748099a32e578d2b7e94605955d750dee9154b2d
[kai/samba.git] / source3 / winbindd / winbindd_util.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon for ntdom nss module
5
6    Copyright (C) Tim Potter 2000-2001
7    Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8    
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "winbindd.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_WINBIND
28
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
32
33
34 /**
35  * @file winbindd_util.c
36  *
37  * Winbind daemon for NT domain authentication nss module.
38  **/
39
40
41 /* The list of trusted domains.  Note that the list can be deleted and
42    recreated using the init_domain_list() function so pointers to
43    individual winbindd_domain structures cannot be made.  Keep a copy of
44    the domain name instead. */
45
46 static struct winbindd_domain *_domain_list = NULL;
47
48 /**
49    When was the last scan of trusted domains done?
50    
51    0 == not ever
52 */
53
54 static time_t last_trustdom_scan;
55
56 struct winbindd_domain *domain_list(void)
57 {
58         /* Initialise list */
59
60         if ((!_domain_list) && (!init_domain_list())) {
61                 smb_panic("Init_domain_list failed");
62         }
63
64         return _domain_list;
65 }
66
67 /* Free all entries in the trusted domain list */
68
69 void free_domain_list(void)
70 {
71         struct winbindd_domain *domain = _domain_list;
72
73         while(domain) {
74                 struct winbindd_domain *next = domain->next;
75                 
76                 DLIST_REMOVE(_domain_list, domain);
77                 SAFE_FREE(domain);
78                 domain = next;
79         }
80 }
81
82 static bool is_internal_domain(const DOM_SID *sid)
83 {
84         if (sid == NULL)
85                 return False;
86
87         if ( IS_DC )
88                 return sid_check_is_builtin(sid);
89
90         return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
91 }
92
93 static bool is_in_internal_domain(const DOM_SID *sid)
94 {
95         if (sid == NULL)
96                 return False;
97
98         if ( IS_DC )
99                 return sid_check_is_in_builtin(sid);
100
101         return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
102 }
103
104
105 /* Add a trusted domain to our list of domains */
106 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
107                                                   struct winbindd_methods *methods,
108                                                   const DOM_SID *sid)
109 {
110         struct winbindd_domain *domain;
111         const char *alternative_name = NULL;
112         char *idmap_config_option;
113         const char *param;
114         const char **ignored_domains, **dom;
115         
116         ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
117         for (dom=ignored_domains; dom && *dom; dom++) {
118                 if (gen_fnmatch(*dom, domain_name) == 0) {
119                         DEBUG(2,("Ignoring domain '%s'\n", domain_name));
120                         return NULL;
121                 }
122         }
123
124         /* ignore alt_name if we are not in an AD domain */
125         
126         if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
127                 alternative_name = alt_name;
128         }
129         
130         /* We can't call domain_list() as this function is called from
131            init_domain_list() and we'll get stuck in a loop. */
132         for (domain = _domain_list; domain; domain = domain->next) {
133                 if (strequal(domain_name, domain->name) ||
134                     strequal(domain_name, domain->alt_name)) 
135                 {
136                         break;                  
137                 }
138
139                 if (alternative_name && *alternative_name) 
140                 {
141                         if (strequal(alternative_name, domain->name) ||
142                             strequal(alternative_name, domain->alt_name)) 
143                         {
144                                 break;                          
145                         }
146                 }
147
148                 if (sid) 
149                 {
150                         if (is_null_sid(sid)) {
151                                 continue;                               
152                         }
153                                 
154                         if (sid_equal(sid, &domain->sid)) {
155                                 break;                          
156                         }
157                 }
158         }
159         
160         /* See if we found a match.  Check if we need to update the
161            SID. */
162
163         if ( domain && sid) {
164                 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
165                         sid_copy( &domain->sid, sid );
166
167                 return domain;          
168         }       
169         
170         /* Create new domain entry */
171
172         if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
173                 return NULL;
174
175         /* Fill in fields */
176         
177         ZERO_STRUCTP(domain);
178
179         fstrcpy(domain->name, domain_name);
180         if (alternative_name) {
181                 fstrcpy(domain->alt_name, alternative_name);
182         }
183
184         domain->methods = methods;
185         domain->backend = NULL;
186         domain->internal = is_internal_domain(sid);
187         domain->sequence_number = DOM_SEQUENCE_NONE;
188         domain->last_seq_check = 0;
189         domain->initialized = False;
190         domain->online = is_internal_domain(sid);
191         domain->check_online_timeout = 0;
192         domain->dc_probe_pid = (pid_t)-1;
193         if (sid) {
194                 sid_copy(&domain->sid, sid);
195         }
196
197         /* Link to domain list */
198         DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
199         
200         wcache_tdc_add_domain( domain );
201         
202         idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
203                                               domain->name);
204         if (idmap_config_option == NULL) {
205                 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
206                 goto done;
207         }
208
209         param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
210
211         DEBUG(10, ("%s : range = %s\n", idmap_config_option,
212                    param ? param : "not defined"));
213
214         if (param != NULL) {
215                 unsigned low_id, high_id;
216                 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
217                         DEBUG(1, ("invalid range syntax in %s: %s\n",
218                                   idmap_config_option, param));
219                         goto done;
220                 }
221                 if (low_id > high_id) {
222                         DEBUG(1, ("invalid range in %s: %s\n",
223                                   idmap_config_option, param));
224                         goto done;
225                 }
226                 domain->have_idmap_config = true;
227                 domain->id_range_low = low_id;
228                 domain->id_range_high = high_id;
229         }
230
231 done:
232
233         DEBUG(2,("Added domain %s %s %s\n", 
234                  domain->name, domain->alt_name,
235                  &domain->sid?sid_string_dbg(&domain->sid):""));
236         
237         return domain;
238 }
239
240 /********************************************************************
241   rescan our domains looking for new trusted domains
242 ********************************************************************/
243
244 struct trustdom_state {
245         TALLOC_CTX *mem_ctx;
246         bool primary;   
247         bool forest_root;       
248         struct winbindd_response *response;
