2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2002
7 Copyright (C) Volker Lendecke 2004,2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * We fork a child per domain to be able to act non-blocking in the main
25 * winbind daemon. A domain controller thousands of miles away being being
26 * slow replying with a 10.000 user list should not hold up netlogon calls
27 * that can be handled locally.
32 #include "nsswitch/wb_reqtrans.h"
34 #include "../lib/util/select.h"
35 #include "../libcli/security/security.h"
36 #include "system/select.h"
40 #define DBGC_CLASS DBGC_WINBIND
42 extern bool override_logfile;
43 extern struct winbindd_methods cache_methods;
45 /* Read some data from a client connection */
47 static NTSTATUS child_read_request(struct winbindd_cli_state *state)
53 status = read_data(state->sock, (char *)state->request,
54 sizeof(*state->request));
56 if (!NT_STATUS_IS_OK(status)) {
57 DEBUG(3, ("child_read_request: read_data failed: %s\n",
62 if (state->request->extra_len == 0) {
63 state->request->extra_data.data = NULL;
67 DEBUG(10, ("Need to read %d extra bytes\n", (int)state->request->extra_len));
69 state->request->extra_data.data =
70 SMB_MALLOC_ARRAY(char, state->request->extra_len + 1);
72 if (state->request->extra_data.data == NULL) {
73 DEBUG(0, ("malloc failed\n"));
74 return NT_STATUS_NO_MEMORY;
77 /* Ensure null termination */
78 state->request->extra_data.data[state->request->extra_len] = '\0';
80 status= read_data(state->sock, state->request->extra_data.data,
81 state->request->extra_len);
83 if (!NT_STATUS_IS_OK(status)) {
84 DEBUG(0, ("Could not read extra data: %s\n",
91 * Do winbind child async request. This is not simply wb_simple_trans. We have
92 * to do the queueing ourselves because while a request is queued, the child
93 * might have crashed, and we have to re-fork it in the _trigger function.
96 struct wb_child_request_state {
97 struct tevent_context *ev;
98 struct winbindd_child *child;
99 struct winbindd_request *request;
100 struct winbindd_response *response;
103 static bool fork_domain_child(struct winbindd_child *child);
105 static void wb_child_request_trigger(struct tevent_req *req,
107 static void wb_child_request_done(struct tevent_req *subreq);
109 struct tevent_req *wb_child_request_send(TALLOC_CTX *mem_ctx,
110 struct tevent_context *ev,
111 struct winbindd_child *child,
112 struct winbindd_request *request)
114 struct tevent_req *req;
115 struct wb_child_request_state *state;
117 req = tevent_req_create(mem_ctx, &state,
118 struct wb_child_request_state);
124 state->child = child;
125 state->request = request;
127 if (!tevent_queue_add(child->queue, ev, req,
128 wb_child_request_trigger, NULL)) {
129 tevent_req_nomem(NULL, req);
130 return tevent_req_post(req, ev);
135 static void wb_child_request_trigger(struct tevent_req *req,
138 struct wb_child_request_state *state = tevent_req_data(
139 req, struct wb_child_request_state);
140 struct tevent_req *subreq;
142 if ((state->child->sock == -1) && (!fork_domain_child(state->child))) {
143 tevent_req_error(req, errno);
147 subreq = wb_simple_trans_send(state, winbind_event_context(), NULL,
148 state->child->sock, state->request);
149 if (tevent_req_nomem(subreq, req)) {
152 tevent_req_set_callback(subreq, wb_child_request_done, req);
153 tevent_req_set_endtime(req, state->ev, timeval_current_ofs(300, 0));
156 static void wb_child_request_done(struct tevent_req *subreq)
158 struct tevent_req *req = tevent_req_callback_data(
159 subreq, struct tevent_req);
160 struct wb_child_request_state *state = tevent_req_data(
161 req, struct wb_child_request_state);
164 ret = wb_simple_trans_recv(subreq, state, &state->response, &err);
168 * The basic parent/child communication broke, close
171 close(state->child->sock);
172 state->child->sock = -1;
173 tevent_req_error(req, err);
176 tevent_req_done(req);
179 int wb_child_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
180 struct winbindd_response **presponse, int *err)
182 struct wb_child_request_state *state = tevent_req_data(
183 req, struct wb_child_request_state);
185 if (tevent_req_is_unix_error(req, err)) {
188 *presponse = talloc_move(mem_ctx, &state->response);
192 static bool winbindd_child_busy(struct winbindd_child *child)
