2 Unix SMB/Netbios implementation.
5 Winbind daemon for ntdom nss module
7 Copyright (C) Tim Potter 2000
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 static void winbindd_kill_connections(struct winbindd_domain *domain);
29 /* Debug connection state */
31 void debug_conn_state(void)
33 struct winbindd_domain *domain;
35 DEBUG(3, ("server: dc=%s, pwdb_init=%d, lsa_hnd=%d\n",
36 server_state.controller,
37 server_state.pwdb_initialised,
38 server_state.lsa_handle_open));
40 for (domain = domain_list; domain; domain = domain->next) {
41 DEBUG(3, ("%s: dc=%s, got_sid=%d, sam_hnd=%d sam_dom_hnd=%d\n",
42 domain->name, domain->controller,
43 domain->got_domain_info, domain->sam_handle_open,
44 domain->sam_dom_handle_open));
48 /* Add a trusted domain to our list of domains */
50 static struct winbindd_domain *add_trusted_domain(char *domain_name)
52 struct winbindd_domain *domain, *tmp;
54 for (tmp = domain_list; tmp != NULL; tmp = tmp->next) {
55 if (strcmp(domain_name, tmp->name) == 0) {
56 DEBUG(3, ("domain %s already in trusted list\n",
62 DEBUG(1, ("adding trusted domain %s\n", domain_name));
64 /* Create new domain entry */
66 if ((domain = (struct winbindd_domain *)malloc(sizeof(*domain))) == NULL) {
75 fstrcpy(domain->name, domain_name);
78 /* Link to domain list */
80 DLIST_ADD(domain_list, domain);
85 /* Look up global info for the winbind daemon */
87 static BOOL get_trusted_domains(void)
91 char **domains = NULL;
96 DEBUG(1, ("getting trusted domain list\n"));
98 /* Add our workgroup - keep handle to look up trusted domains */
99 if (!add_trusted_domain(lp_workgroup())) {
100 DEBUG(0, ("could not add record for domain %s\n",
105 /* Enumerate list of trusted domains */
106 result = wb_lsa_enum_trust_dom(&server_state.lsa_handle, &enum_ctx,
107 &num_doms, &domains, &sids);
109 if (!result || !domains) return False;
111 /* Add each domain to the trusted domain list */
112 for(i = 0; i < num_doms; i++) {
113 if (!add_trusted_domain(domains[i])) {
114 DEBUG(0, ("could not add record for domain %s\n",
123 /* Open sam and sam domain handles */
125 static BOOL open_sam_handles(struct winbindd_domain *domain)
127 /* Get domain info (sid and controller name) */
129 if (!domain->got_domain_info) {
130 domain->got_domain_info = get_domain_info(domain);
131 if (!domain->got_domain_info) return False;
134 /* Shut down existing sam handles */
136 if (domain->sam_dom_handle_open) {
137 wb_samr_close(&domain->sam_dom_handle);
138 domain->sam_dom_handle_open = False;
141 if (domain->sam_handle_open) {
142 wb_samr_close(&domain->sam_handle);
143 domain->sam_handle_open = False;
146 /* Open sam handle */
148 domain->sam_handle_open =
149 wb_samr_connect(domain->controller,
150 SEC_RIGHTS_MAXIMUM_ALLOWED,
151 &domain->sam_handle);
153 if (!domain->sam_handle_open) return False;
155 /* Open sam domain handle */
157 domain->sam_dom_handle_open =
158 wb_samr_open_domain(&domain->sam_handle,
159 SEC_RIGHTS_MAXIMUM_ALLOWED,
161 &domain->sam_dom_handle);
163 if (!domain->sam_dom_handle_open) return False;
168 static BOOL rpc_hnd_ok(CLI_POLICY_HND *hnd)
170 return hnd->cli->fd != -1;
173 /* Return true if the SAM domain handles are open and responding. */
175 BOOL domain_handles_open(struct winbindd_domain *domain)
180 /* Check we haven't checked too recently */
184 if ((t - domain->last_check) < WINBINDD_ESTABLISH_LOOP) {
185 return domain->sam_handle_open &&
186 domain->sam_dom_handle_open;
189 DEBUG(3, ("checking domain handles for domain %s\n", domain->name));
192 domain->last_check = t;
194 /* Open sam handles if they are marked as closed */
196 if (!domain->sam_handle_open || !domain->sam_dom_handle_open) {
198 DEBUG(3, ("opening sam handles\n"));
199 return open_sam_handles(domain);
202 /* Check sam handles are ok - the domain controller may have failed
203 and we need to move to a BDC. */
205 if (!rpc_hnd_ok(&domain->sam_handle) ||
206 !rpc_hnd_ok(&domain->sam_dom_handle)) {
208 /* We want to close the current connection but attempt
209 to open a new set, possibly to a new dc. If this
210 doesn't work then return False as we have no dc
213 DEBUG(3, ("sam handles not responding\n"));
215 winbindd_kill_connections(domain);
219 result = domain->sam_handle_open && domain->sam_dom_handle_open;
224 /* Shut down connections to all domain controllers */
226 static void winbindd_kill_connections(struct winbindd_domain *domain)
228 /* Kill all connections */
231 struct winbindd_domain *tmp;
233 for (tmp = domain_list; tmp; tmp = tmp->next) {
234 winbindd_kill_connections(domain);
240 /* Log a level 0 message - this is probably a domain controller
243 if (!domain->controller[0])
246 DEBUG(0, ("killing connections to domain %s with controller %s\n",
247 domain->name, domain->controller));
251 /* Close LSA connections if we are killing connections to the dc
252 that has them open. */
254 if (strequal(server_state.controller, domain->controller)) {
255 server_state.pwdb_initialised = False;
256 server_state.lsa_handle_open = False;
257 wb_lsa_close(&server_state.lsa_handle);
260 /* Close domain sam handles but don't free them as this
261 severely traumatises the getent state. The connections
262 will be reopened later. */
264 if (domain->sam_dom_handle_open) {
265 wb_samr_close(&domain->sam_dom_handle);
266 domain->sam_dom_handle_open = False;
269 if (domain->sam_handle_open) {
270 wb_samr_close(&domain->sam_handle);
271 domain->sam_handle_open = False;
274 /* Re-lookup domain info which includes domain controller name */
276 domain->got_domain_info = False;
279 /* Kill connections to all servers */
281 void winbindd_kill_all_connections(void)
283 struct winbindd_domain *domain;
285 /* Iterate over domain list */
287 domain = domain_list;
290 struct winbindd_domain *next;
292 /* Kill conections */
294 winbindd_kill_connections(domain);
296 /* Remove domain from list */
299 DLIST_REMOVE(domain_list, domain);
306 static BOOL get_any_dc_name(char *domain, fstring srv_name)
308 struct in_addr *ip_list, dc_ip;
309 extern pstring global_myname;
312 /* Lookup domain controller name */
314 if (!get_dc_list(False, domain, &ip_list, &count))
317 /* Firstly choose a PDC/BDC who has the same network address as any
318 of our interfaces. */
320 for (i = 0; i < count; i++) {
321 if(!is_local_net(ip_list[i]))
325 i = (sys_random() % count);
331 if (!lookup_pdc_name(global_myname, domain, &dc_ip, srv_name))
337 /* Attempt to connect to all domain controllers we know about */
339 void establish_connections(BOOL force_reestablish)
344 /* Check we haven't checked too recently */
347 if ((t - lastt < WINBINDD_ESTABLISH_LOOP) && !force_reestablish) {
352 DEBUG(3, ("establishing connections\n"));
355 /* Maybe the connection died - if so then close up and restart */
357 if (server_state.pwdb_initialised &&
358 server_state.lsa_handle_open &&
359 !rpc_hnd_ok(&server_state.lsa_handle)) {
360 winbindd_kill_connections(NULL);
363 if (!server_state.pwdb_initialised) {
365 /* Lookup domain controller name */
367 if (!get_any_dc_name(lp_workgroup(),
368 server_state.controller)) {
369 DEBUG(3, ("could not find any domain controllers "
370 "for domain %s\n", lp_workgroup()));
374 /* Initialise password database and sids */
376 /* server_state.pwdb_initialised = pwdb_initialise(False); */
377 server_state.pwdb_initialised = True;
379 if (!server_state.pwdb_initialised) {
380 DEBUG(3, ("could not initialise pwdb\n"));
385 /* Open lsa handle if it isn't already open */
387 if (!server_state.lsa_handle_open) {
389 server_state.lsa_handle_open =
390 wb_lsa_open_policy(server_state.controller,
391 False, SEC_RIGHTS_MAXIMUM_ALLOWED,
392 &server_state.lsa_handle);
394 if (!server_state.lsa_handle_open) {
395 DEBUG(0, ("error opening lsa handle on dc %s\n",
396 server_state.controller));
400 /* Now we can talk to the server we can get some info */
402 get_trusted_domains();
408 /* Connect to a domain controller using get_any_dc_name() to discover
409 the domain name and sid */
411 BOOL lookup_domain_sid(char *domain_name, struct winbindd_domain *domain)
417 char **domains = NULL;
418 DOM_SID *sids = NULL;
420 if (domain == NULL) {
424 DEBUG(1, ("looking up sid for domain %s\n", domain_name));
426 /* Get controller name for domain */
428 if (!get_any_dc_name(domain_name, domain->controller)) {
429 DEBUG(0, ("Could not resolve domain controller for domain %s\n",
434 /* Do a level 5 query info policy if we are looking up our own SID */
436 if (strequal(domain_name, lp_workgroup())) {
437 return wb_lsa_query_info_pol(&server_state.lsa_handle, 0x05,
438 level5_dom, &domain->sid);
441 /* Use lsaenumdomains to get sid for this domain */
443 res = wb_lsa_enum_trust_dom(&server_state.lsa_handle, &enum_ctx,
444 &num_doms, &domains, &sids);
446 /* Look for domain name */
448 if (res && domains && sids) {
452 for(i = 0; i < num_doms; i++) {
453 if (strequal(domain_name, domains[i])) {
454 sid_copy(&domain->sid, &sids[i]);
466 /* Lookup domain controller and sid for a domain */
468 BOOL get_domain_info(struct winbindd_domain *domain)
472 DEBUG(1, ("Getting domain info for domain %s\n", domain->name));
474 /* Lookup domain sid */
476 if (!lookup_domain_sid(domain->name, domain)) {
477 DEBUG(0, ("could not find sid for domain %s\n", domain->name));
479 /* Could be a DC failure - shut down connections to this domain */
481 winbindd_kill_connections(domain);
488 domain->got_domain_info = 1;
490 sid_to_string(sid_str, &domain->sid);
491 DEBUG(1, ("found sid %s for domain %s\n", sid_str, domain->name));
496 /* Lookup a sid in a domain from a name */
498 BOOL winbindd_lookup_sid_by_name(char *name, DOM_SID *sid,
499 enum SID_NAME_USE *type)
501 int num_sids = 0, num_names = 1;
502 DOM_SID *sids = NULL;
503 uint32 *types = NULL;
506 /* Don't bother with machine accounts */
508 if (name[strlen(name) - 1] == '$') {
514 res = wb_lsa_lookup_names(&server_state.lsa_handle, num_names,
515 (char **)&name, &sids, &types, &num_sids);
517 /* Return rid and type if lookup successful */
523 if ((sid != NULL) && (sids != NULL)) {
524 sid_copy(sid, &sids[0]);
527 /* Return name type */
529 if ((type != NULL) && (types != NULL)) {
537 /* Lookup a name in a domain from a sid */
539 BOOL winbindd_lookup_name_by_sid(DOM_SID *sid, fstring name,
540 enum SID_NAME_USE *type)
542 int num_sids = 1, num_names = 0;
543 uint32 *types = NULL;
549 res = wb_lsa_lookup_sids(&server_state.lsa_handle, num_sids, sid,
550 &names, &types, &num_names);
552 /* Return name and type if successful */
558 if ((names != NULL) && (name != NULL)) {
559 fstrcpy(name, names[0]);
562 /* Return name type */
564 if ((type != NULL) && (types != NULL)) {
572 /* Lookup user information from a rid */
574 BOOL winbindd_lookup_userinfo(struct winbindd_domain *domain,
575 uint32 user_rid, SAM_USERINFO_CTR **user_info)
577 return wb_get_samr_query_userinfo(&domain->sam_dom_handle, 0x15,
578 user_rid, user_info);
581 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
583 BOOL winbindd_lookup_usergroups(struct winbindd_domain *domain,
584 uint32 user_rid, uint32 *num_groups,
585 DOM_GID **user_groups)
590 if (!wb_samr_open_user(&domain->sam_dom_handle,
591 SEC_RIGHTS_MAXIMUM_ALLOWED,
592 user_rid, &user_pol)) {
596 if (!NT_STATUS_IS_OK(cli_samr_query_usergroups(domain->sam_dom_handle.cli,
597 domain->sam_dom_handle.mem_ctx,
598 &user_pol, num_groups, user_groups))) {
606 cli_samr_close(domain->sam_dom_handle.cli,
607 domain->sam_dom_handle.mem_ctx, &user_pol);
612 /* Lookup group membership given a rid */
614 BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain,
615 uint32 group_rid, uint32 *num_names,
616 uint32 **rid_mem, char ***names,
619 return wb_sam_query_groupmem(&domain->sam_dom_handle, group_rid,
620 num_names, rid_mem, names, name_types);
623 /* Globals for domain list stuff */
