain authentication nss module.
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
46 static struct winbindd_domain *_domain_list = NULL;
48 struct winbindd_domain *domain_list(void)
52 if ((!_domain_list) && (!init_domain_list())) {
53 smb_panic("Init_domain_list failed");
59 /* Free all entries in the trusted domain list */
61 void free_domain_list(void)
63 struct winbindd_domain *domain = _domain_list;
66 struct winbindd_domain *next = domain->next;
68 DLIST_REMOVE(_domain_list, domain);
74 static bool is_internal_domain(const DOM_SID *sid)
80 return sid_check_is_builtin(sid);
82 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
85 static bool is_in_internal_domain(const DOM_SID *sid)
91 return sid_check_is_in_builtin(sid);
93 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
97 /* Add a trusted domain to our list of domains */
98 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
99 struct winbindd_methods *methods,
102 struct winbindd_domain *domain;
103 const char *alternative_name = NULL;
104 char *idmap_config_option;
106 const char **ignored_domains, **dom;
108 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
109 for (dom=ignored_domains; dom && *dom; dom++) {
110 if (gen_fnmatch(*dom, domain_name) == 0) {
111 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
116 /* ignore alt_name if we are not in an AD domain */
118 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
119 alternative_name = alt_name;
122 /* We can't call domain_list() as this function is called from
123 init_domain_list() and we'll get stuck in a loop. */
124 for (domain = _domain_list; domain; domain = domain->next) {
125 if (strequal(domain_name, domain->name) ||
126 strequal(domain_name, domain->alt_name))
131 if (alternative_name && *alternative_name)
133 if (strequal(alternative_name, domain->name) ||
134 strequal(alternative_name, domain->alt_name))
142 if (is_null_sid(sid)) {
146 if (sid_equal(sid, &domain->sid)) {
152 /* See if we found a match. Check if we need to update the
155 if ( domain && sid) {
156 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
157 sid_copy( &domain->sid, sid );
162 /* Create new domain entry */
164 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
169 ZERO_STRUCTP(domain);
171 fstrcpy(domain->name, domain_name);
172 if (alternative_name) {
173 fstrcpy(domain->alt_name, alternative_name);
176 domain->methods = methods;
177 domain->backend = NULL;
178 domain->internal = is_internal_domain(sid);
179 domain->sequence_number = DOM_SEQUENCE_NONE;
180 domain->last_seq_check = 0;
181 domain->initialized = False;
182 domain->online = is_internal_domain(sid);
183 domain->check_online_timeout = 0;
184 domain->dc_probe_pid = (pid_t)-1;
186 sid_copy(&domain->sid, sid);
189 /* Link to domain list */
190 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
192 wcache_tdc_add_domain( domain );
194 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
196 if (idmap_config_option == NULL) {
197 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
201 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
203 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
204 param ? param : "not defined"));
207 unsigned low_id, high_id;
208 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
209 DEBUG(1, ("invalid range syntax in %s: %s\n",
210 idmap_config_option, param));
213 if (low_id > high_id) {
214 DEBUG(1, ("invalid range in %s: %s\n",
215 idmap_config_option, param));
218 domain->have_idmap_config = true;
219 domain->id_range_low = low_id;
220 domain->id_range_high = high_id;
225 DEBUG(2,("Added domain %s %s %s\n",
226 domain->name, domain->alt_name,
227 &domain->sid?sid_string_dbg(&domain->sid):""));
232 /********************************************************************
233 rescan our domains looking for new trusted domains
234 ********************************************************************/
236 struct trustdom_state {
240 struct winbindd_response *response;
243 static void trustdom_recv(void *private_data, bool success);
244 static void rescan_forest_root_trusts( void );
