search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
winbindd_util: add fill_domain_username_talloc().
[Samba.git] / source / winbindd / winbindd_util.c
bloba2a248b682137cff9ccbc1c651054278efadb872
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "winbindd.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_WINBIND
28
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
32
33
34 /**
35 * @file winbindd_util.c
36 *
37 * Winbind daemon for NT domain authentication nss module.
38 **/
39
40
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
45
46 static struct winbindd_domain *_domain_list = NULL;
47
48 /**
49 When was the last scan of trusted domains done?
50
51 0 == not ever
52 */
53
54 static time_t last_trustdom_scan;
55
56 struct winbindd_domain *domain_list(void)
57 {
58 /* Initialise list */
59
60 if ((!_domain_list) && (!init_domain_list())) {
61 smb_panic("Init_domain_list failed");
62 }
63
64 return _domain_list;
65 }
66
67 /* Free all entries in the trusted domain list */
68
69 void free_domain_list(void)
70 {
71 struct winbindd_domain *domain = _domain_list;
72
73 while(domain) {
74 struct winbindd_domain *next = domain->next;
75
76 DLIST_REMOVE(_domain_list, domain);
77 SAFE_FREE(domain);
78 domain = next;
79 }
80 }
81
82 static bool is_internal_domain(const DOM_SID *sid)
83 {
84 if (sid == NULL)
85 return False;
86
87 if ( IS_DC )
88 return sid_check_is_builtin(sid);
89
90 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
91 }
92
93 static bool is_in_internal_domain(const DOM_SID *sid)
94 {
95 if (sid == NULL)
96 return False;
97
98 if ( IS_DC )
99 return sid_check_is_in_builtin(sid);
100
101 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
102 }
103
104
105 /* Add a trusted domain to our list of domains */
106 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
107 struct winbindd_methods *methods,
108 const DOM_SID *sid)
109 {
110 struct winbindd_domain *domain;
111 const char *alternative_name = NULL;
112 const char **ignored_domains, **dom;
113
114 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
115 for (dom=ignored_domains; dom && *dom; dom++) {
116 if (gen_fnmatch(*dom, domain_name) == 0) {
117 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
118 return NULL;
119 }
120 }
121
122 /* ignore alt_name if we are not in an AD domain */
123
124 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
125 alternative_name = alt_name;
126 }
127
128 /* We can't call domain_list() as this function is called from
129 init_domain_list() and we'll get stuck in a loop. */
130 for (domain = _domain_list; domain; domain = domain->next) {
131 if (strequal(domain_name, domain->name) ||
132 strequal(domain_name, domain->alt_name))
133 {
134 break;
135 }
136
137 if (alternative_name && *alternative_name)
138 {
139 if (strequal(alternative_name, domain->name) ||
140 strequal(alternative_name, domain->alt_name))
141 {
142 break;
143 }
144 }
145
146 if (sid)
147 {
148 if (is_null_sid(sid)) {
149 continue;
150 }
151
152 if (sid_equal(sid, &domain->sid)) {
153 break;
154 }
155 }
156 }
157
158 /* See if we found a match. Check if we need to update the
159 SID. */
160
161 if ( domain && sid) {
162 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
163 sid_copy( &domain->sid, sid );
164
165 return domain;
166 }
167
168 /* Create new domain entry */
169
170 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
171 return NULL;
172
173 /* Fill in fields */
174
175 ZERO_STRUCTP(domain);
176
177 fstrcpy(domain->name, domain_name);
178 if (alternative_name) {
179 fstrcpy(domain->alt_name, alternative_name);
180 }
181
182 domain->methods = methods;
183 domain->backend = NULL;
184 domain->internal = is_internal_domain(sid);
185 domain->sequence_number = DOM_SEQUENCE_NONE;
186 domain->last_seq_check = 0;
187 domain->initialized = False;
188 domain->online = is_internal_domain(sid);
189 domain->check_online_timeout = 0;
190 if (sid) {
191 sid_copy(&domain->sid, sid);
192 }
193
194 /* Link to domain list */
195 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
196
197 wcache_tdc_add_domain( domain );
198
199 DEBUG(2,("Added domain %s %s %s\n",
200 domain->name, domain->alt_name,
201 &domain->sid?sid_string_dbg(&domain->sid):""));
202
203 return domain;
204 }
205
206 /********************************************************************
207 rescan our domains looking for new trusted domains
208 ********************************************************************/
209
210 struct trustdom_state {
211 TALLOC_CTX *mem_ctx;
212 bool primary;
213 bool forest_root;
214 struct winbindd_response *response;
215 };
216
217 static void trustdom_recv(void *private_data, bool success);
218 static void rescan_forest_root_trusts( void );
219 static void rescan_forest_trusts( void );
220
221 static void add_trusted_domains( struct winbindd_domain *domain )
222 {
223 TALLOC_CTX *mem_ctx;
224 struct winbindd_request *request;
225 struct winbindd_response *response;
226 uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
227
228 struct trustdom_state *state;
229
230 mem_ctx = talloc_init("add_trusted_domains");
231 if (mem_ctx == NULL) {
232 DEBUG(0, ("talloc_init failed\n"));
233 return;
234 }
235
236 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
237 response = TALLOC_P(mem_ctx, struct winbindd_response);
238 state = TALLOC_P(mem_ctx, struct trustdom_state);
239
240 if ((request == NULL) || (response == NULL) || (state == NULL)) {