249 };
250
251 static void trustdom_recv(void *private_data, bool success);
252 static void rescan_forest_root_trusts( void );
253 static void rescan_forest_trusts( void );
254
255 static void add_trusted_domains( struct winbindd_domain *domain )
256 {
257         TALLOC_CTX *mem_ctx;
258         struct winbindd_request *request;
259         struct winbindd_response *response;
260         uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
261
262         struct trustdom_state *state;
263
264         mem_ctx = talloc_init("add_trusted_domains");
265         if (mem_ctx == NULL) {
266                 DEBUG(0, ("talloc_init failed\n"));
267                 return;
268         }
269
270         request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
271         response = TALLOC_P(mem_ctx, struct winbindd_response);
272         state = TALLOC_P(mem_ctx, struct trustdom_state);
273
274         if ((request == NULL) || (response == NULL) || (state == NULL)) {
275                 DEBUG(0, ("talloc failed\n"));
276                 talloc_destroy(mem_ctx);
277                 return;
278         }
279
280         state->mem_ctx = mem_ctx;
281         state->response = response;
282
283         /* Flags used to know how to continue the forest trust search */
284
285         state->primary = domain->primary;
286         state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
287
288         request->length = sizeof(*request);
289         request->cmd = WINBINDD_LIST_TRUSTDOM;
290
291         async_domain_request(mem_ctx, domain, request, response,
292                              trustdom_recv, state);
293 }
294
295 static void trustdom_recv(void *private_data, bool success)
296 {
297         struct trustdom_state *state =
298                 talloc_get_type_abort(private_data, struct trustdom_state);
299         struct winbindd_response *response = state->response;
300         char *p;
301
302         if ((!success) || (response->result != WINBINDD_OK)) {
303                 DEBUG(1, ("Could not receive trustdoms\n"));
304                 talloc_destroy(state->mem_ctx);
305                 return;
306         }
307
308         p = (char *)response->extra_data.data;
309
310         while ((p != NULL) && (*p != '\0')) {
311                 char *q, *sidstr, *alt_name;
312                 DOM_SID sid;
313                 struct winbindd_domain *domain;
314                 char *alternate_name = NULL;
315
316                 alt_name = strchr(p, '\\');
317                 if (alt_name == NULL) {
318                         DEBUG(0, ("Got invalid trustdom response\n"));
319                         break;
320                 }
321
322                 *alt_name = '\0';
323                 alt_name += 1;
324
325                 sidstr = strchr(alt_name, '\\');
326                 if (sidstr == NULL) {
327                         DEBUG(0, ("Got invalid trustdom response\n"));
328                         break;
329                 }
330
331                 *sidstr = '\0';
332                 sidstr += 1;
333
334                 q = strchr(sidstr, '\n');
335                 if (q != NULL)
336                         *q = '\0';
337
338                 if (!string_to_sid(&sid, sidstr)) {
339                         /* Allow NULL sid for sibling domains */
340                         if ( strcmp(sidstr,"S-0-0") == 0) {
341                                 sid_copy( &sid, &global_sid_NULL);                              
342                         } else {                                
343                                 DEBUG(0, ("Got invalid trustdom response\n"));
344                                 break;
345                         }                       
346                 }
347
348                 /* use the real alt_name if we have one, else pass in NULL */
349
350                 if ( !strequal( alt_name, "(null)" ) )
351                         alternate_name = alt_name;
352
353                 /* If we have an existing domain structure, calling
354                    add_trusted_domain() will update the SID if
355                    necessary.  This is important because we need the
356                    SID for sibling domains */
357
358                 if ( find_domain_from_name_noinit(p) != NULL ) {
359                         domain = add_trusted_domain(p, alternate_name,
360                                                     &cache_methods,
361                                                     &sid);
362                 } else {
363                         domain = add_trusted_domain(p, alternate_name,
364                                                     &cache_methods,
365                                                     &sid);
366                         if (domain) {
367                                 setup_domain_child(domain,
368                                                    &domain->child);
369                         }
370                 }
371                 p=q;
372                 if (p != NULL)
373                         p += 1;
374         }
375
376         SAFE_FREE(response->extra_data.data);
377
378         /* 
379            Cases to consider when scanning trusts:
380            (a) we are calling from a child domain (primary && !forest_root)
381            (b) we are calling from the root of the forest (primary && forest_root)
382            (c) we are calling from a trusted forest domain (!primary
383                && !forest_root)
384         */
385
386         if ( state->primary ) {
387                 /* If this is our primary domain and we are not in the
388                    forest root, we have to scan the root trusts first */
389
390                 if ( !state->forest_root )
391                         rescan_forest_root_trusts();
392                 else
393                         rescan_forest_trusts();
394
395         } else if ( state->forest_root ) {
396                 /* Once we have done root forest trust search, we can
397                    go on to search the trusted forests */
398
399                 rescan_forest_trusts();
400         }
401         
402         talloc_destroy(state->mem_ctx);
403         
404         return;
405 }
406
407 /********************************************************************
408  Scan the trusts of our forest root
409 ********************************************************************/
410
411 static void rescan_forest_root_trusts( void )
412 {
413         struct winbindd_tdc_domain *dom_list = NULL;
414         size_t num_trusts = 0;
415         int i;  
416
417         /* The only transitive trusts supported by Windows 2003 AD are
418            (a) Parent-Child, (b) Tree-Root, and (c) Forest.   The
419            first two are handled in forest and listed by
420            DsEnumerateDomainTrusts().  Forest trusts are not so we
421            have to do that ourselves. */
422
423         if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
424                 return;
425
426         for ( i=0; i<num_trusts; i++ ) {
427                 struct winbindd_domain *d = NULL;
428
429                 /* Find the forest root.  Don't necessarily trust 
430                    the domain_list() as our primary domain may not 
431                    have been initialized. */
432
433                 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
434                         continue;
435                 }
436         
437                 /* Here's the forest root */
438
439                 d = find_domain_from_name_noinit( dom_list[i].domain_name );
440
441                 if ( !d ) {
442                         d = add_trusted_domain( dom_list[i].domain_name,
443                                                 dom_list[i].dns_name,
444                                                 &cache_methods,
445                                                 &dom_list[i].sid );
446                 }
447
448                 if (d == NULL) {
