2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods
;
30 extern struct winbindd_methods passdb_methods
;
33 * @file winbindd_util.c
35 * Winbind daemon for NT domain authentication nss module.
39 /* The list of trusted domains. Note that the list can be deleted and
40 recreated using the init_domain_list() function so pointers to
41 individual winbindd_domain structures cannot be made. Keep a copy of
42 the domain name instead. */
44 static struct winbindd_domain
*_domain_list
;
47 When was the last scan of trusted domains done?
52 static time_t last_trustdom_scan
;
54 struct winbindd_domain
*domain_list(void)
58 if ((!_domain_list
) && (!init_domain_list())) {
59 smb_panic("Init_domain_list failed");
65 /* Free all entries in the trusted domain list */
67 void free_domain_list(void)
69 struct winbindd_domain
*domain
= _domain_list
;
72 struct winbindd_domain
*next
= domain
->next
;
74 DLIST_REMOVE(_domain_list
, domain
);
80 static bool is_internal_domain(const DOM_SID
*sid
)
86 return sid_check_is_builtin(sid
);
88 return (sid_check_is_domain(sid
) || sid_check_is_builtin(sid
));
91 static bool is_in_internal_domain(const DOM_SID
*sid
)
97 return sid_check_is_in_builtin(sid
);
99 return (sid_check_is_in_our_domain(sid
) || sid_check_is_in_builtin(sid
));
103 /* Add a trusted domain to our list of domains */
104 static struct winbindd_domain
*add_trusted_domain(const char *domain_name
, const char *alt_name
,
105 struct winbindd_methods
*methods
,
108 struct winbindd_domain
*domain
;
109 const char *alternative_name
= NULL
;
111 /* ignore alt_name if we are not in an AD domain */
113 if ( (lp_security() == SEC_ADS
) && alt_name
&& *alt_name
) {
114 alternative_name
= alt_name
;
117 /* We can't call domain_list() as this function is called from
118 init_domain_list() and we'll get stuck in a loop. */
119 for (domain
= _domain_list
; domain
; domain
= domain
->next
) {
120 if (strequal(domain_name
, domain
->name
) ||
121 strequal(domain_name
, domain
->alt_name
))
126 if (alternative_name
&& *alternative_name
)
128 if (strequal(alternative_name
, domain
->name
) ||
129 strequal(alternative_name
, domain
->alt_name
))
137 if (is_null_sid(sid
)) {
141 if (sid_equal(sid
, &domain
->sid
)) {
147 /* See if we found a match. Check if we need to update the
150 if ( domain
&& sid
) {
151 if ( sid_equal( &domain
->sid
, &global_sid_NULL
) )
152 sid_copy( &domain
->sid
, sid
);
157 /* Create new domain entry */
159 if ((domain
= SMB_MALLOC_P(struct winbindd_domain
)) == NULL
)
164 ZERO_STRUCTP(domain
);
166 /* prioritise the short name */
167 if (strchr_m(domain_name
, '.') && alternative_name
&& *alternative_name
) {
168 fstrcpy(domain
->name
, alternative_name
);
169 fstrcpy(domain
->alt_name
, domain_name
);
171 fstrcpy(domain
->name
, domain_name
);
172 if (alternative_name
) {
173 fstrcpy(domain
->alt_name
, alternative_name
);
177 domain
->methods
= methods
;
178 domain
->backend
= NULL
;
179 domain
->internal
= is_internal_domain(sid
);
180 domain
->sequence_number
= DOM_SEQUENCE_NONE
;
181 domain
->last_seq_check
= 0;
182 domain
->initialized
= False
;
183 domain
->online
= is_internal_domain(sid
);
184 domain
->check_online_timeout
= 0;
186 sid_copy(&domain
->sid
, sid
);
189 /* Link to domain list */
190 DLIST_ADD_END(_domain_list
, domain
, struct winbindd_domain
*);
192 wcache_tdc_add_domain( domain
);
194 DEBUG(2,("Added domain %s %s %s\n",
195 domain
->name
, domain
->alt_name
,
196 &domain
->sid
?sid_string_dbg(&domain
->sid
):""));
201 /********************************************************************
202 rescan our domains looking for new trusted domains
203 ********************************************************************/
205 struct trustdom_state
{
209 struct winbindd_response
*response
;
212 static void trustdom_recv(void *private_data
, bool success
);
213 static void rescan_forest_root_trusts( void );
214 static void rescan_forest_trusts( void );
216 static void add_trusted_domains( struct winbindd_domain
