2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods passdb_methods;
33 * @file winbindd_util.c
35 * Winbind daemon for NT domain authentication nss module.
38 /* The list of trusted domains. Note that the list can be deleted and
39 recreated using the init_domain_list() function so pointers to
40 individual winbindd_domain structures cannot be made. Keep a copy of
41 the domain name instead. */
43 static struct winbindd_domain *_domain_list;
46 When was the last scan of trusted domains done?
51 static time_t last_trustdom_scan;
53 struct winbindd_domain *domain_list(void)
57 if ((!_domain_list) && (!init_domain_list())) {
58 smb_panic("Init_domain_list failed");
64 /* Free all entries in the trusted domain list */
66 void free_domain_list(void)
68 struct winbindd_domain *domain = _domain_list;
71 struct winbindd_domain *next = domain->next;
73 DLIST_REMOVE(_domain_list, domain);
79 static BOOL is_internal_domain(const DOM_SID *sid)
85 return sid_check_is_builtin(sid);
87 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
90 static BOOL is_in_internal_domain(const DOM_SID *sid)
96 return sid_check_is_in_builtin(sid);
98 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
102 /* Add a trusted domain to our list of domains */
103 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
104 struct winbindd_methods *methods,
107 struct winbindd_domain *domain;
108 const char *alternative_name = NULL;
110 /* ignore alt_name if we are not in an AD domain */
112 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
113 alternative_name = alt_name;
116 /* We can't call domain_list() as this function is called from
117 init_domain_list() and we'll get stuck in a loop. */
118 for (domain = _domain_list; domain; domain = domain->next) {
119 if (strequal(domain_name, domain->name) ||
120 strequal(domain_name, domain->alt_name))
125 if (alternative_name && *alternative_name)
127 if (strequal(alternative_name, domain->name) ||
128 strequal(alternative_name, domain->alt_name))
136 if (is_null_sid(sid)) {
140 if (sid_equal(sid, &domain->sid)) {
146 /* See if we found a match. Check if we need to update the
149 if ( domain && sid) {
150 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
151 sid_copy( &domain->sid, sid );
156 /* Create new domain entry */
158 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
163 ZERO_STRUCTP(domain);
165 /* prioritise the short name */
166 if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
167 fstrcpy(domain->name, alternative_name);
168 fstrcpy(domain->alt_name, domain_name);
170 fstrcpy(domain->name, domain_name);
171 if (alternative_name) {
172 fstrcpy(domain->alt_name, alternative_name);
176 domain->methods = methods;
177 domain->backend = NULL;
178 domain->internal = is_internal_domain(sid);
179 domain->sequence_number = DOM_SEQUENCE_NONE;
180 domain->last_seq_check = 0;
181 domain->initialized = False;
182 domain->online = is_internal_domain(sid);
183 domain->check_online_timeout = 0;
185 sid_copy(&domain->sid, sid);
188 /* Link to domain list */
189 DLIST_ADD(_domain_list, domain);
191 wcache_tdc_add_domain( domain );
193 DEBUG(2,("Added domain %s %s %s\n",
194 domain->name, domain->alt_name,
195 &domain->sid?sid_string_static(&domain->sid):""));
200 /********************************************************************
201 rescan our domains looking for new trusted domains
202 ********************************************************************/
204 struct trustdom_state {
208 struct winbindd_response *response;
211 static void trustdom_recv(void *private_data, BOOL success);
212 static void rescan_forest_root_trusts( void );
213 static void rescan_forest_trusts( void );
215 static void add_trusted_domains( struct winbindd_domain *domain )
218 struct winbindd_request *request;
219 struct winbindd_response *response;
