search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
(merge from 3.0)
[Samba.git] / source / nsswitch / winbindd_util.c
blob0f14a7e4131892e39a090ced89eca3da202a3e3b
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "winbindd.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_WINBIND
28
29 /**
30 * @file winbindd_util.c
31 *
32 * Winbind daemon for NT domain authentication nss module.
33 **/
34
35
36 /**
37 * Used to clobber name fields that have an undefined value.
38 *
39 * Correct code should never look at a field that has this value.
40 **/
41
42 static const fstring name_deadbeef = "<deadbeef>";
43
44 /* The list of trusted domains. Note that the list can be deleted and
45 recreated using the init_domain_list() function so pointers to
46 individual winbindd_domain structures cannot be made. Keep a copy of
47 the domain name instead. */
48
49 static struct winbindd_domain *_domain_list;
50
51 struct winbindd_domain *domain_list(void)
52 {
53 /* Initialise list */
54
55 if (!_domain_list)
56 if (!init_domain_list())
57 return NULL;
58
59 return _domain_list;
60 }
61
62 /* Free all entries in the trusted domain list */
63
64 void free_domain_list(void)
65 {
66 struct winbindd_domain *domain = _domain_list;
67
68 while(domain) {
69 struct winbindd_domain *next = domain->next;
70
71 DLIST_REMOVE(_domain_list, domain);
72 SAFE_FREE(domain);
73 domain = next;
74 }
75 }
76
77
78 /* Add a trusted domain to our list of domains */
79 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
80 struct winbindd_methods *methods,
81 DOM_SID *sid)
82 {
83 struct winbindd_domain *domain;
84 char *contact_name;
85 const char *alternative_name = NULL;
86
87 /* ignore alt_name if we are not in an AD domain */
88
89 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
90 alternative_name = alt_name;
91 }
92
93 /* We can't call domain_list() as this function is called from
94 init_domain_list() and we'll get stuck in a loop. */
95 for (domain = _domain_list; domain; domain = domain->next) {
96 if (strequal(domain_name, domain->name) ||
97 strequal(domain_name, domain->alt_name)) {
98 return domain;
99 }
100 if (alternative_name && *alternative_name) {
101 if (strequal(alternative_name, domain->name) ||
102 strequal(alternative_name, domain->alt_name)) {
103 return domain;
104 }
105 }
106 }
107
108 /* Create new domain entry */
109
110 if ((domain = (struct winbindd_domain *)
111 malloc(sizeof(*domain))) == NULL)
112 return NULL;
113
114 /* Fill in fields */
115
116 ZERO_STRUCTP(domain);
117
118 /* prioritise the short name */
119 if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
120 fstrcpy(domain->name, alternative_name);
121 fstrcpy(domain->alt_name, domain_name);
122 } else {
123 fstrcpy(domain->name, domain_name);
124 if (alternative_name) {
125 fstrcpy(domain->alt_name, alternative_name);
126 }
127 }
128
129 domain->methods = methods;
130 domain->backend = NULL;
131 domain->sequence_number = DOM_SEQUENCE_NONE;
132 domain->last_seq_check = 0;
133 if (sid) {
134 sid_copy(&domain->sid, sid);
135 }
136
137 /* see if this is a native mode win2k domain (use realm name if possible) */
138
139 contact_name = *domain->alt_name ? domain->alt_name : domain->name;
140 domain->native_mode = cm_check_for_native_mode_win2k( contact_name );
141
142 DEBUG(3,("add_trusted_domain: %s is a %s mode domain\n", contact_name,
143 domain->native_mode ? "native" : "mixed (or NT4)" ));
144
145 /* Link to domain list */
146 DLIST_ADD(_domain_list, domain);
147
148 DEBUG(1,("Added domain %s %s %s\n",
149 domain->name, domain->alt_name,
150 sid?sid_string_static(&domain->sid):""));
151
152 return domain;
153 }
154
155 /********************************************************************
156 Periodically we need to refresh the trusted domain cache for smbd
157 ********************************************************************/
158
159 void rescan_trusted_domains( void )
160 {
161 static time_t last_scan;