241 DEBUG(0, ("talloc failed\n"));
242 talloc_destroy(mem_ctx);
243 return;
244 }
245
246 state->mem_ctx = mem_ctx;
247 state->response = response;
248
249 /* Flags used to know how to continue the forest trust search */
250
251 state->primary = domain->primary;
252 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
253
254 request->length = sizeof(*request);
255 request->cmd = WINBINDD_LIST_TRUSTDOM;
256
257 async_domain_request(mem_ctx, domain, request, response,
258 trustdom_recv, state);
259 }
260
261 static void trustdom_recv(void *private_data, bool success)
262 {
263 struct trustdom_state *state =
264 talloc_get_type_abort(private_data, struct trustdom_state);
265 struct winbindd_response *response = state->response;
266 char *p;
267
268 if ((!success) || (response->result != WINBINDD_OK)) {
269 DEBUG(1, ("Could not receive trustdoms\n"));
270 talloc_destroy(state->mem_ctx);
271 return;
272 }
273
274 p = (char *)response->extra_data.data;
275
276 while ((p != NULL) && (*p != '\0')) {
277 char *q, *sidstr, *alt_name;
278 DOM_SID sid;
279 struct winbindd_domain *domain;
280 char *alternate_name = NULL;
281
282 alt_name = strchr(p, '\\');
283 if (alt_name == NULL) {
284 DEBUG(0, ("Got invalid trustdom response\n"));
285 break;
286 }
287
288 *alt_name = '\0';
289 alt_name += 1;
290
291 sidstr = strchr(alt_name, '\\');
292 if (sidstr == NULL) {
293 DEBUG(0, ("Got invalid trustdom response\n"));
294 break;
295 }
296
297 *sidstr = '\0';
298 sidstr += 1;
299
300 q = strchr(sidstr, '\n');
301 if (q != NULL)
302 *q = '\0';
303
304 if (!string_to_sid(&sid, sidstr)) {
305 /* Allow NULL sid for sibling domains */
306 if ( strcmp(sidstr,"S-0-0") == 0) {
307 sid_copy( &sid, &global_sid_NULL);
308 } else {
309 DEBUG(0, ("Got invalid trustdom response\n"));
310 break;
311 }
312 }
313
314 /* use the real alt_name if we have one, else pass in NULL */
315
316 if ( !strequal( alt_name, "(null)" ) )
317 alternate_name = alt_name;
318
319 /* If we have an existing domain structure, calling
320 add_trusted_domain() will update the SID if
321 necessary. This is important because we need the
322 SID for sibling domains */
323
324 if ( find_domain_from_name_noinit(p) != NULL ) {
325 domain = add_trusted_domain(p, alternate_name,
326 &cache_methods,
327 &sid);
328 } else {
329 domain = add_trusted_domain(p, alternate_name,
330 &cache_methods,
331 &sid);
332 if (domain) {
333 setup_domain_child(domain,
334 &domain->child);
335 }
336 }
337 p=q;
338 if (p != NULL)
339 p += 1;
340 }
341
342 SAFE_FREE(response->extra_data.data);
343
344 /*
345 Cases to consider when scanning trusts:
346 (a) we are calling from a child domain (primary && !forest_root)
347 (b) we are calling from the root of the forest (primary && forest_root)
348 (c) we are calling from a trusted forest domain (!primary
349 && !forest_root)
350 */
351
352 if ( state->primary ) {
353 /* If this is our primary domain and we are not in the
354 forest root, we have to scan the root trusts first */
355
356 if ( !state->forest_root )
357 rescan_forest_root_trusts();
358 else
359 rescan_forest_trusts();
360
361 } else if ( state->forest_root ) {
362 /* Once we have done root forest trust search, we can
363 go on to search the trusted forests */
364
365 rescan_forest_trusts();
366 }
367
368 talloc_destroy(state->mem_ctx);
369
370 return;
371 }
372
373 /********************************************************************
374 Scan the trusts of our forest root
375 ********************************************************************/
376
377 static void rescan_forest_root_trusts( void )
378 {
379 struct winbindd_tdc_domain *dom_list = NULL;
380 size_t num_trusts = 0;
381 int i;
382
383 /* The only transitive trusts supported by Windows 2003 AD are
384 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
385 first two are handled in forest and listed by
386 DsEnumerateDomainTrusts(). Forest trusts are not so we
387 have to do that ourselves. */
388
389 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
390 return;
391
392 for ( i=0; i<num_trusts; i++ ) {
393 struct winbindd_domain *d = NULL;
394
395 /* Find the forest root. Don't necessarily trust
396 the domain_list() as our primary domain may not
397 have been initialized. */
398
399 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
400 continue;
401 }
402
403 /* Here's the forest root */
404
405 d = find_domain_from_name_noinit( dom_list[i].domain_name );
406
407 if ( !d ) {
408 d = add_trusted_domain( dom_list[i].domain_name,
409 dom_list[i].dns_name,
410 &cache_methods,
411 &dom_list[i].sid );
412 }
413
414 if (d == NULL) {
415 continue;
416 }
417
418 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
419 "for domain tree root %s (%s)\n",
420 d->name, d->alt_name ));
421
422 d->domain_flags = dom_list[i].trust_flags;
423 d->domain_type = dom_list[i].trust_type;
424 d->domain_trust_attribs = dom_list[i].trust_attribs;
425
426 add_trusted_domains( d );
427
428 break;
429 }
430
431 TALLOC_FREE( dom_list );
432
433 return;
434 }
435
436 /********************************************************************
437 scan the transitive forest trusts (not our own)
438 ********************************************************************/
439
440
441 static void rescan_forest_trusts( void )
442 {
443 struct winbindd_domain *d = NULL;
444 struct winbindd_tdc_domain *dom_list = NULL;
445 size_t num_trusts = 0;
