In-Child server implementation of the routines defined in wbint.idl
Copyright (C) Volker Lendecke 2009
+ Copyright (C) Guenther Deschner 2009
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "winbindd/winbindd.h"
#include "winbindd/winbindd_proto.h"
#include "librpc/gen_ndr/srv_wbint.h"
+#include "../librpc/gen_ndr/cli_netlogon.h"
void _wbint_Ping(pipes_struct *p, struct wbint_Ping *r)
{
return NT_STATUS_OK;
}
+NTSTATUS _wbint_AllocateGid(pipes_struct *p, struct wbint_AllocateGid *r)
+{
+ struct unixid xid;
+ NTSTATUS status;
+
+ status = idmap_allocate_gid(&xid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ *r->out.gid = xid.id;
+ return NT_STATUS_OK;
+}
+
NTSTATUS _wbint_QueryUser(pipes_struct *p, struct wbint_QueryUser *r)
{
struct winbindd_domain *domain = wb_child_domain();
r->out.names->principals = result;
return NT_STATUS_OK;
}
+
+NTSTATUS _wbint_CheckMachineAccount(pipes_struct *p,
+ struct wbint_CheckMachineAccount *r)
+{
+ struct winbindd_domain *domain;
+ int num_retries = 0;
+ NTSTATUS status;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+again:
+ invalidate_cm_connection(&domain->conn);
+
+ {
+ struct rpc_pipe_client *netlogon_pipe;
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ }
+
+ /* There is a race condition between fetching the trust account
+ password and the periodic machine password change. So it's
+ possible that the trust account password has been changed on us.
+ We are returned NT_STATUS_ACCESS_DENIED if this happens. */
+
+#define MAX_RETRIES 3
+
+ if ((num_retries < MAX_RETRIES)
+ && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ num_retries++;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+ goto done;
+ }
+
+ /* Pass back result code - zero for success, other values for
+ specific failures. */
+
+ DEBUG(3,("domain %s secret is %s\n", domain->name,
+ NT_STATUS_IS_OK(status) ? "good" : "bad"));
+
+ done:
+ DEBUG(NT_STATUS_IS_OK(status) ? 5 : 2,
+ ("Checking the trust account password for domain %s returned %s\n",
+ domain->name, nt_errstr(status)));
+
+ return status;
+}
+
+NTSTATUS _wbint_ChangeMachineAccount(pipes_struct *p,
+ struct wbint_ChangeMachineAccount *r)
+{
+ struct winbindd_domain *domain;
+ int num_retries = 0;
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe;
+ TALLOC_CTX *tmp_ctx;
+
+again:
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ invalidate_cm_connection(&domain->conn);
+
+ {
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ }
+
+ /* There is a race condition between fetching the trust account
+ password and the periodic machine password change. So it's
+ possible that the trust account password has been changed on us.
+ We are returned NT_STATUS_ACCESS_DENIED if this happens. */
+
+#define MAX_RETRIES 3
+
+ if ((num_retries < MAX_RETRIES)
+ && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ num_retries++;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+ goto done;
+ }
+
+ tmp_ctx = talloc_new(p->mem_ctx);
+
+ status = trust_pw_find_change_and_store_it(netlogon_pipe,
+ tmp_ctx,
+ domain->name);
+ talloc_destroy(tmp_ctx);
+
+ /* Pass back result code - zero for success, other values for
+ specific failures. */
+
+ DEBUG(3,("domain %s secret %s\n", domain->name,
+ NT_STATUS_IS_OK(status) ? "changed" : "unchanged"));
+
+ done:
+ DEBUG(NT_STATUS_IS_OK(status) ? 5 : 2,
+ ("Changing the trust account password for domain %s returned %s\n",
+ domain->name, nt_errstr(status)));
+
+ return status;
+}
+
+NTSTATUS _wbint_PingDc(pipes_struct *p, struct wbint_PingDc *r)
+{
+ NTSTATUS status;
+ struct winbindd_domain *domain;
+ struct rpc_pipe_client *netlogon_pipe;
+ union netr_CONTROL_QUERY_INFORMATION info;
+ WERROR werr;
+ fstring logon_server;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+ return status;
+ }
+
+ fstr_sprintf(logon_server, "\\\\%s", domain->dcname);
+
+ /*
+ * This provokes a WERR_NOT_SUPPORTED error message. This is
+ * documented in the wspp docs. I could not get a successful
+ * call to work, but the main point here is testing that the
+ * netlogon pipe works.
+ */
+ status = rpccli_netr_LogonControl(netlogon_pipe, p->mem_ctx,
+ logon_server, NETLOGON_CONTROL_QUERY,
+ 2, &info, &werr);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
+ DEBUG(2, ("rpccli_netr_LogonControl timed out\n"));
+ invalidate_cm_connection(&domain->conn);
+ return status;
+ }
+
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_CTL_FILE_NOT_SUPPORTED)) {
+ DEBUG(2, ("rpccli_netr_LogonControl returned %s, expected "
+ "NT_STATUS_CTL_FILE_NOT_SUPPORTED\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ DEBUG(5, ("winbindd_dual_ping_dc succeeded\n"));
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _wbint_SetMapping(pipes_struct *p, struct wbint_SetMapping *r)
+{
+ struct id_map map;
+
+ map.sid = r->in.sid;
+ map.xid.id = r->in.id;
+ map.status = ID_MAPPED;
+
+ switch (r->in.type) {
+ case WBINT_ID_TYPE_UID:
+ map.xid.type = ID_TYPE_UID;
+ break;
+ case WBINT_ID_TYPE_GID:
+ map.xid.type = ID_TYPE_GID;
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ return idmap_set_mapping(&map);
+}
+
+NTSTATUS _wbint_RemoveMapping(pipes_struct *p, struct wbint_RemoveMapping *r)
+{
+ struct id_map map;
+
+ map.sid = r->in.sid;
+ map.xid.id = r->in.id;
+ map.status = ID_MAPPED;
+
+ switch (r->in.type) {
+ case WBINT_ID_TYPE_UID:
+ map.xid.type = ID_TYPE_UID;
+ break;
+ case WBINT_ID_TYPE_GID:
+ map.xid.type = ID_TYPE_GID;
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ return idmap_remove_mapping(&map);
+}
+
+NTSTATUS _wbint_SetHWM(pipes_struct *p, struct wbint_SetHWM *r)
+{
+ struct unixid id;
+ NTSTATUS status;
+
+ id.id = r->in.id;
+
+ switch (id.type) {
+ case WBINT_ID_TYPE_UID:
+ id.type = ID_TYPE_UID;
+ status = idmap_set_uid_hwm(&id);
+ break;
+ case ID_TYPE_GID:
+ id.type = ID_TYPE_GID;
+ status = idmap_set_gid_hwm(&id);
+ break;
+ default:
+ status = NT_STATUS_INVALID_PARAMETER;
+ break;
+ }
+ return status;
+}
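Review bot: `_wbint_SetHWM` switches on `id.type` before that field has been assigned (only `id.id` is set from the request), so the branch taken depends on whatever is on the stack, and its case labels mix the wire enum `WBINT_ID_TYPE_UID` with the internal `ID_TYPE_GID`, unlike the sibling `_wbint_SetMapping` and `_wbint_RemoveMapping` in this hunk which both dispatch on `r->in.type` with `WBINT_ID_TYPE_*` labels. Dispatch on the request the same way: `switch (r->in.type) {` and `case WBINT_ID_TYPE_GID:`. In the same hunk, `tmp_ctx = talloc_new(p->mem_ctx);` in `_wbint_ChangeMachineAccount` is handed to `trust_pw_find_change_and_store_it` without a NULL check, and in `_wbint_CheckMachineAccount` the block-scoped `netlogon_pipe` is written but never read while the "Pass back result code" comment above the DEBUG no longer describes any code, both of which look like leftovers from the function this was copied from. `MAX_RETRIES` is also `#define`d identically in two functions; a single file-level definition would avoid the duplicate. The hunk may continue beyond the last line shown here.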