194 return tevent_queue_length(child->queue) > 0;
197 static struct winbindd_child *find_idle_child(struct winbindd_domain *domain)
201 for (i=0; i<lp_winbind_max_domain_connections(); i++) {
202 if (!winbindd_child_busy(&domain->children[i])) {
203 return &domain->children[i];
210 struct winbindd_child *choose_domain_child(struct winbindd_domain *domain)
212 struct winbindd_child *result;
214 result = find_idle_child(domain);
215 if (result != NULL) {
218 return &domain->children[rand() % lp_winbind_max_domain_connections()];
221 struct dcerpc_binding_handle *dom_child_handle(struct winbindd_domain *domain)
223 struct winbindd_child *child;
225 child = choose_domain_child(domain);
226 return child->binding_handle;
229 struct wb_domain_request_state {
230 struct tevent_context *ev;
231 struct winbindd_domain *domain;
232 struct winbindd_child *child;
233 struct winbindd_request *request;
234 struct winbindd_request *init_req;
235 struct winbindd_response *response;
238 static void wb_domain_request_gotdc(struct tevent_req *subreq);
239 static void wb_domain_request_initialized(struct tevent_req *subreq);
240 static void wb_domain_request_done(struct tevent_req *subreq);
242 struct tevent_req *wb_domain_request_send(TALLOC_CTX *mem_ctx,
243 struct tevent_context *ev,
244 struct winbindd_domain *domain,
245 struct winbindd_request *request)
247 struct tevent_req *req, *subreq;
248 struct wb_domain_request_state *state;
250 req = tevent_req_create(mem_ctx, &state,
251 struct wb_domain_request_state);
256 state->child = choose_domain_child(domain);
258 if (domain->initialized) {
259 subreq = wb_child_request_send(state, ev, state->child,
261 if (tevent_req_nomem(subreq, req)) {
262 return tevent_req_post(req, ev);
264 tevent_req_set_callback(subreq, wb_domain_request_done, req);
268 state->domain = domain;
270 state->request = request;
272 state->init_req = talloc_zero(state, struct winbindd_request);
273 if (tevent_req_nomem(state->init_req, req)) {
274 return tevent_req_post(req, ev);
277 if (IS_DC || domain->primary || domain->internal) {
278 /* The primary domain has to find the DC name itself */
279 state->init_req->cmd = WINBINDD_INIT_CONNECTION;
280 fstrcpy(state->init_req->domain_name, domain->name);
281 state->init_req->data.init_conn.is_primary = domain->primary;
282 fstrcpy(state->init_req->data.init_conn.dcname, "");
284 subreq = wb_child_request_send(state, ev, state->child,
286 if (tevent_req_nomem(subreq, req)) {
287 return tevent_req_post(req, ev);
289 tevent_req_set_callback(subreq, wb_domain_request_initialized,
295 * Ask our DC for a DC name
297 domain = find_our_domain();
299 /* This is *not* the primary domain, let's ask our DC about a DC
302 state->init_req->cmd = WINBINDD_GETDCNAME;
303 fstrcpy(state->init_req->domain_name, domain->name);
305 subreq = wb_child_request_send(state, ev, state->child, request);
306 if (tevent_req_nomem(subreq, req)) {
307 return tevent_req_post(req, ev);
309 tevent_req_set_callback(subreq, wb_domain_request_gotdc, req);
313 static void wb_domain_request_gotdc(struct tevent_req *subreq)
315 struct tevent_req *req = tevent_req_callback_data(
316 subreq, struct tevent_req);
317 struct wb_domain_request_state *state = tevent_req_data(
318 req, struct wb_domain_request_state);
319 struct winbindd_response *response;
322 ret = wb_child_request_recv(subreq, talloc_tos(), &response, &err);
325 tevent_req_error(req, err);
328 state->init_req->cmd = WINBINDD_INIT_CONNECTION;
329 fstrcpy(state->init_req->domain_name, state->domain->name);
330 state->init_req->data.init_conn.is_primary = False;
331 fstrcpy(state->init_req->data.init_conn.dcname,
332 response->data.dc_name);
334 TALLOC_FREE(response);
336 subreq = wb_child_request_send(state, state->ev, state->child,
338 if (tevent_req_nomem(subreq, req)) {
341 tevent_req_set_callback(subreq, wb_domain_request_initialized, req);
344 static void wb_domain_request_initialized(struct tevent_req *subreq)
346 struct tevent_req *req = tevent_req_callback_data(
347 subreq, struct tevent_req);
348 struct wb_domain_request_state *state = tevent_req_data(
349 req, struct wb_domain_request_state);
350 struct winbindd_response *response;
353 ret = wb_child_request_recv(subreq, talloc_tos(), &response, &err);
356 tevent_req_error(req, err);