*domain
)
219 struct winbindd_request
*request
;
220 struct winbindd_response
*response
;
221 uint32 fr_flags
= (DS_DOMAIN_TREE_ROOT
|DS_DOMAIN_IN_FOREST
);
223 struct trustdom_state
*state
;
225 mem_ctx
= talloc_init("add_trusted_domains");
226 if (mem_ctx
== NULL
) {
227 DEBUG(0, ("talloc_init failed\n"));
231 request
= TALLOC_ZERO_P(mem_ctx
, struct winbindd_request
);
232 response
= TALLOC_P(mem_ctx
, struct winbindd_response
);
233 state
= TALLOC_P(mem_ctx
, struct trustdom_state
);
235 if ((request
== NULL
) || (response
== NULL
) || (state
== NULL
)) {
236 DEBUG(0, ("talloc failed\n"));
237 talloc_destroy(mem_ctx
);
241 state
->mem_ctx
= mem_ctx
;
242 state
->response
= response
;
244 /* Flags used to know how to continue the forest trust search */
246 state
->primary
= domain
->primary
;
247 state
->forest_root
= ((domain
->domain_flags
& fr_flags
) == fr_flags
);
249 request
->length
= sizeof(*request
);
250 request
->cmd
= WINBINDD_LIST_TRUSTDOM
;
252 async_domain_request(mem_ctx
, domain
, request
, response
,
253 trustdom_recv
, state
);
256 static void trustdom_recv(void *private_data
, bool success
)
258 struct trustdom_state
*state
=
259 talloc_get_type_abort(private_data
, struct trustdom_state
);
260 struct winbindd_response
*response
= state
->response
;
263 if ((!success
) || (response
->result
!= WINBINDD_OK
)) {
264 DEBUG(1, ("Could not receive trustdoms\n"));
265 talloc_destroy(state
->mem_ctx
);
269 p
= (char *)response
->extra_data
.data
;
271 while ((p
!= NULL
) && (*p
!= '\0')) {
272 char *q
, *sidstr
, *alt_name
;
274 struct winbindd_domain
*domain
;
275 char *alternate_name
= NULL
;
277 alt_name
= strchr(p
, '\\');
278 if (alt_name
== NULL
) {
279 DEBUG(0, ("Got invalid trustdom response\n"));
286 sidstr
= strchr(alt_name
, '\\');
287 if (sidstr
== NULL
) {
288 DEBUG(0, ("Got invalid trustdom response\n"));
295 q
= strchr(sidstr
, '\n');
299 if (!string_to_sid(&sid
, sidstr
)) {
300 /* Allow NULL sid for sibling domains */
301 if ( strcmp(sidstr
,"S-0-0") == 0) {
302 sid_copy( &sid
, &global_sid_NULL
);
304 DEBUG(0, ("Got invalid trustdom response\n"));
309 /* use the real alt_name if we have one, else pass in NULL */
311 if ( !strequal( alt_name
, "(null)" ) )
312 alternate_name
= alt_name
;
314 /* If we have an existing domain structure, calling
315 add_trusted_domain() will update the SID if
316 necessary. This is important because we need the
317 SID for sibling domains */
319 if ( find_domain_from_name_noinit(p
) != NULL
) {
320 domain
= add_trusted_domain(p
, alternate_name
,
324 domain
= add_trusted_domain(p
, alternate_name
,
328 setup_domain_child(domain
,
337 SAFE_FREE(response
->extra_data
.data
);
340 Cases to consider when scanning trusts:
341 (a) we are calling from a child domain (primary && !forest_root)
342 (b) we are calling from the root of the forest (primary && forest_root)
343 (c) we are calling from a trusted forest domain (!primary
347 if ( state
->primary
) {
348 /* If this is our primary domain and we are not the in the
349 forest root, we have to scan the root trusts first */
351 if ( !state
->forest_root
)
352 rescan_forest_root_trusts();
354 rescan_forest_trusts();
356 } else if ( state
->forest_root
) {
357 /* Once we have done root forest trust search, we can
358 go on to search thing trusted forests */
360 rescan_forest_trusts();
363 talloc_destroy(state
->mem_ctx
);
368 /********************************************************************
369 Scan the trusts of our forest root
370 ********************************************************************/
372 static void rescan_forest_root_trusts( void )
374 struct winbindd_tdc_domain
*dom_list
= NULL
;
375 size_t num_trusts
= 0;
378 /* The only transitive trusts supported by Windows 2003 AD are
379 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
380 first two are handled in forest and listed by
381 DsEnumerateDomainTrusts(). Forest trusts are not so we
382 have to do that ourselves. */
384 if ( !wcache_tdc_fetch_list( &dom_list
