search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-rpc_cli: make dcerpc_lsa_lookup_sids_generic() public.
[Samba.git] / source3 / winbindd / winbindd_util.c
blob37b65783c8b3a6099051d034210641519d75c521
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "winbindd.h"
25 #include "secrets.h"
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
29
30 #undef DBGC_CLASS
31 #define DBGC_CLASS DBGC_WINBIND
32
33 extern struct winbindd_methods cache_methods;
34
35 /**
36 * @file winbindd_util.cq
37 *
38 * Winbind daemon for NT domain authentication nss module.
39 **/
40
41
42 /* The list of trusted domains. Note that the list can be deleted and
43 recreated using the init_domain_list() function so pointers to
44 individual winbindd_domain structures cannot be made. Keep a copy of
45 the domain name instead. */
46
47 static struct winbindd_domain *_domain_list = NULL;
48
49 struct winbindd_domain *domain_list(void)
50 {
51 /* Initialise list */
52
53 if ((!_domain_list) && (!init_domain_list())) {
54 smb_panic("Init_domain_list failed");
55 }
56
57 return _domain_list;
58 }
59
60 /* Free all entries in the trusted domain list */
61
62 static void free_domain_list(void)
63 {
64 struct winbindd_domain *domain = _domain_list;
65
66 while(domain) {
67 struct winbindd_domain *next = domain->next;
68
69 DLIST_REMOVE(_domain_list, domain);
70 SAFE_FREE(domain);
71 domain = next;
72 }
73 }
74
75 static bool is_internal_domain(const struct dom_sid *sid)
76 {
77 if (sid == NULL)
78 return False;
79
80 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
81 }
82
83 static bool is_in_internal_domain(const struct dom_sid *sid)
84 {
85 if (sid == NULL)
86 return False;
87
88 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
89 }
90
91
92 /* Add a trusted domain to our list of domains */
93 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
94 struct winbindd_methods *methods,
95 const struct dom_sid *sid)
96 {
97 struct winbindd_domain *domain;
98 const char *alternative_name = NULL;
99 char *idmap_config_option;
100 const char *param;
101 const char **ignored_domains, **dom;
102
103 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
104 for (dom=ignored_domains; dom && *dom; dom++) {
105 if (gen_fnmatch(*dom, domain_name) == 0) {
106 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
107 return NULL;
108 }
109 }
110
111 /* ignore alt_name if we are not in an AD domain */
112
113 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
114 alternative_name = alt_name;
115 }
116
117 /* We can't call domain_list() as this function is called from
118 init_domain_list() and we'll get stuck in a loop. */
119 for (domain = _domain_list; domain; domain = domain->next) {
120 if (strequal(domain_name, domain->name) ||
121 strequal(domain_name, domain->alt_name))
122 {
123 break;
124 }
125
126 if (alternative_name && *alternative_name)
127 {
128 if (strequal(alternative_name, domain->name) ||
129 strequal(alternative_name, domain->alt_name))
130 {
131 break;
132 }
133 }
134
135 if (sid)
136 {
137 if (is_null_sid(sid)) {
138 continue;
139 }
140
141 if (dom_sid_equal(sid, &domain->sid)) {
142 break;
143 }
144 }
145 }
146
147 if (domain != NULL) {
148 /*
149 * We found a match. Possibly update the SID
150 */
151 if ((sid != NULL)
152 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
153 sid_copy( &domain->sid, sid );
154 }
155 return domain;
156 }
157
158 /* Create new domain entry */
159
160 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
161 return NULL;
162
163 /* Fill in fields */
164
165 ZERO_STRUCTP(domain);
166
167 domain->children = SMB_MALLOC_ARRAY(
168 struct winbindd_child, lp_winbind_max_domain_connections());
169 if (domain->children == NULL) {
170 SAFE_FREE(domain);
171 return NULL;
172 }
173 memset(domain->children, 0,
174 sizeof(struct winbindd_child)
175 * lp_winbind_max_domain_connections());
176
177 fstrcpy(domain->name, domain_name);
178 if (alternative_name) {
179 fstrcpy(domain->alt_name, alternative_name);
180 }
181
182 domain->methods = methods;
183 domain->backend = NULL;
184 domain->internal = is_internal_domain(sid);
185 domain->sequence_number = DOM_SEQUENCE_NONE;
186 domain->last_seq_check = 0;
187 domain->initialized = False;
188 domain->online = is_internal_domain(sid);
189 domain->check_online_timeout = 0;
190 domain->dc_probe_pid = (pid_t)-1;
191 if (sid) {
192 sid_copy(&domain->sid, sid);
193 }
194
195 /* Link to domain list */
196 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
197
198 wcache_tdc_add_domain( domain );
199
200 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
201 domain->name);
202 if (idmap_config_option == NULL) {
203 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
204 goto done;
205 }
206
207 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
208
