2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods passdb_methods;
33 * @file winbindd_util.c
35 * Winbind daemon for NT domain authentication nss module.
39 /* The list of trusted domains. Note that the list can be deleted and
40 recreated using the init_domain_list() function so pointers to
41 individual winbindd_domain structures cannot be made. Keep a copy of
42 the domain name instead. */
44 static struct winbindd_domain *_domain_list = NULL;
47 When was the last scan of trusted domains done?
52 static time_t last_trustdom_scan;
54 struct winbindd_domain *domain_list(void)
58 if ((!_domain_list) && (!init_domain_list())) {
59 smb_panic("Init_domain_list failed");
65 /* Free all entries in the trusted domain list */
67 void free_domain_list(void)
69 struct winbindd_domain *domain = _domain_list;
72 struct winbindd_domain *next = domain->next;
74 DLIST_REMOVE(_domain_list, domain);
80 static bool is_internal_domain(const DOM_SID *sid)
85 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
88 static bool is_in_internal_domain(const DOM_SID *sid)
93 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
97 /* Add a trusted domain to our list of domains */
98 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
99 struct winbindd_methods *methods,
102 struct winbindd_domain *domain;
103 const char *alternative_name = NULL;
105 /* ignore alt_name if we are not in an AD domain */
107 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
108 alternative_name = alt_name;
111 /* We can't call domain_list() as this function is called from
112 init_domain_list() and we'll get stuck in a loop. */
113 for (domain = _domain_list; domain; domain = domain->next) {
114 if (strequal(domain_name, domain->name) ||
115 strequal(domain_name, domain->alt_name))
120 if (alternative_name && *alternative_name)
122 if (strequal(alternative_name, domain->name) ||
123 strequal(alternative_name, domain->alt_name))
131 if (is_null_sid(sid)) {
135 if (sid_equal(sid, &domain->sid)) {
141 /* See if we found a match. Check if we need to update the
144 if ( domain && sid) {
145 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
146 sid_copy( &domain->sid, sid );
151 /* Create new domain entry */
153 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
158 ZERO_STRUCTP(domain);
160 /* prioritise the short name */
161 if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
162 fstrcpy(domain->name, alternative_name);
163 fstrcpy(domain->alt_name, domain_name);
165 fstrcpy(domain->name, domain_name);
166 if (alternative_name) {
167 fstrcpy(domain->alt_name, alternative_name);
171 domain->methods = methods;
172 domain->backend = NULL;
173 domain->internal = is_internal_domain(sid);
174 domain->sequence_number = DOM_SEQUENCE_NONE;
175 domain->last_seq_check = 0;
176 domain->initialized = False;
177 domain->online = is_internal_domain(sid);
178 domain->check_online_timeout = 0;
180 sid_copy(&domain->sid, sid);
183 /* Link to domain list */
184 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
186 wcache_tdc_add_domain( domain );
188 DEBUG(2,("Added domain %s %s %s\n",
189 domain->name, domain->alt_name,
190 &domain->sid?sid_string_dbg(&domain->sid):""));
195 /********************************************************************
196 rescan our domains looking for new trusted domains
197 ********************************************************************/
199 struct trustdom_state {
203 struct winbindd_response *response;
206 static void trustdom_recv(void *private_data, bool success);
207 static void rescan_forest_root_trusts( void );
208 static void rescan_forest_trusts( void );
210 static void add_trusted_domains( struct winbindd_domain *domain )
213 struct winbindd_request *request;
214 struct winbindd_response *response;
215 uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
217 struct trustdom_state *state;
