2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods
;
30 extern struct winbindd_methods builtin_passdb_methods
;
31 extern struct winbindd_methods sam_passdb_methods
;
35 * @file winbindd_util.c
37 * Winbind daemon for NT domain authentication nss module.
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
46 static struct winbindd_domain
*_domain_list
= NULL
;
49 When was the last scan of trusted domains done?
54 static time_t last_trustdom_scan
;
56 struct winbindd_domain
*domain_list(void)
60 if ((!_domain_list
) && (!init_domain_list())) {
61 smb_panic("Init_domain_list failed");
67 /* Free all entries in the trusted domain list */
69 void free_domain_list(void)
71 struct winbindd_domain
*domain
= _domain_list
;
74 struct winbindd_domain
*next
= domain
->next
;
76 DLIST_REMOVE(_domain_list
, domain
);
82 static bool is_internal_domain(const DOM_SID
*sid
)
88 return sid_check_is_builtin(sid
);
90 return (sid_check_is_domain(sid
) || sid_check_is_builtin(sid
));
93 static bool is_in_internal_domain(const DOM_SID
*sid
)
99 return sid_check_is_in_builtin(sid
);
101 return (sid_check_is_in_our_domain(sid
) || sid_check_is_in_builtin(sid
));
105 /* Add a trusted domain to our list of domains */
106 static struct winbindd_domain
*add_trusted_domain(const char *domain_name
, const char *alt_name
,
107 struct winbindd_methods
*methods
,
110 struct winbindd_domain
*domain
;
111 const char *alternative_name
= NULL
;
112 const char **ignored_domains
, **dom
;
114 ignored_domains
= lp_parm_string_list(-1, "winbind", "ignore domains", NULL
);
115 for (dom
=ignored_domains
; dom
&& *dom
; dom
++) {
116 if (gen_fnmatch(*dom
, domain_name
) == 0) {
117 DEBUG(2,("Ignoring domain '%s'\n", domain_name
));
122 /* ignore alt_name if we are not in an AD domain */
124 if ( (lp_security() == SEC_ADS
) && alt_name
&& *alt_name
) {
125 alternative_name
= alt_name
;
128 /* We can't call domain_list() as this function is called from
129 init_domain_list() and we'll get stuck in a loop. */
130 for (domain
= _domain_list
; domain
; domain
= domain
->next
) {
131 if (strequal(domain_name
, domain
->name
) ||
132 strequal(domain_name
, domain
->alt_name
))
137 if (alternative_name
&& *alternative_name
)
139 if (strequal(alternative_name
, domain
->name
) ||
140 strequal(alternative_name
, domain
->alt_name
))
148 if (is_null_sid(sid
)) {
152 if (sid_equal(sid
, &domain
->sid
)) {
158 /* See if we found a match. Check if we need to update the
161 if ( domain
&& sid
) {
162 if ( sid_equal( &domain
->sid
, &global_sid_NULL
) )
163 sid_copy( &domain
->sid
, sid
);
168 /* Create new domain entry */
170 if ((domain
= SMB_MALLOC_P(struct winbindd_domain
)) == NULL
)
175 ZERO_STRUCTP(domain
);
177 fstrcpy(domain
->name
, domain_name
);
178 if (alternative_name
) {
179 fstrcpy(domain
->alt_name
, alternative_name
);
182 domain
->methods
= methods
;
183 domain
->backend
= NULL
;
184 domain
->internal
= is_internal_domain(sid
);
185 domain
->sequence_number
= DOM_SEQUENCE_NONE
;
186 domain
->last_seq_check
= 0;
187 domain
->initialized
= False
;
188 domain
->online
= is_internal_domain(sid
);
189 domain
->check_online_timeout
= 0;
191 sid_copy(&domain
->sid
, sid
);
194 /* Link to domain list */
195 DLIST_ADD_END(_domain_list
, domain
, struct winbindd_domain
*);
197 wcache_tdc_add_domain( domain
);
199 DEBUG(2,("Added domain %s %s %s\n",
200 domain
->name
, domain
->alt_name
,
201 &domain
->sid
?sid_string_dbg(&domain
->sid
):""));
206 /********************************************************************
207 rescan our domains looking for new trusted domains
208 ********************************************************************/
210 struct trustdom_state
{
214 struct winbindd_response
*response
;
217 static void trustdom_recv(void *private_data
, bool success
);
218 static void rescan_forest_root_trusts( void );
219 static void rescan_forest_trusts( void );
221 static void add_trusted_domains( struct winbindd_domain
*domain
)
224 struct winbindd_request
*request
;
225 struct winbindd_response
*response
;
226 uint32 fr_flags