, &num_trusts
) )
387 for ( i
=0; i
<num_trusts
; i
++ ) {
388 struct winbindd_domain
*d
= NULL
;
390 /* Find the forest root. Don't necessarily trust
391 the domain_list() as our primary domain may not
392 have been initialized. */
394 if ( !(dom_list
[i
].trust_flags
& DS_DOMAIN_TREE_ROOT
) ) {
398 /* Here's the forest root */
400 d
= find_domain_from_name_noinit( dom_list
[i
].domain_name
);
403 d
= add_trusted_domain( dom_list
[i
].domain_name
,
404 dom_list
[i
].dns_name
,
409 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
410 "for domain tree root %s (%s)\n",
411 d
->name
, d
->alt_name
));
413 d
->domain_flags
= dom_list
[i
].trust_flags
;
414 d
->domain_type
= dom_list
[i
].trust_type
;
415 d
->domain_trust_attribs
= dom_list
[i
].trust_attribs
;
417 add_trusted_domains( d
);
422 TALLOC_FREE( dom_list
);
427 /********************************************************************
428 scan the transitive forest trists (not our own)
429 ********************************************************************/
432 static void rescan_forest_trusts( void )
434 struct winbindd_domain
*d
= NULL
;
435 struct winbindd_tdc_domain
*dom_list
= NULL
;
436 size_t num_trusts
= 0;
439 /* The only transitive trusts supported by Windows 2003 AD are
440 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
441 first two are handled in forest and listed by
442 DsEnumerateDomainTrusts(). Forest trusts are not so we
443 have to do that ourselves. */
445 if ( !wcache_tdc_fetch_list( &dom_list
, &num_trusts
) )
448 for ( i
=0; i
<num_trusts
; i
++ ) {
449 uint32 flags
= dom_list
[i
].trust_flags
;
450 uint32 type
= dom_list
[i
].trust_type
;
451 uint32 attribs
= dom_list
[i
].trust_attribs
;
453 d
= find_domain_from_name_noinit( dom_list
[i
].domain_name
);
455 /* ignore our primary and internal domains */
457 if ( d
&& (d
->internal
|| d
->primary
) )
460 if ( (flags
& DS_DOMAIN_DIRECT_INBOUND
) &&
461 (type
== DS_DOMAIN_TRUST_TYPE_UPLEVEL
) &&
462 (attribs
== DS_DOMAIN_TRUST_ATTRIB_FOREST_TRANSITIVE
) )
464 /* add the trusted domain if we don't know
468 d
= add_trusted_domain( dom_list
[i
].domain_name
,
469 dom_list
[i
].dns_name
,
474 DEBUG(10,("Following trust path for domain %s (%s)\n",
475 d
->name
, d
->alt_name
));
476 add_trusted_domains( d
);
480 TALLOC_FREE( dom_list
);
485 /*********************************************************************
486 The process of updating the trusted domain list is a three step
489 (b) ask the root domain in our forest
490 (c) ask the a DC in any Win2003 trusted forests
491 *********************************************************************/
493 void rescan_trusted_domains( void )
495 time_t now
= time(NULL
);
497 /* see if the time has come... */
499 if ((now
>= last_trustdom_scan
) &&
500 ((now
-last_trustdom_scan
) < WINBINDD_RESCAN_FREQ
) )
503 /* clear the TRUSTDOM cache first */
507 /* this will only add new domains we didn't already know about
508 in the domain_list()*/
510 add_trusted_domains( find_our_domain() );
512 last_trustdom_scan
= now
;
517 struct init_child_state
{
519 struct winbindd_domain
*domain
;
520 struct winbindd_request
*request
;
521 struct winbindd_response
*response
;
522 void (*continuation
)(void *private_data
, bool success
);
526 static void init_child_recv(void *private_data
, bool success
);
527 static void init_child_getdc_recv(void *private_data
, bool success
);
529 enum winbindd_result
init_child_connection(struct winbindd_domain
*domain
,
530 void (*continuation
)(void *private_data
,
535 struct winbindd_request
*request
;
536 struct winbindd_response
*response
;
537 struct init_child_state
*state
;
538 struct winbindd_domain
*request_domain
;
540 mem_ctx
= talloc_init("init_child_connection");
541 if (mem_ctx
== NULL
) {
542 DEBUG(0, ("talloc_init failed\n"));
543 return WINBINDD_ERROR
;
546 request
= TALLOC_ZERO_P(mem_ctx
, struct winbindd_request
);
547 response
= TALLOC_P(mem_ctx
, struct winbindd_response
);
548 state
= TALLOC_P(mem_ctx