219 mem_ctx = talloc_init("add_trusted_domains");
220 if (mem_ctx == NULL) {
221 DEBUG(0, ("talloc_init failed\n"));
225 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
226 response = TALLOC_P(mem_ctx, struct winbindd_response);
227 state = TALLOC_P(mem_ctx, struct trustdom_state);
229 if ((request == NULL) || (response == NULL) || (state == NULL)) {
230 DEBUG(0, ("talloc failed\n"));
231 talloc_destroy(mem_ctx);
235 state->mem_ctx = mem_ctx;
236 state->response = response;
238 /* Flags used to know how to continue the forest trust search */
240 state->primary = domain->primary;
241 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
243 request->length = sizeof(*request);
244 request->cmd = WINBINDD_LIST_TRUSTDOM;
246 async_domain_request(mem_ctx, domain, request, response,
247 trustdom_recv, state);
250 static void trustdom_recv(void *private_data, bool success)
252 struct trustdom_state *state =
253 talloc_get_type_abort(private_data, struct trustdom_state);
254 struct winbindd_response *response = state->response;
257 if ((!success) || (response->result != WINBINDD_OK)) {
258 DEBUG(1, ("Could not receive trustdoms\n"));
259 talloc_destroy(state->mem_ctx);
263 p = (char *)response->extra_data.data;
265 while ((p != NULL) && (*p != '\0')) {
266 char *q, *sidstr, *alt_name;
268 struct winbindd_domain *domain;
269 char *alternate_name = NULL;
271 alt_name = strchr(p, '\\');
272 if (alt_name == NULL) {
273 DEBUG(0, ("Got invalid trustdom response\n"));
280 sidstr = strchr(alt_name, '\\');
281 if (sidstr == NULL) {
282 DEBUG(0, ("Got invalid trustdom response\n"));
289 q = strchr(sidstr, '\n');
293 if (!string_to_sid(&sid, sidstr)) {
294 /* Allow NULL sid for sibling domains */
295 if ( strcmp(sidstr,"S-0-0") == 0) {
296 sid_copy( &sid, &global_sid_NULL);
298 DEBUG(0, ("Got invalid trustdom response\n"));
303 /* use the real alt_name if we have one, else pass in NULL */
305 if ( !strequal( alt_name, "(null)" ) )
306 alternate_name = alt_name;
308 /* If we have an existing domain structure, calling
309 add_trusted_domain() will update the SID if
310 necessary. This is important because we need the
311 SID for sibling domains */
313 if ( find_domain_from_name_noinit(p) != NULL ) {
314 domain = add_trusted_domain(p, alternate_name,
318 domain = add_trusted_domain(p, alternate_name,
322 setup_domain_child(domain,
331 SAFE_FREE(response->extra_data.data);
334 Cases to consider when scanning trusts:
335 (a) we are calling from a child domain (primary && !forest_root)
336 (b) we are calling from the root of the forest (primary && forest_root)
337 (c) we are calling from a trusted forest domain (!primary
341 if ( state->primary ) {
342 /* If this is our primary domain and we are not the in the
343 forest root, we have to scan the root trusts first */
345 if ( !state->forest_root )
346 rescan_forest_root_trusts();
348 rescan_forest_trusts();
350 } else if ( state->forest_root ) {
351 /* Once we have done root forest trust search, we can
352 go on to search thing trusted forests */
354 rescan_forest_trusts();
357 talloc_destroy(state->mem_ctx);
362 /********************************************************************
363 Scan the trusts of our forest root
364 ********************************************************************/
366 static void rescan_forest_root_trusts( void )
368 struct winbindd_tdc_domain *dom_list = NULL;
369 size_t num_trusts = 0;
372 /* The only transitive trusts supported by Windows 2003 AD are
373 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
374 first two are handled in forest and listed by
375 DsEnumerateDomainTrusts(). Forest trusts are not so we
376 have to do that ourselves. */
378 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
381 for ( i=0; i<num_trusts; i++ ) {
382 struct winbindd_domain *d = NULL;
384 /* Find the forest root. Don't necessarily trust
385 the domain_list() as our primary domain may not
