2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #define DBGC_CLASS DBGC_WINBIND
31 * @file winbindd_util.c
33 * Winbind daemon for NT domain authentication nss module.
38 * Used to clobber name fields that have an undefined value.
40 * Correct code should never look at a field that has this value.
43 static const fstring name_deadbeef
= "<deadbeef>";
45 /* The list of trusted domains. Note that the list can be deleted and
46 recreated using the init_domain_list() function so pointers to
47 individual winbindd_domain structures cannot be made. Keep a copy of
48 the domain name instead. */
50 static struct winbindd_domain
*_domain_list
;
53 When was the last scan of trusted domains done?
58 static time_t last_trustdom_scan
;
60 struct winbindd_domain
*domain_list(void)
65 if (!init_domain_list())
71 /* Free all entries in the trusted domain list */
73 void free_domain_list(void)
75 struct winbindd_domain
*domain
= _domain_list
;
78 struct winbindd_domain
*next
= domain
->next
;
80 DLIST_REMOVE(_domain_list
, domain
);
86 static BOOL
is_internal_domain(const DOM_SID
*sid
)
88 extern DOM_SID global_sid_Builtin
;
93 if (sid_compare_domain(sid
, get_global_sam_sid()) == 0)
96 if (sid_compare_domain(sid
, &global_sid_Builtin
) == 0)
103 /* Add a trusted domain to our list of domains */
104 static struct winbindd_domain
*add_trusted_domain(const char *domain_name
, const char *alt_name
,
105 struct winbindd_methods
*methods
,
108 struct winbindd_domain
*domain
;
109 const char *alternative_name
= NULL
;
110 static const DOM_SID null_sid
;
112 /* ignore alt_name if we are not in an AD domain */
114 if ( (lp_security() == SEC_ADS
) && alt_name
&& *alt_name
) {
115 alternative_name
= alt_name
;
118 /* We can't call domain_list() as this function is called from
119 init_domain_list() and we'll get stuck in a loop. */
120 for (domain
= _domain_list
; domain
; domain
= domain
->next
) {
121 if (strequal(domain_name
, domain
->name
) ||
122 strequal(domain_name
, domain
->alt_name
)) {
125 if (alternative_name
&& *alternative_name
) {
126 if (strequal(alternative_name
, domain
->name
) ||
127 strequal(alternative_name
, domain
->alt_name
)) {
132 if (sid_equal(sid
, &null_sid
) ) {
134 } else if (sid_equal(sid
, &domain
->sid
)) {
140 /* Create new domain entry */
142 if ((domain
= SMB_MALLOC_P(struct winbindd_domain
)) == NULL
)
147 ZERO_STRUCTP(domain
);
149 /* prioritise the short name */
150 if (strchr_m(domain_name
, '.') && alternative_name
&& *alternative_name
) {
151 fstrcpy(domain
->name
, alternative_name
);
152 fstrcpy(domain
->alt_name
, domain_name
);
154 fstrcpy(domain
->name
, domain_name
);
155 if (alternative_name
) {
156 fstrcpy(domain
->alt_name
, alternative_name
);
160 domain
->methods
= methods
;
161 domain
->backend
= NULL
;
162 domain
->internal
= is_internal_domain(sid
);
163 domain
->sequence_number
= DOM_SEQUENCE_NONE
;
164 domain
->last_seq_check
= 0;
165 domain
->initialized
= False
;
167 sid_copy(&domain
->sid
, sid
);
170 /* Link to domain list */
171 DLIST_ADD(_domain_list
, domain
);
173 DEBUG(2,("Added domain %s %s %s\n",
174 domain
->name
, domain
->alt_name
,
175 &domain
->sid
?sid_string_static(&domain
->sid
):""));
180 /********************************************************************
181 rescan our domains looking for new trusted domains
182 ********************************************************************/
184 static void add_trusted_domains( struct winbindd_domain
*domain
)
186 extern struct winbindd_methods cache_methods
;
193 DOM_SID
*dom_sids
, null_sid
;
195 struct winbindd_domain
*new_domain
;
197 /* trusted domains might be disabled */
198 if (!lp_allow_trusted_domains()) {
202 DEBUG(5, ("scanning trusted domain list\n"));
