2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
29 #define DBGC_CLASS DBGC_WINBIND
31 extern struct winbindd_methods cache_methods;
34 * @file winbindd_util.cq
36 * Winbind daemon for NT domain authentication nss module.
40 /* The list of trusted domains. Note that the list can be deleted and
41 recreated using the init_domain_list() function so pointers to
42 individual winbindd_domain structures cannot be made. Keep a copy of
43 the domain name instead. */
45 static struct winbindd_domain *_domain_list = NULL;
47 struct winbindd_domain *domain_list(void)
51 if ((!_domain_list) && (!init_domain_list())) {
52 smb_panic("Init_domain_list failed");
58 /* Free all entries in the trusted domain list */
60 static void free_domain_list(void)
62 struct winbindd_domain *domain = _domain_list;
65 struct winbindd_domain *next = domain->next;
67 DLIST_REMOVE(_domain_list, domain);
73 static bool is_internal_domain(const struct dom_sid *sid)
78 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
81 static bool is_in_internal_domain(const struct dom_sid *sid)
86 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
90 /* Add a trusted domain to our list of domains */
91 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
92 struct winbindd_methods *methods,
93 const struct dom_sid *sid)
95 struct winbindd_domain *domain;
96 const char *alternative_name = NULL;
97 char *idmap_config_option;
99 const char **ignored_domains, **dom;
101 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
102 for (dom=ignored_domains; dom && *dom; dom++) {
103 if (gen_fnmatch(*dom, domain_name) == 0) {
104 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
109 /* ignore alt_name if we are not in an AD domain */
111 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
112 alternative_name = alt_name;
115 /* We can't call domain_list() as this function is called from
116 init_domain_list() and we'll get stuck in a loop. */
117 for (domain = _domain_list; domain; domain = domain->next) {
118 if (strequal(domain_name, domain->name) ||
119 strequal(domain_name, domain->alt_name))
124 if (alternative_name && *alternative_name)
126 if (strequal(alternative_name, domain->name) ||
127 strequal(alternative_name, domain->alt_name))
135 if (is_null_sid(sid)) {
139 if (dom_sid_equal(sid, &domain->sid)) {
145 if (domain != NULL) {
147 * We found a match. Possibly update the SID
150 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
151 sid_copy( &domain->sid, sid );
156 /* Create new domain entry */
158 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
163 ZERO_STRUCTP(domain);
165 fstrcpy(domain->name, domain_name);
166 if (alternative_name) {
167 fstrcpy(domain->alt_name, alternative_name);
170 domain->methods = methods;
171 domain->backend = NULL;
172 domain->internal = is_internal_domain(sid);
173 domain->sequence_number = DOM_SEQUENCE_NONE;
174 domain->last_seq_check = 0;
175 domain->initialized = False;
176 domain->online = is_internal_domain(sid);
177 domain->check_online_timeout = 0;
178 domain->dc_probe_pid = (pid_t)-1;
180 sid_copy(&domain->sid, sid);
183 /* Link to domain list */
184 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
186 wcache_tdc_add_domain( domain );
188 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
190 if (idmap_config_option == NULL) {
191 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
195 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
197 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
198 param ? param : "not defined"));
201 unsigned low_id, high_id;
202 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
203 DEBUG(1, ("invalid range syntax in %s: %s\n",
204 idmap_config_option, param));
207 if (low_id > high_id) {
208 DEBUG(1, ("invalid range in %s: %s\n",
209 idmap_config_option, param));
212 domain->have_idmap_config = true;
213 domain->id_range_low = low_id;
214 domain->id_range_high = high_id;
219 DEBUG(2,("Added domain %s %s %s\n",
220 domain->name, domain->alt_name,
221 &domain->sid?sid_string_dbg(&domain->sid):""));
226 bool domain_is_forest_root(const struct winbindd_domain *domain)
228 const uint32_t fr_flags =
229 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
231 return ((domain->domain_flags & fr_flags) == fr_flags);
234 /********************************************************************
235 rescan our domains looking for new trusted domains
236 ********************************************************************/
238 struct trustdom_state {
239 struct winbindd_domain *domain;
240 struct winbindd_request request;
243 static void trustdom_list_done(struct tevent_req *req);
244 static void rescan_forest_root_trusts( void );
245 static void rescan_forest_trusts( void );
247 static void add_trusted_domains( struct winbindd_domain *domain )
249 struct trustdom_state *state;
250 struct tevent_req *req;
252 state = TALLOC_ZERO_P(NULL, struct trustdom_state);
254 DEBUG(0, ("talloc failed\n"));
257 state->domain = domain;
259 state->request.length = sizeof(state->request);
