2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
32 #define DBGC_CLASS DBGC_WINBIND
34 extern struct winbindd_methods cache_methods
;
37 * @file winbindd_util.cq
39 * Winbind daemon for NT domain authentication nss module.
43 /* The list of trusted domains. Note that the list can be deleted and
44 recreated using the init_domain_list() function so pointers to
45 individual winbindd_domain structures cannot be made. Keep a copy of
46 the domain name instead. */
48 static struct winbindd_domain
*_domain_list
= NULL
;
50 struct winbindd_domain
*domain_list(void)
54 if ((!_domain_list
) && (!init_domain_list())) {
55 smb_panic("Init_domain_list failed");
61 /* Free all entries in the trusted domain list */
63 static void free_domain_list(void)
65 struct winbindd_domain
*domain
= _domain_list
;
68 struct winbindd_domain
*next
= domain
->next
;
70 DLIST_REMOVE(_domain_list
, domain
);
76 static bool is_internal_domain(const struct dom_sid
*sid
)
81 return (sid_check_is_our_sam(sid
) || sid_check_is_builtin(sid
));
84 static bool is_in_internal_domain(const struct dom_sid
*sid
)
89 return (sid_check_is_in_our_sam(sid
) || sid_check_is_in_builtin(sid
));
93 /* Add a trusted domain to our list of domains.
94 If the domain already exists in the list,
95 return it and don't re-initialize. */
97 static struct winbindd_domain
*add_trusted_domain(const char *domain_name
, const char *alt_name
,
98 struct winbindd_methods
*methods
,
99 const struct dom_sid
*sid
)
101 struct winbindd_domain
*domain
;
102 const char *alternative_name
= NULL
;
103 char *idmap_config_option
;
105 const char **ignored_domains
, **dom
;
106 int role
= lp_server_role();
108 ignored_domains
= lp_parm_string_list(-1, "winbind", "ignore domains", NULL
);
109 for (dom
=ignored_domains
; dom
&& *dom
; dom
++) {
110 if (gen_fnmatch(*dom
, domain_name
) == 0) {
111 DEBUG(2,("Ignoring domain '%s'\n", domain_name
));
116 /* use alt_name if available to allow DNS lookups */
118 if (alt_name
&& *alt_name
) {
119 alternative_name
= alt_name
;
122 /* We can't call domain_list() as this function is called from
123 init_domain_list() and we'll get stuck in a loop. */
124 for (domain
= _domain_list
; domain
; domain
= domain
->next
) {
125 if (strequal(domain_name
, domain
->name
) ||
126 strequal(domain_name
, domain
->alt_name
))
131 if (alternative_name
&& *alternative_name
)
133 if (strequal(alternative_name
, domain
->name
) ||
134 strequal(alternative_name
, domain
->alt_name
))
142 if (is_null_sid(sid
)) {
146 if (dom_sid_equal(sid
, &domain
->sid
)) {
152 if (domain
!= NULL
) {
154 * We found a match on domain->name or
155 * domain->alt_name. Possibly update the SID
156 * if the stored SID was the NULL SID
157 * and return the matching entry.