446 int i;
447
448 /* The only transitive trusts supported by Windows 2003 AD are
449 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
450 first two are handled in forest and listed by
451 DsEnumerateDomainTrusts(). Forest trusts are not so we
452 have to do that ourselves. */
453
454 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
455 return;
456
457 for ( i=0; i<num_trusts; i++ ) {
458 uint32 flags = dom_list[i].trust_flags;
459 uint32 type = dom_list[i].trust_type;
460 uint32 attribs = dom_list[i].trust_attribs;
461
462 d = find_domain_from_name_noinit( dom_list[i].domain_name );
463
464 /* ignore our primary and internal domains */
465
466 if ( d && (d->internal || d->primary ) )
467 continue;
468
469 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
470 (type == NETR_TRUST_TYPE_UPLEVEL) &&
471 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
472 {
473 /* add the trusted domain if we don't know
474 about it */
475
476 if ( !d ) {
477 d = add_trusted_domain( dom_list[i].domain_name,
478 dom_list[i].dns_name,
479 &cache_methods,
480 &dom_list[i].sid );
481 }
482
483 if (d == NULL) {
484 continue;
485 }
486
487 DEBUG(10,("Following trust path for domain %s (%s)\n",
488 d->name, d->alt_name ));
489 add_trusted_domains( d );
490 }
491 }
492
493 TALLOC_FREE( dom_list );
494
495 return;
496 }
497
498 /*********************************************************************
499 The process of updating the trusted domain list is a three step
500 async process:
501 (a) ask our domain
502 (b) ask the root domain in our forest
503 (c) ask the a DC in any Win2003 trusted forests
504 *********************************************************************/
505
506 void rescan_trusted_domains( void )
507 {
508 time_t now = time(NULL);
509
510 /* see if the time has come... */
511
512 if ((now >= last_trustdom_scan) &&
513 ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
514 return;
515
516 /* I use to clear the cache here and start over but that
517 caused problems in child processes that needed the
518 trust dom list early on. Removing it means we
519 could have some trusted domains listed that have been
520 removed from our primary domain's DC until a full
521 restart. This should be ok since I think this is what
522 Windows does as well. */
523
524 /* this will only add new domains we didn't already know about
525 in the domain_list()*/
526
527 add_trusted_domains( find_our_domain() );
528
529 last_trustdom_scan = now;
530
531 return;
532 }
533
534 struct init_child_state {
535 TALLOC_CTX *mem_ctx;
536 struct winbindd_domain *domain;
537 struct winbindd_request *request;
538 struct winbindd_response *response;
539 void (*continuation)(void *private_data, bool success);
540 void *private_data;
541 };
542
543 static void init_child_recv(void *private_data, bool success);
544 static void init_child_getdc_recv(void *private_data, bool success);
545
546 enum winbindd_result init_child_connection(struct winbindd_domain *domain,
547 void (*continuation)(void *private_data,
548 bool success),
549 void *private_data)
550 {
551 TALLOC_CTX *mem_ctx;
552 struct winbindd_request *request;
553 struct winbindd_response *response;
554 struct init_child_state *state;
555 struct winbindd_domain *request_domain;
556
557 mem_ctx = talloc_init("init_child_connection");
558 if (mem_ctx == NULL) {
559 DEBUG(0, ("talloc_init failed\n"));
560 return WINBINDD_ERROR;
561 }
562
563 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
564 response = TALLOC_P(mem_ctx, struct winbindd_response);
565 state = TALLOC_P(mem_ctx, struct init_child_state);
566
567 if ((request == NULL) || (response == NULL) || (state == NULL)) {
568 DEBUG(0, ("talloc failed\n"));
569 TALLOC_FREE(mem_ctx);
570 continuation(private_data, False);
571 return WINBINDD_ERROR;
572 }
573
574 request->length = sizeof(*request);
575
576 state->mem_ctx = mem_ctx;
577 state->domain = domain;
578 state->request = request;
579 state->response = response;
580 state->continuation = continuation;
581 state->private_data = private_data;
582
583 if (IS_DC || domain->primary || domain->internal ) {
584 /* The primary domain has to find the DC name itself */
585 request->cmd = WINBINDD_INIT_CONNECTION;
586 fstrcpy(request->domain_name, domain->name);
587 request->data.init_conn.is_primary = domain->primary ? true : false;
588 fstrcpy(request->data.init_conn.dcname, "");
589 async_request(mem_ctx, &domain->child, request, response,
590 init_child_recv, state);
591 return WINBINDD_PENDING;
592 }
593
594 /* This is *not* the primary domain, let's ask our DC about a DC
595 * name */
596
597 request->cmd = WINBINDD_GETDCNAME;
598 fstrcpy(request->domain_name, domain->name);
599
600 request_domain = find_our_domain();
601 async_domain_request(mem_ctx, request_domain, request, response,
602 init_child_getdc_recv, state);
603 return WINBINDD_PENDING;
604 }
605
606 static void init_child_getdc_recv(void *private_data, bool success)
607 {
608 struct init_child_state *state =
609 talloc_get_type_abort(private_data, struct init_child_state);
610 const char *dcname = "";
611
612 DEBUG(10, ("Received getdcname response\n"));
613
614 if (success && (state->response->result == WINBINDD_OK)) {
615 dcname = state->response->data.dc_name;
616 }
617
618 state->request->cmd = WINBINDD_INIT_CONNECTION;
619 fstrcpy(state->request->domain_name, state->domain->name);
