2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2002
7 Copyright (C) Volker Lendecke 2004,2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * We fork a child per domain to be able to act non-blocking in the main
25 * winbind daemon. A domain controller thousands of miles away being being
26 * slow replying with a 10.000 user list should not hold up netlogon calls
27 * that can be handled locally.
32 #include "../../nsswitch/libwbclient/wbc_async.h"
33 #include "librpc/gen_ndr/messaging.h"
35 #include "../lib/util/select.h"
38 #define DBGC_CLASS DBGC_WINBIND
40 extern bool override_logfile;
41 extern struct winbindd_methods cache_methods;
43 /* Read some data from a client connection */
45 static NTSTATUS child_read_request(struct winbindd_cli_state *state)
51 status = read_data(state->sock, (char *)state->request,
52 sizeof(*state->request));
54 if (!NT_STATUS_IS_OK(status)) {
55 DEBUG(3, ("child_read_request: read_data failed: %s\n",
60 if (state->request->extra_len == 0) {
61 state->request->extra_data.data = NULL;
65 DEBUG(10, ("Need to read %d extra bytes\n", (int)state->request->extra_len));
67 state->request->extra_data.data =
68 SMB_MALLOC_ARRAY(char, state->request->extra_len + 1);
70 if (state->request->extra_data.data == NULL) {
71 DEBUG(0, ("malloc failed\n"));
72 return NT_STATUS_NO_MEMORY;
75 /* Ensure null termination */
76 state->request->extra_data.data[state->request->extra_len] = '\0';
78 status= read_data(state->sock, state->request->extra_data.data,
79 state->request->extra_len);
81 if (!NT_STATUS_IS_OK(status)) {
82 DEBUG(0, ("Could not read extra data: %s\n",
89 * Do winbind child async request. This is not simply wb_simple_trans. We have
90 * to do the queueing ourselves because while a request is queued, the child
91 * might have crashed, and we have to re-fork it in the _trigger function.
94 struct wb_child_request_state {
95 struct tevent_context *ev;
96 struct winbindd_child *child;
97 struct winbindd_request *request;
98 struct winbindd_response *response;
101 static bool fork_domain_child(struct winbindd_child *child);
103 static void wb_child_request_trigger(struct tevent_req *req,
105 static void wb_child_request_done(struct tevent_req *subreq);
107 struct tevent_req *wb_child_request_send(TALLOC_CTX *mem_ctx,
108 struct tevent_context *ev,
109 struct winbindd_child *child,
110 struct winbindd_request *request)
112 struct tevent_req *req;
113 struct wb_child_request_state *state;
115 req = tevent_req_create(mem_ctx, &state,
116 struct wb_child_request_state);
122 state->child = child;
123 state->request = request;
125 if (!tevent_queue_add(child->queue, ev, req,
126 wb_child_request_trigger, NULL)) {
127 tevent_req_nomem(NULL, req);
128 return tevent_req_post(req, ev);
133 static void wb_child_request_trigger(struct tevent_req *req,
136 struct wb_child_request_state *state = tevent_req_data(
137 req, struct wb_child_request_state);
138 struct tevent_req *subreq;
140 if ((state->child->pid == 0) && (!fork_domain_child(state->child))) {
141 tevent_req_error(req, errno);
145 subreq = wb_simple_trans_send(state, winbind_event_context(), NULL,
146 state->child->sock, state->request);
147 if (tevent_req_nomem(subreq, req)) {
150 tevent_req_set_callback(subreq, wb_child_request_done, req);
152 if (!tevent_req_set_endtime(req, state->ev,
153 timeval_current_ofs(300, 0))) {
154 tevent_req_nomem(NULL, req);
159 static void wb_child_request_done(struct tevent_req *subreq)
161 struct tevent_req *req = tevent_req_callback_data(
162 subreq, struct tevent_req);
163 struct wb_child_request_state *state = tevent_req_data(
164 req, struct wb_child_request_state);
167 ret = wb_simple_trans_recv(subreq, state, &state->response, &err);
170 tevent_req_error(req, err);
173 tevent_req_done(req);
176 int wb_child_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
177 struct winbindd_response **presponse, int *err)
179 struct wb_child_request_state *state = tevent_req_data(
180 req, struct wb_child_request_state);
182 if (tevent_req_is_unix_error(req, err)) {
185 *presponse = talloc_move(mem_ctx, &state->response);
189 struct wb_domain_request_state {
190 struct tevent_context *ev;
191 struct winbindd_domain *domain;
192 struct winbindd_request *request;
193 struct winbindd_request *init_req;
194 struct winbindd_response *response;
197 static void wb_domain_request_gotdc(struct tevent_req *subreq);
198 static void wb_domain_request_initialized(struct tevent_req *subreq);
199 static void wb_domain_request_done(struct tevent_req *subreq);
