2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
31 #define DBGC_CLASS DBGC_WINBIND
33 extern struct winbindd_methods cache_methods
;
36 * @file winbindd_util.cq
38 * Winbind daemon for NT domain authentication nss module.
42 /* The list of trusted domains. Note that the list can be deleted and
43 recreated using the init_domain_list() function so pointers to
44 individual winbindd_domain structures cannot be made. Keep a copy of
45 the domain name instead. */
47 static struct winbindd_domain
*_domain_list
= NULL
;
49 struct winbindd_domain
*domain_list(void)
53 if ((!_domain_list
) && (!init_domain_list())) {
54 smb_panic("Init_domain_list failed");
60 /* Free all entries in the trusted domain list */
62 static void free_domain_list(void)
64 struct winbindd_domain
*domain
= _domain_list
;
67 struct winbindd_domain
*next
= domain
->next
;
69 DLIST_REMOVE(_domain_list
, domain
);
75 static bool is_internal_domain(const struct dom_sid
*sid
)
80 return (sid_check_is_our_sam(sid
) || sid_check_is_builtin(sid
));
83 static bool is_in_internal_domain(const struct dom_sid
*sid
)
88 return (sid_check_is_in_our_sam(sid
) || sid_check_is_in_builtin(sid
));
92 /* Add a trusted domain to our list of domains.
93 If the domain already exists in the list,
94 return it and don't re-initialize. */
96 static struct winbindd_domain
*add_trusted_domain(const char *domain_name
, const char *alt_name
,
97 struct winbindd_methods
*methods
,
98 const struct dom_sid
*sid
)
100 struct winbindd_domain
*domain
;
101 const char *alternative_name
= NULL
;
102 char *idmap_config_option
;
104 const char **ignored_domains
, **dom
;
105 int role
= lp_server_role();
107 ignored_domains
= lp_parm_string_list(-1, "winbind", "ignore domains", NULL
);
108 for (dom
=ignored_domains
; dom
&& *dom
; dom
++) {
109 if (gen_fnmatch(*dom
, domain_name
) == 0) {
110 DEBUG(2,("Ignoring domain '%s'\n", domain_name
));
115 /* use alt_name if available to allow DNS lookups */
117 if (alt_name
&& *alt_name
) {
118 alternative_name
= alt_name
;
121 /* We can't call domain_list() as this function is called from
122 init_domain_list() and we'll get stuck in a loop. */
123 for (domain
= _domain_list
; domain
; domain
= domain
->next
) {
124 if (strequal(domain_name
, domain
->name
) ||
125 strequal(domain_name
, domain
->alt_name
))
130 if (alternative_name
&& *alternative_name
)
132 if (strequal(alternative_name
, domain
->name
) ||
133 strequal(alternative_name
, domain
->alt_name
))
141 if (is_null_sid(sid
)) {
145 if (dom_sid_equal(sid
, &domain
->sid
)) {
151 if (domain
!= NULL
) {
153 * We found a match on domain->name or
154 * domain->alt_name. Possibly update the SID
155 * if the stored SID was the NULL SID
156 * and return the matching entry.
