search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:winbind: Even on a domain controller, "our" domain is internal
[Samba/aatanasov.git] / source3 / winbindd / winbindd_util.c
blob5c2ebab8363ef8bcf99ff10e4428b12085b587f1
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "winbindd.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_WINBIND
28
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
32
33
34 /**
35 * @file winbindd_util.c
36 *
37 * Winbind daemon for NT domain authentication nss module.
38 **/
39
40
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
45
46 static struct winbindd_domain *_domain_list = NULL;
47
48 struct winbindd_domain *domain_list(void)
49 {
50 /* Initialise list */
51
52 if ((!_domain_list) && (!init_domain_list())) {
53 smb_panic("Init_domain_list failed");
54 }
55
56 return _domain_list;
57 }
58
59 /* Free all entries in the trusted domain list */
60
61 void free_domain_list(void)
62 {
63 struct winbindd_domain *domain = _domain_list;
64
65 while(domain) {
66 struct winbindd_domain *next = domain->next;
67
68 DLIST_REMOVE(_domain_list, domain);
69 SAFE_FREE(domain);
70 domain = next;
71 }
72 }
73
74 static bool is_internal_domain(const DOM_SID *sid)
75 {
76 if (sid == NULL)
77 return False;
78
79 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
80 }
81
82 static bool is_in_internal_domain(const DOM_SID *sid)
83 {
84 if (sid == NULL)
85 return False;
86
87 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
88 }
89
90
91 /* Add a trusted domain to our list of domains */
92 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
93 struct winbindd_methods *methods,
94 const DOM_SID *sid)
95 {
96 struct winbindd_domain *domain;
97 const char *alternative_name = NULL;
98 char *idmap_config_option;
99 const char *param;
100 const char **ignored_domains, **dom;
101
102 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
103 for (dom=ignored_domains; dom && *dom; dom++) {
104 if (gen_fnmatch(*dom, domain_name) == 0) {
105 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
106 return NULL;
107 }
108 }
109
110 /* ignore alt_name if we are not in an AD domain */
111
112 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
113 alternative_name = alt_name;
114 }
115
116 /* We can't call domain_list() as this function is called from
117 init_domain_list() and we'll get stuck in a loop. */
118 for (domain = _domain_list; domain; domain = domain->next) {
119 if (strequal(domain_name, domain->name) ||
120 strequal(domain_name, domain->alt_name))
121 {
122 break;
123 }
124
125 if (alternative_name && *alternative_name)
126 {
127 if (strequal(alternative_name, domain->name) ||
128 strequal(alternative_name, domain->alt_name))
129 {
130 break;
131 }
132 }
133
134 if (sid)
135 {
136 if (is_null_sid(sid)) {
137 continue;
138 }
139
140 if (sid_equal(sid, &domain->sid)) {
141 break;
142 }
143 }
144 }
145
146 /* See if we found a match. Check if we need to update the
147 SID. */
148
149 if ( domain && sid) {
150 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
151 sid_copy( &domain->sid, sid );
152
153 return domain;
154 }
155
156 /* Create new domain entry */
157
158 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
159 return NULL;
160
161 /* Fill in fields */
162
163 ZERO_STRUCTP(domain);
164
165 fstrcpy(domain->name, domain_name);
166 if (alternative_name) {
167 fstrcpy(domain->alt_name, alternative_name);
168 }
169
170 domain->methods = methods;
171 domain->backend = NULL;
172 domain->internal = is_internal_domain(sid);
173 domain->sequence_number = DOM_SEQUENCE_NONE;
174 domain->last_seq_check = 0;
175 domain->initialized = False;
176 domain->online = is_internal_domain(sid);
177 domain->check_online_timeout = 0;
178 domain->dc_probe_pid = (pid_t)-1;
179 if (sid) {
180 sid_copy(&domain->sid, sid);
181 }
182
183 /* Link to domain list */
184 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
185
186 wcache_tdc_add_domain( domain );
187
188 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
189 domain->name);
190 if (idmap_config_option == NULL) {
191 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
192 goto done;
193 }
194
195 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
196
197 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
198 param ? param : "not defined"));
199
200 if (param != NULL) {
201 unsigned low_id, high_id;
202 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
203 DEBUG(1, ("invalid range syntax in %s: %s\n",
204 idmap_config_option, param));
205 goto done;
206 }
207 if (low_id > high_id) {
208 DEBUG(1, ("invalid range in %s: %s\n",
209 idmap_config_option, param));
210 goto done;
211 }
212 domain->have_idmap_config = true;
213 domain->id_range_low = low_id;
214 domain->id_range_high = high_id;
215 }
216
217 done:
218
219 DEBUG(2,("Added domain %s %s %s\n",
220 domain->name, domain->alt_name,
221 &domain->sid?sid_string_dbg(&domain->sid):""));
222
223 return domain;
224 }
225
