source/nsswitch/winbindd_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Winbind daemon for ntdom nss module
   5
   6    Copyright (C) Tim Potter 2000-2001
   7    Copyright (C) 2001 by Martin Pool <mbp@samba.org>
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "winbindd.h"
  25 #include "sids.h"
  26
  27 /**
  28  * @file winbindd_util.c
  29  *
  30  * Winbind daemon for NT domain authentication nss module.
  31  **/
  32
  33
  34 /**
  35  * Used to clobber name fields that have an undefined value.
  36  *
  37  * Correct code should never look at a field that has this value.
  38  **/
  39
  40 static const fstring name_deadbeef = "<deadbeef>";
  41
  42 /* The list of trusted domains.  Note that the list can be deleted and
  43    recreated using the init_domain_list() function so pointers to
  44    individual winbindd_domain structures cannot be made.  Keep a copy of
  45    the domain name instead. */
  46
  47 static struct winbindd_domain *_domain_list;
  48
  49 struct winbindd_domain *domain_list(void)
  50 {
  51         /* Initialise list */
  52
  53         if (!_domain_list)
  54                 init_domain_list();
  55
  56         return _domain_list;
  57 }
  58
  59 /* Free all entries in the trusted domain list */
  60
  61 void free_domain_list(void)
  62 {
  63         struct winbindd_domain *domain = _domain_list;
  64
  65         while(domain) {
  66                 struct winbindd_domain *next = domain->next;
  67
  68                 DLIST_REMOVE(_domain_list, domain);
  69                 SAFE_FREE(domain);
  70                 domain = next;
  71         }
  72 }
  73
  74 /* Add a trusted domain to our list of domains */
  75
  76 static struct winbindd_domain *add_trusted_domain(char *domain_name,
  77                                                   struct winbindd_methods *methods)
  78 {
  79         struct winbindd_domain *domain;
  80
  81         /* We can't call domain_list() as this function is called from
  82            init_domain_list() and we'll get stuck in a loop. */
  83
  84         for (domain = _domain_list; domain; domain = domain->next) {
  85                 if (strcmp(domain_name, domain->name) == 0) {
  86                         DEBUG(3, ("domain %s already in domain list\n",
  87                                   domain_name));
  88                         return domain;
  89                 }
  90         }
  91
  92         /* Create new domain entry */
  93
  94         if ((domain = (struct winbindd_domain *)
  95              malloc(sizeof(*domain))) == NULL)
  96                 return NULL;
  97
  98         /* Fill in fields */
  99
 100         ZERO_STRUCTP(domain);
 101
 102         fstrcpy(domain->name, domain_name);
 103         domain->methods = methods;
 104         domain->sequence_number = DOM_SEQUENCE_NONE;
 105         domain->last_seq_check = 0;
 106
 107         /* Link to domain list */
 108
 109         DLIST_ADD(_domain_list, domain);
 110
 111         return domain;
 112 }
 113
 114 /* Look up global info for the winbind daemon */
 115
 116 BOOL init_domain_list(void)
 117 {
 118         NTSTATUS result;
 119         TALLOC_CTX *mem_ctx;
 120         extern struct winbindd_methods cache_methods;
 121         struct winbindd_domain *domain;
 122         DOM_SID *dom_sids;
 123         char **names;
 124         int num_domains = 0;
 125
 126         if (!(mem_ctx = talloc_init_named("init_domain_list")))
 127                 return False;
 128
 129         /* Free existing list */
 130
 131         free_domain_list();
 132
 133         /* Add ourselves as the first entry */
 134
 135         domain = add_trusted_domain(lp_workgroup(), &cache_methods);
 136
 137         /* Now we *must* get the domain sid for our primary domain. Go into
 138            a holding pattern until that is available */
 139
 140         result = cache_methods.domain_sid(domain, &domain->sid);
 141         while (!NT_STATUS_IS_OK(result)) {
 142                 sleep(10);
 143                 DEBUG(1,("Retrying startup domain sid fetch for %s\n",
 144                          domain->name));
 145                 result = cache_methods.domain_sid(domain, &domain->sid);
 146         }
 147
 148         DEBUG(1,("Added domain %s (%s)\n",
 149                  domain->name,
 150                  sid_string_static(&domain->sid)));
 151
 152         DEBUG(1, ("getting trusted domain list\n"));
 153
 154         result = cache_methods.trusted_domains(domain, mem_ctx, (uint *)&num_domains,
 155                                                &names, &dom_sids);
 156
 157         /* Add each domain to the trusted domain list */
 158         if (NT_STATUS_IS_OK(result)) {
 159                 int i;
 160                 for(i = 0; i < num_domains; i++) {
 161                         domain = add_trusted_domain(names[i], &cache_methods);
 162                         if (!domain) continue;
 163                         sid_copy(&domain->sid, &dom_sids[i]);
 164                         DEBUG(1,("Added domain %s (%s)\n",
 165                                  domain->name,
 166                                  sid_string_static(&domain->sid)));
 167                 }
 168         }
 169
 170         talloc_destroy(mem_ctx);
 171         return True;
 172 }
 173
 174 /* Given a domain name, return the struct winbindd domain info for it
 175    if it is actually working. */
 176
 177 struct winbindd_domain *find_domain_from_name(const char *domain_name)
 178 {
 179         struct winbindd_domain *domain;
 180
 181         /* Search through list */
 182
 183         for (domain = domain_list(); domain != NULL; domain = domain->next) {
 184                 if (strequal(domain_name, domain->name) ||
 185                     strequal(domain_name, domain->full_name))
 186                         return domain;
 187         }
 188
 189         /* Not found */
 190
 191         return NULL;
 192 }
 193
 194 /* Given a domain sid, return the struct winbindd domain info for it */
 195
 196 struct winbindd_domain *find_domain_from_sid(DOM_SID *sid)
 197 {
 198         struct winbindd_domain *domain;
 199
 200         /* Search through list */
 201
 202         for (domain = domain_list(); domain != NULL; domain = domain->next) {
 203                 if (sid_compare_domain(sid, &domain->sid) == 0)
 204                         return domain;
 205         }
 206
 207         /* Not found */
 208
 209         return NULL;
 210 }
 211
 212 /* Lookup a sid in a domain from a name */
 213
 214 BOOL winbindd_lookup_sid_by_name(struct winbindd_domain *domain,
 215                                  const char *name, DOM_SID *sid,
 216                                  enum SID_NAME_USE *type)
 217 {
 218         NTSTATUS result;
 219
 220         /* Don't bother with machine accounts */
 221
 222         if (name[strlen(name) - 1] == '$')
 223                 return False;
 224
 225         /* Lookup name */
 226         result = domain->methods->name_to_sid(domain, name, sid, type);
 227
 228         /* Return rid and type if lookup successful */
 229         if (!NT_STATUS_IS_OK(result)) {
 230                 *type = SID_NAME_UNKNOWN;
 231         }
 232
 233         return NT_STATUS_IS_OK(result);
 234 }
 235
 236 /**
 237  * @brief Lookup a name in a domain from a sid.
 238  *
 239  * @param sid Security ID you want to look up.
 240  *
 241  * @param name On success, set to the name corresponding to @p sid.
 242  *
 243  * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
 244  *
 245  * @param type On success, contains the type of name: alias, group or
 246  * user.
 247  *
 248  * @retval True if the name exists, in which case @p name and @p type
 249  * are set, otherwise False.
 250  **/
 251 BOOL winbindd_lookup_name_by_sid(DOM_SID *sid,
 252                                  fstring dom_name,
 253                                  fstring name,
 254                                  enum SID_NAME_USE *type)
 255 {
 256         char *names;
 257         NTSTATUS result;
 258         TALLOC_CTX *mem_ctx;
 259         BOOL rv = False;
 260         struct winbindd_domain *domain;
 261
 262         domain = find_domain_from_sid(sid);
 263
 264         if (!domain) {
 265                 DEBUG(1,("Can't find domain from sid\n"));
 266                 return False;
 267         }
 268
 269         /* Lookup name */
 270
 271         if (!(mem_ctx = talloc_init_named("winbindd_lookup_name_by_sid")))
 272                 return False;
 273
 274         result = domain->methods->sid_to_name(domain, mem_ctx, sid, &names, type);
 275
 276         /* Return name and type if successful */
 277
 278         if ((rv = NT_STATUS_IS_OK(result))) {
 279                 fstrcpy(dom_name, domain->name);
 280                 fstrcpy(name, names);
 281         } else {
 282                 *type = SID_NAME_UNKNOWN;
 283                 fstrcpy(name, name_deadbeef);
 284         }
 285
 286         talloc_destroy(mem_ctx);
 287
 288         return rv;
 289 }
 290
 291
 292 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
 293
 294 void free_getent_state(struct getent_state *state)
 295 {
 296         struct getent_state *temp;
 297
 298         /* Iterate over state list */
 299
 300         temp = state;
 301
 302         while(temp != NULL) {
 303                 struct getent_state *next;
 304
 305                 /* Free sam entries then list entry */
 306
 307                 SAFE_FREE(state->sam_entries);
 308                 DLIST_REMOVE(state, state);
 309                 next = temp->next;
 310
 311                 SAFE_FREE(temp);
 312                 temp = next;
 313         }
 314 }
 315
 316 /* Initialise trusted domain info */
 317
 318 BOOL winbindd_param_init(void)
 319 {
 320         /* Parse winbind uid and winbind_gid parameters */
 321
 322         if (!lp_winbind_uid(&server_state.uid_low, &server_state.uid_high)) {
 323                 DEBUG(0, ("winbind uid range missing or invalid\n"));
 324                 return False;
 325         }
 326
 327         if (!lp_winbind_gid(&server_state.gid_low, &server_state.gid_high)) {
 328                 DEBUG(0, ("winbind gid range missing or invalid\n"));
 329                 return False;
 330         }
 331
 332         return True;
 333 }
 334
 335 /* Check if a domain is present in a comma-separated list of domains */
 336
 337 BOOL check_domain_env(char *domain_env, char *domain)
 338 {
 339         fstring name;
 340         char *tmp = domain_env;
 341
 342         while(next_token(&tmp, name, ",", sizeof(fstring))) {
 343                 if (strequal(name, domain))
 344                         return True;
 345         }
 346
 347         return False;
 348 }
 349
 350 /* Parse a string of the form DOMAIN/user into a domain and a user */
 351 extern fstring global_myworkgroup;
 352
 353 BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
 354 {
 355         char *p = strchr(domuser,*lp_winbind_separator());
 356
 357         if (!(p || lp_winbind_use_default_domain()))
 358                 return False;
 359
 360         if(!p && lp_winbind_use_default_domain()) {
 361                 fstrcpy(user, domuser);
 362                 fstrcpy(domain, global_myworkgroup);
 363         } else {
 364                 fstrcpy(user, p+1);
 365                 fstrcpy(domain, domuser);
 366                 domain[PTR_DIFF(p, domuser)] = 0;
 367         }
 368         strupper(domain);
 369         return True;
 370 }
 371
 372 /*
 373     Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
 374     'winbind separator' options.
 375     This means:
 376         - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
 377         global_myworkgroup
 378
 379 */
 380 void fill_domain_username(fstring name, const char *domain, const char *user)
 381 {
 382         if(lp_winbind_use_default_domain() &&
 383             !strcmp(global_myworkgroup, domain)) {
 384                 strlcpy(name, user, sizeof(fstring));
 385         } else {
 386                 slprintf(name, sizeof(fstring) - 1, "%s%s%s",
 387                          domain, lp_winbind_separator(),
 388                          user);
 389         }
 390 }