#include "includes.h"
#include "winbindd.h"
+#include "lib/util_unixsids.h"
#include "secrets.h"
#include "../libcli/security/security.h"
#include "../libcli/auth/pam_errors.h"
#include "passdb.h"
#include "source4/lib/messaging/messaging.h"
#include "librpc/gen_ndr/ndr_lsa.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "auth/credentials/credentials.h"
#include "libsmb/samlogon_cache.h"
+#include "lib/util/smb_strtox.h"
+#include "lib/util/string_wrappers.h"
+#include "lib/global_contexts.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
-static struct winbindd_domain *
-add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc);
-
/**
* @file winbindd_util.c
*
* Winbind daemon for NT domain authentication nss module.
**/
-
/* The list of trusted domains. Note that the list can be deleted and
recreated using the init_domain_list() function so pointers to
individual winbindd_domain structures cannot be made. Keep a copy of
return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
}
-static bool is_in_internal_domain(const struct dom_sid *sid)
-{
- if (sid == NULL)
- return False;
-
- return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
-}
-
-
/* Add a trusted domain to our list of domains.
If the domain already exists in the list,
return it and don't re-initialize. */
-static struct winbindd_domain *
-add_trusted_domain(const char *domain_name, const char *alt_name,
- const struct dom_sid *sid)
+static NTSTATUS add_trusted_domain(const char *domain_name,
+ const char *dns_name,
+ const struct dom_sid *sid,
+ uint32_t trust_type,
+ uint32_t trust_flags,
+ uint32_t trust_attribs,
+ enum netr_SchannelType secure_channel_type,
+ struct winbindd_domain *routing_domain,
+ struct winbindd_domain **_d)
{
- struct winbindd_tdc_domain tdc;
-
- ZERO_STRUCT(tdc);
-
- tdc.domain_name = domain_name;
- tdc.dns_name = alt_name;
- if (sid) {
- sid_copy(&tdc.sid, sid);
- }
-
- return add_trusted_domain_from_tdc(&tdc);
-}
-
-/* Add a trusted domain out of a trusted domain cache
- entry
-*/
-static struct winbindd_domain *
-add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc)
-{
- struct winbindd_domain *domain;
- const char *alternative_name = NULL;
- const char **ignored_domains, **dom;
+ struct winbindd_domain *domain = NULL;
int role = lp_server_role();
- const char *domain_name = tdc->domain_name;
- const struct dom_sid *sid = &tdc->sid;
+ struct dom_sid_buf buf;
if (is_null_sid(sid)) {
- sid = NULL;
- }
-
- ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
- for (dom=ignored_domains; dom && *dom; dom++) {
- if (gen_fnmatch(*dom, domain_name) == 0) {
- DEBUG(2,("Ignoring domain '%s'\n", domain_name));
- return NULL;
- }
+ DBG_ERR("Got null SID for domain [%s]\n", domain_name);
+ return NT_STATUS_INVALID_PARAMETER;
}
- /* use alt_name if available to allow DNS lookups */
-
- if (tdc->dns_name && *tdc->dns_name) {
- alternative_name = tdc->dns_name;
+ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
+ return NT_STATUS_NO_SUCH_DOMAIN;
}
- /* We can't call domain_list() as this function is called from
- init_domain_list() and we'll get stuck in a loop. */
+ /*
+ * We can't call domain_list() as this function is called from
+ * init_domain_list() and we'll get stuck in a loop.
+ */
for (domain = _domain_list; domain; domain = domain->next) {
- if (strequal(domain_name, domain->name) ||
- strequal(domain_name, domain->alt_name))
- {
+ if (strequal(domain_name, domain->name)) {
break;
}
+ }
- if (alternative_name) {
- if (strequal(alternative_name, domain->name) ||
- strequal(alternative_name, domain->alt_name))
- {
+ if (domain != NULL) {
+ struct winbindd_domain *check_domain = NULL;
+
+ for (check_domain = _domain_list;
+ check_domain != NULL;
+ check_domain = check_domain->next)
+ {
+ if (check_domain == domain) {
+ continue;
+ }
+
+ if (dom_sid_equal(&check_domain->sid, sid)) {
break;
}
}
- if (sid != NULL) {
- if (dom_sid_equal(sid, &domain->sid)) {
+ if (check_domain != NULL) {
+ DBG_ERR("SID [%s] already used by domain [%s], "
+ "expected [%s]\n",
+ dom_sid_str_buf(sid, &buf),
+ check_domain->name,
+ domain->name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ if ((domain != NULL) && (dns_name != NULL)) {
+ struct winbindd_domain *check_domain = NULL;
+
+ for (check_domain = _domain_list;
+ check_domain != NULL;
+ check_domain = check_domain->next)
+ {
+ if (check_domain == domain) {
+ continue;
+ }
+
+ if (strequal(check_domain->alt_name, dns_name)) {
break;
}
}
+
+ if (check_domain != NULL) {
+ DBG_ERR("DNS name [%s] used by domain [%s], "
+ "expected [%s]\n",
+ dns_name, check_domain->name,
+ domain->name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
}
if (domain != NULL) {
- /*
- * We found a match on domain->name or
- * domain->alt_name. Possibly update the SID
- * if the stored SID was the NULL SID
- * and return the matching entry.
