search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
VERSION: Raise version number up to 3.0.36.
[Samba.git] / source / nsswitch / winbindd_util.c
blobe72cd7cadb62e071da80c77ccd1e4277668d3b05
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_WINBIND
29
30 extern struct winbindd_methods cache_methods;
31 extern struct winbindd_methods builtin_passdb_methods;
32 extern struct winbindd_methods sam_passdb_methods;
33
34 /**
35 * @file winbindd_util.c
36 *
37 * Winbind daemon for NT domain authentication nss module.
38 **/
39
40
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
45
46 static struct winbindd_domain *_domain_list;
47
48 /**
49 When was the last scan of trusted domains done?
50
51 0 == not ever
52 */
53
54 static time_t last_trustdom_scan;
55
56 struct winbindd_domain *domain_list(void)
57 {
58 /* Initialise list */
59
60 if ((!_domain_list) && (!init_domain_list())) {
61 smb_panic("Init_domain_list failed\n");
62 }
63
64 return _domain_list;
65 }
66
67 /* Free all entries in the trusted domain list */
68
69 void free_domain_list(void)
70 {
71 struct winbindd_domain *domain = _domain_list;
72
73 while(domain) {
74 struct winbindd_domain *next = domain->next;
75
76 DLIST_REMOVE(_domain_list, domain);
77 SAFE_FREE(domain);
78 domain = next;
79 }
80 }
81
82 static BOOL is_internal_domain(const DOM_SID *sid)
83 {
84 if (sid == NULL)
85 return False;
86
87 if ( IS_DC )
88 return sid_check_is_builtin(sid);
89
90 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
91 }
92
93 static BOOL is_in_internal_domain(const DOM_SID *sid)
94 {
95 if (sid == NULL)
96 return False;
97
98 if ( IS_DC )
99 return sid_check_is_in_builtin(sid);
100
101 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
102 }
103
104
105 /* Add a trusted domain to our list of domains */
106 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
107 struct winbindd_methods *methods,
108 const DOM_SID *sid)
109 {
110 struct winbindd_domain *domain;
111 const char *alternative_name = NULL;
112
113 /* ignore alt_name if we are not in an AD domain */
114
115 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
116 alternative_name = alt_name;
117 }
118
119 /* We can't call domain_list() as this function is called from
120 init_domain_list() and we'll get stuck in a loop. */
121 for (domain = _domain_list; domain; domain = domain->next) {
122 if (strequal(domain_name, domain->name) ||
123 strequal(domain_name, domain->alt_name)) {
124 return domain;
125 }
126 if (alternative_name && *alternative_name) {
127 if (strequal(alternative_name, domain->name) ||
128 strequal(alternative_name, domain->alt_name)) {
129 return domain;
130 }
131 }
132 if (sid) {
133 if (is_null_sid(sid)) {
134
135 } else if (sid_equal(sid, &domain->sid)) {
136 return domain;
137 }
138 }
139 }
140
141 /* Create new domain entry */
142
143 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
144 return NULL;
145
146 /* Fill in fields */
147
148 ZERO_STRUCTP(domain);
149
150 fstrcpy(domain->name, domain_name);
151 if (alternative_name) {
152 fstrcpy(domain->alt_name, alternative_name);
153 }
154
155 domain->methods = methods;
156 domain->backend = NULL;
157 domain->internal = is_internal_domain(sid);
158 domain->sequence_number = DOM_SEQUENCE_NONE;
159 domain->last_seq_check = 0;
160 domain->initialized = False;
161 domain->online = is_internal_domain(sid);
162 domain->check_online_timeout = 0;
163 if (sid) {
164 sid_copy(&domain->sid, sid);
165 }
166
167 /* Link to domain list */
168 DLIST_ADD(_domain_list, domain);
169
170 DEBUG(2,("Added domain %s %s %s\n",
171 domain->name, domain->alt_name,
172 &domain->sid?sid_string_static(&domain->sid):""));
173
174 return domain;
175 }
176
177 /********************************************************************
178 rescan our domains looking for new trusted domains
179 ********************************************************************/
180
181 struct trustdom_state {
182 TALLOC_CTX *mem_ctx;
183 struct winbindd_response *response;
184 };
185
186 static void trustdom_recv(void *private_data, BOOL success);
187
188 static void add_trusted_domains( struct winbindd_domain *domain )