209 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
210 param ? param : "not defined"));
211
212 if (param != NULL) {
213 unsigned low_id, high_id;
214 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
215 DEBUG(1, ("invalid range syntax in %s: %s\n",
216 idmap_config_option, param));
217 goto done;
218 }
219 if (low_id > high_id) {
220 DEBUG(1, ("invalid range in %s: %s\n",
221 idmap_config_option, param));
222 goto done;
223 }
224 domain->have_idmap_config = true;
225 domain->id_range_low = low_id;
226 domain->id_range_high = high_id;
227 }
228
229 done:
230
231 DEBUG(2,("Added domain %s %s %s\n",
232 domain->name, domain->alt_name,
233 &domain->sid?sid_string_dbg(&domain->sid):""));
234
235 return domain;
236 }
237
238 bool domain_is_forest_root(const struct winbindd_domain *domain)
239 {
240 const uint32_t fr_flags =
241 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
242
243 return ((domain->domain_flags & fr_flags) == fr_flags);
244 }
245
246 /********************************************************************
247 rescan our domains looking for new trusted domains
248 ********************************************************************/
249
250 struct trustdom_state {
251 struct winbindd_domain *domain;
252 struct winbindd_request request;
253 };
254
255 static void trustdom_list_done(struct tevent_req *req);
256 static void rescan_forest_root_trusts( void );
257 static void rescan_forest_trusts( void );
258
259 static void add_trusted_domains( struct winbindd_domain *domain )
260 {
261 struct trustdom_state *state;
262 struct tevent_req *req;
263
264 state = TALLOC_ZERO_P(NULL, struct trustdom_state);
265 if (state == NULL) {
266 DEBUG(0, ("talloc failed\n"));
267 return;
268 }
269 state->domain = domain;
270
271 state->request.length = sizeof(state->request);
272 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
273
274 req = wb_domain_request_send(state, winbind_event_context(),
275 domain, &state->request);
276 if (req == NULL) {
277 DEBUG(1, ("wb_domain_request_send failed\n"));
278 TALLOC_FREE(state);
279 return;
280 }
281 tevent_req_set_callback(req, trustdom_list_done, state);
282 }
283
284 static void trustdom_list_done(struct tevent_req *req)
285 {
286 struct trustdom_state *state = tevent_req_callback_data(
287 req, struct trustdom_state);
288 struct winbindd_response *response;
289 int res, err;
290 char *p;
291
292 res = wb_domain_request_recv(req, state, &response, &err);
293 if ((res == -1) || (response->result != WINBINDD_OK)) {
294 DEBUG(1, ("Could not receive trustdoms\n"));
295 TALLOC_FREE(state);
296 return;
297 }
298
299 p = (char *)response->extra_data.data;
300
301 while ((p != NULL) && (*p != '\0')) {
302 char *q, *sidstr, *alt_name;
303 struct dom_sid sid;
304 struct winbindd_domain *domain;
305 char *alternate_name = NULL;
306
307 alt_name = strchr(p, '\\');
308 if (alt_name == NULL) {
309 DEBUG(0, ("Got invalid trustdom response\n"));
310 break;
311 }
312
313 *alt_name = '\0';
314 alt_name += 1;
315
316 sidstr = strchr(alt_name, '\\');
317 if (sidstr == NULL) {
318 DEBUG(0, ("Got invalid trustdom response\n"));
319 break;
320 }
321
322 *sidstr = '\0';
323 sidstr += 1;
324
325 q = strchr(sidstr, '\n');
326 if (q != NULL)
327 *q = '\0';
328
329 if (!string_to_sid(&sid, sidstr)) {
330 DEBUG(0, ("Got invalid trustdom response\n"));
331 break;
332 }
333
334 /* use the real alt_name if we have one, else pass in NULL */
335
336 if ( !strequal( alt_name, "(null)" ) )
337 alternate_name = alt_name;
338
339 /* If we have an existing domain structure, calling
340 add_trusted_domain() will update the SID if
341 necessary. This is important because we need the
342 SID for sibling domains */
343
344 if ( find_domain_from_name_noinit(p) != NULL ) {
345 domain = add_trusted_domain(p, alternate_name,
346 &cache_methods,
347 &sid);
348 } else {
349 domain = add_trusted_domain(p, alternate_name,
350 &cache_methods,
351 &sid);
352 if (domain) {
353 setup_domain_child(domain);
354 }
355 }
356 p=q;
357 if (p != NULL)
358 p += 1;
359 }
360
361 /*
362 Cases to consider when scanning trusts:
363 (a) we are calling from a child domain (primary && !forest_root)
364 (b) we are calling from the root of the forest (primary && forest_root)
365 (c) we are calling from a trusted forest domain (!primary
366 && !forest_root)
367 */
368
369 if (state->domain->primary) {
370 /* If this is our primary domain and we are not in the
371 forest root, we have to scan the root trusts first */
372
373 if (!domain_is_forest_root(state->domain))
374 rescan_forest_root_trusts();
375 else
376 rescan_forest_trusts();
377
378 } else if (domain_is_forest_root(state->domain)) {
379 /* Once we have done root forest trust search, we can
380 go on to search the trusted forests */
381
382 rescan_forest_trusts();
