search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Machines are people too!
[Samba.git] / source / nsswitch / winbindd_util.c
blob18946652e265ec4f95fdfafe448eb81adb8f8705
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_WINBIND
29
30 /**
31 * @file winbindd_util.c
32 *
33 * Winbind daemon for NT domain authentication nss module.
34 **/
35
36
37 /**
38 * Used to clobber name fields that have an undefined value.
39 *
40 * Correct code should never look at a field that has this value.
41 **/
42
43 static const fstring name_deadbeef = "<deadbeef>";
44
45 /* The list of trusted domains. Note that the list can be deleted and
46 recreated using the init_domain_list() function so pointers to
47 individual winbindd_domain structures cannot be made. Keep a copy of
48 the domain name instead. */
49
50 static struct winbindd_domain *_domain_list;
51
52 struct winbindd_domain *domain_list(void)
53 {
54 /* Initialise list */
55
56 if (!_domain_list)
57 if (!init_domain_list())
58 return NULL;
59
60 return _domain_list;
61 }
62
63 /* Free all entries in the trusted domain list */
64
65 void free_domain_list(void)
66 {
67 struct winbindd_domain *domain = _domain_list;
68
69 while(domain) {
70 struct winbindd_domain *next = domain->next;
71
72 DLIST_REMOVE(_domain_list, domain);
73 SAFE_FREE(domain);
74 domain = next;
75 }
76 }
77
78
79 /* Add a trusted domain to our list of domains */
80 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
81 struct winbindd_methods *methods,
82 DOM_SID *sid)
83 {
84 struct winbindd_domain *domain;
85 const char *alternative_name = NULL;
86
87 /* ignore alt_name if we are not in an AD domain */
88
89 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
90 alternative_name = alt_name;
91 }
92
93 /* We can't call domain_list() as this function is called from
94 init_domain_list() and we'll get stuck in a loop. */
95 for (domain = _domain_list; domain; domain = domain->next) {
96 if (strequal(domain_name, domain->name) ||
97 strequal(domain_name, domain->alt_name)) {
98 return domain;
99 }
100 if (alternative_name && *alternative_name) {
101 if (strequal(alternative_name, domain->name) ||
102 strequal(alternative_name, domain->alt_name)) {
103 return domain;
104 }
105 }
106 }
107
108 /* Create new domain entry */
109
110 if ((domain = (struct winbindd_domain *)
111 malloc(sizeof(*domain))) == NULL)
112 return NULL;
113
114 /* Fill in fields */
115
116 ZERO_STRUCTP(domain);
117
118 /* prioritise the short name */
119 if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
120 fstrcpy(domain->name, alternative_name);
121 fstrcpy(domain->alt_name, domain_name);
122 } else {
123 fstrcpy(domain->name, domain_name);
124 if (alternative_name) {
125 fstrcpy(domain->alt_name, alternative_name);
126 }
127 }
128
129 domain->methods = methods;
130 domain->backend = NULL;
131 domain->sequence_number = DOM_SEQUENCE_NONE;
132 domain->last_seq_check = 0;
133 if (sid) {
134 sid_copy(&domain->sid, sid);
135 }
136
137 /* see if this is a native mode win2k domain */
138
139 domain->native_mode = cm_check_for_native_mode_win2k( domain );
140
141 DEBUG(3,("add_trusted_domain: %s is a %s mode domain\n", domain->name,
142 domain->native_mode ? "native" : "mixed (or NT4)" ));
143
144 /* Link to domain list */
145 DLIST_ADD(_domain_list, domain);
146
147 DEBUG(1,("Added domain %s %s %s\n",
148 domain->name, domain->alt_name,
149 sid?sid_string_static(&domain->sid):""));
150
151 return domain;
152 }
153
154 /********************************************************************
155 Periodically we need to refresh the trusted domain cache for smbd
156 ********************************************************************/
157
158 void rescan_trusted_domains( void )
159 {
160 static time_t last_scan;
161 time_t now = time(NULL);
162 struct winbindd_domain *mydomain = NULL;
163