360 if (!string_to_sid(&state->domain->sid,
361 response->data.domain_info.sid)) {
362 DEBUG(1,("init_child_recv: Could not convert sid %s "
363 "from string\n", response->data.domain_info.sid));
364 tevent_req_error(req, EINVAL);
367 fstrcpy(state->domain->name, response->data.domain_info.name);
368 fstrcpy(state->domain->alt_name, response->data.domain_info.alt_name);
369 state->domain->native_mode = response->data.domain_info.native_mode;
370 state->domain->active_directory =
371 response->data.domain_info.active_directory;
372 state->domain->initialized = true;
374 TALLOC_FREE(response);
376 subreq = wb_child_request_send(state, state->ev, state->child,
378 if (tevent_req_nomem(subreq, req)) {
381 tevent_req_set_callback(subreq, wb_domain_request_done, req);
384 static void wb_domain_request_done(struct tevent_req *subreq)
386 struct tevent_req *req = tevent_req_callback_data(
387 subreq, struct tevent_req);
388 struct wb_domain_request_state *state = tevent_req_data(
389 req, struct wb_domain_request_state);
392 ret = wb_child_request_recv(subreq, talloc_tos(), &state->response,
396 tevent_req_error(req, err);
399 tevent_req_done(req);
402 int wb_domain_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
403 struct winbindd_response **presponse, int *err)
405 struct wb_domain_request_state *state = tevent_req_data(
406 req, struct wb_domain_request_state);
408 if (tevent_req_is_unix_error(req, err)) {
411 *presponse = talloc_move(mem_ctx, &state->response);
415 static void child_process_request(struct winbindd_child *child,
416 struct winbindd_cli_state *state)
418 struct winbindd_domain *domain = child->domain;
419 const struct winbindd_child_dispatch_table *table = child->table;
421 /* Free response data - we may be interrupted and receive another
422 command before being able to send this data off. */
424 state->response->result = WINBINDD_ERROR;
425 state->response->length = sizeof(struct winbindd_response);
427 /* as all requests in the child are sync, we can use talloc_tos() */
428 state->mem_ctx = talloc_tos();
430 /* Process command */
432 for (; table->name; table++) {
433 if (state->request->cmd == table->struct_cmd) {
434 DEBUG(10,("child_process_request: request fn %s\n",
436 state->response->result = table->struct_fn(domain, state);
441 DEBUG(1, ("child_process_request: unknown request fn number %d\n",
442 (int)state->request->cmd));
443 state->response->result = WINBINDD_ERROR;
446 void setup_child(struct winbindd_domain *domain, struct winbindd_child *child,
447 const struct winbindd_child_dispatch_table *table,
448 const char *logprefix,
451 if (logprefix && logname) {
452 char *logbase = NULL;
457 if (asprintf(&logbase, "%s", lp_logfile()) < 0) {
458 smb_panic("Internal error: asprintf failed");
461 if ((end = strrchr_m(logbase, '/'))) {
465 if (asprintf(&logbase, "%s", get_dyn_LOGFILEBASE()) < 0) {
466 smb_panic("Internal error: asprintf failed");
470 if (asprintf(&child->logfilename, "%s/%s-%s",
471 logbase, logprefix, logname) < 0) {
473 smb_panic("Internal error: asprintf failed");
478 smb_panic("Internal error: logprefix == NULL && "
483 child->domain = domain;
484 child->table = table;
485 child->queue = tevent_queue_create(NULL, "winbind_child");
486 SMB_ASSERT(child->queue != NULL);
487 child->binding_handle = wbint_binding_handle(NULL, domain, child);
488 SMB_ASSERT(child->binding_handle != NULL);
491 static struct winbindd_child *winbindd_children = NULL;
493 void winbind_child_died(pid_t pid)
495 struct winbindd_child *child;
497 for (child = winbindd_children; child != NULL; child = child->next) {
498 if (child->pid == pid) {
504 DEBUG(5, ("Already reaped child %u died\n", (unsigned int)pid));
508 /* This will be re-added in fork_domain_child() */
510 DLIST_REMOVE(winbindd_children, child);
514 /* Ensure any negative cache entries with the netbios or realm names are removed. */
516 void winbindd_flush_negative_conn_cache(struct winbindd_domain *domain)
518 flush_negative_conn_cache_for_domain(domain->name);
519 if (*domain->alt_name) {
520 flush_negative_conn_cache_for_domain(domain->alt_name);
525 * Parent winbindd process sets its own debug level first and then
526 * sends a message to all the winbindd children to adjust their debug
527 * level to that of parents.
