search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
winbind: fix build warning.
[Samba.git] / source / winbindd / winbindd_util.c
blobabc3df8eaf763f0b2e973c5dfed8d0c2c35b089f
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "winbindd.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_WINBIND
28
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
32
33
34 /**
35 * @file winbindd_util.c
36 *
37 * Winbind daemon for NT domain authentication nss module.
38 **/
39
40
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
45
46 static struct winbindd_domain *_domain_list = NULL;
47
48 /**
49 When was the last scan of trusted domains done?
50
51 0 == not ever
52 */
53
54 static time_t last_trustdom_scan;
55
56 struct winbindd_domain *domain_list(void)
57 {
58 /* Initialise list */
59
60 if ((!_domain_list) && (!init_domain_list())) {
61 smb_panic("Init_domain_list failed");
62 }
63
64 return _domain_list;
65 }
66
67 /* Free all entries in the trusted domain list */
68
69 void free_domain_list(void)
70 {
71 struct winbindd_domain *domain = _domain_list;
72
73 while(domain) {
74 struct winbindd_domain *next = domain->next;
75
76 DLIST_REMOVE(_domain_list, domain);
77 SAFE_FREE(domain);
78 domain = next;
79 }
80 }
81
82 static bool is_internal_domain(const DOM_SID *sid)
83 {
84 if (sid == NULL)
85 return False;
86
87 if ( IS_DC )
88 return sid_check_is_builtin(sid);
89
90 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
91 }
92
93 static bool is_in_internal_domain(const DOM_SID *sid)
94 {
95 if (sid == NULL)
96 return False;
97
98 if ( IS_DC )
99 return sid_check_is_in_builtin(sid);
100
101 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
102 }
103
104
105 /* Add a trusted domain to our list of domains */
106 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
107 struct winbindd_methods *methods,
108 const DOM_SID *sid)
109 {
110 struct winbindd_domain *domain;
111 const char *alternative_name = NULL;
112 const char **ignored_domains, **dom;
113
114 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
115 for (dom=ignored_domains; dom && *dom; dom++) {
116 if (gen_fnmatch(*dom, domain_name) == 0) {
117 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
118 return NULL;
119 }
120 }
121
122 /* ignore alt_name if we are not in an AD domain */
123
124 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
125 alternative_name = alt_name;
126 }
127
128 /* We can't call domain_list() as this function is called from
129 init_domain_list() and we'll get stuck in a loop. */
130 for (domain = _domain_list; domain; domain = domain->next) {
131 if (strequal(domain_name, domain->name) ||
132 strequal(domain_name, domain->alt_name))
133 {
134 break;
135 }
136
137 if (alternative_name && *alternative_name)
138 {
139 if (strequal(alternative_name, domain->name) ||
140 strequal(alternative_name, domain->alt_name))
141 {
142 break;
143 }
144 }
145
146 if (sid)
147 {
148 if (is_null_sid(sid)) {
149 continue;
150 }
151
152 if (sid_equal(sid, &domain->sid)) {
153 break;
154 }
155 }
156 }
157
158 /* See if we found a match. Check if we need to update the
159 SID. */
160
161 if ( domain && sid) {
162 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
163 sid_copy( &domain->sid, sid );
164
165 return domain;
166 }
167
168 /* Create new domain entry */
169
170 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
171 return NULL;
172
173 /* Fill in fields */
174
175 ZERO_STRUCTP(domain);
176
177 fstrcpy(domain->name, domain_name);
178 if (alternative_name) {
179 fstrcpy(domain->alt_name, alternative_name);
180 }
181
182 domain->methods = methods;
183 domain->backend = NULL;
184 domain->internal = is_internal_domain(sid);
185 domain->sequence_number = DOM_SEQUENCE_NONE;
186 domain->last_seq_check = 0;
187 domain->initialized = False;
188 domain->online = is_internal_domain(sid);
189 domain->check_online_timeout = 0;
190 if (sid) {
191 sid_copy(&domain->sid, sid);
192 }
193
194 /* Link to domain list */
195 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
196
197 wcache_tdc_add_domain( domain );
198
199 DEBUG(2,("Added domain %s %s %s\n",
200 domain->name, domain->alt_name,
201 &domain->sid?sid_string_dbg(&domain->sid):""));
202
203 return domain;
204 }
205
206 /********************************************************************
207 rescan our domains looking for new trusted domains
208 ********************************************************************/
209
210 struct trustdom_state {
211 TALLOC_CTX *mem_ctx;
212 bool primary;
213 bool forest_root;
214 struct winbindd_response *response;
215 };
216
217 static void trustdom_recv(void *private_data, bool success);
218 static void rescan_forest_root_trusts( void );
219 static void rescan_forest_trusts( void );
220
221 static void add_trusted_domains( struct winbindd_domain *domain )
222 {
223 TALLOC_CTX *mem_ctx;
224 struct winbindd_request *request;
225 struct winbindd_response *response;
226 uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
227
228 struct trustdom_state *state;
229
230 mem_ctx = talloc_init("add_trusted_domains");
231 if (mem_ctx == NULL) {
232 DEBUG(0, ("talloc_init failed\n"));
233 return;
234 }
235
236 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
237 response = TALLOC_P(mem_ctx, struct winbindd_response);