226 /********************************************************************
227 rescan our domains looking for new trusted domains
228 ********************************************************************/
229
230 struct trustdom_state {
231 TALLOC_CTX *mem_ctx;
232 bool primary;
233 bool forest_root;
234 struct winbindd_response *response;
235 };
236
237 static void trustdom_recv(void *private_data, bool success);
238 static void rescan_forest_root_trusts( void );
239 static void rescan_forest_trusts( void );
240
241 static void add_trusted_domains( struct winbindd_domain *domain )
242 {
243 TALLOC_CTX *mem_ctx;
244 struct winbindd_request *request;
245 struct winbindd_response *response;
246 uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
247
248 struct trustdom_state *state;
249
250 mem_ctx = talloc_init("add_trusted_domains");
251 if (mem_ctx == NULL) {
252 DEBUG(0, ("talloc_init failed\n"));
253 return;
254 }
255
256 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
257 response = TALLOC_P(mem_ctx, struct winbindd_response);
258 state = TALLOC_P(mem_ctx, struct trustdom_state);
259
260 if ((request == NULL) || (response == NULL) || (state == NULL)) {
261 DEBUG(0, ("talloc failed\n"));
262 talloc_destroy(mem_ctx);
263 return;
264 }
265
266 state->mem_ctx = mem_ctx;
267 state->response = response;
268
269 /* Flags used to know how to continue the forest trust search */
270
271 state->primary = domain->primary;
272 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
273
274 request->length = sizeof(*request);
275 request->cmd = WINBINDD_LIST_TRUSTDOM;
276
277 async_domain_request(mem_ctx, domain, request, response,
278 trustdom_recv, state);
279 }
280
281 static void trustdom_recv(void *private_data, bool success)
282 {
283 struct trustdom_state *state =
284 talloc_get_type_abort(private_data, struct trustdom_state);
285 struct winbindd_response *response = state->response;
286 char *p;
287
288 if ((!success) || (response->result != WINBINDD_OK)) {
289 DEBUG(1, ("Could not receive trustdoms\n"));
290 talloc_destroy(state->mem_ctx);
291 return;
292 }
293
294 p = (char *)response->extra_data.data;
295
296 while ((p != NULL) && (*p != '\0')) {
297 char *q, *sidstr, *alt_name;
298 DOM_SID sid;
299 struct winbindd_domain *domain;
300 char *alternate_name = NULL;
301
302 alt_name = strchr(p, '\\');
303 if (alt_name == NULL) {
304 DEBUG(0, ("Got invalid trustdom response\n"));
305 break;
306 }
307
308 *alt_name = '\0';
309 alt_name += 1;
310
311 sidstr = strchr(alt_name, '\\');
312 if (sidstr == NULL) {
313 DEBUG(0, ("Got invalid trustdom response\n"));
314 break;
315 }
316
317 *sidstr = '\0';
318 sidstr += 1;
319
320 q = strchr(sidstr, '\n');
321 if (q != NULL)
322 *q = '\0';
323
324 if (!string_to_sid(&sid, sidstr)) {
325 /* Allow NULL sid for sibling domains */
326 if ( strcmp(sidstr,"S-0-0") == 0) {
327 sid_copy( &sid, &global_sid_NULL);
328 } else {
329 DEBUG(0, ("Got invalid trustdom response\n"));
330 break;
331 }
332 }
333
334 /* use the real alt_name if we have one, else pass in NULL */
335
336 if ( !strequal( alt_name, "(null)" ) )
337 alternate_name = alt_name;
338
339 /* If we have an existing domain structure, calling
340 add_trusted_domain() will update the SID if
341 necessary. This is important because we need the
342 SID for sibling domains */
343
344 if ( find_domain_from_name_noinit(p) != NULL ) {
345 domain = add_trusted_domain(p, alternate_name,
346 &cache_methods,
347 &sid);
348 } else {
349 domain = add_trusted_domain(p, alternate_name,
350 &cache_methods,
351 &sid);
352 if (domain) {
353 setup_domain_child(domain,
354 &domain->child);
355 }
356 }
357 p=q;
358 if (p != NULL)
359 p += 1;
360 }
361
362 /*
363 Cases to consider when scanning trusts:
364 (a) we are calling from a child domain (primary && !forest_root)
365 (b) we are calling from the root of the forest (primary && forest_root)
366 (c) we are calling from a trusted forest domain (!primary
367 && !forest_root)
368 */
369
370 if ( state->primary ) {
371 /* If this is our primary domain and we are not in the
372 forest root, we have to scan the root trusts first */
373
374 if ( !state->forest_root )
375 rescan_forest_root_trusts();
376 else
377 rescan_forest_trusts();
378
379 } else if ( state->forest_root ) {
380 /* Once we have done root forest trust search, we can
381 go on to search the trusted forests */
382
383 rescan_forest_trusts();
384 }
385
386 talloc_destroy(state->mem_ctx);
387
388 return;
389 }
390
391 /********************************************************************
392 Scan the trusts of our forest root
393 ********************************************************************/
394
395 static void rescan_forest_root_trusts( void )
396 {
397 struct winbindd_tdc_domain *dom_list = NULL;
398 size_t num_trusts = 0;
399 int i;
400
401 /* The only transitive trusts supported by Windows 2003 AD are
402 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
403 first two are handled in forest and listed by