160 && dom_sid_equal(&domain
->sid
, &global_sid_NULL
)) {
161 sid_copy( &domain
->sid
, sid
);
166 /* Create new domain entry */
167 domain
= talloc_zero(NULL
, struct winbindd_domain
);
168 if (domain
== NULL
) {
172 domain
->children
= talloc_zero_array(domain
,
173 struct winbindd_child
,
174 lp_winbind_max_domain_connections());
175 if (domain
->children
== NULL
) {
180 domain
->name
= talloc_strdup(domain
, domain_name
);
181 if (domain
->name
== NULL
) {
186 if (alternative_name
) {
187 domain
->alt_name
= talloc_strdup(domain
, alternative_name
);
188 if (domain
->alt_name
== NULL
) {
194 domain
->methods
= methods
;
195 domain
->backend
= NULL
;
196 domain
->internal
= is_internal_domain(sid
);
197 domain
->sequence_number
= DOM_SEQUENCE_NONE
;
198 domain
->last_seq_check
= 0;
199 domain
->initialized
= False
;
200 domain
->online
= is_internal_domain(sid
);
201 domain
->check_online_timeout
= 0;
202 domain
->dc_probe_pid
= (pid_t
)-1;
204 sid_copy(&domain
->sid
, sid
);
207 /* Is this our primary domain ? */
208 if (strequal(domain_name
, get_global_sam_name()) &&
209 (role
!= ROLE_DOMAIN_MEMBER
)) {
210 domain
->primary
= true;
211 } else if (strequal(domain_name
, lp_workgroup()) &&
212 (role
== ROLE_DOMAIN_MEMBER
)) {
213 domain
->primary
= true;
216 if (domain
->primary
) {
217 if (role
== ROLE_ACTIVE_DIRECTORY_DC
) {
218 domain
->active_directory
= true;
220 if (lp_security() == SEC_ADS
) {
221 domain
->active_directory
= true;
225 /* Link to domain list */
226 DLIST_ADD_END(_domain_list
, domain
, struct winbindd_domain
*);
228 wcache_tdc_add_domain( domain
);
230 idmap_config_option
= talloc_asprintf(talloc_tos(), "idmap config %s",
232 if (idmap_config_option
== NULL
) {
233 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
237 param
= lp_parm_const_string(-1, idmap_config_option
, "range", NULL
);
239 DEBUG(10, ("%s : range = %s\n", idmap_config_option
,
240 param
? param
: "not defined"));
243 unsigned low_id
, high_id
;
244 if (sscanf(param
, "%u - %u", &low_id
, &high_id
) != 2) {
245 DEBUG(1, ("invalid range syntax in %s: %s\n",
246 idmap_config_option
, param
));
249 if (low_id
> high_id
) {
250 DEBUG(1, ("invalid range in %s: %s\n",
251 idmap_config_option
, param
));
254 domain
->have_idmap_config
= true;
255 domain
->id_range_low
= low_id
;
256 domain
->id_range_high
= high_id
;
261 setup_domain_child(domain
);
263 DEBUG(2,("Added domain %s %s %s\n",
264 domain
->name
, domain
->alt_name
,
265 &domain
->sid
?sid_string_dbg(&domain
->sid
):""));
270 bool domain_is_forest_root(const struct winbindd_domain
*domain
)
272 const uint32_t fr_flags
=
273 (NETR_TRUST_FLAG_TREEROOT
|NETR_TRUST_FLAG_IN_FOREST
);
275 return ((domain
->domain_flags
& fr_flags
) == fr_flags
);
278 /********************************************************************
279 rescan our domains looking for new trusted domains
280 ********************************************************************/
282 struct trustdom_state
{
283 struct winbindd_domain
*domain
;
284 struct winbindd_request request
;
287 static void trustdom_list_done(struct tevent_req
*req
);
288 static void rescan_forest_root_trusts( void );
289 static void rescan_forest_trusts( void );
291 static void add_trusted_domains( struct winbindd_domain
*domain
)
293 struct trustdom_state
*state
;
294 struct tevent_req
*req
;
296 state
= talloc_zero(NULL
, struct trustdom_state
);
298 DEBUG(0, ("talloc failed\n"));
301 state
->domain
= domain
;
303 state
->request
.length
= sizeof(state
->request
);
304 state
->request
.cmd
= WINBINDD_LIST_TRUSTDOM
;
306 req
= wb_domain_request_send(state
, winbind_event_context(),
307 domain
, &state
->request
);
309 DEBUG(1, ("wb_domain_request_send failed\n"));
313 tevent_req_set_callback(req
, trustdom_list_done
, state
);
316 static void trustdom_list_done(struct tevent_req
*req
)
318 struct trustdom_state
*state
= tevent_req_callback_data(
319 req
, struct trustdom_state
);
320 struct winbindd_response
*response
;
324 res
= wb_domain_request_recv(req
, state
, &response
, &err
);
325 if ((res
== -1) || (response
->result
!= WINBINDD_OK
)) {
326 DEBUG(1, ("Could not receive trustdoms\n"));
331 p
= (char *)response
->extra_data
.data
;
333 while ((p
!= NULL
) && (*p
!= '\0')) {
334 char *q
, *sidstr
, *alt_name
;
336 char *alternate_name
= NULL
;
338 alt_name
= strchr(p
, '\\');
339 if (alt_name
== NULL
) {
340 DEBUG(0, ("Got invalid trustdom response\n"));
347 sidstr
= strchr(alt_name
, '\\');
348 if (sidstr
== NULL
) {
349 DEBUG(0, ("Got invalid trustdom response\n"));
356 q
= strchr(sidstr
, '\n');
360 if (!string_to_sid(&sid
, sidstr
)) {
361 DEBUG(0, ("Got invalid trustdom response\n"));
365 /* use the real alt_name if we have one, else pass in NULL */
367 if ( !strequal( alt_name
, "(null)" ) )
368 alternate_name
= alt_name
;
371 * We always call add_trusted_domain() cause on an existing
372 * domain structure, it will update the SID if necessary.