164 /* see if the time has come... */
165
166 if ( (now > last_scan) && ((now-last_scan) < WINBINDD_RESCAN_FREQ) )
167 return;
168
169 if ( (mydomain = find_our_domain()) == NULL ) {
170 DEBUG(0,("rescan_trusted_domains: Can't find my own domain!\n"));
171 return;
172 }
173
174 /* this will only add new domains we didn't already know about */
175
176 add_trusted_domains( mydomain );
177
178 last_scan = now;
179
180 return;
181 }
182
183 /********************************************************************
184 rescan our domains looking for new trusted domains
185 ********************************************************************/
186
187 void add_trusted_domains( struct winbindd_domain *domain )
188 {
189 TALLOC_CTX *mem_ctx;
190 NTSTATUS result;
191 time_t t;
192 char **names;
193 char **alt_names;
194 int num_domains = 0;
195 DOM_SID *dom_sids, null_sid;
196 int i;
197 struct winbindd_domain *new_domain;
198
199 /* trusted domains might be disabled */
200 if (!lp_allow_trusted_domains()) {
201 return;
202 }
203
204 DEBUG(5, ("scanning trusted domain list\n"));
205
206 if (!(mem_ctx = talloc_init("init_domain_list")))
207 return;
208
209 ZERO_STRUCTP(&null_sid);
210
211 t = time(NULL);
212
213 /* ask the DC what domains it trusts */
214
215 result = domain->methods->trusted_domains(domain, mem_ctx, (unsigned int *)&num_domains,
216 &names, &alt_names, &dom_sids);
217
218 if ( NT_STATUS_IS_OK(result) ) {
219
220 /* Add each domain to the trusted domain list */
221
222 for(i = 0; i < num_domains; i++) {
223 DEBUG(10,("Found domain %s\n", names[i]));
224 add_trusted_domain(names[i], alt_names?alt_names[i]:NULL,
225 domain->methods, &dom_sids[i]);
226
227 /* if the SID was empty, we better set it now */
228
229 if ( sid_equal(&dom_sids[i], &null_sid) ) {
230
231 new_domain = find_domain_from_name(names[i]);
232
233 /* this should never happen */
234 if ( !new_domain ) {
235 DEBUG(0,("rescan_trust_domains: can't find the domain I just added! [%s]\n",
236 names[i]));
237 break;
238 }
239
240 /* call the cache method; which will operate on the winbindd_domain \
241 passed in and choose either rpc or ads as appropriate */
242
243 result = domain->methods->domain_sid( new_domain, &new_domain->sid );
244
245 if ( NT_STATUS_IS_OK(result) )
246 sid_copy( &dom_sids[i], &new_domain->sid );
247 }
248
249 /* store trusted domain in the cache */
250 trustdom_cache_store(names[i], alt_names ? alt_names[i] : NULL,
251 &dom_sids[i], t + WINBINDD_RESCAN_FREQ);
252 }
253 }
254
255 talloc_destroy(mem_ctx);
256 }
257
258 /* Look up global info for the winbind daemon */
259 BOOL init_domain_list(void)
260 {
261 extern struct winbindd_methods cache_methods;
262 struct winbindd_domain *domain;
263
264 /* Free existing list */
265 free_domain_list();
266
267 /* Add ourselves as the first entry. It *must* be the first entry */
268
269 domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL);
270
271 domain->primary = True;
272
273 /* get any alternate name for the primary domain */
274
275 cache_methods.alternate_name(domain);
276
277 /* now we have the correct netbios (short) domain name */
278
279 if ( *domain->name )
280 set_global_myworkgroup( domain->name );
281
282 if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
283 DEBUG(1, ("Could not fetch sid for our domain %s\n",
284 domain->name));
285 return False;
286 }
287
288 /* do an initial scan for trusted domains */
289 add_trusted_domains(domain);
290
291 return True;
292 }
293
294 /**
295 * Given a domain name, return the struct winbindd domain info for it
296 *
297 * @note Do *not* pass lp_workgroup() to this function. domain_list
298 * may modify it's value, and free that pointer. Instead, our local
299 * domain may be found by calling find_our_domain().
300 * directly.
301 *
302 *
303 * @return The domain structure for the named domain, if it is working.