530 void winbind_msg_debug(struct messaging_context *msg_ctx,
533 struct server_id server_id,
536 struct winbindd_child *child;
538 DEBUG(10,("winbind_msg_debug: got debug message.\n"));
540 debug_message(msg_ctx, private_data, MSG_DEBUG, server_id, data);
542 for (child = winbindd_children; child != NULL; child = child->next) {
544 DEBUG(10,("winbind_msg_debug: sending message to pid %u.\n",
545 (unsigned int)child->pid));
547 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
550 strlen((char *) data->data) + 1);
554 /* Set our domains as offline and forward the offline message to our children. */
556 void winbind_msg_offline(struct messaging_context *msg_ctx,
559 struct server_id server_id,
562 struct winbindd_child *child;
563 struct winbindd_domain *domain;
565 DEBUG(10,("winbind_msg_offline: got offline message.\n"));
567 if (!lp_winbind_offline_logon()) {
568 DEBUG(10,("winbind_msg_offline: rejecting offline message.\n"));
572 /* Set our global state as offline. */
573 if (!set_global_winbindd_state_offline()) {
574 DEBUG(10,("winbind_msg_offline: offline request failed.\n"));
578 /* Set all our domains as offline. */
579 for (domain = domain_list(); domain; domain = domain->next) {
580 if (domain->internal) {
583 DEBUG(5,("winbind_msg_offline: marking %s offline.\n", domain->name));
584 set_domain_offline(domain);
587 for (child = winbindd_children; child != NULL; child = child->next) {
588 /* Don't send message to internal children. We've already
590 if (!child->domain || winbindd_internal_child(child)) {
594 /* Or internal domains (this should not be possible....) */
595 if (child->domain->internal) {
599 /* Each winbindd child should only process requests for one domain - make sure
600 we only set it online / offline for that domain. */
602 DEBUG(10,("winbind_msg_offline: sending message to pid %u for domain %s.\n",
603 (unsigned int)child->pid, domain->name ));
605 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
607 (uint8 *)child->domain->name,
608 strlen(child->domain->name)+1);
612 /* Set our domains as online and forward the online message to our children. */
614 void winbind_msg_online(struct messaging_context *msg_ctx,
617 struct server_id server_id,
620 struct winbindd_child *child;
621 struct winbindd_domain *domain;
623 DEBUG(10,("winbind_msg_online: got online message.\n"));
625 if (!lp_winbind_offline_logon()) {
626 DEBUG(10,("winbind_msg_online: rejecting online message.\n"));
630 /* Set our global state as online. */
631 set_global_winbindd_state_online();
633 smb_nscd_flush_user_cache();
634 smb_nscd_flush_group_cache();
636 /* Set all our domains as online. */
637 for (domain = domain_list(); domain; domain = domain->next) {
638 if (domain->internal) {
641 DEBUG(5,("winbind_msg_online: requesting %s to go online.\n", domain->name));
643 winbindd_flush_negative_conn_cache(domain);
644 set_domain_online_request(domain);
646 /* Send an online message to the idmap child when our
647 primary domain comes back online */
649 if ( domain->primary ) {
650 struct winbindd_child *idmap = idmap_child();
652 if ( idmap->pid != 0 ) {
653 messaging_send_buf(msg_ctx,
654 pid_to_procid(idmap->pid),
656 (uint8 *)domain->name,
657 strlen(domain->name)+1);
662 for (child = winbindd_children; child != NULL; child = child->next) {
663 /* Don't send message to internal childs. */
664 if (!child->domain || winbindd_internal_child(child)) {
668 /* Or internal domains (this should not be possible....) */
669 if (child->domain->internal) {
673 /* Each winbindd child should only process requests for one domain - make sure
674 we only set it online / offline for that domain. */
676 DEBUG(10,("winbind_msg_online: sending message to pid %u for domain %s.\n",
677 (unsigned int)child->pid, child->domain->name ));
679 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
681 (uint8 *)child->domain->name,
682 strlen(child->domain->name)+1);
686 static const char *collect_onlinestatus(TALLOC_CTX *mem_ctx)
688 struct winbindd_domain *domain;
691 if ((buf = talloc_asprintf(mem_ctx, "global:%s ",
692 get_global_winbindd_state_offline() ?
693 "Offline":"Online")) == NULL) {
697 for (domain = domain_list(); domain; domain = domain->next) {
698 if ((buf = talloc_asprintf_append_buffer(buf, "%s:%s ",
701 "Online":"Offline")) == NULL) {
706 buf = talloc_asprintf_append_buffer(buf, "\n");
708 DEBUG(5,("collect_onlinestatus: %s", buf));
713 void winbind_msg_onlinestatus(struct messaging_context *msg_ctx,
716 struct server_id server_id,
721 struct server_id *sender;
723 DEBUG(5,("winbind_msg_onlinestatus received.\n"));
729 sender = (struct server_id *)data->data;
731 mem_ctx = talloc_init("winbind_msg_onlinestatus");
732 if (mem_ctx == NULL) {
736 message = collect_onlinestatus(mem_ctx);
737 if (message == NULL) {
738 talloc_destroy(mem_ctx);
742 messaging_send_buf(msg_ctx, *sender, MSG_WINBIND_ONLINESTATUS,
743 (uint8 *)message, strlen(message) + 1);
745 talloc_destroy(mem_ctx);
748 void winbind_msg_dump_event_list(struct messaging_context *msg_ctx,