, struct init_child_state
);
550 if ((request
== NULL
) || (response
== NULL
) || (state
== NULL
)) {
551 DEBUG(0, ("talloc failed\n"));
552 TALLOC_FREE(mem_ctx
);
553 continuation(private_data
, False
);
554 return WINBINDD_ERROR
;
557 request
->length
= sizeof(*request
);
559 state
->mem_ctx
= mem_ctx
;
560 state
->domain
= domain
;
561 state
->request
= request
;
562 state
->response
= response
;
563 state
->continuation
= continuation
;
564 state
->private_data
= private_data
;
566 if (IS_DC
|| domain
->primary
|| domain
->internal
) {
567 /* The primary domain has to find the DC name itself */
568 request
->cmd
= WINBINDD_INIT_CONNECTION
;
569 fstrcpy(request
->domain_name
, domain
->name
);
570 request
->data
.init_conn
.is_primary
= domain
->internal
? False
: True
;
571 fstrcpy(request
->data
.init_conn
.dcname
, "");
572 async_request(mem_ctx
, &domain
->child
, request
, response
,
573 init_child_recv
, state
);
574 return WINBINDD_PENDING
;
577 /* This is *not* the primary domain, let's ask our DC about a DC
580 request
->cmd
= WINBINDD_GETDCNAME
;
581 fstrcpy(request
->domain_name
, domain
->name
);
583 request_domain
= find_our_domain();
584 async_domain_request(mem_ctx
, request_domain
, request
, response
,
585 init_child_getdc_recv
, state
);
586 return WINBINDD_PENDING
;
589 static void init_child_getdc_recv(void *private_data
, bool success
)
591 struct init_child_state
*state
=
592 talloc_get_type_abort(private_data
, struct init_child_state
);
593 const char *dcname
= "";
595 DEBUG(10, ("Received getdcname response\n"));
597 if (success
&& (state
->response
->result
== WINBINDD_OK
)) {
598 dcname
= state
->response
->data
.dc_name
;
601 state
->request
->cmd
= WINBINDD_INIT_CONNECTION
;
602 fstrcpy(state
->request
->domain_name
, state
->domain
->name
);
603 state
->request
->data
.init_conn
.is_primary
= False
;
604 fstrcpy(state
->request
->data
.init_conn
.dcname
, dcname
);
606 async_request(state
->mem_ctx
, &state
->domain
->child
,
607 state
->request
, state
->response
,
608 init_child_recv
, state
);
611 static void init_child_recv(void *private_data
, bool success
)
613 struct init_child_state
*state
=
614 talloc_get_type_abort(private_data
, struct init_child_state
);
616 DEBUG(5, ("Received child initialization response for domain %s\n",
617 state
->domain
->name
));
619 if ((!success
) || (state
->response
->result
!= WINBINDD_OK
)) {
620 DEBUG(3, ("Could not init child\n"));
621 state
->continuation(state
->private_data
, False
);
622 talloc_destroy(state
->mem_ctx
);
626 fstrcpy(state
->domain
->name
,
627 state
->response
->data
.domain_info
.name
);
628 fstrcpy(state
->domain
->alt_name
,
629 state
->response
->data
.domain_info
.alt_name
);
630 string_to_sid(&state
->domain
->sid
,
631 state
->response
->data
.domain_info
.sid
);
632 state
->domain
->native_mode
=
633 state
->response
->data
.domain_info
.native_mode
;
634 state
->domain
->active_directory
=
635 state
->response
->data
.domain_info
.active_directory
;
637 init_dc_connection(state
->domain
);
639 if (state
->continuation
!= NULL
)
640 state
->continuation(state
->private_data
, True
);
641 talloc_destroy(state
->mem_ctx
);
644 enum winbindd_result
winbindd_dual_init_connection(struct winbindd_domain
*domain
,
645 struct winbindd_cli_state
*state
)
647 /* Ensure null termination */
648 state
->request
.domain_name
649 [sizeof(state
->request
.domain_name
)-1]='\0';
650 state
->request
.data
.init_conn
.dcname
651 [sizeof(state
->request
.data
.init_conn
.dcname
)-1]='\0';
653 if (strlen(state
->request
.data
.init_conn
.dcname
) > 0) {
654 fstrcpy(domain
->dcname
, state
->request
.data
.init_conn
.dcname
);
657 init_dc_connection(domain
);
659 if (!domain
->initialized
) {
660 /* If we return error here we can't do any cached authentication,
661 but we may be in disconnected mode and can't initialize correctly.
662 Do what the previous code did and just return without initialization,
663 once we go online we'll re-initialize.