201 struct tevent_req *wb_domain_request_send(TALLOC_CTX *mem_ctx,
202 struct tevent_context *ev,
203 struct winbindd_domain *domain,
204 struct winbindd_request *request)
206 struct tevent_req *req, *subreq;
207 struct wb_domain_request_state *state;
209 req = tevent_req_create(mem_ctx, &state,
210 struct wb_domain_request_state);
215 if (domain->initialized) {
216 subreq = wb_child_request_send(state, ev, &domain->child,
218 if (tevent_req_nomem(subreq, req)) {
219 return tevent_req_post(req, ev);
221 tevent_req_set_callback(subreq, wb_domain_request_done, req);
225 state->domain = domain;
227 state->request = request;
229 state->init_req = talloc_zero(state, struct winbindd_request);
230 if (tevent_req_nomem(state->init_req, req)) {
231 return tevent_req_post(req, ev);
234 if (IS_DC || domain->primary || domain->internal) {
235 /* The primary domain has to find the DC name itself */
236 state->init_req->cmd = WINBINDD_INIT_CONNECTION;
237 fstrcpy(state->init_req->domain_name, domain->name);
238 state->init_req->data.init_conn.is_primary =
239 domain->primary ? true : false;
240 fstrcpy(state->init_req->data.init_conn.dcname, "");
242 subreq = wb_child_request_send(state, ev, &domain->child,
244 if (tevent_req_nomem(subreq, req)) {
245 return tevent_req_post(req, ev);
247 tevent_req_set_callback(subreq, wb_domain_request_initialized,
253 * Ask our DC for a DC name
255 domain = find_our_domain();
257 /* This is *not* the primary domain, let's ask our DC about a DC
260 state->init_req->cmd = WINBINDD_GETDCNAME;
261 fstrcpy(state->init_req->domain_name, domain->name);
263 subreq = wb_child_request_send(state, ev, &domain->child, request);
264 if (tevent_req_nomem(subreq, req)) {
265 return tevent_req_post(req, ev);
267 tevent_req_set_callback(subreq, wb_domain_request_gotdc, req);
271 static void wb_domain_request_gotdc(struct tevent_req *subreq)
273 struct tevent_req *req = tevent_req_callback_data(
274 subreq, struct tevent_req);
275 struct wb_domain_request_state *state = tevent_req_data(
276 req, struct wb_domain_request_state);
277 struct winbindd_response *response;
280 ret = wb_child_request_recv(subreq, talloc_tos(), &response, &err);
283 tevent_req_error(req, err);
286 state->init_req->cmd = WINBINDD_INIT_CONNECTION;
287 fstrcpy(state->init_req->domain_name, state->domain->name);
288 state->init_req->data.init_conn.is_primary = False;
289 fstrcpy(state->init_req->data.init_conn.dcname,
290 response->data.dc_name);
292 TALLOC_FREE(response);
294 subreq = wb_child_request_send(state, state->ev, &state->domain->child,
296 if (tevent_req_nomem(subreq, req)) {
299 tevent_req_set_callback(subreq, wb_domain_request_initialized, req);
302 static void wb_domain_request_initialized(struct tevent_req *subreq)
304 struct tevent_req *req = tevent_req_callback_data(
305 subreq, struct tevent_req);
306 struct wb_domain_request_state *state = tevent_req_data(
307 req, struct wb_domain_request_state);
308 struct winbindd_response *response;
311 ret = wb_child_request_recv(subreq, talloc_tos(), &response, &err);
314 tevent_req_error(req, err);
318 if (!string_to_sid(&state->domain->sid,
319 response->data.domain_info.sid)) {
320 DEBUG(1,("init_child_recv: Could not convert sid %s "
321 "from string\n", response->data.domain_info.sid));
322 tevent_req_error(req, EINVAL);
325 fstrcpy(state->domain->name, response->data.domain_info.name);
326 fstrcpy(state->domain->alt_name, response->data.domain_info.alt_name);
327 state->domain->native_mode = response->data.domain_info.native_mode;
328 state->domain->active_directory =
329 response->data.domain_info.active_directory;
330 state->domain->initialized = true;
332 TALLOC_FREE(response);
334 subreq = wb_child_request_send(state, state->ev, &state->domain->child,
336 if (tevent_req_nomem(subreq, req)) {
339 tevent_req_set_callback(subreq, wb_domain_request_done, req);
342 static void wb_domain_request_done(struct tevent_req *subreq)
344 struct tevent_req *req = tevent_req_callback_data(
345 subreq, struct tevent_req);
346 struct wb_domain_request_state *state = tevent_req_data(
347 req, struct wb_domain_request_state);
350 ret = wb_child_request_recv(subreq, talloc_tos(), &state->response,
354 tevent_req_error(req, err);
357 tevent_req_done(req);
360 int wb_domain_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
361 struct winbindd_response **presponse, int *err)
363 struct wb_domain_request_state *state = tevent_req_data(
364 req, struct wb_domain_request_state);
366 if (tevent_req_is_unix_error(req, err)) {
369 *presponse = talloc_move(mem_ctx, &state->response);
