2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
35 * @file winbindd_util.c
37 * Winbind daemon for NT domain authentication nss module.
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
46 static struct winbindd_domain *_domain_list = NULL;
48 struct winbindd_domain *domain_list(void)
52 if ((!_domain_list) && (!init_domain_list())) {
53 smb_panic("Init_domain_list failed");
59 /* Free all entries in the trusted domain list */
61 static void free_domain_list(void)
63 struct winbindd_domain *domain = _domain_list;
66 struct winbindd_domain *next = domain->next;
68 DLIST_REMOVE(_domain_list, domain);
74 static bool is_internal_domain(const DOM_SID *sid)
79 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
82 static bool is_in_internal_domain(const DOM_SID *sid)
87 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
91 /* Add a trusted domain to our list of domains */
92 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
93 struct winbindd_methods *methods,
96 struct winbindd_domain *domain;
97 const char *alternative_name = NULL;
98 char *idmap_config_option;
100 const char **ignored_domains, **dom;
102 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
103 for (dom=ignored_domains; dom && *dom; dom++) {
104 if (gen_fnmatch(*dom, domain_name) == 0) {
105 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
110 /* ignore alt_name if we are not in an AD domain */
112 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
113 alternative_name = alt_name;
116 /* We can't call domain_list() as this function is called from
117 init_domain_list() and we'll get stuck in a loop. */
118 for (domain = _domain_list; domain; domain = domain->next) {
119 if (strequal(domain_name, domain->name) ||
120 strequal(domain_name, domain->alt_name))
125 if (alternative_name && *alternative_name)
127 if (strequal(alternative_name, domain->name) ||
128 strequal(alternative_name, domain->alt_name))
136 if (is_null_sid(sid)) {
140 if (sid_equal(sid, &domain->sid)) {
146 if (domain != NULL) {
148 * We found a match. Possibly update the SID
151 && sid_equal(&domain->sid, &global_sid_NULL)) {
152 sid_copy( &domain->sid, sid );
157 /* Create new domain entry */
159 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
164 ZERO_STRUCTP(domain);
166 fstrcpy(domain->name, domain_name);
167 if (alternative_name) {
168 fstrcpy(domain->alt_name, alternative_name);
171 domain->methods = methods;
172 domain->backend = NULL;
173 domain->internal = is_internal_domain(sid);
174 domain->sequence_number = DOM_SEQUENCE_NONE;
175 domain->last_seq_check = 0;
176 domain->initialized = False;
177 domain->online = is_internal_domain(sid);
178 domain->check_online_timeout = 0;
179 domain->dc_probe_pid = (pid_t)-1;
181 sid_copy(&domain->sid, sid);
184 /* Link to domain list */
185 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
187 wcache_tdc_add_domain( domain );
189 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
191 if (idmap_config_option == NULL) {
192 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
196 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
198 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
199 param ? param : "not defined"));
202 unsigned low_id, high_id;
203 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
204 DEBUG(1, ("invalid range syntax in %s: %s\n",
205 idmap_config_option, param));
208 if (low_id > high_id) {
209 DEBUG(1, ("invalid range in %s: %s\n",
210 idmap_config_option, param));
213 domain->have_idmap_config = true;
214 domain->id_range_low = low_id;
215 domain->id_range_high = high_id;
220 DEBUG(2,("Added domain %s %s %s\n",
221 domain->name, domain->alt_name,
222 &domain->sid?sid_string_dbg(&domain->sid):""));
227 bool domain_is_forest_root(const struct winbindd_domain *domain)
229 const uint32_t fr_flags =
230 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
232 return ((domain->domain_flags & fr_flags) == fr_flags);
235 /********************************************************************
236 rescan our domains looking for new trusted domains
237 ********************************************************************/