449                         continue;
450                 }
451
452                 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
453                           "for domain tree root %s (%s)\n",
454                           d->name, d->alt_name ));
455
456                 d->domain_flags = dom_list[i].trust_flags;
457                 d->domain_type  = dom_list[i].trust_type;               
458                 d->domain_trust_attribs = dom_list[i].trust_attribs;            
459                 
460                 add_trusted_domains( d );
461
462                 break;          
463         }
464
465         TALLOC_FREE( dom_list );
466
467         return;
468 }
469
470 /********************************************************************
471  scan the transitive forest trusts (not our own)
472 ********************************************************************/
473
474
475 static void rescan_forest_trusts( void )
476 {
477         struct winbindd_domain *d = NULL;
478         struct winbindd_tdc_domain *dom_list = NULL;
479         size_t num_trusts = 0;
480         int i;  
481
482         /* The only transitive trusts supported by Windows 2003 AD are
483            (a) Parent-Child, (b) Tree-Root, and (c) Forest.   The
484            first two are handled in forest and listed by
485            DsEnumerateDomainTrusts().  Forest trusts are not so we
486            have to do that ourselves. */
487
488         if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
489                 return;
490
491         for ( i=0; i<num_trusts; i++ ) {
492                 uint32 flags   = dom_list[i].trust_flags;
493                 uint32 type    = dom_list[i].trust_type;
494                 uint32 attribs = dom_list[i].trust_attribs;
495                 
496                 d = find_domain_from_name_noinit( dom_list[i].domain_name );
497
498                 /* ignore our primary and internal domains */
499
500                 if ( d && (d->internal || d->primary ) )
501                         continue;               
502
503                 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
504                      (type == NETR_TRUST_TYPE_UPLEVEL) &&
505                      (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
506                 {
507                         /* add the trusted domain if we don't know
508                            about it */
509
510                         if ( !d ) {
511                                 d = add_trusted_domain( dom_list[i].domain_name,
512                                                         dom_list[i].dns_name,
513                                                         &cache_methods,
514                                                         &dom_list[i].sid );
515                         }
516
517                         if (d == NULL) {
518                                 continue;
519                         }
520                         
521                         DEBUG(10,("Following trust path for domain %s (%s)\n",
522                                   d->name, d->alt_name ));
523                         add_trusted_domains( d );
524                 }
525         }
526
527         TALLOC_FREE( dom_list );
528
529         return; 
530 }
531
532 /*********************************************************************
533  The process of updating the trusted domain list is a three step
534  async process:
535  (a) ask our domain
536  (b) ask the root domain in our forest
537  (c) ask the a DC in any Win2003 trusted forests
538 *********************************************************************/
539
540 void rescan_trusted_domains( void )
541 {
542         time_t now = time(NULL);
543
544         /* Check that we allow trusted domains at all */
545         if (!lp_allow_trusted_domains())
546                 return;
547
548         /* see if the time has come... */
549         
550         if ((now >= last_trustdom_scan) &&
551             ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
552                 return;
553                 
554         /* I use to clear the cache here and start over but that
555            caused problems in child processes that needed the
556            trust dom list early on.  Removing it means we
557            could have some trusted domains listed that have been
558            removed from our primary domain's DC until a full
559            restart.  This should be ok since I think this is what
560            Windows does as well. */
561
562         /* this will only add new domains we didn't already know about
563            in the domain_list()*/
564         
565         add_trusted_domains( find_our_domain() );
566
567         last_trustdom_scan = now;
568         
569         return; 
570 }
571
572 struct init_child_state {
573         TALLOC_CTX *mem_ctx;
574         struct winbindd_domain *domain;
575         struct winbindd_request *request;
576         struct winbindd_response *response;
577         void (*continuation)(void *private_data, bool success);
578         void *private_data;
579 };
580
581 static void init_child_recv(void *private_data, bool success);
582 static void init_child_getdc_recv(void *private_data, bool success);
583
584 enum winbindd_result init_child_connection(struct winbindd_domain *domain,
585                                            void (*continuation)(void *private_data,
586                                                                 bool success),
587                                            void *private_data)
588 {
589         TALLOC_CTX *mem_ctx;
590         struct winbindd_request *request;
591         struct winbindd_response *response;
592         struct init_child_state *state;
593         struct winbindd_domain *request_domain;
594
595         mem_ctx = talloc_init("init_child_connection");
596         if (mem_ctx == NULL) {
597                 DEBUG(0, ("talloc_init failed\n"));
598                 return WINBINDD_ERROR;
599         }
600
601         request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
602         response = TALLOC_P(mem_ctx, struct winbindd_response);
603         state = TALLOC_P(mem_ctx, struct init_child_state);
604
605         if ((request == NULL) || (response == NULL) || (state == NULL)) {
606                 DEBUG(0, ("talloc failed\n"));
607                 TALLOC_FREE(mem_ctx);
608                 continuation(private_data, False);
609                 return WINBINDD_ERROR;
610         }
611
612         request->length = sizeof(*request);
613
614         state->mem_ctx = mem_ctx;
615         state->domain = domain;
616         state->request = request;
617         state->response = response;
618         state->continuation = continuation;
619         state->private_data = private_data;
620
621         if (IS_DC || domain->primary || domain->internal ) {
622                 /* The primary domain has to find the DC name itself */
623                 request->cmd = WINBINDD_INIT_CONNECTION;
624                 fstrcpy(request->domain_name, domain->name);
625                 request->data.init_conn.is_primary = domain->primary ? true : false;
626                 fstrcpy(request->data.init_conn.dcname, "");
627                 async_request(mem_ctx, &domain->child, request, response,
628                               init_child_recv, state);
629                 return WINBINDD_PENDING;
630         }
631
632         /* This is *not* the primary domain, let's ask our DC about a DC
633          * name */
634
635         request->cmd = WINBINDD_GETDCNAME;
636         fstrcpy(request->domain_name, domain->name);
637
638         request_domain = find_our_domain();
639         async_domain_request(mem_ctx, request_domain, request, response,
640                              init_child_getdc_recv, state);
641         return WINBINDD_PENDING;
642 }
643
644 static void init_child_getdc_recv(void *private_data, bool success)
645 {