204 if (!(mem_ctx
= talloc_init("init_domain_list")))
207 ZERO_STRUCTP(&null_sid
);
211 /* ask the DC what domains it trusts */
213 result
= domain
->methods
->trusted_domains(domain
, mem_ctx
, (unsigned int *)&num_domains
,
214 &names
, &alt_names
, &dom_sids
);
216 if ( NT_STATUS_IS_OK(result
) ) {
218 /* Add each domain to the trusted domain list */
220 for(i
= 0; i
< num_domains
; i
++) {
221 DEBUG(10,("Found domain %s\n", names
[i
]));
222 add_trusted_domain(names
[i
], alt_names
?alt_names
[i
]:NULL
,
223 &cache_methods
, &dom_sids
[i
]);
225 /* if the SID was empty, we better set it now */
227 if ( sid_equal(&dom_sids
[i
], &null_sid
) ) {
229 new_domain
= find_domain_from_name(names
[i
]);
231 /* this should never happen */
233 DEBUG(0,("rescan_trust_domains: can't find the domain I just added! [%s]\n",
238 /* call the cache method; which will operate on the winbindd_domain \
239 passed in and choose either rpc or ads as appropriate */
241 result
= domain
->methods
->domain_sid( new_domain
, &new_domain
->sid
);
243 if ( NT_STATUS_IS_OK(result
) )
244 sid_copy( &dom_sids
[i
], &new_domain
->sid
);
247 /* store trusted domain in the cache */
248 trustdom_cache_store(names
[i
], alt_names
? alt_names
[i
] : NULL
,
249 &dom_sids
[i
], t
+ WINBINDD_RESCAN_FREQ
);
253 talloc_destroy(mem_ctx
);
256 /********************************************************************
257 Periodically we need to refresh the trusted domain cache for smbd
258 ********************************************************************/
260 void rescan_trusted_domains( void )
262 time_t now
= time(NULL
);
263 struct winbindd_domain
*mydomain
= NULL
;
265 /* see if the time has come... */
267 if ( (now
> last_trustdom_scan
) && ((now
-last_trustdom_scan
) < WINBINDD_RESCAN_FREQ
) )
270 if ( (mydomain
= find_our_domain()) == NULL
) {
271 DEBUG(0,("rescan_trusted_domains: Can't find my own domain!\n"));
275 /* this will only add new domains we didn't already know about */
277 add_trusted_domains( mydomain
);
279 last_trustdom_scan
= now
;
284 /* Look up global info for the winbind daemon */
285 BOOL
init_domain_list(void)
287 extern DOM_SID global_sid_Builtin
;
288 extern struct winbindd_methods cache_methods
;
289 extern struct winbindd_methods passdb_methods
;
290 struct winbindd_domain
*domain
;
292 /* Free existing list */
295 /* Add ourselves as the first entry. */
298 domain
= add_trusted_domain(get_global_sam_name(), NULL
,
299 &passdb_methods
, get_global_sam_sid());
302 domain
= add_trusted_domain( lp_workgroup(), lp_realm(),
303 &cache_methods
, NULL
);
305 /* set flags about native_mode, active_directory */
306 set_dc_type_and_flags(domain
);
309 domain
->primary
= True
;
311 /* get any alternate name for the primary domain */
313 cache_methods
.alternate_name(domain
);
315 /* now we have the correct netbios (short) domain name */
318 set_global_myworkgroup( domain
->name
);
320 if (!secrets_fetch_domain_sid(domain
->name
, &domain
->sid
)) {
321 DEBUG(1, ("Could not fetch sid for our domain %s\n",
326 /* do an initial scan for trusted domains */
327 add_trusted_domains(domain
);
330 /* Add our local SAM domains */
332 add_trusted_domain("BUILTIN", NULL
, &passdb_methods
,
333 &global_sid_Builtin
);
336 add_trusted_domain(get_global_sam_name(), NULL
,
337 &passdb_methods
, get_global_sam_sid());
340 /* avoid rescanning this right away */
341 last_trustdom_scan
= time(NULL
);
346 * Given a domain name, return the struct winbindd domain info for it
348 * @note Do *not* pass lp_workgroup() to this function. domain_list
349 * may modify it's value, and free that pointer. Instead, our local
350 * domain may be found by calling find_our_domain().