386 have been initialized. */
388 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
392 /* Here's the forest root */
394 d = find_domain_from_name_noinit( dom_list[i].domain_name );
397 d = add_trusted_domain( dom_list[i].domain_name,
398 dom_list[i].dns_name,
403 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
404 "for domain tree root %s (%s)\n",
405 d->name, d->alt_name ));
407 d->domain_flags = dom_list[i].trust_flags;
408 d->domain_type = dom_list[i].trust_type;
409 d->domain_trust_attribs = dom_list[i].trust_attribs;
411 add_trusted_domains( d );
416 TALLOC_FREE( dom_list );
421 /********************************************************************
422 scan the transitive forest trists (not our own)
423 ********************************************************************/
426 static void rescan_forest_trusts( void )
428 struct winbindd_domain *d = NULL;
429 struct winbindd_tdc_domain *dom_list = NULL;
430 size_t num_trusts = 0;
433 /* The only transitive trusts supported by Windows 2003 AD are
434 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
435 first two are handled in forest and listed by
436 DsEnumerateDomainTrusts(). Forest trusts are not so we
437 have to do that ourselves. */
439 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
442 for ( i=0; i<num_trusts; i++ ) {
443 uint32 flags = dom_list[i].trust_flags;
444 uint32 type = dom_list[i].trust_type;
445 uint32 attribs = dom_list[i].trust_attribs;
447 d = find_domain_from_name_noinit( dom_list[i].domain_name );
449 /* ignore our primary and internal domains */
451 if ( d && (d->internal || d->primary ) )
454 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
455 (type == NETR_TRUST_TYPE_UPLEVEL) &&
456 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
458 /* add the trusted domain if we don't know
462 d = add_trusted_domain( dom_list[i].domain_name,
463 dom_list[i].dns_name,
468 DEBUG(10,("Following trust path for domain %s (%s)\n",
469 d->name, d->alt_name ));
470 add_trusted_domains( d );
474 TALLOC_FREE( dom_list );
479 /*********************************************************************
480 The process of updating the trusted domain list is a three step
483 (b) ask the root domain in our forest
484 (c) ask the a DC in any Win2003 trusted forests
485 *********************************************************************/
487 void rescan_trusted_domains( void )
489 time_t now = time(NULL);
491 /* see if the time has come... */
493 if ((now >= last_trustdom_scan) &&
494 ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
497 /* I use to clear the cache here and start over but that
498 caused problems in child processes that needed the
499 trust dom list early on. Removing it means we
500 could have some trusted domains listed that have been
501 removed from our primary domain's DC until a full
502 restart. This should be ok since I think this is what
503 Windows does as well. */
505 /* this will only add new domains we didn't already know about
506 in the domain_list()*/
508 add_trusted_domains( find_our_domain() );
510 last_trustdom_scan = now;
515 struct init_child_state {
517 struct winbindd_domain *domain;
518 struct winbindd_request *request;
519 struct winbindd_response *response;
520 void (*continuation)(void *private_data, bool success);
524 static void init_child_recv(void *private_data, bool success);
525 static void init_child_getdc_recv(void *private_data, bool success);
527 enum winbindd_result init_child_connection(struct winbindd_domain *domain,
528 void (*continuation)(void *private_data,
533 struct winbindd_request *request;
534 struct winbindd_response *response;
535 struct init_child_state *state;
536 struct winbindd_domain *request_domain;
538 mem_ctx = talloc_init("init_child_connection");
539 if (mem_ctx == NULL) {
540 DEBUG(0, ("talloc_init failed\n"));
541 return WINBINDD_ERROR;
