search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-drs: Add DRSUAPI_DRS_NONGC_RO_REP bit to DRS_OPTIONS
[Samba/fernandojvsilva.git] / source3 / winbindd / winbindd_util.c
blob3e03f4091c5aae1405a2284be76965a7ded94ce0
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "winbindd.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_WINBIND
28
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
32
33
34 /**
35 * @file winbindd_util.c
36 *
37 * Winbind daemon for NT domain authentication nss module.
38 **/
39
40
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
45
46 static struct winbindd_domain *_domain_list = NULL;
47
48 struct winbindd_domain *domain_list(void)
49 {
50 /* Initialise list */
51
52 if ((!_domain_list) && (!init_domain_list())) {
53 smb_panic("Init_domain_list failed");
54 }
55
56 return _domain_list;
57 }
58
59 /* Free all entries in the trusted domain list */
60
61 static void free_domain_list(void)
62 {
63 struct winbindd_domain *domain = _domain_list;
64
65 while(domain) {
66 struct winbindd_domain *next = domain->next;
67
68 DLIST_REMOVE(_domain_list, domain);
69 SAFE_FREE(domain);
70 domain = next;
71 }
72 }
73
74 static bool is_internal_domain(const DOM_SID *sid)
75 {
76 if (sid == NULL)
77 return False;
78
79 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
80 }
81
82 static bool is_in_internal_domain(const DOM_SID *sid)
83 {
84 if (sid == NULL)
85 return False;
86
87 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
88 }
89
90
91 /* Add a trusted domain to our list of domains */
92 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
93 struct winbindd_methods *methods,
94 const DOM_SID *sid)
95 {
96 struct winbindd_domain *domain;
97 const char *alternative_name = NULL;
98 char *idmap_config_option;
99 const char *param;
100 const char **ignored_domains, **dom;
101
102 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
103 for (dom=ignored_domains; dom && *dom; dom++) {
104 if (gen_fnmatch(*dom, domain_name) == 0) {
105 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
106 return NULL;
107 }
108 }
109
110 /* ignore alt_name if we are not in an AD domain */
111
112 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
113 alternative_name = alt_name;
114 }
115
116 /* We can't call domain_list() as this function is called from
117 init_domain_list() and we'll get stuck in a loop. */
118 for (domain = _domain_list; domain; domain = domain->next) {
119 if (strequal(domain_name, domain->name) ||
120 strequal(domain_name, domain->alt_name))
121 {
122 break;
123 }
124
125 if (alternative_name && *alternative_name)
126 {
127 if (strequal(alternative_name, domain->name) ||
128 strequal(alternative_name, domain->alt_name))
129 {
130 break;
131 }
132 }
133
134 if (sid)
135 {
136 if (is_null_sid(sid)) {
137 continue;
138 }
139
140 if (sid_equal(sid, &domain->sid)) {
141 break;
142 }
143 }
144 }
145
146 if (domain != NULL) {
147 /*
148 * We found a match. Possibly update the SID
149 */
150 if ((sid != NULL)
151 && sid_equal(&domain->sid, &global_sid_NULL)) {
152 sid_copy( &domain->sid, sid );
153 }
154 return domain;
155 }
156
157 /* Create new domain entry */
158
159 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
160 return NULL;
161
162 /* Fill in fields */
163
164 ZERO_STRUCTP(domain);
165
166 fstrcpy(domain->name, domain_name);
167 if (alternative_name) {
168 fstrcpy(domain->alt_name, alternative_name);
169 }
170
171 domain->methods = methods;
172 domain->backend = NULL;
173 domain->internal = is_internal_domain(sid);
174 domain->sequence_number = DOM_SEQUENCE_NONE;
175 domain->last_seq_check = 0;
176 domain->initialized = False;
177 domain->online = is_internal_domain(sid);
178 domain->check_online_timeout = 0;
179 domain->dc_probe_pid = (pid_t)-1;
180 if (sid) {
181 sid_copy(&domain->sid, sid);
182 }
183
184 /* Link to domain list */
185 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
186
187 wcache_tdc_add_domain( domain );
188
189 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
190 domain->name);
191 if (idmap_config_option == NULL) {
192 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
193 goto done;
194 }
195
196 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
197
198 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
199 param ? param : "not defined"));
200
201 if (param != NULL) {
202 unsigned low_id, high_id;
203 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
204 DEBUG(1, ("invalid range syntax in %s: %s\n",
205 idmap_config_option, param));
206 goto done;
207 }
208 if (low_id > high_id) {
209 DEBUG(1, ("invalid range in %s: %s\n",
210 idmap_config_option, param));
211 goto done;
212 }
213 domain->have_idmap_config = true;
214 domain->id_range_low = low_id;
215 domain->id_range_high = high_id;
216 }
217
218 done:
219
220 DEBUG(2,("Added domain %s %s %s\n",
221 domain->name, domain->alt_name,
222 &domain->sid?sid_string_dbg(&domain->sid):""));
223
224 return domain;
225 }
226
227 bool domain_is_forest_root(const struct winbindd_domain *domain)
228 {
229 const uint32_t fr_flags =
230 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
231
232 return ((domain->domain_flags & fr_flags) == fr_flags);
233 }
234
235 /********************************************************************
236 rescan our domains looking for new trusted domains
237 ********************************************************************/
238