404 DsEnumerateDomainTrusts(). Forest trusts are not so we
405 have to do that ourselves. */
406
407 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
408 return;
409
410 for ( i=0; i<num_trusts; i++ ) {
411 struct winbindd_domain *d = NULL;
412
413 /* Find the forest root. Don't necessarily trust
414 the domain_list() as our primary domain may not
415 have been initialized. */
416
417 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
418 continue;
419 }
420
421 /* Here's the forest root */
422
423 d = find_domain_from_name_noinit( dom_list[i].domain_name );
424
425 if ( !d ) {
426 d = add_trusted_domain( dom_list[i].domain_name,
427 dom_list[i].dns_name,
428 &cache_methods,
429 &dom_list[i].sid );
430 }
431
432 if (d == NULL) {
433 continue;
434 }
435
436 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
437 "for domain tree root %s (%s)\n",
438 d->name, d->alt_name ));
439
440 d->domain_flags = dom_list[i].trust_flags;
441 d->domain_type = dom_list[i].trust_type;
442 d->domain_trust_attribs = dom_list[i].trust_attribs;
443
444 add_trusted_domains( d );
445
446 break;
447 }
448
449 TALLOC_FREE( dom_list );
450
451 return;
452 }
453
454 /********************************************************************
455 scan the transitive forest trusts (not our own)
456 ********************************************************************/
457
458
459 static void rescan_forest_trusts( void )
460 {
461 struct winbindd_domain *d = NULL;
462 struct winbindd_tdc_domain *dom_list = NULL;
463 size_t num_trusts = 0;
464 int i;
465
466 /* The only transitive trusts supported by Windows 2003 AD are
467 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
468 first two are handled in forest and listed by
469 DsEnumerateDomainTrusts(). Forest trusts are not so we
470 have to do that ourselves. */
471
472 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
473 return;
474
475 for ( i=0; i<num_trusts; i++ ) {
476 uint32 flags = dom_list[i].trust_flags;
477 uint32 type = dom_list[i].trust_type;
478 uint32 attribs = dom_list[i].trust_attribs;
479
480 d = find_domain_from_name_noinit( dom_list[i].domain_name );
481
482 /* ignore our primary and internal domains */
483
484 if ( d && (d->internal || d->primary ) )
485 continue;
486
487 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
488 (type == NETR_TRUST_TYPE_UPLEVEL) &&
489 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
490 {
491 /* add the trusted domain if we don't know
492 about it */
493
494 if ( !d ) {
495 d = add_trusted_domain( dom_list[i].domain_name,
496 dom_list[i].dns_name,
497 &cache_methods,
498 &dom_list[i].sid );
499 }
500
501 if (d == NULL) {
502 continue;
503 }
504
505 DEBUG(10,("Following trust path for domain %s (%s)\n",
506 d->name, d->alt_name ));
507 add_trusted_domains( d );
508 }
509 }
510
511 TALLOC_FREE( dom_list );
512
513 return;
514 }
515
516 /*********************************************************************
517 The process of updating the trusted domain list is a three step
518 async process:
519 (a) ask our domain
520 (b) ask the root domain in our forest
521 (c) ask the a DC in any Win2003 trusted forests
522 *********************************************************************/
523
524 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
525 struct timeval now, void *private_data)
526 {
527 TALLOC_FREE(te);
528
529 /* I use to clear the cache here and start over but that
530 caused problems in child processes that needed the
531 trust dom list early on. Removing it means we
532 could have some trusted domains listed that have been
533 removed from our primary domain's DC until a full
534 restart. This should be ok since I think this is what
535 Windows does as well. */
536
537 /* this will only add new domains we didn't already know about
538 in the domain_list()*/
539
540 add_trusted_domains( find_our_domain() );
541
542 te = tevent_add_timer(
543 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
544 rescan_trusted_domains, NULL);
545 /*
546 * If te == NULL, there's not much we can do here. Don't fail, the
547 * only thing we miss is new trusted domains.
548 */
549
550 return;
551 }
552
553 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
554 struct winbindd_cli_state *state)
555 {
556 /* Ensure null termination */
557 state->request->domain_name
558 [sizeof(state->request->domain_name)-1]='\0';
559 state->request->data.init_conn.dcname
560 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
561
562 if (strlen(state->request->data.init_conn.dcname) > 0) {
563 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
564 }
565
566 if (domain->internal) {
567 domain->initialized = true;
568 } else {
569 init_dc_connection(domain);
570 }
571
572 if (!domain->initialized) {
573 /* If we return error here we can't do any cached authentication,
574 but we may be in disconnected mode and can't initialize correctly.
575 Do what the previous code did and just return without initialization,
576 once we go online we'll re-initialize.
