-/*
+/*
Unix SMB/CIFS implementation.
Winbind daemon for ntdom nss module
Copyright (C) Tim Potter 2000-2001
Copyright (C) 2001 by Martin Pool <mbp@samba.org>
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#define DBGC_CLASS DBGC_WINBIND
extern struct winbindd_methods cache_methods;
-extern struct winbindd_methods passdb_methods;
+extern struct winbindd_methods builtin_passdb_methods;
+extern struct winbindd_methods sam_passdb_methods;
+
/**
* @file winbindd_util.c
/**
When was the last scan of trusted domains done?
-
+
0 == not ever
*/
while(domain) {
struct winbindd_domain *next = domain->next;
-
+
DLIST_REMOVE(_domain_list, domain);
SAFE_FREE(domain);
domain = next;
{
struct winbindd_domain *domain;
const char *alternative_name = NULL;
-
+ char *idmap_config_option;
+ const char *param;
+ const char **ignored_domains, **dom;
+
+ ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
+ for (dom=ignored_domains; dom && *dom; dom++) {
+ if (gen_fnmatch(*dom, domain_name) == 0) {
+ DEBUG(2,("Ignoring domain '%s'\n", domain_name));
+ return NULL;
+ }
+ }
+
/* ignore alt_name if we are not in an AD domain */
-
+
if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
alternative_name = alt_name;
}
-
+
/* We can't call domain_list() as this function is called from
init_domain_list() and we'll get stuck in a loop. */
for (domain = _domain_list; domain; domain = domain->next) {
if (strequal(domain_name, domain->name) ||
- strequal(domain_name, domain->alt_name))
+ strequal(domain_name, domain->alt_name))
{
- break;
+ break;
}
- if (alternative_name && *alternative_name)
+ if (alternative_name && *alternative_name)
{
if (strequal(alternative_name, domain->name) ||
- strequal(alternative_name, domain->alt_name))
+ strequal(alternative_name, domain->alt_name))
{
- break;
+ break;
}
}
- if (sid)
+ if (sid)
{
if (is_null_sid(sid)) {
- continue;
+ continue;
}
-
+
if (sid_equal(sid, &domain->sid)) {
- break;
+ break;
}
}
}
-
+
/* See if we found a match. Check if we need to update the
SID. */
if ( sid_equal( &domain->sid, &global_sid_NULL ) )
sid_copy( &domain->sid, sid );
- return domain;
- }
-
+ return domain;
+ }
+
/* Create new domain entry */
if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
return NULL;
/* Fill in fields */
-
+
ZERO_STRUCTP(domain);
- /* prioritise the short name */
- if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
- fstrcpy(domain->name, alternative_name);
- fstrcpy(domain->alt_name, domain_name);
- } else {
- fstrcpy(domain->name, domain_name);
- if (alternative_name) {
- fstrcpy(domain->alt_name, alternative_name);
- }
+ fstrcpy(domain->name, domain_name);
+ if (alternative_name) {
+ fstrcpy(domain->alt_name, alternative_name);
}
domain->methods = methods;
domain->initialized = False;
domain->online = is_internal_domain(sid);
domain->check_online_timeout = 0;
+ domain->dc_probe_pid = (pid_t)-1;
if (sid) {
sid_copy(&domain->sid, sid);
}
-
+
/* Link to domain list */
DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
-
+
wcache_tdc_add_domain( domain );
-
- DEBUG(2,("Added domain %s %s %s\n",
+
+ idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
+ domain->name);
+ if (idmap_config_option == NULL) {
+ DEBUG(0, ("talloc failed, not looking for idmap config\n"));
+ goto done;
+ }
+
+ param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
+
+ DEBUG(10, ("%s : range = %s\n", idmap_config_option,
+ param ? param : "not defined"));
+
+ if (param != NULL) {
+ unsigned low_id, high_id;
+ if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
+ DEBUG(1, ("invalid range syntax in %s: %s\n",
+ idmap_config_option, param));
+ goto done;
+ }
+ if (low_id > high_id) {
+ DEBUG(1, ("invalid range in %s: %s\n",
+ idmap_config_option, param));
+ goto done;
+ }
+ domain->have_idmap_config = true;