245 static void rescan_forest_trusts( void );
247 static void add_trusted_domains( struct winbindd_domain *domain )
250 struct winbindd_request *request;
251 struct winbindd_response *response;
252 uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
254 struct trustdom_state *state;
256 mem_ctx = talloc_init("add_trusted_domains");
257 if (mem_ctx == NULL) {
258 DEBUG(0, ("talloc_init failed\n"));
262 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
263 response = TALLOC_P(mem_ctx, struct winbindd_response);
264 state = TALLOC_P(mem_ctx, struct trustdom_state);
266 if ((request == NULL) || (response == NULL) || (state == NULL)) {
267 DEBUG(0, ("talloc failed\n"));
268 talloc_destroy(mem_ctx);
272 state->mem_ctx = mem_ctx;
273 state->response = response;
275 /* Flags used to know how to continue the forest trust search */
277 state->primary = domain->primary;
278 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
280 request->length = sizeof(*request);
281 request->cmd = WINBINDD_LIST_TRUSTDOM;
283 async_domain_request(mem_ctx, domain, request, response,
284 trustdom_recv, state);
287 static void trustdom_recv(void *private_data, bool success)
289 struct trustdom_state *state =
290 talloc_get_type_abort(private_data, struct trustdom_state);
291 struct winbindd_response *response = state->response;
294 if ((!success) || (response->result != WINBINDD_OK)) {
295 DEBUG(1, ("Could not receive trustdoms\n"));
296 talloc_destroy(state->mem_ctx);
300 p = (char *)response->extra_data.data;
302 while ((p != NULL) && (*p != '\0')) {
303 char *q, *sidstr, *alt_name;
305 struct winbindd_domain *domain;
306 char *alternate_name = NULL;
308 alt_name = strchr(p, '\\');
309 if (alt_name == NULL) {
310 DEBUG(0, ("Got invalid trustdom response\n"));
317 sidstr = strchr(alt_name, '\\');
318 if (sidstr == NULL) {
319 DEBUG(0, ("Got invalid trustdom response\n"));
326 q = strchr(sidstr, '\n');
330 if (!string_to_sid(&sid, sidstr)) {
331 /* Allow NULL sid for sibling domains */
332 if ( strcmp(sidstr,"S-0-0") == 0) {
333 sid_copy( &sid, &global_sid_NULL);
335 DEBUG(0, ("Got invalid trustdom response\n"));
340 /* use the real alt_name if we have one, else pass in NULL */
342 if ( !strequal( alt_name, "(null)" ) )
343 alternate_name = alt_name;
345 /* If we have an existing domain structure, calling
346 add_trusted_domain() will update the SID if
347 necessary. This is important because we need the
348 SID for sibling domains */
350 if ( find_domain_from_name_noinit(p) != NULL ) {
351 domain = add_trusted_domain(p, alternate_name,
355 domain = add_trusted_domain(p, alternate_name,
359 setup_domain_child(domain,
369 Cases to consider when scanning trusts:
370 (a) we are calling from a child domain (primary && !forest_root)
371 (b) we are calling from the root of the forest (primary && forest_root)
372 (c) we are calling from a trusted forest domain (!primary
376 if ( state->primary ) {
377 /* If this is our primary domain and we are not in the
378 forest root, we have to scan the root trusts first */
380 if ( !state->forest_root )
381 rescan_forest_root_trusts();
383 rescan_forest_trusts();
385 } else if ( state->forest_root ) {
386 /* Once we have done root forest trust search, we can
387 go on to search the trusted forests */
389 rescan_forest_trusts();
392 talloc_destroy(state->mem_ctx);
397 /********************************************************************
398 Scan the trusts of our forest root
399 ********************************************************************/
401 static void rescan_forest_root_trusts( void )
403 struct winbindd_tdc_domain *dom_list = NULL;
404 size_t num_trusts = 0;
407 /* The only transitive trusts supported by Windows 2003 AD are
408 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
409 first two are handled in forest and listed by
410 DsEnumerateDomainTrusts(). Forest trusts are not so we
411 have to do that ourselves. */
413 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
416 for ( i=0; i<num_trusts; i++ ) {
417 struct winbindd_domain *d = NULL;
419 /* Find the forest root. Don't necessarily trust