162 time_t now = time(NULL);
163 struct winbindd_domain *mydomain = NULL;
164
165 /* see if the time has come... */
166
167 if ( (now > last_scan) && ((now-last_scan) < WINBINDD_RESCAN_FREQ) )
168 return;
169
170 if ( (mydomain = find_our_domain()) == NULL ) {
171 DEBUG(0,("rescan_trusted_domains: Can't find my own domain!\n"));
172 return;
173 }
174
175 /* this will only add new domains we didn't already know about */
176
177 add_trusted_domains( mydomain );
178
179 last_scan = now;
180
181 return;
182 }
183
184 /********************************************************************
185 rescan our domains looking for new trusted domains
186 ********************************************************************/
187
188 void add_trusted_domains( struct winbindd_domain *domain )
189 {
190 TALLOC_CTX *mem_ctx;
191 NTSTATUS result;
192 time_t t;
193 char **names;
194 char **alt_names;
195 int num_domains = 0;
196 DOM_SID *dom_sids, null_sid;
197 int i;
198 struct winbindd_domain *new_domain;
199
200 /* trusted domains might be disabled */
201 if (!lp_allow_trusted_domains()) {
202 return;
203 }
204
205 DEBUG(1, ("scanning trusted domain list\n"));
206
207 if (!(mem_ctx = talloc_init("init_domain_list")))
208 return;
209
210 ZERO_STRUCTP(&null_sid);
211
212 t = time(NULL);
213
214 /* ask the DC what domains it trusts */
215
216 result = domain->methods->trusted_domains(domain, mem_ctx, (unsigned int *)&num_domains,
217 &names, &alt_names, &dom_sids);
218
219 if ( NT_STATUS_IS_OK(result) ) {
220
221 /* Add each domain to the trusted domain list */
222
223 for(i = 0; i < num_domains; i++) {
224 DEBUG(10,("Found domain %s\n", names[i]));
225 add_trusted_domain(names[i], alt_names?alt_names[i]:NULL,
226 domain->methods, &dom_sids[i]);
227
228 /* if the SID was empty, we better set it now */
229
230 if ( sid_equal(&dom_sids[i], &null_sid) ) {
231
232 new_domain = find_domain_from_name(names[i]);
233
234 /* this should never happen */
235 if ( !new_domain ) {
236 DEBUG(0,("rescan_trust_domains: can't find the domain I just added! [%s]\n",
237 names[i]));
238 break;
239 }
240
241 /* call the cache method; which will operate on the winbindd_domain \
242 passed in and choose either rpc or ads as appropriate */
243
244 result = domain->methods->domain_sid( new_domain, &new_domain->sid );
245
246 if ( NT_STATUS_IS_OK(result) )
247 sid_copy( &dom_sids[i], &new_domain->sid );
248 }
249
250 /* store trusted domain in the cache */
251 trustdom_cache_store(names[i], alt_names ? alt_names[i] : NULL,
252 &dom_sids[i], t + WINBINDD_RESCAN_FREQ);
253 }
254 }
255
256 talloc_destroy(mem_ctx);
257 }
258
259 /* Look up global info for the winbind daemon */
260 BOOL init_domain_list(void)
261 {
262 extern struct winbindd_methods cache_methods;
263 struct winbindd_domain *domain;
264
265 /* Free existing list */
266 free_domain_list();
267
268 /* Add ourselves as the first entry. It *must* be the first entry */
269
270 domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL);
271
272 domain->primary = True;
273
274 /* get any alternate name for the primary domain */
275
276 cache_methods.alternate_name(domain);
277
278 /* now we have the correct netbios (short) domain name */
279
280 if ( *domain->name )
281 set_global_myworkgroup( domain->name );
282
283 if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
284 DEBUG(1, ("Could not fetch sid for our domain %s\n",
285 domain->name));
286 return False;
287 }
288
289 /* do an initial scan for trusted domains */
290 add_trusted_domains(domain);
291
292 return True;
293 }
294
295 /**
296 * Given a domain name, return the struct winbindd domain info for it
297 *
298 * @note Do *not* pass lp_workgroup() to this function. domain_list
299 * may modify it's value, and free that pointer. Instead, our local
300 * domain may be found by looking at the first entry in domain_list()
301 * directly.
302 *
303 *
304 * @return The domain structure for the named domain, if it is working.