620 state->request->data.init_conn.is_primary = False;
621 fstrcpy(state->request->data.init_conn.dcname, dcname);
622
623 async_request(state->mem_ctx, &state->domain->child,
624 state->request, state->response,
625 init_child_recv, state);
626 }
627
628 static void init_child_recv(void *private_data, bool success)
629 {
630 struct init_child_state *state =
631 talloc_get_type_abort(private_data, struct init_child_state);
632
633 DEBUG(5, ("Received child initialization response for domain %s\n",
634 state->domain->name));
635
636 if ((!success) || (state->response->result != WINBINDD_OK)) {
637 DEBUG(3, ("Could not init child\n"));
638 state->continuation(state->private_data, False);
639 talloc_destroy(state->mem_ctx);
640 return;
641 }
642
643 fstrcpy(state->domain->name,
644 state->response->data.domain_info.name);
645 fstrcpy(state->domain->alt_name,
646 state->response->data.domain_info.alt_name);
647 string_to_sid(&state->domain->sid,
648 state->response->data.domain_info.sid);
649 state->domain->native_mode =
650 state->response->data.domain_info.native_mode;
651 state->domain->active_directory =
652 state->response->data.domain_info.active_directory;
653
654 init_dc_connection(state->domain);
655
656 if (state->continuation != NULL)
657 state->continuation(state->private_data, True);
658 talloc_destroy(state->mem_ctx);
659 }
660
661 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
662 struct winbindd_cli_state *state)
663 {
664 /* Ensure null termination */
665 state->request.domain_name
666 [sizeof(state->request.domain_name)-1]='\0';
667 state->request.data.init_conn.dcname
668 [sizeof(state->request.data.init_conn.dcname)-1]='\0';
669
670 if (strlen(state->request.data.init_conn.dcname) > 0) {
671 fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
672 }
673
674 init_dc_connection(domain);
675
676 if (!domain->initialized) {
677 /* If we return error here we can't do any cached authentication,
678 but we may be in disconnected mode and can't initialize correctly.
679 Do what the previous code did and just return without initialization,
680 once we go online we'll re-initialize.
681 */
682 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
683 "online = %d\n", domain->name, (int)domain->online ));
684 }
685
686 fstrcpy(state->response.data.domain_info.name, domain->name);
687 fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
688 sid_to_fstring(state->response.data.domain_info.sid, &domain->sid);
689
690 state->response.data.domain_info.native_mode
691 = domain->native_mode;
692 state->response.data.domain_info.active_directory
693 = domain->active_directory;
694 state->response.data.domain_info.primary
695 = domain->primary;
696
697 return WINBINDD_OK;
698 }
699
700 /* Look up global info for the winbind daemon */
701 bool init_domain_list(void)
702 {
703 struct winbindd_domain *domain;
704 int role = lp_server_role();
705
706 /* Free existing list */
707 free_domain_list();
708
709 /* BUILTIN domain */
710
711 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
712 &global_sid_Builtin);
713 if (domain) {
714 setup_domain_child(domain,
715 &domain->child);
716 }
717
718 /* Local SAM */
719
720 domain = add_trusted_domain(get_global_sam_name(), NULL,
721 &sam_passdb_methods, get_global_sam_sid());
722 if (domain) {
723 if ( role != ROLE_DOMAIN_MEMBER ) {
724 domain->primary = True;
725 }
726 setup_domain_child(domain,
727 &domain->child);
728 }
729
730 /* Add ourselves as the first entry. */
731
732 if ( role == ROLE_DOMAIN_MEMBER ) {
733 DOM_SID our_sid;
734
735 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
736 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
737 return False;
738 }
739
740 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
741 &cache_methods, &our_sid);
742 if (domain) {
743 domain->primary = True;
744 setup_domain_child(domain,
745 &domain->child);
746
747 /* Even in the parent winbindd we'll need to
748 talk to the DC, so try and see if we can
749 contact it. Theoretically this isn't neccessary
750 as the init_dc_connection() in init_child_recv()
751 will do this, but we can start detecting the DC
752 early here. */
753 set_domain_online_request(domain);
754 }
755 }
756
757 return True;
758 }
759
760 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
761 {
762 struct winbindd_domain *domain;
763 DOM_SID dom_sid;
764 uint32 rid;
765
766 domain = find_domain_from_name_noinit( name );
767 if ( domain )
768 return;
769
770 sid_copy( &dom_sid, user_sid );
771 if ( !sid_split_rid( &dom_sid, &rid ) )
772 return;
773
774 /* add the newly discovered trusted domain */
775
776 domain = add_trusted_domain( name, NULL, &cache_methods,
777 &dom_sid);
778
779 if ( !domain )
780 return;
781
782 /* assume this is a trust from a one-way transitive
783 forest trust */
784
785 domain->active_directory = True;
786 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
787 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
788 domain->internal = False;
789 domain->online = True;
790
791 setup_domain_child(domain,
792 &domain->child);
793
794 wcache_tdc_add_domain( domain );
795
796 return;
797 }
798
799 /**
800 * Given a domain name, return the struct winbindd domain info for it
801 *
802 * @note Do *not* pass lp_workgroup() to this function. domain_list
803 * may modify it's value, and free that pointer. Instead, our local
804 * domain may be found by calling find_our_domain().