373 * This is important because we need the SID for sibling
376 (void)add_trusted_domain(p
, alternate_name
,
386 Cases to consider when scanning trusts:
387 (a) we are calling from a child domain (primary && !forest_root)
388 (b) we are calling from the root of the forest (primary && forest_root)
389 (c) we are calling from a trusted forest domain (!primary
393 if (state
->domain
->primary
) {
394 /* If this is our primary domain and we are not in the
395 forest root, we have to scan the root trusts first */
397 if (!domain_is_forest_root(state
->domain
))
398 rescan_forest_root_trusts();
400 rescan_forest_trusts();
402 } else if (domain_is_forest_root(state
->domain
)) {
403 /* Once we have done root forest trust search, we can
404 go on to search the trusted forests */
406 rescan_forest_trusts();
414 /********************************************************************
415 Scan the trusts of our forest root
416 ********************************************************************/
418 static void rescan_forest_root_trusts( void )
420 struct winbindd_tdc_domain
*dom_list
= NULL
;
421 size_t num_trusts
= 0;
424 /* The only transitive trusts supported by Windows 2003 AD are
425 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
426 first two are handled in forest and listed by
427 DsEnumerateDomainTrusts(). Forest trusts are not so we
428 have to do that ourselves. */
430 if ( !wcache_tdc_fetch_list( &dom_list
, &num_trusts
) )
433 for ( i
=0; i
<num_trusts
; i
++ ) {
434 struct winbindd_domain
*d
= NULL
;
436 /* Find the forest root. Don't necessarily trust
437 the domain_list() as our primary domain may not
438 have been initialized. */
440 if ( !(dom_list
[i
].trust_flags
& NETR_TRUST_FLAG_TREEROOT
) ) {
444 /* Here's the forest root */
446 d
= find_domain_from_name_noinit( dom_list
[i
].domain_name
);
449 d
= add_trusted_domain( dom_list
[i
].domain_name
,
450 dom_list
[i
].dns_name
,
459 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
460 "for domain tree root %s (%s)\n",
461 d
->name
, d
->alt_name
));
463 d
->domain_flags
= dom_list
[i
].trust_flags
;
464 d
->domain_type
= dom_list
[i
].trust_type
;
465 d
->domain_trust_attribs
= dom_list
[i
].trust_attribs
;
467 add_trusted_domains( d
);
472 TALLOC_FREE( dom_list
);
477 /********************************************************************
478 scan the transitive forest trusts (not our own)
479 ********************************************************************/
482 static void rescan_forest_trusts( void )
484 struct winbindd_domain
*d
= NULL
;
485 struct winbindd_tdc_domain
*dom_list
= NULL
;
486 size_t num_trusts
= 0;
489 /* The only transitive trusts supported by Windows 2003 AD are
490 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
491 first two are handled in forest and listed by
492 DsEnumerateDomainTrusts(). Forest trusts are not so we
493 have to do that ourselves. */
495 if ( !wcache_tdc_fetch_list( &dom_list
, &num_trusts
) )
498 for ( i
=0; i
<num_trusts
; i
++ ) {
499 uint32 flags
= dom_list
[i
].trust_flags
;
500 uint32 type
= dom_list
[i
].trust_type
;
501 uint32 attribs
= dom_list
[i
].trust_attribs
;
503 d
= find_domain_from_name_noinit( dom_list
[i
].domain_name
);
505 /* ignore our primary and internal domains */
507 if ( d
&& (d
->internal
|| d
->primary
) )
510 if ( (flags
& NETR_TRUST_FLAG_INBOUND
) &&
511 (type
== LSA_TRUST_TYPE_UPLEVEL
) &&
512 (attribs
== LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
) )
514 /* add the trusted domain if we don't know
518 d
= add_trusted_domain( dom_list
[i
].domain_name
,
519 dom_list
[i
].dns_name
,
528 DEBUG(10,("Following trust path for domain %s (%s)\n",
529 d
->name
, d
->alt_name
));
530 add_trusted_domains( d
);
534 TALLOC_FREE( dom_list
);
539 /*********************************************************************
540 The process of updating the trusted domain list is a three step
543 (b) ask the root domain in our forest
544 (c) ask the a DC in any Win2003 trusted forests
545 *********************************************************************/
547 void rescan_trusted_domains(struct tevent_context
*ev
, struct tevent_timer
*te
,
548 struct timeval now
, void *private_data
)
552 /* I use to clear the cache here and start over but that
553 caused problems in child processes that needed the
554 trust dom list early on. Removing it means we
555 could have some trusted domains listed that have been
556 removed from our primary domain's DC until a full
557 restart. This should be ok since I think this is what
558 Windows does as well. */
560 /* this will only add new domains we didn't already know about
561 in the domain_list()*/
563 add_trusted_domains( find_our_domain() );
565 te
= tevent_add_timer(
566 ev
, NULL
, timeval_current_ofs(WINBINDD_RESCAN_FREQ
, 0),
567 rescan_trusted_domains
, NULL
);
569 * If te == NULL, there's not much we can do here. Don't fail, the
570 * only thing we miss is new trusted domains.