305 */
306
307 struct winbindd_domain *find_domain_from_name(const char *domain_name)
308 {
309 struct winbindd_domain *domain;
310
311 /* Search through list */
312
313 for (domain = domain_list(); domain != NULL; domain = domain->next) {
314 if (strequal(domain_name, domain->name) ||
315 (domain->alt_name[0] && strequal(domain_name, domain->alt_name))) {
316 return domain;
317 }
318 }
319
320 /* Not found */
321
322 return NULL;
323 }
324
325 /* Given a domain sid, return the struct winbindd domain info for it */
326
327 struct winbindd_domain *find_domain_from_sid(DOM_SID *sid)
328 {
329 struct winbindd_domain *domain;
330
331 /* Search through list */
332
333 for (domain = domain_list(); domain != NULL; domain = domain->next) {
334 if (sid_compare_domain(sid, &domain->sid) == 0)
335 return domain;
336 }
337
338 /* Not found */
339
340 return NULL;
341 }
342
343 /* Given a domain sid, return the struct winbindd domain info for it */
344
345 struct winbindd_domain *find_our_domain()
346 {
347 struct winbindd_domain *domain;
348
349 /* Search through list */
350
351 for (domain = domain_list(); domain != NULL; domain = domain->next) {
352 if (domain->primary)
353 return domain;
354 }
355
356 /* Not found */
357
358 return NULL;
359 }
360
361 /* Lookup a sid in a domain from a name */
362
363 BOOL winbindd_lookup_sid_by_name(struct winbindd_domain *domain,
364 const char *name, DOM_SID *sid,
365 enum SID_NAME_USE *type)
366 {
367 NTSTATUS result;
368 TALLOC_CTX *mem_ctx;
369 /* Don't bother with machine accounts */
370
371 if (name[strlen(name) - 1] == '$')
372 return False;
373
374 mem_ctx = talloc_init("lookup_sid_by_name for %s\n", name);
375 if (!mem_ctx)
376 return False;
377
378 /* Lookup name */
379 result = domain->methods->name_to_sid(domain, mem_ctx, name, sid, type);
380
381 talloc_destroy(mem_ctx);
382
383 /* Return rid and type if lookup successful */
384 if (!NT_STATUS_IS_OK(result)) {
385 *type = SID_NAME_UNKNOWN;
386 }
387
388 return NT_STATUS_IS_OK(result);
389 }
390
391 /**
392 * @brief Lookup a name in a domain from a sid.
393 *
394 * @param sid Security ID you want to look up.
395 * @param name On success, set to the name corresponding to @p sid.
396 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
397 * @param type On success, contains the type of name: alias, group or
398 * user.
399 * @retval True if the name exists, in which case @p name and @p type
400 * are set, otherwise False.
401 **/
402 BOOL winbindd_lookup_name_by_sid(DOM_SID *sid,
403 fstring dom_name,
404 fstring name,
405 enum SID_NAME_USE *type)
406 {
407 char *names;
408 NTSTATUS result;
409 TALLOC_CTX *mem_ctx;
410 BOOL rv = False;
411 struct winbindd_domain *domain;
412
413 domain = find_domain_from_sid(sid);
414
415 if (!domain) {
416 DEBUG(1,("Can't find domain from sid\n"));
417 return False;
418 }
419
420 /* Lookup name */
421
422 if (!(mem_ctx = talloc_init("winbindd_lookup_name_by_sid")))
423 return False;
424
425 result = domain->methods->sid_to_name(domain, mem_ctx, sid, &names, type);
426
427 /* Return name and type if successful */
428
429 if ((rv = NT_STATUS_IS_OK(result))) {
430 fstrcpy(dom_name, domain->name);
431 fstrcpy(name, names);
432 } else {
433 *type = SID_NAME_UNKNOWN;
434 fstrcpy(name, name_deadbeef);
435 }
436
437 talloc_destroy(mem_ctx);
438
439 return rv;
440 }
441
442
443 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
444
445 void free_getent_state(struct getent_state *state)
446 {
447 struct getent_state *temp;
448
449 /* Iterate over state list */
450
451 temp = state;
452
453 while(temp != NULL) {
454 struct getent_state *next;
455
456 /* Free sam entries then list entry */
457
458 SAFE_FREE(state->sam_entries);
459 DLIST_REMOVE(state, state);
460 next = temp->next;
461
462 SAFE_FREE(temp);
463 temp = next;
464 }
465 }
466
467 /* Parse winbindd related parameters */
468
469 BOOL winbindd_param_init(void)
470 {
471 /* Parse winbind uid and winbind_gid parameters */
472
473 if (!lp_idmap_uid(&server_state.uid_low, &server_state.uid_high)) {
474 DEBUG(0, ("winbindd: idmap uid range missing or invalid\n"));
475 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
476 return False;
477 }
478
479 if (!lp_idmap_gid(&server_state.gid_low, &server_state.gid_high)) {
480 DEBUG(0, ("winbindd: idmap gid range missing or invalid\n"));
481 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
482 return False;
483 }
484
485 return True;
486 }
487
488 /* Check if a domain is present in a comma-separated list of domains */
489
490 BOOL check_domain_env(char *domain_env, char *domain)
491 {
492 fstring name;
493 const char *tmp = domain_env;
494
495 while(next_token(&tmp, name, ",", sizeof(fstring))) {
496 if (strequal(name, domain))
497 return True;
498 }
499