751 struct server_id server_id,
754 struct winbindd_child *child;
756 DEBUG(10,("winbind_msg_dump_event_list received\n"));
758 dump_event_list(winbind_event_context());
760 for (child = winbindd_children; child != NULL; child = child->next) {
762 DEBUG(10,("winbind_msg_dump_event_list: sending message to pid %u\n",
763 (unsigned int)child->pid));
765 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
772 void winbind_msg_dump_domain_list(struct messaging_context *msg_ctx,
775 struct server_id server_id,
779 const char *message = NULL;
780 struct server_id *sender = NULL;
781 const char *domain = NULL;
784 struct winbindd_domain *dom = NULL;
786 DEBUG(5,("winbind_msg_dump_domain_list received.\n"));
788 if (!data || !data->data) {
792 if (data->length < sizeof(struct server_id)) {
796 mem_ctx = talloc_init("winbind_msg_dump_domain_list");
801 sender = (struct server_id *)data->data;
802 if (data->length > sizeof(struct server_id)) {
803 domain = (const char *)data->data+sizeof(struct server_id);
808 DEBUG(5,("winbind_msg_dump_domain_list for domain: %s\n",
811 message = NDR_PRINT_STRUCT_STRING(mem_ctx, winbindd_domain,
812 find_domain_from_name_noinit(domain));
814 talloc_destroy(mem_ctx);
818 messaging_send_buf(msg_ctx, *sender,
819 MSG_WINBIND_DUMP_DOMAIN_LIST,
820 (uint8_t *)message, strlen(message) + 1);
822 talloc_destroy(mem_ctx);
827 DEBUG(5,("winbind_msg_dump_domain_list all domains\n"));
829 for (dom = domain_list(); dom; dom=dom->next) {
830 message = NDR_PRINT_STRUCT_STRING(mem_ctx, winbindd_domain, dom);
832 talloc_destroy(mem_ctx);
836 s = talloc_asprintf_append(s, "%s\n", message);
838 talloc_destroy(mem_ctx);
843 status = messaging_send_buf(msg_ctx, *sender,
844 MSG_WINBIND_DUMP_DOMAIN_LIST,
845 (uint8_t *)s, strlen(s) + 1);
846 if (!NT_STATUS_IS_OK(status)) {
847 DEBUG(0,("failed to send message: %s\n",
851 talloc_destroy(mem_ctx);
854 static void account_lockout_policy_handler(struct event_context *ctx,
855 struct timed_event *te,
859 struct winbindd_child *child =
860 (struct winbindd_child *)private_data;
861 TALLOC_CTX *mem_ctx = NULL;
862 struct winbindd_methods *methods;
863 struct samr_DomInfo12 lockout_policy;
866 DEBUG(10,("account_lockout_policy_handler called\n"));
868 TALLOC_FREE(child->lockout_policy_event);
870 if ( !winbindd_can_contact_domain( child->domain ) ) {
871 DEBUG(10,("account_lockout_policy_handler: Removing myself since I "
872 "do not have an incoming trust to domain %s\n",
873 child->domain->name));
878 methods = child->domain->methods;
880 mem_ctx = talloc_init("account_lockout_policy_handler ctx");
882 result = NT_STATUS_NO_MEMORY;
884 result = methods->lockout_policy(child->domain, mem_ctx, &lockout_policy);
886 TALLOC_FREE(mem_ctx);
888 if (!NT_STATUS_IS_OK(result)) {
889 DEBUG(10,("account_lockout_policy_handler: lockout_policy failed error %s\n",
893 child->lockout_policy_event = event_add_timed(winbind_event_context(), NULL,
894 timeval_current_ofs(3600, 0),
895 account_lockout_policy_handler,
899 static time_t get_machine_password_timeout(void)
901 /* until we have gpo support use lp setting */
902 return lp_machine_password_timeout();
905 static bool calculate_next_machine_pwd_change(const char *domain,
908 time_t pass_last_set_time;
914 pw = secrets_fetch_machine_password(domain,
919 DEBUG(0,("cannot fetch own machine password ????"));
925 timeout = get_machine_password_timeout();
927 DEBUG(10,("machine password never expires\n"));
931 tv.tv_sec = pass_last_set_time;
932 DEBUG(10, ("password last changed %s\n",
933 timeval_string(talloc_tos(), &tv, false)));
934 tv.tv_sec += timeout;
935 DEBUGADD(10, ("password valid until %s\n",
936 timeval_string(talloc_tos(), &tv, false)));
938 if (time(NULL) < (pass_last_set_time + timeout)) {
939 next_change = pass_last_set_time + timeout;
940 DEBUG(10,("machine password still valid until: %s\n",
941 http_timestring(talloc_tos(), next_change)));
942 *t = timeval_set(next_change, 0);
944 if (lp_clustering()) {
947 * When having a cluster, we have several
948 * winbinds racing for the password change. In
949 * the machine_password_change_handler()
950 * function we check if someone else was
951 * faster when the event triggers. We add a
952 * 255-second random delay here, so that we
953 * don't run to change the password at the
956 generate_random_buffer(&randbuf, sizeof(randbuf));
957 DEBUG(10, ("adding %d seconds randomness\n",
959 t->tv_sec += randbuf;
964 DEBUG(10,("machine password expired, needs immediate change\n"));
971 static void machine_password_change_handler(struct event_context *ctx,
972 struct timed_event *te,
976 struct winbindd_child *child =
977 (struct winbindd_child *)private_data;
978 struct rpc_pipe_client *netlogon_pipe = NULL;
981 struct timeval next_change;
983 DEBUG(10,("machine_password_change_handler called\n"));
985 TALLOC_FREE(child->machine_password_change_event);
987 if (!calculate_next_machine_pwd_change(child->domain->name,
989 DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