304 */
305
306 struct winbindd_domain *find_domain_from_name(const char *domain_name)
307 {
308 struct winbindd_domain *domain;
309
310 /* Search through list */
311
312 for (domain = domain_list(); domain != NULL; domain = domain->next) {
313 if (strequal(domain_name, domain->name) ||
314 (domain->alt_name[0] && strequal(domain_name, domain->alt_name))) {
315 return domain;
316 }
317 }
318
319 /* Not found */
320
321 return NULL;
322 }
323
324 /* Given a domain sid, return the struct winbindd domain info for it */
325
326 struct winbindd_domain *find_domain_from_sid(DOM_SID *sid)
327 {
328 struct winbindd_domain *domain;
329
330 /* Search through list */
331
332 for (domain = domain_list(); domain != NULL; domain = domain->next) {
333 if (sid_compare_domain(sid, &domain->sid) == 0)
334 return domain;
335 }
336
337 /* Not found */
338
339 return NULL;
340 }
341
342 /* Given a domain sid, return the struct winbindd domain info for it */
343
344 struct winbindd_domain *find_our_domain(void)
345 {
346 struct winbindd_domain *domain;
347
348 /* Search through list */
349
350 for (domain = domain_list(); domain != NULL; domain = domain->next) {
351 if (domain->primary)
352 return domain;
353 }
354
355 /* Not found */
356
357 return NULL;
358 }
359
360 /* Lookup a sid in a domain from a name */
361
362 BOOL winbindd_lookup_sid_by_name(struct winbindd_domain *domain,
363 const char *name, DOM_SID *sid,
364 enum SID_NAME_USE *type)
365 {
366 NTSTATUS result;
367 TALLOC_CTX *mem_ctx;
368
369 mem_ctx = talloc_init("lookup_sid_by_name for %s\n", name);
370 if (!mem_ctx)
371 return False;
372
373 /* Lookup name */
374 result = domain->methods->name_to_sid(domain, mem_ctx, name, sid, type);
375
376 talloc_destroy(mem_ctx);
377
378 /* Return rid and type if lookup successful */
379 if (!NT_STATUS_IS_OK(result)) {
380 *type = SID_NAME_UNKNOWN;
381 }
382
383 return NT_STATUS_IS_OK(result);
384 }
385
386 /**
387 * @brief Lookup a name in a domain from a sid.
388 *
389 * @param sid Security ID you want to look up.
390 * @param name On success, set to the name corresponding to @p sid.
391 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
392 * @param type On success, contains the type of name: alias, group or
393 * user.
394 * @retval True if the name exists, in which case @p name and @p type
395 * are set, otherwise False.
396 **/
397 BOOL winbindd_lookup_name_by_sid(DOM_SID *sid,
398 fstring dom_name,
399 fstring name,
400 enum SID_NAME_USE *type)
401 {
402 char *names;
403 NTSTATUS result;
404 TALLOC_CTX *mem_ctx;
405 BOOL rv = False;
406 struct winbindd_domain *domain;
407
408 domain = find_domain_from_sid(sid);
409
410 if (!domain) {
411 DEBUG(1,("Can't find domain from sid\n"));
412 return False;
413 }
414
415 /* Lookup name */
416
417 if (!(mem_ctx = talloc_init("winbindd_lookup_name_by_sid")))
418 return False;
419
420 result = domain->methods->sid_to_name(domain, mem_ctx, sid, &names, type);
421
422 /* Return name and type if successful */
423
424 if ((rv = NT_STATUS_IS_OK(result))) {
425 fstrcpy(dom_name, domain->name);
426 fstrcpy(name, names);
427 } else {
428 *type = SID_NAME_UNKNOWN;
429 fstrcpy(name, name_deadbeef);
430 }
431
432 talloc_destroy(mem_ctx);
433
434 return rv;
435 }
436
437
438 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
439
440 void free_getent_state(struct getent_state *state)
441 {
442 struct getent_state *temp;
443
444 /* Iterate over state list */
445
446 temp = state;
447
448 while(temp != NULL) {
449 struct getent_state *next;
450
451 /* Free sam entries then list entry */
452
453 SAFE_FREE(state->sam_entries);
454 DLIST_REMOVE(state, state);
455 next = temp->next;
456
457 SAFE_FREE(temp);
458 temp = next;
459 }
460 }
461
462 /* Parse winbindd related parameters */
463
464 BOOL winbindd_param_init(void)
465 {
466 /* Parse winbind uid and winbind_gid parameters */
467
468 if (!lp_idmap_uid(&server_state.uid_low, &server_state.uid_high)) {
469 DEBUG(0, ("winbindd: idmap uid range missing or invalid\n"));
470 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
471 return False;
472 }
473
474 if (!lp_idmap_gid(&server_state.gid_low, &server_state.gid_high)) {
475 DEBUG(0, ("winbindd: idmap gid range missing or invalid\n"));
476 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
477 return False;
478 }
479
480 return True;
481 }
482
483 /* Check if a domain is present in a comma-separated list of domains */
484
485 BOOL check_domain_env(char *domain_env, char *domain)
486 {
487 fstring name;
488 const char *tmp = domain_env;
489
490 while(next_token(&tmp, name, ",", sizeof(fstring))) {
491 if (strequal(name, domain))
492 return True;
493 }
494
495 return False;
496 }
497