420 the domain_list() as our primary domain may not
421 have been initialized. */
423 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
427 /* Here's the forest root */
429 d = find_domain_from_name_noinit( dom_list[i].domain_name );
432 d = add_trusted_domain( dom_list[i].domain_name,
433 dom_list[i].dns_name,
442 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
443 "for domain tree root %s (%s)\n",
444 d->name, d->alt_name ));
446 d->domain_flags = dom_list[i].trust_flags;
447 d->domain_type = dom_list[i].trust_type;
448 d->domain_trust_attribs = dom_list[i].trust_attribs;
450 add_trusted_domains( d );
455 TALLOC_FREE( dom_list );
460 /********************************************************************
461 scan the transitive forest trusts (not our own)
462 ********************************************************************/
465 static void rescan_forest_trusts( void )
467 struct winbindd_domain *d = NULL;
468 struct winbindd_tdc_domain *dom_list = NULL;
469 size_t num_trusts = 0;
472 /* The only transitive trusts supported by Windows 2003 AD are
473 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
474 first two are handled in forest and listed by
475 DsEnumerateDomainTrusts(). Forest trusts are not so we
476 have to do that ourselves. */
478 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
481 for ( i=0; i<num_trusts; i++ ) {
482 uint32 flags = dom_list[i].trust_flags;
483 uint32 type = dom_list[i].trust_type;
484 uint32 attribs = dom_list[i].trust_attribs;
486 d = find_domain_from_name_noinit( dom_list[i].domain_name );
488 /* ignore our primary and internal domains */
490 if ( d && (d->internal || d->primary ) )
493 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
494 (type == NETR_TRUST_TYPE_UPLEVEL) &&
495 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
497 /* add the trusted domain if we don't know
501 d = add_trusted_domain( dom_list[i].domain_name,
502 dom_list[i].dns_name,
511 DEBUG(10,("Following trust path for domain %s (%s)\n",
512 d->name, d->alt_name ));
513 add_trusted_domains( d );
517 TALLOC_FREE( dom_list );
522 /*********************************************************************
523 The process of updating the trusted domain list is a three step
526 (b) ask the root domain in our forest
527 (c) ask the a DC in any Win2003 trusted forests
528 *********************************************************************/
530 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
531 struct timeval now, void *private_data)
535 /* I use to clear the cache here and start over but that
536 caused problems in child processes that needed the
537 trust dom list early on. Removing it means we
538 could have some trusted domains listed that have been
539 removed from our primary domain's DC until a full
540 restart. This should be ok since I think this is what
541 Windows does as well. */
543 /* this will only add new domains we didn't already know about
544 in the domain_list()*/
546 add_trusted_domains( find_our_domain() );
548 te = tevent_add_timer(
549 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
550 rescan_trusted_domains, NULL);
552 * If te == NULL, there's not much we can do here. Don't fail, the
553 * only thing we miss is new trusted domains.
559 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
560 struct winbindd_cli_state *state)
562 /* Ensure null termination */
563 state->request->domain_name
564 [sizeof(state->request->domain_name)-1]='\0';
565 state->request->data.init_conn.dcname
566 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
568 if (strlen(state->request->data.init_conn.dcname) > 0) {
569 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
572 if (domain->internal) {
573 domain->initialized = true;
575 init_dc_connection(domain);
578 if (!domain->initialized) {
579 /* If we return error here we can't do any cached authentication,
580 but we may be in disconnected mode and can't initialize correctly.
581 Do what the previous code did and just return without initialization,
582 once we go online we'll re-initialize.