665 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
666 "online = %d\n", domain
->name
, (int)domain
->online
));
669 fstrcpy(state
->response
.data
.domain_info
.name
, domain
->name
);
670 fstrcpy(state
->response
.data
.domain_info
.alt_name
, domain
->alt_name
);
671 sid_to_fstring(state
->response
.data
.domain_info
.sid
, &domain
->sid
);
673 state
->response
.data
.domain_info
.native_mode
674 = domain
->native_mode
;
675 state
->response
.data
.domain_info
.active_directory
676 = domain
->active_directory
;
677 state
->response
.data
.domain_info
.primary
683 /* Look up global info for the winbind daemon */
684 bool init_domain_list(void)
686 struct winbindd_domain
*domain
;
687 int role
= lp_server_role();
689 /* Free existing list */
694 domain
= add_trusted_domain("BUILTIN", NULL
, &passdb_methods
,
695 &global_sid_Builtin
);
697 setup_domain_child(domain
,
703 domain
= add_trusted_domain(get_global_sam_name(), NULL
,
704 &passdb_methods
, get_global_sam_sid());
706 if ( role
!= ROLE_DOMAIN_MEMBER
) {
707 domain
->primary
= True
;
709 setup_domain_child(domain
,
713 /* Add ourselves as the first entry. */
715 if ( role
== ROLE_DOMAIN_MEMBER
) {
718 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid
)) {
719 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
723 domain
= add_trusted_domain( lp_workgroup(), lp_realm(),
724 &cache_methods
, &our_sid
);
726 domain
->primary
= True
;
727 setup_domain_child(domain
,
730 /* Even in the parent winbindd we'll need to
731 talk to the DC, so try and see if we can
732 contact it. Theoretically this isn't neccessary
733 as the init_dc_connection() in init_child_recv()
734 will do this, but we can start detecting the DC
736 set_domain_online_request(domain
);
743 void check_domain_trusted( const char *name
, const DOM_SID
*user_sid
)
745 struct winbindd_domain
*domain
;
749 domain
= find_domain_from_name_noinit( name
);
753 sid_copy( &dom_sid
, user_sid
);
754 if ( !sid_split_rid( &dom_sid
, &rid
) )
757 /* add the newly discovered trusted domain */
759 domain
= add_trusted_domain( name
, NULL
, &cache_methods
,
765 /* assume this is a trust from a one-way transitive
768 domain
->active_directory
= True
;
769 domain
->domain_flags
= DS_DOMAIN_DIRECT_OUTBOUND
;
770 domain
->domain_type
= DS_DOMAIN_TRUST_TYPE_UPLEVEL
;
771 domain
->internal
= False
;
772 domain
->online
= True
;
774 setup_domain_child(domain
,
777 wcache_tdc_add_domain( domain
);
783 * Given a domain name, return the struct winbindd domain info for it
785 * @note Do *not* pass lp_workgroup() to this function. domain_list
786 * may modify it's value, and free that pointer. Instead, our local
787 * domain may be found by calling find_our_domain().
791 * @return The domain structure for the named domain, if it is working.
794 struct winbindd_domain
*find_domain_from_name_noinit(const char *domain_name
)
796 struct winbindd_domain
*domain
;
798 /* Search through list */
800 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
801 if (strequal(domain_name
, domain
->name
) ||
802 (domain
->alt_name
[0] &&
803 strequal(domain_name
, domain
->alt_name
))) {
813 struct winbindd_domain
*find_domain_from_name(const char *domain_name
)
815 struct winbindd_domain
*domain
;
817 domain
= find_domain_from_name_noinit(domain_name
);
822 if (!domain
->initialized
)
823 init_dc_connection(domain
);
828 /* Given a domain sid, return the struct winbindd domain info for it */
830 struct winbindd_domain
*find_domain_from_sid_noinit(const DOM_SID
*sid
)
832 struct winbindd_domain
*domain
;
834 /* Search through list */
836 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
837 if (sid_compare_domain(sid
, &domain
->sid
) == 0)
846 /* Given a domain sid, return the struct winbindd domain info for it */
848 struct winbindd_domain
*find_domain_from_sid(const DOM_SID
*sid
)
850 struct winbindd_domain
*domain
;
852 domain
= find_domain_from_sid_noinit(sid
);
857 if (!domain
->initialized
)
858 init_dc_connection(domain
);
863 struct winbindd_domain
*find_our_domain(void)
865 struct winbindd_domain
*domain
;
867 /* Search through list */
869 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
874 smb_panic("Could not find our domain");
878 struct winbindd_domain
*find_root_domain(void)
880 struct winbindd_domain
*ours
= find_our_domain();
885 if ( strlen(ours
->forest_name
) == 0 )
888 return find_domain_from_name( ours
->forest_name
);
891 struct winbindd_domain
*find_builtin_domain(void)
894 struct winbindd_domain
*domain
;
896 string_to_sid(&sid
, "S-1-5-32");
897 domain
= find_domain_from_sid(&sid
);
899 if (domain
== NULL
) {
900 smb_panic("Could not find BUILTIN domain");
906 /* Find the appropriate domain to lookup a name or SID */