625 struct winbindd_domain *domain_list = NULL;
627 /* Given a domain name, return the struct winbindd domain info for it
628 if it is actually working. */
630 struct winbindd_domain *find_domain_from_name(char *domain_name)
632 struct winbindd_domain *tmp;
634 /* Search through list */
636 for (tmp = domain_list; tmp != NULL; tmp = tmp->next) {
637 if (strcmp(domain_name, tmp->name) == 0) {
639 if (!tmp->got_domain_info) {
640 get_domain_info(tmp);
643 return tmp->got_domain_info ? tmp : NULL;
652 /* Given a domain name, return the struct winbindd domain info for it */
654 struct winbindd_domain *find_domain_from_sid(DOM_SID *sid)
656 struct winbindd_domain *tmp;
658 /* Search through list */
659 for (tmp = domain_list; tmp != NULL; tmp = tmp->next) {
660 if (sid_equal(sid, &tmp->sid)) {
661 if (!tmp->got_domain_info) return NULL;
670 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
672 void free_getent_state(struct getent_state *state)
674 struct getent_state *temp;
676 /* Iterate over state list */
680 while(temp != NULL) {
681 struct getent_state *next;
683 /* Free sam entries then list entry */
685 SAFE_FREE(state->sam_entries);
686 DLIST_REMOVE(state, state);
694 /* Parse list of arguments to winbind uid or winbind gid parameters */
696 static BOOL parse_id_list(char *paramstr, BOOL is_user)
698 uid_t id_low, id_high = 0;
700 /* Give a nicer error message if no parameters specified */
702 if (strequal(paramstr, "")) {
703 DEBUG(0, ("winbind %s parameter missing\n", is_user ? "uid" : "gid"));
709 if (sscanf(paramstr, "%u-%u", &id_low, &id_high) != 2) {
710 DEBUG(0, ("winbind %s parameter invalid\n",
711 is_user ? "uid" : "gid"));
718 server_state.uid_low = id_low;
719 server_state.uid_high = id_high;
721 server_state.gid_low = id_low;
722 server_state.gid_high = id_high;
728 /* Initialise trusted domain info */
730 BOOL winbindd_param_init(void)
732 /* Parse winbind uid and winbind_gid parameters */
734 if (!(parse_id_list(lp_winbind_uid(), True) &&
735 parse_id_list(lp_winbind_gid(), False))) {
739 /* Check for reversed uid and gid ranges */
741 if (server_state.uid_low > server_state.uid_high) {
742 DEBUG(0, ("uid range invalid\n"));
746 if (server_state.gid_low > server_state.gid_high) {
747 DEBUG(0, ("gid range invalid\n"));
754 /* find the sequence number for a domain */
756 uint32 domain_sequence_number(char *domain_name)
758 struct winbindd_domain *domain;
761 domain = find_domain_from_name(domain_name);
762 if (!domain) return DOM_SEQUENCE_NONE;
764 if (!wb_samr_query_dom_info(&domain->sam_dom_handle, 2, &ctr)) {
766 /* If this fails, something bad has gone wrong */
768 winbindd_kill_connections(domain);
770 DEBUG(2,("domain sequence query failed\n"));
771 return DOM_SEQUENCE_NONE;
774 DEBUG(4,("got domain sequence number for %s of %u\n",
775 domain_name, (unsigned)ctr.info.inf2.seq_num));
777 return ctr.info.inf2.seq_num;
780 /* Query display info for a domain. This returns enough information plus a
781 bit extra to give an overview of domain users for the User Manager
784 NTSTATUS winbindd_query_dispinfo(struct winbindd_domain *domain,
785 uint32 *start_ndx, uint16 info_level,
786 uint32 *num_entries, SAM_DISPINFO_CTR *ctr)
788 return wb_samr_query_dispinfo(&domain->sam_dom_handle, start_ndx,
789 info_level, num_entries, ctr);
792 /* Check if a domain is present in a comma-separated list of domains */
794 BOOL check_domain_env(char *domain_env, char *domain)
797 char *tmp = domain_env;
799 while(next_token(&tmp, name, ",", sizeof(fstring))) {
800 if (strequal(name, domain)) {
809 /* Parse a string of the form DOMAIN/user into a domain and a user */
811 void parse_domain_user(char *domuser, fstring domain, fstring user)
814 char *sep = lp_winbind_separator();
815 if (!sep) sep = "\\";
816 p = strchr(domuser,*sep);
817 if (!p) p = strchr(domuser,'\\');
820 fstrcpy(user, domuser);
825 fstrcpy(domain, domuser);
826 domain[PTR_DIFF(p, domuser)] = 0;