+ domain->id_range_low = low_id;
+ domain->id_range_high = high_id;
+ }
+
+done:
+
+ DEBUG(2,("Added domain %s %s %s\n",
domain->name, domain->alt_name,
&domain->sid?sid_string_dbg(&domain->sid):""));
-
+
return domain;
}
struct trustdom_state {
TALLOC_CTX *mem_ctx;
- bool primary;
- bool forest_root;
+ bool primary;
+ bool forest_root;
struct winbindd_response *response;
};
TALLOC_CTX *mem_ctx;
struct winbindd_request *request;
struct winbindd_response *response;
- uint32 fr_flags = (DS_DOMAIN_TREE_ROOT|DS_DOMAIN_IN_FOREST);
+ uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
struct trustdom_state *state;
if (!string_to_sid(&sid, sidstr)) {
/* Allow NULL sid for sibling domains */
if ( strcmp(sidstr,"S-0-0") == 0) {
- sid_copy( &sid, &global_sid_NULL);
- } else {
+ sid_copy( &sid, &global_sid_NULL);
+ } else {
DEBUG(0, ("Got invalid trustdom response\n"));
break;
- }
+ }
}
/* use the real alt_name if we have one, else pass in NULL */
SAFE_FREE(response->extra_data.data);
- /*
+ /*
Cases to consider when scanning trusts:
(a) we are calling from a child domain (primary && !forest_root)
(b) we are calling from the root of the forest (primary && forest_root)
*/
if ( state->primary ) {
- /* If this is our primary domain and we are not the in the
+ /* If this is our primary domain and we are not in the
forest root, we have to scan the root trusts first */
if ( !state->forest_root )
} else if ( state->forest_root ) {
/* Once we have done root forest trust search, we can
- go on to search thing trusted forests */
+ go on to search the trusted forests */
rescan_forest_trusts();
}
-
+
talloc_destroy(state->mem_ctx);
-
+
return;
}
{
struct winbindd_tdc_domain *dom_list = NULL;
size_t num_trusts = 0;
- int i;
+ int i;
/* The only transitive trusts supported by Windows 2003 AD are
(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
for ( i=0; i<num_trusts; i++ ) {
struct winbindd_domain *d = NULL;
- /* Find the forest root. Don't necessarily trust
- the domain_list() as our primary domain may not
+ /* Find the forest root. Don't necessarily trust
+ the domain_list() as our primary domain may not
have been initialized. */
- if ( !(dom_list[i].trust_flags & DS_DOMAIN_TREE_ROOT) ) {
- continue;
+ if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
+ continue;
}
-
+
/* Here's the forest root */
d = find_domain_from_name_noinit( dom_list[i].domain_name );
&dom_list[i].sid );
}
+ if (d == NULL) {
+ continue;
+ }
+
DEBUG(10,("rescan_forest_root_trusts: Following trust path "
"for domain tree root %s (%s)\n",
d->name, d->alt_name ));
d->domain_flags = dom_list[i].trust_flags;
- d->domain_type = dom_list[i].trust_type;
- d->domain_trust_attribs = dom_list[i].trust_attribs;
-
+ d->domain_type = dom_list[i].trust_type;
+ d->domain_trust_attribs = dom_list[i].trust_attribs;
+
add_trusted_domains( d );
- break;
+ break;
}
TALLOC_FREE( dom_list );
}
/********************************************************************
- scan the transitive forest trists (not our own)
+ scan the transitive forest trusts (not our own)
********************************************************************/
struct winbindd_domain *d = NULL;
struct winbindd_tdc_domain *dom_list = NULL;
size_t num_trusts = 0;
- int i;
+ int i;
/* The only transitive trusts supported by Windows 2003 AD are
(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
uint32 flags = dom_list[i].trust_flags;
uint32 type = dom_list[i].trust_type;
uint32 attribs = dom_list[i].trust_attribs;
-
+
d = find_domain_from_name_noinit( dom_list[i].domain_name );
/* ignore our primary and internal domains */
if ( d && (d->internal || d->primary ) )
- continue;
-
- if ( (flags & DS_DOMAIN_DIRECT_INBOUND) &&
- (type == DS_DOMAIN_TRUST_TYPE_UPLEVEL) &&
- (attribs == DS_DOMAIN_TRUST_ATTRIB_FOREST_TRANSITIVE) )