577 */
578 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
579 "online = %d\n", domain->name, (int)domain->online ));
580 }
581
582 fstrcpy(state->response->data.domain_info.name, domain->name);
583 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
584 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
585
586 state->response->data.domain_info.native_mode
587 = domain->native_mode;
588 state->response->data.domain_info.active_directory
589 = domain->active_directory;
590 state->response->data.domain_info.primary
591 = domain->primary;
592
593 return WINBINDD_OK;
594 }
595
596 /* Look up global info for the winbind daemon */
597 bool init_domain_list(void)
598 {
599 struct winbindd_domain *domain;
600 int role = lp_server_role();
601
602 /* Free existing list */
603 free_domain_list();
604
605 /* BUILTIN domain */
606
607 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
608 &global_sid_Builtin);
609 if (domain) {
610 setup_domain_child(domain,
611 &domain->child);
612 }
613
614 /* Local SAM */
615
616 domain = add_trusted_domain(get_global_sam_name(), NULL,
617 &sam_passdb_methods, get_global_sam_sid());
618 if (domain) {
619 if ( role != ROLE_DOMAIN_MEMBER ) {
620 domain->primary = True;
621 }
622 setup_domain_child(domain,
623 &domain->child);
624 }
625
626 /* Add ourselves as the first entry. */
627
628 if ( role == ROLE_DOMAIN_MEMBER ) {
629 DOM_SID our_sid;
630
631 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
632 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
633 return False;
634 }
635
636 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
637 &cache_methods, &our_sid);
638 if (domain) {
639 domain->primary = True;
640 setup_domain_child(domain,
641 &domain->child);
642
643 /* Even in the parent winbindd we'll need to
644 talk to the DC, so try and see if we can
645 contact it. Theoretically this isn't neccessary
646 as the init_dc_connection() in init_child_recv()
647 will do this, but we can start detecting the DC
648 early here. */
649 set_domain_online_request(domain);
650 }
651 }
652
653 return True;
654 }
655
656 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
657 {
658 struct winbindd_domain *domain;
659 DOM_SID dom_sid;
660 uint32 rid;
661
662 /* Check if we even care */
663
664 if (!lp_allow_trusted_domains())
665 return;
666
667 domain = find_domain_from_name_noinit( name );
668 if ( domain )
669 return;
670
671 sid_copy( &dom_sid, user_sid );
672 if ( !sid_split_rid( &dom_sid, &rid ) )
673 return;
674
675 /* add the newly discovered trusted domain */
676
677 domain = add_trusted_domain( name, NULL, &cache_methods,
678 &dom_sid);
679
680 if ( !domain )
681 return;
682
683 /* assume this is a trust from a one-way transitive
684 forest trust */
685
686 domain->active_directory = True;
687 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
688 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
689 domain->internal = False;
690 domain->online = True;
691
692 setup_domain_child(domain,
693 &domain->child);
694
695 wcache_tdc_add_domain( domain );
696
697 return;
698 }
699
700 /**
701 * Given a domain name, return the struct winbindd domain info for it
702 *
703 * @note Do *not* pass lp_workgroup() to this function. domain_list
704 * may modify it's value, and free that pointer. Instead, our local
705 * domain may be found by calling find_our_domain().
706 * directly.
707 *
708 *
709 * @return The domain structure for the named domain, if it is working.
710 */
711
712 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
713 {
714 struct winbindd_domain *domain;
715
716 /* Search through list */
717
718 for (domain = domain_list(); domain != NULL; domain = domain->next) {
719 if (strequal(domain_name, domain->name) ||
720 (domain->alt_name[0] &&
721 strequal(domain_name, domain->alt_name))) {
722 return domain;
723 }
724 }
725
726 /* Not found */
727
728 return NULL;
729 }
730
731 struct winbindd_domain *find_domain_from_name(const char *domain_name)
732 {
733 struct winbindd_domain *domain;
734
735 domain = find_domain_from_name_noinit(domain_name);
736
737 if (domain == NULL)
738 return NULL;
739
740 if (!domain->initialized)
741 init_dc_connection(domain);
742
743 return domain;
744 }
745
746 /* Given a domain sid, return the struct winbindd domain info for it */
747
748 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