646         struct init_child_state *state =
647                 talloc_get_type_abort(private_data, struct init_child_state);
648         const char *dcname = "";
649
650         DEBUG(10, ("Received getdcname response\n"));
651
652         if (success && (state->response->result == WINBINDD_OK)) {
653                 dcname = state->response->data.dc_name;
654         }
655
656         state->request->cmd = WINBINDD_INIT_CONNECTION;
657         fstrcpy(state->request->domain_name, state->domain->name);
658         state->request->data.init_conn.is_primary = False;
659         fstrcpy(state->request->data.init_conn.dcname, dcname);
660
661         async_request(state->mem_ctx, &state->domain->child,
662                       state->request, state->response,
663                       init_child_recv, state);
664 }
665
666 static void init_child_recv(void *private_data, bool success)
667 {
668         struct init_child_state *state =
669                 talloc_get_type_abort(private_data, struct init_child_state);
670
671         DEBUG(5, ("Received child initialization response for domain %s\n",
672                   state->domain->name));
673
674         if ((!success) || (state->response->result != WINBINDD_OK)) {
675                 DEBUG(3, ("Could not init child\n"));
676                 state->continuation(state->private_data, False);
677                 talloc_destroy(state->mem_ctx);
678                 return;
679         }
680
681         fstrcpy(state->domain->name,
682                 state->response->data.domain_info.name);
683         fstrcpy(state->domain->alt_name,
684                 state->response->data.domain_info.alt_name);
685         string_to_sid(&state->domain->sid,
686                       state->response->data.domain_info.sid);
687         state->domain->native_mode =
688                 state->response->data.domain_info.native_mode;
689         state->domain->active_directory =
690                 state->response->data.domain_info.active_directory;
691
692         init_dc_connection(state->domain);
693
694         if (state->continuation != NULL)
695                 state->continuation(state->private_data, True);
696         talloc_destroy(state->mem_ctx);
697 }
698
699 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
700                                                    struct winbindd_cli_state *state)
701 {
702         /* Ensure null termination */
703         state->request.domain_name
704                 [sizeof(state->request.domain_name)-1]='\0';
705         state->request.data.init_conn.dcname
706                 [sizeof(state->request.data.init_conn.dcname)-1]='\0';
707
708         if (strlen(state->request.data.init_conn.dcname) > 0) {
709                 fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
710         }
711
712         init_dc_connection(domain);
713
714         if (!domain->initialized) {
715                 /* If we return error here we can't do any cached authentication,
716                    but we may be in disconnected mode and can't initialize correctly.
717                    Do what the previous code did and just return without initialization,
718                    once we go online we'll re-initialize.
719                 */
720                 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
721                         "online = %d\n", domain->name, (int)domain->online ));
722         }
723
724         fstrcpy(state->response.data.domain_info.name, domain->name);
725         fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
726         sid_to_fstring(state->response.data.domain_info.sid, &domain->sid);
727         
728         state->response.data.domain_info.native_mode
729                 = domain->native_mode;
730         state->response.data.domain_info.active_directory
731                 = domain->active_directory;
732         state->response.data.domain_info.primary
733                 = domain->primary;
734
735         return WINBINDD_OK;
736 }
737
738 /* Look up global info for the winbind daemon */
739 bool init_domain_list(void)
740 {
741         struct winbindd_domain *domain;
742         int role = lp_server_role();
743
744         /* Free existing list */
745         free_domain_list();
746
747         /* BUILTIN domain */
748
749         domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
750                                     &global_sid_Builtin);
751         if (domain) {
752                 setup_domain_child(domain,
753                                    &domain->child);
754         }
755
756         /* Local SAM */
757
758         domain = add_trusted_domain(get_global_sam_name(), NULL,
759                                     &sam_passdb_methods, get_global_sam_sid());
760         if (domain) {
761                 if ( role != ROLE_DOMAIN_MEMBER ) {
762                         domain->primary = True;
763                 }
764                 setup_domain_child(domain,
765                                    &domain->child);
766         }
767
768         /* Add ourselves as the first entry. */
769
770         if ( role == ROLE_DOMAIN_MEMBER ) {
771                 DOM_SID our_sid;
772
773                 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
774                         DEBUG(0, ("Could not fetch our SID - did we join?\n"));
775                         return False;
776                 }
777         
778                 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
779                                              &cache_methods, &our_sid);
780                 if (domain) {
781                         domain->primary = True;
782                         setup_domain_child(domain,
783                                            &domain->child);
784
785                         /* Even in the parent winbindd we'll need to
786                            talk to the DC, so try and see if we can
787                            contact it. Theoretically this isn't neccessary
788                            as the init_dc_connection() in init_child_recv()
789                            will do this, but we can start detecting the DC
790                            early here. */
791                         set_domain_online_request(domain);
792                 }
793         }
794
795         return True;
796 }
797
798 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
799 {
800         struct winbindd_domain *domain; 
801         DOM_SID dom_sid;
802         uint32 rid;
803
804         /* Check if we even care */
805
806         if (!lp_allow_trusted_domains())
807                 return;
808
809         domain = find_domain_from_name_noinit( name );
810         if ( domain )
811                 return; 
812         
813         sid_copy( &dom_sid, user_sid );         
814         if ( !sid_split_rid( &dom_sid, &rid ) )
815                 return;
816         
817         /* add the newly discovered trusted domain */
818
819         domain = add_trusted_domain( name, NULL, &cache_methods, 
820                                      &dom_sid);
821
822         if ( !domain )
823                 return;
824
825         /* assume this is a trust from a one-way transitive 
826            forest trust */
827
828         domain->active_directory = True;
829         domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
830         domain->domain_type  = NETR_TRUST_TYPE_UPLEVEL;
831         domain->internal = False;
832         domain->online = True;  
833
834         setup_domain_child(domain,
835                            &domain->child);
836
837         wcache_tdc_add_domain( domain );
838
839         return; 
840 }
841
842 /** 
843  * Given a domain name, return the struct winbindd domain info for it 
844  *
845  * @note Do *not* pass lp_workgroup() to this function.  domain_list
846  *       may modify it's value, and free that pointer.  Instead, our local
847  *       domain may be found by calling find_our_domain().