+ continue;
+
+ if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
+ (type == NETR_TRUST_TYPE_UPLEVEL) &&
+ (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
{
/* add the trusted domain if we don't know
about it */
&cache_methods,
&dom_list[i].sid );
}
-
+
+ if (d == NULL) {
+ continue;
+ }
+
DEBUG(10,("Following trust path for domain %s (%s)\n",
d->name, d->alt_name ));
add_trusted_domains( d );
TALLOC_FREE( dom_list );
- return;
+ return;
}
/*********************************************************************
void rescan_trusted_domains( void )
{
time_t now = time(NULL);
-
+
+ /* Check that we allow trusted domains at all */
+ if (!lp_allow_trusted_domains())
+ return;
+
/* see if the time has come... */
-
+
if ((now >= last_trustdom_scan) &&
((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
return;
-
+
/* I use to clear the cache here and start over but that
caused problems in child processes that needed the
trust dom list early on. Removing it means we
/* this will only add new domains we didn't already know about
in the domain_list()*/
-
+
add_trusted_domains( find_our_domain() );
last_trustdom_scan = now;
-
- return;
+
+ return;
}
struct init_child_state {
state->response->data.domain_info.name);
fstrcpy(state->domain->alt_name,
state->response->data.domain_info.alt_name);
- string_to_sid(&state->domain->sid,
- state->response->data.domain_info.sid);
+ if (!string_to_sid(&state->domain->sid,
+ state->response->data.domain_info.sid)) {
+ DEBUG(1,("init_child_recv: Could not convert sid %s "
+ "from string\n",
+ state->response->data.domain_info.sid));
+ state->continuation(state->private_data, False);
+ talloc_destroy(state->mem_ctx);
+ return;
+ }
+
state->domain->native_mode =
state->response->data.domain_info.native_mode;
state->domain->active_directory =
struct winbindd_cli_state *state)
{
/* Ensure null termination */
- state->request.domain_name
- [sizeof(state->request.domain_name)-1]='\0';
- state->request.data.init_conn.dcname
- [sizeof(state->request.data.init_conn.dcname)-1]='\0';
+ state->request->domain_name
+ [sizeof(state->request->domain_name)-1]='\0';
+ state->request->data.init_conn.dcname
+ [sizeof(state->request->data.init_conn.dcname)-1]='\0';
- if (strlen(state->request.data.init_conn.dcname) > 0) {
- fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
+ if (strlen(state->request->data.init_conn.dcname) > 0) {
+ fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
}
init_dc_connection(domain);
fstrcpy(state->response.data.domain_info.name, domain->name);
fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
sid_to_fstring(state->response.data.domain_info.sid, &domain->sid);
-
+
state->response.data.domain_info.native_mode
= domain->native_mode;
state->response.data.domain_info.active_directory
/* BUILTIN domain */
- domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods,
+ domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
&global_sid_Builtin);
if (domain) {
setup_domain_child(domain,
/* Local SAM */
domain = add_trusted_domain(get_global_sam_name(), NULL,
- &passdb_methods, get_global_sam_sid());
+ &sam_passdb_methods, get_global_sam_sid());
if (domain) {
if ( role != ROLE_DOMAIN_MEMBER ) {
domain->primary = True;
DEBUG(0, ("Could not fetch our SID - did we join?\n"));
return False;
}
-
+
domain = add_trusted_domain( lp_workgroup(), lp_realm(),
&cache_methods, &our_sid);
if (domain) {
void check_domain_trusted( const char *name, const DOM_SID *user_sid )
{
- struct winbindd_domain *domain;
+ struct winbindd_domain *domain;
DOM_SID dom_sid;
uint32 rid;
-
+
+ /* Check if we even care */
+
+ if (!lp_allow_trusted_domains())
+ return;
+
domain = find_domain_from_name_noinit( name );
if ( domain )
- return;
-
- sid_copy( &dom_sid, user_sid );
+ return;
+
+ sid_copy( &dom_sid, user_sid );