373 static void child_process_request(struct winbindd_child *child,
374 struct winbindd_cli_state *state)
376 struct winbindd_domain *domain = child->domain;
377 const struct winbindd_child_dispatch_table *table = child->table;
379 /* Free response data - we may be interrupted and receive another
380 command before being able to send this data off. */
382 state->response->result = WINBINDD_ERROR;
383 state->response->length = sizeof(struct winbindd_response);
385 /* as all requests in the child are sync, we can use talloc_tos() */
386 state->mem_ctx = talloc_tos();
388 /* Process command */
390 for (; table->name; table++) {
391 if (state->request->cmd == table->struct_cmd) {
392 DEBUG(10,("child_process_request: request fn %s\n",
394 state->response->result = table->struct_fn(domain, state);
399 DEBUG(1 ,("child_process_request: unknown request fn number %d\n",
400 (int)state->request->cmd));
401 state->response->result = WINBINDD_ERROR;
404 void setup_child(struct winbindd_domain *domain, struct winbindd_child *child,
405 const struct winbindd_child_dispatch_table *table,
406 const char *logprefix,
409 if (logprefix && logname) {
410 char *logbase = NULL;
415 if (asprintf(&logbase, "%s", lp_logfile()) < 0) {
416 smb_panic("Internal error: asprintf failed");
419 if ((end = strrchr_m(logbase, '/'))) {
423 if (asprintf(&logbase, "%s", get_dyn_LOGFILEBASE()) < 0) {
424 smb_panic("Internal error: asprintf failed");
428 if (asprintf(&child->logfilename, "%s/%s-%s",
429 logbase, logprefix, logname) < 0) {
431 smb_panic("Internal error: asprintf failed");
436 smb_panic("Internal error: logprefix == NULL && "
440 child->domain = domain;
441 child->table = table;
442 child->queue = tevent_queue_create(NULL, "winbind_child");
443 SMB_ASSERT(child->queue != NULL);
444 child->binding_handle = wbint_binding_handle(NULL, domain, child);
445 SMB_ASSERT(child->binding_handle != NULL);
448 static struct winbindd_child *winbindd_children = NULL;
450 void winbind_child_died(pid_t pid)
452 struct winbindd_child *child;
454 for (child = winbindd_children; child != NULL; child = child->next) {
455 if (child->pid == pid) {
461 DEBUG(5, ("Already reaped child %u died\n", (unsigned int)pid));
465 /* This will be re-added in fork_domain_child() */
467 DLIST_REMOVE(winbindd_children, child);
474 /* Ensure any negative cache entries with the netbios or realm names are removed. */
476 void winbindd_flush_negative_conn_cache(struct winbindd_domain *domain)
478 flush_negative_conn_cache_for_domain(domain->name);
479 if (*domain->alt_name) {
480 flush_negative_conn_cache_for_domain(domain->alt_name);
485 * Parent winbindd process sets its own debug level first and then
486 * sends a message to all the winbindd children to adjust their debug
487 * level to that of parents.
490 void winbind_msg_debug(struct messaging_context *msg_ctx,
493 struct server_id server_id,
496 struct winbindd_child *child;
498 DEBUG(10,("winbind_msg_debug: got debug message.\n"));
500 debug_message(msg_ctx, private_data, MSG_DEBUG, server_id, data);
502 for (child = winbindd_children; child != NULL; child = child->next) {
504 DEBUG(10,("winbind_msg_debug: sending message to pid %u.\n",
505 (unsigned int)child->pid));
507 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
510 strlen((char *) data->data) + 1);
514 /* Set our domains as offline and forward the offline message to our children. */
516 void winbind_msg_offline(struct messaging_context *msg_ctx,
519 struct server_id server_id,
522 struct winbindd_child *child;
523 struct winbindd_domain *domain;
525 DEBUG(10,("winbind_msg_offline: got offline message.\n"));
527 if (!lp_winbind_offline_logon()) {
528 DEBUG(10,("winbind_msg_offline: rejecting offline message.\n"));
532 /* Set our global state as offline. */
533 if (!set_global_winbindd_state_offline()) {
534 DEBUG(10,("winbind_msg_offline: offline request failed.\n"));
538 /* Set all our domains as offline. */
539 for (domain = domain_list(); domain; domain = domain->next) {
540 if (domain->internal) {
543 DEBUG(5,("winbind_msg_offline: marking %s offline.\n", domain->name));
544 set_domain_offline(domain);
547 for (child = winbindd_children; child != NULL; child = child->next) {
548 /* Don't send message to internal children. We've already
550 if (!child->domain || winbindd_internal_child(child)) {
554 /* Or internal domains (this should not be possible....) */
555 if (child->domain->internal) {
559 /* Each winbindd child should only process requests for one domain - make sure
560 we only set it online / offline for that domain. */