908 struct winbindd_domain
*find_lookup_domain_from_sid(const DOM_SID
*sid
)
910 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
912 if ( sid_check_is_in_unix_groups(sid
) ||
913 sid_check_is_unix_groups(sid
) ||
914 sid_check_is_in_unix_users(sid
) ||
915 sid_check_is_unix_users(sid
) )
917 return find_domain_from_sid(get_global_sam_sid());
920 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
921 * one to contact the external DC's. On member servers the internal
922 * domains are different: These are part of the local SAM. */
924 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid
)));
926 if (IS_DC
|| is_internal_domain(sid
) || is_in_internal_domain(sid
)) {
927 DEBUG(10, ("calling find_domain_from_sid\n"));
928 return find_domain_from_sid(sid
);
931 /* On a member server a query for SID or name can always go to our
934 DEBUG(10, ("calling find_our_domain\n"));
935 return find_our_domain();
938 struct winbindd_domain
*find_lookup_domain_from_name(const char *domain_name
)
940 if ( strequal(domain_name
, unix_users_domain_name() ) ||
941 strequal(domain_name
, unix_groups_domain_name() ) )
943 return find_domain_from_name_noinit( get_global_sam_name() );
946 if (IS_DC
|| strequal(domain_name
, "BUILTIN") ||
947 strequal(domain_name
, get_global_sam_name()))
948 return find_domain_from_name_noinit(domain_name
);
950 /* The "Unix User" and "Unix Group" domain our handled by passdb */
952 return find_our_domain();
955 /* Lookup a sid in a domain from a name */
957 bool winbindd_lookup_sid_by_name(TALLOC_CTX
*mem_ctx
,
958 enum winbindd_cmd orig_cmd
,
959 struct winbindd_domain
*domain
,
960 const char *domain_name
,
961 const char *name
, DOM_SID
*sid
,
962 enum lsa_SidType
*type
)
967 result
= domain
->methods
->name_to_sid(domain
, mem_ctx
, orig_cmd
,
968 domain_name
, name
, sid
, type
);
970 /* Return sid and type if lookup successful */
971 if (!NT_STATUS_IS_OK(result
)) {
972 *type
= SID_NAME_UNKNOWN
;
975 return NT_STATUS_IS_OK(result
);
979 * @brief Lookup a name in a domain from a sid.
981 * @param sid Security ID you want to look up.
982 * @param name On success, set to the name corresponding to @p sid.
983 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
984 * @param type On success, contains the type of name: alias, group or
986 * @retval True if the name exists, in which case @p name and @p type
987 * are set, otherwise False.
989 bool winbindd_lookup_name_by_sid(TALLOC_CTX
*mem_ctx
,
990 struct winbindd_domain
*domain
,
994 enum lsa_SidType
*type
)
1003 result
= domain
->methods
->sid_to_name(domain
, mem_ctx
, sid
, dom_name
, name
, type
);
1005 /* Return name and type if successful */
1007 if (NT_STATUS_IS_OK(result
)) {
1011 *type
= SID_NAME_UNKNOWN
;
1016 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
1018 void free_getent_state(struct getent_state
*state
)
1020 struct getent_state
*temp
;
1022 /* Iterate over state list */
1026 while(temp
!= NULL
) {
1027 struct getent_state
*next
;
1029 /* Free sam entries then list entry */
1031 SAFE_FREE(state
->sam_entries
);
1032 DLIST_REMOVE(state
, state
);
1040 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1042 static bool assume_domain(const char *domain
)
1044 /* never assume the domain on a standalone server */
1046 if ( lp_server_role() == ROLE_STANDALONE
)
1049 /* domain member servers may possibly assume for the domain name */
1051 if ( lp_server_role() == ROLE_DOMAIN_MEMBER
) {
1052 if ( !strequal(lp_workgroup(), domain
) )
1055 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1059 /* only left with a domain controller */
1061 if ( strequal(get_global_sam_name(), domain
) ) {
1068 /* Parse a string of the form DOMAIN\user into a domain and a user */
1070 bool parse_domain_user(const char *domuser
, fstring domain
, fstring user
)
1072 char *p
= strchr(domuser
,*lp_winbind_separator());
1075 fstrcpy(user
, domuser
);
1077 if ( assume_domain(lp_workgroup())) {
1078 fstrcpy(domain
, lp_workgroup());
1079 } else if ((p
= strchr(domuser
, '@')) != NULL
) {
1080 fstrcpy(domain
, "");
1086 fstrcpy(domain
, domuser
);
1087 domain
[PTR_DIFF(p
, domuser
)] = 0;
1095 bool parse_domain_user_talloc(TALLOC_CTX
*mem_ctx
, const char *domuser
,
1096 char **domain
, char **user
)
1098 fstring fstr_domain
, fstr_user
;
1099 if (!parse_domain_user(domuser
, fstr_domain
, fstr_user
)) {
1102 *domain
= talloc_strdup(mem_ctx
, fstr_domain
);
1103 *user
= talloc_strdup(mem_ctx
, fstr_user
);
1104 return ((*domain
!= NULL
) && (*user
!= NULL
));
1107 /* Ensure an incoming username from NSS is fully qualified. Replace the
1108 incoming fstring with DOMAIN <separator> user. Returns the same
1109 values as parse_domain_user() but also replaces the incoming username.