- */
- if ((sid != NULL)
- && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
- sid_copy( &domain->sid, sid );
- }
- return domain;
+ *_d = domain;
+ return NT_STATUS_OK;
}
/* Create new domain entry */
domain = talloc_zero(NULL, struct winbindd_domain);
if (domain == NULL) {
- return NULL;
+ return NT_STATUS_NO_MEMORY;
}
domain->children = talloc_zero_array(domain,
lp_winbind_max_domain_connections());
if (domain->children == NULL) {
TALLOC_FREE(domain);
- return NULL;
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ domain->queue = tevent_queue_create(domain, "winbind_domain");
+ if (domain->queue == NULL) {
+ TALLOC_FREE(domain);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ domain->binding_handle = wbint_binding_handle(domain, domain, NULL);
+ if (domain->binding_handle == NULL) {
+ TALLOC_FREE(domain);
+ return NT_STATUS_NO_MEMORY;
}
domain->name = talloc_strdup(domain, domain_name);
if (domain->name == NULL) {
TALLOC_FREE(domain);
- return NULL;
+ return NT_STATUS_NO_MEMORY;
}
- if (alternative_name) {
- domain->alt_name = talloc_strdup(domain, alternative_name);
+ if (dns_name != NULL) {
+ domain->alt_name = talloc_strdup(domain, dns_name);
if (domain->alt_name == NULL) {
TALLOC_FREE(domain);
- return NULL;
+ return NT_STATUS_NO_MEMORY;
}
}
domain->backend = NULL;
domain->internal = is_internal_domain(sid);
+ domain->secure_channel_type = secure_channel_type;
domain->sequence_number = DOM_SEQUENCE_NONE;
domain->last_seq_check = 0;
domain->initialized = false;
domain->online = is_internal_domain(sid);
- domain->check_online_timeout = 0;
- domain->dc_probe_pid = (pid_t)-1;
- if (sid != NULL) {
- sid_copy(&domain->sid, sid);
- }
- domain->domain_flags = tdc->trust_flags;
- domain->domain_type = tdc->trust_type;
- domain->domain_trust_attribs = tdc->trust_attribs;
+ domain->domain_flags = trust_flags;
+ domain->domain_type = trust_type;
+ domain->domain_trust_attribs = trust_attribs;
+ domain->secure_channel_type = secure_channel_type;
+ domain->routing_domain = routing_domain;
+ sid_copy(&domain->sid, sid);
/* Is this our primary domain ? */
- if (strequal(domain_name, get_global_sam_name()) &&
- (role != ROLE_DOMAIN_MEMBER)) {
- domain->primary = true;
- } else if (strequal(domain_name, lp_workgroup()) &&
- (role == ROLE_DOMAIN_MEMBER)) {
- domain->primary = true;
+ if (role == ROLE_DOMAIN_MEMBER) {
+ domain->primary = strequal(domain_name, lp_workgroup());
+ } else {
+ domain->primary = strequal(domain_name, get_global_sam_name());
}
if (domain->primary) {
}
}
+ domain->can_do_ncacn_ip_tcp = domain->active_directory;
+
/* Link to domain list */
DLIST_ADD_END(_domain_list, domain);
setup_domain_child(domain);
- DEBUG(2,
- ("Added domain %s %s %s\n", domain->name, domain->alt_name,
- !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : ""));
+ DBG_NOTICE("Added domain [%s] [%s] [%s]\n",
+ domain->name, domain->alt_name,
+ dom_sid_str_buf(&domain->sid, &buf));
- return domain;
+ *_d = domain;
+ return NT_STATUS_OK;
+}
+
+bool set_routing_domain(struct winbindd_domain *domain,
+ struct winbindd_domain *routing_domain)
+{
+ if (domain->routing_domain == NULL) {
+ domain->routing_domain = routing_domain;
+ return true;
+ }
+ if (domain->routing_domain != routing_domain) {
+ return false;
+ }
+ return true;
+}
+
+bool add_trusted_domain_from_auth(uint16_t validation_level,
+ struct info3_text *info3,
+ struct info6_text *info6)
+{
+ struct winbindd_domain *domain = NULL;
+ struct dom_sid domain_sid;
+ const char *dns_domainname = NULL;
+ NTSTATUS status;
+ bool ok;
+
+ /*
+ * We got a successful auth from a domain that might not yet be in our
+ * domain list. If we're a member we trust our DC who authenticated the
+ * user from that domain and add the domain to our list on-the-fly. If
+ * we're a DC we rely on configured trusts and don't add on-the-fly.
+ */
+
+ if (IS_DC) {
+ return true;
+ }
+
+ ok = dom_sid_parse(info3->dom_sid, &domain_sid);
+ if (!ok) {
+ DBG_NOTICE("dom_sid_parse [%s] failed\n", info3->dom_sid);
+ return false;
+ }
+
+ if (validation_level == 6) {
+ if (!strequal(info6->dns_domainname, "")) {
+ dns_domainname = info6->dns_domainname;
+ }
+ }
+
+ status = add_trusted_domain(info3->logon_dom,
+ dns_domainname,
+ &domain_sid,
+ 0,
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0,
+ SEC_CHAN_NULL,
+ find_default_route_domain(),
+ &domain);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
+ {
+ DBG_DEBUG("Adding domain [%s] with sid [%s] failed\n",
+ info3->logon_dom, info3->dom_sid);
+ return false;
+ }
+
+ return true;
}
bool domain_is_forest_root(const struct winbindd_domain *domain)
struct trustdom_state {
struct winbindd_domain *domain;
- struct winbindd_request request;
+ struct netr_DomainTrustList trusts;
};
static void trustdom_list_done(struct tevent_req *req);
static void add_trusted_domains( struct winbindd_domain *domain )
{
+ struct tevent_context *ev = global_event_context();
struct trustdom_state *state;
struct tevent_req *req;
+ const char *client_name = NULL;
+ pid_t client_pid;
state = talloc_zero(NULL, struct trustdom_state);
if (state == NULL) {
}
state->domain = domain;
- state->request.length = sizeof(state->request);
- state->request.cmd = WINBINDD_LIST_TRUSTDOM;
+ /* Called from timer, not from a real client */
+ client_name = getprogname();
+ client_pid = getpid();
- req = wb_domain_request_send(state, winbind_event_context(),
- domain, &state->request);
+ req = dcerpc_wbint_ListTrustedDomains_send(state,
+ ev,
+ dom_child_handle(domain),
+ client_name,
+ client_pid,
+ &state->trusts);
if (req == NULL) {
- DEBUG(1, ("wb_domain_request_send failed\n"));
+ DBG_ERR("dcerpc_wbint_ListTrustedDomains_send failed\n");
TALLOC_FREE(state);
return;
}
{
struct trustdom_state *state = tevent_req_callback_data(
req, struct trustdom_state);
- struct winbindd_response *response;
- int res, err;
- char *p;
- struct winbindd_tdc_domain trust_params = {0};
- ptrdiff_t extra_len;
-
- res = wb_domain_request_recv(req, state, &response, &err);
- if ((res == -1) || (response->result != WINBINDD_OK)) {
- DBG_WARNING("Could not receive trusts for domain %s\n",
- state->domain->name);
- TALLOC_FREE(state);
- return;
+ bool within_forest = false;
+ NTSTATUS status, result;
+ uint32_t i;
+
+ /*
+ * Only when we enumerate our primary domain
+ * or our forest root domain, we should keep
+ * the NETR_TRUST_FLAG_IN_FOREST flag, in
+ * all other cases we need to clear it as the domain
+ * is not part of our forest.