749 {
750 struct winbindd_domain *domain;
751
752 /* Search through list */
753
754 for (domain = domain_list(); domain != NULL; domain = domain->next) {
755 if (sid_compare_domain(sid, &domain->sid) == 0)
756 return domain;
757 }
758
759 /* Not found */
760
761 return NULL;
762 }
763
764 /* Given a domain sid, return the struct winbindd domain info for it */
765
766 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
767 {
768 struct winbindd_domain *domain;
769
770 domain = find_domain_from_sid_noinit(sid);
771
772 if (domain == NULL)
773 return NULL;
774
775 if (!domain->initialized)
776 init_dc_connection(domain);
777
778 return domain;
779 }
780
781 struct winbindd_domain *find_our_domain(void)
782 {
783 struct winbindd_domain *domain;
784
785 /* Search through list */
786
787 for (domain = domain_list(); domain != NULL; domain = domain->next) {
788 if (domain->primary)
789 return domain;
790 }
791
792 smb_panic("Could not find our domain");
793 return NULL;
794 }
795
796 struct winbindd_domain *find_root_domain(void)
797 {
798 struct winbindd_domain *ours = find_our_domain();
799
800 if ( !ours )
801 return NULL;
802
803 if ( strlen(ours->forest_name) == 0 )
804 return NULL;
805
806 return find_domain_from_name( ours->forest_name );
807 }
808
809 struct winbindd_domain *find_builtin_domain(void)
810 {
811 DOM_SID sid;
812 struct winbindd_domain *domain;
813
814 string_to_sid(&sid, "S-1-5-32");
815 domain = find_domain_from_sid(&sid);
816
817 if (domain == NULL) {
818 smb_panic("Could not find BUILTIN domain");
819 }
820
821 return domain;
822 }
823
824 /* Find the appropriate domain to lookup a name or SID */
825
826 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
827 {
828 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
829
830 if ( sid_check_is_in_unix_groups(sid) ||
831 sid_check_is_unix_groups(sid) ||
832 sid_check_is_in_unix_users(sid) ||
833 sid_check_is_unix_users(sid) )
834 {
835 return find_domain_from_sid(get_global_sam_sid());
836 }
837
838 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
839 * one to contact the external DC's. On member servers the internal
840 * domains are different: These are part of the local SAM. */
841
842 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
843
844 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
845 DEBUG(10, ("calling find_domain_from_sid\n"));
846 return find_domain_from_sid(sid);
847 }
848
849 /* On a member server a query for SID or name can always go to our
850 * primary DC. */
851
852 DEBUG(10, ("calling find_our_domain\n"));
853 return find_our_domain();
854 }
855
856 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
857 {
858 if ( strequal(domain_name, unix_users_domain_name() ) ||
859 strequal(domain_name, unix_groups_domain_name() ) )
860 {
861 /*
862 * The "Unix User" and "Unix Group" domain our handled by
863 * passdb
864 */
865 return find_domain_from_name_noinit( get_global_sam_name() );
866 }
867
868 if (IS_DC || strequal(domain_name, "BUILTIN") ||
869 strequal(domain_name, get_global_sam_name()))
870 return find_domain_from_name_noinit(domain_name);
871
872
873 return find_our_domain();
874 }
875
876 /* Lookup a sid in a domain from a name */
877
878 bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
879 enum winbindd_cmd orig_cmd,
880 struct winbindd_domain *domain,
881 const char *domain_name,
882 const char *name, DOM_SID *sid,
883 enum lsa_SidType *type)
884 {
885 NTSTATUS result;
886
887 /*
888 * For all but LOOKUPNAME we have to avoid nss calls to avoid
889 * recursion
890 */
891 result = domain->methods->name_to_sid(
892 domain, mem_ctx, domain_name, name,
893 orig_cmd == WINBINDD_LOOKUPNAME ? 0 : LOOKUP_NAME_NO_NSS,
894 sid, type);
895
896 /* Return sid and type if lookup successful */
897 if (!NT_STATUS_IS_OK(result)) {
898 *type = SID_NAME_UNKNOWN;
899 }
900
901 return NT_STATUS_IS_OK(result);
902 }
903
904 /**
905 * @brief Lookup a name in a domain from a sid.
906 *
907 * @param sid Security ID you want to look up.
908 * @param name On success, set to the name corresponding to @p sid.
909 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
910 * @param type On success, contains the type of name: alias, group or
911 * user.
912 * @retval True if the name exists, in which case @p name and @p type
913 * are set, otherwise False.