848  *       directly.
849  *
850  *
851  * @return The domain structure for the named domain, if it is working.
852  */
853
854 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
855 {
856         struct winbindd_domain *domain;
857
858         /* Search through list */
859
860         for (domain = domain_list(); domain != NULL; domain = domain->next) {
861                 if (strequal(domain_name, domain->name) ||
862                     (domain->alt_name[0] &&
863                      strequal(domain_name, domain->alt_name))) {
864                         return domain;
865                 }
866         }
867
868         /* Not found */
869
870         return NULL;
871 }
872
873 struct winbindd_domain *find_domain_from_name(const char *domain_name)
874 {
875         struct winbindd_domain *domain;
876
877         domain = find_domain_from_name_noinit(domain_name);
878
879         if (domain == NULL)
880                 return NULL;
881
882         if (!domain->initialized)
883                 init_dc_connection(domain);
884
885         return domain;
886 }
887
888 /* Given a domain sid, return the struct winbindd domain info for it */
889
890 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
891 {
892         struct winbindd_domain *domain;
893
894         /* Search through list */
895
896         for (domain = domain_list(); domain != NULL; domain = domain->next) {
897                 if (sid_compare_domain(sid, &domain->sid) == 0)
898                         return domain;
899         }
900
901         /* Not found */
902
903         return NULL;
904 }
905
906 /* Given a domain sid, return the struct winbindd domain info for it */
907
908 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
909 {
910         struct winbindd_domain *domain;
911
912         domain = find_domain_from_sid_noinit(sid);
913
914         if (domain == NULL)
915                 return NULL;
916
917         if (!domain->initialized)
918                 init_dc_connection(domain);
919
920         return domain;
921 }
922
923 struct winbindd_domain *find_our_domain(void)
924 {
925         struct winbindd_domain *domain;
926
927         /* Search through list */
928
929         for (domain = domain_list(); domain != NULL; domain = domain->next) {
930                 if (domain->primary)
931                         return domain;
932         }
933
934         smb_panic("Could not find our domain");
935         return NULL;
936 }
937
938 struct winbindd_domain *find_root_domain(void)
939 {
940         struct winbindd_domain *ours = find_our_domain();       
941         
942         if ( !ours )
943                 return NULL;
944         
945         if ( strlen(ours->forest_name) == 0 )
946                 return NULL;
947         
948         return find_domain_from_name( ours->forest_name );
949 }
950
951 struct winbindd_domain *find_builtin_domain(void)
952 {
953         DOM_SID sid;
954         struct winbindd_domain *domain;
955
956         string_to_sid(&sid, "S-1-5-32");
957         domain = find_domain_from_sid(&sid);
958
959         if (domain == NULL) {
960                 smb_panic("Could not find BUILTIN domain");
961         }
962
963         return domain;
964 }
965
966 /* Find the appropriate domain to lookup a name or SID */
967
968 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
969 {
970         /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
971
972         if ( sid_check_is_in_unix_groups(sid) || 
973              sid_check_is_unix_groups(sid) ||
974              sid_check_is_in_unix_users(sid) ||
975              sid_check_is_unix_users(sid) )
976         {
977                 return find_domain_from_sid(get_global_sam_sid());
978         }
979
980         /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
981          * one to contact the external DC's. On member servers the internal
982          * domains are different: These are part of the local SAM. */
983
984         DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
985
986         if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
987                 DEBUG(10, ("calling find_domain_from_sid\n"));
988                 return find_domain_from_sid(sid);
989         }       
990
991         /* On a member server a query for SID or name can always go to our
992          * primary DC. */
993
994         DEBUG(10, ("calling find_our_domain\n"));
995         return find_our_domain();
996 }
997
998 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
999 {
1000         if ( strequal(domain_name, unix_users_domain_name() ) ||
1001              strequal(domain_name, unix_groups_domain_name() ) )
1002         {
1003                 return find_domain_from_name_noinit( get_global_sam_name() );
1004         }
1005
1006         if (IS_DC || strequal(domain_name, "BUILTIN") ||
1007             strequal(domain_name, get_global_sam_name()))
1008                 return find_domain_from_name_noinit(domain_name);
1009
1010         /* The "Unix User" and "Unix Group" domain our handled by passdb */
1011
1012         return find_our_domain();
1013 }
1014
1015 /* Lookup a sid in a domain from a name */
1016
1017 bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
1018                                  enum winbindd_cmd orig_cmd,
1019                                  struct winbindd_domain *domain, 
1020                                  const char *domain_name,
1021                                  const char *name, DOM_SID *sid, 
1022                                  enum lsa_SidType *type)
1023 {
1024         NTSTATUS result;
1025
1026         /* Lookup name */
1027         result = domain->methods->name_to_sid(domain, mem_ctx, orig_cmd,
1028                                               domain_name, name, sid, type);
1029
1030         /* Return sid and type if lookup successful */
1031         if (!NT_STATUS_IS_OK(result)) {
1032                 *type = SID_NAME_UNKNOWN;
1033         }
1034
1035         return NT_STATUS_IS_OK(result);
1036 }
1037
1038 /**
1039  * @brief Lookup a name in a domain from a sid.