805 * directly.
806 *
807 *
808 * @return The domain structure for the named domain, if it is working.
809 */
810
811 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
812 {
813 struct winbindd_domain *domain;
814
815 /* Search through list */
816
817 for (domain = domain_list(); domain != NULL; domain = domain->next) {
818 if (strequal(domain_name, domain->name) ||
819 (domain->alt_name[0] &&
820 strequal(domain_name, domain->alt_name))) {
821 return domain;
822 }
823 }
824
825 /* Not found */
826
827 return NULL;
828 }
829
830 struct winbindd_domain *find_domain_from_name(const char *domain_name)
831 {
832 struct winbindd_domain *domain;
833
834 domain = find_domain_from_name_noinit(domain_name);
835
836 if (domain == NULL)
837 return NULL;
838
839 if (!domain->initialized)
840 init_dc_connection(domain);
841
842 return domain;
843 }
844
845 /* Given a domain sid, return the struct winbindd domain info for it */
846
847 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
848 {
849 struct winbindd_domain *domain;
850
851 /* Search through list */
852
853 for (domain = domain_list(); domain != NULL; domain = domain->next) {
854 if (sid_compare_domain(sid, &domain->sid) == 0)
855 return domain;
856 }
857
858 /* Not found */
859
860 return NULL;
861 }
862
863 /* Given a domain sid, return the struct winbindd domain info for it */
864
865 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
866 {
867 struct winbindd_domain *domain;
868
869 domain = find_domain_from_sid_noinit(sid);
870
871 if (domain == NULL)
872 return NULL;
873
874 if (!domain->initialized)
875 init_dc_connection(domain);
876
877 return domain;
878 }
879
880 struct winbindd_domain *find_our_domain(void)
881 {
882 struct winbindd_domain *domain;
883
884 /* Search through list */
885
886 for (domain = domain_list(); domain != NULL; domain = domain->next) {
887 if (domain->primary)
888 return domain;
889 }
890
891 smb_panic("Could not find our domain");
892 return NULL;
893 }
894
895 struct winbindd_domain *find_root_domain(void)
896 {
897 struct winbindd_domain *ours = find_our_domain();
898
899 if ( !ours )
900 return NULL;
901
902 if ( strlen(ours->forest_name) == 0 )
903 return NULL;
904
905 return find_domain_from_name( ours->forest_name );
906 }
907
908 struct winbindd_domain *find_builtin_domain(void)
909 {
910 DOM_SID sid;
911 struct winbindd_domain *domain;
912
913 string_to_sid(&sid, "S-1-5-32");
914 domain = find_domain_from_sid(&sid);
915
916 if (domain == NULL) {
917 smb_panic("Could not find BUILTIN domain");
918 }
919
920 return domain;
921 }
922
923 /* Find the appropriate domain to lookup a name or SID */
924
925 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
926 {
927 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
928
929 if ( sid_check_is_in_unix_groups(sid) ||
930 sid_check_is_unix_groups(sid) ||
931 sid_check_is_in_unix_users(sid) ||
932 sid_check_is_unix_users(sid) )
933 {
934 return find_domain_from_sid(get_global_sam_sid());
935 }
936
937 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
938 * one to contact the external DC's. On member servers the internal
939 * domains are different: These are part of the local SAM. */
940
941 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
942
943 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
944 DEBUG(10, ("calling find_domain_from_sid\n"));
945 return find_domain_from_sid(sid);
946 }
947
948 /* On a member server a query for SID or name can always go to our
949 * primary DC. */
950
951 DEBUG(10, ("calling find_our_domain\n"));
952 return find_our_domain();
953 }
954
955 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
956 {
957 if ( strequal(domain_name, unix_users_domain_name() ) ||
958 strequal(domain_name, unix_groups_domain_name() ) )
959 {
960 return find_domain_from_name_noinit( get_global_sam_name() );
961 }
962
963 if (IS_DC || strequal(domain_name, "BUILTIN") ||
964 strequal(domain_name, get_global_sam_name()))
965 return find_domain_from_name_noinit(domain_name);
966
967 /* The "Unix User" and "Unix Group" domain our handled by passdb */
968
969 return find_our_domain();
970 }
971
972 /* Lookup a sid in a domain from a name */
973
974 bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
975 enum winbindd_cmd orig_cmd,
976 struct winbindd_domain *domain,
977 const char *domain_name,
978 const char *name, DOM_SID *sid,
979 enum lsa_SidType *type)
980 {
981 NTSTATUS result;
982
983 /* Lookup name */
984 result = domain->methods->name_to_sid(domain, mem_ctx, orig_cmd,
985 domain_name, name, sid, type);
986
987 /* Return sid and type if lookup successful */
988 if (!NT_STATUS_IS_OK(result)) {
989 *type = SID_NAME_UNKNOWN;
990 }
991
992 return NT_STATUS_IS_OK(result);
993 }
994
995 /**
996 * @brief Lookup a name in a domain from a sid.