354 * @return The domain structure for the named domain, if it is working.
357 struct winbindd_domain
*find_domain_from_name(const char *domain_name
)
359 struct winbindd_domain
*domain
;
361 /* Search through list */
363 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
364 if (strequal(domain_name
, domain
->name
) ||
365 (domain
->alt_name
[0] && strequal(domain_name
, domain
->alt_name
))) {
366 if (!domain
->initialized
)
367 set_dc_type_and_flags(domain
);
378 /* Given a domain sid, return the struct winbindd domain info for it */
380 struct winbindd_domain
*find_domain_from_sid(const DOM_SID
*sid
)
382 struct winbindd_domain
*domain
;
384 /* Search through list */
386 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
387 if (sid_compare_domain(sid
, &domain
->sid
) == 0) {
388 if (!domain
->initialized
)
389 set_dc_type_and_flags(domain
);
399 /* Given a domain sid, return the struct winbindd domain info for it */
401 struct winbindd_domain
*find_our_domain(void)
403 struct winbindd_domain
*domain
;
405 /* Search through list */
407 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
417 /* Find the appropriate domain to lookup a name or SID */
419 struct winbindd_domain
*find_lookup_domain_from_sid(const DOM_SID
*sid
)
421 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
422 * one to contact the external DC's. On member servers the internal
423 * domains are different: These are part of the local SAM. */
425 if (IS_DC
|| is_internal_domain(sid
))
426 return find_domain_from_sid(sid
);
428 /* On a member server a query for SID or name can always go to our
431 return find_our_domain();
434 struct winbindd_domain
*find_lookup_domain_from_name(const char *domain_name
)
436 if (IS_DC
|| strequal(domain_name
, "BUILTIN") ||
437 strequal(domain_name
, get_global_sam_name()))
438 return find_domain_from_name(domain_name
);
440 return find_our_domain();
443 /* Lookup a sid in a domain from a name */
445 BOOL
winbindd_lookup_sid_by_name(struct winbindd_domain
*domain
,
446 const char *domain_name
,
447 const char *name
, DOM_SID
*sid
,
448 enum SID_NAME_USE
*type
)
453 mem_ctx
= talloc_init("lookup_sid_by_name for %s\\%s\n",
459 result
= domain
->methods
->name_to_sid(domain
, mem_ctx
, domain_name
, name
, sid
, type
);
461 talloc_destroy(mem_ctx
);
463 /* Return rid and type if lookup successful */
464 if (!NT_STATUS_IS_OK(result
)) {
465 *type
= SID_NAME_UNKNOWN
;
468 return NT_STATUS_IS_OK(result
);
472 * @brief Lookup a name in a domain from a sid.
474 * @param sid Security ID you want to look up.
475 * @param name On success, set to the name corresponding to @p sid.
476 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
477 * @param type On success, contains the type of name: alias, group or
479 * @retval True if the name exists, in which case @p name and @p type
480 * are set, otherwise False.