383 }
384
385 TALLOC_FREE(state);
386
387 return;
388 }
389
390 /********************************************************************
391 Scan the trusts of our forest root
392 ********************************************************************/
393
394 static void rescan_forest_root_trusts( void )
395 {
396 struct winbindd_tdc_domain *dom_list = NULL;
397 size_t num_trusts = 0;
398 int i;
399
400 /* The only transitive trusts supported by Windows 2003 AD are
401 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
402 first two are handled in forest and listed by
403 DsEnumerateDomainTrusts(). Forest trusts are not so we
404 have to do that ourselves. */
405
406 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
407 return;
408
409 for ( i=0; i<num_trusts; i++ ) {
410 struct winbindd_domain *d = NULL;
411
412 /* Find the forest root. Don't necessarily trust
413 the domain_list() as our primary domain may not
414 have been initialized. */
415
416 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
417 continue;
418 }
419
420 /* Here's the forest root */
421
422 d = find_domain_from_name_noinit( dom_list[i].domain_name );
423
424 if ( !d ) {
425 d = add_trusted_domain( dom_list[i].domain_name,
426 dom_list[i].dns_name,
427 &cache_methods,
428 &dom_list[i].sid );
429 if (d != NULL) {
430 setup_domain_child(d);
431 }
432 }
433
434 if (d == NULL) {
435 continue;
436 }
437
438 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
439 "for domain tree root %s (%s)\n",
440 d->name, d->alt_name ));
441
442 d->domain_flags = dom_list[i].trust_flags;
443 d->domain_type = dom_list[i].trust_type;
444 d->domain_trust_attribs = dom_list[i].trust_attribs;
445
446 add_trusted_domains( d );
447
448 break;
449 }
450
451 TALLOC_FREE( dom_list );
452
453 return;
454 }
455
456 /********************************************************************
457 scan the transitive forest trusts (not our own)
458 ********************************************************************/
459
460
461 static void rescan_forest_trusts( void )
462 {
463 struct winbindd_domain *d = NULL;
464 struct winbindd_tdc_domain *dom_list = NULL;
465 size_t num_trusts = 0;
466 int i;
467
468 /* The only transitive trusts supported by Windows 2003 AD are
469 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
470 first two are handled in forest and listed by
471 DsEnumerateDomainTrusts(). Forest trusts are not so we
472 have to do that ourselves. */
473
474 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
475 return;
476
477 for ( i=0; i<num_trusts; i++ ) {
478 uint32 flags = dom_list[i].trust_flags;
479 uint32 type = dom_list[i].trust_type;
480 uint32 attribs = dom_list[i].trust_attribs;
481
482 d = find_domain_from_name_noinit( dom_list[i].domain_name );
483
484 /* ignore our primary and internal domains */
485
486 if ( d && (d->internal || d->primary ) )
487 continue;
488
489 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
490 (type == NETR_TRUST_TYPE_UPLEVEL) &&
491 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
492 {
493 /* add the trusted domain if we don't know
494 about it */
495
496 if ( !d ) {
497 d = add_trusted_domain( dom_list[i].domain_name,
498 dom_list[i].dns_name,
499 &cache_methods,
500 &dom_list[i].sid );
501 if (d != NULL) {
502 setup_domain_child(d);
503 }
504 }
505
506 if (d == NULL) {
507 continue;
508 }
509
510 DEBUG(10,("Following trust path for domain %s (%s)\n",
511 d->name, d->alt_name ));
512 add_trusted_domains( d );
513 }
514 }
515
516 TALLOC_FREE( dom_list );
517
518 return;
519 }
520
521 /*********************************************************************
522 The process of updating the trusted domain list is a three step
523 async process:
524 (a) ask our domain
525 (b) ask the root domain in our forest
526 (c) ask the a DC in any Win2003 trusted forests
527 *********************************************************************/
528
529 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
530 struct timeval now, void *private_data)
531 {
532 TALLOC_FREE(te);
533
534 /* I use to clear the cache here and start over but that
535 caused problems in child processes that needed the
536 trust dom list early on. Removing it means we
537 could have some trusted domains listed that have been
538 removed from our primary domain's DC until a full
539 restart. This should be ok since I think this is what
540 Windows does as well. */
541
542 /* this will only add new domains we didn't already know about
543 in the domain_list()*/
544
545 add_trusted_domains( find_our_domain() );
546
547 te = tevent_add_timer(
548 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
549 rescan_trusted_domains, NULL);
550 /*
551 * If te == NULL, there's not much we can do here. Don't fail, the
552 * only thing we miss is new trusted domains.