544 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
545 response = TALLOC_P(mem_ctx, struct winbindd_response);
546 state = TALLOC_P(mem_ctx, struct init_child_state);
548 if ((request == NULL) || (response == NULL) || (state == NULL)) {
549 DEBUG(0, ("talloc failed\n"));
550 TALLOC_FREE(mem_ctx);
551 continuation(private_data, False);
552 return WINBINDD_ERROR;
555 request->length = sizeof(*request);
557 state->mem_ctx = mem_ctx;
558 state->domain = domain;
559 state->request = request;
560 state->response = response;
561 state->continuation = continuation;
562 state->private_data = private_data;
564 if (IS_DC || domain->primary || domain->internal ) {
565 /* The primary domain has to find the DC name itself */
566 request->cmd = WINBINDD_INIT_CONNECTION;
567 fstrcpy(request->domain_name, domain->name);
568 request->data.init_conn.is_primary = domain->primary ? true : false;
569 fstrcpy(request->data.init_conn.dcname, "");
570 async_request(mem_ctx, &domain->child, request, response,
571 init_child_recv, state);
572 return WINBINDD_PENDING;
575 /* This is *not* the primary domain, let's ask our DC about a DC
578 request->cmd = WINBINDD_GETDCNAME;
579 fstrcpy(request->domain_name, domain->name);
581 request_domain = find_our_domain();
582 async_domain_request(mem_ctx, request_domain, request, response,
583 init_child_getdc_recv, state);
584 return WINBINDD_PENDING;
587 static void init_child_getdc_recv(void *private_data, bool success)
589 struct init_child_state *state =
590 talloc_get_type_abort(private_data, struct init_child_state);
591 const char *dcname = "";
593 DEBUG(10, ("Received getdcname response\n"));
595 if (success && (state->response->result == WINBINDD_OK)) {
596 dcname = state->response->data.dc_name;
599 state->request->cmd = WINBINDD_INIT_CONNECTION;
600 fstrcpy(state->request->domain_name, state->domain->name);
601 state->request->data.init_conn.is_primary = False;
602 fstrcpy(state->request->data.init_conn.dcname, dcname);
604 async_request(state->mem_ctx, &state->domain->child,
605 state->request, state->response,
606 init_child_recv, state);
609 static void init_child_recv(void *private_data, bool success)
611 struct init_child_state *state =
612 talloc_get_type_abort(private_data, struct init_child_state);
614 DEBUG(5, ("Received child initialization response for domain %s\n",
615 state->domain->name));
617 if ((!success) || (state->response->result != WINBINDD_OK)) {
618 DEBUG(3, ("Could not init child\n"));
619 state->continuation(state->private_data, False);
620 talloc_destroy(state->mem_ctx);
624 fstrcpy(state->domain->name,
625 state->response->data.domain_info.name);
626 fstrcpy(state->domain->alt_name,
627 state->response->data.domain_info.alt_name);
628 string_to_sid(&state->domain->sid,
629 state->response->data.domain_info.sid);
630 state->domain->native_mode =
631 state->response->data.domain_info.native_mode;
632 state->domain->active_directory =
633 state->response->data.domain_info.active_directory;
635 init_dc_connection(state->domain);
637 if (state->continuation != NULL)
638 state->continuation(state->private_data, True);
639 talloc_destroy(state->mem_ctx);
642 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
643 struct winbindd_cli_state *state)
645 /* Ensure null termination */
646 state->request.domain_name
647 [sizeof(state->request.domain_name)-1]='\0';
648 state->request.data.init_conn.dcname
649 [sizeof(state->request.data.init_conn.dcname)-1]='\0';
651 if (strlen(state->request.data.init_conn.dcname) > 0) {
652 fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
655 init_dc_connection(domain);
657 if (!domain->initialized) {
658 /* If we return error here we can't do any cached authentication,
659 but we may be in disconnected mode and can't initialize correctly.
660 Do what the previous code did and just return without initialization,
661 once we go online we'll re-initialize.