220 uint32 fr_flags = (DS_DOMAIN_TREE_ROOT|DS_DOMAIN_IN_FOREST);
222 struct trustdom_state *state;
224 mem_ctx = talloc_init("add_trusted_domains");
225 if (mem_ctx == NULL) {
226 DEBUG(0, ("talloc_init failed\n"));
230 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
231 response = TALLOC_P(mem_ctx, struct winbindd_response);
232 state = TALLOC_P(mem_ctx, struct trustdom_state);
234 if ((request == NULL) || (response == NULL) || (state == NULL)) {
235 DEBUG(0, ("talloc failed\n"));
236 talloc_destroy(mem_ctx);
240 state->mem_ctx = mem_ctx;
241 state->response = response;
243 /* Flags used to know how to continue the forest trust search */
245 state->primary = domain->primary;
246 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
248 request->length = sizeof(*request);
249 request->cmd = WINBINDD_LIST_TRUSTDOM;
251 async_domain_request(mem_ctx, domain, request, response,
252 trustdom_recv, state);
255 static void trustdom_recv(void *private_data, BOOL success)
257 struct trustdom_state *state =
258 talloc_get_type_abort(private_data, struct trustdom_state);
259 struct winbindd_response *response = state->response;
262 if ((!success) || (response->result != WINBINDD_OK)) {
263 DEBUG(1, ("Could not receive trustdoms\n"));
264 talloc_destroy(state->mem_ctx);
268 p = (char *)response->extra_data.data;
270 while ((p != NULL) && (*p != '\0')) {
271 char *q, *sidstr, *alt_name;
273 struct winbindd_domain *domain;
274 char *alternate_name = NULL;
276 alt_name = strchr(p, '\\');
277 if (alt_name == NULL) {
278 DEBUG(0, ("Got invalid trustdom response\n"));
285 sidstr = strchr(alt_name, '\\');
286 if (sidstr == NULL) {
287 DEBUG(0, ("Got invalid trustdom response\n"));
294 q = strchr(sidstr, '\n');
298 if (!string_to_sid(&sid, sidstr)) {
299 /* Allow NULL sid for sibling domains */
300 if ( strcmp(sidstr,"S-0-0") == 0) {
301 sid_copy( &sid, &global_sid_NULL);
303 DEBUG(0, ("Got invalid trustdom response\n"));
308 /* use the real alt_name if we have one, else pass in NULL */
310 if ( !strequal( alt_name, "(null)" ) )
311 alternate_name = alt_name;
313 /* If we have an existing domain structure, calling
314 add_trusted_domain() will update the SID if
315 necessary. This is important because we need the
316 SID for sibling domains */
318 if ( find_domain_from_name_noinit(p) != NULL ) {
319 domain = add_trusted_domain(p, alternate_name,
323 domain = add_trusted_domain(p, alternate_name,
327 setup_domain_child(domain, &domain->child, NULL);
335 SAFE_FREE(response->extra_data.data);
338 Cases to consider when scanning trusts:
339 (a) we are calling from a child domain (primary && !forest_root)
340 (b) we are calling from the root of the forest (primary && forest_root)
341 (c) we are calling from a trusted forest domain (!primary
345 if ( state->primary ) {
346 /* If this is our primary domain and we are not the in the
347 forest root, we have to scan the root trusts first */
349 if ( !state->forest_root )
350 rescan_forest_root_trusts();
352 rescan_forest_trusts();
354 } else if ( state->forest_root ) {
355 /* Once we have done root forest trust search, we can
356 go on to search thing trusted forests */
358 rescan_forest_trusts();
361 talloc_destroy(state->mem_ctx);
366 /********************************************************************
367 Scan the trusts of our forest root
368 ********************************************************************/
370 static void rescan_forest_root_trusts( void )
372 struct winbindd_tdc_domain *dom_list = NULL;
373 size_t num_trusts = 0;
376 /* The only transitive trusts supported by Windows 2003 AD are
377 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
378 first two are handled in forest and listed by
379 DsEnumerateDomainTrusts(). Forest trusts are not so we
380 have to do that ourselves. */