189 {
190 TALLOC_CTX *mem_ctx;
191 struct winbindd_request *request;
192 struct winbindd_response *response;
193
194 struct trustdom_state *state;
195
196 mem_ctx = talloc_init("add_trusted_domains");
197 if (mem_ctx == NULL) {
198 DEBUG(0, ("talloc_init failed\n"));
199 return;
200 }
201
202 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
203 response = TALLOC_P(mem_ctx, struct winbindd_response);
204 state = TALLOC_P(mem_ctx, struct trustdom_state);
205
206 if ((request == NULL) || (response == NULL) || (state == NULL)) {
207 DEBUG(0, ("talloc failed\n"));
208 talloc_destroy(mem_ctx);
209 return;
210 }
211
212 state->mem_ctx = mem_ctx;
213 state->response = response;
214
215 request->length = sizeof(*request);
216 request->cmd = WINBINDD_LIST_TRUSTDOM;
217
218 async_domain_request(mem_ctx, domain, request, response,
219 trustdom_recv, state);
220 }
221
222 static void trustdom_recv(void *private_data, BOOL success)
223 {
224 struct trustdom_state *state =
225 talloc_get_type_abort(private_data, struct trustdom_state);
226 struct winbindd_response *response = state->response;
227 char *p;
228
229 if ((!success) || (response->result != WINBINDD_OK)) {
230 DEBUG(1, ("Could not receive trustdoms\n"));
231 talloc_destroy(state->mem_ctx);
232 return;
233 }
234
235 p = (char *)response->extra_data.data;
236
237 while ((p != NULL) && (*p != '\0')) {
238 char *q, *sidstr, *alt_name;
239 DOM_SID sid;
240
241 alt_name = strchr(p, '\\');
242 if (alt_name == NULL) {
243 DEBUG(0, ("Got invalid trustdom response\n"));
244 break;
245 }
246
247 *alt_name = '\0';
248 alt_name += 1;
249
250 sidstr = strchr(alt_name, '\\');
251 if (sidstr == NULL) {
252 DEBUG(0, ("Got invalid trustdom response\n"));
253 break;
254 }
255
256 *sidstr = '\0';
257 sidstr += 1;
258
259 q = strchr(sidstr, '\n');
260 if (q != NULL)
261 *q = '\0';
262
263 if (!string_to_sid(&sid, sidstr)) {
264 /* Allow NULL sid for sibling domains */
265 if ( strcmp(sidstr,"S-0-0") == 0) {
266 sid_copy( &sid, &global_sid_NULL);
267 } else {
268 DEBUG(0, ("Got invalid trustdom response\n"));
269 break;
270 }
271 }
272
273 if (find_domain_from_name_noinit(p) == NULL) {
274 struct winbindd_domain *domain;
275 char *alternate_name = NULL;
276
277 /* use the real alt_name if we have one, else pass in NULL */
278
279 if ( !strequal( alt_name, "(null)" ) )
280 alternate_name = alt_name;
281
282 domain = add_trusted_domain(p, alternate_name,
283 &cache_methods,
284 &sid);
285 setup_domain_child(domain, &domain->child, NULL);
286 }
287 p=q;
288 if (p != NULL)
289 p += 1;
290 }
291
292 SAFE_FREE(response->extra_data.data);
293 talloc_destroy(state->mem_ctx);
294 }
295
296 /********************************************************************
297 Periodically we need to refresh the trusted domain cache for smbd
298 ********************************************************************/
299
300 void rescan_trusted_domains( void )
301 {
302 time_t now = time(NULL);
303
304 /* see if the time has come... */
305
306 if ((now >= last_trustdom_scan) &&
307 ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
308 return;
309
310 /* this will only add new domains we didn't already know about */
311
312 add_trusted_domains( find_our_domain() );
313
314 last_trustdom_scan = now;
315
316 return;
317 }
318
319 struct init_child_state {
320 TALLOC_CTX *mem_ctx;
321 struct winbindd_domain *domain;
322 struct winbindd_request *request;
323 struct winbindd_response *response;
324 void (*continuation)(void *private_data, BOOL success);
325 void *private_data;
326 };
327
328 static void init_child_recv(void *private_data, BOOL success);
329 static void init_child_getdc_recv(void *private_data, BOOL success);
330
331 enum winbindd_result init_child_connection(struct winbindd_domain *domain,
332 void (*continuation)(void *private_data,
333 BOOL success),
334 void *private_data)
335 {
336 TALLOC_CTX *mem_ctx;
337 struct winbindd_request *request;
338 struct winbindd_response *response;
339 struct init_child_state *state;
340 struct winbindd_domain *request_domain;
341
342 mem_ctx = talloc_init("init_child_connection");
