* Winbind daemon for NT domain authentication nss module.
**/
+
/* The list of trusted domains. Note that the list can be deleted and
recreated using the init_domain_list() function so pointers to
individual winbindd_domain structures cannot be made. Keep a copy of
the domain name instead. */
-static struct winbindd_domain *_domain_list;
+static struct winbindd_domain *_domain_list = NULL;
/**
When was the last scan of trusted domains done?
}
}
-static BOOL is_internal_domain(const DOM_SID *sid)
+static bool is_internal_domain(const DOM_SID *sid)
{
if (sid == NULL)
return False;
- if ( IS_DC )
- return sid_check_is_builtin(sid);
-
return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
}
-static BOOL is_in_internal_domain(const DOM_SID *sid)
+static bool is_in_internal_domain(const DOM_SID *sid)
{
if (sid == NULL)
return False;
- if ( IS_DC )
- return sid_check_is_in_builtin(sid);
-
return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
}
DEBUG(2,("Added domain %s %s %s\n",
domain->name, domain->alt_name,
- &domain->sid?sid_string_static(&domain->sid):""));
+ &domain->sid?sid_string_dbg(&domain->sid):""));
return domain;
}
struct trustdom_state {
TALLOC_CTX *mem_ctx;
- BOOL primary;
- BOOL forest_root;
+ bool primary;
+ bool forest_root;
struct winbindd_response *response;
};
-static void trustdom_recv(void *private_data, BOOL success);
+static void trustdom_recv(void *private_data, bool success);
static void rescan_forest_root_trusts( void );
static void rescan_forest_trusts( void );
TALLOC_CTX *mem_ctx;
struct winbindd_request *request;
struct winbindd_response *response;
- uint32 fr_flags = (DS_DOMAIN_TREE_ROOT|DS_DOMAIN_IN_FOREST);
+ uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
struct trustdom_state *state;
trustdom_recv, state);
}
-static void trustdom_recv(void *private_data, BOOL success)
+static void trustdom_recv(void *private_data, bool success)
{
struct trustdom_state *state =
talloc_get_type_abort(private_data, struct trustdom_state);
&cache_methods,
&sid);
if (domain) {
- setup_domain_child(domain, &domain->child, NULL);
+ setup_domain_child(domain,
+ &domain->child);
}
}
p=q;
the domain_list() as our primary domain may not
have been initialized. */
- if ( !(dom_list[i].trust_flags & DS_DOMAIN_TREE_ROOT) ) {
- continue;
+ if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
+ continue;
}
/* Here's the forest root */
if ( d && (d->internal || d->primary ) )
continue;
-
- if ( (flags & DS_DOMAIN_DIRECT_INBOUND) &&
- (type == DS_DOMAIN_TRUST_TYPE_UPLEVEL) &&
- (attribs == DS_DOMAIN_TRUST_ATTRIB_FOREST_TRANSITIVE) )
+
+ if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
+ (type == NETR_TRUST_TYPE_UPLEVEL) &&
+ (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
{
/* add the trusted domain if we don't know
about it */
((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
return;
- /* clear the TRUSTDOM cache first */
-
- wcache_tdc_clear();
+ /* I use to clear the cache here and start over but that
+ caused problems in child processes that needed the
+ trust dom list early on. Removing it means we
+ could have some trusted domains listed that have been
+ removed from our primary domain's DC until a full
+ restart. This should be ok since I think this is what
+ Windows does as well. */
/* this will only add new domains we didn't already know about
in the domain_list()*/
struct winbindd_domain *domain;
struct winbindd_request *request;
struct winbindd_response *response;
- void (*continuation)(void *private_data, BOOL success);
+ void (*continuation)(void *private_data, bool success);
void *private_data;
};
-static void init_child_recv(void *private_data, BOOL success);
-static void init_child_getdc_recv(void *private_data, BOOL success);
+static void init_child_recv(void *private_data, bool success);
+static void init_child_getdc_recv(void *private_data, bool success);
enum winbindd_result init_child_connection(struct winbindd_domain *domain,
void (*continuation)(void *private_data,
- BOOL success),
+ bool success),
void *private_data)
{
TALLOC_CTX *mem_ctx;
/* The primary domain has to find the DC name itself */
request->cmd = WINBINDD_INIT_CONNECTION;
fstrcpy(request->domain_name, domain->name);
- request->data.init_conn.is_primary = domain->internal ? False : True;