238 state = TALLOC_P(mem_ctx, struct trustdom_state);
239
240 if ((request == NULL) || (response == NULL) || (state == NULL)) {
241 DEBUG(0, ("talloc failed\n"));
242 talloc_destroy(mem_ctx);
243 return;
244 }
245
246 state->mem_ctx = mem_ctx;
247 state->response = response;
248
249 /* Flags used to know how to continue the forest trust search */
250
251 state->primary = domain->primary;
252 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
253
254 request->length = sizeof(*request);
255 request->cmd = WINBINDD_LIST_TRUSTDOM;
256
257 async_domain_request(mem_ctx, domain, request, response,
258 trustdom_recv, state);
259 }
260
261 static void trustdom_recv(void *private_data, bool success)
262 {
263 struct trustdom_state *state =
264 talloc_get_type_abort(private_data, struct trustdom_state);
265 struct winbindd_response *response = state->response;
266 char *p;
267
268 if ((!success) || (response->result != WINBINDD_OK)) {
269 DEBUG(1, ("Could not receive trustdoms\n"));
270 talloc_destroy(state->mem_ctx);
271 return;
272 }
273
274 p = (char *)response->extra_data.data;
275
276 while ((p != NULL) && (*p != '\0')) {
277 char *q, *sidstr, *alt_name;
278 DOM_SID sid;
279 struct winbindd_domain *domain;
280 char *alternate_name = NULL;
281
282 alt_name = strchr(p, '\\');
283 if (alt_name == NULL) {
284 DEBUG(0, ("Got invalid trustdom response\n"));
285 break;
286 }
287
288 *alt_name = '\0';
289 alt_name += 1;
290
291 sidstr = strchr(alt_name, '\\');
292 if (sidstr == NULL) {
293 DEBUG(0, ("Got invalid trustdom response\n"));
294 break;
295 }
296
297 *sidstr = '\0';
298 sidstr += 1;
299
300 q = strchr(sidstr, '\n');
301 if (q != NULL)
302 *q = '\0';
303
304 if (!string_to_sid(&sid, sidstr)) {
305 /* Allow NULL sid for sibling domains */
306 if ( strcmp(sidstr,"S-0-0") == 0) {
307 sid_copy( &sid, &global_sid_NULL);
308 } else {
309 DEBUG(0, ("Got invalid trustdom response\n"));
310 break;
311 }
312 }
313
314 /* use the real alt_name if we have one, else pass in NULL */
315
316 if ( !strequal( alt_name, "(null)" ) )
317 alternate_name = alt_name;
318
319 /* If we have an existing domain structure, calling
320 add_trusted_domain() will update the SID if
321 necessary. This is important because we need the
322 SID for sibling domains */
323
324 if ( find_domain_from_name_noinit(p) != NULL ) {
325 domain = add_trusted_domain(p, alternate_name,
326 &cache_methods,
327 &sid);
328 } else {
329 domain = add_trusted_domain(p, alternate_name,
330 &cache_methods,
331 &sid);
332 if (domain) {
333 setup_domain_child(domain,
334 &domain->child);
335 }
336 }
337 p=q;
338 if (p != NULL)
339 p += 1;
340 }
341
342 SAFE_FREE(response->extra_data.data);
343
344 /*
345 Cases to consider when scanning trusts:
346 (a) we are calling from a child domain (primary && !forest_root)
347 (b) we are calling from the root of the forest (primary && forest_root)
348 (c) we are calling from a trusted forest domain (!primary
349 && !forest_root)
350 */
351
352 if ( state->primary ) {
353 /* If this is our primary domain and we are not in the
354 forest root, we have to scan the root trusts first */
355
356 if ( !state->forest_root )
357 rescan_forest_root_trusts();
358 else
359 rescan_forest_trusts();
360
361 } else if ( state->forest_root ) {
362 /* Once we have done root forest trust search, we can
363 go on to search the trusted forests */
364
365 rescan_forest_trusts();
366 }
367
368 talloc_destroy(state->mem_ctx);
369
370 return;
371 }
372
373 /********************************************************************
374 Scan the trusts of our forest root
375 ********************************************************************/
376
377 static void rescan_forest_root_trusts( void )
378 {
379 struct winbindd_tdc_domain *dom_list = NULL;
380 size_t num_trusts = 0;
381 int i;
382
383 /* The only transitive trusts supported by Windows 2003 AD are
384 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
385 first two are handled in forest and listed by
386 DsEnumerateDomainTrusts(). Forest trusts are not so we
387 have to do that ourselves. */
388
389 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
390 return;
391
392 for ( i=0; i<num_trusts; i++ ) {
393 struct winbindd_domain *d = NULL;
394
395 /* Find the forest root. Don't necessarily trust
396 the domain_list() as our primary domain may not
397 have been initialized. */
398
399 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
400 continue;
401 }
402
403 /* Here's the forest root */
404
405 d = find_domain_from_name_noinit( dom_list[i].domain_name );
406
407 if ( !d ) {
408 d = add_trusted_domain( dom_list[i].domain_name,
409 dom_list[i].dns_name,
410 &cache_methods,
411 &dom_list[i].sid );
412 }
413
414 if (d == NULL) {
415 continue;
416 }
417
418 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
419 "for domain tree root %s (%s)\n",
420 d->name, d->alt_name ));
421
422 d->domain_flags = dom_list[i].trust_flags;
423 d->domain_type = dom_list[i].trust_type;
424 d->domain_trust_attribs = dom_list[i].trust_attribs;
425
426 add_trusted_domains( d );
427
428 break;
429 }
430
431 TALLOC_FREE( dom_list );
432
433 return;
434 }
435
436 /********************************************************************
437 scan the transitive forest trusts (not our own)