if ( !sid_split_rid( &dom_sid, &rid ) )
return;
-
+
/* add the newly discovered trusted domain */
- domain = add_trusted_domain( name, NULL, &cache_methods,
+ domain = add_trusted_domain( name, NULL, &cache_methods,
&dom_sid);
if ( !domain )
return;
- /* assume this is a trust from a one-way transitive
+ /* assume this is a trust from a one-way transitive
forest trust */
domain->active_directory = True;
- domain->domain_flags = DS_DOMAIN_DIRECT_OUTBOUND;
- domain->domain_type = DS_DOMAIN_TRUST_TYPE_UPLEVEL;
+ domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
+ domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
domain->internal = False;
- domain->online = True;
+ domain->online = True;
setup_domain_child(domain,
&domain->child);
wcache_tdc_add_domain( domain );
- return;
+ return;
}
-/**
- * Given a domain name, return the struct winbindd domain info for it
+/**
+ * Given a domain name, return the struct winbindd domain info for it
*
* @note Do *not* pass lp_workgroup() to this function. domain_list
* may modify it's value, and free that pointer. Instead, our local
struct winbindd_domain *find_root_domain(void)
{
- struct winbindd_domain *ours = find_our_domain();
-
+ struct winbindd_domain *ours = find_our_domain();
+
if ( !ours )
return NULL;
-
+
if ( strlen(ours->forest_name) == 0 )
return NULL;
-
+
return find_domain_from_name( ours->forest_name );
}
{
/* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
- if ( sid_check_is_in_unix_groups(sid) ||
+ if ( sid_check_is_in_unix_groups(sid) ||
sid_check_is_unix_groups(sid) ||
sid_check_is_in_unix_users(sid) ||
sid_check_is_unix_users(sid) )
if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
DEBUG(10, ("calling find_domain_from_sid\n"));
return find_domain_from_sid(sid);
- }
+ }
/* On a member server a query for SID or name can always go to our
* primary DC. */
bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
enum winbindd_cmd orig_cmd,
- struct winbindd_domain *domain,
+ struct winbindd_domain *domain,
const char *domain_name,
- const char *name, DOM_SID *sid,
+ const char *name, DOM_SID *sid,
enum lsa_SidType *type)
{
NTSTATUS result;
result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
/* Return name and type if successful */
-
+
if (NT_STATUS_IS_OK(result)) {
return True;
}
*type = SID_NAME_UNKNOWN;
-
+
return False;
}
temp = state;
while(temp != NULL) {
- struct getent_state *next;
+ struct getent_state *next = temp->next;
/* Free sam entries then list entry */
SAFE_FREE(state->sam_entries);
DLIST_REMOVE(state, state);
- next = temp->next;
SAFE_FREE(temp);
temp = next;
if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
return True;
- }
+ }
/* only left with a domain controller */
if ( strequal(get_global_sam_name(), domain) ) {
return True;
}
-
+
return False;
}
if ( assume_domain(lp_workgroup())) {
fstrcpy(domain, lp_workgroup());
} else if ((p = strchr(domuser, '@')) != NULL) {
- fstrcpy(domain, "");
+ fstrcpy(domain, "");
} else {
return False;
}
fstrcpy(domain, domuser);
domain[PTR_DIFF(p, domuser)] = 0;
}
-
+
strupper_m(domain);
-
+
return True;
}
return ((*domain != NULL) && (*user != NULL));
}
+/* add a domain user name to a buffer */
+void parse_add_domuser(void *buf, char *domuser, int *len)
+{
+ fstring domain;
+ char *p, *user;
+
+ user = domuser;
+ p = strchr(domuser, *lp_winbind_separator());
+
+ if (p) {
+
+ fstrcpy(domain, domuser);
+ domain[PTR_DIFF(p, domuser)] = 0;
+ p++;
+
+ if (assume_domain(domain)) {
+
+ user = p;
+ *len -= (PTR_DIFF(p, domuser));
+ }
+ }
+
+ safe_strcpy((char *)buf, user, *len);
+}
+
/* Ensure an incoming username from NSS is fully qualified. Replace the
incoming fstring with DOMAIN <separator> user. Returns the same
values as parse_domain_user() but also replaces the incoming username.