914 **/
915 bool winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
916 struct winbindd_domain *domain,
917 DOM_SID *sid,
918 char **dom_name,
919 char **name,
920 enum lsa_SidType *type)
921 {
922 NTSTATUS result;
923
924 *dom_name = NULL;
925 *name = NULL;
926
927 /* Lookup name */
928
929 result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
930
931 /* Return name and type if successful */
932
933 if (NT_STATUS_IS_OK(result)) {
934 return True;
935 }
936
937 *type = SID_NAME_UNKNOWN;
938
939 return False;
940 }
941
942 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
943
944 void free_getent_state(struct getent_state *state)
945 {
946 struct getent_state *temp;
947
948 /* Iterate over state list */
949
950 temp = state;
951
952 while(temp != NULL) {
953 struct getent_state *next = temp->next;
954
955 /* Free sam entries then list entry */
956
957 SAFE_FREE(state->sam_entries);
958 DLIST_REMOVE(state, state);
959
960 SAFE_FREE(temp);
961 temp = next;
962 }
963 }
964
965 /* Is this a domain which we may assume no DOMAIN\ prefix? */
966
967 static bool assume_domain(const char *domain)
968 {
969 /* never assume the domain on a standalone server */
970
971 if ( lp_server_role() == ROLE_STANDALONE )
972 return False;
973
974 /* domain member servers may possibly assume for the domain name */
975
976 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
977 if ( !strequal(lp_workgroup(), domain) )
978 return False;
979
980 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
981 return True;
982 }
983
984 /* only left with a domain controller */
985
986 if ( strequal(get_global_sam_name(), domain) ) {
987 return True;
988 }
989
990 return False;
991 }
992
993 /* Parse a string of the form DOMAIN\user into a domain and a user */
994
995 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
996 {
997 char *p = strchr(domuser,*lp_winbind_separator());
998
999 if ( !p ) {
1000 fstrcpy(user, domuser);
1001
1002 if ( assume_domain(lp_workgroup())) {
1003 fstrcpy(domain, lp_workgroup());
1004 } else if ((p = strchr(domuser, '@')) != NULL) {
1005 fstrcpy(domain, p + 1);
1006 user[PTR_DIFF(p, domuser)] = 0;
1007 } else {
1008 return False;
1009 }
1010 } else {
1011 fstrcpy(user, p+1);
1012 fstrcpy(domain, domuser);
1013 domain[PTR_DIFF(p, domuser)] = 0;
1014 }
1015
1016 strupper_m(domain);
1017
1018 return True;
1019 }
1020
1021 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1022 char **domain, char **user)
1023 {
1024 fstring fstr_domain, fstr_user;
1025 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1026 return False;
1027 }
1028 *domain = talloc_strdup(mem_ctx, fstr_domain);
1029 *user = talloc_strdup(mem_ctx, fstr_user);
1030 return ((*domain != NULL) && (*user != NULL));
1031 }
1032
1033 /* add a domain user name to a buffer */
1034 void parse_add_domuser(void *buf, char *domuser, int *len)
1035 {
1036 fstring domain;
1037 char *p, *user;
1038
1039 user = domuser;
1040 p = strchr(domuser, *lp_winbind_separator());
1041
1042 if (p) {
1043
1044 fstrcpy(domain, domuser);
1045 domain[PTR_DIFF(p, domuser)] = 0;
1046 p++;
1047
1048 if (assume_domain(domain)) {
1049
1050 user = p;
1051 *len -= (PTR_DIFF(p, domuser));
1052 }
1053 }
1054
1055 safe_strcpy((char *)buf, user, *len);
1056 }
1057
1058 /* Ensure an incoming username from NSS is fully qualified. Replace the
1059 incoming fstring with DOMAIN <separator> user. Returns the same
1060 values as parse_domain_user() but also replaces the incoming username.
1061 Used to ensure all names are fully qualified within winbindd.
1062 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1063 The protocol definitions of auth_crap, chng_pswd_auth_crap
1064 really should be changed to use this instead of doing things
1065 by hand. JRA. */
1066
1067 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1068 {
1069 if (!parse_domain_user(username_inout, domain, user)) {
1070 return False;
1071 }
1072 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1073 domain, *lp_winbind_separator(),
1074 user);
1075 return True;
1076 }
1077
1078 /*
1079 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1080 'winbind separator' options.
1081 This means:
1082 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1083 lp_workgroup()
1084
1085 If we are a PDC or BDC, and this is for our domain, do likewise.
1086
1087 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1088 username is then unqualified in unix
1089
1090 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1091 */
1092 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1093 {
1094 fstring tmp_user;
1095
1096 fstrcpy(tmp_user, user);
1097 strlower_m(tmp_user);
1098
1099 if (can_assume && assume_domain(domain)) {
1100 strlcpy(name, tmp_user, sizeof(fstring));
1101 } else {
1102 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1103 domain, *lp_winbind_separator(),
1104 tmp_user);
1105 }
1106 }
1107
1108 /**
1109 * talloc version of fill_domain_username()
1110 * return NULL on talloc failure.
