search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r22704: Implement three step method for enumerating domain trusts.
[Samba.git] / source / nsswitch / winbindd_util.c
blob56de808c2dc56cf13764c04932272f92313f162b
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_WINBIND
29
30 extern struct winbindd_methods cache_methods;
31 extern struct winbindd_methods passdb_methods;
32
33 /**
34 * @file winbindd_util.c
35 *
36 * Winbind daemon for NT domain authentication nss module.
37 **/
38
39 /* The list of trusted domains. Note that the list can be deleted and
40 recreated using the init_domain_list() function so pointers to
41 individual winbindd_domain structures cannot be made. Keep a copy of
42 the domain name instead. */
43
44 static struct winbindd_domain *_domain_list;
45
46 /**
47 When was the last scan of trusted domains done?
48
49 0 == not ever
50 */
51
52 static time_t last_trustdom_scan;
53
54 struct winbindd_domain *domain_list(void)
55 {
56 /* Initialise list */
57
58 if ((!_domain_list) && (!init_domain_list())) {
59 smb_panic("Init_domain_list failed\n");
60 }
61
62 return _domain_list;
63 }
64
65 /* Free all entries in the trusted domain list */
66
67 void free_domain_list(void)
68 {
69 struct winbindd_domain *domain = _domain_list;
70
71 while(domain) {
72 struct winbindd_domain *next = domain->next;
73
74 DLIST_REMOVE(_domain_list, domain);
75 SAFE_FREE(domain);
76 domain = next;
77 }
78 }
79
80 static BOOL is_internal_domain(const DOM_SID *sid)
81 {
82 if (sid == NULL)
83 return False;
84
85 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
86 }
87
88 static BOOL is_in_internal_domain(const DOM_SID *sid)
89 {
90 if (sid == NULL)
91 return False;
92
93 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
94 }
95
96
97 /* Add a trusted domain to our list of domains */
98 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
99 struct winbindd_methods *methods,
100 const DOM_SID *sid)
101 {
102 struct winbindd_domain *domain;
103 const char *alternative_name = NULL;
104
105 /* ignore alt_name if we are not in an AD domain */
106
107 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
108 alternative_name = alt_name;
109 }
110
111 /* We can't call domain_list() as this function is called from
112 init_domain_list() and we'll get stuck in a loop. */
113 for (domain = _domain_list; domain; domain = domain->next) {
114 if (strequal(domain_name, domain->name) ||
115 strequal(domain_name, domain->alt_name))
116 {
117 break;
118 }
119
120 if (alternative_name && *alternative_name)
121 {
122 if (strequal(alternative_name, domain->name) ||
123 strequal(alternative_name, domain->alt_name))
124 {
125 break;
126 }
127 }
128
129 if (sid)
130 {
131 if (is_null_sid(sid)) {
132 continue;
133 }
134
135 if (sid_equal(sid, &domain->sid)) {
136 break;
137 }
138 }
139 }
140
141 /* See if we found a match. Check if we need to update the
142 SID. */
143
144 if ( domain ) {
145 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
146 sid_copy( &domain->sid, sid );
147
148 return domain;
149 }
150
151 /* Create new domain entry */
152
153 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
154 return NULL;
155
156 /* Fill in fields */
157
158 ZERO_STRUCTP(domain);
159
160 /* prioritise the short name */
161 if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
162 fstrcpy(domain->name, alternative_name);
163 fstrcpy(domain->alt_name, domain_name);
164 } else {
165 fstrcpy(domain->name, domain_name);
166 if (alternative_name) {
167 fstrcpy(domain->alt_name, alternative_name);
168 }
169 }
170
171 domain->methods = methods;
172 domain->backend = NULL;
173 domain->internal = is_internal_domain(sid);
174 domain->sequence_number = DOM_SEQUENCE_NONE;
175 domain->last_seq_check = 0;
176 domain->initialized = False;
177 domain->online = is_internal_domain(sid);
178 domain->check_online_timeout = 0;
179 if (sid) {
180 sid_copy(&domain->sid, sid);
181 }
182
183 /* Link to domain list */
184 DLIST_ADD(_domain_list, domain);
185
186 wcache_tdc_add_domain( domain );
187
188 DEBUG(2,("Added domain %s %s %s\n",