239 struct trustdom_state {
243 struct winbindd_response *response;
246 static void trustdom_recv(void *private_data, bool success);
247 static void rescan_forest_root_trusts( void );
248 static void rescan_forest_trusts( void );
250 static void add_trusted_domains( struct winbindd_domain *domain )
253 struct winbindd_request *request;
254 struct winbindd_response *response;
255 struct trustdom_state *state;
257 mem_ctx = talloc_init("add_trusted_domains");
258 if (mem_ctx == NULL) {
259 DEBUG(0, ("talloc_init failed\n"));
263 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
264 response = TALLOC_P(mem_ctx, struct winbindd_response);
265 state = TALLOC_P(mem_ctx, struct trustdom_state);
267 if ((request == NULL) || (response == NULL) || (state == NULL)) {
268 DEBUG(0, ("talloc failed\n"));
269 talloc_destroy(mem_ctx);
273 state->mem_ctx = mem_ctx;
274 state->response = response;
276 /* Flags used to know how to continue the forest trust search */
278 state->primary = domain->primary;
279 state->forest_root = domain_is_forest_root(domain);
281 request->length = sizeof(*request);
282 request->cmd = WINBINDD_LIST_TRUSTDOM;
284 async_domain_request(mem_ctx, domain, request, response,
285 trustdom_recv, state);
288 static void trustdom_recv(void *private_data, bool success)
290 struct trustdom_state *state =
291 talloc_get_type_abort(private_data, struct trustdom_state);
292 struct winbindd_response *response = state->response;
295 if ((!success) || (response->result != WINBINDD_OK)) {
296 DEBUG(1, ("Could not receive trustdoms\n"));
297 talloc_destroy(state->mem_ctx);
301 p = (char *)response->extra_data.data;
303 while ((p != NULL) && (*p != '\0')) {
304 char *q, *sidstr, *alt_name;
306 struct winbindd_domain *domain;
307 char *alternate_name = NULL;
309 alt_name = strchr(p, '\\');
310 if (alt_name == NULL) {
311 DEBUG(0, ("Got invalid trustdom response\n"));
318 sidstr = strchr(alt_name, '\\');
319 if (sidstr == NULL) {
320 DEBUG(0, ("Got invalid trustdom response\n"));
327 q = strchr(sidstr, '\n');
331 if (!string_to_sid(&sid, sidstr)) {
332 DEBUG(0, ("Got invalid trustdom response\n"));
336 /* use the real alt_name if we have one, else pass in NULL */
338 if ( !strequal( alt_name, "(null)" ) )
339 alternate_name = alt_name;
341 /* If we have an existing domain structure, calling
342 add_trusted_domain() will update the SID if
343 necessary. This is important because we need the
344 SID for sibling domains */
346 if ( find_domain_from_name_noinit(p) != NULL ) {
347 domain = add_trusted_domain(p, alternate_name,
351 domain = add_trusted_domain(p, alternate_name,
355 setup_domain_child(domain);
364 Cases to consider when scanning trusts:
365 (a) we are calling from a child domain (primary && !forest_root)
366 (b) we are calling from the root of the forest (primary && forest_root)
367 (c) we are calling from a trusted forest domain (!primary
371 if ( state->primary ) {
372 /* If this is our primary domain and we are not in the
373 forest root, we have to scan the root trusts first */
375 if ( !state->forest_root )
376 rescan_forest_root_trusts();
378 rescan_forest_trusts();
380 } else if ( state->forest_root ) {
381 /* Once we have done root forest trust search, we can
382 go on to search the trusted forests */
384 rescan_forest_trusts();
387 talloc_destroy(state->mem_ctx);
392 /********************************************************************
393 Scan the trusts of our forest root
394 ********************************************************************/
396 static void rescan_forest_root_trusts( void )
398 struct winbindd_tdc_domain *dom_list = NULL;
399 size_t num_trusts = 0;
402 /* The only transitive trusts supported by Windows 2003 AD are
403 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
404 first two are handled in forest and listed by
405 DsEnumerateDomainTrusts(). Forest trusts are not so we
406 have to do that ourselves. */
408 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
411 for ( i=0; i<num_trusts; i++ ) {
412 struct winbindd_domain *d = NULL;