= (NETR_TRUST_FLAG_TREEROOT
|NETR_TRUST_FLAG_IN_FOREST
);
228 struct trustdom_state
*state
;
230 mem_ctx
= talloc_init("add_trusted_domains");
231 if (mem_ctx
== NULL
) {
232 DEBUG(0, ("talloc_init failed\n"));
236 request
= TALLOC_ZERO_P(mem_ctx
, struct winbindd_request
);
237 response
= TALLOC_P(mem_ctx
, struct winbindd_response
);
238 state
= TALLOC_P(mem_ctx
, struct trustdom_state
);
240 if ((request
== NULL
) || (response
== NULL
) || (state
== NULL
)) {
241 DEBUG(0, ("talloc failed\n"));
242 talloc_destroy(mem_ctx
);
246 state
->mem_ctx
= mem_ctx
;
247 state
->response
= response
;
249 /* Flags used to know how to continue the forest trust search */
251 state
->primary
= domain
->primary
;
252 state
->forest_root
= ((domain
->domain_flags
& fr_flags
) == fr_flags
);
254 request
->length
= sizeof(*request
);
255 request
->cmd
= WINBINDD_LIST_TRUSTDOM
;
257 async_domain_request(mem_ctx
, domain
, request
, response
,
258 trustdom_recv
, state
);
261 static void trustdom_recv(void *private_data
, bool success
)
263 struct trustdom_state
*state
=
264 talloc_get_type_abort(private_data
, struct trustdom_state
);
265 struct winbindd_response
*response
= state
->response
;
268 if ((!success
) || (response
->result
!= WINBINDD_OK
)) {
269 DEBUG(1, ("Could not receive trustdoms\n"));
270 talloc_destroy(state
->mem_ctx
);
274 p
= (char *)response
->extra_data
.data
;
276 while ((p
!= NULL
) && (*p
!= '\0')) {
277 char *q
, *sidstr
, *alt_name
;
279 struct winbindd_domain
*domain
;
280 char *alternate_name
= NULL
;
282 alt_name
= strchr(p
, '\\');
283 if (alt_name
== NULL
) {
284 DEBUG(0, ("Got invalid trustdom response\n"));
291 sidstr
= strchr(alt_name
, '\\');
292 if (sidstr
== NULL
) {
293 DEBUG(0, ("Got invalid trustdom response\n"));
300 q
= strchr(sidstr
, '\n');
304 if (!string_to_sid(&sid
, sidstr
)) {
305 /* Allow NULL sid for sibling domains */
306 if ( strcmp(sidstr
,"S-0-0") == 0) {
307 sid_copy( &sid
, &global_sid_NULL
);
309 DEBUG(0, ("Got invalid trustdom response\n"));
314 /* use the real alt_name if we have one, else pass in NULL */
316 if ( !strequal( alt_name
, "(null)" ) )
317 alternate_name
= alt_name
;
319 /* If we have an existing domain structure, calling
320 add_trusted_domain() will update the SID if
321 necessary. This is important because we need the
322 SID for sibling domains */
324 if ( find_domain_from_name_noinit(p
) != NULL
) {
325 domain
= add_trusted_domain(p
, alternate_name
,
329 domain
= add_trusted_domain(p
, alternate_name
,
333 setup_domain_child(domain
,
342 SAFE_FREE(response
->extra_data
.data
);
345 Cases to consider when scanning trusts:
346 (a) we are calling from a child domain (primary && !forest_root)
347 (b) we are calling from the root of the forest (primary && forest_root)
348 (c) we are calling from a trusted forest domain (!primary
352 if ( state
->primary
) {
353 /* If this is our primary domain and we are not in the
354 forest root, we have to scan the root trusts first */
356 if ( !state
->forest_root
)
357 rescan_forest_root_trusts();
359 rescan_forest_trusts();
361 } else if ( state
->forest_root
) {
362 /* Once we have done root forest trust search, we can
363 go on to search the trusted forests */
365 rescan_forest_trusts();
368 talloc_destroy(state
->mem_ctx
);
373 /********************************************************************
374 Scan the trusts of our forest root
375 ********************************************************************/
377 static void rescan_forest_root_trusts( void )
379 struct winbindd_tdc_domain
*dom_list
= NULL
;
380 size_t num_trusts
= 0;
383 /* The only transitive trusts supported by Windows 2003 AD are
384 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
385 first two are handled in forest and listed by
386 DsEnumerateDomainTrusts(). Forest trusts are not so we
387 have to do that ourselves. */
389 if ( !wcache_tdc_fetch_list( &dom_list
, &num_trusts
) )
392 for ( i
=0; i
<num_trusts
; i
++ ) {
393 struct winbindd_domain
*d
= NULL
;
395 /* Find the forest root. Don't necessarily trust