498 /* Is this a domain which we may assume no DOMAIN\ prefix? */
499
500 static BOOL assume_domain(const char *domain) {
501 if ((lp_winbind_use_default_domain()
502 || lp_winbind_trusted_domains_only()) &&
503 strequal(lp_workgroup(), domain))
504 return True;
505
506 if (strequal(get_global_sam_name(), domain))
507 return True;
508
509 return False;
510 }
511
512 /* Parse a string of the form DOMAIN/user into a domain and a user */
513
514 BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
515 {
516 char *p = strchr(domuser,*lp_winbind_separator());
517
518 if ( !p ) {
519 fstrcpy(user, domuser);
520
521 if ( assume_domain(lp_workgroup())) {
522 fstrcpy(domain, lp_workgroup());
523 } else {
524 fstrcpy( domain, get_global_sam_name() );
525 }
526 }
527 else {
528 fstrcpy(user, p+1);
529 fstrcpy(domain, domuser);
530 domain[PTR_DIFF(p, domuser)] = 0;
531 }
532
533 strupper_m(domain);
534
535 return True;
536 }
537
538 /*
539 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
540 'winbind separator' options.
541 This means:
542 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
543 lp_workgroup()
544
545 If we are a PDC or BDC, and this is for our domain, do likewise.
546
547 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
548 username is then unqualified in unix
549
550 */
551 void fill_domain_username(fstring name, const char *domain, const char *user)
552 {
553 if (assume_domain(domain)) {
554 strlcpy(name, user, sizeof(fstring));
555 } else {
556 slprintf(name, sizeof(fstring) - 1, "%s%s%s",
557 domain, lp_winbind_separator(),
558 user);
559 }
560 }
561
562 /*
563 * Winbindd socket accessor functions
564 */
565
566 char *get_winbind_priv_pipe_dir(void)
567 {
568 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
569 }
570
571 /* Open the winbindd socket */
572
573 static int _winbindd_socket = -1;
574 static int _winbindd_priv_socket = -1;
575
576 int open_winbindd_socket(void)
577 {
578 if (_winbindd_socket == -1) {
579 _winbindd_socket = create_pipe_sock(
580 WINBINDD_SOCKET_DIR, WINBINDD_SOCKET_NAME, 0755);
581 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
582 _winbindd_socket));
583 }
584
585 return _winbindd_socket;
586 }
587
588 int open_winbindd_priv_socket(void)
589 {
590 if (_winbindd_priv_socket == -1) {
591 _winbindd_priv_socket = create_pipe_sock(
592 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
593 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
594 _winbindd_priv_socket));
595 }
596
597 return _winbindd_priv_socket;
598 }
599
600 /* Close the winbindd socket */
601
602 void close_winbindd_socket(void)
603 {
604 if (_winbindd_socket != -1) {
605 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
606 _winbindd_socket));
607 close(_winbindd_socket);
608 _winbindd_socket = -1;
609 }
610 if (_winbindd_priv_socket != -1) {
611 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
612 _winbindd_priv_socket));
613 close(_winbindd_priv_socket);
614 _winbindd_priv_socket = -1;
615 }
616 }
617
618 /*
619 * Client list accessor functions
620 */
621
622 static struct winbindd_cli_state *_client_list;
623 static int _num_clients;
624
625 /* Return list of all connected clients */
626
627 struct winbindd_cli_state *winbindd_client_list(void)
628 {
629 return _client_list;
630 }
631
632 /* Add a connection to the list */
633
634 void winbindd_add_client(struct winbindd_cli_state *cli)
635 {
636 DLIST_ADD(_client_list, cli);
637 _num_clients++;
638 }
639
640 /* Remove a client from the list */
641
642 void winbindd_remove_client(struct winbindd_cli_state *cli)
643 {
644 DLIST_REMOVE(_client_list, cli);
645 _num_clients--;
646 }
647
648 /* Close all open clients */
649
650 void winbindd_kill_all_clients(void)
651 {
652 struct winbindd_cli_state *cl = winbindd_client_list();
653
654 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
655
656 while (cl) {
657 struct winbindd_cli_state *next;
658
659 next = cl->next;
660 winbindd_remove_client(cl);
661 cl = next;
662 }
663 }
664
665 /* Return number of open clients */
666
667 int winbindd_num_clients(void)
668 {
669 return _num_clients;
670 }
671
672 /* Help with RID -> SID conversion */
673
674 DOM_SID *rid_to_talloced_sid(struct winbindd_domain *domain,
675 TALLOC_CTX *mem_ctx,
676 uint32 rid)
677 {
678 DOM_SID *sid;
679 sid = talloc(mem_ctx, sizeof(*sid));
680 if (!sid) {
681 smb_panic("rid_to_to_talloced_sid: talloc for DOM_SID failed!\n");
682 }
683 sid_copy(sid, &domain->sid);
684 sid_append_rid(sid, rid);
685 return sid;
686 }
687
688 /*****************************************************************************
689 For idmap conversion: convert one record to new format
690 Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
691 instead of the SID.