189 domain->name, domain->alt_name,
190 &domain->sid?sid_string_static(&domain->sid):""));
191
192 return domain;
193 }
194
195 /********************************************************************
196 rescan our domains looking for new trusted domains
197 ********************************************************************/
198
199 struct trustdom_state {
200 TALLOC_CTX *mem_ctx;
201 BOOL primary;
202 BOOL forest_root;
203 struct winbindd_response *response;
204 };
205
206 static void trustdom_recv(void *private_data, BOOL success);
207 static void rescan_forest_root_trusts( void );
208 static void rescan_forest_trusts( void );
209
210 static void add_trusted_domains( struct winbindd_domain *domain )
211 {
212 TALLOC_CTX *mem_ctx;
213 struct winbindd_request *request;
214 struct winbindd_response *response;
215 uint32 fr_flags = (DS_DOMAIN_TREE_ROOT|DS_DOMAIN_IN_FOREST);
216
217 struct trustdom_state *state;
218
219 mem_ctx = talloc_init("add_trusted_domains");
220 if (mem_ctx == NULL) {
221 DEBUG(0, ("talloc_init failed\n"));
222 return;
223 }
224
225 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
226 response = TALLOC_P(mem_ctx, struct winbindd_response);
227 state = TALLOC_P(mem_ctx, struct trustdom_state);
228
229 if ((request == NULL) || (response == NULL) || (state == NULL)) {
230 DEBUG(0, ("talloc failed\n"));
231 talloc_destroy(mem_ctx);
232 return;
233 }
234
235 state->mem_ctx = mem_ctx;
236 state->response = response;
237
238 /* Flags used to know how to continue the forest trust search */
239
240 state->primary = domain->primary;
241 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
242
243 request->length = sizeof(*request);
244 request->cmd = WINBINDD_LIST_TRUSTDOM;
245
246 async_domain_request(mem_ctx, domain, request, response,
247 trustdom_recv, state);
248 }
249
250 static void trustdom_recv(void *private_data, BOOL success)
251 {
252 struct trustdom_state *state =
253 talloc_get_type_abort(private_data, struct trustdom_state);
254 struct winbindd_response *response = state->response;
255 char *p;
256
257 if ((!success) || (response->result != WINBINDD_OK)) {
258 DEBUG(1, ("Could not receive trustdoms\n"));
259 talloc_destroy(state->mem_ctx);
260 return;
261 }
262
263 p = (char *)response->extra_data.data;
264
265 while ((p != NULL) && (*p != '\0')) {
266 char *q, *sidstr, *alt_name;
267 DOM_SID sid;
268 struct winbindd_domain *domain;
269 char *alternate_name = NULL;
270
271 alt_name = strchr(p, '\\');
272 if (alt_name == NULL) {
273 DEBUG(0, ("Got invalid trustdom response\n"));
274 break;
275 }
276
277 *alt_name = '\0';
278 alt_name += 1;
279
280 sidstr = strchr(alt_name, '\\');
281 if (sidstr == NULL) {
282 DEBUG(0, ("Got invalid trustdom response\n"));
283 break;
284 }
285
286 *sidstr = '\0';
287 sidstr += 1;
288
289 q = strchr(sidstr, '\n');
290 if (q != NULL)
291 *q = '\0';
292
293 if (!string_to_sid(&sid, sidstr)) {
294 /* Allow NULL sid for sibling domains */
295 if ( strcmp(sidstr,"S-0-0") == 0) {
296 sid_copy( &sid, &global_sid_NULL);
297 } else {
298 DEBUG(0, ("Got invalid trustdom response\n"));
299 break;
300 }
301 }
302
303 /* use the real alt_name if we have one, else pass in NULL */
304
305 if ( !strequal( alt_name, "(null)" ) )
306 alternate_name = alt_name;
307
308 /* If we have an existing domain structure, calling
309 add_trusted_domain() will update the SID if
310 necessary. This is important because we need the
311 SID for sibling domains */
312
313 if ( find_domain_from_name_noinit(p) != NULL ) {
314 domain = add_trusted_domain(p, alternate_name,
315 &cache_methods,
316 &sid);
317 } else {
318 domain = add_trusted_domain(p, alternate_name,
319 &cache_methods,
320 &sid);
321 setup_domain_child(domain, &domain->child, NULL);
322 }
323 p=q;
324 if (p != NULL)
325 p += 1;
326 }
327
328 SAFE_FREE(response->extra_data.data);
329
330 /*
331 Cases to consider when scanning trusts:
332 (a) we are calling from a child domain (primary && !forest_root)
333 (b) we are calling from the root of the forest (primary && forest_root)
334 (c) we are calling from a trusted forest domain (!primary
