Copyright (C) Tim Potter 2000
Copyright (C) Andrew Bartlett 2002
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "winbindd.h"
+#include "../librpc/gen_ndr/cli_netlogon.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
-/* Check the machine account password is valid */
-
-void winbindd_check_machine_acct(struct winbindd_cli_state *state)
-{
- DEBUG(3, ("[%5lu]: check machine account\n",
- (unsigned long)state->pid));
-
- sendto_domain(state, find_our_domain());
-}
-
-enum winbindd_result winbindd_dual_check_machine_acct(struct winbindd_domain *domain,
- struct winbindd_cli_state *state)
-{
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- int num_retries = 0;
- struct winbindd_domain *contact_domain;
-
- DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid));
-
- /* Get trust account password */
-
- again:
-
- contact_domain = find_our_domain();
-
- /* This call does a cli_nt_setup_creds() which implicitly checks
- the trust account password. */
-
- invalidate_cm_connection(&contact_domain->conn);
-
- {
- struct rpc_pipe_client *netlogon_pipe;
- result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
- }
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
- goto done;
- }
-
- /* There is a race condition between fetching the trust account
- password and the periodic machine password change. So it's
- possible that the trust account password has been changed on us.
- We are returned NT_STATUS_ACCESS_DENIED if this happens. */
-
-#define MAX_RETRIES 8
-
- if ((num_retries < MAX_RETRIES) &&
- NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED)) {
- num_retries++;
- goto again;
- }
-
- /* Pass back result code - zero for success, other values for
- specific failures. */
-
- DEBUG(3, ("secret is %s\n", NT_STATUS_IS_OK(result) ?
- "good" : "bad"));
-
- done:
- set_auth_errors(state->response, result);
-
- DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Checking the trust account password returned %s\n",
- state->response->data.auth.nt_status_string));
-
- return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
-}
-
-/* Helpers for listing user and group names */
-
-const char *ent_type_strings[] = {"users",
- "groups"};
-
-static const char *get_ent_type_string(enum ent_type type)
-{
- return ent_type_strings[type];
-}
-
-struct listent_state {
- TALLOC_CTX *mem_ctx;
- struct winbindd_cli_state *cli_state;
- enum ent_type type;
- int domain_count;
- char *extra_data;
- uint32_t extra_data_len;
-};
-
-static void listent_recv(void *private_data, bool success, fstring dom_name,
- char *extra_data);
-
-/* List domain users/groups without mapping to unix ids */
-void winbindd_list_ent(struct winbindd_cli_state *state, enum ent_type type)
-{
- struct winbindd_domain *domain;
- const char *which_domain;
- struct listent_state *ent_state;
-
- DEBUG(3, ("[%5lu]: list %s\n", (unsigned long)state->pid,
- get_ent_type_string(type)));
-
- /* Ensure null termination */
- state->request->domain_name[sizeof(state->request->domain_name)-1]='\0';
- which_domain = state->request->domain_name;
-
- /* Initialize listent_state */
- ent_state = TALLOC_P(state->mem_ctx, struct listent_state);
- if (ent_state == NULL) {
- DEBUG(0, ("talloc failed\n"));
- request_error(state);
- return;
- }
-
- ent_state->mem_ctx = state->mem_ctx;
- ent_state->cli_state = state;
- ent_state->type = type;
- ent_state->domain_count = 0;
- ent_state->extra_data = NULL;
- ent_state->extra_data_len = 0;
-
- /* Must count the full list of expected domains before we request data
- * from any of them. Otherwise it's possible for a connection to the
- * first domain to fail, call listent_recv(), and return to the
- * client without checking any other domains. */
- for (domain = domain_list(); domain; domain = domain->next) {
- /* if we have a domain name restricting the request and this
- one in the list doesn't match, then just bypass the remainder
- of the loop */
- if ( *which_domain && !strequal(which_domain, domain->name) )
- continue;
-
- ent_state->domain_count++;
- }
-
- /* Make sure we're enumerating at least one domain */
- if (!ent_state->domain_count) {
- request_ok(state);
- return;
- }
-
- /* Enumerate list of trusted domains and request user/group list from
- * each */
- for (domain = domain_list(); domain; domain = domain->next) {
- if ( *which_domain && !strequal(which_domain, domain->name) )
- continue;
-
- winbindd_listent_async(state->mem_ctx, domain,
- listent_recv, ent_state, type);
- }
-}
-
-static void listent_recv(void *private_data, bool success, fstring dom_name,
- char *extra_data)
-{
- /* extra_data comes to us as a '\0' terminated string of comma
- separated users or groups */
- struct listent_state *state = talloc_get_type_abort(
- private_data, struct listent_state);
-
- /* Append users/groups from one domain onto the whole list */
- if (extra_data) {
- DEBUG(5, ("listent_recv: %s returned %s.\n",
- dom_name, get_ent_type_string(state->type)));