1110 Used to ensure all names are fully qualified within winbindd.
1111 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1112 The protocol definitions of auth_crap, chng_pswd_auth_crap
1113 really should be changed to use this instead of doing things
1116 bool canonicalize_username(fstring username_inout
, fstring domain
, fstring user
)
1118 if (!parse_domain_user(username_inout
, domain
, user
)) {
1121 slprintf(username_inout
, sizeof(fstring
) - 1, "%s%c%s",
1122 domain
, *lp_winbind_separator(),
1128 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1129 'winbind separator' options.
1131 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1134 If we are a PDC or BDC, and this is for our domain, do likewise.
1136 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1137 username is then unqualified in unix
1139 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1141 void fill_domain_username(fstring name
, const char *domain
, const char *user
, bool can_assume
)
1145 fstrcpy(tmp_user
, user
);
1146 strlower_m(tmp_user
);
1148 if (can_assume
&& assume_domain(domain
)) {
1149 strlcpy(name
, tmp_user
, sizeof(fstring
));
1151 slprintf(name
, sizeof(fstring
) - 1, "%s%c%s",
1152 domain
, *lp_winbind_separator(),
1158 * Winbindd socket accessor functions
1161 const char *get_winbind_pipe_dir(void)
1163 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR
);
1166 char *get_winbind_priv_pipe_dir(void)
1168 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR
);
1171 /* Open the winbindd socket */
1173 static int _winbindd_socket
= -1;
1174 static int _winbindd_priv_socket
= -1;
1176 int open_winbindd_socket(void)
1178 if (_winbindd_socket
== -1) {
1179 _winbindd_socket
= create_pipe_sock(
1180 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME
, 0755);
1181 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1185 return _winbindd_socket
;
1188 int open_winbindd_priv_socket(void)
1190 if (_winbindd_priv_socket
== -1) {
1191 _winbindd_priv_socket
= create_pipe_sock(
1192 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME
, 0750);
1193 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1194 _winbindd_priv_socket
));
1197 return _winbindd_priv_socket
;
1200 /* Close the winbindd socket */
1202 void close_winbindd_socket(void)
1204 if (_winbindd_socket
!= -1) {
1205 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1207 close(_winbindd_socket
);
1208 _winbindd_socket
= -1;
1210 if (_winbindd_priv_socket
!= -1) {
1211 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1212 _winbindd_priv_socket
));
1213 close(_winbindd_priv_socket
);
1214 _winbindd_priv_socket
= -1;
1219 * Client list accessor functions
1222 static struct winbindd_cli_state
*_client_list
;
1223 static int _num_clients
;
1225 /* Return list of all connected clients */
1227 struct winbindd_cli_state
*winbindd_client_list(void)
1229 return _client_list
;
1232 /* Add a connection to the list */
1234 void winbindd_add_client(struct winbindd_cli_state
*cli
)
1236 DLIST_ADD(_client_list
, cli
);
1240 /* Remove a client from the list */
1242 void winbindd_remove_client(struct winbindd_cli_state
*cli
)
1244 DLIST_REMOVE(_client_list
, cli
);
1248 /* Close all open clients */
1250 void winbindd_kill_all_clients(void)
1252 struct winbindd_cli_state
*cl
= winbindd_client_list();
1254 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1257 struct winbindd_cli_state
*next
;
1260 winbindd_remove_client(cl
);
1265 /* Return number of open clients */
1267 int winbindd_num_clients(void)
1269 return _num_clients
;
1272 NTSTATUS
lookup_usergroups_cached(struct winbindd_domain
*domain
,
1273 TALLOC_CTX
*mem_ctx
,
1274 const DOM_SID
*user_sid
,
1275 uint32
*p_num_groups
, DOM_SID
**user_sids
)
1277 NET_USER_INFO_3
*info3
= NULL
;
1278 NTSTATUS status
= NT_STATUS_NO_MEMORY
;
1280 size_t num_groups
= 0;
1281 DOM_SID group_sid
, primary_group
;
1283 DEBUG(3,(": lookup_usergroups_cached\n"));
1289 info3
= netsamlogon_cache_get(mem_ctx
, user_sid
);
1291 if (info3
== NULL
) {
1292 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1295 if (info3
->num_groups
== 0) {
1297 return NT_STATUS_UNSUCCESSFUL
;
1300 /* always add the primary group to the sid array */
1301 sid_compose(&primary_group
, &info3
->dom_sid
.sid
, info3
->user_rid
);
1303 if (!add_sid_to_array(mem_ctx
, &primary_group
, user_sids
, &num_groups
)) {
1305 return NT_STATUS_NO_MEMORY
;
1308 for (i
=0; i
<info3
->num_groups
; i
++) {
1309 sid_copy(&group_sid
, &info3
->dom_sid
.sid
);
1310 sid_append_rid(&group_sid
, info3
->gids
[i
].g_rid
);
1312 if (!add_sid_to_array(mem_ctx
, &group_sid
, user_sids
,
1315 return NT_STATUS_NO_MEMORY
;
1319 /* Add any Universal groups in the other_sids list */
1321 for (i
=0; i
<info3
->num_other_sids
; i
++) {
1322 /* Skip Domain local groups outside our domain.