335 && !forest_root)
336 */
337
338 if ( state->primary ) {
339 /* If this is our primary domain and we are not the in the
340 forest root, we have to scan the root trusts first */
341
342 if ( !state->forest_root )
343 rescan_forest_root_trusts();
344 else
345 rescan_forest_trusts();
346
347 } else if ( state->forest_root ) {
348 /* Once we have done root forest trust search, we can
349 go on to search thing trusted forests */
350
351 rescan_forest_trusts();
352 }
353
354 talloc_destroy(state->mem_ctx);
355
356 return;
357 }
358
359 /********************************************************************
360 Scan the trusts of our forest root
361 ********************************************************************/
362
363 static void rescan_forest_root_trusts( void )
364 {
365 struct winbindd_tdc_domain *dom_list = NULL;
366 size_t num_trusts = 0;
367 int i;
368
369 /* The only transitive trusts supported by Windows 2003 AD are
370 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
371 first two are handled in forest and listed by
372 DsEnumerateDomainTrusts(). Forest trusts are not so we
373 have to do that ourselves. */
374
375 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
376 return;
377
378 for ( i=0; i<num_trusts; i++ ) {
379 struct winbindd_domain *d = NULL;
380
381 /* Find the forest root. Don't necessarily trust
382 the domain_list() as our primary domain may not
383 have been initialized. */
384
385 if ( !(dom_list[i].trust_flags & DS_DOMAIN_TREE_ROOT) ) {
386 continue;
387 }
388
389 /* Here's the forest root */
390
391 d = find_domain_from_name_noinit( dom_list[i].domain_name );
392
393 if ( !d ) {
394 d = add_trusted_domain( dom_list[i].domain_name,
395 dom_list[i].dns_name,
396 &cache_methods,
397 &dom_list[i].sid );
398 }
399
400 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
401 "for domain tree root %s (%s)\n",
402 d->name, d->alt_name ));
403
404 d->domain_flags = dom_list[i].trust_flags;
405 d->domain_type = dom_list[i].trust_type;
406 d->domain_trust_attribs = dom_list[i].trust_attribs;
407
408 add_trusted_domains( d );
409
410 break;
411 }
412
413 TALLOC_FREE( dom_list );
414
415 return;
416 }
417
418 /********************************************************************
419 scan the transitive forest trists (not our own)
420 ********************************************************************/
421
422
423 static void rescan_forest_trusts( void )
424 {
425 struct winbindd_domain *d = NULL;
426 struct winbindd_tdc_domain *dom_list = NULL;
427 size_t num_trusts = 0;
428 int i;
429
430 /* The only transitive trusts supported by Windows 2003 AD are
431 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
432 first two are handled in forest and listed by
433 DsEnumerateDomainTrusts(). Forest trusts are not so we
434 have to do that ourselves. */
435
436 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
437 return;
438
439 for ( i=0; i<num_trusts; i++ ) {
440 uint32 flags = dom_list[i].trust_flags;
441 uint32 type = dom_list[i].trust_type;
442 uint32 attribs = dom_list[i].trust_attribs;
443
444 d = find_domain_from_name_noinit( dom_list[i].domain_name );
445
446 /* ignore our primary and internal domains */
447
448 if ( d && (d->internal || d->primary ) )
449 continue;
450
451 if ( (flags & DS_DOMAIN_DIRECT_INBOUND) &&
452 (type == DS_DOMAIN_TRUST_TYPE_UPLEVEL) &&
453 (attribs == DS_DOMAIN_TRUST_ATTRIB_FOREST_TRANSITIVE) )
454 {
455 /* add the trusted domain if we don't know
456 about it */
457
458 if ( !d ) {
459 d = add_trusted_domain( dom_list[i].domain_name,
460 dom_list[i].dns_name,
461 &cache_methods,
462 &dom_list[i].sid );
463 }
464
465 DEBUG(10,("Following trust path for domain %s (%s)\n",
466 d->name, d->alt_name ));
467 add_trusted_domains( d );
468 }
469 }
470
471 TALLOC_FREE( dom_list );
472
473 return;
474 }
475
476 /*********************************************************************
477 The process of updating the trusted domain list is a three step
478 async process:
479 (a) ask our domain
480 (b) ask the root domain in our forest
481 (c) ask the a DC in any Win2003 trusted forests