396 the domain_list() as our primary domain may not
397 have been initialized. */
399 if ( !(dom_list
[i
].trust_flags
& NETR_TRUST_FLAG_TREEROOT
) ) {
403 /* Here's the forest root */
405 d
= find_domain_from_name_noinit( dom_list
[i
].domain_name
);
408 d
= add_trusted_domain( dom_list
[i
].domain_name
,
409 dom_list
[i
].dns_name
,
418 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
419 "for domain tree root %s (%s)\n",
420 d
->name
, d
->alt_name
));
422 d
->domain_flags
= dom_list
[i
].trust_flags
;
423 d
->domain_type
= dom_list
[i
].trust_type
;
424 d
->domain_trust_attribs
= dom_list
[i
].trust_attribs
;
426 add_trusted_domains( d
);
431 TALLOC_FREE( dom_list
);
436 /********************************************************************
437 scan the transitive forest trusts (not our own)
438 ********************************************************************/
441 static void rescan_forest_trusts( void )
443 struct winbindd_domain
*d
= NULL
;
444 struct winbindd_tdc_domain
*dom_list
= NULL
;
445 size_t num_trusts
= 0;
448 /* The only transitive trusts supported by Windows 2003 AD are
449 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
450 first two are handled in forest and listed by
451 DsEnumerateDomainTrusts(). Forest trusts are not so we
452 have to do that ourselves. */
454 if ( !wcache_tdc_fetch_list( &dom_list
, &num_trusts
) )
457 for ( i
=0; i
<num_trusts
; i
++ ) {
458 uint32 flags
= dom_list
[i
].trust_flags
;
459 uint32 type
= dom_list
[i
].trust_type
;
460 uint32 attribs
= dom_list
[i
].trust_attribs
;
462 d
= find_domain_from_name_noinit( dom_list
[i
].domain_name
);
464 /* ignore our primary and internal domains */
466 if ( d
&& (d
->internal
|| d
->primary
) )
469 if ( (flags
& NETR_TRUST_FLAG_INBOUND
) &&
470 (type
== NETR_TRUST_TYPE_UPLEVEL
) &&
471 (attribs
== NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
) )
473 /* add the trusted domain if we don't know
477 d
= add_trusted_domain( dom_list
[i
].domain_name
,
478 dom_list
[i
].dns_name
,
487 DEBUG(10,("Following trust path for domain %s (%s)\n",
488 d
->name
, d
->alt_name
));
489 add_trusted_domains( d
);
493 TALLOC_FREE( dom_list
);
498 /*********************************************************************
499 The process of updating the trusted domain list is a three step
502 (b) ask the root domain in our forest
503 (c) ask the a DC in any Win2003 trusted forests
504 *********************************************************************/
506 void rescan_trusted_domains( void )
508 time_t now
= time(NULL
);
510 /* see if the time has come... */
512 if ((now
>= last_trustdom_scan
) &&
513 ((now
-last_trustdom_scan
) < WINBINDD_RESCAN_FREQ
) )
516 /* I use to clear the cache here and start over but that
517 caused problems in child processes that needed the
518 trust dom list early on. Removing it means we
519 could have some trusted domains listed that have been
520 removed from our primary domain's DC until a full
521 restart. This should be ok since I think this is what
522 Windows does as well. */
524 /* this will only add new domains we didn't already know about
525 in the domain_list()*/
527 add_trusted_domains( find_our_domain() );
529 last_trustdom_scan
= now
;
534 struct init_child_state
{
536 struct winbindd_domain
*domain
;
537 struct winbindd_request
*request
;
538 struct winbindd_response
*response
;
539 void (*continuation
)(void *private_data
, bool success
);
543 static void init_child_recv(void *private_data
, bool success
);
544 static void init_child_getdc_recv(void *private_data
, bool success
);
546 enum winbindd_result
init_child_connection(struct winbindd_domain
*domain
,
547 void (*continuation
)(void *private_data
,
552 struct winbindd_request
*request
;
553 struct winbindd_response
*response
;
554 struct init_child_state
*state
;
555 struct winbindd_domain
*request_domain
;
557 mem_ctx
= talloc_init("init_child_connection");
558 if (mem_ctx
== NULL
) {
559 DEBUG(0, ("talloc_init failed\n"));
560 return WINBINDD_ERROR
;
563 request
= TALLOC_ZERO_P(mem_ctx
, struct winbindd_request
);
564 response