414 /* Find the forest root. Don't necessarily trust
415 the domain_list() as our primary domain may not
416 have been initialized. */
418 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
422 /* Here's the forest root */
424 d = find_domain_from_name_noinit( dom_list[i].domain_name );
427 d = add_trusted_domain( dom_list[i].domain_name,
428 dom_list[i].dns_name,
437 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
438 "for domain tree root %s (%s)\n",
439 d->name, d->alt_name ));
441 d->domain_flags = dom_list[i].trust_flags;
442 d->domain_type = dom_list[i].trust_type;
443 d->domain_trust_attribs = dom_list[i].trust_attribs;
445 add_trusted_domains( d );
450 TALLOC_FREE( dom_list );
455 /********************************************************************
456 scan the transitive forest trusts (not our own)
457 ********************************************************************/
460 static void rescan_forest_trusts( void )
462 struct winbindd_domain *d = NULL;
463 struct winbindd_tdc_domain *dom_list = NULL;
464 size_t num_trusts = 0;
467 /* The only transitive trusts supported by Windows 2003 AD are
468 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
469 first two are handled in forest and listed by
470 DsEnumerateDomainTrusts(). Forest trusts are not so we
471 have to do that ourselves. */
473 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
476 for ( i=0; i<num_trusts; i++ ) {
477 uint32 flags = dom_list[i].trust_flags;
478 uint32 type = dom_list[i].trust_type;
479 uint32 attribs = dom_list[i].trust_attribs;
481 d = find_domain_from_name_noinit( dom_list[i].domain_name );
483 /* ignore our primary and internal domains */
485 if ( d && (d->internal || d->primary ) )
488 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
489 (type == NETR_TRUST_TYPE_UPLEVEL) &&
490 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
492 /* add the trusted domain if we don't know
496 d = add_trusted_domain( dom_list[i].domain_name,
497 dom_list[i].dns_name,
506 DEBUG(10,("Following trust path for domain %s (%s)\n",
507 d->name, d->alt_name ));
508 add_trusted_domains( d );
512 TALLOC_FREE( dom_list );
517 /*********************************************************************
518 The process of updating the trusted domain list is a three step
521 (b) ask the root domain in our forest
522 (c) ask the a DC in any Win2003 trusted forests
523 *********************************************************************/
525 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
526 struct timeval now, void *private_data)
530 /* I use to clear the cache here and start over but that
531 caused problems in child processes that needed the
532 trust dom list early on. Removing it means we
533 could have some trusted domains listed that have been
534 removed from our primary domain's DC until a full
535 restart. This should be ok since I think this is what
536 Windows does as well. */
538 /* this will only add new domains we didn't already know about
539 in the domain_list()*/
541 add_trusted_domains( find_our_domain() );
543 te = tevent_add_timer(
544 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
545 rescan_trusted_domains, NULL);
547 * If te == NULL, there's not much we can do here. Don't fail, the
548 * only thing we miss is new trusted domains.
554 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
555 struct winbindd_cli_state *state)
557 /* Ensure null termination */
558 state->request->domain_name
559 [sizeof(state->request->domain_name)-1]='\0';
560 state->request->data.init_conn.dcname
561 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
563 if (strlen(state->request->data.init_conn.dcname) > 0) {
564 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
567 if (domain->internal) {
568 domain->initialized = true;
570 init_dc_connection(domain);
573 if (!domain->initialized) {
574 /* If we return error here we can't do any cached authentication,
575 but we may be in disconnected mode and can't initialize correctly.
576 Do what the previous code did and just return without initialization,
577 once we go online we'll re-initialize.