997 *
998 * @param sid Security ID you want to look up.
999 * @param name On success, set to the name corresponding to @p sid.
1000 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
1001 * @param type On success, contains the type of name: alias, group or
1002 * user.
1003 * @retval True if the name exists, in which case @p name and @p type
1004 * are set, otherwise False.
1005 **/
1006 bool winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
1007 struct winbindd_domain *domain,
1008 DOM_SID *sid,
1009 char **dom_name,
1010 char **name,
1011 enum lsa_SidType *type)
1012 {
1013 NTSTATUS result;
1014
1015 *dom_name = NULL;
1016 *name = NULL;
1017
1018 /* Lookup name */
1019
1020 result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
1021
1022 /* Return name and type if successful */
1023
1024 if (NT_STATUS_IS_OK(result)) {
1025 return True;
1026 }
1027
1028 *type = SID_NAME_UNKNOWN;
1029
1030 return False;
1031 }
1032
1033 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
1034
1035 void free_getent_state(struct getent_state *state)
1036 {
1037 struct getent_state *temp;
1038
1039 /* Iterate over state list */
1040
1041 temp = state;
1042
1043 while(temp != NULL) {
1044 struct getent_state *next = temp->next;
1045
1046 /* Free sam entries then list entry */
1047
1048 SAFE_FREE(state->sam_entries);
1049 DLIST_REMOVE(state, state);
1050
1051 SAFE_FREE(temp);
1052 temp = next;
1053 }
1054 }
1055
1056 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1057
1058 static bool assume_domain(const char *domain)
1059 {
1060 /* never assume the domain on a standalone server */
1061
1062 if ( lp_server_role() == ROLE_STANDALONE )
1063 return False;
1064
1065 /* domain member servers may possibly assume for the domain name */
1066
1067 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1068 if ( !strequal(lp_workgroup(), domain) )
1069 return False;
1070
1071 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1072 return True;
1073 }
1074
1075 /* only left with a domain controller */
1076
1077 if ( strequal(get_global_sam_name(), domain) ) {
1078 return True;
1079 }
1080
1081 return False;
1082 }
1083
1084 /* Parse a string of the form DOMAIN\user into a domain and a user */
1085
1086 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1087 {
1088 char *p = strchr(domuser,*lp_winbind_separator());
1089
1090 if ( !p ) {
1091 fstrcpy(user, domuser);
1092
1093 if ( assume_domain(lp_workgroup())) {
1094 fstrcpy(domain, lp_workgroup());
1095 } else if ((p = strchr(domuser, '@')) != NULL) {
1096 fstrcpy(domain, "");
1097 } else {
1098 return False;
1099 }
1100 } else {
1101 fstrcpy(user, p+1);
1102 fstrcpy(domain, domuser);
1103 domain[PTR_DIFF(p, domuser)] = 0;
1104 }
1105
1106 strupper_m(domain);
1107
1108 return True;
1109 }
1110
1111 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1112 char **domain, char **user)
1113 {
1114 fstring fstr_domain, fstr_user;
1115 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1116 return False;
1117 }
1118 *domain = talloc_strdup(mem_ctx, fstr_domain);
1119 *user = talloc_strdup(mem_ctx, fstr_user);
1120 return ((*domain != NULL) && (*user != NULL));
1121 }
1122
1123 /* add a domain user name to a buffer */
1124 void parse_add_domuser(void *buf, char *domuser, int *len)
1125 {
1126 fstring domain;
1127 char *p, *user;
1128
1129 user = domuser;
1130 p = strchr(domuser, *lp_winbind_separator());
1131
1132 if (p) {
1133
1134 fstrcpy(domain, domuser);
1135 domain[PTR_DIFF(p, domuser)] = 0;
1136 p++;
1137
1138 if (assume_domain(domain)) {
1139
1140 user = p;
1141 *len -= (PTR_DIFF(p, domuser));
1142 }
1143 }
1144
1145 safe_strcpy((char *)buf, user, *len);
1146 }
1147
1148 /* Ensure an incoming username from NSS is fully qualified. Replace the
1149 incoming fstring with DOMAIN <separator> user. Returns the same
1150 values as parse_domain_user() but also replaces the incoming username.