500 return False;
501 }
502
503 /* Is this a domain which we may assume no DOMAIN\ prefix? */
504
505 static BOOL assume_domain(const char *domain) {
506 if ((lp_winbind_use_default_domain()
507 || lp_winbind_trusted_domains_only()) &&
508 strequal(lp_workgroup(), domain))
509 return True;
510
511 if (strequal(get_global_sam_name(), domain))
512 return True;
513
514 return False;
515 }
516
517 /* Parse a string of the form DOMAIN/user into a domain and a user */
518
519 BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
520 {
521 char *p = strchr(domuser,*lp_winbind_separator());
522
523 if ( !p ) {
524 fstrcpy(user, domuser);
525
526 if ( assume_domain(lp_workgroup())) {
527 fstrcpy(domain, lp_workgroup());
528 } else {
529 fstrcpy( domain, get_global_sam_name() );
530 }
531 }
532 else {
533 fstrcpy(user, p+1);
534 fstrcpy(domain, domuser);
535 domain[PTR_DIFF(p, domuser)] = 0;
536 }
537
538 strupper_m(domain);
539
540 return True;
541 }
542
543 /*
544 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
545 'winbind separator' options.
546 This means:
547 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
548 lp_workgroup()
549
550 If we are a PDC or BDC, and this is for our domain, do likewise.
551
552 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
553 username is then unqualified in unix
554
555 */
556 void fill_domain_username(fstring name, const char *domain, const char *user)
557 {
558 if (assume_domain(domain)) {
559 strlcpy(name, user, sizeof(fstring));
560 } else {
561 slprintf(name, sizeof(fstring) - 1, "%s%s%s",
562 domain, lp_winbind_separator(),
563 user);
564 }
565 }
566
567 /*
568 * Winbindd socket accessor functions
569 */
570
571 char *get_winbind_priv_pipe_dir(void)
572 {
573 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
574 }
575
576 /* Open the winbindd socket */
577
578 static int _winbindd_socket = -1;
579 static int _winbindd_priv_socket = -1;
580
581 int open_winbindd_socket(void)
582 {
583 if (_winbindd_socket == -1) {
584 _winbindd_socket = create_pipe_sock(
585 WINBINDD_SOCKET_DIR, WINBINDD_SOCKET_NAME, 0755);
586 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
587 _winbindd_socket));
588 }
589
590 return _winbindd_socket;
591 }
592
593 int open_winbindd_priv_socket(void)
594 {
595 if (_winbindd_priv_socket == -1) {
596 _winbindd_priv_socket = create_pipe_sock(
597 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
598 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
599 _winbindd_priv_socket));
600 }
601
602 return _winbindd_priv_socket;
603 }
604
605 /* Close the winbindd socket */
606
607 void close_winbindd_socket(void)
608 {
609 if (_winbindd_socket != -1) {
610 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
611 _winbindd_socket));
612 close(_winbindd_socket);
613 _winbindd_socket = -1;
614 }
615 if (_winbindd_priv_socket != -1) {
616 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
617 _winbindd_priv_socket));
618 close(_winbindd_priv_socket);
619 _winbindd_priv_socket = -1;
620 }
621 }
622
623 /*
624 * Client list accessor functions
625 */
626
627 static struct winbindd_cli_state *_client_list;
628 static int _num_clients;
629
630 /* Return list of all connected clients */
631
632 struct winbindd_cli_state *winbindd_client_list(void)
633 {
634 return _client_list;
635 }
636
637 /* Add a connection to the list */
638
639 void winbindd_add_client(struct winbindd_cli_state *cli)
640 {
641 DLIST_ADD(_client_list, cli);
642 _num_clients++;
643 }
644
645 /* Remove a client from the list */
646
647 void winbindd_remove_client(struct winbindd_cli_state *cli)
648 {
649 DLIST_REMOVE(_client_list, cli);
650 _num_clients--;
651 }
652
653 /* Close all open clients */
654
655 void winbindd_kill_all_clients(void)
656 {
657 struct winbindd_cli_state *cl = winbindd_client_list();
658
659 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
660
661 while (cl) {
662 struct winbindd_cli_state *next;
663
664 next = cl->next;
665 winbindd_remove_client(cl);
666 cl = next;
667 }
668 }
669
670 /* Return number of open clients */
671
672 int winbindd_num_clients(void)
673 {
674 return _num_clients;
675 }
676
677 /* Help with RID -> SID conversion */
678
679 DOM_SID *rid_to_talloced_sid(struct winbindd_domain *domain,
680 TALLOC_CTX *mem_ctx,
681 uint32 rid)
682 {
683 DOM_SID *sid;
684 sid = talloc(mem_ctx, sizeof(*sid));
685 if (!sid) {
686 smb_panic("rid_to_to_talloced_sid: talloc for DOM_SID failed!\n");
687 }
688 sid_copy(sid, &domain->sid);
689 sid_append_rid(sid, rid);
690 return sid;
691 }
692
693 /*****************************************************************************
694 For idmap conversion: convert one record to new format
695 Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
696 instead of the SID.
697 *****************************************************************************/
698 static int convert_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA data, void *state)
699 {
700 struct winbindd_domain *domain;
701 char *p;
702 DOM_SID sid;
703 uint32 rid;
704 fstring keystr;
705 fstring dom_name;
706 TDB_DATA key2;
707 BOOL *failed = (BOOL *)state;
708
709 DEBUG(10,("Converting %s\n", key.dptr));
710
711 p = strchr(key.dptr, '/');
712 if (!p)
713 return 0;
714
715 *p = 0;
716 fstrcpy(dom_name, key.dptr);
717 *p++ = '/';
718
719 domain = find_domain_from_name(dom_name);
720 if (domain == NULL) {
721 /* We must delete the old record. */
722 DEBUG(0,("Unable to find domain %s\n", dom_name ));
723 DEBUG(0,("deleting record %s\n", key.dptr ));
724
725 if (tdb_delete(tdb, key) != 0) {
726 DEBUG(0, ("Unable to delete record %s\n", key.dptr));
727 *failed = True;
728 return -1;
729 }
730
731 return 0;
732 }
733
734 rid = atoi(p);
735
736 sid_copy(&sid, &domain->sid);
737 sid_append_rid(&sid, rid);
738
739 sid_to_string(keystr, &sid);
740 key2.dptr = keystr;
741 key2.dsize = strlen(keystr) + 1;
742
743 if (tdb_store(tdb, key2, data, TDB_INSERT) != 0) {
744 DEBUG(0,("Unable to add record %s\n", key2.dptr ));
745 *failed = True;
746 return -1;
747 }
748
749 if (tdb_store(tdb, data, key2, TDB_REPLACE) != 0) {
750 DEBUG(0,("Unable to update record %s\n", data.dptr ));
751 *failed = True;
752 return -1;
753 }
754
755 if (tdb_delete(tdb, key) != 0) {
756 DEBUG(0,("Unable to delete record %s\n", key.dptr ));
757 *failed = True;
758 return -1;
759 }
760
761 return 0;
762 }
763
764 /* These definitions are from sam/idmap_tdb.c. Replicated here just
765 out of laziness.... :-( */
766
767 /* High water mark keys */
768 #define HWM_GROUP "GROUP HWM"
769 #define HWM_USER "USER HWM"
770
771 /* idmap version determines auto-conversion */
772 #define IDMAP_VERSION 2
773
774
775 /*****************************************************************************
776 Convert the idmap database from an older version.
777 *****************************************************************************/
778
779 static BOOL idmap_convert(const char *idmap_name)
780 {
781 int32 vers;
782 BOOL bigendianheader;
783 BOOL failed = False;
784 TDB_CONTEXT *idmap_tdb;
785
786 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
787 TDB_DEFAULT, O_RDWR,
788 0600))) {
789 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
790 return False;
791 }
792
793 bigendianheader = (idmap_tdb->flags & TDB_BIGENDIAN) ? True : False;
794
795 vers = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
796
797 if (((vers == -1) && bigendianheader) || (IREV(vers) == IDMAP_VERSION)) {
798 /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */
799 /*
800 * high and low records were created on a
801 * big endian machine and will need byte-reversing.