482 BOOL
winbindd_lookup_name_by_sid(DOM_SID
*sid
,
485 enum SID_NAME_USE
*type
)
492 struct winbindd_domain
*domain
;
494 domain
= find_lookup_domain_from_sid(sid
);
497 DEBUG(1,("Can't find domain from sid\n"));
503 if (!(mem_ctx
= talloc_init("winbindd_lookup_name_by_sid")))
506 result
= domain
->methods
->sid_to_name(domain
, mem_ctx
, sid
, &dom_names
, &names
, type
);
508 /* Return name and type if successful */
510 if ((rv
= NT_STATUS_IS_OK(result
))) {
511 fstrcpy(dom_name
, dom_names
);
512 fstrcpy(name
, names
);
514 *type
= SID_NAME_UNKNOWN
;
515 fstrcpy(name
, name_deadbeef
);
518 talloc_destroy(mem_ctx
);
524 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
526 void free_getent_state(struct getent_state
*state
)
528 struct getent_state
*temp
;
530 /* Iterate over state list */
534 while(temp
!= NULL
) {
535 struct getent_state
*next
;
537 /* Free sam entries then list entry */
539 SAFE_FREE(state
->sam_entries
);
540 DLIST_REMOVE(state
, state
);
548 /* Parse winbindd related parameters */
550 BOOL
winbindd_param_init(void)
552 /* Parse winbind uid and winbind_gid parameters */
554 if (!lp_idmap_uid(&server_state
.uid_low
, &server_state
.uid_high
)) {
555 DEBUG(0, ("winbindd: idmap uid range missing or invalid\n"));
556 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
560 if (!lp_idmap_gid(&server_state
.gid_low
, &server_state
.gid_high
)) {
561 DEBUG(0, ("winbindd: idmap gid range missing or invalid\n"));
562 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
569 /* Check if a domain is present in a comma-separated list of domains */
571 BOOL
check_domain_env(char *domain_env
, char *domain
)
574 const char *tmp
= domain_env
;
576 while(next_token(&tmp
, name
, ",", sizeof(fstring
))) {
577 if (strequal(name
, domain
))
584 /* Is this a domain which we may assume no DOMAIN\ prefix? */
586 static BOOL
assume_domain(const char *domain
) {
587 if ((lp_winbind_use_default_domain()
588 || lp_winbind_trusted_domains_only()) &&
589 strequal(lp_workgroup(), domain
))
592 if (strequal(get_global_sam_name(), domain
))
598 /* Parse a string of the form DOMAIN/user into a domain and a user */
600 BOOL
parse_domain_user(const char *domuser
, fstring domain
, fstring user
)
602 char *p
= strchr(domuser
,*lp_winbind_separator());
605 fstrcpy(user
, domuser
);
607 if ( assume_domain(lp_workgroup())) {
608 fstrcpy(domain
, lp_workgroup());
610 fstrcpy( domain
, get_global_sam_name() );
615 fstrcpy(domain
, domuser
);
616 domain
[PTR_DIFF(p
, domuser
)] = 0;
625 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
626 'winbind separator' options.
628 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
631 If we are a PDC or BDC, and this is for our domain, do likewise.
633 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
634 username is then unqualified in unix
637 void fill_domain_username(fstring name
, const char *domain
, const char *user
)
641 if (assume_domain(domain
)) {
642 strlcpy(name
, user
, sizeof(fstring
));
644 slprintf(name
, sizeof(fstring
) - 1, "%s%c%s",
645 domain
, *lp_winbind_separator(),
651 * Winbindd socket accessor functions
654 char *get_winbind_priv_pipe_dir(void)
656 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR
);
659 /* Open the winbindd socket */
661 static int _winbindd_socket
= -1;
662 static int _winbindd_priv_socket
= -1;
664 int open_winbindd_socket(void)
666 if (_winbindd_socket
== -1) {
667 _winbindd_socket
= create_pipe_sock(
668 WINBINDD_SOCKET_DIR
, WINBINDD_SOCKET_NAME
, 0755);
669 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
673 return _winbindd_socket
;
676 int open_winbindd_priv_socket(void)
678 if (_winbindd_priv_socket
== -1) {
679 _winbindd_priv_socket
= create_pipe_sock(
680 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME
, 0750);
681 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
682 _winbindd_priv_socket
));
685 return _winbindd_priv_socket
;
688 /* Close the winbindd socket */
690 void close_winbindd_socket(void)
692 if (_winbindd_socket
!= -1) {
693 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