482 *********************************************************************/
483
484 void rescan_trusted_domains( void )
485 {
486 time_t now = time(NULL);
487
488 /* see if the time has come... */
489
490 if ((now >= last_trustdom_scan) &&
491 ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
492 return;
493
494 /* clear the TRUSTDOM cache first */
495
496 wcache_tdc_clear();
497
498 /* this will only add new domains we didn't already know about
499 in the domain_list()*/
500
501 add_trusted_domains( find_our_domain() );
502
503 last_trustdom_scan = now;
504
505 return;
506 }
507
508 struct init_child_state {
509 TALLOC_CTX *mem_ctx;
510 struct winbindd_domain *domain;
511 struct winbindd_request *request;
512 struct winbindd_response *response;
513 void (*continuation)(void *private_data, BOOL success);
514 void *private_data;
515 };
516
517 static void init_child_recv(void *private_data, BOOL success);
518 static void init_child_getdc_recv(void *private_data, BOOL success);
519
520 enum winbindd_result init_child_connection(struct winbindd_domain *domain,
521 void (*continuation)(void *private_data,
522 BOOL success),
523 void *private_data)
524 {
525 TALLOC_CTX *mem_ctx;
526 struct winbindd_request *request;
527 struct winbindd_response *response;
528 struct init_child_state *state;
529 struct winbindd_domain *request_domain;
530
531 mem_ctx = talloc_init("init_child_connection");
532 if (mem_ctx == NULL) {
533 DEBUG(0, ("talloc_init failed\n"));
534 return WINBINDD_ERROR;
535 }
536
537 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
538 response = TALLOC_P(mem_ctx, struct winbindd_response);
539 state = TALLOC_P(mem_ctx, struct init_child_state);
540
541 if ((request == NULL) || (response == NULL) || (state == NULL)) {
542 DEBUG(0, ("talloc failed\n"));
543 TALLOC_FREE(mem_ctx);
544 continuation(private_data, False);
545 return WINBINDD_ERROR;
546 }
547
548 request->length = sizeof(*request);
549
550 state->mem_ctx = mem_ctx;
551 state->domain = domain;
552 state->request = request;
553 state->response = response;
554 state->continuation = continuation;
555 state->private_data = private_data;
556
557 if (IS_DC || domain->primary) {
558 /* The primary domain has to find the DC name itself */
559 request->cmd = WINBINDD_INIT_CONNECTION;
560 fstrcpy(request->domain_name, domain->name);
561 request->data.init_conn.is_primary = True;
562 fstrcpy(request->data.init_conn.dcname, "");
563 async_request(mem_ctx, &domain->child, request, response,
564 init_child_recv, state);
565 return WINBINDD_PENDING;
566 }
567
568 /* This is *not* the primary domain, let's ask our DC about a DC
569 * name */
570
571 request->cmd = WINBINDD_GETDCNAME;
572 fstrcpy(request->domain_name, domain->name);
573
574 request_domain = find_our_domain();
575
576 async_domain_request(mem_ctx, request_domain, request, response,
577 init_child_getdc_recv, state);
578 return WINBINDD_PENDING;
579 }
580
581 static void init_child_getdc_recv(void *private_data, BOOL success)
582 {
583 struct init_child_state *state =
584 talloc_get_type_abort(private_data, struct init_child_state);
585 const char *dcname = "";
586
587 DEBUG(10, ("Received getdcname response\n"));
588
589 if (success && (state->response->result == WINBINDD_OK)) {
590 dcname = state->response->data.dc_name;
591 }
592
593 state->request->cmd = WINBINDD_INIT_CONNECTION;
594 fstrcpy(state->request->domain_name, state->domain->name);
595 state->request->data.init_conn.is_primary = False;
596 fstrcpy(state->request->data.init_conn.dcname, dcname);
597
598 async_request(state->mem_ctx, &state->domain->child,
599 state->request, state->response,
600 init_child_recv, state);
601 }
602
603 static void init_child_recv(void *private_data, BOOL success)
604 {
605 struct init_child_state *state =
606 talloc_get_type_abort(private_data, struct init_child_state);
607
608 DEBUG(5, ("Received child initialization response for domain %s\n",
609 state->domain->name));
610
611 if ((!success) || (state->response->result != WINBINDD_OK)) {
612 DEBUG(3, ("Could not init child\n"));
