search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
WHATSNEW: Add release notes for Samba 4.0.24.
[Samba.git] / source3 / winbindd / winbindd_util.c
blob2621722f8b6b80030ee32971b85973442a46dc68
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "winbindd.h"
25 #include "secrets.h"
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
29
30 #undef DBGC_CLASS
31 #define DBGC_CLASS DBGC_WINBIND
32
33 extern struct winbindd_methods cache_methods;
34
35 /**
36 * @file winbindd_util.cq
37 *
38 * Winbind daemon for NT domain authentication nss module.
39 **/
40
41
42 /* The list of trusted domains. Note that the list can be deleted and
43 recreated using the init_domain_list() function so pointers to
44 individual winbindd_domain structures cannot be made. Keep a copy of
45 the domain name instead. */
46
47 static struct winbindd_domain *_domain_list = NULL;
48
49 struct winbindd_domain *domain_list(void)
50 {
51 /* Initialise list */
52
53 if ((!_domain_list) && (!init_domain_list())) {
54 smb_panic("Init_domain_list failed");
55 }
56
57 return _domain_list;
58 }
59
60 /* Free all entries in the trusted domain list */
61
62 static void free_domain_list(void)
63 {
64 struct winbindd_domain *domain = _domain_list;
65
66 while(domain) {
67 struct winbindd_domain *next = domain->next;
68
69 DLIST_REMOVE(_domain_list, domain);
70 SAFE_FREE(domain);
71 domain = next;
72 }
73 }
74
75 static bool is_internal_domain(const struct dom_sid *sid)
76 {
77 if (sid == NULL)
78 return False;
79
80 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
81 }
82
83 static bool is_in_internal_domain(const struct dom_sid *sid)
84 {
85 if (sid == NULL)
86 return False;
87
88 return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
89 }
90
91
92 /* Add a trusted domain to our list of domains.
93 If the domain already exists in the list,
94 return it and don't re-initialize. */
95
96 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
97 struct winbindd_methods *methods,
98 const struct dom_sid *sid)
99 {
100 struct winbindd_domain *domain;
101 const char *alternative_name = NULL;
102 char *idmap_config_option;
103 const char *param;
104 const char **ignored_domains, **dom;
105 int role = lp_server_role();
106
107 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
108 for (dom=ignored_domains; dom && *dom; dom++) {
109 if (gen_fnmatch(*dom, domain_name) == 0) {
110 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
111 return NULL;
112 }
113 }
114
115 /* use alt_name if available to allow DNS lookups */
116
117 if (alt_name && *alt_name) {
118 alternative_name = alt_name;
119 }
120
121 /* We can't call domain_list() as this function is called from
122 init_domain_list() and we'll get stuck in a loop. */
123 for (domain = _domain_list; domain; domain = domain->next) {
124 if (strequal(domain_name, domain->name) ||
125 strequal(domain_name, domain->alt_name))
126 {
127 break;
128 }
129
130 if (alternative_name && *alternative_name)
131 {
132 if (strequal(alternative_name, domain->name) ||
133 strequal(alternative_name, domain->alt_name))
134 {
135 break;
136 }
137 }
138
139 if (sid)
140 {
141 if (is_null_sid(sid)) {
142 continue;
143 }
144
145 if (dom_sid_equal(sid, &domain->sid)) {
146 break;
147 }
148 }
149 }
150
151 if (domain != NULL) {
152 /*
153 * We found a match on domain->name or
154 * domain->alt_name. Possibly update the SID
155 * if the stored SID was the NULL SID
156 * and return the matching entry.