= TALLOC_P(mem_ctx
, struct winbindd_response
);
565 state
= TALLOC_P(mem_ctx
, struct init_child_state
);
567 if ((request
== NULL
) || (response
== NULL
) || (state
== NULL
)) {
568 DEBUG(0, ("talloc failed\n"));
569 TALLOC_FREE(mem_ctx
);
570 continuation(private_data
, False
);
571 return WINBINDD_ERROR
;
574 request
->length
= sizeof(*request
);
576 state
->mem_ctx
= mem_ctx
;
577 state
->domain
= domain
;
578 state
->request
= request
;
579 state
->response
= response
;
580 state
->continuation
= continuation
;
581 state
->private_data
= private_data
;
583 if (IS_DC
|| domain
->primary
|| domain
->internal
) {
584 /* The primary domain has to find the DC name itself */
585 request
->cmd
= WINBINDD_INIT_CONNECTION
;
586 fstrcpy(request
->domain_name
, domain
->name
);
587 request
->data
.init_conn
.is_primary
= domain
->primary
? true : false;
588 fstrcpy(request
->data
.init_conn
.dcname
, "");
589 async_request(mem_ctx
, &domain
->child
, request
, response
,
590 init_child_recv
, state
);
591 return WINBINDD_PENDING
;
594 /* This is *not* the primary domain, let's ask our DC about a DC
597 request
->cmd
= WINBINDD_GETDCNAME
;
598 fstrcpy(request
->domain_name
, domain
->name
);
600 request_domain
= find_our_domain();
601 async_domain_request(mem_ctx
, request_domain
, request
, response
,
602 init_child_getdc_recv
, state
);
603 return WINBINDD_PENDING
;
606 static void init_child_getdc_recv(void *private_data
, bool success
)
608 struct init_child_state
*state
=
609 talloc_get_type_abort(private_data
, struct init_child_state
);
610 const char *dcname
= "";
612 DEBUG(10, ("Received getdcname response\n"));
614 if (success
&& (state
->response
->result
== WINBINDD_OK
)) {
615 dcname
= state
->response
->data
.dc_name
;
618 state
->request
->cmd
= WINBINDD_INIT_CONNECTION
;
619 fstrcpy(state
->request
->domain_name
, state
->domain
->name
);
620 state
->request
->data
.init_conn
.is_primary
= False
;
621 fstrcpy(state
->request
->data
.init_conn
.dcname
, dcname
);
623 async_request(state
->mem_ctx
, &state
->domain
->child
,
624 state
->request
, state
->response
,
625 init_child_recv
, state
);
628 static void init_child_recv(void *private_data
, bool success
)
630 struct init_child_state
*state
=
631 talloc_get_type_abort(private_data
, struct init_child_state
);
633 DEBUG(5, ("Received child initialization response for domain %s\n",
634 state
->domain
->name
));
636 if ((!success
) || (state
->response
->result
!= WINBINDD_OK
)) {
637 DEBUG(3, ("Could not init child\n"));
638 state
->continuation(state
->private_data
, False
);
639 talloc_destroy(state
->mem_ctx
);
643 fstrcpy(state
->domain
->name
,
644 state
->response
->data
.domain_info
.name
);
645 fstrcpy(state
->domain
->alt_name
,
646 state
->response
->data
.domain_info
.alt_name
);
647 string_to_sid(&state
->domain
->sid
,
648 state
->response
->data
.domain_info
.sid
);
649 state
->domain
->native_mode
=
650 state
->response
->data
.domain_info
.native_mode
;
651 state
->domain
->active_directory
=
652 state
->response
->data
.domain_info
.active_directory
;
654 init_dc_connection(state
->domain
);
656 if (state
->continuation
!= NULL
)
657 state
->continuation(state
->private_data
, True
);
658 talloc_destroy(state
->mem_ctx
);
661 enum winbindd_result
winbindd_dual_init_connection(struct winbindd_domain
*domain
,
662 struct winbindd_cli_state
*state
)
664 /* Ensure null termination */
665 state
->request
.domain_name
666 [sizeof(state
->request
.domain_name
)-1]='\0';
667 state
->request
.data
.init_conn
.dcname
668 [sizeof(state
->request
.data
.init_conn
.dcname
)-1]='\0';
670 if (strlen(state
->request
.data
.init_conn
.dcname
) > 0) {
671 fstrcpy(domain
->dcname
, state
->request
.data
.init_conn
.dcname
);
674 init_dc_connection(domain
);
676 if (!domain
->initialized
) {
677 /* If we return error here we can't do any cached authentication,
678 but we may be in disconnected mode and can't initialize correctly.
679 Do what the previous code did and just return without initialization,
680 once we go online we'll re-initialize.