159 && dom_sid_equal(&domain
->sid
, &global_sid_NULL
)) {
160 sid_copy( &domain
->sid
, sid
);
165 /* Create new domain entry */
167 if ((domain
= SMB_MALLOC_P(struct winbindd_domain
)) == NULL
)
172 ZERO_STRUCTP(domain
);
174 domain
->children
= SMB_MALLOC_ARRAY(
175 struct winbindd_child
, lp_winbind_max_domain_connections());
176 if (domain
->children
== NULL
) {
180 memset(domain
->children
, 0,
181 sizeof(struct winbindd_child
)
182 * lp_winbind_max_domain_connections());
184 fstrcpy(domain
->name
, domain_name
);
185 if (alternative_name
) {
186 fstrcpy(domain
->alt_name
, alternative_name
);
189 domain
->methods
= methods
;
190 domain
->backend
= NULL
;
191 domain
->internal
= is_internal_domain(sid
);
192 domain
->sequence_number
= DOM_SEQUENCE_NONE
;
193 domain
->last_seq_check
= 0;
194 domain
->initialized
= False
;
195 domain
->online
= is_internal_domain(sid
);
196 domain
->check_online_timeout
= 0;
197 domain
->dc_probe_pid
= (pid_t
)-1;
199 sid_copy(&domain
->sid
, sid
);
202 /* Is this our primary domain ? */
203 if (strequal(domain_name
, get_global_sam_name()) &&
204 (role
!= ROLE_DOMAIN_MEMBER
)) {
205 domain
->primary
= true;
206 } else if (strequal(domain_name
, lp_workgroup()) &&
207 (role
== ROLE_DOMAIN_MEMBER
)) {
208 domain
->primary
= true;
211 /* Link to domain list */
212 DLIST_ADD_END(_domain_list
, domain
, struct winbindd_domain
*);
214 wcache_tdc_add_domain( domain
);
216 idmap_config_option
= talloc_asprintf(talloc_tos(), "idmap config %s",
218 if (idmap_config_option
== NULL
) {
219 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
223 param
= lp_parm_const_string(-1, idmap_config_option
, "range", NULL
);
225 DEBUG(10, ("%s : range = %s\n", idmap_config_option
,
226 param
? param
: "not defined"));
229 unsigned low_id
, high_id
;
230 if (sscanf(param
, "%u - %u", &low_id
, &high_id
) != 2) {
231 DEBUG(1, ("invalid range syntax in %s: %s\n",
232 idmap_config_option
, param
));
235 if (low_id
> high_id
) {
236 DEBUG(1, ("invalid range in %s: %s\n",
237 idmap_config_option
, param
));
240 domain
->have_idmap_config
= true;
241 domain
->id_range_low
= low_id
;
242 domain
->id_range_high
= high_id
;
247 setup_domain_child(domain
);
249 DEBUG(2,("Added domain %s %s %s\n",
250 domain
->name
, domain
->alt_name
,
251 &domain
->sid
?sid_string_dbg(&domain
->sid
):""));
256 bool domain_is_forest_root(const struct winbindd_domain
*domain
)
258 const uint32_t fr_flags
=
259 (NETR_TRUST_FLAG_TREEROOT
|NETR_TRUST_FLAG_IN_FOREST
);
261 return ((domain
->domain_flags
& fr_flags
) == fr_flags
);
264 /********************************************************************
265 rescan our domains looking for new trusted domains
266 ********************************************************************/
268 struct trustdom_state
{
269 struct winbindd_domain
*domain
;
270 struct winbindd_request request
;
273 static void trustdom_list_done(struct tevent_req
*req
);
274 static void rescan_forest_root_trusts( void );
275 static void rescan_forest_trusts( void );
277 static void add_trusted_domains( struct winbindd_domain
*domain
)
279 struct trustdom_state
*state
;
280 struct tevent_req
*req
;
282 state
= talloc_zero(NULL
, struct trustdom_state
);
284 DEBUG(0, ("talloc failed\n"));
287 state
->domain
= domain
;
289 state
->request
.length
= sizeof(state
->request
);
290 state
->request
.cmd
= WINBINDD_LIST_TRUSTDOM
;
292 req
= wb_domain_request_send(state
, winbind_event_context(),
293 domain
, &state
->request
);
295 DEBUG(1, ("wb_domain_request_send failed\n"));
299 tevent_req_set_callback(req
, trustdom_list_done
, state
);
302 static void trustdom_list_done(struct tevent_req
*req
)
304 struct trustdom_state
*state
= tevent_req_callback_data(
305 req
, struct trustdom_state
);
306 struct winbindd_response
*response
;
310 res
= wb_domain_request_recv(req
, state
, &response
, &err
);
311 if ((res
== -1) || (response
->result
!= WINBINDD_OK
)) {
312 DEBUG(1, ("Could not receive trustdoms\n"));
317 p
= (char *)response
->extra_data
.data
;
319 while ((p
!= NULL
) && (*p
!= '\0')) {
320 char *q
, *sidstr
, *alt_name
;
322 char *alternate_name
= NULL
;
324 alt_name
= strchr(p
, '\\');
325 if (alt_name
== NULL
) {
326 DEBUG(0, ("Got invalid trustdom response\n"));
333 sidstr
= strchr(alt_name
, '\\');
334 if (sidstr
== NULL
) {
335 DEBUG(0, ("Got invalid trustdom response\n"));
342 q
= strchr(sidstr
, '\n');
346 if (!string_to_sid(&sid
, sidstr
)) {
347 DEBUG(0, ("Got invalid trustdom response\n"));
351 /* use the real alt_name if we have one, else pass in NULL */
353 if ( !strequal( alt_name
, "(null)" ) )
354 alternate_name
= alt_name
;
357 * We always call add_trusted_domain() cause on an existing
358 * domain structure, it will update the SID if necessary.