802 */
803
804 int32 wm;
805
806 wm = tdb_fetch_int32(idmap_tdb, HWM_USER);
807
808 if (wm != -1) {
809 wm = IREV(wm);
810 } else {
811 wm = server_state.uid_low;
812 }
813
814 if (tdb_store_int32(idmap_tdb, HWM_USER, wm) == -1) {
815 DEBUG(0, ("idmap_convert: Unable to byteswap user hwm in idmap database\n"));
816 tdb_close(idmap_tdb);
817 return False;
818 }
819
820 wm = tdb_fetch_int32(idmap_tdb, HWM_GROUP);
821 if (wm != -1) {
822 wm = IREV(wm);
823 } else {
824 wm = server_state.gid_low;
825 }
826
827 if (tdb_store_int32(idmap_tdb, HWM_GROUP, wm) == -1) {
828 DEBUG(0, ("idmap_convert: Unable to byteswap group hwm in idmap database\n"));
829 tdb_close(idmap_tdb);
830 return False;
831 }
832 }
833
834 /* the old format stored as DOMAIN/rid - now we store the SID direct */
835 tdb_traverse(idmap_tdb, convert_fn, &failed);
836
837 if (failed) {
838 DEBUG(0, ("Problem during conversion\n"));
839 tdb_close(idmap_tdb);
840 return False;
841 }
842
843 if (tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION) == -1) {
844 DEBUG(0, ("idmap_convert: Unable to dtore idmap version in databse\n"));
845 tdb_close(idmap_tdb);
846 return False;
847 }
848
849 tdb_close(idmap_tdb);
850 return True;
851 }
852
853 /*****************************************************************************
854 Convert the idmap database from an older version if necessary
855 *****************************************************************************/
856
857 BOOL winbindd_upgrade_idmap(void)
858 {
859 pstring idmap_name;
860 pstring backup_name;
861 SMB_STRUCT_STAT stbuf;
862 TDB_CONTEXT *idmap_tdb;
863
864 pstrcpy(idmap_name, lock_path("winbindd_idmap.tdb"));
865
866 if (!file_exist(idmap_name, &stbuf)) {
867 /* nothing to convert return */
868 return True;
869 }
870
871 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
872 TDB_DEFAULT, O_RDWR,
873 0600))) {
874 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
875 return False;
876 }
877
878 if (tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION") == IDMAP_VERSION) {
879 /* nothing to convert return */
880 tdb_close(idmap_tdb);
881 return True;
882 }
883
884 /* backup_tdb expects the tdb not to be open */
885 tdb_close(idmap_tdb);
886
887 DEBUG(0, ("Upgrading winbindd_idmap.tdb from an old version\n"));
888
889 pstrcpy(backup_name, idmap_name);
890 pstrcat(backup_name, ".bak");
891
892 if (backup_tdb(idmap_name, backup_name) != 0) {
893 DEBUG(0, ("Could not backup idmap database\n"));
894 return False;
895 }
896
897 return idmap_convert(idmap_name);
898 }
899
900 /*******************************************************************
901 wrapper around retrieving the trust account password
902 *******************************************************************/
903
904 BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16],
905 time_t *pass_last_set_time, uint32 *channel)
906 {
907 DOM_SID sid;
908 char *pwd;
909
910 /* if we are a DC and this is not our domain, then lookup an account
911 for the domain trust */
912
913 if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() )
914 {
915 if ( !secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
916 pass_last_set_time) )
917 {
918 DEBUG(0, ("get_trust_pw: could not fetch trust account "
919 "password for trusted domain %s\n", domain));
920 return False;
921 }
922
923 *channel = SEC_CHAN_DOMAIN;
924 E_md4hash(pwd, ret_pwd);
925 SAFE_FREE(pwd);
926
927 return True;
928 }
929 else /* just get the account for our domain (covers
930 ROLE_DOMAIN_MEMBER as well */
931 {
932 /* get the machine trust account for our domain */
933
934 if ( !secrets_fetch_trust_account_password (lp_workgroup(), ret_pwd,
935 pass_last_set_time, channel) )
936 {
937 DEBUG(0, ("get_trust_pw: could not fetch trust account "
938 "password for my domain %s\n", domain));
939 return False;
940 }
941
942 return True;
943 }
944
945 /* Failure */
946 }
947
Samba GIT mirror