579 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
580 "online = %d\n", domain->name, (int)domain->online ));
583 fstrcpy(state->response->data.domain_info.name, domain->name);
584 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
585 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
587 state->response->data.domain_info.native_mode
588 = domain->native_mode;
589 state->response->data.domain_info.active_directory
590 = domain->active_directory;
591 state->response->data.domain_info.primary
597 /* Look up global info for the winbind daemon */
598 bool init_domain_list(void)
600 struct winbindd_domain *domain;
601 int role = lp_server_role();
603 /* Free existing list */
608 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
609 &global_sid_Builtin);
611 setup_domain_child(domain);
616 domain = add_trusted_domain(get_global_sam_name(), NULL,
617 &sam_passdb_methods, get_global_sam_sid());
619 if ( role != ROLE_DOMAIN_MEMBER ) {
620 domain->primary = True;
622 setup_domain_child(domain);
625 /* Add ourselves as the first entry. */
627 if ( role == ROLE_DOMAIN_MEMBER ) {
630 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
631 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
635 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
636 &cache_methods, &our_sid);
638 domain->primary = True;
639 setup_domain_child(domain);
641 /* Even in the parent winbindd we'll need to
642 talk to the DC, so try and see if we can
643 contact it. Theoretically this isn't neccessary
644 as the init_dc_connection() in init_child_recv()
645 will do this, but we can start detecting the DC
647 set_domain_online_request(domain);
654 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
656 struct winbindd_domain *domain;
660 /* Check if we even care */
662 if (!lp_allow_trusted_domains())
665 domain = find_domain_from_name_noinit( name );
669 sid_copy( &dom_sid, user_sid );
670 if ( !sid_split_rid( &dom_sid, &rid ) )
673 /* add the newly discovered trusted domain */
675 domain = add_trusted_domain( name, NULL, &cache_methods,
681 /* assume this is a trust from a one-way transitive
684 domain->active_directory = True;
685 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
686 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
687 domain->internal = False;
688 domain->online = True;
690 setup_domain_child(domain);
692 wcache_tdc_add_domain( domain );
698 * Given a domain name, return the struct winbindd domain info for it
700 * @note Do *not* pass lp_workgroup() to this function. domain_list
701 * may modify it's value, and free that pointer. Instead, our local
702 * domain may be found by calling find_our_domain().
706 * @return The domain structure for the named domain, if it is working.
709 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
711 struct winbindd_domain *domain;
713 /* Search through list */
715 for (domain = domain_list(); domain != NULL; domain = domain->next) {
716 if (strequal(domain_name, domain->name) ||
717 (domain->alt_name[0] &&
718 strequal(domain_name, domain->alt_name))) {
728 struct winbindd_domain *find_domain_from_name(const char *domain_name)
730 struct winbindd_domain *domain;
732 domain = find_domain_from_name_noinit(domain_name);
737 if (!domain->initialized)
738 init_dc_connection(domain);
743 /* Given a domain sid, return the struct winbindd domain info for it */
745 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
747 struct winbindd_domain *domain;
749 /* Search through list */
751 for (domain = domain_list(); domain != NULL; domain = domain->next) {
752 if (sid_compare_domain(sid, &domain->sid) == 0)
761 /* Given a domain sid, return the struct winbindd domain info for it */
763 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
765 struct winbindd_domain *domain;
767 domain = find_domain_from_sid_noinit(sid);
772 if (!domain->initialized)
773 init_dc_connection(domain);
778 struct winbindd_domain *find_our_domain(void)
780 struct winbindd_domain *domain;
782 /* Search through list */
784 for (domain = domain_list(); domain != NULL; domain = domain->next) {
789 smb_panic("Could not find our domain");
793 struct winbindd_domain *find_root_domain(void)
795 struct winbindd_domain *ours = find_our_domain();
797 if (ours->forest_name[0] == '\0') {
801 return find_domain_from_name( ours->forest_name );
804 struct winbindd_domain *find_builtin_domain(void)
806 struct winbindd_domain *domain;
808 domain = find_domain_from_sid(&global_sid_Builtin);
809 if (domain == NULL) {
810 smb_panic("Could not find BUILTIN domain");