+ */
+ if (state->domain->primary) {
+ within_forest = true;
+ } else if (domain_is_forest_root(state->domain)) {
+ within_forest = true;
}
- if (response->length < sizeof(struct winbindd_response)) {
- DBG_ERR("ill-formed trustdom response - short length\n");
+ status = dcerpc_wbint_ListTrustedDomains_recv(req, state, &result);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ DBG_WARNING("Could not receive trusts for domain %s: %s-%s\n",
+ state->domain->name, nt_errstr(status),
+ nt_errstr(result));
TALLOC_FREE(state);
return;
}
- extra_len = response->length - sizeof(struct winbindd_response);
-
- p = (char *)response->extra_data.data;
-
- while ((p - (char *)response->extra_data.data) < extra_len) {
- char *q, *sidstr, *alt_name;
-
- DBG_DEBUG("parsing response line '%s'\n", p);
-
- ZERO_STRUCT(trust_params);
- trust_params.domain_name = p;
-
- alt_name = strchr(p, '\\');
- if (alt_name == NULL) {
- DBG_ERR("Got invalid trustdom response\n");
- break;
- }
-
- *alt_name = '\0';
- alt_name += 1;
+ for (i=0; i<state->trusts.count; i++) {
+ struct netr_DomainTrust *trust = &state->trusts.array[i];
+ struct winbindd_domain *domain = NULL;
- sidstr = strchr(alt_name, '\\');
- if (sidstr == NULL) {
- DBG_ERR("Got invalid trustdom response\n");
- break;
- }
-
- *sidstr = '\0';
- sidstr += 1;
-
- /* use the real alt_name if we have one, else pass in NULL */
- if (!strequal(alt_name, "(null)")) {
- trust_params.dns_name = alt_name;
+ if (!within_forest) {
+ trust->trust_flags &= ~NETR_TRUST_FLAG_IN_FOREST;
}
- q = strtok(sidstr, "\\");
- if (q == NULL) {
- DBG_ERR("Got invalid trustdom response\n");
- break;
- }
-
- if (!string_to_sid(&trust_params.sid, sidstr)) {
- DEBUG(0, ("Got invalid trustdom response\n"));
- break;
- }
-
- q = strtok(NULL, "\\");
- if (q == NULL) {
- DBG_ERR("Got invalid trustdom response\n");
- break;
- }
-
- trust_params.trust_flags = (uint32_t)strtoul(q, NULL, 10);
-
- q = strtok(NULL, "\\");
- if (q == NULL) {
- DBG_ERR("Got invalid trustdom response\n");
- break;
+ if (!state->domain->primary) {
+ trust->trust_flags &= ~NETR_TRUST_FLAG_PRIMARY;
}
- trust_params.trust_type = (uint32_t)strtoul(q, NULL, 10);
-
- q = strtok(NULL, "\n");
- if (q == NULL) {
- DBG_ERR("Got invalid trustdom response\n");
- break;
- }
-
- trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
-
/*
* We always call add_trusted_domain() cause on an existing
* domain structure, it will update the SID if necessary.
* This is important because we need the SID for sibling
* domains.
*/
- (void)add_trusted_domain_from_tdc(&trust_params);
-
- p = q + strlen(q) + 1;
+ status = add_trusted_domain(trust->netbios_name,
+ trust->dns_name,
+ trust->sid,
+ trust->trust_type,
+ trust->trust_flags,
+ trust->trust_attributes,
+ SEC_CHAN_NULL,
+ find_default_route_domain(),
+ &domain);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
+ {
+ DBG_NOTICE("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return;
+ }
}
/*
{
struct winbindd_tdc_domain *dom_list = NULL;
size_t num_trusts = 0;
- int i;
+ size_t i;
+ NTSTATUS status;
/* The only transitive trusts supported by Windows 2003 AD are
(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
/* Here's the forest root */
d = find_domain_from_name_noinit( dom_list[i].domain_name );
-
- if ( !d ) {
- d = add_trusted_domain_from_tdc(&dom_list[i]);
+ if (d == NULL) {
+ status = add_trusted_domain(dom_list[i].domain_name,
+ dom_list[i].dns_name,
+ &dom_list[i].sid,
+ dom_list[i].trust_type,
+ dom_list[i].trust_flags,
+ dom_list[i].trust_attribs,
+ SEC_CHAN_NULL,
+ find_default_route_domain(),
+ &d);
+
+ if (!NT_STATUS_IS_OK(status) &&
+ NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
+ {
+ DBG_ERR("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return;
+ }
}
-
if (d == NULL) {
continue;
}
struct winbindd_domain *d = NULL;
struct winbindd_tdc_domain *dom_list = NULL;
size_t num_trusts = 0;
- int i;
+ size_t i;
+ NTSTATUS status;
/* The only transitive trusts supported by Windows 2003 AD are
(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
(type == LSA_TRUST_TYPE_UPLEVEL) &&
- (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
+ (attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
{
/* add the trusted domain if we don't know
about it */
- if ( !d ) {
- d = add_trusted_domain_from_tdc(&dom_list[i]);
+ if (d == NULL) {
+ status = add_trusted_domain(
+ dom_list[i].domain_name,
+ dom_list[i].dns_name,
+ &dom_list[i].sid,
+ type,
+ flags,
+ attribs,
+ SEC_CHAN_NULL,
+ find_default_route_domain(),
+ &d);
+ if (!NT_STATUS_IS_OK(status) &&
+ NT_STATUS_EQUAL(status,
+ NT_STATUS_NO_SUCH_DOMAIN))
+ {
+ DBG_ERR("add_trusted_domain: %s\n",
+ nt_errstr(status));
+ return;
+ }
}
if (d == NULL) {
async process:
(a) ask our domain
(b) ask the root domain in our forest
- (c) ask the a DC in any Win2003 trusted forests
+ (c) ask a DC in any Win2003 trusted forests
*********************************************************************/
void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
{
TALLOC_FREE(te);
- /* I use to clear the cache here and start over but that
+ /* I used to clear the cache here and start over but that
caused problems in child processes that needed the
trust dom list early on. Removing it means we
could have some trusted domains listed that have been
return;
}
-enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
- struct winbindd_cli_state *state)
+static void wbd_ping_dc_done(struct tevent_req *subreq);
+
+void winbindd_ping_offline_domains(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval now,
+ void *private_data)
{
- /* Ensure null termination */
- state->request->domain_name
- [sizeof(state->request->domain_name)-1]='\0';
- state->request->data.init_conn.dcname
- [sizeof(state->request->data.init_conn.dcname)-1]='\0';
+ struct winbindd_domain *domain = NULL;
+
+ TALLOC_FREE(te);
+
+ for (domain = domain_list(); domain != NULL; domain = domain->next) {
+ DBG_DEBUG("Domain %s is %s\n",
+ domain->name,
+ domain->online ? "online" : "offline");
- if (strlen(state->request->data.init_conn.dcname) > 0) {
- fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
+ if (get_global_winbindd_state_offline()) {
+ DBG_DEBUG("We are globally offline, do nothing.\n");
+ break;
+ }
+
+ if (domain->online ||
+ domain->check_online_event != NULL ||
+ domain->secure_channel_type == SEC_CHAN_NULL) {
+ continue;
+ }
+
+ winbindd_flush_negative_conn_cache(domain);
+
+ domain->check_online_event =
+ dcerpc_wbint_PingDc_send(domain,
+ ev,
+ dom_child_handle(domain),
+ &domain->ping_dcname);
+ if (domain->check_online_event == NULL) {
+ DBG_WARNING("Failed to schedule ping, no-memory\n");
+ continue;
+ }
+
+ tevent_req_set_callback(domain->check_online_event,
+ wbd_ping_dc_done, domain);
}
- init_dc_connection(domain, false);
+ te = tevent_add_timer(ev,
+ NULL,
+ timeval_current_ofs(lp_winbind_reconnect_delay(),
+ 0),
+ winbindd_ping_offline_domains,
+ NULL);
+ if (te == NULL) {
+ DBG_ERR("Failed to schedule winbindd_ping_offline_domains()\n");
+ }
- if (!domain->initialized) {
- /* If we return error here we can't do any cached authentication,
- but we may be in disconnected mode and can't initialize correctly.
- Do what the previous code did and just return without initialization,
- once we go online we'll re-initialize.
- */
- DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
- "online = %d\n", domain->name, (int)domain->online ));
+ return;
+}
+
+static void wbd_ping_dc_done(struct tevent_req *subreq)
+{
+ struct winbindd_domain *domain =
+ tevent_req_callback_data(subreq,
+ struct winbindd_domain);
+ NTSTATUS status, result;
+
+ SMB_ASSERT(subreq == domain->check_online_event);
+ domain->check_online_event = NULL;
+
+ status = dcerpc_wbint_PingDc_recv(subreq, domain, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ DBG_WARNING("dcerpc_wbint_PingDc_recv failed for domain: "
+ "%s - %s\n",
+ domain->name,
+ nt_errstr(status));
+ return;
}
- fstrcpy(state->response->data.domain_info.name, domain->name);
- fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
- sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
+ DBG_DEBUG("dcerpc_wbint_PingDc_recv() succeeded, "
+ "domain: %s, dc-name: %s\n",
+ domain->name,
+ domain->ping_dcname);
- state->response->data.domain_info.native_mode
- = domain->native_mode;
- state->response->data.domain_info.active_directory
- = domain->active_directory;
- state->response->data.domain_info.primary
- = domain->primary;
+ talloc_free(discard_const(domain->ping_dcname));
+ domain->ping_dcname = NULL;
- return WINBINDD_OK;
+ return;
}
static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
void *private_data,
uint32_t msg_type,
struct server_id server_id,
+ size_t num_fds,
+ int *fds,
DATA_BLOB *data)
{
- TALLOC_CTX *frame = talloc_stackframe();
- struct lsa_TrustDomainInfoInfoEx info;
- enum ndr_err_code ndr_err;
- struct winbindd_domain *d = NULL;
-
- DEBUG(5, ("wb_imsg_new_trusted_domain\n"));
-
- if (data == NULL) {
- TALLOC_FREE(frame);
- return;
- }
-
- ndr_err = ndr_pull_struct_blob_all(data, frame, &info,
- (ndr_pull_flags_fn_t)ndr_pull_lsa_TrustDomainInfoInfoEx);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- TALLOC_FREE(frame);
- return;
- }
-
- d = find_domain_from_name_noinit(info.netbios_name.string);
- if (d != NULL) {
- TALLOC_FREE(frame);
- return;
- }
-
- d = add_trusted_domain(info.netbios_name.string,
- info.domain_name.string,
- info.sid);
- if (d == NULL) {
- TALLOC_FREE(frame);
- return;
- }
+ bool ok;
- if (d->internal) {
- TALLOC_FREE(frame);
+ if (num_fds != 0) {
+ DBG_WARNING("Received %zu fds, ignoring message\n", num_fds);
return;
}
- if (d->primary) {
- TALLOC_FREE(frame);
- return;
- }
+ DBG_NOTICE("Rescanning trusted domains\n");
- if (info.trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
- d->domain_flags |= NETR_TRUST_FLAG_INBOUND;
- }
- if (info.trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
- d->domain_flags |= NETR_TRUST_FLAG_OUTBOUND;
- }
- if (info.trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
- d->domain_flags |= NETR_TRUST_FLAG_IN_FOREST;
+ ok = add_trusted_domains_dc();
+ if (!ok) {
+ DBG_ERR("Failed to reload trusted domains\n");
}
- d->domain_type = info.trust_type;
- d->domain_trust_attribs = info.trust_attributes;
-
- TALLOC_FREE(frame);
}
/*
NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
NULL, domain, &creds);
if (!NT_STATUS_IS_OK(can_migrate)) {
- DEBUG(0, ("Failed to fetch our own, local AD domain join "
+ DEBUG(0, ("Failed to fetch our own local AD domain join "
"password for winbindd's internal use, both from "
"secrets.tdb and secrets.ldb: %s\n",
nt_errstr(can_migrate)));
NULL /* oldpass */,
cli_credentials_get_domain(creds),
cli_credentials_get_realm(creds),
- cli_credentials_get_salt_principal(creds),
+ cli_credentials_get_salt_principal(creds, creds),
0, /* Supported enc types, unused */
&domain->sid,
cli_credentials_get_password_last_changed_time(creds),
false /* do_delete: Do not delete */);
TALLOC_FREE(creds);
if (ok == false) {
- DEBUG(0, ("Failed to write our our own, "
+ DEBUG(0, ("Failed to write our own "
"local AD domain join password for "
"winbindd's internal use into secrets.tdb\n"));
return false;
return true;
}
+bool add_trusted_domains_dc(void)
+{
+ struct winbindd_domain *domain = NULL;
+ struct pdb_trusted_domain **domains = NULL;
+ uint32_t num_domains = 0;
+ uint32_t i;
+ NTSTATUS status;
+
+ if (!(pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX)) {
+ struct trustdom_info **ti = NULL;
+
+ status = pdb_enum_trusteddoms(talloc_tos(), &num_domains, &ti);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_enum_trusteddoms() failed - %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ for (i = 0; i < num_domains; i++) {
+ status = add_trusted_domain(ti[i]->name,
+ NULL,
+ &ti[i]->sid,
+ LSA_TRUST_TYPE_DOWNLEVEL,
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0,
+ SEC_CHAN_DOMAIN,
+ NULL,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_NOTICE("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, &domains);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ for (i = 0; i < num_domains; i++) {
+ enum netr_SchannelType sec_chan_type = SEC_CHAN_DOMAIN;
+ uint32_t trust_flags = 0;
+
+ if (domains[i]->trust_type == LSA_TRUST_TYPE_UPLEVEL) {
+ sec_chan_type = SEC_CHAN_DNS_DOMAIN;
+ }
+
+ if (!(domains[i]->trust_direction & LSA_TRUST_DIRECTION_OUTBOUND)) {
+ sec_chan_type = SEC_CHAN_NULL;
+ }
+
+ if (domains[i]->trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
+ trust_flags |= NETR_TRUST_FLAG_INBOUND;
+ }
+ if (domains[i]->trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
+ trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
+ }
+ if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+ trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
+ }
+
+ if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+ /*
+ * We don't support selective authentication yet.
+ */
+ DBG_WARNING("Ignoring CROSS_ORGANIZATION trust to "
+ "domain[%s/%s]\n",
+ domains[i]->netbios_name,
+ domains[i]->domain_name);
+ continue;
+ }
+
+ status = add_trusted_domain(domains[i]->netbios_name,
+ domains[i]->domain_name,
+ &domains[i]->security_identifier,
+ domains[i]->trust_type,
+ trust_flags,
+ domains[i]->trust_attributes,
+ sec_chan_type,
+ NULL,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_NOTICE("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ if (domains[i]->trust_type == LSA_TRUST_TYPE_UPLEVEL) {
+ domain->active_directory = true;
+ }
+ domain->domain_type = domains[i]->trust_type;
+ domain->domain_trust_attribs = domains[i]->trust_attributes;
+ }
+
+ for (i = 0; i < num_domains; i++) {
+ struct ForestTrustInfo fti;
+ uint32_t fi;
+ enum ndr_err_code ndr_err;
+ struct winbindd_domain *routing_domain = NULL;
+
+ if (domains[i]->trust_type != LSA_TRUST_TYPE_UPLEVEL) {
+ continue;
+ }
+
+ if (!(domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) {
+ continue;
+ }
+
+ if (domains[i]->trust_forest_trust_info.length == 0) {
+ continue;
+ }
+
+ routing_domain = find_domain_from_name_noinit(
+ domains[i]->netbios_name);
+ if (routing_domain == NULL) {
+ DBG_ERR("Can't find winbindd domain [%s]\n",
+ domains[i]->netbios_name);
+ return false;
+ }
+
+ ndr_err = ndr_pull_struct_blob_all(
+ &domains[i]->trust_forest_trust_info,
+ talloc_tos(), &fti,
+ (ndr_pull_flags_fn_t)ndr_pull_ForestTrustInfo);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DBG_ERR("ndr_pull_ForestTrustInfo(%s) - %s\n",
+ domains[i]->netbios_name,
+ ndr_map_error2string(ndr_err));
+ return false;
+ }
+
+ for (fi = 0; fi < fti.count; fi++) {
+ struct ForestTrustInfoRecord *rec =
+ &fti.records[fi].record;
+ struct ForestTrustDataDomainInfo *drec = NULL;
+
+ if (rec->type != FOREST_TRUST_DOMAIN_INFO) {
+ continue;
+ }
+ drec = &rec->data.info;
+
+ if (rec->flags & LSA_NB_DISABLED_MASK) {
+ continue;
+ }
+
+ if (rec->flags & LSA_SID_DISABLED_MASK) {
+ continue;
+ }
+
+ /*
+ * TODO:
+ * also try to find a matching
+ * LSA_TLN_DISABLED_MASK ???
+ */
+
+ domain = find_domain_from_name_noinit(drec->netbios_name.string);
+ if (domain != NULL) {
+ continue;
+ }
+
+ status = add_trusted_domain(drec->netbios_name.string,
+ drec->dns_name.string,
+ &drec->sid,
+ LSA_TRUST_TYPE_UPLEVEL,
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0,
+ SEC_CHAN_NULL,
+ routing_domain,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_NOTICE("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
+ if (domain == NULL) {
+ continue;
+ }
+ }
+ }
+
+ return true;
+}
+
+
/* Look up global info for the winbind daemon */
bool init_domain_list(void)
{
int role = lp_server_role();
+ struct pdb_domain_info *pdb_domain_info = NULL;
+ struct winbindd_domain *domain = NULL;
NTSTATUS status;
+ bool ok;
/* Free existing list */
free_domain_list();
/* BUILTIN domain */
- (void)add_trusted_domain("BUILTIN", NULL, &global_sid_Builtin);
+ status = add_trusted_domain("BUILTIN",
+ NULL,
+ &global_sid_Builtin,
+ LSA_TRUST_TYPE_DOWNLEVEL,
+ 0, /* trust_flags */
+ 0, /* trust_attribs */
+ SEC_CHAN_LOCAL,
+ NULL,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("add_trusted_domain BUILTIN returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
/* Local SAM */
+ /*
+ * In case the passdb backend is passdb_dsdb the domain SID comes from
+ * dsdb, not from secrets.tdb. As we use the domain SID in various
+ * places, we must ensure the domain SID is migrated from dsdb to
+ * secrets.tdb before get_global_sam_sid() is called the first time.
+ *
+ * The migration is done as part of the passdb_dsdb initialisation,
+ * calling pdb_get_domain_info() triggers it.
+ */
+ pdb_domain_info = pdb_get_domain_info(talloc_tos());
+
if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
- struct winbindd_domain *domain;
+ uint32_t trust_flags;
+ bool is_root;
enum netr_SchannelType sec_chan_type;
const char *account_name;
struct samr_Password current_nt_hash;
- struct pdb_domain_info *pdb_domain_info;
- bool ok;
- pdb_domain_info = pdb_get_domain_info(talloc_tos());
if (pdb_domain_info == NULL) {
- DEBUG(0, ("Failed to fetch our own, local AD "
+ DEBUG(0, ("Failed to fetch our own local AD "
"domain info from sam.ldb\n"));
return false;
}
- domain = add_trusted_domain(pdb_domain_info->name,
- pdb_domain_info->dns_domain,
- &pdb_domain_info->sid);
+
+ trust_flags = NETR_TRUST_FLAG_PRIMARY;
+ trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
+ trust_flags |= NETR_TRUST_FLAG_NATIVE;
+ trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
+
+ is_root = strequal(pdb_domain_info->dns_domain,
+ pdb_domain_info->dns_forest);
+ if (is_root) {
+ trust_flags |= NETR_TRUST_FLAG_TREEROOT;
+ }
+
+ status = add_trusted_domain(pdb_domain_info->name,
+ pdb_domain_info->dns_domain,
+ &pdb_domain_info->sid,
+ LSA_TRUST_TYPE_UPLEVEL,
+ trust_flags,
+ LSA_TRUST_ATTRIBUTE_WITHIN_FOREST,
+ SEC_CHAN_BDC,
+ NULL,
+ &domain);
TALLOC_FREE(pdb_domain_info);
- if (domain == NULL) {
- DEBUG(0, ("Failed to add our own, local AD "
- "domain to winbindd's internal list\n"));
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to add our own local AD "
+ "domain to winbindd's internal list\n");
return false;
}
*/
ok = migrate_secrets_tdb_to_ldb(domain);
- if (ok == false) {
- DEBUG(0, ("Failed to migrate our own, "
+ if (!ok) {
+ DEBUG(0, ("Failed to migrate our own "
"local AD domain join password for "
"winbindd's internal use into "
"secrets.tdb\n"));
current_nt_hash.hash,
&account_name,
&sec_chan_type);
- if (ok == false) {
- DEBUG(0, ("Failed to find our our own, just "
+ if (!ok) {
+ DEBUG(0, ("Failed to find our own just "
"written local AD domain join "
"password for winbindd's internal "
"use in secrets.tdb\n"));
return false;
}
}
+
+ domain->secure_channel_type = sec_chan_type;
if (sec_chan_type == SEC_CHAN_RODC) {
domain->rodc = true;
}
} else {
- (void)add_trusted_domain(get_global_sam_name(), NULL,
- get_global_sam_sid());
+ uint32_t trust_flags;
+ enum netr_SchannelType secure_channel_type;
+
+ trust_flags = NETR_TRUST_FLAG_OUTBOUND;
+ if (role != ROLE_DOMAIN_MEMBER) {
+ trust_flags |= NETR_TRUST_FLAG_PRIMARY;
+ }
+
+ if (role > ROLE_DOMAIN_MEMBER) {
+ secure_channel_type = SEC_CHAN_BDC;
+ } else {
+ secure_channel_type = SEC_CHAN_LOCAL;
+ }
+
+ if ((pdb_domain_info != NULL) && (role == ROLE_IPA_DC)) {
+ /* This is IPA DC that presents itself as
+ * an Active Directory domain controller to trusted AD
+ * forests but in fact is a classic domain controller.
+ */
+ trust_flags = NETR_TRUST_FLAG_PRIMARY;
+ trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
+ trust_flags |= NETR_TRUST_FLAG_NATIVE;
+ trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
+ trust_flags |= NETR_TRUST_FLAG_TREEROOT;
+ status = add_trusted_domain(pdb_domain_info->name,
+ pdb_domain_info->dns_domain,
+ &pdb_domain_info->sid,
+ LSA_TRUST_TYPE_UPLEVEL,
+ trust_flags,
+ LSA_TRUST_ATTRIBUTE_WITHIN_FOREST,
+ secure_channel_type,
+ NULL,
+ &domain);
+ TALLOC_FREE(pdb_domain_info);
+ } else {
+ status = add_trusted_domain(get_global_sam_name(),
+ NULL,
+ get_global_sam_sid(),
+ LSA_TRUST_TYPE_DOWNLEVEL,
+ trust_flags,
+ 0, /* trust_attribs */
+ secure_channel_type,
+ NULL,
+ &domain);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to add local SAM to "
+ "domain to winbindd's internal list\n");
+ return false;
+ }
+ }
+
+ if (IS_DC) {
+ ok = add_trusted_domains_dc();
+ if (!ok) {
+ DBG_ERR("init_domain_list_dc failed\n");
+ return false;
+ }
}
- /* Add ourselves as the first entry. */
if ( role == ROLE_DOMAIN_MEMBER ) {
- struct winbindd_domain *domain;
struct dom_sid our_sid;
+ uint32_t trust_type;
if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
DEBUG(0, ("Could not fetch our SID - did we join?\n"));
return False;
}
- domain = add_trusted_domain(lp_workgroup(), lp_realm(),
- &our_sid);
- if (domain) {
- /* Even in the parent winbindd we'll need to
- talk to the DC, so try and see if we can
- contact it. Theoretically this isn't neccessary
- as the init_dc_connection() in init_child_recv()
- will do this, but we can start detecting the DC
- early here. */
- set_domain_online_request(domain);
+ if (lp_realm() != NULL) {
+ trust_type = LSA_TRUST_TYPE_UPLEVEL;
+ } else {
+ trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
+ }
+
+ status = add_trusted_domain(lp_workgroup(),
+ lp_realm(),
+ &our_sid,
+ trust_type,
+ NETR_TRUST_FLAG_PRIMARY|
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0, /* trust_attribs */
+ SEC_CHAN_WKSTA,
+ NULL,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to add local SAM to "
+ "domain to winbindd's internal list\n");
+ return false;
}
}
status = imessaging_register(winbind_imessaging_context(), NULL,
- MSG_WINBIND_NEW_TRUSTED_DOMAIN,
+ MSG_WINBIND_RELOAD_TRUSTED_DOMAINS,
wb_imsg_new_trusted_domain);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("imessaging_register(MSG_WINBIND_NEW_TRUSTED_DOMAIN) - %s\n",
- nt_errstr(status)));
+ DBG_ERR("imessaging_register failed %s\n", nt_errstr(status));
return false;
}
/* Search through list */
for (domain = domain_list(); domain != NULL; domain = domain->next) {
- if (strequal(domain_name, domain->name) ||
- (domain->alt_name != NULL &&
- strequal(domain_name, domain->alt_name))) {
+ if (strequal(domain_name, domain->name)) {
+ return domain;
+ }
+ if (domain->alt_name == NULL) {
+ continue;
+ }
+ if (strequal(domain_name, domain->alt_name)) {
return domain;
}
}
return NULL;
}
+/**
+ * Given a domain name, return the struct winbindd domain if it's a direct
+ * outgoing trust
+ *
+ * @return The domain structure for the named domain, if it is a direct outgoing trust
+ */
+struct winbindd_domain *find_trust_from_name_noinit(const char *domain_name)
+{
+ struct winbindd_domain *domain = NULL;
+
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return NULL;
+}
+
struct winbindd_domain *find_domain_from_name(const char *domain_name)
{
struct winbindd_domain *domain;
return NULL;
}
+/**
+ * Given a domain sid, return the struct winbindd domain if it's a direct
+ * outgoing trust
+ *
+ * @return The domain structure for the specified domain, if it is a direct outgoing trust
+ */
+struct winbindd_domain *find_trust_from_sid_noinit(const struct dom_sid *sid)
+{
+ struct winbindd_domain *domain = NULL;
+
+ domain = find_domain_from_sid_noinit(sid);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return NULL;
+}
+
/* Given a domain sid, return the struct winbindd domain info for it */
struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
return NULL;
}
-struct winbindd_domain *find_root_domain(void)
+struct winbindd_domain *find_default_route_domain(void)
{
- struct winbindd_domain *ours = find_our_domain();
-
- if (ours->forest_name == NULL) {
- return NULL;
+ if (!IS_DC) {
+ return find_our_domain();
}
-
- return find_domain_from_name( ours->forest_name );
-}
-
-struct winbindd_domain *find_builtin_domain(void)
-{
- struct winbindd_domain *domain;
-
- domain = find_domain_from_sid(&global_sid_Builtin);
- if (domain == NULL) {
- smb_panic("Could not find BUILTIN domain");
- }
-
- return domain;
+ DBG_DEBUG("Routing logic not yet implemented on a DC\n");
+ return NULL;
}
/* Find the appropriate domain to lookup a name or SID */
struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
{
- /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
+ struct dom_sid_buf buf;
+
+ DBG_DEBUG("SID [%s]\n", dom_sid_str_buf(sid, &buf));
+
+ /*
+ * SIDs in the S-1-22-{1,2} domain and well-known SIDs should be handled
+ * by our passdb.
+ */
if ( sid_check_is_in_unix_groups(sid) ||
sid_check_is_unix_groups(sid) ||
sid_check_is_in_unix_users(sid) ||
- sid_check_is_unix_users(sid) )
+ sid_check_is_unix_users(sid) ||
+ sid_check_is_our_sam(sid) ||
+ sid_check_is_in_our_sam(sid) )
{
return find_domain_from_sid(get_global_sam_sid());
}
- /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
- * one to contact the external DC's. On member servers the internal
- * domains are different: These are part of the local SAM. */
+ if ( sid_check_is_builtin(sid) ||
+ sid_check_is_in_builtin(sid) ||
+ sid_check_is_wellknown_domain(sid, NULL) ||
+ sid_check_is_in_wellknown_domain(sid) )
+ {
+ return find_domain_from_sid(&global_sid_Builtin);
+ }
+
+ if (IS_DC) {
+ struct winbindd_domain *domain = NULL;
- DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
+ domain = find_domain_from_sid_noinit(sid);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
- if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
- DEBUG(10, ("calling find_domain_from_sid\n"));
- return find_domain_from_sid(sid);
+ return domain->routing_domain;
}
/* On a member server a query for SID or name can always go to our
struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
{
+ bool predefined;
+
if ( strequal(domain_name, unix_users_domain_name() ) ||
strequal(domain_name, unix_groups_domain_name() ) )
{
/*
- * The "Unix User" and "Unix Group" domain our handled by
+ * The "Unix User" and "Unix Group" domain are handled by
* passdb
*/
return find_domain_from_name_noinit( get_global_sam_name() );
}
- if (IS_DC || strequal(domain_name, "BUILTIN") ||
- strequal(domain_name, get_global_sam_name()))
+ if (strequal(domain_name, "BUILTIN") ||
+ strequal(domain_name, get_global_sam_name())) {
return find_domain_from_name_noinit(domain_name);
+ }
+ predefined = dom_sid_lookup_is_predefined_domain(domain_name);
+ if (predefined) {
+ return find_domain_from_name_noinit(builtin_domain_name());
+ }
+
+ if (IS_DC) {
+ struct winbindd_domain *domain = NULL;
+
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return domain->routing_domain;
+ }
return find_our_domain();
}
if ( !strequal(lp_workgroup(), domain) )
return False;
- if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
+ if ( lp_winbind_use_default_domain() )
return True;
}
return False;
}
-/* Parse a string of the form DOMAIN\user into a domain and a user */
-
-bool parse_domain_user(const char *domuser, fstring domain, fstring user)
+/* Parse a DOMAIN\user or UPN string into a domain, namespace and a user */
+bool parse_domain_user(TALLOC_CTX *ctx,
+ const char *domuser,
+ char **pnamespace,
+ char **pdomain,
+ char **puser)
{
- char *p = strchr(domuser,*lp_winbind_separator());
+ char *p = NULL;
+ char *namespace = NULL;
+ char *domain = NULL;
+ char *user = NULL;
+
+ if (strlen(domuser) == 0) {
+ return false;
+ }
- if ( !p ) {
- fstrcpy(user, domuser);
+ p = strchr(domuser, *lp_winbind_separator());
+ if (p != NULL) {
+ user = talloc_strdup(ctx, p + 1);
+ if (user == NULL) {
+ goto fail;
+ }
+ domain = talloc_strdup(ctx,
+ domuser);
+ if (domain == NULL) {
+ goto fail;
+ }
+ domain[PTR_DIFF(p, domuser)] = '\0';
+ namespace = talloc_strdup(ctx, domain);
+ if (namespace == NULL) {
+ goto fail;
+ }
+ } else {
+ user = talloc_strdup(ctx, domuser);
+ if (user == NULL) {
+ goto fail;
+ }
p = strchr(domuser, '@');
+ if (p != NULL) {
+ /* upn */
+ namespace = talloc_strdup(ctx, p + 1);
+ if (namespace == NULL) {
+ goto fail;
+ }
+ domain = talloc_strdup(ctx, "");
+ if (domain == NULL) {
+ goto fail;
+ }
- if ( assume_domain(lp_workgroup()) && p == NULL) {
- fstrcpy(domain, lp_workgroup());
- } else if (p != NULL) {
- fstrcpy(domain, p + 1);
- user[PTR_DIFF(p, domuser)] = 0;
+ } else if (assume_domain(lp_workgroup())) {
+ domain = talloc_strdup(ctx, lp_workgroup());
+ if (domain == NULL) {
+ goto fail;
+ }
+ namespace = talloc_strdup(ctx, domain);
+ if (namespace == NULL) {
+ goto fail;
+ }
} else {
- return False;
+ namespace = talloc_strdup(ctx, lp_netbios_name());
+ if (namespace == NULL) {
+ goto fail;
+ }
+ domain = talloc_strdup(ctx, "");
+ if (domain == NULL) {
+ goto fail;
+ }
}
- } else {
- fstrcpy(user, p+1);
- fstrcpy(domain, domuser);
- domain[PTR_DIFF(p, domuser)] = 0;
}
- return strupper_m(domain);
+ if (!strupper_m(domain)) {
+ goto fail;
+ }
+
+ *pnamespace = namespace;
+ *pdomain = domain;
+ *puser = user;
+ return true;
+fail:
+ TALLOC_FREE(user);
+ TALLOC_FREE(domain);
+ TALLOC_FREE(namespace);
+ return false;
}
-bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
- char **domain, char **user)
+bool canonicalize_username(TALLOC_CTX *mem_ctx,
+ char **pusername_inout,
+ char **pnamespace,
+ char **pdomain,
+ char **puser)
{
- fstring fstr_domain, fstr_user;
- if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
- return False;
- }
- *domain = talloc_strdup(mem_ctx, fstr_domain);
- *user = talloc_strdup(mem_ctx, fstr_user);
- return ((*domain != NULL) && (*user != NULL));
-}
+ bool ok;
+ char *namespace = NULL;
+ char *domain = NULL;
+ char *user = NULL;
+ char *username_inout = NULL;
-/* Ensure an incoming username from NSS is fully qualified. Replace the
- incoming fstring with DOMAIN <separator> user. Returns the same
- values as parse_domain_user() but also replaces the incoming username.
- Used to ensure all names are fully qualified within winbindd.
- Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
- The protocol definitions of auth_crap, chng_pswd_auth_crap
- really should be changed to use this instead of doing things
- by hand. JRA. */
+ ok = parse_domain_user(mem_ctx,
+ *pusername_inout,
+ &namespace, &domain, &user);
-bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
-{
- if (!parse_domain_user(username_inout, domain, user)) {
+ if (!ok) {
return False;
}
- slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
+
+ username_inout = talloc_asprintf(mem_ctx, "%s%c%s",
domain, *lp_winbind_separator(),
user);
+
+ if (username_inout == NULL) {
+ goto fail;
+ }
+
+ *pnamespace = namespace;
+ *puser = user;
+ *pdomain = domain;
+ *pusername_inout = username_inout;
return True;
+fail:
+ TALLOC_FREE(username_inout);
+ TALLOC_FREE(namespace);
+ TALLOC_FREE(domain);
+ TALLOC_FREE(user);
+ return false;
}
/*
If we are a PDC or BDC, and this is for our domain, do likewise.
- Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
- username is then unqualified in unix
-
On an AD DC we always fill DOMAIN\\USERNAME.
We always canonicalize as UPPERCASE DOMAIN, lowercase username.
*/
-void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
-{
- fstring tmp_user;
-
- if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
- can_assume = false;
- }
-
- fstrcpy(tmp_user, user);
- (void)strlower_m(tmp_user);
-
- if (can_assume && assume_domain(domain)) {
- strlcpy(name, tmp_user, sizeof(fstring));
- } else {
- slprintf(name, sizeof(fstring) - 1, "%s%c%s",
- domain, *lp_winbind_separator(),
- tmp_user);
- }
-}
-
/**
* talloc version of fill_domain_username()
* return NULL on talloc failure.
can_assume = false;
}
+ if (user == NULL) {
+ return NULL;
+ }
+
tmp_user = talloc_strdup(mem_ctx, user);
+ if (tmp_user == NULL) {
+ return NULL;
+ }
if (!strlower_m(tmp_user)) {
TALLOC_FREE(tmp_user);
return NULL;
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
- if (info3->base.groups.count == 0) {
- TALLOC_FREE(info3);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
/*
* Before bug #7843 the "Domain Local" groups were added with a
* lookupuseraliases call, but this isn't done anymore for our domain
********************************************************************/
NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
- struct winbindd_domain *domain,
+ const char *domain_name,
const char *name,
char **normalized)
{
+ struct winbindd_domain *domain = NULL;
NTSTATUS nt_status;
if (!name || !normalized) {
return NT_STATUS_PROCEDURE_NOT_FOUND;
}
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ DBG_ERR("Failed to find domain '%s'\n", domain_name);
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ }
+
/* Alias support and whitespace replacement are mutually
exclusive */
********************************************************************/
NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
- char *name,
+ const char *name,
char **normalized)
{
NTSTATUS nt_status;
return ret;
}
-/*********************************************************************
- ********************************************************************/
-
-bool winbindd_internal_child(struct winbindd_child *child)
-{
- if ((child == idmap_child()) || (child == locator_child())) {
- return True;
- }
-
- return False;
-}
-
#ifdef HAVE_KRB5_LOCATE_PLUGIN_H
/*********************************************************************
return;
}
- if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
- domain->alt_name) == -1) {
+ var = talloc_asprintf_strupper_m(
+ talloc_tos(),
+ "%s_%s",
+ WINBINDD_LOCATOR_KDC_ADDRESS,
+ domain->alt_name);
+ if (var == NULL) {
return;
}
var, kdc));
setenv(var, kdc, 1);
- free(var);
+ TALLOC_FREE(var);
}
/*********************************************************************
return;
}
- if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
- domain->alt_name) == -1) {
+ var = talloc_asprintf_strupper_m(
+ talloc_tos(),
+ "%s_%s",
+ WINBINDD_LOCATOR_KDC_ADDRESS,
+ domain->alt_name);
+ if (var == NULL) {
return;
}
unsetenv(var);
- free(var);
+ TALLOC_FREE(var);
}
#else
void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
{
+ /*
+ * Make sure we start with authoritative=true,
+ * it will only set to false if we don't know the
+ * domain.
+ */
+ resp->data.auth.authoritative = true;
+
resp->data.auth.nt_status = NT_STATUS_V(result);
fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
bool is_domain_offline(const struct winbindd_domain *domain)
{
- if (!lp_winbind_offline_logon()) {
- return false;
- }
if (get_global_winbindd_state_offline()) {
return true;
}
struct unixid xid;
unsigned long long id;
char *endp;
+ int error = 0;
switch (p[0]) {
case 'U':
p += 1;
- id = strtoull(p, &endp, 10);
- if ((id == ULLONG_MAX) && (errno == ERANGE)) {
+ id = smb_strtoull(p, &endp, 10, &error, SMB_STR_STANDARD);
+ if (error != 0) {
goto fail;
}
if (*endp != '\n') {
git.samba.org / metze / samba-autobuild / .git / blobdiff