260 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
262 req = wb_domain_request_send(state, winbind_event_context(),
263 domain, &state->request);
265 DEBUG(1, ("wb_domain_request_send failed\n"));
269 tevent_req_set_callback(req, trustdom_list_done, state);
272 static void trustdom_list_done(struct tevent_req *req)
274 struct trustdom_state *state = tevent_req_callback_data(
275 req, struct trustdom_state);
276 struct winbindd_response *response;
280 res = wb_domain_request_recv(req, state, &response, &err);
281 if ((res == -1) || (response->result != WINBINDD_OK)) {
282 DEBUG(1, ("Could not receive trustdoms\n"));
287 p = (char *)response->extra_data.data;
289 while ((p != NULL) && (*p != '\0')) {
290 char *q, *sidstr, *alt_name;
292 struct winbindd_domain *domain;
293 char *alternate_name = NULL;
295 alt_name = strchr(p, '\\');
296 if (alt_name == NULL) {
297 DEBUG(0, ("Got invalid trustdom response\n"));
304 sidstr = strchr(alt_name, '\\');
305 if (sidstr == NULL) {
306 DEBUG(0, ("Got invalid trustdom response\n"));
313 q = strchr(sidstr, '\n');
317 if (!string_to_sid(&sid, sidstr)) {
318 DEBUG(0, ("Got invalid trustdom response\n"));
322 /* use the real alt_name if we have one, else pass in NULL */
324 if ( !strequal( alt_name, "(null)" ) )
325 alternate_name = alt_name;
327 /* If we have an existing domain structure, calling
328 add_trusted_domain() will update the SID if
329 necessary. This is important because we need the
330 SID for sibling domains */
332 if ( find_domain_from_name_noinit(p) != NULL ) {
333 domain = add_trusted_domain(p, alternate_name,
337 domain = add_trusted_domain(p, alternate_name,
341 setup_domain_child(domain);
350 Cases to consider when scanning trusts:
351 (a) we are calling from a child domain (primary && !forest_root)
352 (b) we are calling from the root of the forest (primary && forest_root)
353 (c) we are calling from a trusted forest domain (!primary
357 if (state->domain->primary) {
358 /* If this is our primary domain and we are not in the
359 forest root, we have to scan the root trusts first */
361 if (!domain_is_forest_root(state->domain))
362 rescan_forest_root_trusts();
364 rescan_forest_trusts();
366 } else if (domain_is_forest_root(state->domain)) {
367 /* Once we have done root forest trust search, we can
368 go on to search the trusted forests */
370 rescan_forest_trusts();
378 /********************************************************************
379 Scan the trusts of our forest root
380 ********************************************************************/
382 static void rescan_forest_root_trusts( void )
384 struct winbindd_tdc_domain *dom_list = NULL;
385 size_t num_trusts = 0;
388 /* The only transitive trusts supported by Windows 2003 AD are
389 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
390 first two are handled in forest and listed by
391 DsEnumerateDomainTrusts(). Forest trusts are not so we
392 have to do that ourselves. */
394 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
397 for ( i=0; i<num_trusts; i++ ) {
398 struct winbindd_domain *d = NULL;
400 /* Find the forest root. Don't necessarily trust
401 the domain_list() as our primary domain may not
402 have been initialized. */
404 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
408 /* Here's the forest root */
410 d = find_domain_from_name_noinit( dom_list[i].domain_name );
413 d = add_trusted_domain( dom_list[i].domain_name,
414 dom_list[i].dns_name,
418 setup_domain_child(d);
426 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
427 "for domain tree root %s (%s)\n",
428 d->name, d->alt_name ));
430 d->domain_flags = dom_list[i].trust_flags;
431 d->domain_type = dom_list[i].trust_type;
432 d->domain_trust_attribs = dom_list[i].trust_attribs;
434 add_trusted_domains( d );
439 TALLOC_FREE( dom_list );
444 /********************************************************************
445 scan the transitive forest trusts (not our own)
446 ********************************************************************/
449 static void rescan_forest_trusts( void )
451 struct winbindd_domain *d = NULL;
452 struct winbindd_tdc_domain *dom_list = NULL;
453 size_t num_trusts = 0;
456 /* The only transitive trusts supported by Windows 2003 AD are
457 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
458 first two are handled in forest and listed by
459 DsEnumerateDomainTrusts(). Forest trusts are not so we
460 have to do that ourselves. */
462 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
465 for ( i=0; i<num_trusts; i++ ) {
466 uint32 flags = dom_list[i].trust_flags;
467 uint32 type = dom_list[i].trust_type;
468 uint32 attribs = dom_list[i].trust_attribs;
470 d = find_domain_from_name_noinit( dom_list[i].domain_name );
472 /* ignore our primary and internal domains */
474 if ( d && (d->internal || d->primary ) )
477 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
478 (type == NETR_TRUST_TYPE_UPLEVEL) &&
479 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