816 /* Find the appropriate domain to lookup a name or SID */
818 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
820 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
822 if ( sid_check_is_in_unix_groups(sid) ||
823 sid_check_is_unix_groups(sid) ||
824 sid_check_is_in_unix_users(sid) ||
825 sid_check_is_unix_users(sid) )
827 return find_domain_from_sid(get_global_sam_sid());
830 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
831 * one to contact the external DC's. On member servers the internal
832 * domains are different: These are part of the local SAM. */
834 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
836 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
837 DEBUG(10, ("calling find_domain_from_sid\n"));
838 return find_domain_from_sid(sid);
841 /* On a member server a query for SID or name can always go to our
844 DEBUG(10, ("calling find_our_domain\n"));
845 return find_our_domain();
848 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
850 if ( strequal(domain_name, unix_users_domain_name() ) ||
851 strequal(domain_name, unix_groups_domain_name() ) )
854 * The "Unix User" and "Unix Group" domain our handled by
857 return find_domain_from_name_noinit( get_global_sam_name() );
860 if (IS_DC || strequal(domain_name, "BUILTIN") ||
861 strequal(domain_name, get_global_sam_name()))
862 return find_domain_from_name_noinit(domain_name);
865 return find_our_domain();
868 /* Is this a domain which we may assume no DOMAIN\ prefix? */
870 static bool assume_domain(const char *domain)
872 /* never assume the domain on a standalone server */
874 if ( lp_server_role() == ROLE_STANDALONE )
877 /* domain member servers may possibly assume for the domain name */
879 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
880 if ( !strequal(lp_workgroup(), domain) )
883 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
887 /* only left with a domain controller */
889 if ( strequal(get_global_sam_name(), domain) ) {
896 /* Parse a string of the form DOMAIN\user into a domain and a user */
898 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
900 char *p = strchr(domuser,*lp_winbind_separator());
903 fstrcpy(user, domuser);
905 if ( assume_domain(lp_workgroup())) {
906 fstrcpy(domain, lp_workgroup());
907 } else if ((p = strchr(domuser, '@')) != NULL) {
908 fstrcpy(domain, p + 1);
909 user[PTR_DIFF(p, domuser)] = 0;
915 fstrcpy(domain, domuser);
916 domain[PTR_DIFF(p, domuser)] = 0;
924 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
925 char **domain, char **user)
927 fstring fstr_domain, fstr_user;
928 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
931 *domain = talloc_strdup(mem_ctx, fstr_domain);
932 *user = talloc_strdup(mem_ctx, fstr_user);
933 return ((*domain != NULL) && (*user != NULL));
936 /* add a domain user name to a buffer */
937 void parse_add_domuser(void *buf, char *domuser, int *len)
943 p = strchr(domuser, *lp_winbind_separator());
947 fstrcpy(domain, domuser);
948 domain[PTR_DIFF(p, domuser)] = 0;
951 if (assume_domain(domain)) {
954 *len -= (PTR_DIFF(p, domuser));
958 safe_strcpy((char *)buf, user, *len);
961 /* Ensure an incoming username from NSS is fully qualified. Replace the
962 incoming fstring with DOMAIN <separator> user. Returns the same
963 values as parse_domain_user() but also replaces the incoming username.
964 Used to ensure all names are fully qualified within winbindd.
965 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
966 The protocol definitions of auth_crap, chng_pswd_auth_crap
967 really should be changed to use this instead of doing things
970 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
972 if (!parse_domain_user(username_inout, domain, user)) {
975 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
976 domain, *lp_winbind_separator(),
982 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
983 'winbind separator' options.
985 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
988 If we are a PDC or BDC, and this is for our domain, do likewise.
990 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
991 username is then unqualified in unix
993 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
995 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
999 fstrcpy(tmp_user, user);
1000 strlower_m(tmp_user);
1002 if (can_assume && assume_domain(domain)) {
1003 strlcpy(name, tmp_user, sizeof(fstring));
1005 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1006 domain, *lp_winbind_separator(),
1012 * talloc version of fill_domain_username()
1013 * return NULL on talloc failure.