576 enum winbindd_result
winbindd_dual_init_connection(struct winbindd_domain
*domain
,
577 struct winbindd_cli_state
*state
)
579 /* Ensure null termination */
580 state
->request
->domain_name
581 [sizeof(state
->request
->domain_name
)-1]='\0';
582 state
->request
->data
.init_conn
.dcname
583 [sizeof(state
->request
->data
.init_conn
.dcname
)-1]='\0';
585 if (strlen(state
->request
->data
.init_conn
.dcname
) > 0) {
586 fstrcpy(domain
->dcname
, state
->request
->data
.init_conn
.dcname
);
589 init_dc_connection(domain
, false);
591 if (!domain
->initialized
) {
592 /* If we return error here we can't do any cached authentication,
593 but we may be in disconnected mode and can't initialize correctly.
594 Do what the previous code did and just return without initialization,
595 once we go online we'll re-initialize.
597 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
598 "online = %d\n", domain
->name
, (int)domain
->online
));
601 fstrcpy(state
->response
->data
.domain_info
.name
, domain
->name
);
602 fstrcpy(state
->response
->data
.domain_info
.alt_name
, domain
->alt_name
);
603 sid_to_fstring(state
->response
->data
.domain_info
.sid
, &domain
->sid
);
605 state
->response
->data
.domain_info
.native_mode
606 = domain
->native_mode
;
607 state
->response
->data
.domain_info
.active_directory
608 = domain
->active_directory
;
609 state
->response
->data
.domain_info
.primary
615 /* Look up global info for the winbind daemon */
616 bool init_domain_list(void)
618 int role
= lp_server_role();
620 /* Free existing list */
625 (void)add_trusted_domain("BUILTIN", NULL
, &cache_methods
,
626 &global_sid_Builtin
);
630 if ( role
== ROLE_ACTIVE_DIRECTORY_DC
) {
631 struct winbindd_domain
*domain
;
632 enum netr_SchannelType sec_chan_type
;
633 const char *account_name
;
634 struct samr_Password current_nt_hash
;
637 domain
= add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
638 &cache_methods
, get_global_sam_sid());
639 if (domain
== NULL
) {
640 DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
645 * We need to call this to find out if we are an RODC
647 ok
= get_trust_pw_hash(domain
->name
,
648 current_nt_hash
.hash
,
652 DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
655 if (sec_chan_type
== SEC_CHAN_RODC
) {
660 (void)add_trusted_domain(get_global_sam_name(), NULL
,
661 &cache_methods
, get_global_sam_sid());
663 /* Add ourselves as the first entry. */
665 if ( role
== ROLE_DOMAIN_MEMBER
) {
666 struct winbindd_domain
*domain
;
667 struct dom_sid our_sid
;
669 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid
)) {
670 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
674 domain
= add_trusted_domain( lp_workgroup(), lp_realm(),
675 &cache_methods
, &our_sid
);
677 /* Even in the parent winbindd we'll need to
678 talk to the DC, so try and see if we can
679 contact it. Theoretically this isn't neccessary
680 as the init_dc_connection() in init_child_recv()
681 will do this, but we can start detecting the DC
683 set_domain_online_request(domain
);
691 * Given a domain name, return the struct winbindd domain info for it
693 * @note Do *not* pass lp_workgroup() to this function. domain_list
694 * may modify it's value, and free that pointer. Instead, our local
695 * domain may be found by calling find_our_domain().