1040  *
1041  * @param sid Security ID you want to look up.
1042  * @param name On success, set to the name corresponding to @p sid.
1043  * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
1044  * @param type On success, contains the type of name: alias, group or
1045  * user.
1046  * @retval True if the name exists, in which case @p name and @p type
1047  * are set, otherwise False.
1048  **/
1049 bool winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
1050                                  struct winbindd_domain *domain,
1051                                  DOM_SID *sid,
1052                                  char **dom_name,
1053                                  char **name,
1054                                  enum lsa_SidType *type)
1055 {
1056         NTSTATUS result;
1057
1058         *dom_name = NULL;
1059         *name = NULL;
1060
1061         /* Lookup name */
1062
1063         result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
1064
1065         /* Return name and type if successful */
1066         
1067         if (NT_STATUS_IS_OK(result)) {
1068                 return True;
1069         }
1070
1071         *type = SID_NAME_UNKNOWN;
1072         
1073         return False;
1074 }
1075
1076 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
1077
1078 void free_getent_state(struct getent_state *state)
1079 {
1080         struct getent_state *temp;
1081
1082         /* Iterate over state list */
1083
1084         temp = state;
1085
1086         while(temp != NULL) {
1087                 struct getent_state *next = temp->next;
1088
1089                 /* Free sam entries then list entry */
1090
1091                 SAFE_FREE(state->sam_entries);
1092                 DLIST_REMOVE(state, state);
1093
1094                 SAFE_FREE(temp);
1095                 temp = next;
1096         }
1097 }
1098
1099 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1100
1101 static bool assume_domain(const char *domain)
1102 {
1103         /* never assume the domain on a standalone server */
1104
1105         if ( lp_server_role() == ROLE_STANDALONE )
1106                 return False;
1107
1108         /* domain member servers may possibly assume for the domain name */
1109
1110         if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1111                 if ( !strequal(lp_workgroup(), domain) )
1112                         return False;
1113
1114                 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1115                         return True;
1116         } 
1117
1118         /* only left with a domain controller */
1119
1120         if ( strequal(get_global_sam_name(), domain) )  {
1121                 return True;
1122         }
1123         
1124         return False;
1125 }
1126
1127 /* Parse a string of the form DOMAIN\user into a domain and a user */
1128
1129 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1130 {
1131         char *p = strchr(domuser,*lp_winbind_separator());
1132
1133         if ( !p ) {
1134                 fstrcpy(user, domuser);
1135
1136                 if ( assume_domain(lp_workgroup())) {
1137                         fstrcpy(domain, lp_workgroup());
1138                 } else if ((p = strchr(domuser, '@')) != NULL) {
1139                         fstrcpy(domain, "");                    
1140                 } else {
1141                         return False;
1142                 }
1143         } else {
1144                 fstrcpy(user, p+1);
1145                 fstrcpy(domain, domuser);
1146                 domain[PTR_DIFF(p, domuser)] = 0;
1147         }
1148         
1149         strupper_m(domain);
1150         
1151         return True;
1152 }
1153
1154 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1155                               char **domain, char **user)
1156 {
1157         fstring fstr_domain, fstr_user;
1158         if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1159                 return False;
1160         }
1161         *domain = talloc_strdup(mem_ctx, fstr_domain);
1162         *user = talloc_strdup(mem_ctx, fstr_user);
1163         return ((*domain != NULL) && (*user != NULL));
1164 }
1165
1166 /* add a domain user name to a buffer */
1167 void parse_add_domuser(void *buf, char *domuser, int *len)
1168 {
1169         fstring domain;
1170         char *p, *user;
1171
1172         user = domuser;
1173         p = strchr(domuser, *lp_winbind_separator());
1174
1175         if (p) {
1176
1177                 fstrcpy(domain, domuser);
1178                 domain[PTR_DIFF(p, domuser)] = 0;
1179                 p++;
1180
1181                 if (assume_domain(domain)) {
1182
1183                         user = p;
1184                         *len -= (PTR_DIFF(p, domuser));
1185                 }
1186         }
1187
1188         safe_strcpy((char *)buf, user, *len);
1189 }
1190
1191 /* Ensure an incoming username from NSS is fully qualified. Replace the
1192    incoming fstring with DOMAIN <separator> user. Returns the same
1193    values as parse_domain_user() but also replaces the incoming username.
1194    Used to ensure all names are fully qualified within winbindd.
1195    Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1196    The protocol definitions of auth_crap, chng_pswd_auth_crap
1197    really should be changed to use this instead of doing things
1198    by hand. JRA. */
1199
1200 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1201 {
1202         if (!parse_domain_user(username_inout, domain, user)) {
1203                 return False;
1204         }
1205         slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1206                  domain, *lp_winbind_separator(),
1207                  user);
1208         return True;
1209 }
1210
1211 /*
1212     Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1213     'winbind separator' options.
1214     This means:
1215         - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1216         lp_workgroup()
1217
1218     If we are a PDC or BDC, and this is for our domain, do likewise.
1219
1220     Also, if omit DOMAIN if 'winbind trusted domains only = true', as the 
1221     username is then unqualified in unix
1222
1223     We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1224 */
1225 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1226 {
1227         fstring tmp_user;
1228
1229         fstrcpy(tmp_user, user);
1230         strlower_m(tmp_user);
1231
1232         if (can_assume && assume_domain(domain)) {
1233                 strlcpy(name, tmp_user, sizeof(fstring));
1234         } else {
1235                 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1236                          domain, *lp_winbind_separator(),
1237                          tmp_user);
1238         }
1239 }
1240
1241 /**
1242  * talloc version of fill_domain_username()
1243  * return NULL on talloc failure.