481 /* add the trusted domain if we don't know
485 d = add_trusted_domain( dom_list[i].domain_name,
486 dom_list[i].dns_name,
490 setup_domain_child(d);
498 DEBUG(10,("Following trust path for domain %s (%s)\n",
499 d->name, d->alt_name ));
500 add_trusted_domains( d );
504 TALLOC_FREE( dom_list );
509 /*********************************************************************
510 The process of updating the trusted domain list is a three step
513 (b) ask the root domain in our forest
514 (c) ask the a DC in any Win2003 trusted forests
515 *********************************************************************/
517 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
518 struct timeval now, void *private_data)
522 /* I use to clear the cache here and start over but that
523 caused problems in child processes that needed the
524 trust dom list early on. Removing it means we
525 could have some trusted domains listed that have been
526 removed from our primary domain's DC until a full
527 restart. This should be ok since I think this is what
528 Windows does as well. */
530 /* this will only add new domains we didn't already know about
531 in the domain_list()*/
533 add_trusted_domains( find_our_domain() );
535 te = tevent_add_timer(
536 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
537 rescan_trusted_domains, NULL);
539 * If te == NULL, there's not much we can do here. Don't fail, the
540 * only thing we miss is new trusted domains.
546 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
547 struct winbindd_cli_state *state)
549 /* Ensure null termination */
550 state->request->domain_name
551 [sizeof(state->request->domain_name)-1]='\0';
552 state->request->data.init_conn.dcname
553 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
555 if (strlen(state->request->data.init_conn.dcname) > 0) {
556 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
559 if (domain->internal) {
560 domain->initialized = true;
562 init_dc_connection(domain);
565 if (!domain->initialized) {
566 /* If we return error here we can't do any cached authentication,
567 but we may be in disconnected mode and can't initialize correctly.
568 Do what the previous code did and just return without initialization,
569 once we go online we'll re-initialize.
571 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
572 "online = %d\n", domain->name, (int)domain->online ));
575 fstrcpy(state->response->data.domain_info.name, domain->name);
576 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
577 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
579 state->response->data.domain_info.native_mode
580 = domain->native_mode;
581 state->response->data.domain_info.active_directory
582 = domain->active_directory;
583 state->response->data.domain_info.primary
589 /* Look up global info for the winbind daemon */
590 bool init_domain_list(void)
592 struct winbindd_domain *domain;
593 int role = lp_server_role();
595 /* Free existing list */
600 domain = add_trusted_domain("BUILTIN", NULL, &cache_methods,
601 &global_sid_Builtin);
603 setup_domain_child(domain);
608 domain = add_trusted_domain(get_global_sam_name(), NULL,
609 &cache_methods, get_global_sam_sid());
611 if ( role != ROLE_DOMAIN_MEMBER ) {
612 domain->primary = True;
614 setup_domain_child(domain);
617 /* Add ourselves as the first entry. */
619 if ( role == ROLE_DOMAIN_MEMBER ) {
620 struct dom_sid our_sid;
622 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
623 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
627 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
628 &cache_methods, &our_sid);
630 domain->primary = True;
631 setup_domain_child(domain);
633 /* Even in the parent winbindd we'll need to
634 talk to the DC, so try and see if we can
635 contact it. Theoretically this isn't neccessary
636 as the init_dc_connection() in init_child_recv()
637 will do this, but we can start detecting the DC
639 set_domain_online_request(domain);
646 void check_domain_trusted( const char *name, const struct dom_sid *user_sid )
648 struct winbindd_domain *domain;
649 struct dom_sid dom_sid;
652 /* Check if we even care */
654 if (!lp_allow_trusted_domains())
657 domain = find_domain_from_name_noinit( name );
661 sid_copy( &dom_sid, user_sid );
662 if ( !sid_split_rid( &dom_sid, &rid ) )
665 /* add the newly discovered trusted domain */
667 domain = add_trusted_domain( name, NULL, &cache_methods,
673 /* assume this is a trust from a one-way transitive
676 domain->active_directory = True;
677 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
678 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
679 domain->internal = False;
680 domain->online = True;
682 setup_domain_child(domain);
684 wcache_tdc_add_domain( domain );
690 * Given a domain name, return the struct winbindd domain info for it
692 * @note Do *not* pass lp_workgroup() to this function. domain_list
693 * may modify it's value, and free that pointer. Instead, our local
694 * domain may be found by calling find_our_domain().
698 * @return The domain structure for the named domain, if it is working.
701 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
703 struct winbindd_domain *domain;
705 /* Search through list */
707 for (domain = domain_list(); domain != NULL; domain = domain->next) {
708 if (strequal(domain_name, domain->name) ||
709 (domain->alt_name[0] &&
710 strequal(domain_name, domain->alt_name))) {
720 struct winbindd_domain *find_domain_from_name(const char *domain_name)
722 struct winbindd_domain *domain;
724 domain = find_domain_from_name_noinit(domain_name);
729 if (!domain->initialized)
730 init_dc_connection(domain);
735 /* Given a domain sid, return the struct winbindd domain info for it */
737 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
739 struct winbindd_domain *domain;
741 /* Search through list */
743 for (domain = domain_list(); domain != NULL; domain = domain->next) {
744 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
753 /* Given a domain sid, return the struct winbindd domain info for it */
755 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
757 struct winbindd_domain *domain;
759 domain = find_domain_from_sid_noinit(sid);
764 if (!domain->initialized)
765 init_dc_connection(domain);
770 struct winbindd_domain *find_our_domain(void)
772 struct winbindd_domain *domain;
774 /* Search through list */
776 for (domain = domain_list(); domain != NULL; domain = domain->next) {
781 smb_panic("Could not find our domain");
785 struct winbindd_domain *find_root_domain(void)
787 struct winbindd_domain *ours = find_our_domain();
789 if (ours->forest_name[0] == '\0') {
793 return find_domain_from_name( ours->forest_name );
796 struct winbindd_domain *find_builtin_domain(void)
798 struct winbindd_domain *domain;
800 domain = find_domain_from_sid(&global_sid_Builtin);
801 if (domain == NULL) {
802 smb_panic("Could not find BUILTIN domain");
808 /* Find the appropriate domain to lookup a name or SID */
810 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
812 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
814 if ( sid_check_is_in_unix_groups(sid) ||
815 sid_check_is_unix_groups(sid) ||
816 sid_check_is_in_unix_users(sid) ||
817 sid_check_is_unix_users(sid) )
819 return find_domain_from_sid(get_global_sam_sid());
822 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
823 * one to contact the external DC's. On member servers the internal
824 * domains are different: These are part of the local SAM. */
826 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
828 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
829 DEBUG(10, ("calling find_domain_from_sid\n"));
830 return find_domain_from_sid(sid);
833 /* On a member server a query for SID or name can always go to our
836 DEBUG(10, ("calling find_our_domain\n"));
837 return find_our_domain();
840 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
842 if ( strequal(domain_name, unix_users_domain_name() ) ||
843 strequal(domain_name, unix_groups_domain_name() ) )
846 * The "Unix User" and "Unix Group" domain our handled by
849 return find_domain_from_name_noinit( get_global_sam_name() );
852 if (IS_DC || strequal(domain_name, "BUILTIN") ||
853 strequal(domain_name, get_global_sam_name()))
854 return find_domain_from_name_noinit(domain_name);
857 return find_our_domain();
860 /* Is this a domain which we may assume no DOMAIN\ prefix? */
862 static bool assume_domain(const char *domain)
864 /* never assume the domain on a standalone server */
866 if ( lp_server_role() == ROLE_STANDALONE )
869 /* domain member servers may possibly assume for the domain name */
871 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
872 if ( !strequal(lp_workgroup(), domain) )
875 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
879 /* only left with a domain controller */
881 if ( strequal(get_global_sam_name(), domain) ) {
888 /* Parse a string of the form DOMAIN\user into a domain and a user */
890 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
892 char *p = strchr(domuser,*lp_winbind_separator());
895 fstrcpy(user, domuser);
897 if ( assume_domain(lp_workgroup())) {
898 fstrcpy(domain, lp_workgroup());
899 } else if ((p = strchr(domuser, '@')) != NULL) {
900 fstrcpy(domain, p + 1);
901 user[PTR_DIFF(p, domuser)] = 0;
907 fstrcpy(domain, domuser);
908 domain[PTR_DIFF(p, domuser)] = 0;
916 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
917 char **domain, char **user)
919 fstring fstr_domain, fstr_user;
920 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
923 *domain = talloc_strdup(mem_ctx, fstr_domain);
924 *user = talloc_strdup(mem_ctx, fstr_user);
925 return ((*domain != NULL) && (*user != NULL));
928 /* add a domain user name to a buffer */
929 void parse_add_domuser(void *buf, char *domuser, int *len)
935 p = strchr(domuser, *lp_winbind_separator());
939 fstrcpy(domain, domuser);
940 domain[PTR_DIFF(p, domuser)] = 0;
943 if (assume_domain(domain)) {
946 *len -= (PTR_DIFF(p, domuser));
950 safe_strcpy((char *)buf, user, *len);
953 /* Ensure an incoming username from NSS is fully qualified. Replace the
954 incoming fstring with DOMAIN <separator> user. Returns the same
955 values as parse_domain_user() but also replaces the incoming username.
956 Used to ensure all names are fully qualified within winbindd.
957 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
958 The protocol definitions of auth_crap, chng_pswd_auth_crap
959 really should be changed to use this instead of doing things
962 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
964 if (!parse_domain_user(username_inout, domain, user)) {
967 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
968 domain, *lp_winbind_separator(),
974 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
975 'winbind separator' options.
977 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
980 If we are a PDC or BDC, and this is for our domain, do likewise.
982 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
983 username is then unqualified in unix
985 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
987 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
991 fstrcpy(tmp_user, user);
992 strlower_m(tmp_user);
994 if (can_assume && assume_domain(domain)) {
995 strlcpy(name, tmp_user, sizeof(fstring));
997 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
998 domain, *lp_winbind_separator(),
1004 * talloc version of fill_domain_username()
1005 * return NULL on talloc failure.
1007 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1012 char *tmp_user, *name;
1014 tmp_user = talloc_strdup(mem_ctx, user);
1015 strlower_m(tmp_user);
1017 if (can_assume && assume_domain(domain)) {
1020 name = talloc_asprintf(mem_ctx, "%s%c%s",
1022 *lp_winbind_separator(),
1024 TALLOC_FREE(tmp_user);
1031 * Client list accessor functions
1034 static struct winbindd_cli_state *_client_list;
1035 static int _num_clients;
1037 /* Return list of all connected clients */
1039 struct winbindd_cli_state *winbindd_client_list(void)
1041 return _client_list;
1044 /* Add a connection to the list */
1046 void winbindd_add_client(struct winbindd_cli_state *cli)
1048 DLIST_ADD(_client_list, cli);
1052 /* Remove a client from the list */
1054 void winbindd_remove_client(struct winbindd_cli_state *cli)
1056 DLIST_REMOVE(_client_list, cli);
1060 /* Return number of open clients */
1062 int winbindd_num_clients(void)
1064 return _num_clients;
1067 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1068 TALLOC_CTX *mem_ctx,
1069 const struct dom_sid *user_sid,
1070 uint32_t *p_num_groups, struct dom_sid **user_sids)
1072 struct netr_SamInfo3 *info3 = NULL;
1073 NTSTATUS status = NT_STATUS_NO_MEMORY;
1074 uint32_t num_groups = 0;
1076 DEBUG(3,(": lookup_usergroups_cached\n"));
1081 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1083 if (info3 == NULL) {
1084 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1087 if (info3->base.groups.count == 0) {
1089 return NT_STATUS_UNSUCCESSFUL;
1092 /* Skip Domain local groups outside our domain.
1093 We'll get these from the getsidaliases() RPC call. */
1094 status = sid_array_from_info3(mem_ctx, info3,
1099 if (!NT_STATUS_IS_OK(status)) {
1105 *p_num_groups = num_groups;
1106 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1108 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1113 /*********************************************************************
1114 We use this to remove spaces from user and group names
1115 ********************************************************************/
1117 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1118 struct winbindd_domain *domain,
1124 if (!name || !normalized) {
1125 return NT_STATUS_INVALID_PARAMETER;
1128 if (!lp_winbind_normalize_names()) {
1129 return NT_STATUS_PROCEDURE_NOT_FOUND;
1132 /* Alias support and whitespace replacement are mutually
1135 nt_status = resolve_username_to_alias(mem_ctx, domain,
1137 if (NT_STATUS_IS_OK(nt_status)) {
1138 /* special return code to let the caller know we
1139 mapped to an alias */
1140 return NT_STATUS_FILE_RENAMED;
1143 /* check for an unreachable domain */
1145 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1146 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1148 set_domain_offline(domain);
1152 /* deal with whitespace */
1154 *normalized = talloc_strdup(mem_ctx, name);
1155 if (!(*normalized)) {
1156 return NT_STATUS_NO_MEMORY;
1159 all_string_sub( *normalized, " ", "_", 0 );
1161 return NT_STATUS_OK;
1164 /*********************************************************************
1165 We use this to do the inverse of normalize_name_map()
1166 ********************************************************************/
1168 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1173 struct winbindd_domain *domain = find_our_domain();
1175 if (!name || !normalized) {
1176 return NT_STATUS_INVALID_PARAMETER;
1179 if (!lp_winbind_normalize_names()) {
1180 return NT_STATUS_PROCEDURE_NOT_FOUND;
1183 /* Alias support and whitespace replacement are mutally
1186 /* When mapping from an alias to a username, we don't know the
1187 domain. But we only need a domain structure to cache
1188 a successful lookup , so just our own domain structure for
1191 nt_status = resolve_alias_to_username(mem_ctx, domain,
1193 if (NT_STATUS_IS_OK(nt_status)) {
1194 /* Special return code to let the caller know we mapped
1196 return NT_STATUS_FILE_RENAMED;
1199 /* check for an unreachable domain */
1201 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1202 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1204 set_domain_offline(domain);
1208 /* deal with whitespace */
1210 *normalized = talloc_strdup(mem_ctx, name);
1211 if (!(*normalized)) {
1212 return NT_STATUS_NO_MEMORY;
1215 all_string_sub(*normalized, "_", " ", 0);
1217 return NT_STATUS_OK;
1220 /*********************************************************************
1221 ********************************************************************/
1223 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1225 struct winbindd_tdc_domain *tdc = NULL;
1226 TALLOC_CTX *frame = talloc_stackframe();
1229 /* We can contact the domain if it is our primary domain */
1231 if (domain->primary) {
1235 /* Trust the TDC cache and not the winbindd_domain flags */
1237 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1238 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1243 /* Can always contact a domain that is in out forest */
1245 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1251 * On a _member_ server, we cannot contact the domain if it
1252 * is running AD and we have no inbound trust.
1256 domain->active_directory &&
1257 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1259 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1260 "and we have no inbound trust.\n", domain->name));
1264 /* Assume everything else is ok (probably not true but what
1270 talloc_destroy(frame);
1275 /*********************************************************************
1276 ********************************************************************/
1278 bool winbindd_internal_child(struct winbindd_child *child)
1280 if ((child == idmap_child()) || (child == locator_child())) {
1287 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1289 /*********************************************************************
1290 ********************************************************************/
1292 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1295 char addr[INET6_ADDRSTRLEN];
1296 const char *kdc = NULL;
1299 if (!domain || !domain->alt_name || !*domain->alt_name) {
1303 if (domain->initialized && !domain->active_directory) {
1304 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1309 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1312 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1314 kdc = domain->dcname;
1317 if (!kdc || !*kdc) {
1318 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1323 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1324 domain->alt_name) == -1) {
1328 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1331 setenv(var, kdc, 1);
1335 /*********************************************************************
1336 ********************************************************************/
1338 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1340 struct winbindd_domain *our_dom = find_our_domain();
1342 winbindd_set_locator_kdc_env(domain);
1344 if (domain != our_dom) {
1345 winbindd_set_locator_kdc_env(our_dom);
1349 /*********************************************************************
1350 ********************************************************************/
1352 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1356 if (!domain || !domain->alt_name || !*domain->alt_name) {
1360 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1361 domain->alt_name) == -1) {
1370 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1375 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1380 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1382 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1384 resp->data.auth.nt_status = NT_STATUS_V(result);
1385 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1387 /* we might have given a more useful error above */
1388 if (*resp->data.auth.error_string == '\0')
1389 fstrcpy(resp->data.auth.error_string,
1390 get_friendly_nt_error_msg(result));
1391 resp->data.auth.pam_error = nt_status_to_pam(result);
1394 bool is_domain_offline(const struct winbindd_domain *domain)
1396 if (!lp_winbind_offline_logon()) {
1399 if (get_global_winbindd_state_offline()) {
1402 return !domain->online;