359 * This is important because we need the SID for sibling
362 (void)add_trusted_domain(p
, alternate_name
,
371 Cases to consider when scanning trusts:
372 (a) we are calling from a child domain (primary && !forest_root)
373 (b) we are calling from the root of the forest (primary && forest_root)
374 (c) we are calling from a trusted forest domain (!primary
378 if (state
->domain
->primary
) {
379 /* If this is our primary domain and we are not in the
380 forest root, we have to scan the root trusts first */
382 if (!domain_is_forest_root(state
->domain
))
383 rescan_forest_root_trusts();
385 rescan_forest_trusts();
387 } else if (domain_is_forest_root(state
->domain
)) {
388 /* Once we have done root forest trust search, we can
389 go on to search the trusted forests */
391 rescan_forest_trusts();
399 /********************************************************************
400 Scan the trusts of our forest root
401 ********************************************************************/
403 static void rescan_forest_root_trusts( void )
405 struct winbindd_tdc_domain
*dom_list
= NULL
;
406 size_t num_trusts
= 0;
409 /* The only transitive trusts supported by Windows 2003 AD are
410 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
411 first two are handled in forest and listed by
412 DsEnumerateDomainTrusts(). Forest trusts are not so we
413 have to do that ourselves. */
415 if ( !wcache_tdc_fetch_list( &dom_list
, &num_trusts
) )
418 for ( i
=0; i
<num_trusts
; i
++ ) {
419 struct winbindd_domain
*d
= NULL
;
421 /* Find the forest root. Don't necessarily trust
422 the domain_list() as our primary domain may not
423 have been initialized. */
425 if ( !(dom_list
[i
].trust_flags
& NETR_TRUST_FLAG_TREEROOT
) ) {
429 /* Here's the forest root */
431 d
= find_domain_from_name_noinit( dom_list
[i
].domain_name
);
434 d
= add_trusted_domain( dom_list
[i
].domain_name
,
435 dom_list
[i
].dns_name
,
444 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
445 "for domain tree root %s (%s)\n",
446 d
->name
, d
->alt_name
));
448 d
->domain_flags
= dom_list
[i
].trust_flags
;
449 d
->domain_type
= dom_list
[i
].trust_type
;
450 d
->domain_trust_attribs
= dom_list
[i
].trust_attribs
;
452 add_trusted_domains( d
);
457 TALLOC_FREE( dom_list
);
462 /********************************************************************
463 scan the transitive forest trusts (not our own)
464 ********************************************************************/
467 static void rescan_forest_trusts( void )
469 struct winbindd_domain
*d
= NULL
;
470 struct winbindd_tdc_domain
*dom_list
= NULL
;
471 size_t num_trusts
= 0;
474 /* The only transitive trusts supported by Windows 2003 AD are
475 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
476 first two are handled in forest and listed by
477 DsEnumerateDomainTrusts(). Forest trusts are not so we
478 have to do that ourselves. */
480 if ( !wcache_tdc_fetch_list( &dom_list
, &num_trusts
) )
483 for ( i
=0; i
<num_trusts
; i
++ ) {
484 uint32 flags
= dom_list
[i
].trust_flags
;
485 uint32 type
= dom_list
[i
].trust_type
;
486 uint32 attribs
= dom_list
[i
].trust_attribs
;
488 d
= find_domain_from_name_noinit( dom_list
[i
].domain_name
);
490 /* ignore our primary and internal domains */
492 if ( d
&& (d
->internal
|| d
->primary
) )
495 if ( (flags
& NETR_TRUST_FLAG_INBOUND
) &&
496 (type
== NETR_TRUST_TYPE_UPLEVEL
) &&
497 (attribs
== NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
) )
499 /* add the trusted domain if we don't know
503 d
= add_trusted_domain( dom_list
[i
].domain_name
,
504 dom_list
[i
].dns_name
,
513 DEBUG(10,("Following trust path for domain %s (%s)\n",
514 d
->name
, d
->alt_name
));
515 add_trusted_domains( d
);
519 TALLOC_FREE( dom_list
);
524 /*********************************************************************
525 The process of updating the trusted domain list is a three step