1244  */
1245 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1246                                   const char *domain,
1247                                   const char *user,
1248                                   bool can_assume)
1249 {
1250         char *tmp_user, *name;
1251
1252         tmp_user = talloc_strdup(mem_ctx, user);
1253         strlower_m(tmp_user);
1254
1255         if (can_assume && assume_domain(domain)) {
1256                 name = tmp_user;
1257         } else {
1258                 name = talloc_asprintf(mem_ctx, "%s%c%s",
1259                                        domain,
1260                                        *lp_winbind_separator(),
1261                                        tmp_user);
1262                 TALLOC_FREE(tmp_user);
1263         }
1264
1265         return name;
1266 }
1267
1268 /*
1269  * Winbindd socket accessor functions
1270  */
1271
1272 const char *get_winbind_pipe_dir(void) 
1273 {
1274         return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1275 }
1276
1277 char *get_winbind_priv_pipe_dir(void) 
1278 {
1279         return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1280 }
1281
1282 /* Open the winbindd socket */
1283
1284 static int _winbindd_socket = -1;
1285 static int _winbindd_priv_socket = -1;
1286
1287 int open_winbindd_socket(void)
1288 {
1289         if (_winbindd_socket == -1) {
1290                 _winbindd_socket = create_pipe_sock(
1291                         get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1292                 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1293                            _winbindd_socket));
1294         }
1295
1296         return _winbindd_socket;
1297 }
1298
1299 int open_winbindd_priv_socket(void)
1300 {
1301         if (_winbindd_priv_socket == -1) {
1302                 _winbindd_priv_socket = create_pipe_sock(
1303                         get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1304                 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1305                            _winbindd_priv_socket));
1306         }
1307
1308         return _winbindd_priv_socket;
1309 }
1310
1311 /* Close the winbindd socket */
1312
1313 void close_winbindd_socket(void)
1314 {
1315         if (_winbindd_socket != -1) {
1316                 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1317                            _winbindd_socket));
1318                 close(_winbindd_socket);
1319                 _winbindd_socket = -1;
1320         }
1321         if (_winbindd_priv_socket != -1) {
1322                 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1323                            _winbindd_priv_socket));
1324                 close(_winbindd_priv_socket);
1325                 _winbindd_priv_socket = -1;
1326         }
1327 }
1328
1329 /*
1330  * Client list accessor functions
1331  */
1332
1333 static struct winbindd_cli_state *_client_list;
1334 static int _num_clients;
1335
1336 /* Return list of all connected clients */
1337
1338 struct winbindd_cli_state *winbindd_client_list(void)
1339 {
1340         return _client_list;
1341 }
1342
1343 /* Add a connection to the list */
1344
1345 void winbindd_add_client(struct winbindd_cli_state *cli)
1346 {
1347         DLIST_ADD(_client_list, cli);
1348         _num_clients++;
1349 }
1350
1351 /* Remove a client from the list */
1352
1353 void winbindd_remove_client(struct winbindd_cli_state *cli)
1354 {
1355         DLIST_REMOVE(_client_list, cli);
1356         _num_clients--;
1357 }
1358
1359 /* Close all open clients */
1360
1361 void winbindd_kill_all_clients(void)
1362 {
1363         struct winbindd_cli_state *cl = winbindd_client_list();
1364
1365         DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1366
1367         while (cl) {
1368                 struct winbindd_cli_state *next;
1369                 
1370                 next = cl->next;
1371                 winbindd_remove_client(cl);
1372                 cl = next;
1373         }
1374 }
1375
1376 /* Return number of open clients */
1377
1378 int winbindd_num_clients(void)
1379 {
1380         return _num_clients;
1381 }
1382
1383 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1384                                   TALLOC_CTX *mem_ctx,
1385                                   const DOM_SID *user_sid,
1386                                   uint32 *p_num_groups, DOM_SID **user_sids)
1387 {
1388         struct netr_SamInfo3 *info3 = NULL;
1389         NTSTATUS status = NT_STATUS_NO_MEMORY;
1390         size_t num_groups = 0;
1391
1392         DEBUG(3,(": lookup_usergroups_cached\n"));
1393
1394         *user_sids = NULL;
1395         *p_num_groups = 0;
1396
1397         info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1398
1399         if (info3 == NULL) {
1400                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1401         }
1402
1403         if (info3->base.groups.count == 0) {
1404                 TALLOC_FREE(info3);
1405                 return NT_STATUS_UNSUCCESSFUL;
1406         }
1407
1408         /* Skip Domain local groups outside our domain.