663 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
664 "online = %d\n", domain->name, (int)domain->online ));
667 fstrcpy(state->response.data.domain_info.name, domain->name);
668 fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
669 sid_to_fstring(state->response.data.domain_info.sid, &domain->sid);
671 state->response.data.domain_info.native_mode
672 = domain->native_mode;
673 state->response.data.domain_info.active_directory
674 = domain->active_directory;
675 state->response.data.domain_info.primary
681 /* Look up global info for the winbind daemon */
682 bool init_domain_list(void)
684 struct winbindd_domain *domain;
685 int role = lp_server_role();
687 /* Free existing list */
692 domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods,
693 &global_sid_Builtin);
695 setup_domain_child(domain,
701 domain = add_trusted_domain(get_global_sam_name(), NULL,
702 &passdb_methods, get_global_sam_sid());
704 if ( role != ROLE_DOMAIN_MEMBER ) {
705 domain->primary = True;
707 setup_domain_child(domain,
711 /* Add ourselves as the first entry. */
713 if ( role == ROLE_DOMAIN_MEMBER ) {
716 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
717 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
721 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
722 &cache_methods, &our_sid);
724 domain->primary = True;
725 setup_domain_child(domain,
728 /* Even in the parent winbindd we'll need to
729 talk to the DC, so try and see if we can
730 contact it. Theoretically this isn't neccessary
731 as the init_dc_connection() in init_child_recv()
732 will do this, but we can start detecting the DC
734 set_domain_online_request(domain);
741 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
743 struct winbindd_domain *domain;
747 domain = find_domain_from_name_noinit( name );
751 sid_copy( &dom_sid, user_sid );
752 if ( !sid_split_rid( &dom_sid, &rid ) )
755 /* add the newly discovered trusted domain */
757 domain = add_trusted_domain( name, NULL, &cache_methods,
763 /* assume this is a trust from a one-way transitive
766 domain->active_directory = True;
767 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
768 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
769 domain->internal = False;
770 domain->online = True;
772 setup_domain_child(domain,
775 wcache_tdc_add_domain( domain );
781 * Given a domain name, return the struct winbindd domain info for it
783 * @note Do *not* pass lp_workgroup() to this function. domain_list
784 * may modify it's value, and free that pointer. Instead, our local
785 * domain may be found by calling find_our_domain().
789 * @return The domain structure for the named domain, if it is working.
792 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
794 struct winbindd_domain *domain;
796 /* Search through list */
798 for (domain = domain_list(); domain != NULL; domain = domain->next) {
799 if (strequal(domain_name, domain->name) ||
800 (domain->alt_name[0] &&
801 strequal(domain_name, domain->alt_name))) {
811 struct winbindd_domain *find_domain_from_name(const char *domain_name)
813 struct winbindd_domain *domain;
815 domain = find_domain_from_name_noinit(domain_name);
820 if (!domain->initialized)
821 init_dc_connection(domain);
826 /* Given a domain sid, return the struct winbindd domain info for it */
828 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
830 struct winbindd_domain *domain;
832 /* Search through list */
834 for (domain = domain_list(); domain != NULL; domain = domain->next) {
835 if (sid_compare_domain(sid, &domain->sid) == 0)
844 /* Given a domain sid, return the struct winbindd domain info for it */
846 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
848 struct winbindd_domain *domain;
850 domain = find_domain_from_sid_noinit(sid);
855 if (!domain->initialized)
856 init_dc_connection(domain);
861 struct winbindd_domain *find_our_domain(void)
863 struct winbindd_domain *domain;
865 /* Search through list */
867 for (domain = domain_list(); domain != NULL; domain = domain->next) {
872 smb_panic("Could not find our domain");
876 struct winbindd_domain *find_root_domain(void)
878 struct winbindd_domain *ours = find_our_domain();
883 if ( strlen(ours->forest_name) == 0 )
886 return find_domain_from_name( ours->forest_name );
889 struct winbindd_domain *find_builtin_domain(void)
892 struct winbindd_domain *domain;
894 string_to_sid(&sid, "S-1-5-32");
895 domain = find_domain_from_sid(&sid);
897 if (domain == NULL) {
898 smb_panic("Could not find BUILTIN domain");
904 /* Find the appropriate domain to lookup a name or SID */