613 state->continuation(state->private_data, False);
614 talloc_destroy(state->mem_ctx);
615 return;
616 }
617
618 fstrcpy(state->domain->name,
619 state->response->data.domain_info.name);
620 fstrcpy(state->domain->alt_name,
621 state->response->data.domain_info.alt_name);
622 string_to_sid(&state->domain->sid,
623 state->response->data.domain_info.sid);
624 state->domain->native_mode =
625 state->response->data.domain_info.native_mode;
626 state->domain->active_directory =
627 state->response->data.domain_info.active_directory;
628 state->domain->sequence_number =
629 state->response->data.domain_info.sequence_number;
630
631 init_dc_connection(state->domain);
632
633 if (state->continuation != NULL)
634 state->continuation(state->private_data, True);
635 talloc_destroy(state->mem_ctx);
636 }
637
638 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
639 struct winbindd_cli_state *state)
640 {
641 /* Ensure null termination */
642 state->request.domain_name
643 [sizeof(state->request.domain_name)-1]='\0';
644 state->request.data.init_conn.dcname
645 [sizeof(state->request.data.init_conn.dcname)-1]='\0';
646
647 if (strlen(state->request.data.init_conn.dcname) > 0) {
648 fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
649 }
650
651 init_dc_connection(domain);
652
653 if (!domain->initialized) {
654 /* If we return error here we can't do any cached authentication,
655 but we may be in disconnected mode and can't initialize correctly.
656 Do what the previous code did and just return without initialization,
657 once we go online we'll re-initialize.
658 */
659 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
660 "online = %d\n", domain->name, (int)domain->online ));
661 }
662
663 fstrcpy(state->response.data.domain_info.name, domain->name);
664 fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
665 fstrcpy(state->response.data.domain_info.sid,
666 sid_string_static(&domain->sid));
667
668 state->response.data.domain_info.native_mode
669 = domain->native_mode;
670 state->response.data.domain_info.active_directory
671 = domain->active_directory;
672 state->response.data.domain_info.primary
673 = domain->primary;
674 state->response.data.domain_info.sequence_number =
675 domain->sequence_number;
676
677 return WINBINDD_OK;
678 }
679
680 /* Look up global info for the winbind daemon */
681 BOOL init_domain_list(void)
682 {
683 struct winbindd_domain *domain;
684 int role = lp_server_role();
685
686 /* Free existing list */
687 free_domain_list();
688
689 /* Add ourselves as the first entry. */
690
691 if ( role == ROLE_DOMAIN_MEMBER ) {
692 DOM_SID our_sid;
693
694 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
695 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
696 return False;
697 }
698
699 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
700 &cache_methods, &our_sid);
701 domain->primary = True;
702 setup_domain_child(domain, &domain->child, NULL);
703
704 /* Even in the parent winbindd we'll need to
705 talk to the DC, so try and see if we can
706 contact it. Theoretically this isn't neccessary
707 as the init_dc_connection() in init_child_recv()
708 will do this, but we can start detecting the DC
709 early here. */
710 set_domain_online_request(domain);
711 }
712
713 /* Local SAM */
714
715 domain = add_trusted_domain(get_global_sam_name(), NULL,
716 &passdb_methods, get_global_sam_sid());
717 if ( role != ROLE_DOMAIN_MEMBER ) {
718 domain->primary = True;
719 }
720 setup_domain_child(domain, &domain->child, NULL);
721
722 /* BUILTIN domain */
723
724 domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods,
725 &global_sid_Builtin);
726 setup_domain_child(domain, &domain->child, NULL);
727
728 return True;
729 }
730
731 /**
732 * Given a domain name, return the struct winbindd domain info for it
733 *
734 * @note Do *not* pass lp_workgroup() to this function. domain_list
735 * may modify it's value, and free that pointer. Instead, our local
736 * domain may be found by calling find_our_domain().
737 * directly.
738 *
739 *
740 * @return The domain structure for the named domain, if it is working.