682 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
683 "online = %d\n", domain
->name
, (int)domain
->online
));
686 fstrcpy(state
->response
.data
.domain_info
.name
, domain
->name
);
687 fstrcpy(state
->response
.data
.domain_info
.alt_name
, domain
->alt_name
);
688 sid_to_fstring(state
->response
.data
.domain_info
.sid
, &domain
->sid
);
690 state
->response
.data
.domain_info
.native_mode
691 = domain
->native_mode
;
692 state
->response
.data
.domain_info
.active_directory
693 = domain
->active_directory
;
694 state
->response
.data
.domain_info
.primary
700 /* Look up global info for the winbind daemon */
701 bool init_domain_list(void)
703 struct winbindd_domain
*domain
;
704 int role
= lp_server_role();
706 /* Free existing list */
711 domain
= add_trusted_domain("BUILTIN", NULL
, &builtin_passdb_methods
,
712 &global_sid_Builtin
);
714 setup_domain_child(domain
,
720 domain
= add_trusted_domain(get_global_sam_name(), NULL
,
721 &sam_passdb_methods
, get_global_sam_sid());
723 if ( role
!= ROLE_DOMAIN_MEMBER
) {
724 domain
->primary
= True
;
726 setup_domain_child(domain
,
730 /* Add ourselves as the first entry. */
732 if ( role
== ROLE_DOMAIN_MEMBER
) {
735 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid
)) {
736 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
740 domain
= add_trusted_domain( lp_workgroup(), lp_realm(),
741 &cache_methods
, &our_sid
);
743 domain
->primary
= True
;
744 setup_domain_child(domain
,
747 /* Even in the parent winbindd we'll need to
748 talk to the DC, so try and see if we can
749 contact it. Theoretically this isn't neccessary
750 as the init_dc_connection() in init_child_recv()
751 will do this, but we can start detecting the DC
753 set_domain_online_request(domain
);
760 void check_domain_trusted( const char *name
, const DOM_SID
*user_sid
)
762 struct winbindd_domain
*domain
;
766 domain
= find_domain_from_name_noinit( name
);
770 sid_copy( &dom_sid
, user_sid
);
771 if ( !sid_split_rid( &dom_sid
, &rid
) )
774 /* add the newly discovered trusted domain */
776 domain
= add_trusted_domain( name
, NULL
, &cache_methods
,
782 /* assume this is a trust from a one-way transitive
785 domain
->active_directory
= True
;
786 domain
->domain_flags
= NETR_TRUST_FLAG_OUTBOUND
;
787 domain
->domain_type
= NETR_TRUST_TYPE_UPLEVEL
;
788 domain
->internal
= False
;
789 domain
->online
= True
;
791 setup_domain_child(domain
,
794 wcache_tdc_add_domain( domain
);
800 * Given a domain name, return the struct winbindd domain info for it
802 * @note Do *not* pass lp_workgroup() to this function. domain_list
803 * may modify it's value, and free that pointer. Instead, our local
804 * domain may be found by calling find_our_domain().
808 * @return The domain structure for the named domain, if it is working.
811 struct winbindd_domain
*find_domain_from_name_noinit(const char *domain_name
)
813 struct winbindd_domain
*domain
;
815 /* Search through list */
817 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
818 if (strequal(domain_name
, domain
->name
) ||
819 (domain
->alt_name
[0] &&
820 strequal(domain_name
, domain
->alt_name
))) {
830 struct winbindd_domain
*find_domain_from_name(const char *domain_name
)
832 struct winbindd_domain
*domain
;
834 domain
= find_domain_from_name_noinit(domain_name
);
839 if (!domain
->initialized
)
840 init_dc_connection(domain
);
845 /* Given a domain sid, return the struct winbindd domain info for it */
847 struct winbindd_domain
*find_domain_from_sid_noinit(const DOM_SID
*sid
)
849 struct winbindd_domain
*domain
;
851 /* Search through list */
853 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
854 if (sid_compare_domain(sid
, &domain
->sid
) == 0)
863 /* Given a domain sid, return the struct winbindd domain info for it */
865 struct winbindd_domain
*find_domain_from_sid(const DOM_SID
*sid
)
867 struct winbindd_domain
*domain
;
869 domain
= find_domain_from_sid_noinit(sid
);
874 if (!domain
->initialized
)
875 init_dc_connection(domain
);
880 struct winbindd_domain
*find_our_domain(void)
882 struct winbindd_domain
*domain
;
884 /* Search through list */
886 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
891 smb_panic("Could not find our domain");
895 struct winbindd_domain
*find_root_domain(void)
897 struct winbindd_domain
*ours
= find_our_domain();
902 if ( strlen(ours
->forest_name
) == 0 )
905 return find_domain_from_name( ours
->forest_name
);
908 struct winbindd_domain
*find_builtin_domain(void)
911 struct winbindd_domain
*domain
;
913 string_to_sid(&sid
, "S-1-5-32");
914 domain
= find_domain_from_sid(&sid
);
916 if (domain
== NULL
) {
917 smb_panic("Could not find BUILTIN domain");
923 /* Find the appropriate domain to lookup a name or SID */
925 struct winbindd_domain
*find_lookup_domain_from_sid(const DOM_SID
*sid
)
927 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
929 if ( sid_check_is_in_unix_groups(sid
) ||