906 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
908 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
910 if ( sid_check_is_in_unix_groups(sid) ||
911 sid_check_is_unix_groups(sid) ||
912 sid_check_is_in_unix_users(sid) ||
913 sid_check_is_unix_users(sid) )
915 return find_domain_from_sid(get_global_sam_sid());
918 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
919 * one to contact the external DC's. On member servers the internal
920 * domains are different: These are part of the local SAM. */
922 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
924 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
925 DEBUG(10, ("calling find_domain_from_sid\n"));
926 return find_domain_from_sid(sid);
929 /* On a member server a query for SID or name can always go to our
932 DEBUG(10, ("calling find_our_domain\n"));
933 return find_our_domain();
936 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
938 if ( strequal(domain_name, unix_users_domain_name() ) ||
939 strequal(domain_name, unix_groups_domain_name() ) )
941 return find_domain_from_name_noinit( get_global_sam_name() );
944 if (IS_DC || strequal(domain_name, "BUILTIN") ||
945 strequal(domain_name, get_global_sam_name()))
946 return find_domain_from_name_noinit(domain_name);
948 /* The "Unix User" and "Unix Group" domain our handled by passdb */
950 return find_our_domain();
953 /* Lookup a sid in a domain from a name */
955 bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
956 enum winbindd_cmd orig_cmd,
957 struct winbindd_domain *domain,
958 const char *domain_name,
959 const char *name, DOM_SID *sid,
960 enum lsa_SidType *type)
965 result = domain->methods->name_to_sid(domain, mem_ctx, orig_cmd,
966 domain_name, name, sid, type);
968 /* Return sid and type if lookup successful */
969 if (!NT_STATUS_IS_OK(result)) {
970 *type = SID_NAME_UNKNOWN;
973 return NT_STATUS_IS_OK(result);
977 * @brief Lookup a name in a domain from a sid.
979 * @param sid Security ID you want to look up.
980 * @param name On success, set to the name corresponding to @p sid.
981 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
982 * @param type On success, contains the type of name: alias, group or
984 * @retval True if the name exists, in which case @p name and @p type
985 * are set, otherwise False.
987 bool winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
988 struct winbindd_domain *domain,
992 enum lsa_SidType *type)
1001 result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
1003 /* Return name and type if successful */
1005 if (NT_STATUS_IS_OK(result)) {
1009 *type = SID_NAME_UNKNOWN;
1014 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
1016 void free_getent_state(struct getent_state *state)
1018 struct getent_state *temp;
1020 /* Iterate over state list */
1024 while(temp != NULL) {
1025 struct getent_state *next;
1027 /* Free sam entries then list entry */
1029 SAFE_FREE(state->sam_entries);
1030 DLIST_REMOVE(state, state);
1038 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1040 static bool assume_domain(const char *domain)
1042 /* never assume the domain on a standalone server */
1044 if ( lp_server_role() == ROLE_STANDALONE )
1047 /* domain member servers may possibly assume for the domain name */
1049 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1050 if ( !strequal(lp_workgroup(), domain) )
1053 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1057 /* only left with a domain controller */
1059 if ( strequal(get_global_sam_name(), domain) ) {
1066 /* Parse a string of the form DOMAIN\user into a domain and a user */
1068 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1070 char *p = strchr(domuser,*lp_winbind_separator());
1073 fstrcpy(user, domuser);
1075 if ( assume_domain(lp_workgroup())) {
1076 fstrcpy(domain, lp_workgroup());
1077 } else if ((p = strchr(domuser, '@')) != NULL) {
1078 fstrcpy(domain, "");
1084 fstrcpy(domain, domuser);
1085 domain[PTR_DIFF(p, domuser)] = 0;
1093 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1094 char **domain, char **user)
1096 fstring fstr_domain, fstr_user;
1097 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1100 *domain = talloc_strdup(mem_ctx, fstr_domain);
1101 *user = talloc_strdup(mem_ctx, fstr_user);
1102 return ((*domain != NULL) && (*user != NULL));
1105 /* Ensure an incoming username from NSS is fully qualified. Replace the
1106 incoming fstring with DOMAIN <separator> user. Returns the same
1107 values as parse_domain_user() but also replaces the incoming username.