584 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
585 "online = %d\n", domain->name, (int)domain->online ));
588 fstrcpy(state->response->data.domain_info.name, domain->name);
589 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
590 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
592 state->response->data.domain_info.native_mode
593 = domain->native_mode;
594 state->response->data.domain_info.active_directory
595 = domain->active_directory;
596 state->response->data.domain_info.primary
602 /* Look up global info for the winbind daemon */
603 bool init_domain_list(void)
605 struct winbindd_domain *domain;
606 int role = lp_server_role();
608 /* Free existing list */
613 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
614 &global_sid_Builtin);
616 setup_domain_child(domain,
622 domain = add_trusted_domain(get_global_sam_name(), NULL,
623 &sam_passdb_methods, get_global_sam_sid());
625 if ( role != ROLE_DOMAIN_MEMBER ) {
626 domain->primary = True;
628 setup_domain_child(domain,
632 /* Add ourselves as the first entry. */
634 if ( role == ROLE_DOMAIN_MEMBER ) {
637 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
638 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
642 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
643 &cache_methods, &our_sid);
645 domain->primary = True;
646 setup_domain_child(domain,
649 /* Even in the parent winbindd we'll need to
650 talk to the DC, so try and see if we can
651 contact it. Theoretically this isn't neccessary
652 as the init_dc_connection() in init_child_recv()
653 will do this, but we can start detecting the DC
655 set_domain_online_request(domain);
662 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
664 struct winbindd_domain *domain;
668 /* Check if we even care */
670 if (!lp_allow_trusted_domains())
673 domain = find_domain_from_name_noinit( name );
677 sid_copy( &dom_sid, user_sid );
678 if ( !sid_split_rid( &dom_sid, &rid ) )
681 /* add the newly discovered trusted domain */
683 domain = add_trusted_domain( name, NULL, &cache_methods,
689 /* assume this is a trust from a one-way transitive
692 domain->active_directory = True;
693 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
694 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
695 domain->internal = False;
696 domain->online = True;
698 setup_domain_child(domain,
701 wcache_tdc_add_domain( domain );
707 * Given a domain name, return the struct winbindd domain info for it
709 * @note Do *not* pass lp_workgroup() to this function. domain_list
710 * may modify it's value, and free that pointer. Instead, our local
711 * domain may be found by calling find_our_domain().
715 * @return The domain structure for the named domain, if it is working.
718 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
720 struct winbindd_domain *domain;
722 /* Search through list */
724 for (domain = domain_list(); domain != NULL; domain = domain->next) {
725 if (strequal(domain_name, domain->name) ||
726 (domain->alt_name[0] &&
727 strequal(domain_name, domain->alt_name))) {
737 struct winbindd_domain *find_domain_from_name(const char *domain_name)
739 struct winbindd_domain *domain;
741 domain = find_domain_from_name_noinit(domain_name);
746 if (!domain->initialized)
747 init_dc_connection(domain);
752 /* Given a domain sid, return the struct winbindd domain info for it */
754 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
756 struct winbindd_domain *domain;
758 /* Search through list */
760 for (domain = domain_list(); domain != NULL; domain = domain->next) {
761 if (sid_compare_domain(sid, &domain->sid) == 0)
770 /* Given a domain sid, return the struct winbindd domain info for it */
772 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
774 struct winbindd_domain *domain;
776 domain = find_domain_from_sid_noinit(sid);
781 if (!domain->initialized)
782 init_dc_connection(domain);
787 struct winbindd_domain *find_our_domain(void)
789 struct winbindd_domain *domain;
791 /* Search through list */
793 for (domain = domain_list(); domain != NULL; domain = domain->next) {
798 smb_panic("Could not find our domain");
802 struct winbindd_domain *find_root_domain(void)
804 struct winbindd_domain *ours = find_our_domain();
809 if ( strlen(ours->forest_name) == 0 )
812 return find_domain_from_name( ours->forest_name );
815 struct winbindd_domain *find_builtin_domain(void)
818 struct winbindd_domain *domain;
820 string_to_sid(&sid, "S-1-5-32");
821 domain = find_domain_from_sid(&sid);
823 if (domain == NULL) {
824 smb_panic("Could not find BUILTIN domain");
830 /* Find the appropriate domain to lookup a name or SID */
832 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
834 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
836 if ( sid_check_is_in_unix_groups(sid) ||
837 sid_check_is_unix_groups(sid) ||
838 sid_check_is_in_unix_users(sid) ||
839 sid_check_is_unix_users(sid) )
841 return find_domain_from_sid(get_global_sam_sid());
844 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
845 * one to contact the external DC's. On member servers the internal
846 * domains are different: These are part of the local SAM. */
848 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
850 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
851 DEBUG(10, ("calling find_domain_from_sid\n"));
852 return find_domain_from_sid(sid);
855 /* On a member server a query for SID or name can always go to our
858 DEBUG(10, ("calling find_our_domain\n"));
859 return find_our_domain();
862 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
864 if ( strequal(domain_name, unix_users_domain_name() ) ||
865 strequal(domain_name, unix_groups_domain_name() ) )
868 * The "Unix User" and "Unix Group" domain our handled by
871 return find_domain_from_name_noinit( get_global_sam_name() );
874 if (IS_DC || strequal(domain_name, "BUILTIN") ||
875 strequal(domain_name, get_global_sam_name()))
876 return find_domain_from_name_noinit(domain_name);
879 return find_our_domain();
882 /* Lookup a sid in a domain from a name */
884 bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
885 enum winbindd_cmd orig_cmd,
886 struct winbindd_domain *domain,
887 const char *domain_name,
888 const char *name, DOM_SID *sid,
889 enum lsa_SidType *type)
894 * For all but LOOKUPNAME we have to avoid nss calls to avoid
897 result = domain->methods->name_to_sid(
898 domain, mem_ctx, domain_name, name,
899 orig_cmd == WINBINDD_LOOKUPNAME ? 0 : LOOKUP_NAME_NO_NSS,
902 /* Return sid and type if lookup successful */
903 if (!NT_STATUS_IS_OK(result)) {
904 *type = SID_NAME_UNKNOWN;
907 return NT_STATUS_IS_OK(result);
911 * @brief Lookup a name in a domain from a sid.