699 * @return The domain structure for the named domain, if it is working.
702 struct winbindd_domain
*find_domain_from_name_noinit(const char *domain_name
)
704 struct winbindd_domain
*domain
;
706 /* Search through list */
708 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
709 if (strequal(domain_name
, domain
->name
) ||
710 (domain
->alt_name
!= NULL
&&
711 strequal(domain_name
, domain
->alt_name
))) {
721 struct winbindd_domain
*find_domain_from_name(const char *domain_name
)
723 struct winbindd_domain
*domain
;
725 domain
= find_domain_from_name_noinit(domain_name
);
730 if (!domain
->initialized
)
731 init_dc_connection(domain
, false);
736 /* Given a domain sid, return the struct winbindd domain info for it */
738 struct winbindd_domain
*find_domain_from_sid_noinit(const struct dom_sid
*sid
)
740 struct winbindd_domain
*domain
;
742 /* Search through list */
744 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
745 if (dom_sid_compare_domain(sid
, &domain
->sid
) == 0)
754 /* Given a domain sid, return the struct winbindd domain info for it */
756 struct winbindd_domain
*find_domain_from_sid(const struct dom_sid
*sid
)
758 struct winbindd_domain
*domain
;
760 domain
= find_domain_from_sid_noinit(sid
);
765 if (!domain
->initialized
)
766 init_dc_connection(domain
, false);
771 struct winbindd_domain
*find_our_domain(void)
773 struct winbindd_domain
*domain
;
775 /* Search through list */
777 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
782 smb_panic("Could not find our domain");
786 struct winbindd_domain
*find_root_domain(void)
788 struct winbindd_domain
*ours
= find_our_domain();
790 if (ours
->forest_name
== NULL
) {
794 return find_domain_from_name( ours
->forest_name
);
797 struct winbindd_domain
*find_builtin_domain(void)
799 struct winbindd_domain
*domain
;
801 domain
= find_domain_from_sid(&global_sid_Builtin
);
802 if (domain
== NULL
) {
803 smb_panic("Could not find BUILTIN domain");
809 /* Find the appropriate domain to lookup a name or SID */
811 struct winbindd_domain
*find_lookup_domain_from_sid(const struct dom_sid
*sid
)
813 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
815 if ( sid_check_is_in_unix_groups(sid
) ||
816 sid_check_is_unix_groups(sid
) ||
817 sid_check_is_in_unix_users(sid
) ||
818 sid_check_is_unix_users(sid
) )
820 return find_domain_from_sid(get_global_sam_sid());
823 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
824 * one to contact the external DC's. On member servers the internal
825 * domains are different: These are part of the local SAM. */
827 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid
)));
829 if (IS_DC
|| is_internal_domain(sid
) || is_in_internal_domain(sid
)) {
830 DEBUG(10, ("calling find_domain_from_sid\n"));
831 return find_domain_from_sid(sid
);
834 /* On a member server a query for SID or name can always go to our
837 DEBUG(10, ("calling find_our_domain\n"));
838 return find_our_domain();
841 struct winbindd_domain
*find_lookup_domain_from_name(const char *domain_name
)
843 if ( strequal(domain_name
, unix_users_domain_name() ) ||
844 strequal(domain_name
, unix_groups_domain_name() ) )
847 * The "Unix User" and "Unix Group" domain our handled by
850 return find_domain_from_name_noinit( get_global_sam_name() );
853 if (IS_DC
|| strequal(domain_name
, "BUILTIN") ||
854 strequal(domain_name
, get_global_sam_name()))
855 return find_domain_from_name_noinit(domain_name
);
858 return find_our_domain();
861 /* Is this a domain which we may assume no DOMAIN\ prefix? */
863 static bool assume_domain(const char *domain
)
865 /* never assume the domain on a standalone server */
867 if ( lp_server_role() == ROLE_STANDALONE
)
870 /* domain member servers may possibly assume for the domain name */
872 if ( lp_server_role() == ROLE_DOMAIN_MEMBER
) {
873 if ( !strequal(lp_workgroup(), domain
) )
876 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
880 /* only left with a domain controller */
882 if ( strequal(get_global_sam_name(), domain
) ) {
889 /* Parse a string of the form DOMAIN\user into a domain and a user */
891 bool parse_domain_user(const char *domuser
