2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
32 #define DBGC_CLASS DBGC_WINBIND
34 extern struct winbindd_methods cache_methods
;
37 * @file winbindd_util.cq
39 * Winbind daemon for NT domain authentication nss module.
43 /* The list of trusted domains. Note that the list can be deleted and
44 recreated using the init_domain_list() function so pointers to
45 individual winbindd_domain structures cannot be made. Keep a copy of
46 the domain name instead. */
48 static struct winbindd_domain
*_domain_list
= NULL
;
50 struct winbindd_domain
*domain_list(void)
54 if ((!_domain_list
) && (!init_domain_list())) {
55 smb_panic("Init_domain_list failed");
61 /* Free all entries in the trusted domain list */
63 static void free_domain_list(void)
65 struct winbindd_domain
*domain
= _domain_list
;
68 struct winbindd_domain
*next
= domain
->next
;
70 DLIST_REMOVE(_domain_list
, domain
);
76 static bool is_internal_domain(const struct dom_sid
*sid
)
81 return (sid_check_is_our_sam(sid
) || sid_check_is_builtin(sid
));
84 static bool is_in_internal_domain(const struct dom_sid
*sid
)
89 return (sid_check_is_in_our_sam(sid
) || sid_check_is_in_builtin(sid
));
93 /* Add a trusted domain to our list of domains.
94 If the domain already exists in the list,
95 return it and don't re-initialize. */
97 static struct winbindd_domain
*add_trusted_domain(const char *domain_name
, const char *alt_name
,
98 struct winbindd_methods
*methods
,
99 const struct dom_sid
*sid
)
101 struct winbindd_domain
*domain
;
102 const char *alternative_name
= NULL
;
103 char *idmap_config_option
;
105 const char **ignored_domains
, **dom
;
106 int role
= lp_server_role();
108 ignored_domains
= lp_parm_string_list(-1, "winbind", "ignore domains", NULL
);
109 for (dom
=ignored_domains
; dom
&& *dom
; dom
++) {
110 if (gen_fnmatch(*dom
, domain_name
) == 0) {
111 DEBUG(2,("Ignoring domain '%s'\n", domain_name
));
116 /* use alt_name if available to allow DNS lookups */
118 if (alt_name
&& *alt_name
) {
119 alternative_name
= alt_name
;
122 /* We can't call domain_list() as this function is called from
123 init_domain_list() and we'll get stuck in a loop. */
124 for (domain
= _domain_list
; domain
; domain
= domain
->next
) {
125 if (strequal(domain_name
, domain
->name
) ||
126 strequal(domain_name
, domain
->alt_name
))
131 if (alternative_name
&& *alternative_name
)
133 if (strequal(alternative_name
, domain
->name
) ||
134 strequal(alternative_name
, domain
->alt_name
))
142 if (is_null_sid(sid
)) {
146 if (dom_sid_equal(sid
, &domain
->sid
)) {
152 if (domain
!= NULL
) {
154 * We found a match on domain->name or
155 * domain->alt_name. Possibly update the SID
156 * if the stored SID was the NULL SID
157 * and return the matching entry.