- if (!state->extra_data)
- state->extra_data = talloc_asprintf(state->mem_ctx,
- "%s", extra_data);
- else
- state->extra_data = talloc_asprintf_append(
- state->extra_data,
- ",%s", extra_data);
- /* Add one for the '\0' and each additional ',' */
- state->extra_data_len += strlen(extra_data) + 1;
- }
- else {
- DEBUG(5, ("listent_recv: %s returned no %s.\n",
- dom_name, get_ent_type_string(state->type)));
- }
-
- if (--state->domain_count)
- /* Still waiting for some child domains to return */
- return;
-
- /* Return list of all users/groups to the client */
- if (state->extra_data) {
- state->cli_state->response->extra_data.data = state->extra_data;
- state->cli_state->response->length += state->extra_data_len;
- }
-
- request_ok(state->cli_state);
-}
-
/* Constants and helper functions for determining domain trust types */
enum trust_type {
int extra_data_len = 0;
char *extra_data = NULL;
int i = 0;
-
+
DEBUG(3, ("[%5lu]: list trusted domains\n",
(unsigned long)state->pid));
is_online ? "Online" : "Offline" );
}
}
-
+
extra_data_len = 0;
if (extra_data != NULL) {
extra_data_len = strlen(extra_data);
sid_string_talloc(state->mem_ctx, &sids[i]));
/* add our primary domain */
-
+
for (i=0; i<num_domains; i++) {
if (strequal(names[i], domain->name)) {
have_own_domain = True;
return WINBINDD_OK;
}
-void winbindd_getdcname(struct winbindd_cli_state *state)
-{
- struct winbindd_domain *domain;
-
- state->request->domain_name
- [sizeof(state->request->domain_name)-1] = '\0';
-
- DEBUG(3, ("[%5lu]: Get DC name for %s\n", (unsigned long)state->pid,
- state->request->domain_name));
-
- domain = find_domain_from_name_noinit(state->request->domain_name);
- if (domain && domain->internal) {
- fstrcpy(state->response->data.dc_name, global_myname());
- request_ok(state);
- return;
- }
-
- sendto_domain(state, find_our_domain());
-}
-
-enum winbindd_result winbindd_dual_getdcname(struct winbindd_domain *domain,
- struct winbindd_cli_state *state)
-{
- const char *dcname_slash = NULL;
- const char *p;
- struct rpc_pipe_client *netlogon_pipe;
- NTSTATUS result;
- WERROR werr;
- unsigned int orig_timeout;
- struct winbindd_domain *req_domain;
-
- state->request->domain_name
- [sizeof(state->request->domain_name)-1] = '\0';
-
- DEBUG(3, ("[%5lu]: Get DC name for %s\n", (unsigned long)state->pid,
- state->request->domain_name));
-
- result = cm_connect_netlogon(domain, &netlogon_pipe);
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(1, ("Can't contact the NETLOGON pipe\n"));
- return WINBINDD_ERROR;
- }
-
- /* This call can take a long time - allow the server to time out.
- 35 seconds should do it. */
-
- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
-
- req_domain = find_domain_from_name_noinit(state->request->domain_name);
- if (req_domain == domain) {
- result = rpccli_netr_GetDcName(netlogon_pipe,
- state->mem_ctx,
- domain->dcname,
- state->request->domain_name,
- &dcname_slash,
- &werr);
- } else {
- result = rpccli_netr_GetAnyDCName(netlogon_pipe,
- state->mem_ctx,
- domain->dcname,
- state->request->domain_name,
- &dcname_slash,
- &werr);
- }
- /* And restore our original timeout. */
- rpccli_set_timeout(netlogon_pipe, orig_timeout);
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(5,("Error requesting DCname for domain %s: %s\n",
- state->request->domain_name, nt_errstr(result)));
- return WINBINDD_ERROR;
- }
-
- if (!W_ERROR_IS_OK(werr)) {
- DEBUG(5, ("Error requesting DCname for domain %s: %s\n",
- state->request->domain_name, win_errstr(werr)));
- return WINBINDD_ERROR;
- }
-
- p = dcname_slash;
- if (*p == '\\') {
- p+=1;
- }
- if (*p == '\\') {
- p+=1;
- }
-
- fstrcpy(state->response->data.dc_name, p);
- return WINBINDD_OK;
-}
-
/* This is the child-only version of --sequence. It only allows for a single
* domain (ie "our" one) to be displayed. */
if (req == NULL) {
DEBUG(3, ("wb_domain_request_send failed\n"));
request_error(cli);
+ return;
}
tevent_req_set_callback(req, domain_info_done, state);
}
{
DEBUG(3, ("[%5lu]: request interface version\n",
(unsigned long)state->pid));
-
+
state->response->data.interface_version = WINBIND_INTERFACE_VERSION;
request_ok(state);
}
void winbindd_domain_name(struct winbindd_cli_state *state)
{
DEBUG(3, ("[%5lu]: request domain name\n", (unsigned long)state->pid));
-
+
fstrcpy(state->response->data.domain_name, lp_workgroup());
request_ok(state);
}
{
DEBUG(3, ("[%5lu]: request netbios name\n",
(unsigned long)state->pid));
-
+
fstrcpy(state->response->data.netbios_name, global_myname());
request_ok(state);
}
-/* Where can I find the privilaged pipe? */
+/* Where can I find the privileged pipe? */
void winbindd_priv_pipe_dir(struct winbindd_cli_state *state)
{
char *priv_dir;
DEBUG(3, ("[%5lu]: request location of privileged pipe\n",
(unsigned long)state->pid));
-
+
priv_dir = get_winbind_priv_pipe_dir();
state->response->extra_data.data = talloc_move(state->mem_ctx,
&priv_dir);
git.samba.org / ira / wip.git / blobdiff