, fstring domain
, fstring user
)
893 char *p
= strchr(domuser
,*lp_winbind_separator());
896 fstrcpy(user
, domuser
);
898 if ( assume_domain(lp_workgroup())) {
899 fstrcpy(domain
, lp_workgroup());
900 } else if ((p
= strchr(domuser
, '@')) != NULL
) {
901 fstrcpy(domain
, p
+ 1);
902 user
[PTR_DIFF(p
, domuser
)] = 0;
908 fstrcpy(domain
, domuser
);
909 domain
[PTR_DIFF(p
, domuser
)] = 0;
912 return strupper_m(domain
);
915 bool parse_domain_user_talloc(TALLOC_CTX
*mem_ctx
, const char *domuser
,
916 char **domain
, char **user
)
918 fstring fstr_domain
, fstr_user
;
919 if (!parse_domain_user(domuser
, fstr_domain
, fstr_user
)) {
922 *domain
= talloc_strdup(mem_ctx
, fstr_domain
);
923 *user
= talloc_strdup(mem_ctx
, fstr_user
);
924 return ((*domain
!= NULL
) && (*user
!= NULL
));
927 /* Ensure an incoming username from NSS is fully qualified. Replace the
928 incoming fstring with DOMAIN <separator> user. Returns the same
929 values as parse_domain_user() but also replaces the incoming username.
930 Used to ensure all names are fully qualified within winbindd.
931 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
932 The protocol definitions of auth_crap, chng_pswd_auth_crap
933 really should be changed to use this instead of doing things
936 bool canonicalize_username(fstring username_inout
, fstring domain
, fstring user
)
938 if (!parse_domain_user(username_inout
, domain
, user
)) {
941 slprintf(username_inout
, sizeof(fstring
) - 1, "%s%c%s",
942 domain
, *lp_winbind_separator(),
948 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
949 'winbind separator' options.
951 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
954 If we are a PDC or BDC, and this is for our domain, do likewise.
956 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
957 username is then unqualified in unix
959 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
961 void fill_domain_username(fstring name
, const char *domain
, const char *user
, bool can_assume
)
965 fstrcpy(tmp_user
, user
);
966 (void)strlower_m(tmp_user
);
968 if (can_assume
&& assume_domain(domain
)) {
969 strlcpy(name
, tmp_user
, sizeof(fstring
));
971 slprintf(name
, sizeof(fstring
) - 1, "%s%c%s",
972 domain
, *lp_winbind_separator(),
978 * talloc version of fill_domain_username()
979 * return NULL on talloc failure.
981 char *fill_domain_username_talloc(TALLOC_CTX
*mem_ctx
,
986 char *tmp_user
, *name
;
988 tmp_user
= talloc_strdup(mem_ctx
, user
);
989 if (!strlower_m(tmp_user
)) {
990 TALLOC_FREE(tmp_user
);
994 if (can_assume
&& assume_domain(domain
)) {
997 name
= talloc_asprintf(mem_ctx
, "%s%c%s",
999 *lp_winbind_separator(),
1001 TALLOC_FREE(tmp_user
);
1008 * Client list accessor functions
1011 static struct winbindd_cli_state
*_client_list
;
1012 static int _num_clients
;
1014 /* Return list of all connected clients */
1016 struct winbindd_cli_state
*winbindd_client_list(void)
1018 return _client_list
;
1021 /* Add a connection to the list */
1023 void winbindd_add_client(struct winbindd_cli_state
*cli
)
1025 DLIST_ADD(_client_list
, cli
);
1029 /* Remove a client from the list */
1031 void winbindd_remove_client(struct winbindd_cli_state
*cli
)
1033 DLIST_REMOVE(_client_list
, cli
);
1037 /* Return number of open clients */
1039 int winbindd_num_clients(void)
1041 return _num_clients
;
1044 NTSTATUS
lookup_usergroups_cached(struct winbindd_domain
*domain
,
1045 TALLOC_CTX
*mem_ctx
,
1046 const struct dom_sid
*user_sid
,
1047 uint32_t *p_num_groups
, struct dom_sid
**user_sids
)
1049 struct netr_SamInfo3
*info3
= NULL
;
1050 NTSTATUS status
= NT_STATUS_NO_MEMORY
;
1051 uint32_t num_groups
= 0;
1053 DEBUG(3,(": lookup_usergroups_cached\n"));
1058 info3
= netsamlogon_cache_get(mem_ctx
, user_sid
);
1060 if (info3
== NULL
) {
1061 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
1064 if (info3
->base
.groups
.count
== 0) {
1066 return NT_STATUS_UNSUCCESSFUL
;
1070 * Before bug #7843 the "Domain Local" groups were added with a
1071 * lookupuseraliases call, but this isn't done anymore for our domain
1072 * so we need to resolve resource groups here.
1074 * When to use Resource Groups:
1075 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1077 status
= sid_array_from_info3(mem_ctx
, info3
,
1082 if (!NT_STATUS_IS_OK(status
)) {
1088 *p_num_groups
= num_groups
;
1089 status
= (user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
1091 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1096 /*********************************************************************
1097 We use this to remove spaces from user and group names
1098 ********************************************************************/
1100 NTSTATUS
normalize_name_map(TALLOC_CTX
*mem_ctx
,
1101 struct winbindd_domain
*domain
,
1107 if (!name
|| !normalized
) {
1108 return NT_STATUS_INVALID_PARAMETER
;
1111 if (!lp_winbind_normalize_names()) {
1112 return NT_STATUS_PROCEDURE_NOT_FOUND
;
1115 /* Alias support and whitespace replacement are mutually
1118 nt_status
= resolve_username_to_alias(mem_ctx
, domain
,
1120 if (NT_STATUS_IS_OK(nt_status
)) {
1121 /* special return code to let the caller know we
1122 mapped to an alias */
1123 return NT_STATUS_FILE_RENAMED
;
1126 /* check for an unreachable domain */
1128 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
)) {
1129 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1131 set_domain_offline(domain
);
1135 /* deal with whitespace */
1137 *normalized
= talloc_strdup(mem_ctx
, name
);
1138 if (!(*normalized
)) {
1139 return NT_STATUS_NO_MEMORY
;
1142 all_string_sub( *normalized
, " ", "_", 0 );
1144 return NT_STATUS_OK
;
1147 /*********************************************************************
1148 We use this to do the inverse of normalize_name_map()
1149 ********************************************************************/
1151 NTSTATUS
normalize_name_unmap(TALLOC_CTX
*mem_ctx
,
1156 struct winbindd_domain
*domain
= find_our_domain();
1158 if (!name
|| !normalized
) {
1159 return NT_STATUS_INVALID_PARAMETER
;
1162 if (!lp_winbind_normalize_names()) {
1163 return NT_STATUS_PROCEDURE_NOT_FOUND
;
1166 /* Alias support and whitespace replacement are mutally
1169 /* When mapping from an alias to a username, we don't know the
1170 domain. But we only need a domain structure to cache
1171 a successful lookup , so just our own domain structure for
1174 nt_status
= resolve_alias_to_username(mem_ctx
, domain
,
1176 if (NT_STATUS_IS_OK(nt_status
)) {
1177 /* Special return code to let the caller know we mapped
1179 return NT_STATUS_FILE_RENAMED
;
1182 /* check for an unreachable domain */
1184 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
)) {
1185 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1187 set_domain_offline(domain
);
1191 /* deal with whitespace */
1193 *normalized
= talloc_strdup(mem_ctx
, name
);
1194 if (!(*normalized
)) {
1195 return NT_STATUS_NO_MEMORY
;
1198 all_string_sub(*normalized
, "_", " ", 0);
1200 return NT_STATUS_OK
;
1203 /*********************************************************************
1204 ********************************************************************/
1206 bool winbindd_can_contact_domain(struct winbindd_domain
*domain
)
1208 struct winbindd_tdc_domain
*tdc
= NULL
;
1209 TALLOC_CTX
*frame
= talloc_stackframe();
1212 /* We can contact the domain if it is our primary domain */
1214 if (domain
->primary
) {
1219 /* Trust the TDC cache and not the winbindd_domain flags */
1221 if ((tdc
= wcache_tdc_fetch_domain(frame
, domain
->name
)) == NULL
) {
1222 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1228 /* Can always contact a domain that is in out forest */
1230 if (tdc
->trust_flags
& NETR_TRUST_FLAG_IN_FOREST
) {
1236 * On a _member_ server, we cannot contact the domain if it
1237 * is running AD and we have no inbound trust.