1409            We'll get these from the getsidaliases() RPC call. */
1410         status = sid_array_from_info3(mem_ctx, info3,
1411                                       user_sids,
1412                                       &num_groups,
1413                                       false, true);
1414
1415         if (!NT_STATUS_IS_OK(status)) {
1416                 TALLOC_FREE(info3);
1417                 return status;
1418         }
1419
1420         TALLOC_FREE(info3);
1421         *p_num_groups = num_groups;
1422         status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1423         
1424         DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1425
1426         return status;
1427 }
1428
1429 /*********************************************************************
1430  We use this to remove spaces from user and group names
1431 ********************************************************************/
1432
1433 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1434                              struct winbindd_domain *domain,
1435                              char *name,
1436                              char **normalized)
1437 {
1438         NTSTATUS nt_status;
1439
1440         if (!name || !normalized) {
1441                 return NT_STATUS_INVALID_PARAMETER;
1442         }
1443
1444         if (!lp_winbind_normalize_names()) {
1445                 return NT_STATUS_PROCEDURE_NOT_FOUND;
1446         }
1447
1448         /* Alias support and whitespace replacement are mutually
1449            exclusive */
1450
1451         nt_status = resolve_username_to_alias(mem_ctx, domain,
1452                                               name, normalized );
1453         if (NT_STATUS_IS_OK(nt_status)) {
1454                 /* special return code to let the caller know we
1455                    mapped to an alias */
1456                 return NT_STATUS_FILE_RENAMED;
1457         }
1458
1459         /* check for an unreachable domain */
1460
1461         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1462                 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1463                          domain->name));
1464                 set_domain_offline(domain);
1465                 return nt_status;
1466         }
1467
1468         /* deal with whitespace */
1469
1470         *normalized = talloc_strdup(mem_ctx, name);
1471         if (!(*normalized)) {
1472                 return NT_STATUS_NO_MEMORY;
1473         }
1474
1475         all_string_sub( *normalized, " ", "_", 0 );
1476
1477         return NT_STATUS_OK;
1478 }
1479
1480 /*********************************************************************
1481  We use this to do the inverse of normalize_name_map()
1482 ********************************************************************/
1483
1484 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1485                               char *name,
1486                               char **normalized)
1487 {
1488         NTSTATUS nt_status;
1489         struct winbindd_domain *domain = find_our_domain();
1490
1491         if (!name || !normalized) {
1492                 return NT_STATUS_INVALID_PARAMETER;
1493         }
1494         
1495         if (!lp_winbind_normalize_names()) {
1496                 return NT_STATUS_PROCEDURE_NOT_FOUND;
1497         }
1498
1499         /* Alias support and whitespace replacement are mutally
1500            exclusive */
1501
1502         /* When mapping from an alias to a username, we don't know the
1503            domain.  But we only need a domain structure to cache
1504            a successful lookup , so just our own domain structure for
1505            the seqnum. */
1506
1507         nt_status = resolve_alias_to_username(mem_ctx, domain,
1508                                               name, normalized);
1509         if (NT_STATUS_IS_OK(nt_status)) {
1510                 /* Special return code to let the caller know we mapped
1511                    from an alias */
1512                 return NT_STATUS_FILE_RENAMED;
1513         }
1514
1515         /* check for an unreachable domain */
1516
1517         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1518                 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1519                          domain->name));
1520                 set_domain_offline(domain);
1521                 return nt_status;
1522         }
1523
1524         /* deal with whitespace */
1525
1526         *normalized = talloc_strdup(mem_ctx, name);
1527         if (!(*normalized)) {
1528                 return NT_STATUS_NO_MEMORY;
1529         }
1530
1531         all_string_sub(*normalized, "_", " ", 0);
1532
1533         return NT_STATUS_OK;
1534 }
1535
1536 /*********************************************************************
1537  ********************************************************************/
1538
1539 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1540 {
1541         struct winbindd_tdc_domain *tdc = NULL;
1542         TALLOC_CTX *frame = talloc_stackframe();
1543         bool ret = false;
1544
1545         /* We can contact the domain if it is our primary domain */
1546
1547         if (domain->primary) {
1548                 return true;
1549         }
1550
1551         /* Trust the TDC cache and not the winbindd_domain flags */
1552
1553         if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1554                 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1555                           domain->name));
1556                 return false;
1557         }
1558
1559         /* Can always contact a domain that is in out forest */
1560
1561         if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1562                 ret = true;
1563                 goto done;
1564         }
1565         
1566         /*
1567          * On a _member_ server, we cannot contact the domain if it
1568          * is running AD and we have no inbound trust.
1569          */
1570
1571         if (!IS_DC && 
1572              domain->active_directory &&
1573             ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1574         {
1575                 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1576                            "and we have no inbound trust.\n", domain->name));
1577                 goto done;
1578         }
1579
1580         /* Assume everything else is ok (probably not true but what
1581            can you do?) */
1582
1583         ret = true;     
1584
1585 done:   
1586         talloc_destroy(frame);
1587         
1588         return ret;     
1589 }
1590
1591 /*********************************************************************
1592  ********************************************************************/
1593
1594 bool winbindd_internal_child(struct winbindd_child *child)
1595 {
1596         if ((child == idmap_child()) || (child == locator_child())) {
1597                 return True;
1598         }
1599
1600         return False;
1601 }
1602
1603 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1604
1605 /*********************************************************************
1606  ********************************************************************/
1607
1608 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1609 {
1610         char *var = NULL;
1611         char addr[INET6_ADDRSTRLEN];
1612         const char *kdc = NULL;
1613         int lvl = 11;
1614
1615         if (!domain || !domain->alt_name || !*domain->alt_name) {
1616                 return;
1617         }
1618
1619         if (domain->initialized && !domain->active_directory) {
1620                 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1621                         domain->alt_name));
1622                 return;
1623         }
1624
1625         print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1626         kdc = addr;
1627         if (!*kdc) {
1628                 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1629                         domain->alt_name));
1630                 kdc = domain->dcname;
1631         }
1632
1633         if (!kdc || !*kdc) {
1634                 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1635                         domain->alt_name));
1636                 return;
1637         }
1638
1639         if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1640                                 domain->alt_name) == -1) {
1641                 return;
1642         }
1643
1644         DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1645                 var, kdc));
1646
1647         setenv(var, kdc, 1);
1648         free(var);
1649 }
1650
1651 /*********************************************************************
1652  ********************************************************************/
1653
1654 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1655 {
1656         struct winbindd_domain *our_dom = find_our_domain();
1657
1658         winbindd_set_locator_kdc_env(domain);
1659
1660         if (domain != our_dom) {
1661                 winbindd_set_locator_kdc_env(our_dom);
1662         }
1663 }
1664
1665 /*********************************************************************
1666  ********************************************************************/
1667
1668 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1669 {
1670         char *var = NULL;
1671
1672         if (!domain || !domain->alt_name || !*domain->alt_name) {
1673                 return;
1674         }
1675
1676         if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1677                                 domain->alt_name) == -1) {
1678                 return;
1679         }
1680
1681         unsetenv(var);
1682         free(var);
1683 }
1684 #else
1685
1686 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1687 {
1688         return;
1689 }
1690
1691 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1692 {
1693         return;
1694 }
1695
1696 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1697
1698 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1699 {
1700         resp->data.auth.nt_status = NT_STATUS_V(result);
1701         fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1702
1703         /* we might have given a more useful error above */
1704         if (*resp->data.auth.error_string == '\0')
1705                 fstrcpy(resp->data.auth.error_string,
1706                         get_friendly_nt_error_msg(result));
1707         resp->data.auth.pam_error = nt_status_to_pam(result);
1708 }