343 if (mem_ctx == NULL) {
344 DEBUG(0, ("talloc_init failed\n"));
345 return WINBINDD_ERROR;
346 }
347
348 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
349 response = TALLOC_P(mem_ctx, struct winbindd_response);
350 state = TALLOC_P(mem_ctx, struct init_child_state);
351
352 if ((request == NULL) || (response == NULL) || (state == NULL)) {
353 DEBUG(0, ("talloc failed\n"));
354 TALLOC_FREE(mem_ctx);
355 continuation(private_data, False);
356 return WINBINDD_ERROR;
357 }
358
359 request->length = sizeof(*request);
360
361 state->mem_ctx = mem_ctx;
362 state->domain = domain;
363 state->request = request;
364 state->response = response;
365 state->continuation = continuation;
366 state->private_data = private_data;
367
368 if (IS_DC || domain->primary) {
369 /* The primary domain has to find the DC name itself */
370 request->cmd = WINBINDD_INIT_CONNECTION;
371 fstrcpy(request->domain_name, domain->name);
372 request->data.init_conn.is_primary = True;
373 fstrcpy(request->data.init_conn.dcname, "");
374 async_request(mem_ctx, &domain->child, request, response,
375 init_child_recv, state);
376 return WINBINDD_PENDING;
377 }
378
379 /* This is *not* the primary domain, let's ask our DC about a DC
380 * name */
381
382 request->cmd = WINBINDD_GETDCNAME;
383 fstrcpy(request->domain_name, domain->name);
384
385 request_domain = find_our_domain();
386
387 async_domain_request(mem_ctx, request_domain, request, response,
388 init_child_getdc_recv, state);
389 return WINBINDD_PENDING;
390 }
391
392 static void init_child_getdc_recv(void *private_data, BOOL success)
393 {
394 struct init_child_state *state =
395 talloc_get_type_abort(private_data, struct init_child_state);
396 const char *dcname = "";
397
398 DEBUG(10, ("Received getdcname response\n"));
399
400 if (success && (state->response->result == WINBINDD_OK)) {
401 dcname = state->response->data.dc_name;
402 }
403
404 state->request->cmd = WINBINDD_INIT_CONNECTION;
405 fstrcpy(state->request->domain_name, state->domain->name);
406 state->request->data.init_conn.is_primary = False;
407 fstrcpy(state->request->data.init_conn.dcname, dcname);
408
409 async_request(state->mem_ctx, &state->domain->child,
410 state->request, state->response,
411 init_child_recv, state);
412 }
413
414 static void init_child_recv(void *private_data, BOOL success)
415 {
416 struct init_child_state *state =
417 talloc_get_type_abort(private_data, struct init_child_state);
418
419 DEBUG(5, ("Received child initialization response for domain %s\n",
420 state->domain->name));
421
422 if ((!success) || (state->response->result != WINBINDD_OK)) {
423 DEBUG(3, ("Could not init child\n"));
424 state->continuation(state->private_data, False);
425 talloc_destroy(state->mem_ctx);
426 return;
427 }
428
429 fstrcpy(state->domain->name,
430 state->response->data.domain_info.name);
431 fstrcpy(state->domain->alt_name,
432 state->response->data.domain_info.alt_name);
433 string_to_sid(&state->domain->sid,
434 state->response->data.domain_info.sid);
435 state->domain->native_mode =
436 state->response->data.domain_info.native_mode;
437 state->domain->active_directory =
438 state->response->data.domain_info.active_directory;
439 state->domain->sequence_number =
440 state->response->data.domain_info.sequence_number;
441
442 init_dc_connection(state->domain);
443
444 if (state->continuation != NULL)
445 state->continuation(state->private_data, True);
446 talloc_destroy(state->mem_ctx);
447 }
448
449 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
450 struct winbindd_cli_state *state)
451 {
452 /* Ensure null termination */
453 state->request.domain_name
454 [sizeof(state->request.domain_name)-1]='\0';
455 state->request.data.init_conn.dcname
456 [sizeof(state->request.data.init_conn.dcname)-1]='\0';
457
458 if (strlen(state->request.data.init_conn.dcname) > 0) {
459 fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
460 }
461
462 init_dc_connection(domain);
463
464 if (!domain->initialized) {
465 /* If we return error here we can't do any cached authentication,
466 but we may be in disconnected mode and can't initialize correctly.