438 ********************************************************************/
439
440
441 static void rescan_forest_trusts( void )
442 {
443 struct winbindd_domain *d = NULL;
444 struct winbindd_tdc_domain *dom_list = NULL;
445 size_t num_trusts = 0;
446 int i;
447
448 /* The only transitive trusts supported by Windows 2003 AD are
449 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
450 first two are handled in forest and listed by
451 DsEnumerateDomainTrusts(). Forest trusts are not so we
452 have to do that ourselves. */
453
454 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
455 return;
456
457 for ( i=0; i<num_trusts; i++ ) {
458 uint32 flags = dom_list[i].trust_flags;
459 uint32 type = dom_list[i].trust_type;
460 uint32 attribs = dom_list[i].trust_attribs;
461
462 d = find_domain_from_name_noinit( dom_list[i].domain_name );
463
464 /* ignore our primary and internal domains */
465
466 if ( d && (d->internal || d->primary ) )
467 continue;
468
469 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
470 (type == NETR_TRUST_TYPE_UPLEVEL) &&
471 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
472 {
473 /* add the trusted domain if we don't know
474 about it */
475
476 if ( !d ) {
477 d = add_trusted_domain( dom_list[i].domain_name,
478 dom_list[i].dns_name,
479 &cache_methods,
480 &dom_list[i].sid );
481 }
482
483 if (d == NULL) {
484 continue;
485 }
486
487 DEBUG(10,("Following trust path for domain %s (%s)\n",
488 d->name, d->alt_name ));
489 add_trusted_domains( d );
490 }
491 }
492
493 TALLOC_FREE( dom_list );
494
495 return;
496 }
497
498 /*********************************************************************
499 The process of updating the trusted domain list is a three step
500 async process:
501 (a) ask our domain
502 (b) ask the root domain in our forest
503 (c) ask the a DC in any Win2003 trusted forests
504 *********************************************************************/
505
506 void rescan_trusted_domains( void )
507 {
508 time_t now = time(NULL);
509
510 /* see if the time has come... */
511
512 if ((now >= last_trustdom_scan) &&
513 ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
514 return;
515
516 /* I use to clear the cache here and start over but that
517 caused problems in child processes that needed the
518 trust dom list early on. Removing it means we
519 could have some trusted domains listed that have been
520 removed from our primary domain's DC until a full
521 restart. This should be ok since I think this is what
522 Windows does as well. */
523
524 /* this will only add new domains we didn't already know about
525 in the domain_list()*/
526
527 add_trusted_domains( find_our_domain() );
528
529 last_trustdom_scan = now;
530
531 return;
532 }
533
534 struct init_child_state {
535 TALLOC_CTX *mem_ctx;
536 struct winbindd_domain *domain;
537 struct winbindd_request *request;
538 struct winbindd_response *response;
539 void (*continuation)(void *private_data, bool success);
540 void *private_data;
541 };
542
543 static void init_child_recv(void *private_data, bool success);
544 static void init_child_getdc_recv(void *private_data, bool success);
545
546 enum winbindd_result init_child_connection(struct winbindd_domain *domain,
547 void (*continuation)(void *private_data,
548 bool success),
549 void *private_data)
550 {
551 TALLOC_CTX *mem_ctx;
552 struct winbindd_request *request;
553 struct winbindd_response *response;
554 struct init_child_state *state;
555 struct winbindd_domain *request_domain;
556
557 mem_ctx = talloc_init("init_child_connection");
558 if (mem_ctx == NULL) {
559 DEBUG(0, ("talloc_init failed\n"));
560 return WINBINDD_ERROR;
561 }
562
563 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
564 response = TALLOC_P(mem_ctx, struct winbindd_response);
565 state = TALLOC_P(mem_ctx, struct init_child_state);
566
567 if ((request == NULL) || (response == NULL) || (state == NULL)) {
568 DEBUG(0, ("talloc failed\n"));
569 TALLOC_FREE(mem_ctx);
570 continuation(private_data, False);
571 return WINBINDD_ERROR;
572 }
573
574 request->length = sizeof(*request);
575
576 state->mem_ctx = mem_ctx;
577 state->domain = domain;
578 state->request = request;
579 state->response = response;
580 state->continuation = continuation;
581 state->private_data = private_data;
582
583 if (IS_DC || domain->primary || domain->internal ) {
584 /* The primary domain has to find the DC name itself */
585 request->cmd = WINBINDD_INIT_CONNECTION;
586 fstrcpy(request->domain_name, domain->name);
587 request->data.init_conn.is_primary = domain->primary ? true : false;
588 fstrcpy(request->data.init_conn.dcname, "");
589 async_request(mem_ctx, &domain->child, request, response,
590 init_child_recv, state);
591 return WINBINDD_PENDING;
592 }
593
594 /* This is *not* the primary domain, let's ask our DC about a DC
595 * name */
596
597 request->cmd = WINBINDD_GETDCNAME;
598 fstrcpy(request->domain_name, domain->name);
599
600 request_domain = find_our_domain();
601 async_domain_request(mem_ctx, request_domain, request, response,
602 init_child_getdc_recv, state);
603 return WINBINDD_PENDING;
604 }
605
606 static void init_child_getdc_recv(void *private_data, bool success)
607 {
608 struct init_child_state *state =
609 talloc_get_type_abort(private_data, struct init_child_state);
610 const char *dcname = "";
611
612 DEBUG(10, ("Received getdcname response\n"));
613
614 if (success && (state->response->result == WINBINDD_OK)) {
615 dcname = state->response->data.dc_name;
616 }
617
618 state->request->cmd = WINBINDD_INIT_CONNECTION;
619 fstrcpy(state->request->domain_name, state->domain->name);
620 state->request->data.init_conn.is_primary = False;
621 fstrcpy(state->request->data.init_conn.dcname, dcname);
622
623 async_request(state->mem_ctx, &state->domain->child,
624 state->request, state->response,
625 init_child_recv, state);
626 }
627
628 static void init_child_recv(void *private_data, bool success)
629 {
630 struct init_child_state *state =
631 talloc_get_type_abort(private_data, struct init_child_state);
632
633 DEBUG(5, ("Received child initialization response for domain %s\n",
634 state->domain->name));
635
636 if ((!success) || (state->response->result != WINBINDD_OK)) {
637 DEBUG(3, ("Could not init child\n"));
638 state->continuation(state->private_data, False);
639 talloc_destroy(state->mem_ctx);
640 return;
641 }
642
643 fstrcpy(state->domain->name,
644 state->response->data.domain_info.name);
645 fstrcpy(state->domain->alt_name,
646 state->response->data.domain_info.alt_name);
647 string_to_sid(&state->domain->sid,
648 state->response->data.domain_info.sid);
649 state->domain->native_mode =
650 state->response->data.domain_info.native_mode;
651 state->domain->active_directory =
652 state->response->data.domain_info.active_directory;
653
654 init_dc_connection(state->domain);
655
656 if (state->continuation != NULL)
657 state->continuation(state->private_data, True);
658 talloc_destroy(state->mem_ctx);
659 }
660
661 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
662 struct winbindd_cli_state *state)
663 {
664 /* Ensure null termination */
665 state->request.domain_name
666 [sizeof(state->request.domain_name)-1]='\0';
667 state->request.data.init_conn.dcname
668 [sizeof(state->request.data.init_conn.dcname)-1]='\0';
669
670 if (strlen(state->request.data.init_conn.dcname) > 0) {
671 fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
672 }
673
674 init_dc_connection(domain);
675
676 if (!domain->initialized) {
677 /* If we return error here we can't do any cached authentication,
678 but we may be in disconnected mode and can't initialize correctly.
679 Do what the previous code did and just return without initialization,
680 once we go online we'll re-initialize.
681 */
682 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
683 "online = %d\n", domain->name, (int)domain->online ));
684 }
685
686 fstrcpy(state->response.data.domain_info.name, domain->name);
687 fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
688 sid_to_fstring(state->response.data.domain_info.sid, &domain->sid);
689
690 state->response.data.domain_info.native_mode
691 = domain->native_mode;
692 state->response.data.domain_info.active_directory
693 = domain->active_directory;
694 state->response.data.domain_info.primary
695 = domain->primary;
696
697 return WINBINDD_OK;
698 }
699
700 /* Look up global info for the winbind daemon */
701 bool init_domain_list(void)
702 {
703 struct winbindd_domain *domain;
704 int role = lp_server_role();
705
706 /* Free existing list */
707 free_domain_list();
708
709 /* BUILTIN domain */
710
711 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
712 &global_sid_Builtin);
713 if (domain) {
714 setup_domain_child(domain,
715 &domain->child);
716 }
717
718 /* Local SAM */
719
720 domain = add_trusted_domain(get_global_sam_name(), NULL,
721 &sam_passdb_methods, get_global_sam_sid());
722 if (domain) {
723 if ( role != ROLE_DOMAIN_MEMBER ) {
724 domain->primary = True;
725 }
726 setup_domain_child(domain,
727 &domain->child);
728 }
729
730 /* Add ourselves as the first entry. */
731
732 if ( role == ROLE_DOMAIN_MEMBER ) {
733 DOM_SID our_sid;
734
735 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
736 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
737 return False;
738 }
739
740 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
741 &cache_methods, &our_sid);
742 if (domain) {
743 domain->primary = True;
744 setup_domain_child(domain,
745 &domain->child);
746
747 /* Even in the parent winbindd we'll need to
748 talk to the DC, so try and see if we can
749 contact it. Theoretically this isn't neccessary
750 as the init_dc_connection() in init_child_recv()
751 will do this, but we can start detecting the DC
752 early here. */
753 set_domain_online_request(domain);
754 }
755 }
756
757 return True;
758 }
759
760 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
761 {
762 struct winbindd_domain *domain;
763 DOM_SID dom_sid;
764 uint32 rid;
765
766 domain = find_domain_from_name_noinit( name );
767 if ( domain )
768 return;
769
770 sid_copy( &dom_sid, user_sid );
771 if ( !sid_split_rid( &dom_sid, &rid ) )
772 return;
773
774 /* add the newly discovered trusted domain */
775
776 domain = add_trusted_domain( name, NULL, &cache_methods,
777 &dom_sid);
778
779 if ( !domain )
780 return;
781
782 /* assume this is a trust from a one-way transitive
783 forest trust */
784
785 domain->active_directory = True;
786 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
787 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
788 domain->internal = False;
789 domain->online = True;
790
791 setup_domain_child(domain,
792 &domain->child);
793
794 wcache_tdc_add_domain( domain );
795
796 return;
797 }
798
799 /**
800 * Given a domain name, return the struct winbindd domain info for it
801 *
802 * @note Do *not* pass lp_workgroup() to this function. domain_list
803 * may modify it's value, and free that pointer. Instead, our local
804 * domain may be found by calling find_our_domain().
805 * directly.
806 *
807 *
808 * @return The domain structure for the named domain, if it is working.
809 */
810
811 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
812 {
813 struct winbindd_domain *domain;
814
815 /* Search through list */
816
817 for (domain = domain_list(); domain != NULL; domain = domain->next) {
818 if (strequal(domain_name, domain->name) ||
819 (domain->alt_name[0] &&
820 strequal(domain_name, domain->alt_name))) {
821 return domain;
822 }
823 }
824
825 /* Not found */
826
827 return NULL;
828 }
829
830 struct winbindd_domain *find_domain_from_name(const char *domain_name)
831 {
832 struct winbindd_domain *domain;
833
834 domain = find_domain_from_name_noinit(domain_name);
835
836 if (domain == NULL)
837 return NULL;
838
839 if (!domain->initialized)
840 init_dc_connection(domain);
841
842 return domain;
843 }
844
845 /* Given a domain sid, return the struct winbindd domain info for it */
846
847 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
848 {
849 struct winbindd_domain *domain;
850
851 /* Search through list */
852
853 for (domain = domain_list(); domain != NULL; domain = domain->next) {
854 if (sid_compare_domain(sid, &domain->sid) == 0)
855 return domain;
856 }
857
858 /* Not found */
859
860 return NULL;
861 }
862
863 /* Given a domain sid, return the struct winbindd domain info for it */
864
865 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
866 {
867 struct winbindd_domain *domain;
868
869 domain = find_domain_from_sid_noinit(sid);
870
871 if (domain == NULL)
872 return NULL;
873
874 if (!domain->initialized)
875 init_dc_connection(domain);
876
877 return domain;
878 }
879
880 struct winbindd_domain *find_our_domain(void)
881 {
882 struct winbindd_domain *domain;
883
884 /* Search through list */
885
886 for (domain = domain_list(); domain != NULL; domain = domain->next) {
887 if (domain->primary)
888 return domain;
889 }
890
891 smb_panic("Could not find our domain");
892 return NULL;
893 }
894
895 struct winbindd_domain *find_root_domain(void)
896 {
897 struct winbindd_domain *ours = find_our_domain();
898
899 if ( !ours )
900 return NULL;
901
902 if ( strlen(ours->forest_name) == 0 )
903 return NULL;
904
905 return find_domain_from_name( ours->forest_name );
906 }
907
908 struct winbindd_domain *find_builtin_domain(void)
909 {
910 DOM_SID sid;
911 struct winbindd_domain *domain;
912
913 string_to_sid(&sid, "S-1-5-32");
914 domain = find_domain_from_sid(&sid);
915
916 if (domain == NULL) {
917 smb_panic("Could not find BUILTIN domain");
918 }
919
920 return domain;
921 }
922
923 /* Find the appropriate domain to lookup a name or SID */
924
925 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
926 {
927 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
928
929 if ( sid_check_is_in_unix_groups(sid) ||
930 sid_check_is_unix_groups(sid) ||
931 sid_check_is_in_unix_users(sid) ||
932 sid_check_is_unix_users(sid) )
933 {
934 return find_domain_from_sid(get_global_sam_sid());
935 }
936
937 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
938 * one to contact the external DC's. On member servers the internal
939 * domains are different: These are part of the local SAM. */
940
941 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
942
943 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
944 DEBUG(10, ("calling find_domain_from_sid\n"));
945 return find_domain_from_sid(sid);
946 }
947
948 /* On a member server a query for SID or name can always go to our
949 * primary DC. */
950
951 DEBUG(10, ("calling find_our_domain\n"));
952 return find_our_domain();
953 }
954
955 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
956 {
957 if ( strequal(domain_name, unix_users_domain_name() ) ||
958 strequal(domain_name, unix_groups_domain_name() ) )
959 {
960 return find_domain_from_name_noinit( get_global_sam_name() );
961 }
962
963 if (IS_DC || strequal(domain_name, "BUILTIN") ||
964 strequal(domain_name, get_global_sam_name()))
965 return find_domain_from_name_noinit(domain_name);
966
967 /* The "Unix User" and "Unix Group" domain our handled by passdb */
968
969 return find_our_domain();
970 }
971
972 /* Lookup a sid in a domain from a name */
973
974 bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
975 enum winbindd_cmd orig_cmd,
976 struct winbindd_domain *domain,
977 const char *domain_name,
978 const char *name, DOM_SID *sid,
979 enum lsa_SidType *type)
980 {
981 NTSTATUS result;
982
983 /* Lookup name */
984 result = domain->methods->name_to_sid(domain, mem_ctx, orig_cmd,
985 domain_name, name, sid, type);
986
987 /* Return sid and type if lookup successful */
988 if (!NT_STATUS_IS_OK(result)) {
989 *type = SID_NAME_UNKNOWN;
990 }
991
992 return NT_STATUS_IS_OK(result);
993 }
994
995 /**
996 * @brief Lookup a name in a domain from a sid.
997 *
998 * @param sid Security ID you want to look up.
999 * @param name On success, set to the name corresponding to @p sid.
1000 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
1001 * @param type On success, contains the type of name: alias, group or
1002 * user.
1003 * @retval True if the name exists, in which case @p name and @p type
1004 * are set, otherwise False.
1005 **/
1006 bool winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
1007 struct winbindd_domain *domain,
1008 DOM_SID *sid,
1009 char **dom_name,
1010 char **name,
1011 enum lsa_SidType *type)
1012 {
1013 NTSTATUS result;
1014
1015 *dom_name = NULL;
1016 *name = NULL;
1017
1018 /* Lookup name */
1019
1020 result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
1021
1022 /* Return name and type if successful */
1023
1024 if (NT_STATUS_IS_OK(result)) {
1025 return True;
1026 }
1027
1028 *type = SID_NAME_UNKNOWN;
1029
1030 return False;
1031 }
1032
1033 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
1034
1035 void free_getent_state(struct getent_state *state)
1036 {
1037 struct getent_state *temp;
1038
1039 /* Iterate over state list */
1040
1041 temp = state;
1042
1043 while(temp != NULL) {
1044 struct getent_state *next = temp->next;
1045
1046 /* Free sam entries then list entry */
1047
1048 SAFE_FREE(state->sam_entries);
1049 DLIST_REMOVE(state, state);
1050
1051 SAFE_FREE(temp);
1052 temp = next;
1053 }
1054 }
1055
1056 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1057
1058 static bool assume_domain(const char *domain)
1059 {
1060 /* never assume the domain on a standalone server */
1061
1062 if ( lp_server_role() == ROLE_STANDALONE )
1063 return False;
1064
1065 /* domain member servers may possibly assume for the domain name */
1066
1067 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1068 if ( !strequal(lp_workgroup(), domain) )
1069 return False;
1070
1071 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1072 return True;
1073 }
1074
1075 /* only left with a domain controller */
1076
1077 if ( strequal(get_global_sam_name(), domain) ) {
1078 return True;
1079 }
1080
1081 return False;
1082 }
1083
1084 /* Parse a string of the form DOMAIN\user into a domain and a user */
1085
1086 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1087 {
1088 char *p = strchr(domuser,*lp_winbind_separator());
1089
1090 if ( !p ) {
1091 fstrcpy(user, domuser);
1092
1093 if ( assume_domain(lp_workgroup())) {
1094 fstrcpy(domain, lp_workgroup());
1095 } else if ((p = strchr(domuser, '@')) != NULL) {
1096 fstrcpy(domain, "");
1097 } else {
1098 return False;
1099 }
1100 } else {
1101 fstrcpy(user, p+1);
1102 fstrcpy(domain, domuser);
1103 domain[PTR_DIFF(p, domuser)] = 0;
1104 }
1105
1106 strupper_m(domain);
1107
1108 return True;
1109 }
1110
1111 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1112 char **domain, char **user)
1113 {
1114 fstring fstr_domain, fstr_user;
1115 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1116 return False;
1117 }
1118 *domain = talloc_strdup(mem_ctx, fstr_domain);
1119 *user = talloc_strdup(mem_ctx, fstr_user);
1120 return ((*domain != NULL) && (*user != NULL));
1121 }
1122
1123 /* add a domain user name to a buffer */
1124 void parse_add_domuser(void *buf, char *domuser, int *len)
1125 {
1126 fstring domain;
1127 char *p, *user;
1128
1129 user = domuser;
1130 p = strchr(domuser, *lp_winbind_separator());
1131
1132 if (p) {
1133
1134 fstrcpy(domain, domuser);
1135 domain[PTR_DIFF(p, domuser)] = 0;
1136 p++;
1137
1138 if (assume_domain(domain)) {
1139
1140 user = p;
1141 *len -= (PTR_DIFF(p, domuser));
1142 }
1143 }
1144
1145 safe_strcpy(buf, user, *len);
1146 }
1147
1148 /* Ensure an incoming username from NSS is fully qualified. Replace the
1149 incoming fstring with DOMAIN <separator> user. Returns the same
1150 values as parse_domain_user() but also replaces the incoming username.
1151 Used to ensure all names are fully qualified within winbindd.
1152 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1153 The protocol definitions of auth_crap, chng_pswd_auth_crap
1154 really should be changed to use this instead of doing things
1155 by hand. JRA. */
1156
1157 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1158 {
1159 if (!parse_domain_user(username_inout, domain, user)) {
1160 return False;
1161 }
1162 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1163 domain, *lp_winbind_separator(),
1164 user);
1165 return True;
1166 }
1167
1168 /*
1169 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1170 'winbind separator' options.
1171 This means:
1172 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1173 lp_workgroup()
1174
1175 If we are a PDC or BDC, and this is for our domain, do likewise.
1176
1177 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1178 username is then unqualified in unix
1179
1180 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1181 */
1182 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1183 {
1184 fstring tmp_user;
1185
1186 fstrcpy(tmp_user, user);
1187 strlower_m(tmp_user);
1188
1189 if (can_assume && assume_domain(domain)) {
1190 strlcpy(name, tmp_user, sizeof(fstring));
1191 } else {
1192 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1193 domain, *lp_winbind_separator(),
1194 tmp_user);
1195 }
1196 }
1197
1198 /*
1199 * Winbindd socket accessor functions
1200 */
1201
1202 const char *get_winbind_pipe_dir(void)
1203 {
1204 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1205 }
1206
1207 char *get_winbind_priv_pipe_dir(void)
1208 {
1209 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1210 }
1211
1212 /* Open the winbindd socket */
1213
1214 static int _winbindd_socket = -1;
1215 static int _winbindd_priv_socket = -1;
1216
1217 int open_winbindd_socket(void)
1218 {
1219 if (_winbindd_socket == -1) {
1220 _winbindd_socket = create_pipe_sock(
1221 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1222 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1223 _winbindd_socket));
1224 }
1225
1226 return _winbindd_socket;
1227 }
1228
1229 int open_winbindd_priv_socket(void)
1230 {
1231 if (_winbindd_priv_socket == -1) {
1232 _winbindd_priv_socket = create_pipe_sock(
1233 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1234 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1235 _winbindd_priv_socket));
1236 }
1237
1238 return _winbindd_priv_socket;
1239 }
1240
1241 /* Close the winbindd socket */
1242
1243 void close_winbindd_socket(void)
1244 {
1245 if (_winbindd_socket != -1) {
1246 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1247 _winbindd_socket));
1248 close(_winbindd_socket);
1249 _winbindd_socket = -1;
1250 }
1251 if (_winbindd_priv_socket != -1) {
1252 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1253 _winbindd_priv_socket));
1254 close(_winbindd_priv_socket);
1255 _winbindd_priv_socket = -1;
1256 }
1257 }
1258
1259 /*
1260 * Client list accessor functions
1261 */
1262
1263 static struct winbindd_cli_state *_client_list;
1264 static int _num_clients;
1265
1266 /* Return list of all connected clients */
1267
1268 struct winbindd_cli_state *winbindd_client_list(void)
1269 {
1270 return _client_list;
1271 }
1272
1273 /* Add a connection to the list */
1274
1275 void winbindd_add_client(struct winbindd_cli_state *cli)
1276 {
1277 DLIST_ADD(_client_list, cli);
1278 _num_clients++;
1279 }
1280
1281 /* Remove a client from the list */
1282
1283 void winbindd_remove_client(struct winbindd_cli_state *cli)
1284 {
1285 DLIST_REMOVE(_client_list, cli);
1286 _num_clients--;
1287 }
1288
1289 /* Close all open clients */
1290
1291 void winbindd_kill_all_clients(void)
1292 {
1293 struct winbindd_cli_state *cl = winbindd_client_list();
1294
1295 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1296
1297 while (cl) {
1298 struct winbindd_cli_state *next;
1299
1300 next = cl->next;
1301 winbindd_remove_client(cl);
1302 cl = next;
1303 }
1304 }
1305
1306 /* Return number of open clients */
1307
1308 int winbindd_num_clients(void)
1309 {
1310 return _num_clients;
1311 }
1312
1313 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1314 TALLOC_CTX *mem_ctx,
1315 const DOM_SID *user_sid,
1316 uint32 *p_num_groups, DOM_SID **user_sids)
1317 {
1318 struct netr_SamInfo3 *info3 = NULL;
1319 NTSTATUS status = NT_STATUS_NO_MEMORY;
1320 size_t num_groups = 0;
1321
1322 DEBUG(3,(": lookup_usergroups_cached\n"));
1323
1324 *user_sids = NULL;
1325 *p_num_groups = 0;
1326
1327 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1328
1329 if (info3 == NULL) {
1330 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1331 }
1332
1333 if (info3->base.groups.count == 0) {
1334 TALLOC_FREE(info3);
1335 return NT_STATUS_UNSUCCESSFUL;
1336 }
1337
1338 /* Skip Domain local groups outside our domain.
1339 We'll get these from the getsidaliases() RPC call. */
1340 status = sid_array_from_info3(mem_ctx, info3,
1341 user_sids,
1342 &num_groups,
1343 false, true);
1344
1345 if (!NT_STATUS_IS_OK(status)) {
1346 TALLOC_FREE(info3);
1347 return status;
1348 }
1349
1350 TALLOC_FREE(info3);
1351 *p_num_groups = num_groups;
1352 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1353
1354 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1355
1356 return status;
1357 }
1358
1359 /*********************************************************************
1360 We use this to remove spaces from user and group names
1361 ********************************************************************/
1362
1363 void ws_name_replace( char *name, char replace )
1364 {
1365 char replace_char[2] = { 0x0, 0x0 };
1366
1367 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1368 return;
1369
1370 replace_char[0] = replace;
1371 all_string_sub( name, " ", replace_char, 0 );
1372
1373 return;
1374 }
1375
1376 /*********************************************************************
1377 We use this to do the inverse of ws_name_replace()
1378 ********************************************************************/
1379
1380 void ws_name_return( char *name, char replace )
1381 {
1382 char replace_char[2] = { 0x0, 0x0 };
1383
1384 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1385 return;
1386
1387 replace_char[0] = replace;
1388 all_string_sub( name, replace_char, " ", 0 );
1389
1390 return;
1391 }
1392
1393 /*********************************************************************
1394 ********************************************************************/
1395
1396 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1397 {
1398 struct winbindd_tdc_domain *tdc = NULL;
1399 TALLOC_CTX *frame = talloc_stackframe();
1400 bool ret = false;
1401
1402 /* We can contact the domain if it is our primary domain */
1403
1404 if (domain->primary) {
1405 return true;
1406 }
1407
1408 /* Trust the TDC cache and not the winbindd_domain flags */
1409
1410 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1411 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1412 domain->name));
1413 return false;
1414 }
1415
1416 /* Can always contact a domain that is in out forest */
1417
1418 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1419 ret = true;
1420 goto done;
1421 }
1422
1423 /*
1424 * On a _member_ server, we cannot contact the domain if it
1425 * is running AD and we have no inbound trust.
1426 */
1427
1428 if (!IS_DC &&
1429 domain->active_directory &&
1430 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1431 {
1432 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1433 "and we have no inbound trust.\n", domain->name));
1434 goto done;
1435 }
1436
1437 /* Assume everything else is ok (probably not true but what
1438 can you do?) */
1439
1440 ret = true;
1441
1442 done:
1443 talloc_destroy(frame);
1444
1445 return ret;
1446 }
1447
1448 /*********************************************************************
1449 ********************************************************************/
1450
1451 bool winbindd_internal_child(struct winbindd_child *child)
1452 {
1453 if ((child == idmap_child()) || (child == locator_child())) {
1454 return True;
1455 }
1456
1457 return False;
1458 }
1459
1460 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1461
1462 /*********************************************************************
1463 ********************************************************************/
1464
1465 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1466 {
1467 char *var = NULL;
1468 char addr[INET6_ADDRSTRLEN];
1469 const char *kdc = NULL;
1470 int lvl = 11;
1471
1472 if (!domain || !domain->alt_name || !*domain->alt_name) {
1473 return;
1474 }
1475
1476 if (domain->initialized && !domain->active_directory) {
1477 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1478 domain->alt_name));
1479 return;
1480 }
1481
1482 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1483 kdc = addr;
1484 if (!*kdc) {
1485 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1486 domain->alt_name));
1487 kdc = domain->dcname;
1488 }
1489
1490 if (!kdc || !*kdc) {
1491 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1492 domain->alt_name));
1493 return;
1494 }
1495
1496 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1497 domain->alt_name) == -1) {
1498 return;
1499 }
1500
1501 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1502 var, kdc));
1503
1504 setenv(var, kdc, 1);
1505 free(var);
1506 }
1507
1508 /*********************************************************************
1509 ********************************************************************/
1510
1511 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1512 {
1513 struct winbindd_domain *our_dom = find_our_domain();
1514
1515 winbindd_set_locator_kdc_env(domain);
1516
1517 if (domain != our_dom) {
1518 winbindd_set_locator_kdc_env(our_dom);
1519 }
1520 }
1521
1522 /*********************************************************************
1523 ********************************************************************/
1524
1525 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1526 {
1527 char *var = NULL;
1528
1529 if (!domain || !domain->alt_name || !*domain->alt_name) {
1530 return;
1531 }
1532
1533 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1534 domain->alt_name) == -1) {
1535 return;
1536 }
1537
1538 unsetenv(var);
1539 free(var);
1540 }
1541 #else
1542
1543 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1544 {
1545 return;
1546 }
1547
1548 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1549 {
1550 return;
1551 }
1552
1553 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
Samba GIT mirror