695 close(_winbindd_socket
);
696 _winbindd_socket
= -1;
698 if (_winbindd_priv_socket
!= -1) {
699 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
700 _winbindd_priv_socket
));
701 close(_winbindd_priv_socket
);
702 _winbindd_priv_socket
= -1;
707 * Client list accessor functions
710 static struct winbindd_cli_state
*_client_list
;
711 static int _num_clients
;
713 /* Return list of all connected clients */
715 struct winbindd_cli_state
*winbindd_client_list(void)
720 /* Add a connection to the list */
722 void winbindd_add_client(struct winbindd_cli_state
*cli
)
724 DLIST_ADD(_client_list
, cli
);
728 /* Remove a client from the list */
730 void winbindd_remove_client(struct winbindd_cli_state
*cli
)
732 DLIST_REMOVE(_client_list
, cli
);
736 /* Demote a client to be the last in the list */
738 void winbindd_demote_client(struct winbindd_cli_state
*cli
)
740 struct winbindd_cli_state
*tmp
;
741 DLIST_DEMOTE(_client_list
, cli
, tmp
);
744 /* Close all open clients */
746 void winbindd_kill_all_clients(void)
748 struct winbindd_cli_state
*cl
= winbindd_client_list();
750 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
753 struct winbindd_cli_state
*next
;
756 winbindd_remove_client(cl
);
761 /* Return number of open clients */
763 int winbindd_num_clients(void)
768 /* Help with RID -> SID conversion */
770 DOM_SID
*rid_to_talloced_sid(struct winbindd_domain
*domain
,
775 sid
= TALLOC_P(mem_ctx
, DOM_SID
);
777 smb_panic("rid_to_to_talloced_sid: talloc for DOM_SID failed!\n");
779 sid_copy(sid
, &domain
->sid
);
780 sid_append_rid(sid
, rid
);
784 /*****************************************************************************
785 For idmap conversion: convert one record to new format
786 Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
788 *****************************************************************************/
789 static int convert_fn(TDB_CONTEXT
*tdb
, TDB_DATA key
, TDB_DATA data
, void *state
)
791 struct winbindd_domain
*domain
;
798 BOOL
*failed
= (BOOL
*)state
;
800 DEBUG(10,("Converting %s\n", key
.dptr
));
802 p
= strchr(key
.dptr
, '/');
807 fstrcpy(dom_name
, key
.dptr
);
810 domain
= find_domain_from_name(dom_name
);
811 if (domain
== NULL
) {
812 /* We must delete the old record. */
813 DEBUG(0,("Unable to find domain %s\n", dom_name
));
814 DEBUG(0,("deleting record %s\n", key
.dptr
));
816 if (tdb_delete(tdb
, key
) != 0) {
817 DEBUG(0, ("Unable to delete record %s\n", key
.dptr
));
827 sid_copy(&sid
, &domain
->sid
);
828 sid_append_rid(&sid
, rid
);
830 sid_to_string(keystr
, &sid
);
832 key2
.dsize
= strlen(keystr
) + 1;
834 if (tdb_store(tdb
, key2
, data
, TDB_INSERT
) != 0) {
835 DEBUG(0,("Unable to add record %s\n", key2
.dptr
));
840 if (tdb_store(tdb
, data
, key2
, TDB_REPLACE
) != 0) {
841 DEBUG(0,("Unable to update record %s\n", data
.dptr
));
846 if (tdb_delete(tdb
, key
) != 0) {
847 DEBUG(0,("Unable to delete record %s\n", key
.dptr
));
855 /* These definitions are from sam/idmap_tdb.c. Replicated here just
856 out of laziness.... :-( */
858 /* High water mark keys */
859 #define HWM_GROUP "GROUP HWM"
860 #define HWM_USER "USER HWM"
862 /* idmap version determines auto-conversion */
863 #define IDMAP_VERSION 2
866 /*****************************************************************************
867 Convert the idmap database from an older version.
868 *****************************************************************************/
870 static BOOL
idmap_convert(const char *idmap_name
)
873 BOOL bigendianheader
;
875 TDB_CONTEXT
*idmap_tdb
;
877 if (!(idmap_tdb
= tdb_open_log(idmap_name
, 0,
880 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
884 bigendianheader
= (idmap_tdb
->flags
& TDB_BIGENDIAN
) ? True
: False
;
886 vers
= tdb_fetch_int32(idmap_tdb
, "IDMAP_VERSION");
888 if (((vers
== -1) && bigendianheader
) || (IREV(vers
) == IDMAP_VERSION
)) {
889 /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */
891 * high and low records were created on a
892 * big endian machine and will need byte-reversing.