528 (b) ask the root domain in our forest
529 (c) ask the a DC in any Win2003 trusted forests
530 *********************************************************************/
532 void rescan_trusted_domains(struct tevent_context
*ev
, struct tevent_timer
*te
,
533 struct timeval now
, void *private_data
)
537 /* I use to clear the cache here and start over but that
538 caused problems in child processes that needed the
539 trust dom list early on. Removing it means we
540 could have some trusted domains listed that have been
541 removed from our primary domain's DC until a full
542 restart. This should be ok since I think this is what
543 Windows does as well. */
545 /* this will only add new domains we didn't already know about
546 in the domain_list()*/
548 add_trusted_domains( find_our_domain() );
550 te
= tevent_add_timer(
551 ev
, NULL
, timeval_current_ofs(WINBINDD_RESCAN_FREQ
, 0),
552 rescan_trusted_domains
, NULL
);
554 * If te == NULL, there's not much we can do here. Don't fail, the
555 * only thing we miss is new trusted domains.
561 enum winbindd_result
winbindd_dual_init_connection(struct winbindd_domain
*domain
,
562 struct winbindd_cli_state
*state
)
564 /* Ensure null termination */
565 state
->request
->domain_name
566 [sizeof(state
->request
->domain_name
)-1]='\0';
567 state
->request
->data
.init_conn
.dcname
568 [sizeof(state
->request
->data
.init_conn
.dcname
)-1]='\0';
570 if (strlen(state
->request
->data
.init_conn
.dcname
) > 0) {
571 fstrcpy(domain
->dcname
, state
->request
->data
.init_conn
.dcname
);
574 if (domain
->internal
) {
575 domain
->initialized
= true;
577 init_dc_connection(domain
);
580 if (!domain
->initialized
) {
581 /* If we return error here we can't do any cached authentication,
582 but we may be in disconnected mode and can't initialize correctly.
583 Do what the previous code did and just return without initialization,
584 once we go online we'll re-initialize.
586 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
587 "online = %d\n", domain
->name
, (int)domain
->online
));
590 fstrcpy(state
->response
->data
.domain_info
.name
, domain
->name
);
591 fstrcpy(state
->response
->data
.domain_info
.alt_name
, domain
->alt_name
);
592 sid_to_fstring(state
->response
->data
.domain_info
.sid
, &domain
->sid
);
594 state
->response
->data
.domain_info
.native_mode
595 = domain
->native_mode
;
596 state
->response
->data
.domain_info
.active_directory
597 = domain
->active_directory
;
598 state
->response
->data
.domain_info
.primary
604 /* Look up global info for the winbind daemon */
605 bool init_domain_list(void)
607 int role
= lp_server_role();
609 /* Free existing list */
614 (void)add_trusted_domain("BUILTIN", NULL
, &cache_methods
,
615 &global_sid_Builtin
);
619 (void)add_trusted_domain(get_global_sam_name(), NULL
,
620 &cache_methods
, get_global_sam_sid());
622 /* Add ourselves as the first entry. */
624 if ( role
== ROLE_DOMAIN_MEMBER
) {
625 struct winbindd_domain
*domain
;
626 struct dom_sid our_sid
;
628 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid
)) {
629 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
633 domain
= add_trusted_domain( lp_workgroup(), lp_realm(),
634 &cache_methods
, &our_sid
);
636 /* Even in the parent winbindd we'll need to
637 talk to the DC, so try and see if we can
638 contact it. Theoretically this isn't neccessary
639 as the init_dc_connection() in init_child_recv()
640 will do this, but we can start detecting the DC
642 set_domain_online_request(domain
);
650 * Given a domain name, return the struct winbindd domain info for it
652 * @note Do *not* pass lp_workgroup() to this function. domain_list
653 * may modify it's value, and free that pointer. Instead, our local
654 * domain may be found by calling find_our_domain().
658 * @return The domain structure for the named domain, if it is working.
661 struct winbindd_domain
*find_domain_from_name_noinit(const char *domain_name
)
663 struct winbindd_domain
*domain
;
665 /* Search through list */
667 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
668 if (strequal(domain_name
, domain
->name
) ||
669 (domain
->alt_name
[0] &&
670 strequal(domain_name
, domain
->alt_name
))) {
680 struct winbindd_domain
*find_domain_from_name(const char *domain_name
)
682 struct winbindd_domain
*domain
;
684 domain
= find_domain_from_name_noinit(domain_name
);
689 if (!domain
->initialized
)
690 init_dc_connection(domain
);
695 /* Given a domain sid, return the struct winbindd domain info for it */
697 struct winbindd_domain
*find_domain_from_sid_noinit(const struct dom_sid
*sid
)
699 struct winbindd_domain
*domain
;
701 /* Search through list */
703 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
704 if (dom_sid_compare_domain(sid
, &domain
->sid
) == 0)
713 /* Given a domain sid, return the struct winbindd domain info for it */
715 struct winbindd_domain
*find_domain_from_sid(const struct dom_sid
*sid
)
717 struct winbindd_domain
*domain
;
719 domain
= find_domain_from_sid_noinit(sid
);
724 if (!domain
->initialized
)
725 init_dc_connection(domain
);
730 struct winbindd_domain
*find_our_domain(void)
732 struct winbindd_domain
*domain
;
734 /* Search through list */
736 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
741 smb_panic("Could not find our domain");
745 struct winbindd_domain
*find_root_domain(void)
747 struct winbindd_domain
*ours
= find_our_domain();
749 if (ours
->forest_name
[0] == '\0') {
753 return find_domain_from_name( ours
->forest_name
);
756 struct winbindd_domain
*find_builtin_domain(void)
758 struct winbindd_domain
*domain
;
760 domain
= find_domain_from_sid(&global_sid_Builtin
);
761 if (domain
== NULL
) {
762 smb_panic("Could not find BUILTIN domain");
768 /* Find the appropriate domain to lookup a name or SID */
770 struct winbindd_domain
*find_lookup_domain_from_sid(const struct dom_sid
*sid
)
772 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
774 if ( sid_check_is_in_unix_groups(sid
) ||
775 sid_check_is_unix_groups(sid
) ||
776 sid_check_is_in_unix_users(sid
) ||
777 sid_check_is_unix_users(sid
) )
779 return find_domain_from_sid(get_global_sam_sid());
782 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
783 * one to contact the external DC's. On member servers the internal
784 * domains are different: These are part of the local SAM. */
786 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid
)));
788 if (IS_DC
|| is_internal_domain(sid
) || is_in_internal_domain(sid
)) {
789 DEBUG(10, ("calling find_domain_from_sid\n"));
790 return find_domain_from_sid(sid
);
793 /* On a member server a query for SID or name can always go to our
796 DEBUG(10, ("calling find_our_domain\n"));
797 return find_our_domain();
800 struct winbindd_domain
*find_lookup_domain_from_name(const char *domain_name
)
802 if ( strequal(domain_name
, unix_users_domain_name() ) ||
803 strequal(domain_name
, unix_groups_domain_name() ) )
806 * The "Unix User" and "Unix Group" domain our handled by
809 return find_domain_from_name_noinit( get_global_sam_name() );
812 if (IS_DC
|| strequal(domain_name
, "BUILTIN") ||
813 strequal(domain_name
, get_global_sam_name()))
814 return find_domain_from_name_noinit(domain_name
);
817 return find_our_domain();
820 /* Is this a domain which we may assume no DOMAIN\ prefix? */
822 static bool assume_domain(const char *domain
)
824 /* never assume the domain on a standalone server */
826 if ( lp_server_role() == ROLE_STANDALONE
)
829 /* domain member servers may possibly assume for the domain name */
831 if ( lp_server_role() == ROLE_DOMAIN_MEMBER
) {
832 if ( !strequal(lp_workgroup(), domain
) )
835 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
839 /* only left with a domain controller */
841 if ( strequal(get_global_sam_name(), domain
) ) {
848 /* Parse a string of the form DOMAIN\user into a domain and a user */
850 bool parse_domain_user(const char *domuser
, fstring domain
, fstring user
)
852 char *p
= strchr(domuser
,*lp_winbind_separator());
855 fstrcpy(user
, domuser
);
857 if ( assume_domain(lp_workgroup())) {
858 fstrcpy(domain
, lp_workgroup());
859 } else if ((p
= strchr(domuser
, '@')) != NULL
) {
860 fstrcpy(domain
, p
+ 1);
861 user
[PTR_DIFF(p
, domuser
)] = 0;
867 fstrcpy(domain
, domuser
);
868 domain
[PTR_DIFF(p
, domuser
)] = 0;
871 return strupper_m(domain
);
874 bool parse_domain_user_talloc(TALLOC_CTX
*mem_ctx
, const char *domuser
,
875 char **domain
, char **user
)
877 fstring fstr_domain
, fstr_user
;
878 if (!parse_domain_user(domuser
, fstr_domain
, fstr_user
)) {
881 *domain
= talloc_strdup(mem_ctx
, fstr_domain
);
882 *user
= talloc_strdup(mem_ctx
, fstr_user
);
883 return ((*domain
!= NULL
) && (*user
!= NULL
));
886 /* Ensure an incoming username from NSS is fully qualified. Replace the
887 incoming fstring with DOMAIN <separator> user. Returns the same
888 values as parse_domain_user() but also replaces the incoming username.
889 Used to ensure all names are fully qualified within winbindd.
890 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
891 The protocol definitions of auth_crap, chng_pswd_auth_crap
892 really should be changed to use this instead of doing things
895 bool canonicalize_username(fstring username_inout
, fstring domain
, fstring user
)
897 if (!parse_domain_user(username_inout
, domain
, user
)) {
900 slprintf(username_inout
, sizeof(fstring
) - 1, "%s%c%s",
901 domain
, *lp_winbind_separator(),
907 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
908 'winbind separator' options.
910 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
913 If we are a PDC or BDC, and this is for our domain, do likewise.
915 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
916 username is then unqualified in unix
918 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
920 void fill_domain_username(fstring name
, const char *domain
, const char *user
, bool can_assume
)
924 fstrcpy(tmp_user
, user
);
925 (void)strlower_m(tmp_user
);
927 if (can_assume
&& assume_domain(domain
)) {
928 strlcpy(name
, tmp_user
, sizeof(fstring
));
930 slprintf(name
, sizeof(fstring
) - 1, "%s%c%s",
931 domain
, *lp_winbind_separator(),
937 * talloc version of fill_domain_username()
938 * return NULL on talloc failure.
940 char *fill_domain_username_talloc(TALLOC_CTX
*mem_ctx
,
945 char *tmp_user
, *name
;
947 tmp_user
= talloc_strdup(mem_ctx
, user
);
948 if (!strlower_m(tmp_user
)) {
949 TALLOC_FREE(tmp_user
);
953 if (can_assume
&& assume_domain(domain
)) {
956 name
= talloc_asprintf(mem_ctx
, "%s%c%s",
958 *lp_winbind_separator(),
960 TALLOC_FREE(tmp_user
);
967 * Client list accessor functions
970 static struct winbindd_cli_state
*_client_list
;
971 static int _num_clients
;
973 /* Return list of all connected clients */
975 struct winbindd_cli_state
*winbindd_client_list(void)
980 /* Add a connection to the list */
982 void winbindd_add_client(struct winbindd_cli_state
*cli
)
984 DLIST_ADD(_client_list
, cli
);
988 /* Remove a client from the list */
990 void winbindd_remove_client(struct winbindd_cli_state
*cli
)
992 DLIST_REMOVE(_client_list
, cli
);
996 /* Return number of open clients */
998 int winbindd_num_clients(void)
1000 return _num_clients
;
1003 NTSTATUS
lookup_usergroups_cached(struct winbindd_domain
*domain
,
1004 TALLOC_CTX
*mem_ctx
,
1005 const struct dom_sid
*user_sid
,
1006 uint32_t *p_num_groups
, struct dom_sid
**user_sids
)
1008 struct netr_SamInfo3
*info3
= NULL
;
1009 NTSTATUS status
= NT_STATUS_NO_MEMORY
;
1010 uint32_t num_groups
= 0;
1012 DEBUG(3,(": lookup_usergroups_cached\n"));
1017 info3
= netsamlogon_cache_get(mem_ctx
, user_sid
);
1019 if (info3
== NULL
) {
1020 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1023 if (info3
->base
.groups
.count
== 0) {
1025 return NT_STATUS_UNSUCCESSFUL
;
1029 * Before bug #7843 the "Domain Local" groups were added with a
1030 * lookupuseraliases call, but this isn't done anymore for our domain
1031 * so we need to resolve resource groups here.
1033 * When to use Resource Groups:
1034 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1036 status
= sid_array_from_info3(mem_ctx
, info3
,
1041 if (!NT_STATUS_IS_OK(status
)) {
1047 *p_num_groups
= num_groups
;
1048 status
= (user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
1050 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1055 /*********************************************************************
1056 We use this to remove spaces from user and group names
1057 ********************************************************************/
1059 NTSTATUS
normalize_name_map(TALLOC_CTX
*mem_ctx
,
1060 struct winbindd_domain
*domain
,
1066 if (!name
|| !normalized
) {
1067 return NT_STATUS_INVALID_PARAMETER
;
1070 if (!lp_winbind_normalize_names()) {
1071 return NT_STATUS_PROCEDURE_NOT_FOUND
;
1074 /* Alias support and whitespace replacement are mutually
1077 nt_status
= resolve_username_to_alias(mem_ctx
, domain
,
1079 if (NT_STATUS_IS_OK(nt_status
)) {
1080 /* special return code to let the caller know we
1081 mapped to an alias */
1082 return NT_STATUS_FILE_RENAMED
;
1085 /* check for an unreachable domain */
1087 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
)) {
1088 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1090 set_domain_offline(domain
);
1094 /* deal with whitespace */
1096 *normalized
= talloc_strdup(mem_ctx
, name
);
1097 if (!(*normalized
)) {
1098 return NT_STATUS_NO_MEMORY
;
1101 all_string_sub( *normalized
, " ", "_", 0 );
1103 return NT_STATUS_OK
;
1106 /*********************************************************************
1107 We use this to do the inverse of normalize_name_map()
1108 ********************************************************************/
1110 NTSTATUS
normalize_name_unmap(TALLOC_CTX
*mem_ctx
,
1115 struct winbindd_domain
*domain
= find_our_domain();
1117 if (!name
|| !normalized
) {
1118 return NT_STATUS_INVALID_PARAMETER
;
1121 if (!lp_winbind_normalize_names()) {
1122 return NT_STATUS_PROCEDURE_NOT_FOUND
;
1125 /* Alias support and whitespace replacement are mutally
1128 /* When mapping from an alias to a username, we don't know the
1129 domain. But we only need a domain structure to cache
1130 a successful lookup , so just our own domain structure for
1133 nt_status
= resolve_alias_to_username(mem_ctx
, domain
,
1135 if (NT_STATUS_IS_OK(nt_status
)) {
1136 /* Special return code to let the caller know we mapped
1138 return NT_STATUS_FILE_RENAMED
;
1141 /* check for an unreachable domain */
1143 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
)) {
1144 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1146 set_domain_offline(domain
);
1150 /* deal with whitespace */
1152 *normalized
= talloc_strdup(mem_ctx
, name
);
1153 if (!(*normalized
)) {
1154 return NT_STATUS_NO_MEMORY
;
1157 all_string_sub(*normalized
, "_", " ", 0);
1159 return NT_STATUS_OK
;
1162 /*********************************************************************
1163 ********************************************************************/
1165 bool winbindd_can_contact_domain(struct winbindd_domain
*domain
)
1167 struct winbindd_tdc_domain
*tdc
= NULL
;
1168 TALLOC_CTX
*frame
= talloc_stackframe();
1171 /* We can contact the domain if it is our primary domain */
1173 if (domain
->primary
) {
1178 /* Trust the TDC cache and not the winbindd_domain flags */
1180 if ((tdc
= wcache_tdc_fetch_domain(frame
, domain
->name
)) == NULL
) {
1181 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1187 /* Can always contact a domain that is in out forest */
1189 if (tdc
->trust_flags
& NETR_TRUST_FLAG_IN_FOREST
) {
1195 * On a _member_ server, we cannot contact the domain if it
1196 * is running AD and we have no inbound trust.
1200 domain
->active_directory
&&
1201 ((tdc
->trust_flags
& NETR_TRUST_FLAG_INBOUND
) != NETR_TRUST_FLAG_INBOUND
))
1203 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1204 "and we have no inbound trust.\n", domain
->name
));
1208 /* Assume everything else is ok (probably not true but what
1214 talloc_destroy(frame
);
1219 /*********************************************************************
1220 ********************************************************************/
1222 bool winbindd_internal_child(struct winbindd_child
*child
)
1224 if ((child
== idmap_child()) || (child
== locator_child())) {
1231 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1233 /*********************************************************************
1234 ********************************************************************/
1236 static void winbindd_set_locator_kdc_env(const struct winbindd_domain
*domain
)
1239 char addr
[INET6_ADDRSTRLEN
];
1240 const char *kdc
= NULL
;
1243 if (!domain
|| !domain
->alt_name
|| !*domain
->alt_name
) {
1247 if (domain
->initialized
&& !domain
->active_directory
) {
1248 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s not AD\n",
1253 print_sockaddr(addr
, sizeof(addr
), &domain
->dcaddr
);
1256 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1258 kdc
= domain
->dcname
;
1261 if (!kdc
|| !*kdc
) {
1262 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1267 if (asprintf_strupper_m(&var
, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS
,
1268 domain
->alt_name
) == -1) {
1272 DEBUG(lvl
,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1275 setenv(var
, kdc
, 1);
1279 /*********************************************************************
1280 ********************************************************************/
1282 void winbindd_set_locator_kdc_envs(const struct winbindd_domain
*domain
)
1284 struct winbindd_domain
*our_dom
= find_our_domain();
1286 winbindd_set_locator_kdc_env(domain
);
1288 if (domain
!= our_dom
) {
1289 winbindd_set_locator_kdc_env(our_dom
);
1293 /*********************************************************************
1294 ********************************************************************/
1296 void winbindd_unset_locator_kdc_env(const struct winbindd_domain
*domain
)
1300 if (!domain
|| !domain
->alt_name
|| !*domain
->alt_name
) {
1304 if (asprintf_strupper_m(&var
, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS
,
1305 domain
->alt_name
) == -1) {
1314 void winbindd_set_locator_kdc_envs(const struct winbindd_domain
*domain
)
1319 void winbindd_unset_locator_kdc_env(const struct winbindd_domain
*domain
)
1324 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1326 void set_auth_errors(struct winbindd_response
*resp
, NTSTATUS result
)
1328 resp
->data
.auth
.nt_status
= NT_STATUS_V(result
);
1329 fstrcpy(resp
->data
.auth
.nt_status_string
, nt_errstr(result
));
1331 /* we might have given a more useful error above */
1332 if (*resp
->data
.auth
.error_string
== '\0')
1333 fstrcpy(resp
->data
.auth
.error_string
,
1334 get_friendly_nt_error_msg(result
));
1335 resp
->data
.auth
.pam_error
= nt_status_to_pam(result
);
1338 bool is_domain_offline(const struct winbindd_domain
*domain
)
1340 if (!lp_winbind_offline_logon()) {
1343 if (get_global_winbindd_state_offline()) {
1346 return !domain
->online
;
1349 bool is_domain_online(const struct winbindd_domain
*domain
)
1351 return !is_domain_offline(domain
);
1355 * Parse an char array into a list of sids.
1357 * The input sidstr should consist of 0-terminated strings
1358 * representing sids, separated by newline characters '\n'.
1359 * The list is terminated by an empty string, i.e.
1360 * character '\0' directly following a character '\n'
1361 * (or '\0' right at the start of sidstr).
1363 bool parse_sidlist(TALLOC_CTX
*mem_ctx
, const char *sidstr
,
1364 struct dom_sid
**sids
, uint32_t *num_sids
)
1372 while (p
[0] != '\0') {
1374 const char *q
= NULL
;
1376 if (!dom_sid_parse_endp(p
, &sid
, &q
)) {
1377 DEBUG(1, ("Could not parse sid %s\n", p
));
1380 if ((q
== NULL
) || (q
[0] != '\n')) {
1381 DEBUG(1, ("Got invalid sidstr: %s\n", p
));
1384 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx
, &sid
, sids
,