382 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
385 for ( i=0; i<num_trusts; i++ ) {
386 struct winbindd_domain *d = NULL;
388 /* Find the forest root. Don't necessarily trust
389 the domain_list() as our primary domain may not
390 have been initialized. */
392 if ( !(dom_list[i].trust_flags & DS_DOMAIN_TREE_ROOT) ) {
396 /* Here's the forest root */
398 d = find_domain_from_name_noinit( dom_list[i].domain_name );
401 d = add_trusted_domain( dom_list[i].domain_name,
402 dom_list[i].dns_name,
407 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
408 "for domain tree root %s (%s)\n",
409 d->name, d->alt_name ));
411 d->domain_flags = dom_list[i].trust_flags;
412 d->domain_type = dom_list[i].trust_type;
413 d->domain_trust_attribs = dom_list[i].trust_attribs;
415 add_trusted_domains( d );
420 TALLOC_FREE( dom_list );
425 /********************************************************************
426 scan the transitive forest trists (not our own)
427 ********************************************************************/
430 static void rescan_forest_trusts( void )
432 struct winbindd_domain *d = NULL;
433 struct winbindd_tdc_domain *dom_list = NULL;
434 size_t num_trusts = 0;
437 /* The only transitive trusts supported by Windows 2003 AD are
438 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
439 first two are handled in forest and listed by
440 DsEnumerateDomainTrusts(). Forest trusts are not so we
441 have to do that ourselves. */
443 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
446 for ( i=0; i<num_trusts; i++ ) {
447 uint32 flags = dom_list[i].trust_flags;
448 uint32 type = dom_list[i].trust_type;
449 uint32 attribs = dom_list[i].trust_attribs;
451 d = find_domain_from_name_noinit( dom_list[i].domain_name );
453 /* ignore our primary and internal domains */
455 if ( d && (d->internal || d->primary ) )
458 if ( (flags & DS_DOMAIN_DIRECT_INBOUND) &&
459 (type == DS_DOMAIN_TRUST_TYPE_UPLEVEL) &&
460 (attribs == DS_DOMAIN_TRUST_ATTRIB_FOREST_TRANSITIVE) )
462 /* add the trusted domain if we don't know
466 d = add_trusted_domain( dom_list[i].domain_name,
467 dom_list[i].dns_name,
472 DEBUG(10,("Following trust path for domain %s (%s)\n",
473 d->name, d->alt_name ));
474 add_trusted_domains( d );
478 TALLOC_FREE( dom_list );
483 /*********************************************************************
484 The process of updating the trusted domain list is a three step
487 (b) ask the root domain in our forest
488 (c) ask the a DC in any Win2003 trusted forests
489 *********************************************************************/
491 void rescan_trusted_domains( void )
493 time_t now = time(NULL);
495 /* see if the time has come... */
497 if ((now >= last_trustdom_scan) &&
498 ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
501 /* clear the TRUSTDOM cache first */
505 /* this will only add new domains we didn't already know about
506 in the domain_list()*/
508 add_trusted_domains( find_our_domain() );
510 last_trustdom_scan = now;
515 struct init_child_state {
517 struct winbindd_domain *domain;
518 struct winbindd_request *request;
519 struct winbindd_response *response;
520 void (*continuation)(void *private_data, BOOL success);
524 static void init_child_recv(void *private_data, BOOL success);
525 static void init_child_getdc_recv(void *private_data, BOOL success);
527 enum winbindd_result init_child_connection(struct winbindd_domain *domain,
528 void (*continuation)(void *private_data,
533 struct winbindd_request *request;
534 struct winbindd_response *response;
535 struct init_child_state *state;
536 struct winbindd_domain *request_domain;
538 mem_ctx = talloc_init("init_child_connection");
539 if (mem_ctx == NULL) {
540 DEBUG(0, ("talloc_init failed\n"));
541 return WINBINDD_ERROR;
544 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