553 */
554
555 return;
556 }
557
558 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
559 struct winbindd_cli_state *state)
560 {
561 /* Ensure null termination */
562 state->request->domain_name
563 [sizeof(state->request->domain_name)-1]='\0';
564 state->request->data.init_conn.dcname
565 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
566
567 if (strlen(state->request->data.init_conn.dcname) > 0) {
568 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
569 }
570
571 if (domain->internal) {
572 domain->initialized = true;
573 } else {
574 init_dc_connection(domain);
575 }
576
577 if (!domain->initialized) {
578 /* If we return error here we can't do any cached authentication,
579 but we may be in disconnected mode and can't initialize correctly.
580 Do what the previous code did and just return without initialization,
581 once we go online we'll re-initialize.
582 */
583 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
584 "online = %d\n", domain->name, (int)domain->online ));
585 }
586
587 fstrcpy(state->response->data.domain_info.name, domain->name);
588 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
589 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
590
591 state->response->data.domain_info.native_mode
592 = domain->native_mode;
593 state->response->data.domain_info.active_directory
594 = domain->active_directory;
595 state->response->data.domain_info.primary
596 = domain->primary;
597
598 return WINBINDD_OK;
599 }
600
601 /* Look up global info for the winbind daemon */
602 bool init_domain_list(void)
603 {
604 struct winbindd_domain *domain;
605 int role = lp_server_role();
606
607 /* Free existing list */
608 free_domain_list();
609
610 /* BUILTIN domain */
611
612 domain = add_trusted_domain("BUILTIN", NULL, &cache_methods,
613 &global_sid_Builtin);
614 if (domain) {
615 setup_domain_child(domain);
616 }
617
618 /* Local SAM */
619
620 domain = add_trusted_domain(get_global_sam_name(), NULL,
621 &cache_methods, get_global_sam_sid());
622 if (domain) {
623 if ( role != ROLE_DOMAIN_MEMBER ) {
624 domain->primary = True;
625 }
626 setup_domain_child(domain);
627 }
628
629 /* Add ourselves as the first entry. */
630
631 if ( role == ROLE_DOMAIN_MEMBER ) {
632 struct dom_sid our_sid;
633
634 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
635 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
636 return False;
637 }
638
639 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
640 &cache_methods, &our_sid);
641 if (domain) {
642 domain->primary = True;
643 setup_domain_child(domain);
644
645 /* Even in the parent winbindd we'll need to
646 talk to the DC, so try and see if we can
647 contact it. Theoretically this isn't neccessary
648 as the init_dc_connection() in init_child_recv()
649 will do this, but we can start detecting the DC
650 early here. */
651 set_domain_online_request(domain);
652 }
653 }
654
655 return True;
656 }
657
658 /**
659 * Given a domain name, return the struct winbindd domain info for it
660 *
661 * @note Do *not* pass lp_workgroup() to this function. domain_list
662 * may modify it's value, and free that pointer. Instead, our local
663 * domain may be found by calling find_our_domain().
664 * directly.
665 *
666 *
667 * @return The domain structure for the named domain, if it is working.