1241 domain
->active_directory
&&
1242 ((tdc
->trust_flags
& NETR_TRUST_FLAG_INBOUND
) != NETR_TRUST_FLAG_INBOUND
))
1244 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1245 "and we have no inbound trust.\n", domain
->name
));
1249 /* Assume everything else is ok (probably not true but what
1255 talloc_destroy(frame
);
1260 /*********************************************************************
1261 ********************************************************************/
1263 bool winbindd_internal_child(struct winbindd_child
*child
)
1265 if ((child
== idmap_child()) || (child
== locator_child())) {
1272 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1274 /*********************************************************************
1275 ********************************************************************/
1277 static void winbindd_set_locator_kdc_env(const struct winbindd_domain
*domain
)
1280 char addr
[INET6_ADDRSTRLEN
];
1281 const char *kdc
= NULL
;
1284 if (!domain
|| !domain
->alt_name
|| !*domain
->alt_name
) {
1288 if (domain
->initialized
&& !domain
->active_directory
) {
1289 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s not AD\n",
1294 print_sockaddr(addr
, sizeof(addr
), &domain
->dcaddr
);
1297 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1299 kdc
= domain
->dcname
;
1302 if (!kdc
|| !*kdc
) {
1303 DEBUG(lvl
,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1308 if (asprintf_strupper_m(&var
, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS
,
1309 domain
->alt_name
) == -1) {
1313 DEBUG(lvl
,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1316 setenv(var
, kdc
, 1);
1320 /*********************************************************************
1321 ********************************************************************/
1323 void winbindd_set_locator_kdc_envs(const struct winbindd_domain
*domain
)
1325 struct winbindd_domain
*our_dom
= find_our_domain();
1327 winbindd_set_locator_kdc_env(domain
);
1329 if (domain
!= our_dom
) {
1330 winbindd_set_locator_kdc_env(our_dom
);
1334 /*********************************************************************
1335 ********************************************************************/
1337 void winbindd_unset_locator_kdc_env(const struct winbindd_domain
*domain
)
1341 if (!domain
|| !domain
->alt_name
|| !*domain
->alt_name
) {
1345 if (asprintf_strupper_m(&var
, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS
,
1346 domain
->alt_name
) == -1) {
1355 void winbindd_set_locator_kdc_envs(const struct winbindd_domain
*domain
)
1360 void winbindd_unset_locator_kdc_env(const struct winbindd_domain
*domain
)
1365 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1367 void set_auth_errors(struct winbindd_response
*resp
, NTSTATUS result
)
1369 resp
->data
.auth
.nt_status
= NT_STATUS_V(result
);
1370 fstrcpy(resp
->data
.auth
.nt_status_string
, nt_errstr(result
));
1372 /* we might have given a more useful error above */
1373 if (*resp
->data
.auth
.error_string
== '\0')
1374 fstrcpy(resp
->data
.auth
.error_string
,
1375 get_friendly_nt_error_msg(result
));
1376 resp
->data
.auth
.pam_error
= nt_status_to_pam(result
);
1379 bool is_domain_offline(const struct winbindd_domain
*domain
)
1381 if (!lp_winbind_offline_logon()) {
1384 if (get_global_winbindd_state_offline()) {
1387 return !domain
->online
;
1390 bool is_domain_online(const struct winbindd_domain
*domain
)
1392 return !is_domain_offline(domain
);
1396 * Parse an char array into a list of sids.
1398 * The input sidstr should consist of 0-terminated strings
1399 * representing sids, separated by newline characters '\n'.
1400 * The list is terminated by an empty string, i.e.
1401 * character '\0' directly following a character '\n'
1402 * (or '\0' right at the start of sidstr).
1404 bool parse_sidlist(TALLOC_CTX
*mem_ctx
, const char *sidstr
,
1405 struct dom_sid
**sids
, uint32_t *num_sids
)
1413 while (p
[0] != '\0') {
1415 const char *q
= NULL
;
1417 if (!dom_sid_parse_endp(p
, &sid
, &q
)) {
1418 DEBUG(1, ("Could not parse sid %s\n", p
));
1421 if ((q
== NULL
) || (q
[0] != '\n')) {
1422 DEBUG(1, ("Got invalid sidstr: %s\n", p
));
1425 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx
, &sid
, sids
,