741 */
742
743 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
744 {
745 struct winbindd_domain *domain;
746
747 /* Search through list */
748
749 for (domain = domain_list(); domain != NULL; domain = domain->next) {
750 if (strequal(domain_name, domain->name) ||
751 (domain->alt_name[0] &&
752 strequal(domain_name, domain->alt_name))) {
753 return domain;
754 }
755 }
756
757 /* Not found */
758
759 return NULL;
760 }
761
762 struct winbindd_domain *find_domain_from_name(const char *domain_name)
763 {
764 struct winbindd_domain *domain;
765
766 domain = find_domain_from_name_noinit(domain_name);
767
768 if (domain == NULL)
769 return NULL;
770
771 if (!domain->initialized)
772 init_dc_connection(domain);
773
774 return domain;
775 }
776
777 /* Given a domain sid, return the struct winbindd domain info for it */
778
779 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
780 {
781 struct winbindd_domain *domain;
782
783 /* Search through list */
784
785 for (domain = domain_list(); domain != NULL; domain = domain->next) {
786 if (sid_compare_domain(sid, &domain->sid) == 0)
787 return domain;
788 }
789
790 /* Not found */
791
792 return NULL;
793 }
794
795 /* Given a domain sid, return the struct winbindd domain info for it */
796
797 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
798 {
799 struct winbindd_domain *domain;
800
801 domain = find_domain_from_sid_noinit(sid);
802
803 if (domain == NULL)
804 return NULL;
805
806 if (!domain->initialized)
807 init_dc_connection(domain);
808
809 return domain;
810 }
811
812 struct winbindd_domain *find_our_domain(void)
813 {
814 struct winbindd_domain *domain;
815
816 /* Search through list */
817
818 for (domain = domain_list(); domain != NULL; domain = domain->next) {
819 if (domain->primary)
820 return domain;
821 }
822
823 smb_panic("Could not find our domain\n");
824 return NULL;
825 }
826
827 struct winbindd_domain *find_root_domain(void)
828 {
829 struct winbindd_domain *ours = find_our_domain();
830
831 if ( !ours )
832 return NULL;
833
834 if ( strlen(ours->forest_name) == 0 )
835 return NULL;
836
837 return find_domain_from_name( ours->forest_name );
838 }
839
840 struct winbindd_domain *find_builtin_domain(void)
841 {
842 DOM_SID sid;
843 struct winbindd_domain *domain;
844
845 string_to_sid(&sid, "S-1-5-32");
846 domain = find_domain_from_sid(&sid);
847
848 if (domain == NULL)
849 smb_panic("Could not find BUILTIN domain\n");
850
851 return domain;
852 }
853
854 /* Find the appropriate domain to lookup a name or SID */
855
856 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
857 {
858 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
859 * one to contact the external DC's. On member servers the internal
860 * domains are different: These are part of the local SAM. */
861
862 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n",
863 sid_string_static(sid)));
864
865 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
866 DEBUG(10, ("calling find_domain_from_sid\n"));
867 return find_domain_from_sid(sid);
868 }
869
870 /* On a member server a query for SID or name can always go to our
871 * primary DC. */
872
873 DEBUG(10, ("calling find_our_domain\n"));
874 return find_our_domain();
875 }
876
877 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
878 {
879 if (IS_DC || strequal(domain_name, "BUILTIN") ||
880 strequal(domain_name, get_global_sam_name()))
881 return find_domain_from_name_noinit(domain_name);
882
883 return find_our_domain();
884 }
885
886 /* Lookup a sid in a domain from a name */
887
888 BOOL winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
889 struct winbindd_domain *domain,
890 const char *domain_name,
891 const char *name, DOM_SID *sid,
892 enum lsa_SidType *type)
893 {
894 NTSTATUS result;
895
896 /* Lookup name */
897 result = domain->methods->name_to_sid(domain, mem_ctx, domain_name, name, sid, type);
898
899 /* Return sid and type if lookup successful */
900 if (!NT_STATUS_IS_OK(result)) {
901 *type = SID_NAME_UNKNOWN;
902 }
903
904 return NT_STATUS_IS_OK(result);
905 }
906
907 /**
908 * @brief Lookup a name in a domain from a sid.
909 *
910 * @param sid Security ID you want to look up.
911 * @param name On success, set to the name corresponding to @p sid.
912 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
913 * @param type On success, contains the type of name: alias, group or
914 * user.