562 DEBUG(10,("winbind_msg_offline: sending message to pid %u for domain %s.\n",
563 (unsigned int)child->pid, domain->name ));
565 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
567 (uint8 *)child->domain->name,
568 strlen(child->domain->name)+1);
572 /* Set our domains as online and forward the online message to our children. */
574 void winbind_msg_online(struct messaging_context *msg_ctx,
577 struct server_id server_id,
580 struct winbindd_child *child;
581 struct winbindd_domain *domain;
583 DEBUG(10,("winbind_msg_online: got online message.\n"));
585 if (!lp_winbind_offline_logon()) {
586 DEBUG(10,("winbind_msg_online: rejecting online message.\n"));
590 /* Set our global state as online. */
591 set_global_winbindd_state_online();
593 smb_nscd_flush_user_cache();
594 smb_nscd_flush_group_cache();
596 /* Set all our domains as online. */
597 for (domain = domain_list(); domain; domain = domain->next) {
598 if (domain->internal) {
601 DEBUG(5,("winbind_msg_online: requesting %s to go online.\n", domain->name));
603 winbindd_flush_negative_conn_cache(domain);
604 set_domain_online_request(domain);
606 /* Send an online message to the idmap child when our
607 primary domain comes back online */
609 if ( domain->primary ) {
610 struct winbindd_child *idmap = idmap_child();
612 if ( idmap->pid != 0 ) {
613 messaging_send_buf(msg_ctx,
614 pid_to_procid(idmap->pid),
616 (uint8 *)domain->name,
617 strlen(domain->name)+1);
622 for (child = winbindd_children; child != NULL; child = child->next) {
623 /* Don't send message to internal childs. */
624 if (!child->domain || winbindd_internal_child(child)) {
628 /* Or internal domains (this should not be possible....) */
629 if (child->domain->internal) {
633 /* Each winbindd child should only process requests for one domain - make sure
634 we only set it online / offline for that domain. */
636 DEBUG(10,("winbind_msg_online: sending message to pid %u for domain %s.\n",
637 (unsigned int)child->pid, child->domain->name ));
639 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
641 (uint8 *)child->domain->name,
642 strlen(child->domain->name)+1);
646 static const char *collect_onlinestatus(TALLOC_CTX *mem_ctx)
648 struct winbindd_domain *domain;
651 if ((buf = talloc_asprintf(mem_ctx, "global:%s ",
652 get_global_winbindd_state_offline() ?
653 "Offline":"Online")) == NULL) {
657 for (domain = domain_list(); domain; domain = domain->next) {
658 if ((buf = talloc_asprintf_append_buffer(buf, "%s:%s ",
661 "Online":"Offline")) == NULL) {
666 buf = talloc_asprintf_append_buffer(buf, "\n");
668 DEBUG(5,("collect_onlinestatus: %s", buf));
673 void winbind_msg_onlinestatus(struct messaging_context *msg_ctx,
676 struct server_id server_id,
681 struct server_id *sender;
683 DEBUG(5,("winbind_msg_onlinestatus received.\n"));
689 sender = (struct server_id *)data->data;
691 mem_ctx = talloc_init("winbind_msg_onlinestatus");
692 if (mem_ctx == NULL) {
696 message = collect_onlinestatus(mem_ctx);
697 if (message == NULL) {
698 talloc_destroy(mem_ctx);
702 messaging_send_buf(msg_ctx, *sender, MSG_WINBIND_ONLINESTATUS,
703 (uint8 *)message, strlen(message) + 1);
705 talloc_destroy(mem_ctx);
708 void winbind_msg_dump_event_list(struct messaging_context *msg_ctx,
711 struct server_id server_id,
714 struct winbindd_child *child;
716 DEBUG(10,("winbind_msg_dump_event_list received\n"));
718 dump_event_list(winbind_event_context());
720 for (child = winbindd_children; child != NULL; child = child->next) {
722 DEBUG(10,("winbind_msg_dump_event_list: sending message to pid %u\n",
723 (unsigned int)child->pid));
725 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
732 void winbind_msg_dump_domain_list(struct messaging_context *msg_ctx,
735 struct server_id server_id,
739 const char *message = NULL;
740 struct server_id *sender = NULL;
741 const char *domain = NULL;
744 struct winbindd_domain *dom = NULL;
746 DEBUG(5,("winbind_msg_dump_domain_list received.\n"));
748 if (!data || !data->data) {
752 if (data->length < sizeof(struct server_id)) {
756 mem_ctx = talloc_init("winbind_msg_dump_domain_list");
761 sender = (struct server_id *)data->data;
762 if (data->length > sizeof(struct server_id)) {
763 domain = (const char *)data->data+sizeof(struct server_id);
768 DEBUG(5,("winbind_msg_dump_domain_list for domain: %s\n",
771 message = NDR_PRINT_STRUCT_STRING(mem_ctx, winbindd_domain,
772 find_domain_from_name_noinit(domain));
774 talloc_destroy(mem_ctx);
778 messaging_send_buf(msg_ctx, *sender,
779 MSG_WINBIND_DUMP_DOMAIN_LIST,