930 sid_check_is_unix_groups(sid
) ||
931 sid_check_is_in_unix_users(sid
) ||
932 sid_check_is_unix_users(sid
) )
934 return find_domain_from_sid(get_global_sam_sid());
937 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
938 * one to contact the external DC's. On member servers the internal
939 * domains are different: These are part of the local SAM. */
941 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid
)));
943 if (IS_DC
|| is_internal_domain(sid
) || is_in_internal_domain(sid
)) {
944 DEBUG(10, ("calling find_domain_from_sid\n"));
945 return find_domain_from_sid(sid
);
948 /* On a member server a query for SID or name can always go to our
951 DEBUG(10, ("calling find_our_domain\n"));
952 return find_our_domain();
955 struct winbindd_domain
*find_lookup_domain_from_name(const char *domain_name
)
957 if ( strequal(domain_name
, unix_users_domain_name() ) ||
958 strequal(domain_name
, unix_groups_domain_name() ) )
960 return find_domain_from_name_noinit( get_global_sam_name() );
963 if (IS_DC
|| strequal(domain_name
, "BUILTIN") ||
964 strequal(domain_name
, get_global_sam_name()))
965 return find_domain_from_name_noinit(domain_name
);
967 /* The "Unix User" and "Unix Group" domain our handled by passdb */
969 return find_our_domain();
972 /* Lookup a sid in a domain from a name */
974 bool winbindd_lookup_sid_by_name(TALLOC_CTX
*mem_ctx
,
975 enum winbindd_cmd orig_cmd
,
976 struct winbindd_domain
*domain
,
977 const char *domain_name
,
978 const char *name
, DOM_SID
*sid
,
979 enum lsa_SidType
*type
)
984 result
= domain
->methods
->name_to_sid(domain
, mem_ctx
, orig_cmd
,
985 domain_name
, name
, sid
, type
);
987 /* Return sid and type if lookup successful */
988 if (!NT_STATUS_IS_OK(result
)) {
989 *type
= SID_NAME_UNKNOWN
;
992 return NT_STATUS_IS_OK(result
);
996 * @brief Lookup a name in a domain from a sid.
998 * @param sid Security ID you want to look up.
999 * @param name On success, set to the name corresponding to @p sid.
1000 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
1001 * @param type On success, contains the type of name: alias, group or
1003 * @retval True if the name exists, in which case @p name and @p type
1004 * are set, otherwise False.
1006 bool winbindd_lookup_name_by_sid(TALLOC_CTX
*mem_ctx
,
1007 struct winbindd_domain
*domain
,
1011 enum lsa_SidType
*type
)
1020 result
= domain
->methods
->sid_to_name(domain
, mem_ctx
, sid
, dom_name
, name
, type
);
1022 /* Return name and type if successful */
1024 if (NT_STATUS_IS_OK(result
)) {
1028 *type
= SID_NAME_UNKNOWN
;
1033 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
1035 void free_getent_state(struct getent_state
*state
)
1037 struct getent_state
*temp
;
1039 /* Iterate over state list */
1043 while(temp
!= NULL
) {
1044 struct getent_state
*next
= temp
->next
;
1046 /* Free sam entries then list entry */
1048 SAFE_FREE(state
->sam_entries
);
1049 DLIST_REMOVE(state
, state
);
1056 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1058 static bool assume_domain(const char *domain
)
1060 /* never assume the domain on a standalone server */
1062 if ( lp_server_role() == ROLE_STANDALONE
)
1065 /* domain member servers may possibly assume for the domain name */
1067 if ( lp_server_role() == ROLE_DOMAIN_MEMBER
) {
1068 if ( !strequal(lp_workgroup(), domain
) )
1071 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1075 /* only left with a domain controller */
1077 if ( strequal(get_global_sam_name(), domain
) ) {
1084 /* Parse a string of the form DOMAIN\user into a domain and a user */
1086 bool parse_domain_user(const char *domuser
, fstring domain
, fstring user
)
1088 char *p
= strchr(domuser
,*lp_winbind_separator());
1091 fstrcpy(user
, domuser
);
1093 if ( assume_domain(lp_workgroup())) {
1094 fstrcpy(domain
, lp_workgroup());
1095 } else if ((p
= strchr(domuser
, '@')) != NULL
) {
1096 fstrcpy(domain
, "");
1102 fstrcpy(domain
, domuser
);
1103 domain
[PTR_DIFF(p
, domuser
)] = 0;
1111 bool parse_domain_user_talloc(TALLOC_CTX
*mem_ctx
, const char *domuser
,
1112 char **domain
, char **user
)
1114 fstring fstr_domain
, fstr_user
;
1115 if (!parse_domain_user(domuser
, fstr_domain
, fstr_user
)) {
1118 *domain
= talloc_strdup(mem_ctx
, fstr_domain
);
1119 *user
= talloc_strdup(mem_ctx
, fstr_user
);
1120 return ((*domain
!= NULL
) && (*user
!= NULL
));
1123 /* add a domain user name to a buffer */
1124 void parse_add_domuser(void *buf
, char *domuser
, int *len
)
1130 p
= strchr(domuser
, *lp_winbind_separator());
1134 fstrcpy(domain
, domuser
);
1135 domain
[PTR_DIFF(p
, domuser
)] = 0;
1138 if (assume_domain(domain
)) {
1141 *len
-= (PTR_DIFF(p
, domuser
));
1145 safe_strcpy((char *)buf
, user
, *len
);
1148 /* Ensure an incoming username from NSS is fully qualified. Replace the
1149 incoming fstring with DOMAIN <separator> user. Returns the same
1150 values as parse_domain_user() but also replaces the incoming username.