913 * @param sid Security ID you want to look up.
914 * @param name On success, set to the name corresponding to @p sid.
915 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
916 * @param type On success, contains the type of name: alias, group or
918 * @retval True if the name exists, in which case @p name and @p type
919 * are set, otherwise False.
921 bool winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
922 struct winbindd_domain *domain,
926 enum lsa_SidType *type)
935 result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
937 /* Return name and type if successful */
939 if (NT_STATUS_IS_OK(result)) {
943 *type = SID_NAME_UNKNOWN;
948 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
950 void free_getent_state(struct getent_state *state)
952 struct getent_state *temp;
954 /* Iterate over state list */
958 while(temp != NULL) {
959 struct getent_state *next = temp->next;
961 /* Free sam entries then list entry */
963 SAFE_FREE(state->sam_entries);
964 DLIST_REMOVE(state, state);
971 /* Is this a domain which we may assume no DOMAIN\ prefix? */
973 static bool assume_domain(const char *domain)
975 /* never assume the domain on a standalone server */
977 if ( lp_server_role() == ROLE_STANDALONE )
980 /* domain member servers may possibly assume for the domain name */
982 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
983 if ( !strequal(lp_workgroup(), domain) )
986 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
990 /* only left with a domain controller */
992 if ( strequal(get_global_sam_name(), domain) ) {
999 /* Parse a string of the form DOMAIN\user into a domain and a user */
1001 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1003 char *p = strchr(domuser,*lp_winbind_separator());
1006 fstrcpy(user, domuser);
1008 if ( assume_domain(lp_workgroup())) {
1009 fstrcpy(domain, lp_workgroup());
1010 } else if ((p = strchr(domuser, '@')) != NULL) {
1011 fstrcpy(domain, p + 1);
1012 user[PTR_DIFF(p, domuser)] = 0;
1018 fstrcpy(domain, domuser);
1019 domain[PTR_DIFF(p, domuser)] = 0;
1027 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1028 char **domain, char **user)
1030 fstring fstr_domain, fstr_user;
1031 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1034 *domain = talloc_strdup(mem_ctx, fstr_domain);
1035 *user = talloc_strdup(mem_ctx, fstr_user);
1036 return ((*domain != NULL) && (*user != NULL));
1039 /* add a domain user name to a buffer */
1040 void parse_add_domuser(void *buf, char *domuser, int *len)
1046 p = strchr(domuser, *lp_winbind_separator());
1050 fstrcpy(domain, domuser);
1051 domain[PTR_DIFF(p, domuser)] = 0;
1054 if (assume_domain(domain)) {
1057 *len -= (PTR_DIFF(p, domuser));
1061 safe_strcpy((char *)buf, user, *len);
1064 /* Ensure an incoming username from NSS is fully qualified. Replace the
1065 incoming fstring with DOMAIN <separator> user. Returns the same
1066 values as parse_domain_user() but also replaces the incoming username.
1067 Used to ensure all names are fully qualified within winbindd.
1068 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1069 The protocol definitions of auth_crap, chng_pswd_auth_crap
1070 really should be changed to use this instead of doing things
1073 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1075 if (!parse_domain_user(username_inout, domain, user)) {
1078 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1079 domain, *lp_winbind_separator(),
1085 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1086 'winbind separator' options.