If we are a PDC or BDC, and this is for our domain, do likewise.
- Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
+ Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
username is then unqualified in unix
We always canonicalize as UPPERCASE DOMAIN, lowercase username.
}
}
+/**
+ * talloc version of fill_domain_username()
+ * return NULL on talloc failure.
+ */
+char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
+ const char *domain,
+ const char *user,
+ bool can_assume)
+{
+ char *tmp_user, *name;
+
+ tmp_user = talloc_strdup(mem_ctx, user);
+ strlower_m(tmp_user);
+
+ if (can_assume && assume_domain(domain)) {
+ name = tmp_user;
+ } else {
+ name = talloc_asprintf(mem_ctx, "%s%c%s",
+ domain,
+ *lp_winbind_separator(),
+ tmp_user);
+ TALLOC_FREE(tmp_user);
+ }
+
+ return name;
+}
+
/*
* Winbindd socket accessor functions
*/
-const char *get_winbind_pipe_dir(void)
+const char *get_winbind_pipe_dir(void)
{
return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
}
-char *get_winbind_priv_pipe_dir(void)
+char *get_winbind_priv_pipe_dir(void)
{
return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
}
return _winbindd_priv_socket;
}
-/* Close the winbindd socket */
-
-void close_winbindd_socket(void)
-{
- if (_winbindd_socket != -1) {
- DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
- _winbindd_socket));
- close(_winbindd_socket);
- _winbindd_socket = -1;
- }
- if (_winbindd_priv_socket != -1) {
- DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
- _winbindd_priv_socket));
- close(_winbindd_priv_socket);
- _winbindd_priv_socket = -1;
- }
-}
-
/*
* Client list accessor functions
*/
while (cl) {
struct winbindd_cli_state *next;
-
+
next = cl->next;
winbindd_remove_client(cl);
cl = next;
const DOM_SID *user_sid,
uint32 *p_num_groups, DOM_SID **user_sids)
{
- NET_USER_INFO_3 *info3 = NULL;
+ struct netr_SamInfo3 *info3 = NULL;
NTSTATUS status = NT_STATUS_NO_MEMORY;
- int i;
size_t num_groups = 0;
- DOM_SID group_sid, primary_group;
-
+
DEBUG(3,(": lookup_usergroups_cached\n"));
-
+
*user_sids = NULL;
- num_groups = 0;
*p_num_groups = 0;
info3 = netsamlogon_cache_get(mem_ctx, user_sid);
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
- if (info3->num_groups == 0) {
+ if (info3->base.groups.count == 0) {
TALLOC_FREE(info3);
return NT_STATUS_UNSUCCESSFUL;
}
-
- /* always add the primary group to the sid array */
- sid_compose(&primary_group, &info3->dom_sid.sid, info3->user_rid);
-
- status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
- &num_groups);
+
+ /* Skip Domain local groups outside our domain.
+ We'll get these from the getsidaliases() RPC call. */
+ status = sid_array_from_info3(mem_ctx, info3,
+ user_sids,
+ &num_groups,
+ false, true);
+
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(info3);
return status;
}
- for (i=0; i<info3->num_groups; i++) {
- sid_copy(&group_sid, &info3->dom_sid.sid);
- sid_append_rid(&group_sid, info3->gids[i].g_rid);
-
- status = add_sid_to_array(mem_ctx, &group_sid, user_sids,
- &num_groups);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(info3);
- return status;
- }
- }
-
- /* Add any Universal groups in the other_sids list */
-
- for (i=0; i<info3->num_other_sids; i++) {
- /* Skip Domain local groups outside our domain.