545 response = TALLOC_P(mem_ctx, struct winbindd_response);
546 state = TALLOC_P(mem_ctx, struct init_child_state);
548 if ((request == NULL) || (response == NULL) || (state == NULL)) {
549 DEBUG(0, ("talloc failed\n"));
550 TALLOC_FREE(mem_ctx);
551 continuation(private_data, False);
552 return WINBINDD_ERROR;
555 request->length = sizeof(*request);
557 state->mem_ctx = mem_ctx;
558 state->domain = domain;
559 state->request = request;
560 state->response = response;
561 state->continuation = continuation;
562 state->private_data = private_data;
564 if (IS_DC || domain->primary || domain->internal ) {
565 /* The primary domain has to find the DC name itself */
566 request->cmd = WINBINDD_INIT_CONNECTION;
567 fstrcpy(request->domain_name, domain->name);
568 request->data.init_conn.is_primary = domain->internal ? False : True;
569 fstrcpy(request->data.init_conn.dcname, "");
570 async_request(mem_ctx, &domain->child, request, response,
571 init_child_recv, state);
572 return WINBINDD_PENDING;
575 /* This is *not* the primary domain, let's ask our DC about a DC
578 request->cmd = WINBINDD_GETDCNAME;
579 fstrcpy(request->domain_name, domain->name);
581 request_domain = find_our_domain();
582 async_domain_request(mem_ctx, request_domain, request, response,
583 init_child_getdc_recv, state);
584 return WINBINDD_PENDING;
587 static void init_child_getdc_recv(void *private_data, BOOL success)
589 struct init_child_state *state =
590 talloc_get_type_abort(private_data, struct init_child_state);
591 const char *dcname = "";
593 DEBUG(10, ("Received getdcname response\n"));
595 if (success && (state->response->result == WINBINDD_OK)) {
596 dcname = state->response->data.dc_name;
599 state->request->cmd = WINBINDD_INIT_CONNECTION;
600 fstrcpy(state->request->domain_name, state->domain->name);
601 state->request->data.init_conn.is_primary = False;
602 fstrcpy(state->request->data.init_conn.dcname, dcname);
604 async_request(state->mem_ctx, &state->domain->child,
605 state->request, state->response,
606 init_child_recv, state);
609 static void init_child_recv(void *private_data, BOOL success)
611 struct init_child_state *state =
612 talloc_get_type_abort(private_data, struct init_child_state);
614 DEBUG(5, ("Received child initialization response for domain %s\n",
615 state->domain->name));
617 if ((!success) || (state->response->result != WINBINDD_OK)) {
618 DEBUG(3, ("Could not init child\n"));
619 state->continuation(state->private_data, False);
620 talloc_destroy(state->mem_ctx);
624 fstrcpy(state->domain->name,
625 state->response->data.domain_info.name);
626 fstrcpy(state->domain->alt_name,
627 state->response->data.domain_info.alt_name);
628 string_to_sid(&state->domain->sid,
629 state->response->data.domain_info.sid);
630 state->domain->native_mode =
631 state->response->data.domain_info.native_mode;
632 state->domain->active_directory =
633 state->response->data.domain_info.active_directory;
634 state->domain->sequence_number =
635 state->response->data.domain_info.sequence_number;
637 init_dc_connection(state->domain);
639 if (state->continuation != NULL)
640 state->continuation(state->private_data, True);
641 talloc_destroy(state->mem_ctx);
644 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
645 struct winbindd_cli_state *state)
647 /* Ensure null termination */
648 state->request.domain_name
649 [sizeof(state->request.domain_name)-1]='\0';
650 state->request.data.init_conn.dcname
651 [sizeof(state->request.data.init_conn.dcname)-1]='\0';
653 if (strlen(state->request.data.init_conn.dcname) > 0) {
654 fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
657 init_dc_connection(domain);
659 if (!domain->initialized) {
660 /* If we return error here we can't do any cached authentication,
661 but we may be in disconnected mode and can't initialize correctly.
662 Do what the previous code did and just return without initialization,
663 once we go online we'll re-initialize.
665 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
666 "online = %d\n", domain->name, (int)domain->online ));
669 fstrcpy(state->response.data.domain_info.name, domain->name);
670 fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
671 fstrcpy(state->response.data.domain_info.sid,
672 sid_string_static(&domain->sid));
674 state->response.data.domain_info.native_mode
675 = domain->native_mode;
676 state->response.data.domain_info.active_directory
677 = domain->active_directory;
678 state->response.data.domain_info.primary
680 state->response.data.domain_info.sequence_number =
681 domain->sequence_number;
686 /* Look up global info for the winbind daemon */
687 BOOL init_domain_list(void)
689 struct winbindd_domain *domain;
690 int role = lp_server_role();
692 /* Free existing list */
695 /* Add ourselves as the first entry. */
697 if ( role == ROLE_DOMAIN_MEMBER ) {
700 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
701 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
705 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
706 &cache_methods, &our_sid);
708 domain->primary = True;
709 setup_domain_child(domain, &domain->child, NULL);
711 /* Even in the parent winbindd we'll need to
712 talk to the DC, so try and see if we can
713 contact it. Theoretically this isn't neccessary
714 as the init_dc_connection() in init_child_recv()
715 will do this, but we can start detecting the DC
717 set_domain_online_request(domain);
723 domain = add_trusted_domain(get_global_sam_name(), NULL,
724 &passdb_methods, get_global_sam_sid());
726 if ( role != ROLE_DOMAIN_MEMBER ) {
727 domain->primary = True;
729 setup_domain_child(domain, &domain->child, NULL);
734 domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods,
735 &global_sid_Builtin);
737 setup_domain_child(domain, &domain->child, NULL);
743 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
745 struct winbindd_domain *domain;
749 domain = find_domain_from_name_noinit( name );
753 sid_copy( &dom_sid, user_sid );
754 if ( !sid_split_rid( &dom_sid, &rid ) )
757 /* add the newly discovered trusted domain */
759 domain = add_trusted_domain( name, NULL, &cache_methods,
765 /* assume this is a trust from a one-way transitive
768 domain->active_directory = True;
769 domain->domain_flags = DS_DOMAIN_DIRECT_OUTBOUND;
770 domain->domain_type = DS_DOMAIN_TRUST_TYPE_UPLEVEL;
771 domain->internal = False;
772 domain->online = True;
774 setup_domain_child(domain, &domain->child, NULL);
776 wcache_tdc_add_domain( domain );
782 * Given a domain name, return the struct winbindd domain info for it
784 * @note Do *not* pass lp_workgroup() to this function. domain_list
785 * may modify it's value, and free that pointer. Instead, our local
786 * domain may be found by calling find_our_domain().
790 * @return The domain structure for the named domain, if it is working.
793 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
795 struct winbindd_domain *domain;
797 /* Search through list */
799 for (domain = domain_list(); domain != NULL; domain = domain->next) {
800 if (strequal(domain_name, domain->name) ||
801 (domain->alt_name[0] &&
802 strequal(domain_name, domain->alt_name))) {
812 struct winbindd_domain *find_domain_from_name(const char *domain_name)
814 struct winbindd_domain *domain;
816 domain = find_domain_from_name_noinit(domain_name);
821 if (!domain->initialized)
822 init_dc_connection(domain);
827 /* Given a domain sid, return the struct winbindd domain info for it */
829 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
831 struct winbindd_domain *domain;
833 /* Search through list */
835 for (domain = domain_list(); domain != NULL; domain = domain->next) {
836 if (sid_compare_domain(sid, &domain->sid) == 0)
845 /* Given a domain sid, return the struct winbindd domain info for it */
847 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
849 struct winbindd_domain *domain;
851 domain = find_domain_from_sid_noinit(sid);
856 if (!domain->initialized)
857 init_dc_connection(domain);
862 struct winbindd_domain *find_our_domain(void)
864 struct winbindd_domain *domain;
866 /* Search through list */
868 for (domain = domain_list(); domain != NULL; domain = domain->next) {
873 smb_panic("Could not find our domain");
877 struct winbindd_domain *find_root_domain(void)
879 struct winbindd_domain *ours = find_our_domain();
884 if ( strlen(ours->forest_name) == 0 )
887 return find_domain_from_name( ours->forest_name );
890 struct winbindd_domain *find_builtin_domain(void)
893 struct winbindd_domain *domain;
895 string_to_sid(&sid, "S-1-5-32");
896 domain = find_domain_from_sid(&sid);
898 if (domain == NULL) {
899 smb_panic("Could not find BUILTIN domain");
905 /* Find the appropriate domain to lookup a name or SID */
907 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
909 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
911 if ( sid_check_is_in_unix_groups(sid) ||
912 sid_check_is_unix_groups(sid) ||
913 sid_check_is_in_unix_users(sid) ||
914 sid_check_is_unix_users(sid) )
916 return find_domain_from_sid(get_global_sam_sid());
919 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
920 * one to contact the external DC's. On member servers the internal
921 * domains are different: These are part of the local SAM. */
923 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n",
924 sid_string_static(sid)));
926 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
927 DEBUG(10, ("calling find_domain_from_sid\n"));
928 return find_domain_from_sid(sid);
931 /* On a member server a query for SID or name can always go to our
934 DEBUG(10, ("calling find_our_domain\n"));
935 return find_our_domain();
938 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
940 if ( strequal(domain_name, unix_users_domain_name() ) ||
941 strequal(domain_name, unix_groups_domain_name() ) )
943 return find_domain_from_name_noinit( get_global_sam_name() );
946 if (IS_DC || strequal(domain_name, "BUILTIN") ||
947 strequal(domain_name, get_global_sam_name()))
948 return find_domain_from_name_noinit(domain_name);
950 /* The "Unix User" and "Unix Group" domain our handled by passdb */
952 return find_our_domain();
955 /* Lookup a sid in a domain from a name */
957 BOOL winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
958 enum winbindd_cmd orig_cmd,
959 struct winbindd_domain *domain,
960 const char *domain_name,
961 const char *name, DOM_SID *sid,
962 enum lsa_SidType *type)
967 result = domain->methods->name_to_sid(domain, mem_ctx, orig_cmd,
968 domain_name, name, sid, type);
970 /* Return sid and type if lookup successful */
971 if (!NT_STATUS_IS_OK(result)) {
972 *type = SID_NAME_UNKNOWN;
975 return NT_STATUS_IS_OK(result);
979 * @brief Lookup a name in a domain from a sid.
981 * @param sid Security ID you want to look up.
982 * @param name On success, set to the name corresponding to @p sid.
983 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
984 * @param type On success, contains the type of name: alias, group or
986 * @retval True if the name exists, in which case @p name and @p type
987 * are set, otherwise False.
989 BOOL winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
990 struct winbindd_domain *domain,
994 enum lsa_SidType *type)
1003 result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
1005 /* Return name and type if successful */
1007 if (NT_STATUS_IS_OK(result)) {
1011 *type = SID_NAME_UNKNOWN;
1016 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
1018 void free_getent_state(struct getent_state *state)
1020 struct getent_state *temp;
1022 /* Iterate over state list */
1026 while(temp != NULL) {
1027 struct getent_state *next;
1029 /* Free sam entries then list entry */
1031 SAFE_FREE(state->sam_entries);
1032 DLIST_REMOVE(state, state);
1040 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1042 static BOOL assume_domain(const char *domain)
1044 /* never assume the domain on a standalone server */
1046 if ( lp_server_role() == ROLE_STANDALONE )
1049 /* domain member servers may possibly assume for the domain name */
1051 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1052 if ( !strequal(lp_workgroup(), domain) )
1055 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1059 /* only left with a domain controller */
1061 if ( strequal(get_global_sam_name(), domain) ) {
1068 /* Parse a string of the form DOMAIN\user into a domain and a user */
1070 BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
1072 char *p = strchr(domuser,*lp_winbind_separator());
1075 fstrcpy(user, domuser);
1077 if ( assume_domain(lp_workgroup())) {
1078 fstrcpy(domain, lp_workgroup());
1079 } else if ((p = strchr(domuser, '@')) != NULL) {
1080 fstrcpy(domain, "");
1086 fstrcpy(domain, domuser);
1087 domain[PTR_DIFF(p, domuser)] = 0;
1095 BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1096 char **domain, char **user)
1098 fstring fstr_domain, fstr_user;
1099 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1102 *domain = talloc_strdup(mem_ctx, fstr_domain);
1103 *user = talloc_strdup(mem_ctx, fstr_user);
1104 return ((*domain != NULL) && (*user != NULL));
1107 /* Ensure an incoming username from NSS is fully qualified. Replace the
1108 incoming fstring with DOMAIN <separator> user. Returns the same
1109 values as parse_domain_user() but also replaces the incoming username.
1110 Used to ensure all names are fully qualified within winbindd.
1111 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1112 The protocol definitions of auth_crap, chng_pswd_auth_crap
1113 really should be changed to use this instead of doing things
1116 BOOL canonicalize_username(fstring username_inout, fstring domain, fstring user)
1118 if (!parse_domain_user(username_inout, domain, user)) {
1121 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1122 domain, *lp_winbind_separator(),
1128 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1129 'winbind separator' options.
1131 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1134 If we are a PDC or BDC, and this is for our domain, do likewise.
1136 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1137 username is then unqualified in unix
1139 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1141 void fill_domain_username(fstring name, const char *domain, const char *user, BOOL can_assume)
1145 fstrcpy(tmp_user, user);
1146 strlower_m(tmp_user);
1148 if (can_assume && assume_domain(domain)) {
1149 strlcpy(name, tmp_user, sizeof(fstring));
1151 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1152 domain, *lp_winbind_separator(),
1158 * Winbindd socket accessor functions
1161 char *get_winbind_priv_pipe_dir(void)
1163 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1167 * Client list accessor functions
1170 static struct winbindd_cli_state *_client_list;
1171 static int _num_clients;
1173 /* Return list of all connected clients */
1175 struct winbindd_cli_state *winbindd_client_list(void)
1177 return _client_list;
1180 /* Add a connection to the list */
1182 void winbindd_add_client(struct winbindd_cli_state *cli)
1184 DLIST_ADD(_client_list, cli);
1188 /* Remove a client from the list */
1190 void winbindd_remove_client(struct winbindd_cli_state *cli)
1192 DLIST_REMOVE(_client_list, cli);
1196 /* Close all open clients */
1198 void winbindd_kill_all_clients(void)
1200 struct winbindd_cli_state *cl = winbindd_client_list();
1202 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1205 struct winbindd_cli_state *next;
1208 winbindd_remove_client(cl);
1213 /* Return number of open clients */
1215 int winbindd_num_clients(void)
1217 return _num_clients;
1220 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1221 TALLOC_CTX *mem_ctx,
1222 const DOM_SID *user_sid,
1223 uint32 *p_num_groups, DOM_SID **user_sids)
1225 NET_USER_INFO_3 *info3 = NULL;
1226 NTSTATUS status = NT_STATUS_NO_MEMORY;
1228 size_t num_groups = 0;
1229 DOM_SID group_sid, primary_group;
1231 DEBUG(3,(": lookup_usergroups_cached\n"));
1237 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1239 if (info3 == NULL) {
1240 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1243 if (info3->num_groups == 0) {
1245 return NT_STATUS_UNSUCCESSFUL;
1248 /* always add the primary group to the sid array */
1249 sid_compose(&primary_group, &info3->dom_sid.sid, info3->user_rid);
1251 if (!add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups)) {
1253 return NT_STATUS_NO_MEMORY;
1256 for (i=0; i<info3->num_groups; i++) {
1257 sid_copy(&group_sid, &info3->dom_sid.sid);
1258 sid_append_rid(&group_sid, info3->gids[i].g_rid);
1260 if (!add_sid_to_array(mem_ctx, &group_sid, user_sids,
1263 return NT_STATUS_NO_MEMORY;
1267 /* Add any Universal groups in the other_sids list */
1269 for (i=0; i<info3->num_other_sids; i++) {
1270 /* Skip Domain local groups outside our domain.
1271 We'll get these from the getsidaliases() RPC call. */
1272 if (info3->other_sids_attrib[i] & SE_GROUP_RESOURCE)
1275 if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid,
1276 user_sids, &num_groups))
1279 return NT_STATUS_NO_MEMORY;
1285 *p_num_groups = num_groups;
1286 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1288 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1293 /*********************************************************************
1294 We use this to remove spaces from user and group names
1295 ********************************************************************/
1297 void ws_name_replace( char *name, char replace )
1299 char replace_char[2] = { 0x0, 0x0 };
1301 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1304 replace_char[0] = replace;
1305 all_string_sub( name, " ", replace_char, 0 );
1310 /*********************************************************************
1311 We use this to do the inverse of ws_name_replace()
1312 ********************************************************************/
1314 void ws_name_return( char *name, char replace )
1316 char replace_char[2] = { 0x0, 0x0 };
1318 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1321 replace_char[0] = replace;
1322 all_string_sub( name, replace_char, " ", 0 );
1327 /*********************************************************************
1328 ********************************************************************/
1330 BOOL winbindd_can_contact_domain( struct winbindd_domain *domain )
1332 /* We can contact the domain if it is our primary domain */
1334 if ( domain->primary )
1337 /* Can always contact a domain that is in out forest */
1339 if ( domain->domain_flags & DS_DOMAIN_IN_FOREST )
1342 /* We cannot contact the domain if it is running AD and
1343 we have no inbound trust */
1345 if ( domain->active_directory &&
1346 ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) )
1351 /* Assume everything else is ok (probably not true but what
1357 /*********************************************************************
1358 ********************************************************************/
1360 BOOL winbindd_internal_child(struct winbindd_child *child)
1362 if ((child == idmap_child()) || (child == locator_child())) {
1369 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1371 /*********************************************************************
1372 ********************************************************************/
1374 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1377 const char *kdc = NULL;
1380 if (!domain || !domain->alt_name || !*domain->alt_name) {
1384 if (domain->initialized && !domain->active_directory) {
1385 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1390 kdc = inet_ntoa(domain->dcaddr.sin_addr);
1392 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1394 kdc = domain->dcname;
1397 if (!kdc || !*kdc) {
1398 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1403 if (asprintf(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1404 strupper_static(domain->alt_name)) == -1) {
1408 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1411 setenv(var, kdc, 1);
1415 /*********************************************************************
1416 ********************************************************************/
1418 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1420 struct winbindd_domain *our_dom = find_our_domain();
1422 winbindd_set_locator_kdc_env(domain);
1424 if (domain != our_dom) {
1425 winbindd_set_locator_kdc_env(our_dom);
1429 /*********************************************************************
1430 ********************************************************************/
1432 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1436 if (!domain || !domain->alt_name || !*domain->alt_name) {
1440 if (asprintf(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1441 strupper_static(domain->alt_name)) == -1) {
1450 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1455 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1460 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
git.samba.org / sfrench / samba-autobuild / .git / blob