692 *****************************************************************************/
693 static int convert_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA data, void *state)
694 {
695 struct winbindd_domain *domain;
696 char *p;
697 DOM_SID sid;
698 uint32 rid;
699 fstring keystr;
700 fstring dom_name;
701 TDB_DATA key2;
702 BOOL *failed = (BOOL *)state;
703
704 DEBUG(10,("Converting %s\n", key.dptr));
705
706 p = strchr(key.dptr, '/');
707 if (!p)
708 return 0;
709
710 *p = 0;
711 fstrcpy(dom_name, key.dptr);
712 *p++ = '/';
713
714 domain = find_domain_from_name(dom_name);
715 if (domain == NULL) {
716 /* We must delete the old record. */
717 DEBUG(0,("Unable to find domain %s\n", dom_name ));
718 DEBUG(0,("deleting record %s\n", key.dptr ));
719
720 if (tdb_delete(tdb, key) != 0) {
721 DEBUG(0, ("Unable to delete record %s\n", key.dptr));
722 *failed = True;
723 return -1;
724 }
725
726 return 0;
727 }
728
729 rid = atoi(p);
730
731 sid_copy(&sid, &domain->sid);
732 sid_append_rid(&sid, rid);
733
734 sid_to_string(keystr, &sid);
735 key2.dptr = keystr;
736 key2.dsize = strlen(keystr) + 1;
737
738 if (tdb_store(tdb, key2, data, TDB_INSERT) != 0) {
739 DEBUG(0,("Unable to add record %s\n", key2.dptr ));
740 *failed = True;
741 return -1;
742 }
743
744 if (tdb_store(tdb, data, key2, TDB_REPLACE) != 0) {
745 DEBUG(0,("Unable to update record %s\n", data.dptr ));
746 *failed = True;
747 return -1;
748 }
749
750 if (tdb_delete(tdb, key) != 0) {
751 DEBUG(0,("Unable to delete record %s\n", key.dptr ));
752 *failed = True;
753 return -1;
754 }
755
756 return 0;
757 }
758
759 /* These definitions are from sam/idmap_tdb.c. Replicated here just
760 out of laziness.... :-( */
761
762 /* High water mark keys */
763 #define HWM_GROUP "GROUP HWM"
764 #define HWM_USER "USER HWM"
765
766 /* idmap version determines auto-conversion */
767 #define IDMAP_VERSION 2
768
769
770 /*****************************************************************************
771 Convert the idmap database from an older version.
772 *****************************************************************************/
773
774 static BOOL idmap_convert(const char *idmap_name)
775 {
776 int32 vers;
777 BOOL bigendianheader;
778 BOOL failed = False;
779 TDB_CONTEXT *idmap_tdb;
780
781 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
782 TDB_DEFAULT, O_RDWR,
783 0600))) {
784 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
785 return False;
786 }
787
788 bigendianheader = (idmap_tdb->flags & TDB_BIGENDIAN) ? True : False;
789
790 vers = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
791
792 if (((vers == -1) && bigendianheader) || (IREV(vers) == IDMAP_VERSION)) {
793 /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */
794 /*
795 * high and low records were created on a
796 * big endian machine and will need byte-reversing.