160 && dom_sid_equal(&domain
->sid
, &global_sid_NULL
)) {
161 sid_copy( &domain
->sid
, sid
);
166 /* Create new domain entry */
167 domain
= talloc_zero(NULL
, struct winbindd_domain
);
168 if (domain
== NULL
) {
172 domain
->children
= talloc_zero_array(domain
,
173 struct winbindd_child
,
174 lp_winbind_max_domain_connections());
175 if (domain
->children
== NULL
) {
180 domain
->name
= talloc_strdup(domain
, domain_name
);
181 if (domain
->name
== NULL
) {
186 if (alternative_name
) {
187 domain
->alt_name
= talloc_strdup(domain
, alternative_name
);
188 if (domain
->alt_name
== NULL
) {
194 domain
->methods
= methods
;
195 domain
->backend
= NULL
;
196 domain
->internal
= is_internal_domain(sid
);
197 domain
->sequence_number
= DOM_SEQUENCE_NONE
;
198 domain
->last_seq_check
= 0;
199 domain
->initialized
= False
;
200 domain
->online
= is_internal_domain(sid
);
201 domain
->check_online_timeout
= 0;
202 domain
->dc_probe_pid
= (pid_t
)-1;
204 sid_copy(&domain
->sid
, sid
);
207 /* Is this our primary domain ? */
208 if (strequal(domain_name
, get_global_sam_name()) &&
209 (role
!= ROLE_DOMAIN_MEMBER
)) {
210 domain
->primary
= true;
211 } else if (strequal(domain_name
, lp_workgroup()) &&
212 (role
== ROLE_DOMAIN_MEMBER
)) {
213 domain
->primary
= true;
216 /* Link to domain list */
217 DLIST_ADD_END(_domain_list
, domain
, struct winbindd_domain
*);
219 wcache_tdc_add_domain( domain
);
221 idmap_config_option
= talloc_asprintf(talloc_tos(), "idmap config %s",
223 if (idmap_config_option
== NULL
) {
224 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
228 param
= lp_parm_const_string(-1, idmap_config_option
, "range", NULL
);
230 DEBUG(10, ("%s : range = %s\n", idmap_config_option
,
231 param
? param
: "not defined"));
234 unsigned low_id
, high_id
;
235 if (sscanf(param
, "%u - %u", &low_id
, &high_id
) != 2) {
236 DEBUG(1, ("invalid range syntax in %s: %s\n",
237 idmap_config_option
, param
));
240 if (low_id
> high_id
) {
241 DEBUG(1, ("invalid range in %s: %s\n",
242 idmap_config_option
, param
));
245 domain
->have_idmap_config
= true;
246 domain
->id_range_low
= low_id
;
247 domain
->id_range_high
= high_id
;
252 setup_domain_child(domain
);
254 DEBUG(2,("Added domain %s %s %s\n",
255 domain
->name
, domain
->alt_name
,
256 &domain
->sid
?sid_string_dbg(&domain
->sid
):""));
261 bool domain_is_forest_root(const struct winbindd_domain
*domain
)
263 const uint32_t fr_flags
=
264 (NETR_TRUST_FLAG_TREEROOT
|NETR_TRUST_FLAG_IN_FOREST
);
266 return ((domain
->domain_flags
& fr_flags
) == fr_flags
);
269 /********************************************************************
270 rescan our domains looking for new trusted domains
271 ********************************************************************/
273 struct trustdom_state
{
274 struct winbindd_domain
*domain
;
275 struct winbindd_request request
;
278 static void trustdom_list_done(struct tevent_req
*req
);
279 static void rescan_forest_root_trusts( void );
280 static void rescan_forest_trusts( void );
282 static void add_trusted_domains( struct winbindd_domain
*domain
)
284 struct trustdom_state
*state
;
285 struct tevent_req
*req
;
287 state
= talloc_zero(NULL
, struct trustdom_state
);
289 DEBUG(0, ("talloc failed\n"));
292 state
->domain
= domain
;
294 state
->request
.length
= sizeof(state
->request
);
295 state
->request
.cmd
= WINBINDD_LIST_TRUSTDOM
;
297 req
= wb_domain_request_send(state
, winbind_event_context(),
298 domain
, &state
->request
);
300 DEBUG(1, ("wb_domain_request_send failed\n"));
304 tevent_req_set_callback(req
, trustdom_list_done
, state
);
307 static void trustdom_list_done(struct tevent_req
*req
)
309 struct trustdom_state
*state
= tevent_req_callback_data(
310 req
, struct trustdom_state
);
311 struct winbindd_response
*response
;
315 res
= wb_domain_request_recv(req
, state
, &response
, &err
);
316 if ((res
== -1) || (response
->result
!= WINBINDD_OK
)) {
317 DEBUG(1, ("Could not receive trustdoms\n"));
322 p
= (char *)response
->extra_data
.data
;
324 while ((p
!= NULL
) && (*p
!= '\0')) {
325 char *q
, *sidstr
, *alt_name
;
327 char *alternate_name
= NULL
;
329 alt_name
= strchr(p
, '\\');
330 if (alt_name
== NULL
) {
331 DEBUG(0, ("Got invalid trustdom response\n"));
338 sidstr
= strchr(alt_name
, '\\');
339 if (sidstr
== NULL
) {
340 DEBUG(0, ("Got invalid trustdom response\n"));
347 q
= strchr(sidstr
, '\n');
351 if (!string_to_sid(&sid
, sidstr
)) {
352 DEBUG(0, ("Got invalid trustdom response\n"));
356 /* use the real alt_name if we have one, else pass in NULL */
358 if ( !strequal( alt_name
, "(null)" ) )
359 alternate_name
= alt_name
;
362 * We always call add_trusted_domain() cause on an existing
363 * domain structure, it will update the SID if necessary.
364 * This is important because we need the SID for sibling
367 (void)add_trusted_domain(p
, alternate_name
,
377 Cases to consider when scanning trusts:
378 (a) we are calling from a child domain (primary && !forest_root)
379 (b) we are calling from the root of the forest (primary && forest_root)
380 (c) we are calling from a trusted forest domain (!primary
384 if (state
->domain
->primary
) {
385 /* If this is our primary domain and we are not in the
386 forest root, we have to scan the root trusts first */
388 if (!domain_is_forest_root(state
->domain
))
389 rescan_forest_root_trusts();
391 rescan_forest_trusts();
393 } else if (domain_is_forest_root(state
->domain
)) {
394 /* Once we have done root forest trust search, we can
395 go on to search the trusted forests */
397 rescan_forest_trusts();
405 /********************************************************************
406 Scan the trusts of our forest root
407 ********************************************************************/
409 static void rescan_forest_root_trusts( void )
411 struct winbindd_tdc_domain
*dom_list
= NULL
;
412 size_t num_trusts
= 0;
415 /* The only transitive trusts supported by Windows 2003 AD are
416 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
417 first two are handled in forest and listed by
418 DsEnumerateDomainTrusts(). Forest trusts are not so we
419 have to do that ourselves. */
421 if ( !wcache_tdc_fetch_list( &dom_list
, &num_trusts
) )
424 for ( i
=0; i
<num_trusts
; i
++ ) {
425 struct winbindd_domain
*d
= NULL
;
427 /* Find the forest root. Don't necessarily trust
428 the domain_list() as our primary domain may not
429 have been initialized. */
431 if ( !(dom_list
[i
].trust_flags
& NETR_TRUST_FLAG_TREEROOT
) ) {
435 /* Here's the forest root */
437 d
= find_domain_from_name_noinit( dom_list
[i
].domain_name
);
440 d
= add_trusted_domain( dom_list
[i
].domain_name
,
441 dom_list
[i
].dns_name
,
450 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
451 "for domain tree root %s (%s)\n",
452 d
->name
, d
->alt_name
));
454 d
->domain_flags
= dom_list
[i
].trust_flags
;
455 d
->domain_type
= dom_list
[i
].trust_type
;
456 d
->domain_trust_attribs
= dom_list
[i
].trust_attribs
;
458 add_trusted_domains( d
);
463 TALLOC_FREE( dom_list
);
468 /********************************************************************
469 scan the transitive forest trusts (not our own)
470 ********************************************************************/
473 static void rescan_forest_trusts( void )
475 struct winbindd_domain
*d
= NULL
;
476 struct winbindd_tdc_domain
*dom_list
= NULL
;
477 size_t num_trusts
= 0;
480 /* The only transitive trusts supported by Windows 2003 AD are
481 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
482 first two are handled in forest and listed by
483 DsEnumerateDomainTrusts(). Forest trusts are not so we
484 have to do that ourselves. */
486 if ( !wcache_tdc_fetch_list( &dom_list
, &num_trusts
) )
489 for ( i
=0; i
<num_trusts
; i
++ ) {
490 uint32 flags
= dom_list
[i
].trust_flags
;
491 uint32 type
= dom_list
[i
].trust_type
;
492 uint32 attribs
= dom_list
[i
].trust_attribs
;
494 d
= find_domain_from_name_noinit( dom_list
[i
].domain_name
);
496 /* ignore our primary and internal domains */
498 if ( d
&& (d
->internal
|| d
->primary
) )
501 if ( (flags
& NETR_TRUST_FLAG_INBOUND
) &&
502 (type
== LSA_TRUST_TYPE_UPLEVEL
) &&
503 (attribs
== LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
) )
505 /* add the trusted domain if we don't know
509 d
= add_trusted_domain( dom_list
[i
].domain_name
,
510 dom_list
[i
].dns_name
,
519 DEBUG(10,("Following trust path for domain %s (%s)\n",
520 d
->name
, d
->alt_name
));
521 add_trusted_domains( d
);
525 TALLOC_FREE( dom_list
);
530 /*********************************************************************
531 The process of updating the trusted domain list is a three step
534 (b) ask the root domain in our forest
535 (c) ask the a DC in any Win2003 trusted forests
536 *********************************************************************/
538 void rescan_trusted_domains(struct tevent_context
*ev
, struct tevent_timer
*te
,
539 struct timeval now
, void *private_data
)
543 /* I use to clear the cache here and start over but that
544 caused problems in child processes that needed the
545 trust dom list early on. Removing it means we
546 could have some trusted domains listed that have been
547 removed from our primary domain's DC until a full
548 restart. This should be ok since I think this is what
549 Windows does as well. */
551 /* this will only add new domains we didn't already know about
552 in the domain_list()*/
554 add_trusted_domains( find_our_domain() );
556 te
= tevent_add_timer(
557 ev
, NULL
, timeval_current_ofs(WINBINDD_RESCAN_FREQ
, 0),
558 rescan_trusted_domains
, NULL
);
560 * If te == NULL, there's not much we can do here. Don't fail, the
561 * only thing we miss is new trusted domains.
567 enum winbindd_result
winbindd_dual_init_connection(struct winbindd_domain
*domain
,
568 struct winbindd_cli_state
*state
)
570 /* Ensure null termination */
571 state
->request
->domain_name
572 [sizeof(state
->request
->domain_name
)-1]='\0';
573 state
->request
->data
.init_conn
.dcname
574 [sizeof(state
->request
->data
.init_conn
.dcname
)-1]='\0';
576 if (strlen(state
->request
->data
.init_conn
.dcname
) > 0) {
577 fstrcpy(domain
->dcname
, state
->request
->data
.init_conn
.dcname
);
580 init_dc_connection(domain
, false);
582 if (!domain
->initialized
) {
583 /* If we return error here we can't do any cached authentication,
584 but we may be in disconnected mode and can't initialize correctly.
585 Do what the previous code did and just return without initialization,
586 once we go online we'll re-initialize.
588 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
589 "online = %d\n", domain
->name
, (int)domain
->online
));
592 fstrcpy(state
->response
->data
.domain_info
.name
, domain
->name
);
593 fstrcpy(state
->response
->data
.domain_info
.alt_name
, domain
->alt_name
);
594 sid_to_fstring(state
->response
->data
.domain_info
.sid
, &domain
->sid
);
596 state
->response
->data
.domain_info
.native_mode
597 = domain
->native_mode
;
598 state
->response
->data
.domain_info
.active_directory
599 = domain
->active_directory
;
600 state
->response
->data
.domain_info
.primary
606 /* Look up global info for the winbind daemon */
607 bool init_domain_list(void)
609 int role
= lp_server_role();
611 /* Free existing list */
616 (void)add_trusted_domain("BUILTIN", NULL
, &cache_methods
,
617 &global_sid_Builtin
);
621 if ( role
== ROLE_ACTIVE_DIRECTORY_DC
) {
622 struct winbindd_domain
*domain
;
623 enum netr_SchannelType sec_chan_type
;
624 const char *account_name
;
625 struct samr_Password current_nt_hash
;
628 domain
= add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
629 &cache_methods
, get_global_sam_sid());
630 if (domain
== NULL
) {
631 DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
636 * We need to call this to find out if we are an RODC
638 ok
= get_trust_pw_hash(domain
->name
,
639 current_nt_hash
.hash
,
643 DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
646 if (sec_chan_type
== SEC_CHAN_RODC
) {
651 (void)add_trusted_domain(get_global_sam_name(), NULL
,
652 &cache_methods
, get_global_sam_sid());
654 /* Add ourselves as the first entry. */
656 if ( role
== ROLE_DOMAIN_MEMBER
) {
657 struct winbindd_domain
*domain
;
658 struct dom_sid our_sid
;
660 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid
)) {
661 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
665 domain
= add_trusted_domain( lp_workgroup(), lp_realm(),
666 &cache_methods
, &our_sid
);
668 /* Even in the parent winbindd we'll need to
669 talk to the DC, so try and see if we can
670 contact it. Theoretically this isn't neccessary
671 as the init_dc_connection() in init_child_recv()
672 will do this, but we can start detecting the DC
674 set_domain_online_request(domain
);
682 * Given a domain name, return the struct winbindd domain info for it
684 * @note Do *not* pass lp_workgroup() to this function. domain_list
685 * may modify it's value, and free that pointer. Instead, our local
686 * domain may be found by calling find_our_domain().
690 * @return The domain structure for the named domain, if it is working.
693 struct winbindd_domain
*find_domain_from_name_noinit(const char *domain_name
)
695 struct winbindd_domain
*domain
;
697 /* Search through list */
699 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
700 if (strequal(domain_name
, domain
->name
) ||
701 (domain
->alt_name
!= NULL
&&
702 strequal(domain_name
, domain
->alt_name
))) {
712 struct winbindd_domain
*find_domain_from_name(const char *domain_name
)
714 struct winbindd_domain
*domain
;
716 domain
= find_domain_from_name_noinit(domain_name
);
721 if (!domain
->initialized
)
722 init_dc_connection(domain
, false);
727 /* Given a domain sid, return the struct winbindd domain info for it */
729 struct winbindd_domain
*find_domain_from_sid_noinit(const struct dom_sid
*sid
)
731 struct winbindd_domain
*domain
;
733 /* Search through list */
735 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
736 if (dom_sid_compare_domain(sid
, &domain
->sid
) == 0)
745 /* Given a domain sid, return the struct winbindd domain info for it */
747 struct winbindd_domain
*find_domain_from_sid(const struct dom_sid
*sid
)
749 struct winbindd_domain
*domain
;
751 domain
= find_domain_from_sid_noinit(sid
);
756 if (!domain
->initialized
)
757 init_dc_connection(domain
, false);
762 struct winbindd_domain
*find_our_domain(void)
764 struct winbindd_domain
*domain
;
766 /* Search through list */
768 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
773 smb_panic("Could not find our domain");
777 struct winbindd_domain
*find_root_domain(void)
779 struct winbindd_domain
*ours
= find_our_domain();
781 if (ours
->forest_name
== NULL
) {
785 return find_domain_from_name( ours
->forest_name
);
788 struct winbindd_domain
*find_builtin_domain(void)
790 struct winbindd_domain
*domain
;
792 domain
= find_domain_from_sid(&global_sid_Builtin
);
793 if (domain
== NULL
) {
794 smb_panic("Could not find BUILTIN domain");
800 /* Find the appropriate domain to lookup a name or SID */
802 struct winbindd_domain
*find_lookup_domain_from_sid(const struct dom_sid
*sid
)
804 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
806 if ( sid_check_is_in_unix_groups(sid
) ||
807 sid_check_is_unix_groups(sid
) ||
808 sid_check_is_in_unix_users(sid
) ||
809 sid_check_is_unix_users(sid
) )
811 return find_domain_from_sid(get_global_sam_sid());
814 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
815 * one to contact the external DC's. On member servers the internal
816 * domains are different: These are part of the local SAM. */
818 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid
)));
820 if (IS_DC
|| is_internal_domain(sid
) || is_in_internal_domain(sid
)) {
821 DEBUG(10, ("calling find_domain_from_sid\n"));
822 return find_domain_from_sid(sid
);
825 /* On a member server a query for SID or name can always go to our
828 DEBUG(10, ("calling find_our_domain\n"));
829 return find_our_domain();
832 struct winbindd_domain
*find_lookup_domain_from_name(const char *domain_name
)
834 if ( strequal(domain_name
, unix_users_domain_name() ) ||
835 strequal(domain_name
, unix_groups_domain_name() ) )
838 * The "Unix User" and "Unix Group" domain our handled by
841 return find_domain_from_name_noinit( get_global_sam_name() );
844 if (IS_DC
|| strequal(domain_name
, "BUILTIN") ||
845 strequal(domain_name
, get_global_sam_name()))
846 return find_domain_from_name_noinit(domain_name
);
849 return find_our_domain();
852 /* Is this a domain which we may assume no DOMAIN\ prefix? */
854 static bool assume_domain(const char *domain
)
856 /* never assume the domain on a standalone server */
858 if ( lp_server_role() == ROLE_STANDALONE
)
861 /* domain member servers may possibly assume for the domain name */
863 if ( lp_server_role() == ROLE_DOMAIN_MEMBER
) {
864 if ( !strequal(lp_workgroup(), domain
) )
867 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
871 /* only left with a domain controller */
873 if ( strequal(get_global_sam_name(), domain
) ) {
880 /* Parse a string of the form DOMAIN\user into a domain and a user */
882 bool parse_domain_user(const char *domuser
, fstring domain
, fstring user
)
884 char *p
= strchr(domuser
,*lp_winbind_separator());
887 fstrcpy(user
, domuser
);
889 if ( assume_domain(lp_workgroup())) {
890 fstrcpy(domain
, lp_workgroup());
891 } else if ((p
= strchr(domuser
, '@')) != NULL
) {
892 fstrcpy(domain
, p
+ 1);
893 user
[PTR_DIFF(p
, domuser
)] = 0;
899 fstrcpy(domain
, domuser
);
900 domain
[PTR_DIFF(p
, domuser
)] = 0;
903 return strupper_m(domain
);
906 bool parse_domain_user_talloc(TALLOC_CTX
*mem_ctx
, const char *domuser
,
907 char **domain
, char **user
)
909 fstring fstr_domain
, fstr_user
;
910 if (!parse_domain_user(domuser
, fstr_domain
, fstr_user
)) {
913 *domain
= talloc_strdup(mem_ctx
, fstr_domain
);
914 *user
= talloc_strdup(mem_ctx
, fstr_user
);
915 return ((*domain
!= NULL
) && (*user
!= NULL
));
918 /* Ensure an incoming username from NSS is fully qualified. Replace the
919 incoming fstring with DOMAIN <separator> user. Returns the same
920 values as parse_domain_user() but also replaces the incoming username.
921 Used to ensure all names are fully qualified within winbindd.
922 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
923 The protocol definitions of auth_crap, chng_pswd_auth_crap
924 really should be changed to use this instead of doing things
927 bool canonicalize_username(fstring username_inout
, fstring domain
, fstring user
)
929 if (!parse_domain_user(username_inout
, domain
, user
)) {
932 slprintf(username_inout
, sizeof(fstring
) - 1, "%s%c%s",
933 domain
, *lp_winbind_separator(),
939 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
940 'winbind separator' options.
942 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
945 If we are a PDC or BDC, and this is for our domain, do likewise.
947 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
948 username is then unqualified in unix
950 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
952 void fill_domain_username(fstring name
, const char *domain
, const char *user
, bool can_assume
)
956 fstrcpy(tmp_user
, user
);
957 (void)strlower_m(tmp_user
);
959 if (can_assume
&& assume_domain(domain
)) {
960 strlcpy(name
, tmp_user
, sizeof(fstring
));
962 slprintf(name
, sizeof(fstring
) - 1, "%s%c%s",
963 domain
, *lp_winbind_separator(),
969 * talloc version of fill_domain_username()
970 * return NULL on talloc failure.
972 char *fill_domain_username_talloc(TALLOC_CTX
*mem_ctx
,
977 char *tmp_user
, *name
;
979 tmp_user
= talloc_strdup(mem_ctx
, user
);
980 if (!strlower_m(tmp_user
)) {
981 TALLOC_FREE(tmp_user
);
985 if (can_assume
&& assume_domain(domain
)) {
988 name
= talloc_asprintf(mem_ctx
, "%s%c%s",
990 *lp_winbind_separator(),
992 TALLOC_FREE(tmp_user
);
999 * Client list accessor functions
1002 static struct winbindd_cli_state
*_client_list
;
1003 static int _num_clients
;
1005 /* Return list of all connected clients */
1007 struct winbindd_cli_state
*winbindd_client_list(void)
1009 return _client_list
;
1012 /* Add a connection to the list */
1014 void winbindd_add_client(struct winbindd_cli_state
*cli
)
1016 DLIST_ADD(_client_list
, cli
);
1020 /* Remove a client from the list */
1022 void winbindd_remove_client(struct winbindd_cli_state
*cli
)
1024 DLIST_REMOVE(_client_list
, cli
);
1028 /* Return number of open clients */
1030 int winbindd_num_clients(void)
1032 return _num_clients
;
1035 NTSTATUS
lookup_usergroups_cached(struct winbindd_domain
*domain
,
1036 TALLOC_CTX
*mem_ctx
,
1037 const struct dom_sid
*user_sid
,
1038 uint32_t *p_num_groups
, struct dom_sid
**user_sids
)
1040 struct netr_SamInfo3
*info3
= NULL
;
1041 NTSTATUS status
= NT_STATUS_NO_MEMORY
;
1042 uint32_t num_groups
= 0;
1044 DEBUG(3,(": lookup_usergroups_cached\n"));
1049 info3
= netsamlogon_cache_get(mem_ctx
, user_sid
);
1051 if (info3
== NULL
) {
1052 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1055 if (info3
->base
.groups
.count
== 0) {
1057 return NT_STATUS_UNSUCCESSFUL
;
1061 * Before bug #7843 the "Domain Local" groups were added with a
1062 * lookupuseraliases call, but this isn't done anymore for our domain
1063 * so we need to resolve resource groups here.
1065 * When to use Resource Groups:
1066 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1068 status
= sid_array_from_info3(mem_ctx
, info3
,
1073 if (!NT_STATUS_IS_OK(status
)) {
1079 *p_num_groups
= num_groups
;
1080 status
= (user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
1082 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1087 /*********************************************************************
1088 We use this to remove spaces from user and group names
1089 ********************************************************************/
1091 NTSTATUS
normalize_name_map(TALLOC_CTX
*mem_ctx
,
1092 struct winbindd_domain
*domain
,
1098 if (!name
|| !normalized
) {
1099 return NT_STATUS_INVALID_PARAMETER
;
1102 if (!lp_winbind_normalize_names()) {
1103 return NT_STATUS_PROCEDURE_NOT_FOUND
;
1106 /* Alias support and whitespace replacement are mutually
1109 nt_status
= resolve_username_to_alias(mem_ctx
, domain
,
1111 if (NT_STATUS_IS_OK(nt_status
)) {
1112 /* special return code to let the caller know we
1113 mapped to an alias */
1114 return NT_STATUS_FILE_RENAMED
;
1117 /* check for an unreachable domain */
1119 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
)) {
1120 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1122 set_domain_offline(domain
);
1126 /* deal with whitespace */
1128 *normalized
= talloc_strdup(mem_ctx
, name
);
1129 if (!(*normalized
)) {
1130 return NT_STATUS_NO_MEMORY
;
1133 all_string_sub( *normalized
, " ", "_", 0 );
1135 return NT_STATUS_OK
;
1138 /*********************************************************************
1139 We use this to do the inverse of normalize_name_map()
1140 ********************************************************************/
1142 NTSTATUS
normalize_name_unmap(TALLOC_CTX
*mem_ctx
,
1147 struct winbindd_domain
*domain
= find_our_domain();
1149 if (!name
|| !normalized
) {
1150 return NT_STATUS_INVALID_PARAMETER
;
1153 if (!lp_winbind_normalize_names()) {
1154 return NT_STATUS_PROCEDURE_NOT_FOUND
;
1157 /* Alias support and whitespace replacement are mutally
1160 /* When mapping from an alias to a username, we don't know the
1161 domain. But we only need a domain structure to cache
1162 a successful lookup , so just our own domain structure for
1165 nt_status
= resolve_alias_to_username(mem_ctx
, domain
,
1167 if (NT_STATUS_IS_OK(nt_status
)) {
1168 /* Special return code to let the caller know we mapped
1170 return NT_STATUS_FILE_RENAMED
;
1173 /* check for an unreachable domain */
1175 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
)) {
1176 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1178 set_domain_offline(domain
);
1182 /* deal with whitespace */
1184 *normalized
= talloc_strdup(mem_ctx
, name
);
1185 if (!(*normalized
)) {
1186 return NT_STATUS_NO_MEMORY
;
1189 all_string_sub(*normalized
, "_", " ", 0);
1191 return NT_STATUS_OK
;
1194 /*********************************************************************
1195 ********************************************************************/
1197 bool winbindd_can_contact_domain(struct winbindd_domain
*domain
)
1199 struct winbindd_tdc_domain
*tdc
= NULL
;
1200 TALLOC_CTX
*frame
= talloc_stackframe();
1203 /* We can contact the domain if it is our primary domain */
1205 if (domain
->primary
) {
1210 /* Trust the TDC cache and not the winbindd_domain flags */
1212 if ((tdc
= wcache_tdc_fetch_domain(frame
, domain
->name
)) == NULL
) {
1213 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1219 /* Can always contact a domain that is in out forest */
1221 if (tdc
->trust_flags
& NETR_TRUST_FLAG_IN_FOREST
) {
1227 * On a _member_ server, we cannot contact the domain if it
1228 * is running AD and we have no inbound trust.
1232 domain
->active_directory
&&
1233 ((tdc
->trust_flags
& NETR_TRUST_FLAG_INBOUND
) != NETR_TRUST_FLAG_INBOUND
))
1235 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1236 "and we have no inbound trust.\n", domain
->name
));
1240 /* Assume everything else is ok (probably not true but what
1246 talloc_destroy(frame
);
1251 /*********************************************************************
1252 ********************************************************************/
1254 bool winbindd_internal_child(struct winbindd_child
*child
)
1256 if ((child
== idmap_child()) || (child
== locator_child())) {
1263 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1265 /*********************************************************************
1266 ********************************************************************/
1268 static void winbindd_set_locator_kdc_env(const struct winbindd_domain
*domain
)
1271 char addr
[INET6_ADDRSTRLEN
];
1272 const char *kdc
= NULL
;
1275 if (!domain
|| !domain
->alt_name
|| !*domain
->alt_name
) {
1279 if (domain
->initialized
&& !domain
->active_directory
) {
1280 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s not AD\n",
1285 print_sockaddr(addr
, sizeof(addr
), &domain
->dcaddr
);
1288 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1290 kdc
= domain
->dcname
;
1293 if (!kdc
|| !*kdc
) {
1294 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1299 if (asprintf_strupper_m(&var
, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS
,
1300 domain
->alt_name
) == -1) {
1304 DEBUG(lvl
,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1307 setenv(var
, kdc
, 1);
1311 /*********************************************************************
1312 ********************************************************************/
1314 void winbindd_set_locator_kdc_envs(const struct winbindd_domain
*domain
)
1316 struct winbindd_domain
*our_dom
= find_our_domain();
1318 winbindd_set_locator_kdc_env(domain
);
1320 if (domain
!= our_dom
) {
1321 winbindd_set_locator_kdc_env(our_dom
);
1325 /*********************************************************************
1326 ********************************************************************/
1328 void winbindd_unset_locator_kdc_env(const struct winbindd_domain
*domain
)
1332 if (!domain
|| !domain
->alt_name
|| !*domain
->alt_name
) {
1336 if (asprintf_strupper_m(&var
, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS
,
1337 domain
->alt_name
) == -1) {
1346 void winbindd_set_locator_kdc_envs(const struct winbindd_domain
*domain
)
1351 void winbindd_unset_locator_kdc_env(const struct winbindd_domain
*domain
)
1356 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1358 void set_auth_errors(struct winbindd_response
*resp
, NTSTATUS result
)
1360 resp
->data
.auth
.nt_status
= NT_STATUS_V(result
);
1361 fstrcpy(resp
->data
.auth
.nt_status_string
, nt_errstr(result
));
1363 /* we might have given a more useful error above */
1364 if (*resp
->data
.auth
.error_string
== '\0')
1365 fstrcpy(resp
->data
.auth
.error_string
,
1366 get_friendly_nt_error_msg(result
));
1367 resp
->data
.auth
.pam_error
= nt_status_to_pam(result
);
1370 bool is_domain_offline(const struct winbindd_domain
*domain
)
1372 if (!lp_winbind_offline_logon()) {
1375 if (get_global_winbindd_state_offline()) {
1378 return !domain
->online
;
1381 bool is_domain_online(const struct winbindd_domain
*domain
)
1383 return !is_domain_offline(domain
);
1387 * Parse an char array into a list of sids.
1389 * The input sidstr should consist of 0-terminated strings
1390 * representing sids, separated by newline characters '\n'.
1391 * The list is terminated by an empty string, i.e.
1392 * character '\0' directly following a character '\n'
1393 * (or '\0' right at the start of sidstr).
1395 bool parse_sidlist(TALLOC_CTX
*mem_ctx
, const char *sidstr
,
1396 struct dom_sid
**sids
, uint32_t *num_sids
)
1404 while (p
[0] != '\0') {
1406 const char *q
= NULL
;
1408 if (!dom_sid_parse_endp(p
, &sid
, &q
)) {
1409 DEBUG(1, ("Could not parse sid %s\n", p
));
1412 if ((q
== NULL
) || (q
[0] != '\n')) {
1413 DEBUG(1, ("Got invalid sidstr: %s\n", p
));
1416 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx
, &sid
, sids
,