1151 Used to ensure all names are fully qualified within winbindd.
1152 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1153 The protocol definitions of auth_crap, chng_pswd_auth_crap
1154 really should be changed to use this instead of doing things
1155 by hand. JRA. */
1156
1157 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1158 {
1159 if (!parse_domain_user(username_inout, domain, user)) {
1160 return False;
1161 }
1162 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1163 domain, *lp_winbind_separator(),
1164 user);
1165 return True;
1166 }
1167
1168 /*
1169 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1170 'winbind separator' options.
1171 This means:
1172 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1173 lp_workgroup()
1174
1175 If we are a PDC or BDC, and this is for our domain, do likewise.
1176
1177 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1178 username is then unqualified in unix
1179
1180 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1181 */
1182 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1183 {
1184 fstring tmp_user;
1185
1186 fstrcpy(tmp_user, user);
1187 strlower_m(tmp_user);
1188
1189 if (can_assume && assume_domain(domain)) {
1190 strlcpy(name, tmp_user, sizeof(fstring));
1191 } else {
1192 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1193 domain, *lp_winbind_separator(),
1194 tmp_user);
1195 }
1196 }
1197
1198 /**
1199 * talloc version of fill_domain_username()
1200 * return NULL on talloc failure.
1201 */
1202 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1203 const char *domain,
1204 const char *user,
1205 bool can_assume)
1206 {
1207 char *tmp_user, *name;
1208
1209 tmp_user = talloc_strdup(mem_ctx, user);
1210 strlower_m(tmp_user);
1211
1212 if (can_assume && assume_domain(domain)) {
1213 name = tmp_user;
1214 } else {
1215 name = talloc_asprintf(mem_ctx, "%s%c%s",
1216 domain,
1217 *lp_winbind_separator(),
1218 tmp_user);
1219 TALLOC_FREE(tmp_user);
1220 }
1221
1222 return name;
1223 }
1224
1225 /*
1226 * Winbindd socket accessor functions
1227 */
1228
1229 const char *get_winbind_pipe_dir(void)
1230 {
1231 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1232 }
1233
1234 char *get_winbind_priv_pipe_dir(void)
1235 {
1236 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1237 }
1238
1239 /* Open the winbindd socket */
1240
1241 static int _winbindd_socket = -1;
1242 static int _winbindd_priv_socket = -1;
1243
1244 int open_winbindd_socket(void)
1245 {
1246 if (_winbindd_socket == -1) {
1247 _winbindd_socket = create_pipe_sock(
1248 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1249 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1250 _winbindd_socket));
1251 }
1252
1253 return _winbindd_socket;
1254 }
1255
1256 int open_winbindd_priv_socket(void)
1257 {
1258 if (_winbindd_priv_socket == -1) {
1259 _winbindd_priv_socket = create_pipe_sock(
1260 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1261 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1262 _winbindd_priv_socket));
1263 }
1264
1265 return _winbindd_priv_socket;
1266 }
1267
1268 /* Close the winbindd socket */
1269
1270 void close_winbindd_socket(void)
1271 {
1272 if (_winbindd_socket != -1) {
1273 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1274 _winbindd_socket));
1275 close(_winbindd_socket);
1276 _winbindd_socket = -1;
1277 }
1278 if (_winbindd_priv_socket != -1) {
1279 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1280 _winbindd_priv_socket));
1281 close(_winbindd_priv_socket);
1282 _winbindd_priv_socket = -1;
1283 }
1284 }
1285
1286 /*
1287 * Client list accessor functions
1288 */
1289
1290 static struct winbindd_cli_state *_client_list;
1291 static int _num_clients;
1292
1293 /* Return list of all connected clients */
1294
1295 struct winbindd_cli_state *winbindd_client_list(void)
1296 {
1297 return _client_list;
1298 }
1299
1300 /* Add a connection to the list */
1301
1302 void winbindd_add_client(struct winbindd_cli_state *cli)
1303 {
1304 DLIST_ADD(_client_list, cli);
1305 _num_clients++;
1306 }
1307
1308 /* Remove a client from the list */
1309
1310 void winbindd_remove_client(struct winbindd_cli_state *cli)
1311 {
1312 DLIST_REMOVE(_client_list, cli);
1313 _num_clients--;
1314 }
1315
1316 /* Close all open clients */
1317
1318 void winbindd_kill_all_clients(void)
1319 {
1320 struct winbindd_cli_state *cl = winbindd_client_list();
1321
1322 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1323
1324 while (cl) {
1325 struct winbindd_cli_state *next;
1326
1327 next = cl->next;
1328 winbindd_remove_client(cl);
1329 cl = next;
1330 }
1331 }
1332
1333 /* Return number of open clients */
1334
1335 int winbindd_num_clients(void)
1336 {
1337 return _num_clients;
1338 }
1339
1340 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1341 TALLOC_CTX *mem_ctx,
1342 const DOM_SID *user_sid,
1343 uint32 *p_num_groups, DOM_SID **user_sids)
1344 {
1345 struct netr_SamInfo3 *info3 = NULL;
1346 NTSTATUS status = NT_STATUS_NO_MEMORY;
1347 size_t num_groups = 0;
1348
1349 DEBUG(3,(": lookup_usergroups_cached\n"));
1350
1351 *user_sids = NULL;
1352 *p_num_groups = 0;
1353
1354 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1355
1356 if (info3 == NULL) {
1357 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1358 }
1359
1360 if (info3->base.groups.count == 0) {
1361 TALLOC_FREE(info3);
1362 return NT_STATUS_UNSUCCESSFUL;
1363 }
1364
1365 /* Skip Domain local groups outside our domain.