1323 We'll get these from the getsidaliases() RPC call. */
1324 if (info3
->other_sids_attrib
[i
] & SE_GROUP_RESOURCE
)
1327 if (!add_sid_to_array(mem_ctx
, &info3
->other_sids
[i
].sid
,
1328 user_sids
, &num_groups
))
1331 return NT_STATUS_NO_MEMORY
;
1337 *p_num_groups
= num_groups
;
1338 status
= (user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
1340 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1345 /*********************************************************************
1346 We use this to remove spaces from user and group names
1347 ********************************************************************/
1349 void ws_name_replace( char *name
, char replace
)
1351 char replace_char
[2] = { 0x0, 0x0 };
1353 if ( !lp_winbind_normalize_names() || (replace
== '\0') )
1356 replace_char
[0] = replace
;
1357 all_string_sub( name
, " ", replace_char
, 0 );
1362 /*********************************************************************
1363 We use this to do the inverse of ws_name_replace()
1364 ********************************************************************/
1366 void ws_name_return( char *name
, char replace
)
1368 char replace_char
[2] = { 0x0, 0x0 };
1370 if ( !lp_winbind_normalize_names() || (replace
== '\0') )
1373 replace_char
[0] = replace
;
1374 all_string_sub( name
, replace_char
, " ", 0 );
1379 /*********************************************************************
1380 ********************************************************************/
1382 bool winbindd_can_contact_domain( struct winbindd_domain
*domain
)
1384 /* We can contact the domain if it is our primary domain */
1386 if ( domain
->primary
)
1389 /* Can always contact a domain that is in out forest */
1391 if ( domain
->domain_flags
& DS_DOMAIN_IN_FOREST
)
1394 /* We cannot contact the domain if it is running AD and
1395 we have no inbound trust */
1397 if ( domain
->active_directory
&&
1398 ((domain
->domain_flags
&DS_DOMAIN_DIRECT_INBOUND
) != DS_DOMAIN_DIRECT_INBOUND
) )
1403 /* Assume everything else is ok (probably not true but what
1409 /*********************************************************************
1410 ********************************************************************/
1412 bool winbindd_internal_child(struct winbindd_child
*child
)
1414 if ((child
== idmap_child()) || (child
== locator_child())) {
1421 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1423 /*********************************************************************
1424 ********************************************************************/
1426 static void winbindd_set_locator_kdc_env(const struct winbindd_domain
*domain
)
1429 char addr
[INET6_ADDRSTRLEN
];
1430 const char *kdc
= NULL
;
1433 if (!domain
|| !domain
->alt_name
|| !*domain
->alt_name
) {
1437 if (domain
->initialized
&& !domain
->active_directory
) {
1438 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s not AD\n",
1443 print_sockaddr(addr
, sizeof(addr
), &domain
->dcaddr
);
1446 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1448 kdc
= domain
->dcname
;
1451 if (!kdc
|| !*kdc
) {
1452 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1457 if (asprintf_strupper_m(&var
, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS
,
1458 domain
->alt_name
) == -1) {
1462 DEBUG(lvl
,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1465 setenv(var
, kdc
, 1);
1469 /*********************************************************************
1470 ********************************************************************/
1472 void winbindd_set_locator_kdc_envs(const struct winbindd_domain
*domain
)
1474 struct winbindd_domain
*our_dom
= find_our_domain();
1476 winbindd_set_locator_kdc_env(domain
);
1478 if (domain
!= our_dom
) {
1479 winbindd_set_locator_kdc_env(our_dom
);
1483 /*********************************************************************
1484 ********************************************************************/
1486 void winbindd_unset_locator_kdc_env(const struct winbindd_domain
*domain
)
1490 if (!domain
|| !domain
->alt_name
|| !*domain
->alt_name
) {
1494 if (asprintf_strupper_m(&var
, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS
,
1495 domain
->alt_name
) == -1) {
1504 void winbindd_set_locator_kdc_envs(const struct winbindd_domain
*domain
)
1509 void winbindd_unset_locator_kdc_env(const struct winbindd_domain
*domain
)
1514 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */