#include "../libcli/security/security.h"
#include "../libcli/auth/pam_errors.h"
#include "passdb/machine_sid.h"
+#include "passdb.h"
+#include "source4/lib/messaging/messaging.h"
+#include "librpc/gen_ndr/ndr_lsa.h"
+#include "auth/credentials/credentials.h"
+#include "libsmb/samlogon_cache.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
-extern struct winbindd_methods cache_methods;
+static struct winbindd_domain *
+add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc);
/**
- * @file winbindd_util.cq
+ * @file winbindd_util.c
*
* Winbind daemon for NT domain authentication nss module.
**/
struct winbindd_domain *next = domain->next;
DLIST_REMOVE(_domain_list, domain);
- SAFE_FREE(domain);
+ TALLOC_FREE(domain);
domain = next;
}
}
+/**
+ * Iterator for winbindd's domain list.
+ * To be used (e.g.) in tevent based loops.
+ */
+struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
+{
+ if (domain == NULL) {
+ domain = domain_list();
+ } else {
+ domain = domain->next;
+ }
+
+ if ((domain != NULL) &&
+ (lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC) &&
+ sid_check_is_our_sam(&domain->sid))
+ {
+ domain = domain->next;
+ }
+
+ return domain;
+}
+
static bool is_internal_domain(const struct dom_sid *sid)
{
if (sid == NULL)
return False;
- return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
+ return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
}
static bool is_in_internal_domain(const struct dom_sid *sid)
if (sid == NULL)
return False;
- return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
+ return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
}
-/* Add a trusted domain to our list of domains */
-static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
- struct winbindd_methods *methods,
- const struct dom_sid *sid)
+/* Add a trusted domain to our list of domains.
+ If the domain already exists in the list,
+ return it and don't re-initialize. */
+
+static struct winbindd_domain *
+add_trusted_domain(const char *domain_name, const char *alt_name,
+ const struct dom_sid *sid)
+{
+ struct winbindd_tdc_domain tdc;
+
+ ZERO_STRUCT(tdc);
+
+ tdc.domain_name = domain_name;
+ tdc.dns_name = alt_name;
+ if (sid) {
+ sid_copy(&tdc.sid, sid);
+ }
+
+ return add_trusted_domain_from_tdc(&tdc);
+}
+
+/* Add a trusted domain out of a trusted domain cache
+ entry
+*/
+static struct winbindd_domain *
+add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc)
{
struct winbindd_domain *domain;
const char *alternative_name = NULL;
- char *idmap_config_option;
- const char *param;
const char **ignored_domains, **dom;
+ int role = lp_server_role();
+ const char *domain_name = tdc->domain_name;
+ const struct dom_sid *sid = &tdc->sid;
+
+ if (is_null_sid(sid)) {
+ sid = NULL;
+ }
ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
for (dom=ignored_domains; dom && *dom; dom++) {
}
}
- /* ignore alt_name if we are not in an AD domain */
+ /* use alt_name if available to allow DNS lookups */
- if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
- alternative_name = alt_name;
+ if (tdc->dns_name && *tdc->dns_name) {
+ alternative_name = tdc->dns_name;
}
/* We can't call domain_list() as this function is called from
break;
}
- if (alternative_name && *alternative_name)
- {
+ if (alternative_name) {
if (strequal(alternative_name, domain->name) ||
strequal(alternative_name, domain->alt_name))
{
}
}
- if (sid)
- {
- if (is_null_sid(sid)) {
- continue;
- }
-
+ if (sid != NULL) {
if (dom_sid_equal(sid, &domain->sid)) {
break;
}
if (domain != NULL) {
/*
- * We found a match. Possibly update the SID
+ * We found a match on domain->name or
+ * domain->alt_name. Possibly update the SID
+ * if the stored SID was the NULL SID
+ * and return the matching entry.
*/
if ((sid != NULL)
&& dom_sid_equal(&domain->sid, &global_sid_NULL)) {
}
/* Create new domain entry */
-
- if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
+ domain = talloc_zero(NULL, struct winbindd_domain);
+ if (domain == NULL) {
return NULL;
+ }
- /* Fill in fields */
-
- ZERO_STRUCTP(domain);
-
- domain->children = SMB_MALLOC_ARRAY(
- struct winbindd_child, lp_winbind_max_domain_connections());
+ domain->children = talloc_zero_array(domain,
+ struct winbindd_child,
+ lp_winbind_max_domain_connections());
if (domain->children == NULL) {
- SAFE_FREE(domain);
+ TALLOC_FREE(domain);
+ return NULL;
+ }
+
+ domain->name = talloc_strdup(domain, domain_name);
+ if (domain->name == NULL) {
+ TALLOC_FREE(domain);
return NULL;
}
- memset(domain->children, 0,
- sizeof(struct winbindd_child)
- * lp_winbind_max_domain_connections());
- fstrcpy(domain->name, domain_name);
if (alternative_name) {
- fstrcpy(domain->alt_name, alternative_name);
+ domain->alt_name = talloc_strdup(domain, alternative_name);
+ if (domain->alt_name == NULL) {
+ TALLOC_FREE(domain);
+ return NULL;
+ }
}
- domain->methods = methods;
domain->backend = NULL;
domain->internal = is_internal_domain(sid);
domain->sequence_number = DOM_SEQUENCE_NONE;
domain->last_seq_check = 0;
- domain->initialized = False;
+ domain->initialized = false;
domain->online = is_internal_domain(sid);
domain->check_online_timeout = 0;
domain->dc_probe_pid = (pid_t)-1;
- if (sid) {
+ if (sid != NULL) {
sid_copy(&domain->sid, sid);
}
+ domain->domain_flags = tdc->trust_flags;
+ domain->domain_type = tdc->trust_type;
+ domain->domain_trust_attribs = tdc->trust_attribs;
- /* Link to domain list */
- DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
-
- wcache_tdc_add_domain( domain );
-
- idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
- domain->name);
- if (idmap_config_option == NULL) {
- DEBUG(0, ("talloc failed, not looking for idmap config\n"));
- goto done;
+ /* Is this our primary domain ? */
+ if (strequal(domain_name, get_global_sam_name()) &&
+ (role != ROLE_DOMAIN_MEMBER)) {
+ domain->primary = true;
+ } else if (strequal(domain_name, lp_workgroup()) &&
+ (role == ROLE_DOMAIN_MEMBER)) {
+ domain->primary = true;
}
- param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
-
- DEBUG(10, ("%s : range = %s\n", idmap_config_option,
- param ? param : "not defined"));
-
- if (param != NULL) {
- unsigned low_id, high_id;
- if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
- DEBUG(1, ("invalid range syntax in %s: %s\n",
- idmap_config_option, param));
- goto done;
+ if (domain->primary) {
+ if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+ domain->active_directory = true;
}
- if (low_id > high_id) {
- DEBUG(1, ("invalid range in %s: %s\n",
- idmap_config_option, param));
- goto done;
+ if (lp_security() == SEC_ADS) {
+ domain->active_directory = true;
+ }
+ } else if (!domain->internal) {
+ if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) {
+ domain->active_directory = true;
}
- domain->have_idmap_config = true;
- domain->id_range_low = low_id;
- domain->id_range_high = high_id;
}
-done:
+ /* Link to domain list */
+ DLIST_ADD_END(_domain_list, domain);
- DEBUG(2,("Added domain %s %s %s\n",
- domain->name, domain->alt_name,
- &domain->sid?sid_string_dbg(&domain->sid):""));
+ wcache_tdc_add_domain( domain );
+
+ setup_domain_child(domain);
+
+ DEBUG(2,
+ ("Added domain %s %s %s\n", domain->name, domain->alt_name,
+ !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : ""));
return domain;
}
struct trustdom_state *state;
struct tevent_req *req;
- state = TALLOC_ZERO_P(NULL, struct trustdom_state);
+ state = talloc_zero(NULL, struct trustdom_state);
if (state == NULL) {
DEBUG(0, ("talloc failed\n"));
return;
struct winbindd_response *response;
int res, err;
char *p;
+ struct winbindd_tdc_domain trust_params = {0};
+ ptrdiff_t extra_len;
res = wb_domain_request_recv(req, state, &response, &err);
if ((res == -1) || (response->result != WINBINDD_OK)) {
- DEBUG(1, ("Could not receive trustdoms\n"));
+ DBG_WARNING("Could not receive trusts for domain %s\n",
+ state->domain->name);
+ TALLOC_FREE(state);
+ return;
+ }
+
+ if (response->length < sizeof(struct winbindd_response)) {
+ DBG_ERR("ill-formed trustdom response - short length\n");
TALLOC_FREE(state);
return;
}
+ extra_len = response->length - sizeof(struct winbindd_response);
+
p = (char *)response->extra_data.data;
- while ((p != NULL) && (*p != '\0')) {
+ while ((p - (char *)response->extra_data.data) < extra_len) {
char *q, *sidstr, *alt_name;
- struct dom_sid sid;
- struct winbindd_domain *domain;
- char *alternate_name = NULL;
+
+ DBG_DEBUG("parsing response line '%s'\n", p);
+
+ ZERO_STRUCT(trust_params);
+ trust_params.domain_name = p;
alt_name = strchr(p, '\\');
if (alt_name == NULL) {
- DEBUG(0, ("Got invalid trustdom response\n"));
+ DBG_ERR("Got invalid trustdom response\n");
break;
}
sidstr = strchr(alt_name, '\\');
if (sidstr == NULL) {
- DEBUG(0, ("Got invalid trustdom response\n"));
+ DBG_ERR("Got invalid trustdom response\n");
break;
}
*sidstr = '\0';
sidstr += 1;
- q = strchr(sidstr, '\n');
- if (q != NULL)
- *q = '\0';
+ /* use the real alt_name if we have one, else pass in NULL */
+ if (!strequal(alt_name, "(null)")) {
+ trust_params.dns_name = alt_name;
+ }
- if (!string_to_sid(&sid, sidstr)) {
+ q = strtok(sidstr, "\\");
+ if (q == NULL) {
+ DBG_ERR("Got invalid trustdom response\n");
+ break;
+ }
+
+ if (!string_to_sid(&trust_params.sid, sidstr)) {
DEBUG(0, ("Got invalid trustdom response\n"));
break;
}
- /* use the real alt_name if we have one, else pass in NULL */
+ q = strtok(NULL, "\\");
+ if (q == NULL) {
+ DBG_ERR("Got invalid trustdom response\n");
+ break;
+ }
+
+ trust_params.trust_flags = (uint32_t)strtoul(q, NULL, 10);
- if ( !strequal( alt_name, "(null)" ) )
- alternate_name = alt_name;
+ q = strtok(NULL, "\\");
+ if (q == NULL) {
+ DBG_ERR("Got invalid trustdom response\n");
+ break;
+ }
- /* If we have an existing domain structure, calling
- add_trusted_domain() will update the SID if
- necessary. This is important because we need the
- SID for sibling domains */
+ trust_params.trust_type = (uint32_t)strtoul(q, NULL, 10);
- if ( find_domain_from_name_noinit(p) != NULL ) {
- domain = add_trusted_domain(p, alternate_name,
- &cache_methods,
- &sid);
- } else {
- domain = add_trusted_domain(p, alternate_name,
- &cache_methods,
- &sid);
- if (domain) {
- setup_domain_child(domain);
- }
+ q = strtok(NULL, "\n");
+ if (q == NULL) {
+ DBG_ERR("Got invalid trustdom response\n");
+ break;
}
- p=q;
- if (p != NULL)
- p += 1;
+
+ trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
+
+ /*
+ * We always call add_trusted_domain() cause on an existing
+ * domain structure, it will update the SID if necessary.
+ * This is important because we need the SID for sibling
+ * domains.
+ */
+ (void)add_trusted_domain_from_tdc(&trust_params);
+
+ p = q + strlen(q) + 1;
}
/*
d = find_domain_from_name_noinit( dom_list[i].domain_name );
if ( !d ) {
- d = add_trusted_domain( dom_list[i].domain_name,
- dom_list[i].dns_name,
- &cache_methods,
- &dom_list[i].sid );
- if (d != NULL) {
- setup_domain_child(d);
- }
+ d = add_trusted_domain_from_tdc(&dom_list[i]);
}
if (d == NULL) {
return;
for ( i=0; i<num_trusts; i++ ) {
- uint32 flags = dom_list[i].trust_flags;
- uint32 type = dom_list[i].trust_type;
- uint32 attribs = dom_list[i].trust_attribs;
+ uint32_t flags = dom_list[i].trust_flags;
+ uint32_t type = dom_list[i].trust_type;
+ uint32_t attribs = dom_list[i].trust_attribs;
d = find_domain_from_name_noinit( dom_list[i].domain_name );
continue;
if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
- (type == NETR_TRUST_TYPE_UPLEVEL) &&
- (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
+ (type == LSA_TRUST_TYPE_UPLEVEL) &&
+ (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
{
/* add the trusted domain if we don't know
about it */
if ( !d ) {
- d = add_trusted_domain( dom_list[i].domain_name,
- dom_list[i].dns_name,
- &cache_methods,
- &dom_list[i].sid );
- if (d != NULL) {
- setup_domain_child(d);
- }
+ d = add_trusted_domain_from_tdc(&dom_list[i]);
}
if (d == NULL) {
fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
}
- if (domain->internal) {
- domain->initialized = true;
- } else {
- init_dc_connection(domain);
- }
+ init_dc_connection(domain, false);
if (!domain->initialized) {
/* If we return error here we can't do any cached authentication,
return WINBINDD_OK;
}
+static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct lsa_TrustDomainInfoInfoEx info;
+ enum ndr_err_code ndr_err;
+ struct winbindd_domain *d = NULL;
+
+ DEBUG(5, ("wb_imsg_new_trusted_domain\n"));
+
+ if (data == NULL) {
+ TALLOC_FREE(frame);
+ return;
+ }
+
+ ndr_err = ndr_pull_struct_blob_all(data, frame, &info,
+ (ndr_pull_flags_fn_t)ndr_pull_lsa_TrustDomainInfoInfoEx);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ TALLOC_FREE(frame);
+ return;
+ }
+
+ d = find_domain_from_name_noinit(info.netbios_name.string);
+ if (d != NULL) {
+ TALLOC_FREE(frame);
+ return;
+ }
+
+ d = add_trusted_domain(info.netbios_name.string,
+ info.domain_name.string,
+ info.sid);
+ if (d == NULL) {
+ TALLOC_FREE(frame);
+ return;
+ }
+
+ if (d->internal) {
+ TALLOC_FREE(frame);
+ return;
+ }
+
+ if (d->primary) {
+ TALLOC_FREE(frame);
+ return;
+ }
+
+ if (info.trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
+ d->domain_flags |= NETR_TRUST_FLAG_INBOUND;
+ }
+ if (info.trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
+ d->domain_flags |= NETR_TRUST_FLAG_OUTBOUND;
+ }
+ if (info.trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+ d->domain_flags |= NETR_TRUST_FLAG_IN_FOREST;
+ }
+ d->domain_type = info.trust_type;
+ d->domain_trust_attribs = info.trust_attributes;
+
+ TALLOC_FREE(frame);
+}
+
+/*
+ * We did not get the secret when we queried secrets.tdb, so read it
+ * from secrets.tdb and re-sync the databases
+ */
+static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
+{
+ bool ok;
+ struct cli_credentials *creds;
+ NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
+ NULL, domain, &creds);
+ if (!NT_STATUS_IS_OK(can_migrate)) {
+ DEBUG(0, ("Failed to fetch our own, local AD domain join "
+ "password for winbindd's internal use, both from "
+ "secrets.tdb and secrets.ldb: %s\n",
+ nt_errstr(can_migrate)));
+ return false;
+ }
+
+ /*
+ * NOTE: It is very unlikely we end up here if there is an
+ * oldpass, because a new password is created at
+ * classicupgrade, so this is not a concern.
+ */
+ ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
+ NULL /* oldpass */,
+ cli_credentials_get_domain(creds),
+ cli_credentials_get_realm(creds),
+ cli_credentials_get_salt_principal(creds),
+ 0, /* Supported enc types, unused */
+ &domain->sid,
+ cli_credentials_get_password_last_changed_time(creds),
+ cli_credentials_get_secure_channel_type(creds),
+ false /* do_delete: Do not delete */);
+ TALLOC_FREE(creds);
+ if (ok == false) {
+ DEBUG(0, ("Failed to write our our own, "
+ "local AD domain join password for "
+ "winbindd's internal use into secrets.tdb\n"));
+ return false;
+ }
+ return true;
+}
+
/* Look up global info for the winbind daemon */
bool init_domain_list(void)
{
- struct winbindd_domain *domain;
int role = lp_server_role();
+ NTSTATUS status;
/* Free existing list */
free_domain_list();
/* BUILTIN domain */
- domain = add_trusted_domain("BUILTIN", NULL, &cache_methods,
- &global_sid_Builtin);
- if (domain) {
- setup_domain_child(domain);
- }
+ (void)add_trusted_domain("BUILTIN", NULL, &global_sid_Builtin);
/* Local SAM */
- domain = add_trusted_domain(get_global_sam_name(), NULL,
- &cache_methods, get_global_sam_sid());
- if (domain) {
- if ( role != ROLE_DOMAIN_MEMBER ) {
- domain->primary = True;
+ if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
+ struct winbindd_domain *domain;
+ enum netr_SchannelType sec_chan_type;
+ const char *account_name;
+ struct samr_Password current_nt_hash;
+ struct pdb_domain_info *pdb_domain_info;
+ bool ok;
+
+ pdb_domain_info = pdb_get_domain_info(talloc_tos());
+ if (pdb_domain_info == NULL) {
+ DEBUG(0, ("Failed to fetch our own, local AD "
+ "domain info from sam.ldb\n"));
+ return false;
+ }
+ domain = add_trusted_domain(pdb_domain_info->name,
+ pdb_domain_info->dns_domain,
+ &pdb_domain_info->sid);
+ TALLOC_FREE(pdb_domain_info);
+ if (domain == NULL) {
+ DEBUG(0, ("Failed to add our own, local AD "
+ "domain to winbindd's internal list\n"));
+ return false;
}
- setup_domain_child(domain);
- }
+ /*
+ * We need to call this to find out if we are an RODC
+ */
+ ok = get_trust_pw_hash(domain->name,
+ current_nt_hash.hash,
+ &account_name,
+ &sec_chan_type);
+ if (!ok) {
+ /*
+ * If get_trust_pw_hash() fails, then try and
+ * fetch the password from the more recent of
+ * secrets.{ldb,tdb} using the
+ * pdb_get_trust_credentials()
+ */
+ ok = migrate_secrets_tdb_to_ldb(domain);
+
+ if (ok == false) {
+ DEBUG(0, ("Failed to migrate our own, "
+ "local AD domain join password for "
+ "winbindd's internal use into "
+ "secrets.tdb\n"));
+ return false;
+ }
+ ok = get_trust_pw_hash(domain->name,
+ current_nt_hash.hash,
+ &account_name,
+ &sec_chan_type);
+ if (ok == false) {
+ DEBUG(0, ("Failed to find our our own, just "
+ "written local AD domain join "
+ "password for winbindd's internal "
+ "use in secrets.tdb\n"));
+ return false;
+ }
+ }
+ if (sec_chan_type == SEC_CHAN_RODC) {
+ domain->rodc = true;
+ }
+
+ } else {
+ (void)add_trusted_domain(get_global_sam_name(), NULL,
+ get_global_sam_sid());
+ }
/* Add ourselves as the first entry. */
if ( role == ROLE_DOMAIN_MEMBER ) {
+ struct winbindd_domain *domain;
struct dom_sid our_sid;
if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
return False;
}
- domain = add_trusted_domain( lp_workgroup(), lp_realm(),
- &cache_methods, &our_sid);
+ domain = add_trusted_domain(lp_workgroup(), lp_realm(),
+ &our_sid);
if (domain) {
- domain->primary = True;
- setup_domain_child(domain);
-
/* Even in the parent winbindd we'll need to
talk to the DC, so try and see if we can
contact it. Theoretically this isn't neccessary
}
}
+ status = imessaging_register(winbind_imessaging_context(), NULL,
+ MSG_WINBIND_NEW_TRUSTED_DOMAIN,
+ wb_imsg_new_trusted_domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("imessaging_register(MSG_WINBIND_NEW_TRUSTED_DOMAIN) - %s\n",
+ nt_errstr(status)));
+ return false;
+ }
+
return True;
}
for (domain = domain_list(); domain != NULL; domain = domain->next) {
if (strequal(domain_name, domain->name) ||
- (domain->alt_name[0] &&
+ (domain->alt_name != NULL &&
strequal(domain_name, domain->alt_name))) {
return domain;
}
return NULL;
if (!domain->initialized)
- init_dc_connection(domain);
+ init_dc_connection(domain, false);
return domain;
}
return NULL;
if (!domain->initialized)
- init_dc_connection(domain);
+ init_dc_connection(domain, false);
return domain;
}
{
struct winbindd_domain *ours = find_our_domain();
- if (ours->forest_name[0] == '\0') {
+ if (ours->forest_name == NULL) {
return NULL;
}
if ( !p ) {
fstrcpy(user, domuser);
+ p = strchr(domuser, '@');
- if ( assume_domain(lp_workgroup())) {
+ if ( assume_domain(lp_workgroup()) && p == NULL) {
fstrcpy(domain, lp_workgroup());
- } else if ((p = strchr(domuser, '@')) != NULL) {
+ } else if (p != NULL) {
fstrcpy(domain, p + 1);
user[PTR_DIFF(p, domuser)] = 0;
} else {
domain[PTR_DIFF(p, domuser)] = 0;
}
- strupper_m(domain);
-
- return True;
+ return strupper_m(domain);
}
bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
username is then unqualified in unix
+ On an AD DC we always fill DOMAIN\\USERNAME.
+
We always canonicalize as UPPERCASE DOMAIN, lowercase username.
*/
void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
{
fstring tmp_user;
+ if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+ can_assume = false;
+ }
+
fstrcpy(tmp_user, user);
- strlower_m(tmp_user);
+ (void)strlower_m(tmp_user);
if (can_assume && assume_domain(domain)) {
strlcpy(name, tmp_user, sizeof(fstring));
{
char *tmp_user, *name;
+ if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+ can_assume = false;
+ }
+
tmp_user = talloc_strdup(mem_ctx, user);
- strlower_m(tmp_user);
+ if (!strlower_m(tmp_user)) {
+ TALLOC_FREE(tmp_user);
+ return NULL;
+ }
if (can_assume && assume_domain(domain)) {
name = tmp_user;
return _client_list;
}
+/* Return list-tail of all connected clients */
+
+struct winbindd_cli_state *winbindd_client_list_tail(void)
+{
+ return DLIST_TAIL(_client_list);
+}
+
+/* Return previous (read:newer) client in list */
+
+struct winbindd_cli_state *
+winbindd_client_list_prev(struct winbindd_cli_state *cli)
+{
+ return DLIST_PREV(cli);
+}
+
/* Add a connection to the list */
void winbindd_add_client(struct winbindd_cli_state *cli)
{
+ cli->last_access = time(NULL);
DLIST_ADD(_client_list, cli);
_num_clients++;
}
_num_clients--;
}
+/* Move a client to head or list */
+
+void winbindd_promote_client(struct winbindd_cli_state *cli)
+{
+ cli->last_access = time(NULL);
+ DLIST_PROMOTE(_client_list, cli);
+}
+
/* Return number of open clients */
int winbindd_num_clients(void)
return _num_clients;
}
-NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
+NTSTATUS lookup_usergroups_cached(TALLOC_CTX *mem_ctx,
const struct dom_sid *user_sid,
uint32_t *p_num_groups, struct dom_sid **user_sids)
{
*user_sids = NULL;
*p_num_groups = 0;
- if (!winbindd_use_cache()) {
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
- }
-
info3 = netsamlogon_cache_get(mem_ctx, user_sid);
if (info3 == NULL) {
return NT_STATUS_UNSUCCESSFUL;
}
- /* Skip Domain local groups outside our domain.
- We'll get these from the getsidaliases() RPC call. */
+ /*
+ * Before bug #7843 the "Domain Local" groups were added with a
+ * lookupuseraliases call, but this isn't done anymore for our domain
+ * so we need to resolve resource groups here.
+ *
+ * When to use Resource Groups:
+ * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
+ */
status = sid_array_from_info3(mem_ctx, info3,
user_sids,
&num_groups,
- false, true);
+ false);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(info3);
/* We can contact the domain if it is our primary domain */
if (domain->primary) {
- return true;
+ ret = true;
+ goto done;
}
/* Trust the TDC cache and not the winbindd_domain flags */
if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
domain->name));
- return false;
+ ret = false;
+ goto done;
}
/* Can always contact a domain that is in out forest */
return !is_domain_offline(domain);
}
+/**
+ * Parse an char array into a list of sids.
+ *
+ * The input sidstr should consist of 0-terminated strings
+ * representing sids, separated by newline characters '\n'.
+ * The list is terminated by an empty string, i.e.
+ * character '\0' directly following a character '\n'
+ * (or '\0' right at the start of sidstr).
+ */
bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
struct dom_sid **sids, uint32_t *num_sids)
{
DEBUG(1, ("Could not parse sid %s\n", p));
return false;
}
- if ((q == NULL) || (q[0] != '\n')) {
+ if (q[0] != '\n') {
DEBUG(1, ("Got invalid sidstr: %s\n", p));
return false;
}
}
return True;
}
+
+bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr,
+ struct unixid **pxids, uint32_t *pnum_xids)
+{
+ const char *p;
+ struct unixid *xids = NULL;
+ uint32_t num_xids = 0;
+
+ p = xidstr;
+ if (p == NULL) {
+ return false;
+ }
+
+ while (p[0] != '\0') {
+ struct unixid *tmp;
+ struct unixid xid;
+ unsigned long long id;
+ char *endp;
+
+ switch (p[0]) {
+ case 'U':
+ xid = (struct unixid) { .type = ID_TYPE_UID };
+ break;
+ case 'G':
+ xid = (struct unixid) { .type = ID_TYPE_GID };
+ break;
+ default:
+ return false;
+ }
+
+ p += 1;
+
+ id = strtoull(p, &endp, 10);
+ if ((id == ULLONG_MAX) && (errno == ERANGE)) {
+ goto fail;
+ }
+ if (*endp != '\n') {
+ goto fail;
+ }
+ p = endp+1;
+
+ xid.id = id;
+ if ((unsigned long long)xid.id != id) {
+ goto fail;
+ }
+
+ tmp = talloc_realloc(mem_ctx, xids, struct unixid, num_xids+1);
+ if (tmp == NULL) {
+ return 0;
+ }
+ xids = tmp;
+
+ xids[num_xids] = xid;
+ num_xids += 1;
+ }
+
+ *pxids = xids;
+ *pnum_xids = num_xids;
+ return true;
+
+fail:
+ TALLOC_FREE(xids);
+ return false;
+}