1015 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1020 char *tmp_user, *name;
1022 tmp_user = talloc_strdup(mem_ctx, user);
1023 strlower_m(tmp_user);
1025 if (can_assume && assume_domain(domain)) {
1028 name = talloc_asprintf(mem_ctx, "%s%c%s",
1030 *lp_winbind_separator(),
1032 TALLOC_FREE(tmp_user);
1039 * Winbindd socket accessor functions
1042 const char *get_winbind_pipe_dir(void)
1044 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1047 char *get_winbind_priv_pipe_dir(void)
1049 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1052 /* Open the winbindd socket */
1054 static int _winbindd_socket = -1;
1055 static int _winbindd_priv_socket = -1;
1057 int open_winbindd_socket(void)
1059 if (_winbindd_socket == -1) {
1060 _winbindd_socket = create_pipe_sock(
1061 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1062 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1066 return _winbindd_socket;
1069 int open_winbindd_priv_socket(void)
1071 if (_winbindd_priv_socket == -1) {
1072 _winbindd_priv_socket = create_pipe_sock(
1073 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1074 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1075 _winbindd_priv_socket));
1078 return _winbindd_priv_socket;
1082 * Client list accessor functions
1085 static struct winbindd_cli_state *_client_list;
1086 static int _num_clients;
1088 /* Return list of all connected clients */
1090 struct winbindd_cli_state *winbindd_client_list(void)
1092 return _client_list;
1095 /* Add a connection to the list */
1097 void winbindd_add_client(struct winbindd_cli_state *cli)
1099 DLIST_ADD(_client_list, cli);
1103 /* Remove a client from the list */
1105 void winbindd_remove_client(struct winbindd_cli_state *cli)
1107 DLIST_REMOVE(_client_list, cli);
1111 /* Close all open clients */
1113 void winbindd_kill_all_clients(void)
1115 struct winbindd_cli_state *cl = winbindd_client_list();
1117 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1120 struct winbindd_cli_state *next;
1123 winbindd_remove_client(cl);
1128 /* Return number of open clients */
1130 int winbindd_num_clients(void)
1132 return _num_clients;
1135 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1136 TALLOC_CTX *mem_ctx,
1137 const DOM_SID *user_sid,
1138 uint32 *p_num_groups, DOM_SID **user_sids)
1140 struct netr_SamInfo3 *info3 = NULL;
1141 NTSTATUS status = NT_STATUS_NO_MEMORY;
1142 size_t num_groups = 0;
1144 DEBUG(3,(": lookup_usergroups_cached\n"));
1149 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1151 if (info3 == NULL) {
1152 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1155 if (info3->base.groups.count == 0) {
1157 return NT_STATUS_UNSUCCESSFUL;
1160 /* Skip Domain local groups outside our domain.
1161 We'll get these from the getsidaliases() RPC call. */
1162 status = sid_array_from_info3(mem_ctx, info3,
1167 if (!NT_STATUS_IS_OK(status)) {
1173 *p_num_groups = num_groups;
1174 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1176 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1181 /*********************************************************************
1182 We use this to remove spaces from user and group names
1183 ********************************************************************/
1185 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1186 struct winbindd_domain *domain,
1192 if (!name || !normalized) {
1193 return NT_STATUS_INVALID_PARAMETER;
1196 if (!lp_winbind_normalize_names()) {
1197 return NT_STATUS_PROCEDURE_NOT_FOUND;
1200 /* Alias support and whitespace replacement are mutually
1203 nt_status = resolve_username_to_alias(mem_ctx, domain,
1205 if (NT_STATUS_IS_OK(nt_status)) {
1206 /* special return code to let the caller know we
1207 mapped to an alias */
1208 return NT_STATUS_FILE_RENAMED;
1211 /* check for an unreachable domain */
1213 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1214 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1216 set_domain_offline(domain);
1220 /* deal with whitespace */
1222 *normalized = talloc_strdup(mem_ctx, name);
1223 if (!(*normalized)) {
1224 return NT_STATUS_NO_MEMORY;
1227 all_string_sub( *normalized, " ", "_", 0 );
1229 return NT_STATUS_OK;
1232 /*********************************************************************
1233 We use this to do the inverse of normalize_name_map()
1234 ********************************************************************/
1236 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1241 struct winbindd_domain *domain = find_our_domain();
1243 if (!name || !normalized) {
1244 return NT_STATUS_INVALID_PARAMETER;
1247 if (!lp_winbind_normalize_names()) {
1248 return NT_STATUS_PROCEDURE_NOT_FOUND;