1151 Used to ensure all names are fully qualified within winbindd.
1152 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1153 The protocol definitions of auth_crap, chng_pswd_auth_crap
1154 really should be changed to use this instead of doing things
1157 bool canonicalize_username(fstring username_inout
, fstring domain
, fstring user
)
1159 if (!parse_domain_user(username_inout
, domain
, user
)) {
1162 slprintf(username_inout
, sizeof(fstring
) - 1, "%s%c%s",
1163 domain
, *lp_winbind_separator(),
1169 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1170 'winbind separator' options.
1172 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1175 If we are a PDC or BDC, and this is for our domain, do likewise.
1177 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1178 username is then unqualified in unix
1180 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1182 void fill_domain_username(fstring name
, const char *domain
, const char *user
, bool can_assume
)
1186 fstrcpy(tmp_user
, user
);
1187 strlower_m(tmp_user
);
1189 if (can_assume
&& assume_domain(domain
)) {
1190 strlcpy(name
, tmp_user
, sizeof(fstring
));
1192 slprintf(name
, sizeof(fstring
) - 1, "%s%c%s",
1193 domain
, *lp_winbind_separator(),
1199 * talloc version of fill_domain_username()
1200 * return NULL on talloc failure.
1202 char *fill_domain_username_talloc(TALLOC_CTX
*mem_ctx
,
1207 char *tmp_user
, *name
;
1209 tmp_user
= talloc_strdup(mem_ctx
, user
);
1210 strlower_m(tmp_user
);
1212 if (can_assume
&& assume_domain(domain
)) {
1215 name
= talloc_asprintf(mem_ctx
, "%s%c%s",
1217 *lp_winbind_separator(),
1219 TALLOC_FREE(tmp_user
);
1226 * Winbindd socket accessor functions
1229 const char *get_winbind_pipe_dir(void)
1231 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR
);
1234 char *get_winbind_priv_pipe_dir(void)
1236 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR
);
1239 /* Open the winbindd socket */
1241 static int _winbindd_socket
= -1;
1242 static int _winbindd_priv_socket
= -1;
1244 int open_winbindd_socket(void)
1246 if (_winbindd_socket
== -1) {
1247 _winbindd_socket
= create_pipe_sock(
1248 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME
, 0755);
1249 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1253 return _winbindd_socket
;
1256 int open_winbindd_priv_socket(void)
1258 if (_winbindd_priv_socket
== -1) {
1259 _winbindd_priv_socket
= create_pipe_sock(
1260 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME
, 0750);
1261 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1262 _winbindd_priv_socket
));
1265 return _winbindd_priv_socket
;
1268 /* Close the winbindd socket */
1270 void close_winbindd_socket(void)
1272 if (_winbindd_socket
!= -1) {
1273 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1275 close(_winbindd_socket
);
1276 _winbindd_socket
= -1;
1278 if (_winbindd_priv_socket
!= -1) {
1279 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1280 _winbindd_priv_socket
));
1281 close(_winbindd_priv_socket
);
1282 _winbindd_priv_socket
= -1;
1287 * Client list accessor functions
1290 static struct winbindd_cli_state
*_client_list
;
1291 static int _num_clients
;
1293 /* Return list of all connected clients */
1295 struct winbindd_cli_state
*winbindd_client_list(void)
1297 return _client_list
;
1300 /* Add a connection to the list */
1302 void winbindd_add_client(struct winbindd_cli_state
*cli
)
1304 DLIST_ADD(_client_list
, cli
);
1308 /* Remove a client from the list */
1310 void winbindd_remove_client(struct winbindd_cli_state
*cli
)
1312 DLIST_REMOVE(_client_list
, cli
);
1316 /* Close all open clients */
1318 void winbindd_kill_all_clients(void)
1320 struct winbindd_cli_state
*cl
= winbindd_client_list();
1322 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1325 struct winbindd_cli_state
*next
;
1328 winbindd_remove_client(cl
);
1333 /* Return number of open clients */
1335 int winbindd_num_clients(void)
1337 return _num_clients
;
1340 NTSTATUS
lookup_usergroups_cached(struct winbindd_domain
*domain
,
1341 TALLOC_CTX
*mem_ctx
,
1342 const DOM_SID
*user_sid
,
1343 uint32
*p_num_groups
, DOM_SID
**user_sids
)
1345 struct netr_SamInfo3
*info3
= NULL
;
1346 NTSTATUS status
= NT_STATUS_NO_MEMORY
;
1347 size_t num_groups
= 0;
1349 DEBUG(3,(": lookup_usergroups_cached\n"));
1354 info3
= netsamlogon_cache_get(mem_ctx
, user_sid
);
1356 if (info3
== NULL
) {
1357 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1360 if (info3
->base
.groups
.count
== 0) {
1362 return NT_STATUS_UNSUCCESSFUL
;
1365 /* Skip Domain local groups outside our domain.