993 DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
994 timeval_string(talloc_tos(), &next_change, false)));
996 if (!timeval_expired(&next_change)) {
997 DEBUG(10, ("Someone else has already changed the pw\n"));
1001 if (!winbindd_can_contact_domain(child->domain)) {
1002 DEBUG(10,("machine_password_change_handler: Removing myself since I "
1003 "do not have an incoming trust to domain %s\n",
1004 child->domain->name));
1008 result = cm_connect_netlogon(child->domain, &netlogon_pipe);
1009 if (!NT_STATUS_IS_OK(result)) {
1010 DEBUG(10,("machine_password_change_handler: "
1011 "failed to connect netlogon pipe: %s\n",
1012 nt_errstr(result)));
1016 frame = talloc_stackframe();
1018 result = trust_pw_find_change_and_store_it(netlogon_pipe,
1020 child->domain->name);
1023 DEBUG(10, ("machine_password_change_handler: "
1024 "trust_pw_find_change_and_store_it returned %s\n",
1025 nt_errstr(result)));
1027 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1028 DEBUG(3,("machine_password_change_handler: password set returned "
1029 "ACCESS_DENIED. Maybe the trust account "
1030 "password was changed and we didn't know it. "
1031 "Killing connections to domain %s\n",
1032 child->domain->name));
1033 TALLOC_FREE(child->domain->conn.netlogon_pipe);
1036 if (!calculate_next_machine_pwd_change(child->domain->name,
1038 DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
1042 DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
1043 timeval_string(talloc_tos(), &next_change, false)));
1045 if (!NT_STATUS_IS_OK(result)) {
1048 * In case of failure, give the DC a minute to recover
1050 tmp = timeval_current_ofs(60, 0);
1051 next_change = timeval_max(&next_change, &tmp);
1055 child->machine_password_change_event = event_add_timed(winbind_event_context(), NULL,
1057 machine_password_change_handler,
1061 /* Deal with a request to go offline. */
1063 static void child_msg_offline(struct messaging_context *msg,
1066 struct server_id server_id,
1069 struct winbindd_domain *domain;
1070 struct winbindd_domain *primary_domain = NULL;
1071 const char *domainname = (const char *)data->data;
1073 if (data->data == NULL || data->length == 0) {
1077 DEBUG(5,("child_msg_offline received for domain %s.\n", domainname));
1079 if (!lp_winbind_offline_logon()) {
1080 DEBUG(10,("child_msg_offline: rejecting offline message.\n"));
1084 primary_domain = find_our_domain();
1086 /* Mark the requested domain offline. */
1088 for (domain = domain_list(); domain; domain = domain->next) {
1089 if (domain->internal) {
1092 if (strequal(domain->name, domainname)) {
1093 DEBUG(5,("child_msg_offline: marking %s offline.\n", domain->name));
1094 set_domain_offline(domain);
1095 /* we are in the trusted domain, set the primary domain
1097 if (domain != primary_domain) {
1098 set_domain_offline(primary_domain);
1104 /* Deal with a request to go online. */
1106 static void child_msg_online(struct messaging_context *msg,
1109 struct server_id server_id,
1112 struct winbindd_domain *domain;
1113 struct winbindd_domain *primary_domain = NULL;
1114 const char *domainname = (const char *)data->data;
1116 if (data->data == NULL || data->length == 0) {
1120 DEBUG(5,("child_msg_online received for domain %s.\n", domainname));
1122 if (!lp_winbind_offline_logon()) {
1123 DEBUG(10,("child_msg_online: rejecting online message.\n"));
1127 primary_domain = find_our_domain();
1129 /* Set our global state as online. */
1130 set_global_winbindd_state_online();
1132 /* Try and mark everything online - delete any negative cache entries
1133 to force a reconnect now. */
1135 for (domain = domain_list(); domain; domain = domain->next) {
1136 if (domain->internal) {
1139 if (strequal(domain->name, domainname)) {
1140 DEBUG(5,("child_msg_online: requesting %s to go online.\n", domain->name));
1141 winbindd_flush_negative_conn_cache(domain);
1142 set_domain_online_request(domain);
1144 /* we can be in trusted domain, which will contact primary domain
1145 * we have to bring primary domain online in trusted domain process
1146 * see, winbindd_dual_pam_auth() --> winbindd_dual_pam_auth_samlogon()
1147 * --> contact_domain = find_our_domain()
1149 if (domain != primary_domain) {
1150 winbindd_flush_negative_conn_cache(primary_domain);
1151 set_domain_online_request(primary_domain);
1157 static void child_msg_dump_event_list(struct messaging_context *msg,
1160 struct server_id server_id,
1163 DEBUG(5,("child_msg_dump_event_list received\n"));
1165 dump_event_list(winbind_event_context());
1168 bool winbindd_reinit_after_fork(const char *logfilename)
1170 struct winbindd_domain *domain;
1171 struct winbindd_child *cl;
1174 status = reinit_after_fork(
1175 winbind_messaging_context(),
1176 winbind_event_context(),
1179 if (!NT_STATUS_IS_OK(status)) {
1180 DEBUG(0,("reinit_after_fork() failed\n"));
1184 close_conns_after_fork();
1186 if (!override_logfile && logfilename) {
1187 lp_set_logfile(logfilename);
1191 if (!winbindd_setup_sig_term_handler(false))