1111 */
1112 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1113 const char *domain,
1114 const char *user,
1115 bool can_assume)
1116 {
1117 char *tmp_user, *name;
1118
1119 tmp_user = talloc_strdup(mem_ctx, user);
1120 strlower_m(tmp_user);
1121
1122 if (can_assume && assume_domain(domain)) {
1123 name = tmp_user;
1124 } else {
1125 name = talloc_asprintf(mem_ctx, "%s%c%s",
1126 domain,
1127 *lp_winbind_separator(),
1128 tmp_user);
1129 TALLOC_FREE(tmp_user);
1130 }
1131
1132 return name;
1133 }
1134
1135 /*
1136 * Winbindd socket accessor functions
1137 */
1138
1139 const char *get_winbind_pipe_dir(void)
1140 {
1141 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1142 }
1143
1144 char *get_winbind_priv_pipe_dir(void)
1145 {
1146 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1147 }
1148
1149 /* Open the winbindd socket */
1150
1151 static int _winbindd_socket = -1;
1152 static int _winbindd_priv_socket = -1;
1153
1154 int open_winbindd_socket(void)
1155 {
1156 if (_winbindd_socket == -1) {
1157 _winbindd_socket = create_pipe_sock(
1158 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1159 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1160 _winbindd_socket));
1161 }
1162
1163 return _winbindd_socket;
1164 }
1165
1166 int open_winbindd_priv_socket(void)
1167 {
1168 if (_winbindd_priv_socket == -1) {
1169 _winbindd_priv_socket = create_pipe_sock(
1170 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1171 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1172 _winbindd_priv_socket));
1173 }
1174
1175 return _winbindd_priv_socket;
1176 }
1177
1178 /*
1179 * Client list accessor functions
1180 */
1181
1182 static struct winbindd_cli_state *_client_list;
1183 static int _num_clients;
1184
1185 /* Return list of all connected clients */
1186
1187 struct winbindd_cli_state *winbindd_client_list(void)
1188 {
1189 return _client_list;
1190 }
1191
1192 /* Add a connection to the list */
1193
1194 void winbindd_add_client(struct winbindd_cli_state *cli)
1195 {
1196 DLIST_ADD(_client_list, cli);
1197 _num_clients++;
1198 }
1199
1200 /* Remove a client from the list */
1201
1202 void winbindd_remove_client(struct winbindd_cli_state *cli)
1203 {
1204 DLIST_REMOVE(_client_list, cli);
1205 _num_clients--;
1206 }
1207
1208 /* Close all open clients */
1209
1210 void winbindd_kill_all_clients(void)
1211 {
1212 struct winbindd_cli_state *cl = winbindd_client_list();
1213
1214 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1215
1216 while (cl) {
1217 struct winbindd_cli_state *next;
1218
1219 next = cl->next;
1220 winbindd_remove_client(cl);
1221 cl = next;
1222 }
1223 }
1224
1225 /* Return number of open clients */
1226
1227 int winbindd_num_clients(void)
1228 {
1229 return _num_clients;
1230 }
1231
1232 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1233 TALLOC_CTX *mem_ctx,
1234 const DOM_SID *user_sid,
1235 uint32 *p_num_groups, DOM_SID **user_sids)
1236 {
1237 struct netr_SamInfo3 *info3 = NULL;
1238 NTSTATUS status = NT_STATUS_NO_MEMORY;
1239 size_t num_groups = 0;
1240
1241 DEBUG(3,(": lookup_usergroups_cached\n"));
1242
1243 *user_sids = NULL;
1244 *p_num_groups = 0;
1245
1246 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1247
1248 if (info3 == NULL) {
1249 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1250 }
1251
1252 if (info3->base.groups.count == 0) {
1253 TALLOC_FREE(info3);
1254 return NT_STATUS_UNSUCCESSFUL;
1255 }
1256
1257 /* Skip Domain local groups outside our domain.
1258 We'll get these from the getsidaliases() RPC call. */
1259 status = sid_array_from_info3(mem_ctx, info3,
1260 user_sids,
1261 &num_groups,
1262 false, true);
1263
1264 if (!NT_STATUS_IS_OK(status)) {
1265 TALLOC_FREE(info3);
1266 return status;
1267 }
1268
1269 TALLOC_FREE(info3);
1270 *p_num_groups = num_groups;
1271 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1272
1273 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1274
1275 return status;
1276 }
1277
1278 /*********************************************************************
1279 We use this to remove spaces from user and group names
1280 ********************************************************************/
1281
1282 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1283 struct winbindd_domain *domain,
1284 const char *name,
1285 char **normalized)
1286 {
1287 NTSTATUS nt_status;
1288
1289 if (!name || !normalized) {
1290 return NT_STATUS_INVALID_PARAMETER;
1291 }
1292
1293 if (!lp_winbind_normalize_names()) {
1294 return NT_STATUS_PROCEDURE_NOT_FOUND;
1295 }
1296
1297 /* Alias support and whitespace replacement are mutually
1298 exclusive */
1299
1300 nt_status = resolve_username_to_alias(mem_ctx, domain,
1301 name, normalized );
1302 if (NT_STATUS_IS_OK(nt_status)) {
1303 /* special return code to let the caller know we
1304 mapped to an alias */
1305 return NT_STATUS_FILE_RENAMED;
1306 }
1307
1308 /* check for an unreachable domain */
1309
1310 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1311 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1312 domain->name));
1313 set_domain_offline(domain);
1314 return nt_status;
1315 }
1316
1317 /* deal with whitespace */
1318
1319 *normalized = talloc_strdup(mem_ctx, name);
1320 if (!(*normalized)) {
1321 return NT_STATUS_NO_MEMORY;
1322 }
1323
1324 all_string_sub( *normalized, " ", "_", 0 );
1325
1326 return NT_STATUS_OK;
1327 }
1328
1329 /*********************************************************************
1330 We use this to do the inverse of normalize_name_map()
1331 ********************************************************************/
1332
1333 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1334 char *name,
1335 char **normalized)
1336 {
1337 NTSTATUS nt_status;
1338 struct winbindd_domain *domain = find_our_domain();
1339
1340 if (!name || !normalized) {
1341 return NT_STATUS_INVALID_PARAMETER;