157 */
158 if ((sid != NULL)
159 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
160 sid_copy( &domain->sid, sid );
161 }
162 return domain;
163 }
164
165 /* Create new domain entry */
166
167 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
168 return NULL;
169
170 /* Fill in fields */
171
172 ZERO_STRUCTP(domain);
173
174 domain->children = SMB_MALLOC_ARRAY(
175 struct winbindd_child, lp_winbind_max_domain_connections());
176 if (domain->children == NULL) {
177 SAFE_FREE(domain);
178 return NULL;
179 }
180 memset(domain->children, 0,
181 sizeof(struct winbindd_child)
182 * lp_winbind_max_domain_connections());
183
184 fstrcpy(domain->name, domain_name);
185 if (alternative_name) {
186 fstrcpy(domain->alt_name, alternative_name);
187 }
188
189 domain->methods = methods;
190 domain->backend = NULL;
191 domain->internal = is_internal_domain(sid);
192 domain->sequence_number = DOM_SEQUENCE_NONE;
193 domain->last_seq_check = 0;
194 domain->initialized = False;
195 domain->online = is_internal_domain(sid);
196 domain->check_online_timeout = 0;
197 domain->dc_probe_pid = (pid_t)-1;
198 if (sid) {
199 sid_copy(&domain->sid, sid);
200 }
201
202 /* Is this our primary domain ? */
203 if (strequal(domain_name, get_global_sam_name()) &&
204 (role != ROLE_DOMAIN_MEMBER)) {
205 domain->primary = true;
206 } else if (strequal(domain_name, lp_workgroup()) &&
207 (role == ROLE_DOMAIN_MEMBER)) {
208 domain->primary = true;
209 }
210
211 /* Link to domain list */
212 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
213
214 wcache_tdc_add_domain( domain );
215
216 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
217 domain->name);
218 if (idmap_config_option == NULL) {
219 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
220 goto done;
221 }
222
223 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
224
225 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
226 param ? param : "not defined"));
227
228 if (param != NULL) {
229 unsigned low_id, high_id;
230 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
231 DEBUG(1, ("invalid range syntax in %s: %s\n",
232 idmap_config_option, param));
233 goto done;
234 }
235 if (low_id > high_id) {
236 DEBUG(1, ("invalid range in %s: %s\n",
237 idmap_config_option, param));
238 goto done;
239 }
240 domain->have_idmap_config = true;
241 domain->id_range_low = low_id;
242 domain->id_range_high = high_id;
243 }
244
245 done:
246
247 setup_domain_child(domain);
248
249 DEBUG(2,("Added domain %s %s %s\n",
250 domain->name, domain->alt_name,
251 &domain->sid?sid_string_dbg(&domain->sid):""));
252
253 return domain;
254 }
255
256 bool domain_is_forest_root(const struct winbindd_domain *domain)
257 {
258 const uint32_t fr_flags =
259 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
260
261 return ((domain->domain_flags & fr_flags) == fr_flags);
262 }
263
264 /********************************************************************
265 rescan our domains looking for new trusted domains
266 ********************************************************************/
267
268 struct trustdom_state {
269 struct winbindd_domain *domain;
270 struct winbindd_request request;
271 };
272
273 static void trustdom_list_done(struct tevent_req *req);
274 static void rescan_forest_root_trusts( void );
275 static void rescan_forest_trusts( void );
276
277 static void add_trusted_domains( struct winbindd_domain *domain )
278 {
279 struct trustdom_state *state;
280 struct tevent_req *req;
281
282 state = talloc_zero(NULL, struct trustdom_state);
283 if (state == NULL) {
284 DEBUG(0, ("talloc failed\n"));
285 return;
286 }
287 state->domain = domain;
288
289 state->request.length = sizeof(state->request);
290 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
291
292 req = wb_domain_request_send(state, winbind_event_context(),
293 domain, &state->request);
294 if (req == NULL) {
295 DEBUG(1, ("wb_domain_request_send failed\n"));
296 TALLOC_FREE(state);
297 return;
298 }
299 tevent_req_set_callback(req, trustdom_list_done, state);
300 }
301
302 static void trustdom_list_done(struct tevent_req *req)
303 {
304 struct trustdom_state *state = tevent_req_callback_data(
305 req, struct trustdom_state);
306 struct winbindd_response *response;
307 int res, err;
308 char *p;
309
310 res = wb_domain_request_recv(req, state, &response, &err);
311 if ((res == -1) || (response->result != WINBINDD_OK)) {
312 DEBUG(1, ("Could not receive trustdoms\n"));
313 TALLOC_FREE(state);
314 return;
315 }
316
317 p = (char *)response->extra_data.data;
318
319 while ((p != NULL) && (*p != '\0')) {
320 char *q, *sidstr, *alt_name;
321 struct dom_sid sid;
322 char *alternate_name = NULL;
323
324 alt_name = strchr(p, '\\');
325 if (alt_name == NULL) {
326 DEBUG(0, ("Got invalid trustdom response\n"));
327 break;
328 }
329
330 *alt_name = '\0';
331 alt_name += 1;
332
333 sidstr = strchr(alt_name, '\\');
334 if (sidstr == NULL) {
335 DEBUG(0, ("Got invalid trustdom response\n"));
336 break;
337 }
338
339 *sidstr = '\0';
340 sidstr += 1;
341
342 q = strchr(sidstr, '\n');
343 if (q != NULL)
344 *q = '\0';
345
346 if (!string_to_sid(&sid, sidstr)) {
347 DEBUG(0, ("Got invalid trustdom response\n"));
348 break;
349 }
350
351 /* use the real alt_name if we have one, else pass in NULL */
352
353 if ( !strequal( alt_name, "(null)" ) )
354 alternate_name = alt_name;
355
356 /*
357 * We always call add_trusted_domain() cause on an existing
358 * domain structure, it will update the SID if necessary.
359 * This is important because we need the SID for sibling
360 * domains.
361 */
362 (void)add_trusted_domain(p, alternate_name,
363 &cache_methods,
364 &sid);
365 p=q;
366 if (p != NULL)
367 p += 1;
368 }
369
370 /*
371 Cases to consider when scanning trusts:
372 (a) we are calling from a child domain (primary && !forest_root)
373 (b) we are calling from the root of the forest (primary && forest_root)
374 (c) we are calling from a trusted forest domain (!primary
375 && !forest_root)
376 */
377
378 if (state->domain->primary) {
379 /* If this is our primary domain and we are not in the
380 forest root, we have to scan the root trusts first */
381
382 if (!domain_is_forest_root(state->domain))
383 rescan_forest_root_trusts();
384 else
385 rescan_forest_trusts();
386
387 } else if (domain_is_forest_root(state->domain)) {
388 /* Once we have done root forest trust search, we can
389 go on to search the trusted forests */
390
391 rescan_forest_trusts();
392 }
393
394 TALLOC_FREE(state);
395
396 return;
397 }
398
399 /********************************************************************
400 Scan the trusts of our forest root
401 ********************************************************************/
402
403 static void rescan_forest_root_trusts( void )
404 {
405 struct winbindd_tdc_domain *dom_list = NULL;
406 size_t num_trusts = 0;
407 int i;
408
409 /* The only transitive trusts supported by Windows 2003 AD are
410 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
411 first two are handled in forest and listed by
412 DsEnumerateDomainTrusts(). Forest trusts are not so we
413 have to do that ourselves. */
414
415 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
416 return;
417
418 for ( i=0; i<num_trusts; i++ ) {
419 struct winbindd_domain *d = NULL;
420
421 /* Find the forest root. Don't necessarily trust
422 the domain_list() as our primary domain may not
423 have been initialized. */
424
425 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
426 continue;
427 }
428
429 /* Here's the forest root */
430
431 d = find_domain_from_name_noinit( dom_list[i].domain_name );
432
433 if ( !d ) {
434 d = add_trusted_domain( dom_list[i].domain_name,
435 dom_list[i].dns_name,
436 &cache_methods,
437 &dom_list[i].sid );
438 }
439
440 if (d == NULL) {
441 continue;
442 }
443
444 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
445 "for domain tree root %s (%s)\n",
446 d->name, d->alt_name ));
447
448 d->domain_flags = dom_list[i].trust_flags;
449 d->domain_type = dom_list[i].trust_type;
450 d->domain_trust_attribs = dom_list[i].trust_attribs;
451
452 add_trusted_domains( d );
453
454 break;
455 }
456
457 TALLOC_FREE( dom_list );
458
459 return;
460 }
461
462 /********************************************************************
463 scan the transitive forest trusts (not our own)
464 ********************************************************************/
465
466
467 static void rescan_forest_trusts( void )
468 {
469 struct winbindd_domain *d = NULL;
470 struct winbindd_tdc_domain *dom_list = NULL;
471 size_t num_trusts = 0;
472 int i;
473
474 /* The only transitive trusts supported by Windows 2003 AD are
475 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
476 first two are handled in forest and listed by
477 DsEnumerateDomainTrusts(). Forest trusts are not so we
478 have to do that ourselves. */
479
480 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
481 return;
482
483 for ( i=0; i<num_trusts; i++ ) {
484 uint32 flags = dom_list[i].trust_flags;
485 uint32 type = dom_list[i].trust_type;
486 uint32 attribs = dom_list[i].trust_attribs;
487
488 d = find_domain_from_name_noinit( dom_list[i].domain_name );
489
490 /* ignore our primary and internal domains */
491
492 if ( d && (d->internal || d->primary ) )
493 continue;
494
495 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
496 (type == NETR_TRUST_TYPE_UPLEVEL) &&
497 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
498 {
499 /* add the trusted domain if we don't know
500 about it */
501
502 if ( !d ) {
503 d = add_trusted_domain( dom_list[i].domain_name,
504 dom_list[i].dns_name,
505 &cache_methods,
506 &dom_list[i].sid );
507 }
508
509 if (d == NULL) {
510 continue;
511 }
512
513 DEBUG(10,("Following trust path for domain %s (%s)\n",
514 d->name, d->alt_name ));
515 add_trusted_domains( d );
516 }
517 }
518
519 TALLOC_FREE( dom_list );
520
521 return;
522 }
523
524 /*********************************************************************
525 The process of updating the trusted domain list is a three step
526 async process:
527 (a) ask our domain
528 (b) ask the root domain in our forest
529 (c) ask the a DC in any Win2003 trusted forests
530 *********************************************************************/
531
532 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
533 struct timeval now, void *private_data)
534 {
535 TALLOC_FREE(te);
536
537 /* I use to clear the cache here and start over but that
538 caused problems in child processes that needed the
539 trust dom list early on. Removing it means we
540 could have some trusted domains listed that have been
541 removed from our primary domain's DC until a full
542 restart. This should be ok since I think this is what
543 Windows does as well. */
544
545 /* this will only add new domains we didn't already know about
546 in the domain_list()*/
547
548 add_trusted_domains( find_our_domain() );
549
550 te = tevent_add_timer(
551 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
552 rescan_trusted_domains, NULL);
553 /*
554 * If te == NULL, there's not much we can do here. Don't fail, the
555 * only thing we miss is new trusted domains.
556 */
557
558 return;
559 }
560
561 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
562 struct winbindd_cli_state *state)
563 {
564 /* Ensure null termination */
565 state->request->domain_name
566 [sizeof(state->request->domain_name)-1]='\0';
567 state->request->data.init_conn.dcname
568 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
569
570 if (strlen(state->request->data.init_conn.dcname) > 0) {
571 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
572 }
573
574 if (domain->internal) {
575 domain->initialized = true;
576 } else {
577 init_dc_connection(domain);
578 }
579
580 if (!domain->initialized) {
581 /* If we return error here we can't do any cached authentication,
582 but we may be in disconnected mode and can't initialize correctly.
583 Do what the previous code did and just return without initialization,
584 once we go online we'll re-initialize.
585 */
586 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
587 "online = %d\n", domain->name, (int)domain->online ));
588 }
589
590 fstrcpy(state->response->data.domain_info.name, domain->name);
591 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
592 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
593
594 state->response->data.domain_info.native_mode
595 = domain->native_mode;
596 state->response->data.domain_info.active_directory
597 = domain->active_directory;
598 state->response->data.domain_info.primary
599 = domain->primary;
600
601 return WINBINDD_OK;
602 }
603
604 /* Look up global info for the winbind daemon */
605 bool init_domain_list(void)
606 {
607 int role = lp_server_role();
608
609 /* Free existing list */
610 free_domain_list();
611
612 /* BUILTIN domain */
613
614 (void)add_trusted_domain("BUILTIN", NULL, &cache_methods,
615 &global_sid_Builtin);
616
617 /* Local SAM */
618
619 (void)add_trusted_domain(get_global_sam_name(), NULL,
620 &cache_methods, get_global_sam_sid());
621
622 /* Add ourselves as the first entry. */
623
624 if ( role == ROLE_DOMAIN_MEMBER ) {
625 struct winbindd_domain *domain;
626 struct dom_sid our_sid;
627
628 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
629 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
630 return False;
631 }
632
633 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
634 &cache_methods, &our_sid);
635 if (domain) {
636 /* Even in the parent winbindd we'll need to
637 talk to the DC, so try and see if we can
638 contact it. Theoretically this isn't neccessary
639 as the init_dc_connection() in init_child_recv()
640 will do this, but we can start detecting the DC
641 early here. */
642 set_domain_online_request(domain);
643 }
644 }
645
646 return True;
647 }
648
649 /**
650 * Given a domain name, return the struct winbindd domain info for it
651 *
652 * @note Do *not* pass lp_workgroup() to this function. domain_list
653 * may modify it's value, and free that pointer. Instead, our local
654 * domain may be found by calling find_our_domain().
655 * directly.
656 *
657 *
658 * @return The domain structure for the named domain, if it is working.
659 */
660
661 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
662 {
663 struct winbindd_domain *domain;
664
665 /* Search through list */
666
667 for (domain = domain_list(); domain != NULL; domain = domain->next) {
668 if (strequal(domain_name, domain->name) ||
669 (domain->alt_name[0] &&
670 strequal(domain_name, domain->alt_name))) {
671 return domain;
672 }
673 }
674
675 /* Not found */
676
677 return NULL;
678 }
679
680 struct winbindd_domain *find_domain_from_name(const char *domain_name)
681 {
682 struct winbindd_domain *domain;
683
684 domain = find_domain_from_name_noinit(domain_name);
685
686 if (domain == NULL)
687 return NULL;
688
689 if (!domain->initialized)
690 init_dc_connection(domain);
691
692 return domain;
693 }
694
695 /* Given a domain sid, return the struct winbindd domain info for it */
696
697 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
698 {
699 struct winbindd_domain *domain;
700
701 /* Search through list */
702
703 for (domain = domain_list(); domain != NULL; domain = domain->next) {
704 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
705 return domain;
706 }
707
708 /* Not found */
709
710 return NULL;
711 }
712
713 /* Given a domain sid, return the struct winbindd domain info for it */
714
715 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
716 {
717 struct winbindd_domain *domain;
718
719 domain = find_domain_from_sid_noinit(sid);
720
721 if (domain == NULL)
722 return NULL;
723
724 if (!domain->initialized)
725 init_dc_connection(domain);
726
727 return domain;
728 }
729
730 struct winbindd_domain *find_our_domain(void)
731 {
732 struct winbindd_domain *domain;
733
734 /* Search through list */
735
736 for (domain = domain_list(); domain != NULL; domain = domain->next) {
737 if (domain->primary)
738 return domain;
739 }
740
741 smb_panic("Could not find our domain");
742 return NULL;
743 }
744
745 struct winbindd_domain *find_root_domain(void)
746 {
747 struct winbindd_domain *ours = find_our_domain();
748
749 if (ours->forest_name[0] == '\0') {
750 return NULL;
751 }
752
753 return find_domain_from_name( ours->forest_name );
754 }
755
756 struct winbindd_domain *find_builtin_domain(void)
757 {
758 struct winbindd_domain *domain;
759
760 domain = find_domain_from_sid(&global_sid_Builtin);
761 if (domain == NULL) {
762 smb_panic("Could not find BUILTIN domain");
763 }
764
765 return domain;
766 }
767
768 /* Find the appropriate domain to lookup a name or SID */
769
770 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
771 {
772 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
773
774 if ( sid_check_is_in_unix_groups(sid) ||
775 sid_check_is_unix_groups(sid) ||
776 sid_check_is_in_unix_users(sid) ||
777 sid_check_is_unix_users(sid) )
778 {
779 return find_domain_from_sid(get_global_sam_sid());
780 }
781
782 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
783 * one to contact the external DC's. On member servers the internal
784 * domains are different: These are part of the local SAM. */
785
786 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
787
788 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
789 DEBUG(10, ("calling find_domain_from_sid\n"));
790 return find_domain_from_sid(sid);
791 }
792
793 /* On a member server a query for SID or name can always go to our
794 * primary DC. */
795
796 DEBUG(10, ("calling find_our_domain\n"));
797 return find_our_domain();
798 }
799
800 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
801 {
802 if ( strequal(domain_name, unix_users_domain_name() ) ||
803 strequal(domain_name, unix_groups_domain_name() ) )
804 {
805 /*
806 * The "Unix User" and "Unix Group" domain our handled by
807 * passdb
808 */
809 return find_domain_from_name_noinit( get_global_sam_name() );
810 }
811
812 if (IS_DC || strequal(domain_name, "BUILTIN") ||
813 strequal(domain_name, get_global_sam_name()))
814 return find_domain_from_name_noinit(domain_name);
815
816
817 return find_our_domain();
818 }
819
820 /* Is this a domain which we may assume no DOMAIN\ prefix? */
821
822 static bool assume_domain(const char *domain)
823 {
824 /* never assume the domain on a standalone server */
825
826 if ( lp_server_role() == ROLE_STANDALONE )
827 return False;
828
829 /* domain member servers may possibly assume for the domain name */
830
831 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
832 if ( !strequal(lp_workgroup(), domain) )
833 return False;
834
835 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
836 return True;
837 }
838
839 /* only left with a domain controller */
840
841 if ( strequal(get_global_sam_name(), domain) ) {
842 return True;
843 }
844
845 return False;
846 }
847
848 /* Parse a string of the form DOMAIN\user into a domain and a user */
849
850 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
851 {
852 char *p = strchr(domuser,*lp_winbind_separator());
853
854 if ( !p ) {
855 fstrcpy(user, domuser);
856
857 if ( assume_domain(lp_workgroup())) {
858 fstrcpy(domain, lp_workgroup());
859 } else if ((p = strchr(domuser, '@')) != NULL) {
860 fstrcpy(domain, p + 1);
861 user[PTR_DIFF(p, domuser)] = 0;
862 } else {
863 return False;
864 }
865 } else {
866 fstrcpy(user, p+1);
867 fstrcpy(domain, domuser);
868 domain[PTR_DIFF(p, domuser)] = 0;
869 }
870
871 return strupper_m(domain);
872 }
873
874 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
875 char **domain, char **user)
876 {
877 fstring fstr_domain, fstr_user;
878 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
879 return False;
880 }
881 *domain = talloc_strdup(mem_ctx, fstr_domain);
882 *user = talloc_strdup(mem_ctx, fstr_user);
883 return ((*domain != NULL) && (*user != NULL));
884 }
885
886 /* Ensure an incoming username from NSS is fully qualified. Replace the
887 incoming fstring with DOMAIN <separator> user. Returns the same
888 values as parse_domain_user() but also replaces the incoming username.
889 Used to ensure all names are fully qualified within winbindd.
890 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
891 The protocol definitions of auth_crap, chng_pswd_auth_crap
892 really should be changed to use this instead of doing things
893 by hand. JRA. */
894
895 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
896 {
897 if (!parse_domain_user(username_inout, domain, user)) {
898 return False;
899 }
900 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
901 domain, *lp_winbind_separator(),
902 user);
903 return True;
904 }
905
906 /*
907 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
908 'winbind separator' options.
909 This means:
910 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
911 lp_workgroup()
912
913 If we are a PDC or BDC, and this is for our domain, do likewise.
914
915 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
916 username is then unqualified in unix
917
918 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
919 */
920 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
921 {
922 fstring tmp_user;
923
924 fstrcpy(tmp_user, user);
925 (void)strlower_m(tmp_user);
926
927 if (can_assume && assume_domain(domain)) {
928 strlcpy(name, tmp_user, sizeof(fstring));
929 } else {
930 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
931 domain, *lp_winbind_separator(),
932 tmp_user);
933 }
934 }
935
936 /**
937 * talloc version of fill_domain_username()
938 * return NULL on talloc failure.
939 */
940 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
941 const char *domain,
942 const char *user,
943 bool can_assume)
944 {
945 char *tmp_user, *name;
946
947 tmp_user = talloc_strdup(mem_ctx, user);
948 if (!strlower_m(tmp_user)) {
949 TALLOC_FREE(tmp_user);
950 return NULL;
951 }
952
953 if (can_assume && assume_domain(domain)) {
954 name = tmp_user;
955 } else {
956 name = talloc_asprintf(mem_ctx, "%s%c%s",
957 domain,
958 *lp_winbind_separator(),
959 tmp_user);
960 TALLOC_FREE(tmp_user);
961 }
962
963 return name;
964 }
965
966 /*
967 * Client list accessor functions
968 */
969
970 static struct winbindd_cli_state *_client_list;
971 static int _num_clients;
972
973 /* Return list of all connected clients */
974
975 struct winbindd_cli_state *winbindd_client_list(void)
976 {
977 return _client_list;
978 }
979
980 /* Add a connection to the list */
981
982 void winbindd_add_client(struct winbindd_cli_state *cli)
983 {
984 DLIST_ADD(_client_list, cli);
985 _num_clients++;
986 }
987
988 /* Remove a client from the list */
989
990 void winbindd_remove_client(struct winbindd_cli_state *cli)
991 {
992 DLIST_REMOVE(_client_list, cli);
993 _num_clients--;
994 }
995
996 /* Return number of open clients */
997
998 int winbindd_num_clients(void)
999 {
1000 return _num_clients;
1001 }
1002
1003 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1004 TALLOC_CTX *mem_ctx,
1005 const struct dom_sid *user_sid,
1006 uint32_t *p_num_groups, struct dom_sid **user_sids)
1007 {
1008 struct netr_SamInfo3 *info3 = NULL;
1009 NTSTATUS status = NT_STATUS_NO_MEMORY;
1010 uint32_t num_groups = 0;
1011
1012 DEBUG(3,(": lookup_usergroups_cached\n"));
1013
1014 *user_sids = NULL;
1015 *p_num_groups = 0;
1016
1017 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1018
1019 if (info3 == NULL) {
1020 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1021 }
1022
1023 if (info3->base.groups.count == 0) {
1024 TALLOC_FREE(info3);
1025 return NT_STATUS_UNSUCCESSFUL;
1026 }
1027
1028 /*
1029 * Before bug #7843 the "Domain Local" groups were added with a
1030 * lookupuseraliases call, but this isn't done anymore for our domain
1031 * so we need to resolve resource groups here.
1032 *
1033 * When to use Resource Groups:
1034 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1035 */
1036 status = sid_array_from_info3(mem_ctx, info3,
1037 user_sids,
1038 &num_groups,
1039 false);
1040
1041 if (!NT_STATUS_IS_OK(status)) {
1042 TALLOC_FREE(info3);
1043 return status;
1044 }
1045
1046 TALLOC_FREE(info3);
1047 *p_num_groups = num_groups;
1048 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1049
1050 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1051
1052 return status;
1053 }
1054
1055 /*********************************************************************
1056 We use this to remove spaces from user and group names
1057 ********************************************************************/
1058
1059 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1060 struct winbindd_domain *domain,
1061 const char *name,
1062 char **normalized)
1063 {
1064 NTSTATUS nt_status;
1065
1066 if (!name || !normalized) {
1067 return NT_STATUS_INVALID_PARAMETER;
1068 }
1069
1070 if (!lp_winbind_normalize_names()) {
1071 return NT_STATUS_PROCEDURE_NOT_FOUND;
1072 }
1073
1074 /* Alias support and whitespace replacement are mutually
1075 exclusive */
1076
1077 nt_status = resolve_username_to_alias(mem_ctx, domain,
1078 name, normalized );
1079 if (NT_STATUS_IS_OK(nt_status)) {
1080 /* special return code to let the caller know we
1081 mapped to an alias */
1082 return NT_STATUS_FILE_RENAMED;
1083 }
1084
1085 /* check for an unreachable domain */
1086
1087 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1088 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1089 domain->name));
1090 set_domain_offline(domain);
1091 return nt_status;
1092 }
1093
1094 /* deal with whitespace */
1095
1096 *normalized = talloc_strdup(mem_ctx, name);
1097 if (!(*normalized)) {
1098 return NT_STATUS_NO_MEMORY;
1099 }
1100
1101 all_string_sub( *normalized, " ", "_", 0 );
1102
1103 return NT_STATUS_OK;
1104 }
1105
1106 /*********************************************************************
1107 We use this to do the inverse of normalize_name_map()
1108 ********************************************************************/
1109
1110 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1111 char *name,
1112 char **normalized)
1113 {
1114 NTSTATUS nt_status;
1115 struct winbindd_domain *domain = find_our_domain();
1116
1117 if (!name || !normalized) {
1118 return NT_STATUS_INVALID_PARAMETER;
1119 }
1120
1121 if (!lp_winbind_normalize_names()) {
1122 return NT_STATUS_PROCEDURE_NOT_FOUND;
1123 }
1124
1125 /* Alias support and whitespace replacement are mutally
1126 exclusive */
1127
1128 /* When mapping from an alias to a username, we don't know the
1129 domain. But we only need a domain structure to cache
1130 a successful lookup , so just our own domain structure for
1131 the seqnum. */
1132
1133 nt_status = resolve_alias_to_username(mem_ctx, domain,
1134 name, normalized);
1135 if (NT_STATUS_IS_OK(nt_status)) {
1136 /* Special return code to let the caller know we mapped
1137 from an alias */
1138 return NT_STATUS_FILE_RENAMED;
1139 }
1140
1141 /* check for an unreachable domain */
1142
1143 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1144 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1145 domain->name));
1146 set_domain_offline(domain);
1147 return nt_status;
1148 }
1149
1150 /* deal with whitespace */
1151
1152 *normalized = talloc_strdup(mem_ctx, name);
1153 if (!(*normalized)) {
1154 return NT_STATUS_NO_MEMORY;
1155 }
1156
1157 all_string_sub(*normalized, "_", " ", 0);
1158
1159 return NT_STATUS_OK;
1160 }
1161
1162 /*********************************************************************
1163 ********************************************************************/
1164
1165 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1166 {
1167 struct winbindd_tdc_domain *tdc = NULL;
1168 TALLOC_CTX *frame = talloc_stackframe();
1169 bool ret = false;
1170
1171 /* We can contact the domain if it is our primary domain */
1172
1173 if (domain->primary) {
1174 ret = true;
1175 goto done;
1176 }
1177
1178 /* Trust the TDC cache and not the winbindd_domain flags */
1179
1180 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1181 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1182 domain->name));
1183 ret = false;
1184 goto done;
1185 }
1186
1187 /* Can always contact a domain that is in out forest */
1188
1189 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1190 ret = true;
1191 goto done;
1192 }
1193
1194 /*
1195 * On a _member_ server, we cannot contact the domain if it
1196 * is running AD and we have no inbound trust.
1197 */
1198
1199 if (!IS_DC &&
1200 domain->active_directory &&
1201 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1202 {
1203 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1204 "and we have no inbound trust.\n", domain->name));
1205 goto done;
1206 }
1207
1208 /* Assume everything else is ok (probably not true but what
1209 can you do?) */
1210
1211 ret = true;
1212
1213 done:
1214 talloc_destroy(frame);
1215
1216 return ret;
1217 }
1218
1219 /*********************************************************************
1220 ********************************************************************/
1221
1222 bool winbindd_internal_child(struct winbindd_child *child)
1223 {
1224 if ((child == idmap_child()) || (child == locator_child())) {
1225 return True;
1226 }
1227
1228 return False;
1229 }
1230
1231 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1232
1233 /*********************************************************************
1234 ********************************************************************/
1235
1236 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1237 {
1238 char *var = NULL;
1239 char addr[INET6_ADDRSTRLEN];
1240 const char *kdc = NULL;
1241 int lvl = 11;
1242
1243 if (!domain || !domain->alt_name || !*domain->alt_name) {
1244 return;
1245 }
1246
1247 if (domain->initialized && !domain->active_directory) {
1248 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1249 domain->alt_name));
1250 return;
1251 }
1252
1253 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1254 kdc = addr;
1255 if (!*kdc) {
1256 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1257 domain->alt_name));
1258 kdc = domain->dcname;
1259 }
1260
1261 if (!kdc || !*kdc) {
1262 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1263 domain->alt_name));
1264 return;
1265 }
1266
1267 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1268 domain->alt_name) == -1) {
1269 return;
1270 }
1271
1272 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1273 var, kdc));
1274
1275 setenv(var, kdc, 1);
1276 free(var);
1277 }
1278
1279 /*********************************************************************
1280 ********************************************************************/
1281
1282 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1283 {
1284 struct winbindd_domain *our_dom = find_our_domain();
1285
1286 winbindd_set_locator_kdc_env(domain);
1287
1288 if (domain != our_dom) {
1289 winbindd_set_locator_kdc_env(our_dom);
1290 }
1291 }
1292
1293 /*********************************************************************
1294 ********************************************************************/
1295
1296 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1297 {
1298 char *var = NULL;
1299
1300 if (!domain || !domain->alt_name || !*domain->alt_name) {
1301 return;
1302 }
1303
1304 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1305 domain->alt_name) == -1) {
1306 return;
1307 }
1308
1309 unsetenv(var);
1310 free(var);
1311 }
1312 #else
1313
1314 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1315 {
1316 return;
1317 }
1318
1319 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1320 {
1321 return;
1322 }
1323
1324 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1325
1326 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1327 {
1328 resp->data.auth.nt_status = NT_STATUS_V(result);
1329 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1330
1331 /* we might have given a more useful error above */
1332 if (*resp->data.auth.error_string == '\0')
1333 fstrcpy(resp->data.auth.error_string,
1334 get_friendly_nt_error_msg(result));
1335 resp->data.auth.pam_error = nt_status_to_pam(result);
1336 }
1337
1338 bool is_domain_offline(const struct winbindd_domain *domain)
1339 {
1340 if (!lp_winbind_offline_logon()) {
1341 return false;
1342 }
1343 if (get_global_winbindd_state_offline()) {
1344 return true;
1345 }
1346 return !domain->online;
1347 }
1348
1349 bool is_domain_online(const struct winbindd_domain *domain)
1350 {
1351 return !is_domain_offline(domain);
1352 }
1353
1354 /**
1355 * Parse an char array into a list of sids.
1356 *
1357 * The input sidstr should consist of 0-terminated strings
1358 * representing sids, separated by newline characters '\n'.
1359 * The list is terminated by an empty string, i.e.
1360 * character '\0' directly following a character '\n'
1361 * (or '\0' right at the start of sidstr).
1362 */
1363 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1364 struct dom_sid **sids, uint32_t *num_sids)
1365 {
1366 const char *p;
1367
1368 p = sidstr;
1369 if (p == NULL)
1370 return False;
1371
1372 while (p[0] != '\0') {
1373 struct dom_sid sid;
1374 const char *q = NULL;
1375
1376 if (!dom_sid_parse_endp(p, &sid, &q)) {
1377 DEBUG(1, ("Could not parse sid %s\n", p));
1378 return false;
1379 }
1380 if ((q == NULL) || (q[0] != '\n')) {
1381 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1382 return false;
1383 }
1384 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
1385 num_sids)))
1386 {
1387 return False;
1388 }
1389 p = q+1;
1390 }
1391 return True;
1392 }
Samba GIT mirror