797 */
798
799 int32 wm;
800
801 wm = tdb_fetch_int32(idmap_tdb, HWM_USER);
802
803 if (wm != -1) {
804 wm = IREV(wm);
805 } else {
806 wm = server_state.uid_low;
807 }
808
809 if (tdb_store_int32(idmap_tdb, HWM_USER, wm) == -1) {
810 DEBUG(0, ("idmap_convert: Unable to byteswap user hwm in idmap database\n"));
811 tdb_close(idmap_tdb);
812 return False;
813 }
814
815 wm = tdb_fetch_int32(idmap_tdb, HWM_GROUP);
816 if (wm != -1) {
817 wm = IREV(wm);
818 } else {
819 wm = server_state.gid_low;
820 }
821
822 if (tdb_store_int32(idmap_tdb, HWM_GROUP, wm) == -1) {
823 DEBUG(0, ("idmap_convert: Unable to byteswap group hwm in idmap database\n"));
824 tdb_close(idmap_tdb);
825 return False;
826 }
827 }
828
829 /* the old format stored as DOMAIN/rid - now we store the SID direct */
830 tdb_traverse(idmap_tdb, convert_fn, &failed);
831
832 if (failed) {
833 DEBUG(0, ("Problem during conversion\n"));
834 tdb_close(idmap_tdb);
835 return False;
836 }
837
838 if (tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION) == -1) {
839 DEBUG(0, ("idmap_convert: Unable to dtore idmap version in databse\n"));
840 tdb_close(idmap_tdb);
841 return False;
842 }
843
844 tdb_close(idmap_tdb);
845 return True;
846 }
847
848 /*****************************************************************************
849 Convert the idmap database from an older version if necessary
850 *****************************************************************************/
851
852 BOOL winbindd_upgrade_idmap(void)
853 {
854 pstring idmap_name;
855 pstring backup_name;
856 SMB_STRUCT_STAT stbuf;
857 TDB_CONTEXT *idmap_tdb;
858
859 pstrcpy(idmap_name, lock_path("winbindd_idmap.tdb"));
860
861 if (!file_exist(idmap_name, &stbuf)) {
862 /* nothing to convert return */
863 return True;
864 }
865
866 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
867 TDB_DEFAULT, O_RDWR,
868 0600))) {
869 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
870 return False;
871 }
872
873 if (tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION") == IDMAP_VERSION) {
874 /* nothing to convert return */
875 tdb_close(idmap_tdb);
876 return True;
877 }
878
879 /* backup_tdb expects the tdb not to be open */
880 tdb_close(idmap_tdb);
881
882 DEBUG(0, ("Upgrading winbindd_idmap.tdb from an old version\n"));
883
884 pstrcpy(backup_name, idmap_name);
885 pstrcat(backup_name, ".bak");
886
887 if (backup_tdb(idmap_name, backup_name) != 0) {
888 DEBUG(0, ("Could not backup idmap database\n"));
889 return False;
890 }
891
892 return idmap_convert(idmap_name);
893 }
894
895 /*******************************************************************
896 wrapper around retrieving the trust account password
897 *******************************************************************/
898
899 BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16],
900 time_t *pass_last_set_time, uint32 *channel)
901 {
902 DOM_SID sid;
903 char *pwd;
904
905 /* if we are a DC and this is not our domain, then lookup an account
906 for the domain trust */
907
908 if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() )
909 {
910 if ( !secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
911 pass_last_set_time) )
912 {
913 DEBUG(0, ("get_trust_pw: could not fetch trust account "
914 "password for trusted domain %s\n", domain));
915 return False;
916 }
917
918 *channel = SEC_CHAN_DOMAIN;
919 E_md4hash(pwd, ret_pwd);
920 SAFE_FREE(pwd);
921
922 return True;
923 }
924 else /* just get the account for our domain (covers
925 ROLE_DOMAIN_MEMBER as well */
926 {
927 /* get the machine trust account for our domain */
928
929 if ( !secrets_fetch_trust_account_password (lp_workgroup(), ret_pwd,
930 pass_last_set_time, channel) )
931 {
932 DEBUG(0, ("get_trust_pw: could not fetch trust account "
933 "password for my domain %s\n", domain));
934 return False;
935 }
936
937 return True;
938 }
939
940 /* Failure */
941 }
942
Samba GIT mirror