- We'll get these from the getsidaliases() RPC call. */
- if (info3->other_sids_attrib[i] & SE_GROUP_RESOURCE)
- continue;
-
- status = add_sid_to_array(mem_ctx, &info3->other_sids[i].sid,
- user_sids, &num_groups);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(info3);
- return status;
- }
- }
-
-
TALLOC_FREE(info3);
*p_num_groups = num_groups;
status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
-
+
DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
return status;
We use this to remove spaces from user and group names
********************************************************************/
-void ws_name_replace( char *name, char replace )
+NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ char *name,
+ char **normalized)
{
- char replace_char[2] = { 0x0, 0x0 };
-
- if ( !lp_winbind_normalize_names() || (replace == '\0') )
- return;
+ NTSTATUS nt_status;
+
+ if (!name || !normalized) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!lp_winbind_normalize_names()) {
+ return NT_STATUS_PROCEDURE_NOT_FOUND;
+ }
+
+ /* Alias support and whitespace replacement are mutually
+ exclusive */
+
+ nt_status = resolve_username_to_alias(mem_ctx, domain,
+ name, normalized );
+ if (NT_STATUS_IS_OK(nt_status)) {
+ /* special return code to let the caller know we
+ mapped to an alias */
+ return NT_STATUS_FILE_RENAMED;
+ }
+
+ /* check for an unreachable domain */
+
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
+ domain->name));
+ set_domain_offline(domain);
+ return nt_status;
+ }
+
+ /* deal with whitespace */
+
+ *normalized = talloc_strdup(mem_ctx, name);
+ if (!(*normalized)) {
+ return NT_STATUS_NO_MEMORY;
+ }
- replace_char[0] = replace;
- all_string_sub( name, " ", replace_char, 0 );
+ all_string_sub( *normalized, " ", "_", 0 );
- return;
+ return NT_STATUS_OK;
}
/*********************************************************************
- We use this to do the inverse of ws_name_replace()
+ We use this to do the inverse of normalize_name_map()
********************************************************************/
-void ws_name_return( char *name, char replace )
+NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
+ char *name,
+ char **normalized)
{
- char replace_char[2] = { 0x0, 0x0 };
-
- if ( !lp_winbind_normalize_names() || (replace == '\0') )
- return;
-
- replace_char[0] = replace;
- all_string_sub( name, replace_char, " ", 0 );
+ NTSTATUS nt_status;
+ struct winbindd_domain *domain = find_our_domain();
+
+ if (!name || !normalized) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!lp_winbind_normalize_names()) {
+ return NT_STATUS_PROCEDURE_NOT_FOUND;
+ }
+
+ /* Alias support and whitespace replacement are mutally
+ exclusive */
+
+ /* When mapping from an alias to a username, we don't know the
+ domain. But we only need a domain structure to cache
+ a successful lookup , so just our own domain structure for
+ the seqnum. */
+
+ nt_status = resolve_alias_to_username(mem_ctx, domain,
+ name, normalized);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ /* Special return code to let the caller know we mapped
+ from an alias */
+ return NT_STATUS_FILE_RENAMED;
+ }
+
+ /* check for an unreachable domain */
- return;
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
+ domain->name));
+ set_domain_offline(domain);
+ return nt_status;
+ }
+
+ /* deal with whitespace */
+
+ *normalized = talloc_strdup(mem_ctx, name);
+ if (!(*normalized)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ all_string_sub(*normalized, "_", " ", 0);
+
+ return NT_STATUS_OK;
}
/*********************************************************************
/* Can always contact a domain that is in out forest */
- if (tdc->trust_flags & DS_DOMAIN_IN_FOREST) {
+ if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
ret = true;
goto done;
}
-
+
/*
* On a _member_ server, we cannot contact the domain if it
* is running AD and we have no inbound trust.
*/
- if (!IS_DC &&
+ if (!IS_DC &&
domain->active_directory &&
- ((tdc->trust_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND))
+ ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
{
DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
"and we have no inbound trust.\n", domain->name));
/* Assume everything else is ok (probably not true but what
can you do?) */
- ret = true;
+ ret = true;
-done:
+done:
talloc_destroy(frame);
-
- return ret;
+
+ return ret;
}
/*********************************************************************
}
#endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
+
+void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
+{
+ resp->data.auth.nt_status = NT_STATUS_V(result);
+ fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
+
+ /* we might have given a more useful error above */
+ if (*resp->data.auth.error_string == '\0')
+ fstrcpy(resp->data.auth.error_string,
+ get_friendly_nt_error_msg(result));
+ resp->data.auth.pam_error = nt_status_to_pam(result);
+}