1342 }
1343
1344 if (!lp_winbind_normalize_names()) {
1345 return NT_STATUS_PROCEDURE_NOT_FOUND;
1346 }
1347
1348 /* Alias support and whitespace replacement are mutally
1349 exclusive */
1350
1351 /* When mapping from an alias to a username, we don't know the
1352 domain. But we only need a domain structure to cache
1353 a successful lookup , so just our own domain structure for
1354 the seqnum. */
1355
1356 nt_status = resolve_alias_to_username(mem_ctx, domain,
1357 name, normalized);
1358 if (NT_STATUS_IS_OK(nt_status)) {
1359 /* Special return code to let the caller know we mapped
1360 from an alias */
1361 return NT_STATUS_FILE_RENAMED;
1362 }
1363
1364 /* check for an unreachable domain */
1365
1366 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1367 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1368 domain->name));
1369 set_domain_offline(domain);
1370 return nt_status;
1371 }
1372
1373 /* deal with whitespace */
1374
1375 *normalized = talloc_strdup(mem_ctx, name);
1376 if (!(*normalized)) {
1377 return NT_STATUS_NO_MEMORY;
1378 }
1379
1380 all_string_sub(*normalized, "_", " ", 0);
1381
1382 return NT_STATUS_OK;
1383 }
1384
1385 /*********************************************************************
1386 ********************************************************************/
1387
1388 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1389 {
1390 struct winbindd_tdc_domain *tdc = NULL;
1391 TALLOC_CTX *frame = talloc_stackframe();
1392 bool ret = false;
1393
1394 /* We can contact the domain if it is our primary domain */
1395
1396 if (domain->primary) {
1397 return true;
1398 }
1399
1400 /* Trust the TDC cache and not the winbindd_domain flags */
1401
1402 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1403 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1404 domain->name));
1405 return false;
1406 }
1407
1408 /* Can always contact a domain that is in out forest */
1409
1410 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1411 ret = true;
1412 goto done;
1413 }
1414
1415 /*
1416 * On a _member_ server, we cannot contact the domain if it
1417 * is running AD and we have no inbound trust.
1418 */
1419
1420 if (!IS_DC &&
1421 domain->active_directory &&
1422 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1423 {
1424 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1425 "and we have no inbound trust.\n", domain->name));
1426 goto done;
1427 }
1428
1429 /* Assume everything else is ok (probably not true but what
1430 can you do?) */
1431
1432 ret = true;
1433
1434 done:
1435 talloc_destroy(frame);
1436
1437 return ret;
1438 }
1439
1440 /*********************************************************************
1441 ********************************************************************/
1442
1443 bool winbindd_internal_child(struct winbindd_child *child)
1444 {
1445 if ((child == idmap_child()) || (child == locator_child())) {
1446 return True;
1447 }
1448
1449 return False;
1450 }
1451
1452 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1453
1454 /*********************************************************************
1455 ********************************************************************/
1456
1457 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1458 {
1459 char *var = NULL;
1460 char addr[INET6_ADDRSTRLEN];
1461 const char *kdc = NULL;
1462 int lvl = 11;
1463
1464 if (!domain || !domain->alt_name || !*domain->alt_name) {
1465 return;
1466 }
1467
1468 if (domain->initialized && !domain->active_directory) {
1469 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1470 domain->alt_name));
1471 return;
1472 }
1473
1474 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1475 kdc = addr;
1476 if (!*kdc) {
1477 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1478 domain->alt_name));
1479 kdc = domain->dcname;
1480 }
1481
1482 if (!kdc || !*kdc) {
1483 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1484 domain->alt_name));
1485 return;
1486 }
1487
1488 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1489 domain->alt_name) == -1) {
1490 return;
1491 }
1492
1493 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1494 var, kdc));
1495
1496 setenv(var, kdc, 1);
1497 free(var);
1498 }
1499
1500 /*********************************************************************
1501 ********************************************************************/
1502
1503 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1504 {
1505 struct winbindd_domain *our_dom = find_our_domain();
1506
1507 winbindd_set_locator_kdc_env(domain);
1508
1509 if (domain != our_dom) {
1510 winbindd_set_locator_kdc_env(our_dom);
1511 }
1512 }
1513
1514 /*********************************************************************
1515 ********************************************************************/
1516
1517 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1518 {
1519 char *var = NULL;
1520
1521 if (!domain || !domain->alt_name || !*domain->alt_name) {
1522 return;
1523 }
1524
1525 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1526 domain->alt_name) == -1) {
1527 return;
1528 }
1529
1530 unsetenv(var);
1531 free(var);
1532 }
1533 #else
1534
1535 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1536 {
1537 return;
1538 }
1539
1540 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1541 {
1542 return;
1543 }
1544
1545 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1546
1547 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1548 {
1549 resp->data.auth.nt_status = NT_STATUS_V(result);
1550 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1551
1552 /* we might have given a more useful error above */
1553 if (*resp->data.auth.error_string == '\0')
1554 fstrcpy(resp->data.auth.error_string,
1555 get_friendly_nt_error_msg(result));
1556 resp->data.auth.pam_error = nt_status_to_pam(result);
1557 }
aatanasov's samba4 branch