915 * @retval True if the name exists, in which case @p name and @p type
916 * are set, otherwise False.
917 **/
918 BOOL winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
919 struct winbindd_domain *domain,
920 DOM_SID *sid,
921 char **dom_name,
922 char **name,
923 enum lsa_SidType *type)
924 {
925 NTSTATUS result;
926
927 *dom_name = NULL;
928 *name = NULL;
929
930 /* Lookup name */
931
932 result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
933
934 /* Return name and type if successful */
935
936 if (NT_STATUS_IS_OK(result)) {
937 return True;
938 }
939
940 *type = SID_NAME_UNKNOWN;
941
942 return False;
943 }
944
945 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
946
947 void free_getent_state(struct getent_state *state)
948 {
949 struct getent_state *temp;
950
951 /* Iterate over state list */
952
953 temp = state;
954
955 while(temp != NULL) {
956 struct getent_state *next;
957
958 /* Free sam entries then list entry */
959
960 SAFE_FREE(state->sam_entries);
961 DLIST_REMOVE(state, state);
962 next = temp->next;
963
964 SAFE_FREE(temp);
965 temp = next;
966 }
967 }
968
969 /* Is this a domain which we may assume no DOMAIN\ prefix? */
970
971 static BOOL assume_domain(const char *domain)
972 {
973 /* never assume the domain on a standalone server */
974
975 if ( lp_server_role() == ROLE_STANDALONE )
976 return False;
977
978 /* domain member servers may possibly assume for the domain name */
979
980 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
981 if ( !strequal(lp_workgroup(), domain) )
982 return False;
983
984 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
985 return True;
986 }
987
988 /* only left with a domain controller */
989
990 if ( strequal(get_global_sam_name(), domain) ) {
991 return True;
992 }
993
994 return False;
995 }
996
997 /* Parse a string of the form DOMAIN\user into a domain and a user */
998
999 BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
1000 {
1001 char *p = strchr(domuser,*lp_winbind_separator());
1002
1003 if ( !p ) {
1004 fstrcpy(user, domuser);
1005
1006 if ( assume_domain(lp_workgroup())) {
1007 fstrcpy(domain, lp_workgroup());
1008 } else {
1009 return False;
1010 }
1011 } else {
1012 fstrcpy(user, p+1);
1013 fstrcpy(domain, domuser);
1014 domain[PTR_DIFF(p, domuser)] = 0;
1015 }
1016
1017 strupper_m(domain);
1018
1019 return True;
1020 }
1021
1022 BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1023 char **domain, char **user)
1024 {
1025 fstring fstr_domain, fstr_user;
1026 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1027 return False;
1028 }
1029 *domain = talloc_strdup(mem_ctx, fstr_domain);
1030 *user = talloc_strdup(mem_ctx, fstr_user);
1031 return ((*domain != NULL) && (*user != NULL));
1032 }
1033
1034 /* Ensure an incoming username from NSS is fully qualified. Replace the
1035 incoming fstring with DOMAIN <separator> user. Returns the same
1036 values as parse_domain_user() but also replaces the incoming username.
1037 Used to ensure all names are fully qualified within winbindd.
1038 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1039 The protocol definitions of auth_crap, chng_pswd_auth_crap
1040 really should be changed to use this instead of doing things
1041 by hand. JRA. */
1042
1043 BOOL canonicalize_username(fstring username_inout, fstring domain, fstring user)
1044 {
1045 if (!parse_domain_user(username_inout, domain, user)) {
1046 return False;
1047 }
1048 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1049 domain, *lp_winbind_separator(),
1050 user);
1051 return True;
1052 }
1053
1054 /*
1055 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1056 'winbind separator' options.