668 */
669
670 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
671 {
672 struct winbindd_domain *domain;
673
674 /* Search through list */
675
676 for (domain = domain_list(); domain != NULL; domain = domain->next) {
677 if (strequal(domain_name, domain->name) ||
678 (domain->alt_name[0] &&
679 strequal(domain_name, domain->alt_name))) {
680 return domain;
681 }
682 }
683
684 /* Not found */
685
686 return NULL;
687 }
688
689 struct winbindd_domain *find_domain_from_name(const char *domain_name)
690 {
691 struct winbindd_domain *domain;
692
693 domain = find_domain_from_name_noinit(domain_name);
694
695 if (domain == NULL)
696 return NULL;
697
698 if (!domain->initialized)
699 init_dc_connection(domain);
700
701 return domain;
702 }
703
704 /* Given a domain sid, return the struct winbindd domain info for it */
705
706 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
707 {
708 struct winbindd_domain *domain;
709
710 /* Search through list */
711
712 for (domain = domain_list(); domain != NULL; domain = domain->next) {
713 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
714 return domain;
715 }
716
717 /* Not found */
718
719 return NULL;
720 }
721
722 /* Given a domain sid, return the struct winbindd domain info for it */
723
724 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
725 {
726 struct winbindd_domain *domain;
727
728 domain = find_domain_from_sid_noinit(sid);
729
730 if (domain == NULL)
731 return NULL;
732
733 if (!domain->initialized)
734 init_dc_connection(domain);
735
736 return domain;
737 }
738
739 struct winbindd_domain *find_our_domain(void)
740 {
741 struct winbindd_domain *domain;
742
743 /* Search through list */
744
745 for (domain = domain_list(); domain != NULL; domain = domain->next) {
746 if (domain->primary)
747 return domain;
748 }
749
750 smb_panic("Could not find our domain");
751 return NULL;
752 }
753
754 struct winbindd_domain *find_root_domain(void)
755 {
756 struct winbindd_domain *ours = find_our_domain();
757
758 if (ours->forest_name[0] == '\0') {
759 return NULL;
760 }
761
762 return find_domain_from_name( ours->forest_name );
763 }
764
765 struct winbindd_domain *find_builtin_domain(void)
766 {
767 struct winbindd_domain *domain;
768
769 domain = find_domain_from_sid(&global_sid_Builtin);
770 if (domain == NULL) {
771 smb_panic("Could not find BUILTIN domain");
772 }
773
774 return domain;
775 }
776
777 /* Find the appropriate domain to lookup a name or SID */
778
779 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
780 {
781 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
782
783 if ( sid_check_is_in_unix_groups(sid) ||
784 sid_check_is_unix_groups(sid) ||
785 sid_check_is_in_unix_users(sid) ||
786 sid_check_is_unix_users(sid) )
787 {
788 return find_domain_from_sid(get_global_sam_sid());
789 }
790
791 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
792 * one to contact the external DC's. On member servers the internal
793 * domains are different: These are part of the local SAM. */
794
795 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
796
797 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
798 DEBUG(10, ("calling find_domain_from_sid\n"));
799 return find_domain_from_sid(sid);
800 }
801
802 /* On a member server a query for SID or name can always go to our
803 * primary DC. */
804
805 DEBUG(10, ("calling find_our_domain\n"));
806 return find_our_domain();
807 }
808
809 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
810 {
811 if ( strequal(domain_name, unix_users_domain_name() ) ||
812 strequal(domain_name, unix_groups_domain_name() ) )
813 {
814 /*
815 * The "Unix User" and "Unix Group" domain our handled by
816 * passdb
817 */
818 return find_domain_from_name_noinit( get_global_sam_name() );
819 }
820
821 if (IS_DC || strequal(domain_name, "BUILTIN") ||
822 strequal(domain_name, get_global_sam_name()))
823 return find_domain_from_name_noinit(domain_name);
824
825
826 return find_our_domain();
827 }
828
829 /* Is this a domain which we may assume no DOMAIN\ prefix? */
830
831 static bool assume_domain(const char *domain)
832 {
833 /* never assume the domain on a standalone server */
834
835 if ( lp_server_role() == ROLE_STANDALONE )
836 return False;
837
838 /* domain member servers may possibly assume for the domain name */
839
840 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
841 if ( !strequal(lp_workgroup(), domain) )
842 return False;
843
844 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
845 return True;
846 }
847
848 /* only left with a domain controller */
849
850 if ( strequal(get_global_sam_name(), domain) ) {
851 return True;
852 }
853
854 return False;
855 }
856
857 /* Parse a string of the form DOMAIN\user into a domain and a user */
858
859 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
860 {
861 char *p = strchr(domuser,*lp_winbind_separator());
862
863 if ( !p ) {
864 fstrcpy(user, domuser);
865
866 if ( assume_domain(lp_workgroup())) {
867 fstrcpy(domain, lp_workgroup());
868 } else if ((p = strchr(domuser, '@')) != NULL) {
869 fstrcpy(domain, p + 1);
870 user[PTR_DIFF(p, domuser)] = 0;
871 } else {
872 return False;
873 }
874 } else {
875 fstrcpy(user, p+1);
876 fstrcpy(domain, domuser);
877 domain[PTR_DIFF(p, domuser)] = 0;
878 }
879
880 strupper_m(domain);
881
882 return True;
883 }
884
885 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
886 char **domain, char **user)
887 {
888 fstring fstr_domain, fstr_user;
889 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
890 return False;
891 }
892 *domain = talloc_strdup(mem_ctx, fstr_domain);
893 *user = talloc_strdup(mem_ctx, fstr_user);
894 return ((*domain != NULL) && (*user != NULL));
895 }
896
897 /* Ensure an incoming username from NSS is fully qualified. Replace the
898 incoming fstring with DOMAIN <separator> user. Returns the same
899 values as parse_domain_user() but also replaces the incoming username.