1088 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1091 If we are a PDC or BDC, and this is for our domain, do likewise.
1093 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1094 username is then unqualified in unix
1096 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1098 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1102 fstrcpy(tmp_user, user);
1103 strlower_m(tmp_user);
1105 if (can_assume && assume_domain(domain)) {
1106 strlcpy(name, tmp_user, sizeof(fstring));
1108 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1109 domain, *lp_winbind_separator(),
1115 * talloc version of fill_domain_username()
1116 * return NULL on talloc failure.
1118 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1123 char *tmp_user, *name;
1125 tmp_user = talloc_strdup(mem_ctx, user);
1126 strlower_m(tmp_user);
1128 if (can_assume && assume_domain(domain)) {
1131 name = talloc_asprintf(mem_ctx, "%s%c%s",
1133 *lp_winbind_separator(),
1135 TALLOC_FREE(tmp_user);
1142 * Winbindd socket accessor functions
1145 const char *get_winbind_pipe_dir(void)
1147 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1150 char *get_winbind_priv_pipe_dir(void)
1152 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1155 /* Open the winbindd socket */
1157 static int _winbindd_socket = -1;
1158 static int _winbindd_priv_socket = -1;
1160 int open_winbindd_socket(void)
1162 if (_winbindd_socket == -1) {
1163 _winbindd_socket = create_pipe_sock(
1164 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1165 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1169 return _winbindd_socket;
1172 int open_winbindd_priv_socket(void)
1174 if (_winbindd_priv_socket == -1) {
1175 _winbindd_priv_socket = create_pipe_sock(
1176 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1177 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1178 _winbindd_priv_socket));
1181 return _winbindd_priv_socket;
1185 * Client list accessor functions
1188 static struct winbindd_cli_state *_client_list;
1189 static int _num_clients;
1191 /* Return list of all connected clients */
1193 struct winbindd_cli_state *winbindd_client_list(void)
1195 return _client_list;
1198 /* Add a connection to the list */
1200 void winbindd_add_client(struct winbindd_cli_state *cli)
1202 DLIST_ADD(_client_list, cli);
1206 /* Remove a client from the list */
1208 void winbindd_remove_client(struct winbindd_cli_state *cli)
1210 DLIST_REMOVE(_client_list, cli);
1214 /* Close all open clients */
1216 void winbindd_kill_all_clients(void)
1218 struct winbindd_cli_state *cl = winbindd_client_list();
1220 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1223 struct winbindd_cli_state *next;
1226 winbindd_remove_client(cl);
1231 /* Return number of open clients */
1233 int winbindd_num_clients(void)
1235 return _num_clients;
1238 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1239 TALLOC_CTX *mem_ctx,
1240 const DOM_SID *user_sid,
1241 uint32 *p_num_groups, DOM_SID **user_sids)
1243 struct netr_SamInfo3 *info3 = NULL;
1244 NTSTATUS status = NT_STATUS_NO_MEMORY;
1245 size_t num_groups = 0;
1247 DEBUG(3,(": lookup_usergroups_cached\n"));
1252 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1254 if (info3 == NULL) {
1255 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1258 if (info3->base.groups.count == 0) {
1260 return NT_STATUS_UNSUCCESSFUL;
1263 /* Skip Domain local groups outside our domain.
1264 We'll get these from the getsidaliases() RPC call. */
1265 status = sid_array_from_info3(mem_ctx, info3,
1270 if (!NT_STATUS_IS_OK(status)) {
1276 *p_num_groups = num_groups;
1277 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1279 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1284 /*********************************************************************
1285 We use this to remove spaces from user and group names
1286 ********************************************************************/
1288 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1289 struct winbindd_domain *domain,
1295 if (!name || !normalized) {
1296 return NT_STATUS_INVALID_PARAMETER;
1299 if (!lp_winbind_normalize_names()) {
1300 return NT_STATUS_PROCEDURE_NOT_FOUND;
1303 /* Alias support and whitespace replacement are mutually
1306 nt_status = resolve_username_to_alias(mem_ctx, domain,
1308 if (NT_STATUS_IS_OK(nt_status)) {
1309 /* special return code to let the caller know we
1310 mapped to an alias */
1311 return NT_STATUS_FILE_RENAMED;
1314 /* check for an unreachable domain */
1316 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1317 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1319 set_domain_offline(domain);
1323 /* deal with whitespace */
1325 *normalized = talloc_strdup(mem_ctx, name);
1326 if (!(*normalized)) {
1327 return NT_STATUS_NO_MEMORY;
1330 all_string_sub( *normalized, " ", "_", 0 );
1332 return NT_STATUS_OK;
1335 /*********************************************************************
1336 We use this to do the inverse of normalize_name_map()
1337 ********************************************************************/
1339 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1344 struct winbindd_domain *domain = find_our_domain();
1346 if (!name || !normalized) {
1347 return NT_STATUS_INVALID_PARAMETER;
1350 if (!lp_winbind_normalize_names()) {
1351 return NT_STATUS_PROCEDURE_NOT_FOUND;
1354 /* Alias support and whitespace replacement are mutally
1357 /* When mapping from an alias to a username, we don't know the
1358 domain. But we only need a domain structure to cache
1359 a successful lookup , so just our own domain structure for
1362 nt_status = resolve_alias_to_username(mem_ctx, domain,
1364 if (NT_STATUS_IS_OK(nt_status)) {
1365 /* Special return code to let the caller know we mapped
1367 return NT_STATUS_FILE_RENAMED;
1370 /* check for an unreachable domain */
1372 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1373 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1375 set_domain_offline(domain);
1379 /* deal with whitespace */
1381 *normalized = talloc_strdup(mem_ctx, name);
1382 if (!(*normalized)) {
1383 return NT_STATUS_NO_MEMORY;
1386 all_string_sub(*normalized, "_", " ", 0);
1388 return NT_STATUS_OK;
1391 /*********************************************************************
1392 ********************************************************************/
1394 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1396 struct winbindd_tdc_domain *tdc = NULL;
1397 TALLOC_CTX *frame = talloc_stackframe();
1400 /* We can contact the domain if it is our primary domain */
1402 if (domain->primary) {
1406 /* Trust the TDC cache and not the winbindd_domain flags */
1408 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1409 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1414 /* Can always contact a domain that is in out forest */
1416 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1422 * On a _member_ server, we cannot contact the domain if it
1423 * is running AD and we have no inbound trust.
1427 domain->active_directory &&
1428 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1430 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1431 "and we have no inbound trust.\n", domain->name));
1435 /* Assume everything else is ok (probably not true but what
1441 talloc_destroy(frame);
1446 /*********************************************************************
1447 ********************************************************************/
1449 bool winbindd_internal_child(struct winbindd_child *child)
1451 if ((child == idmap_child()) || (child == locator_child())) {
1458 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1460 /*********************************************************************
1461 ********************************************************************/
1463 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1466 char addr[INET6_ADDRSTRLEN];
1467 const char *kdc = NULL;
1470 if (!domain || !domain->alt_name || !*domain->alt_name) {
1474 if (domain->initialized && !domain->active_directory) {
1475 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1480 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1483 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1485 kdc = domain->dcname;
1488 if (!kdc || !*kdc) {
1489 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1494 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1495 domain->alt_name) == -1) {
1499 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1502 setenv(var, kdc, 1);
1506 /*********************************************************************
1507 ********************************************************************/
1509 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1511 struct winbindd_domain *our_dom = find_our_domain();
1513 winbindd_set_locator_kdc_env(domain);
1515 if (domain != our_dom) {
1516 winbindd_set_locator_kdc_env(our_dom);
1520 /*********************************************************************
1521 ********************************************************************/
1523 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1527 if (!domain || !domain->alt_name || !*domain->alt_name) {
1531 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1532 domain->alt_name) == -1) {
1541 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1546 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1551 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1553 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1555 resp->data.auth.nt_status = NT_STATUS_V(result);
1556 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1558 /* we might have given a more useful error above */
1559 if (*resp->data.auth.error_string == '\0')
1560 fstrcpy(resp->data.auth.error_string,
1561 get_friendly_nt_error_msg(result));
1562 resp->data.auth.pam_error = nt_status_to_pam(result);