1251 /* Alias support and whitespace replacement are mutally
1254 /* When mapping from an alias to a username, we don't know the
1255 domain. But we only need a domain structure to cache
1256 a successful lookup , so just our own domain structure for
1259 nt_status = resolve_alias_to_username(mem_ctx, domain,
1261 if (NT_STATUS_IS_OK(nt_status)) {
1262 /* Special return code to let the caller know we mapped
1264 return NT_STATUS_FILE_RENAMED;
1267 /* check for an unreachable domain */
1269 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1270 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1272 set_domain_offline(domain);
1276 /* deal with whitespace */
1278 *normalized = talloc_strdup(mem_ctx, name);
1279 if (!(*normalized)) {
1280 return NT_STATUS_NO_MEMORY;
1283 all_string_sub(*normalized, "_", " ", 0);
1285 return NT_STATUS_OK;
1288 /*********************************************************************
1289 ********************************************************************/
1291 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1293 struct winbindd_tdc_domain *tdc = NULL;
1294 TALLOC_CTX *frame = talloc_stackframe();
1297 /* We can contact the domain if it is our primary domain */
1299 if (domain->primary) {
1303 /* Trust the TDC cache and not the winbindd_domain flags */
1305 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1306 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1311 /* Can always contact a domain that is in out forest */
1313 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1319 * On a _member_ server, we cannot contact the domain if it
1320 * is running AD and we have no inbound trust.
1324 domain->active_directory &&
1325 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1327 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1328 "and we have no inbound trust.\n", domain->name));
1332 /* Assume everything else is ok (probably not true but what
1338 talloc_destroy(frame);
1343 /*********************************************************************
1344 ********************************************************************/
1346 bool winbindd_internal_child(struct winbindd_child *child)
1348 if ((child == idmap_child()) || (child == locator_child())) {
1355 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1357 /*********************************************************************
1358 ********************************************************************/
1360 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1363 char addr[INET6_ADDRSTRLEN];
1364 const char *kdc = NULL;
1367 if (!domain || !domain->alt_name || !*domain->alt_name) {
1371 if (domain->initialized && !domain->active_directory) {
1372 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1377 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1380 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1382 kdc = domain->dcname;
1385 if (!kdc || !*kdc) {
1386 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1391 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1392 domain->alt_name) == -1) {
1396 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1399 setenv(var, kdc, 1);
1403 /*********************************************************************
1404 ********************************************************************/
1406 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1408 struct winbindd_domain *our_dom = find_our_domain();
1410 winbindd_set_locator_kdc_env(domain);
1412 if (domain != our_dom) {
1413 winbindd_set_locator_kdc_env(our_dom);
1417 /*********************************************************************
1418 ********************************************************************/
1420 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1424 if (!domain || !domain->alt_name || !*domain->alt_name) {
1428 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1429 domain->alt_name) == -1) {
1438 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1443 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1448 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1450 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1452 resp->data.auth.nt_status = NT_STATUS_V(result);
1453 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1455 /* we might have given a more useful error above */
1456 if (*resp->data.auth.error_string == '\0')
1457 fstrcpy(resp->data.auth.error_string,
1458 get_friendly_nt_error_msg(result));
1459 resp->data.auth.pam_error = nt_status_to_pam(result);
1462 bool is_domain_offline(const struct winbindd_domain *domain)
1464 if (!lp_winbind_offline_logon()) {
1467 if (get_global_winbindd_state_offline()) {
1470 return !domain->online;
git.samba.org / sfrench / samba-autobuild / .git / blob