467 Do what the previous code did and just return without initialization,
468 once we go online we'll re-initialize.
469 */
470 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
471 "online = %d\n", domain->name, (int)domain->online ));
472 }
473
474 fstrcpy(state->response.data.domain_info.name, domain->name);
475 fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
476 fstrcpy(state->response.data.domain_info.sid,
477 sid_string_static(&domain->sid));
478
479 state->response.data.domain_info.native_mode
480 = domain->native_mode;
481 state->response.data.domain_info.active_directory
482 = domain->active_directory;
483 state->response.data.domain_info.primary
484 = domain->primary;
485 state->response.data.domain_info.sequence_number =
486 domain->sequence_number;
487
488 return WINBINDD_OK;
489 }
490
491 /* Look up global info for the winbind daemon */
492 BOOL init_domain_list(void)
493 {
494 struct winbindd_domain *domain;
495 int role = lp_server_role();
496
497 /* Free existing list */
498 free_domain_list();
499
500 /* Add ourselves as the first entry. */
501
502 if ( role == ROLE_DOMAIN_MEMBER ) {
503 DOM_SID our_sid;
504
505 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
506 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
507 return False;
508 }
509
510 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
511 &cache_methods, &our_sid);
512 domain->primary = True;
513 setup_domain_child(domain, &domain->child, NULL);
514
515 /* Even in the parent winbindd we'll need to
516 talk to the DC, so try and see if we can
517 contact it. Theoretically this isn't neccessary
518 as the init_dc_connection() in init_child_recv()
519 will do this, but we can start detecting the DC
520 early here. */
521 set_domain_online_request(domain);
522 }
523
524 /* Local SAM */
525
526 domain = add_trusted_domain(get_global_sam_name(), NULL,
527 &sam_passdb_methods, get_global_sam_sid());
528 if ( role != ROLE_DOMAIN_MEMBER ) {
529 domain->primary = True;
530 }
531 setup_domain_child(domain, &domain->child, NULL);
532
533 /* BUILTIN domain */
534
535 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
536 &global_sid_Builtin);
537 setup_domain_child(domain, &domain->child, NULL);
538
539 return True;
540 }
541
542 /**
543 * Given a domain name, return the struct winbindd domain info for it
544 *
545 * @note Do *not* pass lp_workgroup() to this function. domain_list
546 * may modify it's value, and free that pointer. Instead, our local
547 * domain may be found by calling find_our_domain().
548 * directly.
549 *
550 *
551 * @return The domain structure for the named domain, if it is working.