900 Used to ensure all names are fully qualified within winbindd.
901 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
902 The protocol definitions of auth_crap, chng_pswd_auth_crap
903 really should be changed to use this instead of doing things
904 by hand. JRA. */
905
906 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
907 {
908 if (!parse_domain_user(username_inout, domain, user)) {
909 return False;
910 }
911 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
912 domain, *lp_winbind_separator(),
913 user);
914 return True;
915 }
916
917 /*
918 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
919 'winbind separator' options.
920 This means:
921 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
922 lp_workgroup()
923
924 If we are a PDC or BDC, and this is for our domain, do likewise.
925
926 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
927 username is then unqualified in unix
928
929 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
930 */
931 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
932 {
933 fstring tmp_user;
934
935 fstrcpy(tmp_user, user);
936 strlower_m(tmp_user);
937
938 if (can_assume && assume_domain(domain)) {
939 strlcpy(name, tmp_user, sizeof(fstring));
940 } else {
941 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
942 domain, *lp_winbind_separator(),
943 tmp_user);
944 }
945 }
946
947 /**
948 * talloc version of fill_domain_username()
949 * return NULL on talloc failure.
950 */
951 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
952 const char *domain,
953 const char *user,
954 bool can_assume)
955 {
956 char *tmp_user, *name;
957
958 tmp_user = talloc_strdup(mem_ctx, user);
959 strlower_m(tmp_user);
960
961 if (can_assume && assume_domain(domain)) {
962 name = tmp_user;
963 } else {
964 name = talloc_asprintf(mem_ctx, "%s%c%s",
965 domain,
966 *lp_winbind_separator(),
967 tmp_user);
968 TALLOC_FREE(tmp_user);
969 }
970
971 return name;
972 }
973
974 /*
975 * Client list accessor functions
976 */
977
978 static struct winbindd_cli_state *_client_list;
979 static int _num_clients;
980
981 /* Return list of all connected clients */
982
983 struct winbindd_cli_state *winbindd_client_list(void)
984 {
985 return _client_list;
986 }
987
988 /* Add a connection to the list */
989
990 void winbindd_add_client(struct winbindd_cli_state *cli)
991 {
992 DLIST_ADD(_client_list, cli);
993 _num_clients++;
994 }
995
996 /* Remove a client from the list */
997
998 void winbindd_remove_client(struct winbindd_cli_state *cli)
999 {
1000 DLIST_REMOVE(_client_list, cli);
1001 _num_clients--;
1002 }
1003
1004 /* Return number of open clients */
1005
1006 int winbindd_num_clients(void)
1007 {
1008 return _num_clients;
1009 }
1010
1011 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1012 TALLOC_CTX *mem_ctx,
1013 const struct dom_sid *user_sid,
1014 uint32_t *p_num_groups, struct dom_sid **user_sids)
1015 {
1016 struct netr_SamInfo3 *info3 = NULL;
1017 NTSTATUS status = NT_STATUS_NO_MEMORY;
1018 uint32_t num_groups = 0;
1019
1020 DEBUG(3,(": lookup_usergroups_cached\n"));
1021
1022 *user_sids = NULL;
1023 *p_num_groups = 0;
1024
1025 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1026
1027 if (info3 == NULL) {
1028 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1029 }
1030
1031 if (info3->base.groups.count == 0) {
1032 TALLOC_FREE(info3);
1033 return NT_STATUS_UNSUCCESSFUL;
1034 }
1035
1036 /*
1037 * Before bug #7843 the "Domain Local" groups were added with a
1038 * lookupuseraliases call, but this isn't done anymore for our domain
1039 * so we need to resolve resource groups here.
1040 *
1041 * When to use Resource Groups:
1042 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1043 */
1044 status = sid_array_from_info3(mem_ctx, info3,
1045 user_sids,
1046 &num_groups,
1047 false);
1048
1049 if (!NT_STATUS_IS_OK(status)) {
1050 TALLOC_FREE(info3);
1051 return status;
1052 }
1053
1054 TALLOC_FREE(info3);
1055 *p_num_groups = num_groups;
1056 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1057
1058 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1059
1060 return status;
1061 }
1062
1063 /*********************************************************************
1064 We use this to remove spaces from user and group names
1065 ********************************************************************/
1066
1067 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1068 struct winbindd_domain *domain,
1069 const char *name,
1070 char **normalized)
1071 {
1072 NTSTATUS nt_status;
1073
1074 if (!name || !normalized) {
1075 return NT_STATUS_INVALID_PARAMETER;
1076 }
1077
1078 if (!lp_winbind_normalize_names()) {
1079 return NT_STATUS_PROCEDURE_NOT_FOUND;
1080 }
1081
1082 /* Alias support and whitespace replacement are mutually
1083 exclusive */
1084
1085 nt_status = resolve_username_to_alias(mem_ctx, domain,
1086 name, normalized );
1087 if (NT_STATUS_IS_OK(nt_status)) {
1088 /* special return code to let the caller know we
1089 mapped to an alias */
1090 return NT_STATUS_FILE_RENAMED;
1091 }
1092
1093 /* check for an unreachable domain */
1094
1095 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1096 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1097 domain->name));
1098 set_domain_offline(domain);
1099 return nt_status;
1100 }
1101
1102 /* deal with whitespace */
1103
1104 *normalized = talloc_strdup(mem_ctx, name);
1105 if (!(*normalized)) {
1106 return NT_STATUS_NO_MEMORY;
1107 }
1108
1109 all_string_sub( *normalized, " ", "_", 0 );
1110
1111 return NT_STATUS_OK;
1112 }
1113
1114 /*********************************************************************
1115 We use this to do the inverse of normalize_name_map()
1116 ********************************************************************/
1117
1118 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1119 char *name,
1120 char **normalized)
1121 {
1122 NTSTATUS nt_status;
1123 struct winbindd_domain *domain = find_our_domain();
1124
1125 if (!name || !normalized) {
1126 return NT_STATUS_INVALID_PARAMETER;
1127 }
1128
1129 if (!lp_winbind_normalize_names()) {
1130 return NT_STATUS_PROCEDURE_NOT_FOUND;
1131 }
1132
1133 /* Alias support and whitespace replacement are mutally
1134 exclusive */
1135
1136 /* When mapping from an alias to a username, we don't know the
1137 domain. But we only need a domain structure to cache
1138 a successful lookup , so just our own domain structure for
1139 the seqnum. */
1140
1141 nt_status = resolve_alias_to_username(mem_ctx, domain,
1142 name, normalized);
1143 if (NT_STATUS_IS_OK(nt_status)) {
1144 /* Special return code to let the caller know we mapped
1145 from an alias */
1146 return NT_STATUS_FILE_RENAMED;
1147 }
1148
1149 /* check for an unreachable domain */
1150
1151 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1152 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1153 domain->name));
1154 set_domain_offline(domain);
1155 return nt_status;
1156 }
1157
1158 /* deal with whitespace */
1159
1160 *normalized = talloc_strdup(mem_ctx, name);
1161 if (!(*normalized)) {
1162 return NT_STATUS_NO_MEMORY;
1163 }
1164
1165 all_string_sub(*normalized, "_", " ", 0);
1166
1167 return NT_STATUS_OK;
1168 }
1169
1170 /*********************************************************************
1171 ********************************************************************/
1172
1173 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1174 {
1175 struct winbindd_tdc_domain *tdc = NULL;
1176 TALLOC_CTX *frame = talloc_stackframe();
1177 bool ret = false;
1178
1179 /* We can contact the domain if it is our primary domain */
1180
1181 if (domain->primary) {
1182 return true;
1183 }
1184
1185 /* Trust the TDC cache and not the winbindd_domain flags */
1186
1187 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1188 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1189 domain->name));
1190 return false;
1191 }
1192
1193 /* Can always contact a domain that is in out forest */
1194
1195 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1196 ret = true;
1197 goto done;
1198 }
1199
1200 /*
1201 * On a _member_ server, we cannot contact the domain if it
1202 * is running AD and we have no inbound trust.
1203 */
1204
1205 if (!IS_DC &&
1206 domain->active_directory &&
1207 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1208 {
1209 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1210 "and we have no inbound trust.\n", domain->name));
1211 goto done;
1212 }
1213
1214 /* Assume everything else is ok (probably not true but what
1215 can you do?) */
1216
1217 ret = true;
1218
1219 done:
1220 talloc_destroy(frame);
1221
1222 return ret;
1223 }
1224
1225 /*********************************************************************
1226 ********************************************************************/
1227
1228 bool winbindd_internal_child(struct winbindd_child *child)
1229 {
1230 if ((child == idmap_child()) || (child == locator_child())) {
1231 return True;
1232 }
1233
1234 return False;
1235 }
1236
1237 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1238
1239 /*********************************************************************
1240 ********************************************************************/
1241
1242 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1243 {
1244 char *var = NULL;
1245 char addr[INET6_ADDRSTRLEN];
1246 const char *kdc = NULL;
1247 int lvl = 11;
1248
1249 if (!domain || !domain->alt_name || !*domain->alt_name) {
1250 return;
1251 }
1252
1253 if (domain->initialized && !domain->active_directory) {
1254 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1255 domain->alt_name));
1256 return;
1257 }
1258
1259 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1260 kdc = addr;
1261 if (!*kdc) {
1262 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1263 domain->alt_name));
1264 kdc = domain->dcname;
1265 }
1266
1267 if (!kdc || !*kdc) {
1268 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1269 domain->alt_name));
1270 return;
1271 }
1272
1273 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1274 domain->alt_name) == -1) {
1275 return;
1276 }
1277
1278 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1279 var, kdc));
1280
1281 setenv(var, kdc, 1);
1282 free(var);
1283 }
1284
1285 /*********************************************************************
1286 ********************************************************************/
1287
1288 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1289 {
1290 struct winbindd_domain *our_dom = find_our_domain();
1291
1292 winbindd_set_locator_kdc_env(domain);
1293
1294 if (domain != our_dom) {
1295 winbindd_set_locator_kdc_env(our_dom);
1296 }
1297 }
1298
1299 /*********************************************************************
1300 ********************************************************************/
1301
1302 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1303 {
1304 char *var = NULL;
1305
1306 if (!domain || !domain->alt_name || !*domain->alt_name) {
1307 return;
1308 }
1309
1310 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1311 domain->alt_name) == -1) {
1312 return;
1313 }
1314
1315 unsetenv(var);
1316 free(var);
1317 }
1318 #else
1319
1320 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1321 {
1322 return;
1323 }
1324
1325 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1326 {
1327 return;
1328 }
1329
1330 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1331
1332 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1333 {
1334 resp->data.auth.nt_status = NT_STATUS_V(result);
1335 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1336
1337 /* we might have given a more useful error above */
1338 if (*resp->data.auth.error_string == '\0')
1339 fstrcpy(resp->data.auth.error_string,
1340 get_friendly_nt_error_msg(result));
1341 resp->data.auth.pam_error = nt_status_to_pam(result);
1342 }
1343
1344 bool is_domain_offline(const struct winbindd_domain *domain)
1345 {
1346 if (!lp_winbind_offline_logon()) {
1347 return false;
1348 }
1349 if (get_global_winbindd_state_offline()) {
1350 return true;
1351 }
1352 return !domain->online;
1353 }
1354
1355 bool is_domain_online(const struct winbindd_domain *domain)
1356 {
1357 return !is_domain_offline(domain);
1358 }
1359
1360 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1361 struct dom_sid **sids, uint32_t *num_sids)
1362 {
1363 const char *p;
1364
1365 p = sidstr;
1366 if (p == NULL)
1367 return False;
1368
1369 while (p[0] != '\0') {
1370 struct dom_sid sid;
1371 const char *q = NULL;
1372
1373 if (!dom_sid_parse_endp(p, &sid, &q)) {
1374 DEBUG(1, ("Could not parse sid %s\n", p));
1375 return false;
1376 }
1377 if ((q == NULL) || (q[0] != '\n')) {
1378 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1379 return false;
1380 }
1381 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
1382 num_sids)))
1383 {
1384 return False;
1385 }
1386 p = q+1;
1387 }
1388 return True;
1389 }
Samba GIT mirror