1193 if (!winbindd_setup_sig_hup_handler(override_logfile ? NULL :
1197 /* Stop zombies in children */
1200 /* Don't handle the same messages as our parent. */
1201 messaging_deregister(winbind_messaging_context(),
1202 MSG_SMB_CONF_UPDATED, NULL);
1203 messaging_deregister(winbind_messaging_context(),
1204 MSG_SHUTDOWN, NULL);
1205 messaging_deregister(winbind_messaging_context(),
1206 MSG_WINBIND_OFFLINE, NULL);
1207 messaging_deregister(winbind_messaging_context(),
1208 MSG_WINBIND_ONLINE, NULL);
1209 messaging_deregister(winbind_messaging_context(),
1210 MSG_WINBIND_ONLINESTATUS, NULL);
1211 messaging_deregister(winbind_messaging_context(),
1212 MSG_DUMP_EVENT_LIST, NULL);
1213 messaging_deregister(winbind_messaging_context(),
1214 MSG_WINBIND_DUMP_DOMAIN_LIST, NULL);
1215 messaging_deregister(winbind_messaging_context(),
1218 /* We have destroyed all events in the winbindd_event_context
1219 * in reinit_after_fork(), so clean out all possible pending
1220 * event pointers. */
1222 /* Deal with check_online_events. */
1224 for (domain = domain_list(); domain; domain = domain->next) {
1225 TALLOC_FREE(domain->check_online_event);
1228 /* Ensure we're not handling a credential cache event inherited
1229 * from our parent. */
1231 ccache_remove_all_after_fork();
1233 /* Destroy all possible events in child list. */
1234 for (cl = winbindd_children; cl != NULL; cl = cl->next) {
1235 TALLOC_FREE(cl->lockout_policy_event);
1236 TALLOC_FREE(cl->machine_password_change_event);
1238 /* Children should never be able to send
1239 * each other messages, all messages must
1240 * go through the parent.
1245 * This is a little tricky, children must not
1246 * send an MSG_WINBIND_ONLINE message to idmap_child().
1247 * If we are in a child of our primary domain or
1248 * in the process created by fork_child_dc_connect(),
1249 * and the primary domain cannot go online,
1250 * fork_child_dc_connection() sends MSG_WINBIND_ONLINE
1251 * periodically to idmap_child().
1253 * The sequence is, fork_child_dc_connect() ---> getdcs() --->
1254 * get_dc_name_via_netlogon() ---> cm_connect_netlogon()
1255 * ---> init_dc_connection() ---> cm_open_connection --->
1256 * set_domain_online(), sends MSG_WINBIND_ONLINE to
1257 * idmap_child(). Disallow children sending messages
1258 * to each other, all messages must go through the parent.
1267 * In a child there will be only one domain, reference that here.
1269 static struct winbindd_domain *child_domain;
1271 struct winbindd_domain *wb_child_domain(void)
1273 return child_domain;
1276 static bool fork_domain_child(struct winbindd_child *child)
1279 struct winbindd_cli_state state;
1280 struct winbindd_request request;
1281 struct winbindd_response response;
1282 struct winbindd_domain *primary_domain = NULL;
1284 if (child->domain) {
1285 DEBUG(10, ("fork_domain_child called for domain '%s'\n",
1286 child->domain->name));
1288 DEBUG(10, ("fork_domain_child called without domain.\n"));
1291 if (socketpair(AF_UNIX, SOCK_STREAM, 0, fdpair) != 0) {
1292 DEBUG(0, ("Could not open child pipe: %s\n",
1298 state.pid = sys_getpid();
1299 state.request = &request;
1300 state.response = &response;
1302 child->pid = sys_fork();
1304 if (child->pid == -1) {
1305 DEBUG(0, ("Could not fork: %s\n", strerror(errno)));
1309 if (child->pid != 0) {
1312 child->next = child->prev = NULL;
1313 DLIST_ADD(winbindd_children, child);
1314 child->sock = fdpair[1];
1319 child_domain = child->domain;
1321 DEBUG(10, ("Child process %d\n", (int)sys_getpid()));
1323 state.sock = fdpair[0];
1326 if (!winbindd_reinit_after_fork(child->logfilename)) {
1330 /* Handle online/offline messages. */
1331 messaging_register(winbind_messaging_context(), NULL,
1332 MSG_WINBIND_OFFLINE, child_msg_offline);
1333 messaging_register(winbind_messaging_context(), NULL,
1334 MSG_WINBIND_ONLINE, child_msg_online);
1335 messaging_register(winbind_messaging_context(), NULL,
1336 MSG_DUMP_EVENT_LIST, child_msg_dump_event_list);
1337 messaging_register(winbind_messaging_context(), NULL,
1338 MSG_DEBUG, debug_message);
1339 messaging_register(winbind_messaging_context(), NULL,
1340 MSG_WINBIND_IP_DROPPED,
1341 winbind_msg_ip_dropped);
1344 primary_domain = find_our_domain();
1346 if (primary_domain == NULL) {
1347 smb_panic("no primary domain found");
1350 /* It doesn't matter if we allow cache login,
1351 * try to bring domain online after fork. */
1352 if ( child->domain ) {
1353 child->domain->startup = True;
1354 child->domain->startup_time = time_mono(NULL);
1355 /* we can be in primary domain or in trusted domain
1356 * If we are in trusted domain, set the primary domain
1357 * in start-up mode */
1358 if (!(child->domain->internal)) {
1359 set_domain_online_request(child->domain);
1360 if (!(child->domain->primary)) {
1361 primary_domain->startup = True;
1362 primary_domain->startup_time = time_mono(NULL);
1363 set_domain_online_request(primary_domain);
1369 * We are in idmap child, make sure that we set the
1370 * check_online_event to bring primary domain online.