780 (uint8_t *)message, strlen(message) + 1);
782 talloc_destroy(mem_ctx);
787 DEBUG(5,("winbind_msg_dump_domain_list all domains\n"));
789 for (dom = domain_list(); dom; dom=dom->next) {
790 message = NDR_PRINT_STRUCT_STRING(mem_ctx, winbindd_domain, dom);
792 talloc_destroy(mem_ctx);
796 s = talloc_asprintf_append(s, "%s\n", message);
798 talloc_destroy(mem_ctx);
803 status = messaging_send_buf(msg_ctx, *sender,
804 MSG_WINBIND_DUMP_DOMAIN_LIST,
805 (uint8_t *)s, strlen(s) + 1);
806 if (!NT_STATUS_IS_OK(status)) {
807 DEBUG(0,("failed to send message: %s\n",
811 talloc_destroy(mem_ctx);
814 static void account_lockout_policy_handler(struct event_context *ctx,
815 struct timed_event *te,
819 struct winbindd_child *child =
820 (struct winbindd_child *)private_data;
821 TALLOC_CTX *mem_ctx = NULL;
822 struct winbindd_methods *methods;
823 struct samr_DomInfo12 lockout_policy;
826 DEBUG(10,("account_lockout_policy_handler called\n"));
828 TALLOC_FREE(child->lockout_policy_event);
830 if ( !winbindd_can_contact_domain( child->domain ) ) {
831 DEBUG(10,("account_lockout_policy_handler: Removing myself since I "
832 "do not have an incoming trust to domain %s\n",
833 child->domain->name));
838 methods = child->domain->methods;
840 mem_ctx = talloc_init("account_lockout_policy_handler ctx");
842 result = NT_STATUS_NO_MEMORY;
844 result = methods->lockout_policy(child->domain, mem_ctx, &lockout_policy);
846 TALLOC_FREE(mem_ctx);
848 if (!NT_STATUS_IS_OK(result)) {
849 DEBUG(10,("account_lockout_policy_handler: lockout_policy failed error %s\n",
853 child->lockout_policy_event = event_add_timed(winbind_event_context(), NULL,
854 timeval_current_ofs(3600, 0),
855 account_lockout_policy_handler,
859 static time_t get_machine_password_timeout(void)
861 /* until we have gpo support use lp setting */
862 return lp_machine_password_timeout();
865 static bool calculate_next_machine_pwd_change(const char *domain,
868 time_t pass_last_set_time;
874 pw = secrets_fetch_machine_password(domain,
879 DEBUG(0,("cannot fetch own machine password ????"));
885 timeout = get_machine_password_timeout();
887 DEBUG(10,("machine password never expires\n"));
891 tv.tv_sec = pass_last_set_time;
892 DEBUG(10, ("password last changed %s\n",
893 timeval_string(talloc_tos(), &tv, false)));
894 tv.tv_sec += timeout;
895 DEBUGADD(10, ("password valid until %s\n",
896 timeval_string(talloc_tos(), &tv, false)));
898 if (time(NULL) < (pass_last_set_time + timeout)) {
899 next_change = pass_last_set_time + timeout;
900 DEBUG(10,("machine password still valid until: %s\n",
901 http_timestring(talloc_tos(), next_change)));
902 *t = timeval_set(next_change, 0);
904 if (lp_clustering()) {
907 * When having a cluster, we have several
908 * winbinds racing for the password change. In
909 * the machine_password_change_handler()
910 * function we check if someone else was
911 * faster when the event triggers. We add a
912 * 255-second random delay here, so that we
913 * don't run to change the password at the
916 generate_random_buffer(&randbuf, sizeof(randbuf));
917 DEBUG(10, ("adding %d seconds randomness\n",
919 t->tv_sec += randbuf;
924 DEBUG(10,("machine password expired, needs immediate change\n"));
931 static void machine_password_change_handler(struct event_context *ctx,
932 struct timed_event *te,
936 struct winbindd_child *child =
937 (struct winbindd_child *)private_data;
938 struct rpc_pipe_client *netlogon_pipe = NULL;
941 struct timeval next_change;
943 DEBUG(10,("machine_password_change_handler called\n"));
945 TALLOC_FREE(child->machine_password_change_event);
947 if (!calculate_next_machine_pwd_change(child->domain->name,
949 DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
953 DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
954 timeval_string(talloc_tos(), &next_change, false)));
956 if (!timeval_expired(&next_change)) {
957 DEBUG(10, ("Someone else has already changed the pw\n"));
961 if (!winbindd_can_contact_domain(child->domain)) {
962 DEBUG(10,("machine_password_change_handler: Removing myself since I "
963 "do not have an incoming trust to domain %s\n",
964 child->domain->name));
968 result = cm_connect_netlogon(child->domain, &netlogon_pipe);
969 if (!NT_STATUS_IS_OK(result)) {
970 DEBUG(10,("machine_password_change_handler: "
971 "failed to connect netlogon pipe: %s\n",
976 frame = talloc_stackframe();
978 result = trust_pw_find_change_and_store_it(netlogon_pipe,
980 child->domain->name);
983 DEBUG(10, ("machine_password_change_handler: "
984 "trust_pw_find_change_and_store_it returned %s\n",
987 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
988 DEBUG(3,("machine_password_change_handler: password set returned "
989 "ACCESS_DENIED. Maybe the trust account "
990 "password was changed and we didn't know it. "
991 "Killing connections to domain %s\n",
992 child->domain->name));
993 TALLOC_FREE(child->domain->conn.netlogon_pipe);
996 if (!calculate_next_machine_pwd_change(child->domain->name,
998 DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
1002 DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
1003 timeval_string(talloc_tos(), &next_change, false)));
1005 if (!NT_STATUS_IS_OK(result)) {
1008 * In case of failure, give the DC a minute to recover
1010 tmp = timeval_current_ofs(60, 0);
1011 next_change = timeval_max(&next_change, &tmp);
1015 child->machine_password_change_event = event_add_timed(winbind_event_context(), NULL,
1017 machine_password_change_handler,
1021 /* Deal with a request to go offline. */
1023 static void child_msg_offline(struct messaging_context *msg,
1026 struct server_id server_id,
1029 struct winbindd_domain *domain;
1030 struct winbindd_domain *primary_domain = NULL;
1031 const char *domainname = (const char *)data->data;
1033 if (data->data == NULL || data->length == 0) {
1037 DEBUG(5,("child_msg_offline received for domain %s.\n", domainname));
1039 if (!lp_winbind_offline_logon()) {
1040 DEBUG(10,("child_msg_offline: rejecting offline message.\n"));
1044 primary_domain = find_our_domain();
1046 /* Mark the requested domain offline. */
1048 for (domain = domain_list(); domain; domain = domain->next) {
1049 if (domain->internal) {
1052 if (strequal(domain->name, domainname)) {
1053 DEBUG(5,("child_msg_offline: marking %s offline.\n", domain->name));
1054 set_domain_offline(domain);
1055 /* we are in the trusted domain, set the primary domain
1057 if (domain != primary_domain) {
1058 set_domain_offline(primary_domain);
1064 /* Deal with a request to go online. */
1066 static void child_msg_online(struct messaging_context *msg,
1069 struct server_id server_id,
1072 struct winbindd_domain *domain;
1073 struct winbindd_domain *primary_domain = NULL;
1074 const char *domainname = (const char *)data->data;
1076 if (data->data == NULL || data->length == 0) {
1080 DEBUG(5,("child_msg_online received for domain %s.\n", domainname));
1082 if (!lp_winbind_offline_logon()) {
1083 DEBUG(10,("child_msg_online: rejecting online message.\n"));
1087 primary_domain = find_our_domain();
1089 /* Set our global state as online. */
1090 set_global_winbindd_state_online();
1092 /* Try and mark everything online - delete any negative cache entries
1093 to force a reconnect now. */
1095 for (domain = domain_list(); domain; domain = domain->next) {
1096 if (domain->internal) {
1099 if (strequal(domain->name, domainname)) {
1100 DEBUG(5,("child_msg_online: requesting %s to go online.\n", domain->name));
1101 winbindd_flush_negative_conn_cache(domain);
1102 set_domain_online_request(domain);
1104 /* we can be in trusted domain, which will contact primary domain
1105 * we have to bring primary domain online in trusted domain process
1106 * see, winbindd_dual_pam_auth() --> winbindd_dual_pam_auth_samlogon()
1107 * --> contact_domain = find_our_domain()
1109 if (domain != primary_domain) {
1110 winbindd_flush_negative_conn_cache(primary_domain);
1111 set_domain_online_request(primary_domain);
1117 static void child_msg_dump_event_list(struct messaging_context *msg,
1120 struct server_id server_id,
1123 DEBUG(5,("child_msg_dump_event_list received\n"));
1125 dump_event_list(winbind_event_context());
1128 bool winbindd_reinit_after_fork(const char *logfilename)
1130 struct winbindd_domain *domain;
1131 struct winbindd_child *cl;
1134 status = reinit_after_fork(
1135 winbind_messaging_context(),
1136 winbind_event_context(),
1139 if (!NT_STATUS_IS_OK(status)) {
1140 DEBUG(0,("reinit_after_fork() failed\n"));
1144 close_conns_after_fork();
1146 if (!override_logfile && logfilename) {
1147 lp_set_logfile(logfilename);
1151 if (!winbindd_setup_sig_term_handler(false))
1153 if (!winbindd_setup_sig_hup_handler(override_logfile ? NULL :
1157 /* Stop zombies in children */
1160 /* Don't handle the same messages as our parent. */
1161 messaging_deregister(winbind_messaging_context(),
1162 MSG_SMB_CONF_UPDATED, NULL);
1163 messaging_deregister(winbind_messaging_context(),
1164 MSG_SHUTDOWN, NULL);
1165 messaging_deregister(winbind_messaging_context(),
1166 MSG_WINBIND_OFFLINE, NULL);
1167 messaging_deregister(winbind_messaging_context(),
1168 MSG_WINBIND_ONLINE, NULL);
1169 messaging_deregister(winbind_messaging_context(),
1170 MSG_WINBIND_ONLINESTATUS, NULL);
1171 messaging_deregister(winbind_messaging_context(),
1172 MSG_DUMP_EVENT_LIST, NULL);
1173 messaging_deregister(winbind_messaging_context(),
1174 MSG_WINBIND_DUMP_DOMAIN_LIST, NULL);
1175 messaging_deregister(winbind_messaging_context(),
1178 /* We have destroyed all events in the winbindd_event_context
1179 * in reinit_after_fork(), so clean out all possible pending
1180 * event pointers. */
1182 /* Deal with check_online_events. */
1184 for (domain = domain_list(); domain; domain = domain->next) {
1185 TALLOC_FREE(domain->check_online_event);
1188 /* Ensure we're not handling a credential cache event inherited
1189 * from our parent. */
1191 ccache_remove_all_after_fork();
1193 /* Destroy all possible events in child list. */
1194 for (cl = winbindd_children; cl != NULL; cl = cl->next) {
1195 TALLOC_FREE(cl->lockout_policy_event);
1196 TALLOC_FREE(cl->machine_password_change_event);
1198 /* Children should never be able to send
1199 * each other messages, all messages must
1200 * go through the parent.
1205 * This is a little tricky, children must not
1206 * send an MSG_WINBIND_ONLINE message to idmap_child().
1207 * If we are in a child of our primary domain or
1208 * in the process created by fork_child_dc_connect(),
1209 * and the primary domain cannot go online,
1210 * fork_child_dc_connection() sends MSG_WINBIND_ONLINE
1211 * periodically to idmap_child().
1213 * The sequence is, fork_child_dc_connect() ---> getdcs() --->
1214 * get_dc_name_via_netlogon() ---> cm_connect_netlogon()
1215 * ---> init_dc_connection() ---> cm_open_connection --->
1216 * set_domain_online(), sends MSG_WINBIND_ONLINE to
1217 * idmap_child(). Disallow children sending messages
1218 * to each other, all messages must go through the parent.
1227 * In a child there will be only one domain, reference that here.
1229 static struct winbindd_domain *child_domain;
1231 struct winbindd_domain *wb_child_domain(void)
1233 return child_domain;
1236 static bool fork_domain_child(struct winbindd_child *child)
1239 struct winbindd_cli_state state;
1240 struct winbindd_request request;
1241 struct winbindd_response response;
1242 struct winbindd_domain *primary_domain = NULL;
1244 if (child->domain) {
1245 DEBUG(10, ("fork_domain_child called for domain '%s'\n",
1246 child->domain->name));
1248 DEBUG(10, ("fork_domain_child called without domain.\n"));
1251 if (socketpair(AF_UNIX, SOCK_STREAM, 0, fdpair) != 0) {
1252 DEBUG(0, ("Could not open child pipe: %s\n",
1258 state.pid = sys_getpid();
1259 state.request = &request;
1260 state.response = &response;
1262 child->pid = sys_fork();
1264 if (child->pid == -1) {
1265 DEBUG(0, ("Could not fork: %s\n", strerror(errno)));
1269 if (child->pid != 0) {
1272 child->next = child->prev = NULL;
1273 DLIST_ADD(winbindd_children, child);
1274 child->sock = fdpair[1];
1279 child_domain = child->domain;
1281 DEBUG(10, ("Child process %d\n", (int)sys_getpid()));
1283 state.sock = fdpair[0];
1286 if (!winbindd_reinit_after_fork(child->logfilename)) {
1290 /* Handle online/offline messages. */
1291 messaging_register(winbind_messaging_context(), NULL,
1292 MSG_WINBIND_OFFLINE, child_msg_offline);
1293 messaging_register(winbind_messaging_context(), NULL,
1294 MSG_WINBIND_ONLINE, child_msg_online);
1295 messaging_register(winbind_messaging_context(), NULL,
1296 MSG_DUMP_EVENT_LIST, child_msg_dump_event_list);
1297 messaging_register(winbind_messaging_context(), NULL,
1298 MSG_DEBUG, debug_message);
1299 messaging_register(winbind_messaging_context(), NULL,
1300 MSG_WINBIND_IP_DROPPED,
1301 winbind_msg_ip_dropped);
1304 primary_domain = find_our_domain();
1306 if (primary_domain == NULL) {
1307 smb_panic("no primary domain found");
1310 /* It doesn't matter if we allow cache login,
1311 * try to bring domain online after fork. */
1312 if ( child->domain ) {
1313 child->domain->startup = True;
1314 child->domain->startup_time = time_mono(NULL);
1315 /* we can be in primary domain or in trusted domain
1316 * If we are in trusted domain, set the primary domain
1317 * in start-up mode */
1318 if (!(child->domain->internal)) {
1319 set_domain_online_request(child->domain);
1320 if (!(child->domain->primary)) {
1321 primary_domain->startup = True;
1322 primary_domain->startup_time = time_mono(NULL);
1323 set_domain_online_request(primary_domain);
1329 * We are in idmap child, make sure that we set the
1330 * check_online_event to bring primary domain online.
1332 if (child == idmap_child()) {
1333 set_domain_online_request(primary_domain);
1336 /* We might be in the idmap child...*/
1337 if (child->domain && !(child->domain->internal) &&
1338 lp_winbind_offline_logon()) {
1340 set_domain_online_request(child->domain);
1342 if (primary_domain && (primary_domain != child->domain)) {
1343 /* We need to talk to the primary
1344 * domain as well as the trusted
1345 * domain inside a trusted domain
1348 * set_dc_type_and_flags_trustinfo()
1351 set_domain_online_request(primary_domain);
1354 child->lockout_policy_event = event_add_timed(
1355 winbind_event_context(), NULL, timeval_zero(),
1356 account_lockout_policy_handler,
1360 if (child->domain && child->domain->primary &&
1361 !USE_KERBEROS_KEYTAB &&
1362 lp_server_role() == ROLE_DOMAIN_MEMBER) {
1364 struct timeval next_change;
1366 if (calculate_next_machine_pwd_change(child->domain->name,
1368 child->machine_password_change_event = event_add_timed(
1369 winbind_event_context(), NULL, next_change,
1370 machine_password_change_handler,
1384 TALLOC_CTX *frame = talloc_stackframe();
1385 struct iovec iov[2];
1389 if (run_events(winbind_event_context(), &ret, NULL, NULL)) {
1396 if (child->domain && child->domain->startup &&
1397 (time_mono(NULL) > child->domain->startup_time + 30)) {
1398 /* No longer in "startup" mode. */
1399 DEBUG(10,("fork_domain_child: domain %s no longer in 'startup' mode.\n",
1400 child->domain->name ));
1401 child->domain->startup = False;
1406 FD_SET(state.sock, &r_fds);
1410 * Initialize this high as event_add_to_select_args()
1411 * uses a timeval_min() on this and next_event. Fix
1412 * from Roel van Meer <rolek@alt001.com>.
1417 event_add_to_select_args(winbind_event_context(), &now,
1418 &r_fds, &w_fds, &t, &maxfd);
1419 tp = get_timed_events_timeout(winbind_event_context(), &t);
1421 DEBUG(11,("select will use timeout of %u.%u seconds\n",
1422 (unsigned int)tp->tv_sec, (unsigned int)tp->tv_usec ));
1425 ret = sys_select(maxfd + 1, &r_fds, &w_fds, NULL, tp);
1427 if (run_events(winbind_event_context(), &ret, &r_fds, &w_fds)) {
1428 /* We got a signal - continue. */
1434 DEBUG(11,("nothing is ready yet, continue\n"));
1439 if (ret == -1 && errno == EINTR) {
1440 /* We got a signal - continue. */
1445 if (ret == -1 && errno != EINTR) {
1446 DEBUG(0,("select error occured\n"));
1452 /* fetch a request from the main daemon */
1453 status = child_read_request(&state);
1455 if (!NT_STATUS_IS_OK(status)) {
1456 /* we lost contact with our parent */
1460 DEBUG(4,("child daemon request %d\n", (int)state.request->cmd));
1462 ZERO_STRUCTP(state.response);
1463 state.request->null_term = '\0';
1464 state.mem_ctx = frame;
1465 child_process_request(child, &state);
1467 DEBUG(4, ("Finished processing child request %d\n",
1468 (int)state.request->cmd));
1470 SAFE_FREE(state.request->extra_data.data);
1472 iov[0].iov_base = (void *)state.response;
1473 iov[0].iov_len = sizeof(struct winbindd_response);
1476 if (state.response->length > sizeof(struct winbindd_response)) {
1478 (void *)state.response->extra_data.data;
1479 iov[1].iov_len = state.response->length-iov[0].iov_len;
1483 DEBUG(10, ("Writing %d bytes to parent\n",
1484 (int)state.response->length));
1486 if (write_data_iov(state.sock, iov, iov_count) !=
1487 state.response->length) {
1488 DEBUG(0, ("Could not write result\n"));
1495 void winbind_msg_ip_dropped_parent(struct messaging_context *msg_ctx,
1498 struct server_id server_id,
1501 struct winbindd_child *child;
1503 winbind_msg_ip_dropped(msg_ctx, private_data, msg_type,
1507 for (child = winbindd_children; child != NULL; child = child->next) {
1508 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
1509 msg_type, data->data, data->length);
git.samba.org / kai / samba.git / blob