+ request->data.init_conn.is_primary = domain->primary ? true : false;
fstrcpy(request->data.init_conn.dcname, "");
async_request(mem_ctx, &domain->child, request, response,
init_child_recv, state);
return WINBINDD_PENDING;
}
-static void init_child_getdc_recv(void *private_data, BOOL success)
+static void init_child_getdc_recv(void *private_data, bool success)
{
struct init_child_state *state =
talloc_get_type_abort(private_data, struct init_child_state);
init_child_recv, state);
}
-static void init_child_recv(void *private_data, BOOL success)
+static void init_child_recv(void *private_data, bool success)
{
struct init_child_state *state =
talloc_get_type_abort(private_data, struct init_child_state);
fstrcpy(state->response.data.domain_info.name, domain->name);
fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
- fstrcpy(state->response.data.domain_info.sid,
- sid_string_static(&domain->sid));
+ sid_to_fstring(state->response.data.domain_info.sid, &domain->sid);
state->response.data.domain_info.native_mode
= domain->native_mode;
}
/* Look up global info for the winbind daemon */
-BOOL init_domain_list(void)
+bool init_domain_list(void)
{
struct winbindd_domain *domain;
int role = lp_server_role();
domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods,
&global_sid_Builtin);
if (domain) {
- setup_domain_child(domain, &domain->child, NULL);
+ setup_domain_child(domain,
+ &domain->child);
}
/* Local SAM */
if ( role != ROLE_DOMAIN_MEMBER ) {
domain->primary = True;
}
- setup_domain_child(domain, &domain->child, NULL);
+ setup_domain_child(domain,
+ &domain->child);
}
/* Add ourselves as the first entry. */
&cache_methods, &our_sid);
if (domain) {
domain->primary = True;
- setup_domain_child(domain, &domain->child, NULL);
-
+ setup_domain_child(domain,
+ &domain->child);
+
/* Even in the parent winbindd we'll need to
talk to the DC, so try and see if we can
contact it. Theoretically this isn't neccessary
forest trust */
domain->active_directory = True;
- domain->domain_flags = DS_DOMAIN_DIRECT_OUTBOUND;
- domain->domain_type = DS_DOMAIN_TRUST_TYPE_UPLEVEL;
+ domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
+ domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
domain->internal = False;
domain->online = True;
- setup_domain_child(domain, &domain->child, NULL);
+ setup_domain_child(domain,
+ &domain->child);
wcache_tdc_add_domain( domain );
* one to contact the external DC's. On member servers the internal
* domains are different: These are part of the local SAM. */
- DEBUG(10, ("find_lookup_domain_from_sid(%s)\n",
- sid_string_static(sid)));
+ DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
DEBUG(10, ("calling find_domain_from_sid\n"));
/* Lookup a sid in a domain from a name */
-BOOL winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
+bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
enum winbindd_cmd orig_cmd,
struct winbindd_domain *domain,
const char *domain_name,
* @retval True if the name exists, in which case @p name and @p type
* are set, otherwise False.
**/
-BOOL winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
+bool winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
struct winbindd_domain *domain,
DOM_SID *sid,
char **dom_name,
/* Is this a domain which we may assume no DOMAIN\ prefix? */
-static BOOL assume_domain(const char *domain)
+static bool assume_domain(const char *domain)
{
/* never assume the domain on a standalone server */
/* Parse a string of the form DOMAIN\user into a domain and a user */
-BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
+bool parse_domain_user(const char *domuser, fstring domain, fstring user)
{
char *p = strchr(domuser,*lp_winbind_separator());
return True;
}
-BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
+bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
char **domain, char **user)
{
fstring fstr_domain, fstr_user;
really should be changed to use this instead of doing things
by hand. JRA. */
-BOOL canonicalize_username(fstring username_inout, fstring domain, fstring user)
+bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
{
if (!parse_domain_user(username_inout, domain, user)) {
return False;
We always canonicalize as UPPERCASE DOMAIN, lowercase username.