1108 Used to ensure all names are fully qualified within winbindd.
1109 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1110 The protocol definitions of auth_crap, chng_pswd_auth_crap
1111 really should be changed to use this instead of doing things
1114 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1116 if (!parse_domain_user(username_inout, domain, user)) {
1119 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1120 domain, *lp_winbind_separator(),
1126 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1127 'winbind separator' options.
1129 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1132 If we are a PDC or BDC, and this is for our domain, do likewise.
1134 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1135 username is then unqualified in unix
1137 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1139 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1143 fstrcpy(tmp_user, user);
1144 strlower_m(tmp_user);
1146 if (can_assume && assume_domain(domain)) {
1147 strlcpy(name, tmp_user, sizeof(fstring));
1149 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1150 domain, *lp_winbind_separator(),
1156 * Winbindd socket accessor functions
1159 const char *get_winbind_pipe_dir(void)
1161 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1164 char *get_winbind_priv_pipe_dir(void)
1166 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1169 /* Open the winbindd socket */
1171 static int _winbindd_socket = -1;
1172 static int _winbindd_priv_socket = -1;
1174 int open_winbindd_socket(void)
1176 if (_winbindd_socket == -1) {
1177 _winbindd_socket = create_pipe_sock(
1178 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1179 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1183 return _winbindd_socket;
1186 int open_winbindd_priv_socket(void)
1188 if (_winbindd_priv_socket == -1) {
1189 _winbindd_priv_socket = create_pipe_sock(
1190 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1191 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1192 _winbindd_priv_socket));
1195 return _winbindd_priv_socket;
1198 /* Close the winbindd socket */
1200 void close_winbindd_socket(void)
1202 if (_winbindd_socket != -1) {
1203 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1205 close(_winbindd_socket);
1206 _winbindd_socket = -1;
1208 if (_winbindd_priv_socket != -1) {
1209 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1210 _winbindd_priv_socket));
1211 close(_winbindd_priv_socket);
1212 _winbindd_priv_socket = -1;
1217 * Client list accessor functions
1220 static struct winbindd_cli_state *_client_list;
1221 static int _num_clients;
1223 /* Return list of all connected clients */
1225 struct winbindd_cli_state *winbindd_client_list(void)
1227 return _client_list;
1230 /* Add a connection to the list */
1232 void winbindd_add_client(struct winbindd_cli_state *cli)
1234 DLIST_ADD(_client_list, cli);
1238 /* Remove a client from the list */
1240 void winbindd_remove_client(struct winbindd_cli_state *cli)
1242 DLIST_REMOVE(_client_list, cli);
1246 /* Close all open clients */
1248 void winbindd_kill_all_clients(void)
1250 struct winbindd_cli_state *cl = winbindd_client_list();
1252 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1255 struct winbindd_cli_state *next;
1258 winbindd_remove_client(cl);
1263 /* Return number of open clients */
1265 int winbindd_num_clients(void)
1267 return _num_clients;
1270 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1271 TALLOC_CTX *mem_ctx,
1272 const DOM_SID *user_sid,
1273 uint32 *p_num_groups, DOM_SID **user_sids)
1275 struct netr_SamInfo3 *info3 = NULL;
1276 NTSTATUS status = NT_STATUS_NO_MEMORY;
1278 size_t num_groups = 0;
1279 DOM_SID group_sid, primary_group;
1281 DEBUG(3,(": lookup_usergroups_cached\n"));
1287 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1289 if (info3 == NULL) {
1290 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1293 if (info3->base.groups.count == 0) {
1295 return NT_STATUS_UNSUCCESSFUL;
1298 /* always add the primary group to the sid array */
1299 sid_compose(&primary_group, info3->base.domain_sid, info3->base.rid);
1301 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
1303 if (!NT_STATUS_IS_OK(status)) {
1308 for (i=0; i < info3->base.groups.count; i++) {
1309 sid_copy(&group_sid, info3->base.domain_sid);
1310 sid_append_rid(&group_sid, info3->base.groups.rids[i].rid);
1312 status = add_sid_to_array(mem_ctx, &group_sid, user_sids,
1314 if (!NT_STATUS_IS_OK(status)) {
1320 /* Add any Universal groups in the other_sids list */
1322 for (i=0; i < info3->sidcount; i++) {
1323 /* Skip Domain local groups outside our domain.