1366 We'll get these from the getsidaliases() RPC call. */
1367 status = sid_array_from_info3(mem_ctx, info3,
1368 user_sids,
1369 &num_groups,
1370 false, true);
1371
1372 if (!NT_STATUS_IS_OK(status)) {
1373 TALLOC_FREE(info3);
1374 return status;
1375 }
1376
1377 TALLOC_FREE(info3);
1378 *p_num_groups = num_groups;
1379 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1380
1381 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1382
1383 return status;
1384 }
1385
1386 /*********************************************************************
1387 We use this to remove spaces from user and group names
1388 ********************************************************************/
1389
1390 void ws_name_replace( char *name, char replace )
1391 {
1392 char replace_char[2] = { 0x0, 0x0 };
1393
1394 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1395 return;
1396
1397 replace_char[0] = replace;
1398 all_string_sub( name, " ", replace_char, 0 );
1399
1400 return;
1401 }
1402
1403 /*********************************************************************
1404 We use this to do the inverse of ws_name_replace()
1405 ********************************************************************/
1406
1407 void ws_name_return( char *name, char replace )
1408 {
1409 char replace_char[2] = { 0x0, 0x0 };
1410
1411 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1412 return;
1413
1414 replace_char[0] = replace;
1415 all_string_sub( name, replace_char, " ", 0 );
1416
1417 return;
1418 }
1419
1420 /*********************************************************************
1421 ********************************************************************/
1422
1423 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1424 {
1425 struct winbindd_tdc_domain *tdc = NULL;
1426 TALLOC_CTX *frame = talloc_stackframe();
1427 bool ret = false;
1428
1429 /* We can contact the domain if it is our primary domain */
1430
1431 if (domain->primary) {
1432 return true;
1433 }
1434
1435 /* Trust the TDC cache and not the winbindd_domain flags */
1436
1437 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1438 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1439 domain->name));
1440 return false;
1441 }
1442
1443 /* Can always contact a domain that is in out forest */
1444
1445 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1446 ret = true;
1447 goto done;
1448 }
1449
1450 /*
1451 * On a _member_ server, we cannot contact the domain if it
1452 * is running AD and we have no inbound trust.
1453 */
1454
1455 if (!IS_DC &&
1456 domain->active_directory &&
1457 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1458 {
1459 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1460 "and we have no inbound trust.\n", domain->name));
1461 goto done;
1462 }
1463
1464 /* Assume everything else is ok (probably not true but what
1465 can you do?) */
1466
1467 ret = true;
1468
1469 done:
1470 talloc_destroy(frame);
1471
1472 return ret;
1473 }
1474
1475 /*********************************************************************
1476 ********************************************************************/
1477
1478 bool winbindd_internal_child(struct winbindd_child *child)
1479 {
1480 if ((child == idmap_child()) || (child == locator_child())) {
1481 return True;
1482 }
1483
1484 return False;
1485 }
1486
1487 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1488
1489 /*********************************************************************
1490 ********************************************************************/
1491
1492 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1493 {
1494 char *var = NULL;
1495 char addr[INET6_ADDRSTRLEN];
1496 const char *kdc = NULL;
1497 int lvl = 11;
1498
1499 if (!domain || !domain->alt_name || !*domain->alt_name) {
1500 return;
1501 }
1502
1503 if (domain->initialized && !domain->active_directory) {
1504 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1505 domain->alt_name));
1506 return;
1507 }
1508
1509 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1510 kdc = addr;
1511 if (!*kdc) {
1512 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1513 domain->alt_name));
1514 kdc = domain->dcname;
1515 }
1516
1517 if (!kdc || !*kdc) {
1518 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1519 domain->alt_name));
1520 return;
1521 }
1522
1523 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1524 domain->alt_name) == -1) {
1525 return;
1526 }
1527
1528 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1529 var, kdc));
1530
1531 setenv(var, kdc, 1);
1532 free(var);
1533 }
1534
1535 /*********************************************************************
1536 ********************************************************************/
1537
1538 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1539 {
1540 struct winbindd_domain *our_dom = find_our_domain();
1541
1542 winbindd_set_locator_kdc_env(domain);
1543
1544 if (domain != our_dom) {
1545 winbindd_set_locator_kdc_env(our_dom);
1546 }
1547 }
1548
1549 /*********************************************************************
1550 ********************************************************************/
1551
1552 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1553 {
1554 char *var = NULL;
1555
1556 if (!domain || !domain->alt_name || !*domain->alt_name) {
1557 return;
1558 }
1559
1560 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1561 domain->alt_name) == -1) {
1562 return;
1563 }
1564
1565 unsetenv(var);
1566 free(var);
1567 }
1568 #else
1569
1570 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1571 {
1572 return;
1573 }
1574
1575 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1576 {
1577 return;
1578 }
1579
1580 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
Samba GIT mirror