552 */
553
554 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
555 {
556 struct winbindd_domain *domain;
557
558 /* Search through list */
559
560 for (domain = domain_list(); domain != NULL; domain = domain->next) {
561 if (strequal(domain_name, domain->name) ||
562 (domain->alt_name[0] &&
563 strequal(domain_name, domain->alt_name))) {
564 return domain;
565 }
566 }
567
568 /* Not found */
569
570 return NULL;
571 }
572
573 struct winbindd_domain *find_domain_from_name(const char *domain_name)
574 {
575 struct winbindd_domain *domain;
576
577 domain = find_domain_from_name_noinit(domain_name);
578
579 if (domain == NULL)
580 return NULL;
581
582 if (!domain->initialized)
583 init_dc_connection(domain);
584
585 return domain;
586 }
587
588 /* Given a domain sid, return the struct winbindd domain info for it */
589
590 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
591 {
592 struct winbindd_domain *domain;
593
594 /* Search through list */
595
596 for (domain = domain_list(); domain != NULL; domain = domain->next) {
597 if (sid_compare_domain(sid, &domain->sid) == 0)
598 return domain;
599 }
600
601 /* Not found */
602
603 return NULL;
604 }
605
606 /* Given a domain sid, return the struct winbindd domain info for it */
607
608 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
609 {
610 struct winbindd_domain *domain;
611
612 domain = find_domain_from_sid_noinit(sid);
613
614 if (domain == NULL)
615 return NULL;
616
617 if (!domain->initialized)
618 init_dc_connection(domain);
619
620 return domain;
621 }
622
623 struct winbindd_domain *find_our_domain(void)
624 {
625 struct winbindd_domain *domain;
626
627 /* Search through list */
628
629 for (domain = domain_list(); domain != NULL; domain = domain->next) {
630 if (domain->primary)
631 return domain;
632 }
633
634 smb_panic("Could not find our domain\n");
635 return NULL;
636 }
637
638 struct winbindd_domain *find_root_domain(void)
639 {
640 struct winbindd_domain *ours = find_our_domain();
641
642 if ( !ours )
643 return NULL;
644
645 if ( strlen(ours->forest_name) == 0 )
646 return NULL;
647
648 return find_domain_from_name( ours->forest_name );
649 }
650
651 struct winbindd_domain *find_builtin_domain(void)
652 {
653 DOM_SID sid;
654 struct winbindd_domain *domain;
655
656 string_to_sid(&sid, "S-1-5-32");
657 domain = find_domain_from_sid(&sid);
658
659 if (domain == NULL)
660 smb_panic("Could not find BUILTIN domain\n");
661
662 return domain;
663 }
664
665 /* Find the appropriate domain to lookup a name or SID */
666
667 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
668 {
669 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
670 * one to contact the external DC's. On member servers the internal
671 * domains are different: These are part of the local SAM. */
672
673 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n",
674 sid_string_static(sid)));
675
676 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
677 DEBUG(10, ("calling find_domain_from_sid\n"));
678 return find_domain_from_sid(sid);
679 }
680
681 /* On a member server a query for SID or name can always go to our
682 * primary DC. */
683
684 DEBUG(10, ("calling find_our_domain\n"));
685 return find_our_domain();
686 }
687
688 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
689 {
690 if (IS_DC || strequal(domain_name, "BUILTIN") ||
691 strequal(domain_name, get_global_sam_name()))
692 return find_domain_from_name_noinit(domain_name);
693
694 return find_our_domain();
695 }
696
697 /* Lookup a sid in a domain from a name */
698
699 BOOL winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
700 struct winbindd_domain *domain,
701 const char *domain_name,
702 const char *name, DOM_SID *sid,
703 enum lsa_SidType *type)
704 {
705 NTSTATUS result;
706
707 /* Lookup name */
708 result = domain->methods->name_to_sid(domain, mem_ctx, domain_name, name, sid, type);
709
710 /* Return sid and type if lookup successful */
711 if (!NT_STATUS_IS_OK(result)) {
712 *type = SID_NAME_UNKNOWN;
713 }
714
715 return NT_STATUS_IS_OK(result);
716 }
717
718 /**
719 * @brief Lookup a name in a domain from a sid.
720 *
721 * @param sid Security ID you want to look up.
722 * @param name On success, set to the name corresponding to @p sid.
723 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
724 * @param type On success, contains the type of name: alias, group or
725 * user.
726 * @retval True if the name exists, in which case @p name and @p type
727 * are set, otherwise False.