*/
-void fill_domain_username(fstring name, const char *domain, const char *user, BOOL can_assume)
+void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
{
fstring tmp_user;
return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
}
+/* Open the winbindd socket */
+
+static int _winbindd_socket = -1;
+static int _winbindd_priv_socket = -1;
+
+int open_winbindd_socket(void)
+{
+ if (_winbindd_socket == -1) {
+ _winbindd_socket = create_pipe_sock(
+ get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
+ DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
+ _winbindd_socket));
+ }
+
+ return _winbindd_socket;
+}
+
+int open_winbindd_priv_socket(void)
+{
+ if (_winbindd_priv_socket == -1) {
+ _winbindd_priv_socket = create_pipe_sock(
+ get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
+ DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
+ _winbindd_priv_socket));
+ }
+
+ return _winbindd_priv_socket;
+}
+
+/* Close the winbindd socket */
+
+void close_winbindd_socket(void)
+{
+ if (_winbindd_socket != -1) {
+ DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
+ _winbindd_socket));
+ close(_winbindd_socket);
+ _winbindd_socket = -1;
+ }
+ if (_winbindd_priv_socket != -1) {
+ DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
+ _winbindd_priv_socket));
+ close(_winbindd_priv_socket);
+ _winbindd_priv_socket = -1;
+ }
+}
+
/*
* Client list accessor functions
*/
/* always add the primary group to the sid array */
sid_compose(&primary_group, &info3->dom_sid.sid, info3->user_rid);
- if (!add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups)) {
+ status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
+ &num_groups);
+ if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(info3);
- return NT_STATUS_NO_MEMORY;
+ return status;
}
for (i=0; i<info3->num_groups; i++) {
sid_copy(&group_sid, &info3->dom_sid.sid);
sid_append_rid(&group_sid, info3->gids[i].g_rid);
- if (!add_sid_to_array(mem_ctx, &group_sid, user_sids,
- &num_groups)) {
+ status = add_sid_to_array(mem_ctx, &group_sid, user_sids,
+ &num_groups);
+ if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(info3);
- return NT_STATUS_NO_MEMORY;
+ return status;
}
}
if (info3->other_sids_attrib[i] & SE_GROUP_RESOURCE)
continue;
- if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid,
- user_sids, &num_groups))
- {
+ status = add_sid_to_array(mem_ctx, &info3->other_sids[i].sid,
+ user_sids, &num_groups);
+ if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(info3);
- return NT_STATUS_NO_MEMORY;
+ return status;
}
}
/*********************************************************************
********************************************************************/
-BOOL winbindd_can_contact_domain( struct winbindd_domain *domain )
+bool winbindd_can_contact_domain(struct winbindd_domain *domain)
{
+ struct winbindd_tdc_domain *tdc = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+ bool ret = false;
+
/* We can contact the domain if it is our primary domain */
- if ( domain->primary )
- return True;
+ if (domain->primary) {
+ return true;
+ }
- /* Can always contact a domain that is in out forest */
+ /* Trust the TDC cache and not the winbindd_domain flags */
- if ( domain->domain_flags & DS_DOMAIN_IN_FOREST )
- return True;
+ if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
+ DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
+ domain->name));
+ return false;
+ }
- /* We cannot contact the domain if it is running AD and
- we have no inbound trust */
+ /* Can always contact a domain that is in out forest */
- if ( domain->active_directory &&
- ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) )
- {
- return False;
+ if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
+ ret = true;
+ goto done;
}
+ /*
+ * On a _member_ server, we cannot contact the domain if it
+ * is running AD and we have no inbound trust.
+ */
+
+ if (!IS_DC &&
+ domain->active_directory &&
+ ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
+ {
+ DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
+ "and we have no inbound trust.\n", domain->name));
+ goto done;
+ }
+
/* Assume everything else is ok (probably not true but what
can you do?) */
+
+ ret = true;
+
+done:
+ talloc_destroy(frame);
- return True;
+ return ret;
}
/*********************************************************************
********************************************************************/
-BOOL winbindd_internal_child(struct winbindd_child *child)
+bool winbindd_internal_child(struct winbindd_child *child)
{
if ((child == idmap_child()) || (child == locator_child())) {
return True;
static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
{
char *var = NULL;
+ char addr[INET6_ADDRSTRLEN];
const char *kdc = NULL;
int lvl = 11;
return;
}
- kdc = inet_ntoa(domain->dcaddr.sin_addr);
- if (!kdc) {
+ print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
+ kdc = addr;
+ if (!*kdc) {
DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
domain->alt_name));
kdc = domain->dcname;
return;
}
- if (asprintf(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
- strupper_static(domain->alt_name)) == -1) {
+ if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
+ domain->alt_name) == -1) {
return;
}
return;
}
- if (asprintf(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
- strupper_static(domain->alt_name)) == -1) {
+ if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
+ domain->alt_name) == -1) {
return;
}