1372 if (child == idmap_child()) {
1373 set_domain_online_request(primary_domain);
1376 /* We might be in the idmap child...*/
1377 if (child->domain && !(child->domain->internal) &&
1378 lp_winbind_offline_logon()) {
1380 set_domain_online_request(child->domain);
1382 if (primary_domain && (primary_domain != child->domain)) {
1383 /* We need to talk to the primary
1384 * domain as well as the trusted
1385 * domain inside a trusted domain
1388 * set_dc_type_and_flags_trustinfo()
1391 set_domain_online_request(primary_domain);
1394 child->lockout_policy_event = event_add_timed(
1395 winbind_event_context(), NULL, timeval_zero(),
1396 account_lockout_policy_handler,
1400 if (child->domain && child->domain->primary &&
1401 !USE_KERBEROS_KEYTAB &&
1402 lp_server_role() == ROLE_DOMAIN_MEMBER) {
1404 struct timeval next_change;
1406 if (calculate_next_machine_pwd_change(child->domain->name,
1408 child->machine_password_change_event = event_add_timed(
1409 winbind_event_context(), NULL, next_change,
1410 machine_password_change_handler,
1418 struct pollfd *pfds;
1423 TALLOC_CTX *frame = talloc_stackframe();
1424 struct iovec iov[2];
1428 if (run_events_poll(winbind_event_context(), 0, NULL, 0)) {
1433 if (child->domain && child->domain->startup &&
1434 (time_mono(NULL) > child->domain->startup_time + 30)) {
1435 /* No longer in "startup" mode. */
1436 DEBUG(10,("fork_domain_child: domain %s no longer in 'startup' mode.\n",
1437 child->domain->name ));
1438 child->domain->startup = False;
1441 pfds = TALLOC_ZERO_P(talloc_tos(), struct pollfd);
1443 DEBUG(1, ("talloc failed\n"));
1447 pfds->fd = state.sock;
1448 pfds->events = POLLIN|POLLHUP;
1453 if (!event_add_to_poll_args(
1454 winbind_event_context(), talloc_tos(),
1455 &pfds, &num_pfds, &timeout)) {
1456 DEBUG(1, ("event_add_to_poll_args failed\n"));
1459 tp = get_timed_events_timeout(winbind_event_context(), &t);
1461 DEBUG(11,("select will use timeout of %u.%u seconds\n",
1462 (unsigned int)tp->tv_sec, (unsigned int)tp->tv_usec ));
1465 ret = sys_poll(pfds, num_pfds, timeout);
1467 if (run_events_poll(winbind_event_context(), ret,
1469 /* We got a signal - continue. */
1477 DEBUG(11,("nothing is ready yet, continue\n"));
1482 if (ret == -1 && errno == EINTR) {
1483 /* We got a signal - continue. */
1488 if (ret == -1 && errno != EINTR) {
1489 DEBUG(0,("poll error occured\n"));
1495 /* fetch a request from the main daemon */
1496 status = child_read_request(&state);
1498 if (!NT_STATUS_IS_OK(status)) {
1499 /* we lost contact with our parent */
1503 DEBUG(4,("child daemon request %d\n", (int)state.request->cmd));
1505 ZERO_STRUCTP(state.response);
1506 state.request->null_term = '\0';
1507 state.mem_ctx = frame;
1508 child_process_request(child, &state);
1510 DEBUG(4, ("Finished processing child request %d\n",
1511 (int)state.request->cmd));
1513 SAFE_FREE(state.request->extra_data.data);
1515 iov[0].iov_base = (void *)state.response;
1516 iov[0].iov_len = sizeof(struct winbindd_response);
1519 if (state.response->length > sizeof(struct winbindd_response)) {
1521 (void *)state.response->extra_data.data;
1522 iov[1].iov_len = state.response->length-iov[0].iov_len;
1526 DEBUG(10, ("Writing %d bytes to parent\n",
1527 (int)state.response->length));
1529 if (write_data_iov(state.sock, iov, iov_count) !=
1530 state.response->length) {
1531 DEBUG(0, ("Could not write result\n"));
1538 void winbind_msg_ip_dropped_parent(struct messaging_context *msg_ctx,
1541 struct server_id server_id,
1544 struct winbindd_child *child;
1546 winbind_msg_ip_dropped(msg_ctx, private_data, msg_type,
1550 for (child = winbindd_children; child != NULL; child = child->next) {
1551 messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
1552 msg_type, data->data, data->length);