1366 We'll get these from the getsidaliases() RPC call. */
1367 status
= sid_array_from_info3(mem_ctx
, info3
,
1372 if (!NT_STATUS_IS_OK(status
)) {
1378 *p_num_groups
= num_groups
;
1379 status
= (user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
1381 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1386 /*********************************************************************
1387 We use this to remove spaces from user and group names
1388 ********************************************************************/
1390 void ws_name_replace( char *name
, char replace
)
1392 char replace_char
[2] = { 0x0, 0x0 };
1394 if ( !lp_winbind_normalize_names() || (replace
== '\0') )
1397 replace_char
[0] = replace
;
1398 all_string_sub( name
, " ", replace_char
, 0 );
1403 /*********************************************************************
1404 We use this to do the inverse of ws_name_replace()
1405 ********************************************************************/
1407 void ws_name_return( char *name
, char replace
)
1409 char replace_char
[2] = { 0x0, 0x0 };
1411 if ( !lp_winbind_normalize_names() || (replace
== '\0') )
1414 replace_char
[0] = replace
;
1415 all_string_sub( name
, replace_char
, " ", 0 );
1420 /*********************************************************************
1421 ********************************************************************/
1423 bool winbindd_can_contact_domain(struct winbindd_domain
*domain
)
1425 struct winbindd_tdc_domain
*tdc
= NULL
;
1426 TALLOC_CTX
*frame
= talloc_stackframe();
1429 /* We can contact the domain if it is our primary domain */
1431 if (domain
->primary
) {
1435 /* Trust the TDC cache and not the winbindd_domain flags */
1437 if ((tdc
= wcache_tdc_fetch_domain(frame
, domain
->name
)) == NULL
) {
1438 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1443 /* Can always contact a domain that is in out forest */
1445 if (tdc
->trust_flags
& NETR_TRUST_FLAG_IN_FOREST
) {
1451 * On a _member_ server, we cannot contact the domain if it
1452 * is running AD and we have no inbound trust.
1456 domain
->active_directory
&&
1457 ((tdc
->trust_flags
& NETR_TRUST_FLAG_INBOUND
) != NETR_TRUST_FLAG_INBOUND
))
1459 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1460 "and we have no inbound trust.\n", domain
->name
));
1464 /* Assume everything else is ok (probably not true but what
1470 talloc_destroy(frame
);
1475 /*********************************************************************
1476 ********************************************************************/
1478 bool winbindd_internal_child(struct winbindd_child
*child
)
1480 if ((child
== idmap_child()) || (child
== locator_child())) {
1487 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1489 /*********************************************************************
1490 ********************************************************************/
1492 static void winbindd_set_locator_kdc_env(const struct winbindd_domain
*domain
)
1495 char addr
[INET6_ADDRSTRLEN
];
1496 const char *kdc
= NULL
;
1499 if (!domain
|| !domain
->alt_name
|| !*domain
->alt_name
) {
1503 if (domain
->initialized
&& !domain
->active_directory
) {
1504 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s not AD\n",
1509 print_sockaddr(addr
, sizeof(addr
), &domain
->dcaddr
);
1512 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1514 kdc
= domain
->dcname
;
1517 if (!kdc
|| !*kdc
) {
1518 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1523 if (asprintf_strupper_m(&var
, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS
,
1524 domain
->alt_name
) == -1) {
1528 DEBUG(lvl
,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1531 setenv(var
, kdc
, 1);
1535 /*********************************************************************
1536 ********************************************************************/
1538 void winbindd_set_locator_kdc_envs(const struct winbindd_domain
*domain
)
1540 struct winbindd_domain
*our_dom
= find_our_domain();
1542 winbindd_set_locator_kdc_env(domain
);
1544 if (domain
!= our_dom
) {
1545 winbindd_set_locator_kdc_env(our_dom
);
1549 /*********************************************************************
1550 ********************************************************************/
1552 void winbindd_unset_locator_kdc_env(const struct winbindd_domain
*domain
)
1556 if (!domain
|| !domain
->alt_name
|| !*domain
->alt_name
) {
1560 if (asprintf_strupper_m(&var
, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS
,
1561 domain
->alt_name
) == -1) {
1570 void winbindd_set_locator_kdc_envs(const struct winbindd_domain
*domain
)
1575 void winbindd_unset_locator_kdc_env(const struct winbindd_domain
*domain
)
1580 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */