s3-winbindd: Fix Bug #6711: trusts to windows 2008 (2008 r2) not working.
[Samba.git] / source3 / winbindd / winbindd.h
blob2e7d09f4424986c177eead585be49d95324af750
1 /*
2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
9 This library is free software; you can redistribute it and/or
10 modify it under the terms of the GNU Lesser General Public
11 License as published by the Free Software Foundation; either
12 version 3 of the License, or (at your option) any later version.
14 This library is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 Library General Public License for more details.
19 You should have received a copy of the GNU Lesser General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #ifndef _WINBINDD_H
24 #define _WINBINDD_H
26 #include "nsswitch/winbind_struct_protocol.h"
27 #include "nsswitch/libwbclient/wbclient.h"
28 #include "librpc/gen_ndr/wbint.h"
30 #ifdef HAVE_LIBNSCD
31 #include <libnscd.h>
32 #endif
34 #ifdef HAVE_SYS_MMAN_H
35 #include <sys/mman.h>
36 #endif
38 #undef DBGC_CLASS
39 #define DBGC_CLASS DBGC_WINBIND
41 #define WB_REPLACE_CHAR '_'
43 struct sid_ctr {
44 DOM_SID *sid;
45 bool finished;
46 const char *domain;
47 const char *name;
48 enum lsa_SidType type;
51 struct winbindd_cli_state {
52 struct winbindd_cli_state *prev, *next; /* Linked list pointers */
53 int sock; /* Open socket from client */
54 pid_t pid; /* pid of client */
55 time_t last_access; /* Time of last access (read or write) */
56 bool privileged; /* Is the client 'privileged' */
58 TALLOC_CTX *mem_ctx; /* memory per request */
59 NTSTATUS (*recv_fn)(struct tevent_req *req,
60 struct winbindd_response *presp);
61 struct winbindd_request *request; /* Request from client */
62 struct tevent_queue *out_queue;
63 struct winbindd_response *response; /* Respose to client */
64 bool getpwent_initialized; /* Has getpwent_state been
65 * initialized? */
66 bool getgrent_initialized; /* Has getgrent_state been
67 * initialized? */
68 struct getent_state *getgrent_state; /* State for getgrent() */
70 struct getpwent_state *pwent_state; /* State for getpwent() */
71 struct getgrent_state *grent_state; /* State for getgrent() */
74 /* State between get{pw,gr}ent() calls */
76 struct getent_state {
77 struct getent_state *prev, *next;
78 void *sam_entries;
79 uint32 sam_entry_index, num_sam_entries;
80 bool got_sam_entries;
81 fstring domain_name;
84 struct getpwent_state {
85 struct winbindd_domain *domain;
86 int next_user;
87 int num_users;
88 struct wbint_userinfo *users;
91 struct getgrent_state {
92 struct winbindd_domain *domain;
93 int next_group;
94 int num_groups;
95 struct wbint_Principal *groups;
98 /* Storage for cached getpwent() user entries */
100 struct getpwent_user {
101 fstring name; /* Account name */
102 fstring gecos; /* User information */
103 fstring homedir; /* User Home Directory */
104 fstring shell; /* User Login Shell */
105 DOM_SID user_sid; /* NT user and primary group SIDs */
106 DOM_SID group_sid;
109 /* Our connection to the DC */
111 struct winbindd_cm_conn {
112 struct cli_state *cli;
114 struct rpc_pipe_client *samr_pipe;
115 struct policy_handle sam_connect_handle, sam_domain_handle;
117 struct rpc_pipe_client *lsa_pipe;
118 struct rpc_pipe_client *lsa_pipe_tcp;
119 struct policy_handle lsa_policy;
121 struct rpc_pipe_client *netlogon_pipe;
124 struct winbindd_async_request;
126 /* Async child */
128 struct winbindd_domain;
130 struct winbindd_child_dispatch_table {
131 const char *name;
132 enum winbindd_cmd struct_cmd;
133 enum winbindd_result (*struct_fn)(struct winbindd_domain *domain,
134 struct winbindd_cli_state *state);
137 struct winbindd_child {
138 struct winbindd_child *next, *prev;
140 pid_t pid;
141 struct winbindd_domain *domain;
142 char *logfilename;
144 int sock;
145 struct tevent_queue *queue;
146 struct rpc_pipe_client *rpccli;
148 struct timed_event *lockout_policy_event;
149 struct timed_event *machine_password_change_event;
151 const struct winbindd_child_dispatch_table *table;
154 /* Structures to hold per domain information */
156 struct winbindd_domain {
157 fstring name; /* Domain name (NetBIOS) */
158 fstring alt_name; /* alt Domain name, if any (FQDN for ADS) */
159 fstring forest_name; /* Name of the AD forest we're in */
160 DOM_SID sid; /* SID for this domain */
161 uint32 domain_flags; /* Domain flags from netlogon.h */
162 uint32 domain_type; /* Domain type from netlogon.h */
163 uint32 domain_trust_attribs; /* Trust attribs from netlogon.h */
164 bool initialized; /* Did we already ask for the domain mode? */
165 bool native_mode; /* is this a win2k domain in native mode ? */
166 bool active_directory; /* is this a win2k active directory ? */
167 bool primary; /* is this our primary domain ? */
168 bool internal; /* BUILTIN and member SAM */
169 bool online; /* is this domain available ? */
170 time_t startup_time; /* When we set "startup" true. */
171 bool startup; /* are we in the first 30 seconds after startup_time ? */
173 bool can_do_samlogon_ex; /* Due to the lack of finer control what type
174 * of DC we have, let us try to do a
175 * credential-chain less samlogon_ex call
176 * with AD and schannel. If this fails with
177 * DCERPC_FAULT_OP_RNG_ERROR, then set this
178 * to False. This variable is around so that
179 * we don't have to try _ex every time. */
181 bool can_do_ncacn_ip_tcp;
183 /* Lookup methods for this domain (LDAP or RPC) */
184 struct winbindd_methods *methods;
186 /* the backend methods are used by the cache layer to find the right
187 backend */
188 struct winbindd_methods *backend;
190 /* Private data for the backends (used for connection cache) */
192 void *private_data;
195 * idmap config settings, used to tell the idmap child which
196 * special domain config to use for a mapping
198 bool have_idmap_config;
199 uint32_t id_range_low, id_range_high;
201 /* A working DC */
202 pid_t dc_probe_pid; /* Child we're using to detect the DC. */
203 fstring dcname;
204 struct sockaddr_storage dcaddr;
206 /* Sequence number stuff */
208 time_t last_seq_check;
209 uint32 sequence_number;
210 NTSTATUS last_status;
212 /* The smb connection */
214 struct winbindd_cm_conn conn;
216 /* The child pid we're talking to */
218 struct winbindd_child child;
220 /* Callback we use to try put us back online. */
222 uint32 check_online_timeout;
223 struct timed_event *check_online_event;
225 /* Linked list info */
227 struct winbindd_domain *prev, *next;
230 /* per-domain methods. This is how LDAP vs RPC is selected
232 struct winbindd_methods {
233 /* does this backend provide a consistent view of the data? (ie. is the primary group
234 always correct) */
235 bool consistent;
237 /* get a list of users, returning a wbint_userinfo for each one */
238 NTSTATUS (*query_user_list)(struct winbindd_domain *domain,
239 TALLOC_CTX *mem_ctx,
240 uint32 *num_entries,
241 struct wbint_userinfo **info);
243 /* get a list of domain groups */
244 NTSTATUS (*enum_dom_groups)(struct winbindd_domain *domain,
245 TALLOC_CTX *mem_ctx,
246 uint32 *num_entries,
247 struct acct_info **info);
249 /* get a list of domain local groups */
250 NTSTATUS (*enum_local_groups)(struct winbindd_domain *domain,
251 TALLOC_CTX *mem_ctx,
252 uint32 *num_entries,
253 struct acct_info **info);
255 /* convert one user or group name to a sid */
256 NTSTATUS (*name_to_sid)(struct winbindd_domain *domain,
257 TALLOC_CTX *mem_ctx,
258 const char *domain_name,
259 const char *name,
260 uint32_t flags,
261 DOM_SID *sid,
262 enum lsa_SidType *type);
264 /* convert a sid to a user or group name */
265 NTSTATUS (*sid_to_name)(struct winbindd_domain *domain,
266 TALLOC_CTX *mem_ctx,
267 const DOM_SID *sid,
268 char **domain_name,
269 char **name,
270 enum lsa_SidType *type);
272 NTSTATUS (*rids_to_names)(struct winbindd_domain *domain,
273 TALLOC_CTX *mem_ctx,
274 const DOM_SID *domain_sid,
275 uint32 *rids,
276 size_t num_rids,
277 char **domain_name,
278 char ***names,
279 enum lsa_SidType **types);
281 /* lookup user info for a given SID */
282 NTSTATUS (*query_user)(struct winbindd_domain *domain,
283 TALLOC_CTX *mem_ctx,
284 const DOM_SID *user_sid,
285 struct wbint_userinfo *user_info);
287 /* lookup all groups that a user is a member of. The backend
288 can also choose to lookup by username or rid for this
289 function */
290 NTSTATUS (*lookup_usergroups)(struct winbindd_domain *domain,
291 TALLOC_CTX *mem_ctx,
292 const DOM_SID *user_sid,
293 uint32 *num_groups, DOM_SID **user_gids);
295 /* Lookup all aliases that the sids delivered are member of. This is
296 * to implement 'domain local groups' correctly */
297 NTSTATUS (*lookup_useraliases)(struct winbindd_domain *domain,
298 TALLOC_CTX *mem_ctx,
299 uint32 num_sids,
300 const DOM_SID *sids,
301 uint32 *num_aliases,
302 uint32 **alias_rids);
304 /* find all members of the group with the specified group_rid */
305 NTSTATUS (*lookup_groupmem)(struct winbindd_domain *domain,
306 TALLOC_CTX *mem_ctx,
307 const DOM_SID *group_sid,
308 enum lsa_SidType type,
309 uint32 *num_names,
310 DOM_SID **sid_mem, char ***names,
311 uint32 **name_types);
313 /* return the current global sequence number */
314 NTSTATUS (*sequence_number)(struct winbindd_domain *domain, uint32 *seq);
316 /* return the lockout policy */
317 NTSTATUS (*lockout_policy)(struct winbindd_domain *domain,
318 TALLOC_CTX *mem_ctx,
319 struct samr_DomInfo12 *lockout_policy);
321 /* return the lockout policy */
322 NTSTATUS (*password_policy)(struct winbindd_domain *domain,
323 TALLOC_CTX *mem_ctx,
324 struct samr_DomInfo1 *password_policy);
326 /* enumerate trusted domains */
327 NTSTATUS (*trusted_domains)(struct winbindd_domain *domain,
328 TALLOC_CTX *mem_ctx,
329 uint32 *num_domains,
330 char ***names,
331 char ***alt_names,
332 DOM_SID **dom_sids);
335 /* Filled out by IDMAP backends */
336 struct winbindd_idmap_methods {
337 /* Called when backend is first loaded */
338 bool (*init)(void);
340 bool (*get_sid_from_uid)(uid_t uid, DOM_SID *sid);
341 bool (*get_sid_from_gid)(gid_t gid, DOM_SID *sid);
343 bool (*get_uid_from_sid)(DOM_SID *sid, uid_t *uid);
344 bool (*get_gid_from_sid)(DOM_SID *sid, gid_t *gid);
346 /* Called when backend is unloaded */
347 bool (*close)(void);
348 /* Called to dump backend status */
349 void (*status)(void);
352 /* Data structures for dealing with the trusted domain cache */
354 struct winbindd_tdc_domain {
355 const char *domain_name;
356 const char *dns_name;
357 DOM_SID sid;
358 uint32 trust_flags;
359 uint32 trust_attribs;
360 uint32 trust_type;
363 /* Switch for listing users or groups */
364 enum ent_type {
365 LIST_USERS = 0,
366 LIST_GROUPS,
369 struct WINBINDD_MEMORY_CREDS {
370 struct WINBINDD_MEMORY_CREDS *next, *prev;
371 const char *username; /* lookup key. */
372 uid_t uid;
373 int ref_count;
374 size_t len;
375 uint8_t *nt_hash; /* Base pointer for the following 2 */
376 uint8_t *lm_hash;
377 char *pass;
380 struct WINBINDD_CCACHE_ENTRY {
381 struct WINBINDD_CCACHE_ENTRY *next, *prev;
382 const char *principal_name;
383 const char *ccname;
384 const char *service;
385 const char *username;
386 const char *realm;
387 struct WINBINDD_MEMORY_CREDS *cred_ptr;
388 int ref_count;
389 uid_t uid;
390 time_t create_time;
391 time_t renew_until;
392 time_t refresh_time;
393 struct timed_event *event;
396 #include "winbindd/winbindd_proto.h"
398 #define WINBINDD_ESTABLISH_LOOP 30
399 #define WINBINDD_RESCAN_FREQ lp_winbind_cache_time()
400 #define WINBINDD_PAM_AUTH_KRB5_RENEW_TIME 2592000 /* one month */
401 #define DOM_SEQUENCE_NONE ((uint32)-1)
403 #define IS_DOMAIN_OFFLINE(x) ( lp_winbind_offline_logon() && \
404 ( get_global_winbindd_state_offline() \
405 || !(x)->online ) )
406 #define IS_DOMAIN_ONLINE(x) (!IS_DOMAIN_OFFLINE(x))
408 #endif /* _WINBINDD_H */