1057 This means:
1058 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1059 lp_workgroup()
1060
1061 If we are a PDC or BDC, and this is for our domain, do likewise.
1062
1063 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1064 username is then unqualified in unix
1065
1066 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1067 */
1068 void fill_domain_username(fstring name, const char *domain, const char *user, BOOL can_assume)
1069 {
1070 fstring tmp_user;
1071
1072 fstrcpy(tmp_user, user);
1073 strlower_m(tmp_user);
1074
1075 if (can_assume && assume_domain(domain)) {
1076 strlcpy(name, tmp_user, sizeof(fstring));
1077 } else {
1078 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1079 domain, *lp_winbind_separator(),
1080 tmp_user);
1081 }
1082 }
1083
1084 /*
1085 * Winbindd socket accessor functions
1086 */
1087
1088 char *get_winbind_priv_pipe_dir(void)
1089 {
1090 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1091 }
1092
1093 /*
1094 * Client list accessor functions
1095 */
1096
1097 static struct winbindd_cli_state *_client_list;
1098 static int _num_clients;
1099
1100 /* Return list of all connected clients */
1101
1102 struct winbindd_cli_state *winbindd_client_list(void)
1103 {
1104 return _client_list;
1105 }
1106
1107 /* Add a connection to the list */
1108
1109 void winbindd_add_client(struct winbindd_cli_state *cli)
1110 {
1111 DLIST_ADD(_client_list, cli);
1112 _num_clients++;
1113 }
1114
1115 /* Remove a client from the list */
1116
1117 void winbindd_remove_client(struct winbindd_cli_state *cli)
1118 {
1119 DLIST_REMOVE(_client_list, cli);
1120 _num_clients--;
1121 }
1122
1123 /* Close all open clients */
1124
1125 void winbindd_kill_all_clients(void)
1126 {
1127 struct winbindd_cli_state *cl = winbindd_client_list();
1128
1129 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1130
1131 while (cl) {
1132 struct winbindd_cli_state *next;
1133
1134 next = cl->next;
1135 winbindd_remove_client(cl);
1136 cl = next;
1137 }
1138 }
1139
1140 /* Return number of open clients */
1141
1142 int winbindd_num_clients(void)
1143 {
1144 return _num_clients;
1145 }
1146
1147 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1148 TALLOC_CTX *mem_ctx,
1149 const DOM_SID *user_sid,
1150 uint32 *p_num_groups, DOM_SID **user_sids)
1151 {
1152 NET_USER_INFO_3 *info3 = NULL;
1153 NTSTATUS status = NT_STATUS_NO_MEMORY;
1154 int i;
1155 size_t num_groups = 0;
1156 DOM_SID group_sid, primary_group;
1157
1158 DEBUG(3,(": lookup_usergroups_cached\n"));
1159
1160 *user_sids = NULL;
1161 num_groups = 0;
1162 *p_num_groups = 0;
1163
1164 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1165
1166 if (info3 == NULL) {
1167 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1168 }
1169
1170 if (info3->num_groups == 0) {
1171 TALLOC_FREE(info3);
1172 return NT_STATUS_UNSUCCESSFUL;
1173 }
1174
1175 /* always add the primary group to the sid array */
1176 sid_compose(&primary_group, &info3->dom_sid.sid, info3->user_rid);
1177
1178 if (!add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups)) {
1179 TALLOC_FREE(info3);
1180 return NT_STATUS_NO_MEMORY;
1181 }
1182
1183 for (i=0; i<info3->num_groups; i++) {
1184 sid_copy(&group_sid, &info3->dom_sid.sid);
1185 sid_append_rid(&group_sid, info3->gids[i].g_rid);
1186
1187 if (!add_sid_to_array(mem_ctx, &group_sid, user_sids,
1188 &num_groups)) {
1189 TALLOC_FREE(info3);
1190 return NT_STATUS_NO_MEMORY;
1191 }
1192 }
1193
1194 TALLOC_FREE(info3);
1195 *p_num_groups = num_groups;
1196 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1197
1198 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1199
1200 return status;
1201 }
1202
1203 /*********************************************************************
1204 We use this to remove spaces from user and group names
1205 ********************************************************************/
1206
1207 void ws_name_replace( char *name, char replace )
1208 {
1209 char replace_char[2] = { 0x0, 0x0 };
1210
1211 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1212 return;
1213
1214 replace_char[0] = replace;
1215 all_string_sub( name, " ", replace_char, 0 );
1216
1217 return;
1218 }
1219
1220 /*********************************************************************
1221 We use this to do the inverse of ws_name_replace()
1222 ********************************************************************/
1223
1224 void ws_name_return( char *name, char replace )
1225 {
1226 char replace_char[2] = { 0x0, 0x0 };
1227
1228 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1229 return;
1230
1231 replace_char[0] = replace;
1232 all_string_sub( name, replace_char, " ", 0 );
1233
1234 return;
1235 }
Samba GIT mirror