897 wm
= tdb_fetch_int32(idmap_tdb
, HWM_USER
);
902 wm
= server_state
.uid_low
;
905 if (tdb_store_int32(idmap_tdb
, HWM_USER
, wm
) == -1) {
906 DEBUG(0, ("idmap_convert: Unable to byteswap user hwm in idmap database\n"));
907 tdb_close(idmap_tdb
);
911 wm
= tdb_fetch_int32(idmap_tdb
, HWM_GROUP
);
915 wm
= server_state
.gid_low
;
918 if (tdb_store_int32(idmap_tdb
, HWM_GROUP
, wm
) == -1) {
919 DEBUG(0, ("idmap_convert: Unable to byteswap group hwm in idmap database\n"));
920 tdb_close(idmap_tdb
);
925 /* the old format stored as DOMAIN/rid - now we store the SID direct */
926 tdb_traverse(idmap_tdb
, convert_fn
, &failed
);
929 DEBUG(0, ("Problem during conversion\n"));
930 tdb_close(idmap_tdb
);
934 if (tdb_store_int32(idmap_tdb
, "IDMAP_VERSION", IDMAP_VERSION
) == -1) {
935 DEBUG(0, ("idmap_convert: Unable to dtore idmap version in databse\n"));
936 tdb_close(idmap_tdb
);
940 tdb_close(idmap_tdb
);
944 /*****************************************************************************
945 Convert the idmap database from an older version if necessary
946 *****************************************************************************/
948 BOOL
winbindd_upgrade_idmap(void)
952 SMB_STRUCT_STAT stbuf
;
953 TDB_CONTEXT
*idmap_tdb
;
955 pstrcpy(idmap_name
, lock_path("winbindd_idmap.tdb"));
957 if (!file_exist(idmap_name
, &stbuf
)) {
958 /* nothing to convert return */
962 if (!(idmap_tdb
= tdb_open_log(idmap_name
, 0,
965 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
969 if (tdb_fetch_int32(idmap_tdb
, "IDMAP_VERSION") == IDMAP_VERSION
) {
970 /* nothing to convert return */
971 tdb_close(idmap_tdb
);
975 /* backup_tdb expects the tdb not to be open */
976 tdb_close(idmap_tdb
);
978 DEBUG(0, ("Upgrading winbindd_idmap.tdb from an old version\n"));
980 pstrcpy(backup_name
, idmap_name
);
981 pstrcat(backup_name
, ".bak");
983 if (backup_tdb(idmap_name
, backup_name
) != 0) {
984 DEBUG(0, ("Could not backup idmap database\n"));
988 return idmap_convert(idmap_name
);
991 /*******************************************************************
992 wrapper around retrieving the trust account password
993 *******************************************************************/
995 BOOL
get_trust_pw(const char *domain
, uint8 ret_pwd
[16],
996 time_t *pass_last_set_time
, uint32
*channel
)
1001 /* if we are a DC and this is not our domain, then lookup an account
1002 for the domain trust */
1004 if ( IS_DC
&& !strequal(domain
, lp_workgroup()) && lp_allow_trusted_domains() )
1006 if ( !secrets_fetch_trusted_domain_password(domain
, &pwd
, &sid
,
1007 pass_last_set_time
) )
1009 DEBUG(0, ("get_trust_pw: could not fetch trust account "
1010 "password for trusted domain %s\n", domain
));
1014 *channel
= SEC_CHAN_DOMAIN
;
1015 E_md4hash(pwd
, ret_pwd
);
1020 else /* just get the account for our domain (covers
1021 ROLE_DOMAIN_MEMBER as well */
1023 /* get the machine trust account for our domain */
1025 if ( !secrets_fetch_trust_account_password (lp_workgroup(), ret_pwd
,
1026 pass_last_set_time
, channel
) )
1028 DEBUG(0, ("get_trust_pw: could not fetch trust account "
1029 "password for my domain %s\n", domain
));