728 **/
729 BOOL winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
730 DOM_SID *sid,
731 char **dom_name,
732 char **name,
733 enum lsa_SidType *type)
734 {
735 NTSTATUS result;
736 struct winbindd_domain *domain;
737
738 *dom_name = NULL;
739 *name = NULL;
740
741 domain = find_lookup_domain_from_sid(sid);
742
743 if (!domain) {
744 DEBUG(1,("Can't find domain from sid\n"));
745 return False;
746 }
747
748 /* Lookup name */
749
750 result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
751
752 /* Return name and type if successful */
753
754 if (NT_STATUS_IS_OK(result)) {
755 return True;
756 }
757
758 *type = SID_NAME_UNKNOWN;
759
760 return False;
761 }
762
763 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
764
765 void free_getent_state(struct getent_state *state)
766 {
767 struct getent_state *temp;
768
769 /* Iterate over state list */
770
771 temp = state;
772
773 while(temp != NULL) {
774 struct getent_state *next = temp->next;
775
776 /* Free sam entries then list entry */
777
778 SAFE_FREE(state->sam_entries);
779 DLIST_REMOVE(state, state);
780
781 SAFE_FREE(temp);
782 temp = next;
783 }
784 }
785
786 /* Is this a domain which we may assume no DOMAIN\ prefix? */
787
788 static BOOL assume_domain(const char *domain)
789 {
790 /* never assume the domain on a standalone server */
791
792 if ( lp_server_role() == ROLE_STANDALONE )
793 return False;
794
795 /* domain member servers may possibly assume for the domain name */
796
797 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
798 if ( !strequal(lp_workgroup(), domain) )
799 return False;
800
801 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
802 return True;
803 }
804
805 /* only left with a domain controller */
806
807 if ( strequal(get_global_sam_name(), domain) ) {
808 return True;
809 }
810
811 return False;
812 }
813
814 /* Parse a string of the form DOMAIN\user into a domain and a user */
815
816 BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
817 {
818 char *p = strchr(domuser,*lp_winbind_separator());
819
820 if ( !p ) {
821 fstrcpy(user, domuser);
822
823 if ( assume_domain(lp_workgroup())) {
824 fstrcpy(domain, lp_workgroup());
825 } else {
826 return False;
827 }
828 } else {
829 fstrcpy(user, p+1);
830 fstrcpy(domain, domuser);
831 domain[PTR_DIFF(p, domuser)] = 0;
832 }
833
834 strupper_m(domain);
835
836 return True;
837 }
838
839 BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
840 char **domain, char **user)
841 {
842 fstring fstr_domain, fstr_user;
843 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
844 return False;
845 }
846 *domain = talloc_strdup(mem_ctx, fstr_domain);
847 *user = talloc_strdup(mem_ctx, fstr_user);
848 return ((*domain != NULL) && (*user != NULL));
849 }
850
851 /* Ensure an incoming username from NSS is fully qualified. Replace the
852 incoming fstring with DOMAIN <separator> user. Returns the same
853 values as parse_domain_user() but also replaces the incoming username.
854 Used to ensure all names are fully qualified within winbindd.
855 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
856 The protocol definitions of auth_crap, chng_pswd_auth_crap
857 really should be changed to use this instead of doing things
858 by hand. JRA. */
859
860 BOOL canonicalize_username(fstring username_inout, fstring domain, fstring user)
861 {
862 if (!parse_domain_user(username_inout, domain, user)) {
863 return False;
864 }
865 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
866 domain, *lp_winbind_separator(),
867 user);
868 return True;
869 }
870
871 /*
872 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
873 'winbind separator' options.
874 This means:
875 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
876 lp_workgroup()
877
878 If we are a PDC or BDC, and this is for our domain, do likewise.
879
880 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
881 username is then unqualified in unix
882
883 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
884 */
885 void fill_domain_username(fstring name, const char *domain, const char *user, BOOL can_assume)
886 {
887 fstring tmp_user;
888
889 fstrcpy(tmp_user, user);
890 strlower_m(tmp_user);
891
892 if (can_assume && assume_domain(domain)) {
893 strlcpy(name, tmp_user, sizeof(fstring));
894 } else {
895 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
896 domain, *lp_winbind_separator(),
897 tmp_user);
898 }
899 }
900
901 /*
902 * Winbindd socket accessor functions
903 */
904
905 char *get_winbind_priv_pipe_dir(void)
906 {
907 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
908 }
909
910 /* Open the winbindd socket */
911
912 static int _winbindd_socket = -1;
913 static int _winbindd_priv_socket = -1;
914
915 int open_winbindd_socket(void)
916 {
917 if (_winbindd_socket == -1) {
918 _winbindd_socket = create_pipe_sock(
919 WINBINDD_SOCKET_DIR, WINBINDD_SOCKET_NAME, 0755);
920 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
921 _winbindd_socket));
922 }
923
924 return _winbindd_socket;
925 }
926
927 int open_winbindd_priv_socket(void)
928 {
929 if (_winbindd_priv_socket == -1) {
930 _winbindd_priv_socket = create_pipe_sock(
931 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
932 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
933 _winbindd_priv_socket));
934 }
935
936 return _winbindd_priv_socket;
937 }
938
939 /* Close the winbindd socket */
940
941 void close_winbindd_socket(void)
942 {
943 if (_winbindd_socket != -1) {
944 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
945 _winbindd_socket));
946 close(_winbindd_socket);
947 _winbindd_socket = -1;
948 }
949 if (_winbindd_priv_socket != -1) {
950 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
951 _winbindd_priv_socket));
952 close(_winbindd_priv_socket);
953 _winbindd_priv_socket = -1;
954 }
955 }
956
957 /*
958 * Client list accessor functions
959 */
960
961 static struct winbindd_cli_state *_client_list;
962 static int _num_clients;
963
964 /* Return list of all connected clients */
965
966 struct winbindd_cli_state *winbindd_client_list(void)
967 {
968 return _client_list;
969 }
970
971 /* Add a connection to the list */
972
973 void winbindd_add_client(struct winbindd_cli_state *cli)
974 {
975 DLIST_ADD(_client_list, cli);
976 _num_clients++;
977 }
978
979 /* Remove a client from the list */
980
981 void winbindd_remove_client(struct winbindd_cli_state *cli)
982 {
983 DLIST_REMOVE(_client_list, cli);
984 _num_clients--;
985 }
986
987 /* Close all open clients */
988
989 void winbindd_kill_all_clients(void)
990 {
991 struct winbindd_cli_state *cl = winbindd_client_list();
992
993 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
994
995 while (cl) {
996 struct winbindd_cli_state *next;
997
998 next = cl->next;
999 winbindd_remove_client(cl);
1000 cl = next;
1001 }
1002 }
1003
1004 /* Return number of open clients */
1005
1006 int winbindd_num_clients(void)
1007 {
1008 return _num_clients;
1009 }
1010
1011 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1012 TALLOC_CTX *mem_ctx,
1013 const DOM_SID *user_sid,
1014 uint32 *p_num_groups, DOM_SID **user_sids)
1015 {
1016 NET_USER_INFO_3 *info3 = NULL;
1017 NTSTATUS status = NT_STATUS_NO_MEMORY;
1018 int i;
1019 size_t num_groups = 0;
1020 DOM_SID group_sid, primary_group;
1021
1022 DEBUG(3,(": lookup_usergroups_cached\n"));
1023
1024 *user_sids = NULL;
1025 num_groups = 0;
1026 *p_num_groups = 0;
1027
1028 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1029
1030 if (info3 == NULL) {
1031 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1032 }
1033
1034 if (info3->num_groups == 0) {
1035 TALLOC_FREE(info3);
1036 return NT_STATUS_UNSUCCESSFUL;
1037 }
1038
1039 /* always add the primary group to the sid array */
1040 sid_compose(&primary_group, &info3->dom_sid.sid, info3->user_rid);
1041
1042 if (!add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups)) {
1043 TALLOC_FREE(info3);
1044 return NT_STATUS_NO_MEMORY;
1045 }
1046
1047 for (i=0; i<info3->num_groups; i++) {
1048 sid_copy(&group_sid, &info3->dom_sid.sid);
1049 sid_append_rid(&group_sid, info3->gids[i].g_rid);
1050
1051 if (!add_sid_to_array(mem_ctx, &group_sid, user_sids,
1052 &num_groups)) {
1053 TALLOC_FREE(info3);
1054 return NT_STATUS_NO_MEMORY;
1055 }
1056 }
1057
1058 TALLOC_FREE(info3);
1059 *p_num_groups = num_groups;
1060 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1061
1062 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1063
1064 return status;
1065 }
1066
1067 /*********************************************************************
1068 We use this to remove spaces from user and group names
1069 ********************************************************************/
1070
1071 void ws_name_replace( char *name, char replace )
1072 {
1073 char replace_char[2] = { 0x0, 0x0 };
1074
1075 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1076 return;
1077
1078 replace_char[0] = replace;
1079 all_string_sub( name, " ", replace_char, 0 );
1080
1081 return;
1082 }
1083
1084 /*********************************************************************
1085 We use this to do the inverse of ws_name_replace()
1086 ********************************************************************/
1087
1088 void ws_name_return( char *name, char replace )
1089 {
1090 char replace_char[2] = { 0x0, 0x0 };
1091
1092 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1093 return;
1094
1095 replace_char[0] = replace;
1096 all_string_sub( name, replace_char, " ", 0 );
1097
1098 return;
1099 }
Samba GIT mirror