1324 We'll get these from the getsidaliases() RPC call. */
1325 if (info3->sids[i].attributes & SE_GROUP_RESOURCE)
1328 status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
1329 user_sids, &num_groups);
1330 if (!NT_STATUS_IS_OK(status)) {
1338 *p_num_groups = num_groups;
1339 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1341 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1346 /*********************************************************************
1347 We use this to remove spaces from user and group names
1348 ********************************************************************/
1350 void ws_name_replace( char *name, char replace )
1352 char replace_char[2] = { 0x0, 0x0 };
1354 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1357 replace_char[0] = replace;
1358 all_string_sub( name, " ", replace_char, 0 );
1363 /*********************************************************************
1364 We use this to do the inverse of ws_name_replace()
1365 ********************************************************************/
1367 void ws_name_return( char *name, char replace )
1369 char replace_char[2] = { 0x0, 0x0 };
1371 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1374 replace_char[0] = replace;
1375 all_string_sub( name, replace_char, " ", 0 );
1380 /*********************************************************************
1381 ********************************************************************/
1383 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1385 struct winbindd_tdc_domain *tdc = NULL;
1386 TALLOC_CTX *frame = talloc_stackframe();
1389 /* We can contact the domain if it is our primary domain */
1391 if (domain->primary) {
1395 /* Trust the TDC cache and not the winbindd_domain flags */
1397 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1398 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1403 /* Can always contact a domain that is in out forest */
1405 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1411 * On a _member_ server, we cannot contact the domain if it
1412 * is running AD and we have no inbound trust.
1416 domain->active_directory &&
1417 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1419 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1420 "and we have no inbound trust.\n", domain->name));
1424 /* Assume everything else is ok (probably not true but what
1430 talloc_destroy(frame);
1435 /*********************************************************************
1436 ********************************************************************/
1438 bool winbindd_internal_child(struct winbindd_child *child)
1440 if ((child == idmap_child()) || (child == locator_child())) {
1447 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1449 /*********************************************************************
1450 ********************************************************************/
1452 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1455 char addr[INET6_ADDRSTRLEN];
1456 const char *kdc = NULL;
1459 if (!domain || !domain->alt_name || !*domain->alt_name) {
1463 if (domain->initialized && !domain->active_directory) {
1464 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1469 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1472 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1474 kdc = domain->dcname;
1477 if (!kdc || !*kdc) {
1478 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1483 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1484 domain->alt_name) == -1) {
1488 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1491 setenv(var, kdc, 1);
1495 /*********************************************************************
1496 ********************************************************************/
1498 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1500 struct winbindd_domain *our_dom = find_our_domain();
1502 winbindd_set_locator_kdc_env(domain);
1504 if (domain != our_dom) {
1505 winbindd_set_locator_kdc_env(our_dom);
1509 /*********************************************************************
1510 ********************************************************************/
1512 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1516 if (!domain || !domain->alt_name || !*domain->alt_name) {
1520 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1521 domain->alt_name) == -1) {
1530 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1535 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1540 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
git.samba.org / nivanova / samba-autobuild / .git / blob