239 struct trustdom_state {
240 TALLOC_CTX *mem_ctx;
241 bool primary;
242 bool forest_root;
243 struct winbindd_response *response;
244 };
245
246 static void trustdom_recv(void *private_data, bool success);
247 static void rescan_forest_root_trusts( void );
248 static void rescan_forest_trusts( void );
249
250 static void add_trusted_domains( struct winbindd_domain *domain )
251 {
252 TALLOC_CTX *mem_ctx;
253 struct winbindd_request *request;
254 struct winbindd_response *response;
255 struct trustdom_state *state;
256
257 mem_ctx = talloc_init("add_trusted_domains");
258 if (mem_ctx == NULL) {
259 DEBUG(0, ("talloc_init failed\n"));
260 return;
261 }
262
263 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
264 response = TALLOC_P(mem_ctx, struct winbindd_response);
265 state = TALLOC_P(mem_ctx, struct trustdom_state);
266
267 if ((request == NULL) || (response == NULL) || (state == NULL)) {
268 DEBUG(0, ("talloc failed\n"));
269 talloc_destroy(mem_ctx);
270 return;
271 }
272
273 state->mem_ctx = mem_ctx;
274 state->response = response;
275
276 /* Flags used to know how to continue the forest trust search */
277
278 state->primary = domain->primary;
279 state->forest_root = domain_is_forest_root(domain);
280
281 request->length = sizeof(*request);
282 request->cmd = WINBINDD_LIST_TRUSTDOM;
283
284 async_domain_request(mem_ctx, domain, request, response,
285 trustdom_recv, state);
286 }
287
288 static void trustdom_recv(void *private_data, bool success)
289 {
290 struct trustdom_state *state =
291 talloc_get_type_abort(private_data, struct trustdom_state);
292 struct winbindd_response *response = state->response;
293 char *p;
294
295 if ((!success) || (response->result != WINBINDD_OK)) {
296 DEBUG(1, ("Could not receive trustdoms\n"));
297 talloc_destroy(state->mem_ctx);
298 return;
299 }
300
301 p = (char *)response->extra_data.data;
302
303 while ((p != NULL) && (*p != '\0')) {
304 char *q, *sidstr, *alt_name;
305 DOM_SID sid;
306 struct winbindd_domain *domain;
307 char *alternate_name = NULL;
308
309 alt_name = strchr(p, '\\');
310 if (alt_name == NULL) {
311 DEBUG(0, ("Got invalid trustdom response\n"));
312 break;
313 }
314
315 *alt_name = '\0';
316 alt_name += 1;
317
318 sidstr = strchr(alt_name, '\\');
319 if (sidstr == NULL) {
320 DEBUG(0, ("Got invalid trustdom response\n"));
321 break;
322 }
323
324 *sidstr = '\0';
325 sidstr += 1;
326
327 q = strchr(sidstr, '\n');
328 if (q != NULL)
329 *q = '\0';
330
331 if (!string_to_sid(&sid, sidstr)) {
332 DEBUG(0, ("Got invalid trustdom response\n"));
333 break;
334 }
335
336 /* use the real alt_name if we have one, else pass in NULL */
337
338 if ( !strequal( alt_name, "(null)" ) )
339 alternate_name = alt_name;
340
341 /* If we have an existing domain structure, calling
342 add_trusted_domain() will update the SID if
343 necessary. This is important because we need the
344 SID for sibling domains */
345
346 if ( find_domain_from_name_noinit(p) != NULL ) {
347 domain = add_trusted_domain(p, alternate_name,
348 &cache_methods,
349 &sid);
350 } else {
351 domain = add_trusted_domain(p, alternate_name,
352 &cache_methods,
353 &sid);
354 if (domain) {
355 setup_domain_child(domain,
356 &domain->child);
357 }
358 }
359 p=q;
360 if (p != NULL)
361 p += 1;
362 }
363
364 /*
365 Cases to consider when scanning trusts:
366 (a) we are calling from a child domain (primary && !forest_root)
367 (b) we are calling from the root of the forest (primary && forest_root)
368 (c) we are calling from a trusted forest domain (!primary
369 && !forest_root)
370 */
371
372 if ( state->primary ) {
373 /* If this is our primary domain and we are not in the
374 forest root, we have to scan the root trusts first */
375
376 if ( !state->forest_root )
377 rescan_forest_root_trusts();
378 else
379 rescan_forest_trusts();
380
381 } else if ( state->forest_root ) {
382 /* Once we have done root forest trust search, we can
383 go on to search the trusted forests */
384
385 rescan_forest_trusts();
386 }
387
388 talloc_destroy(state->mem_ctx);
389
390 return;
391 }
392
393 /********************************************************************
394 Scan the trusts of our forest root
395 ********************************************************************/
396
397 static void rescan_forest_root_trusts( void )
398 {
399 struct winbindd_tdc_domain *dom_list = NULL;
400 size_t num_trusts = 0;
401 int i;
402
403 /* The only transitive trusts supported by Windows 2003 AD are
404 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
405 first two are handled in forest and listed by
406 DsEnumerateDomainTrusts(). Forest trusts are not so we
407 have to do that ourselves. */
408
409 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
410 return;
411
412 for ( i=0; i<num_trusts; i++ ) {
413 struct winbindd_domain *d = NULL;
414
415 /* Find the forest root. Don't necessarily trust
416 the domain_list() as our primary domain may not
417 have been initialized. */
418
419 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
420 continue;
421 }
422
423 /* Here's the forest root */
424
425 d = find_domain_from_name_noinit( dom_list[i].domain_name );
426
427 if ( !d ) {
428 d = add_trusted_domain( dom_list[i].domain_name,
429 dom_list[i].dns_name,
430 &cache_methods,
431 &dom_list[i].sid );
432 }
433
434 if (d == NULL) {
435 continue;
436 }
437
438 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
439 "for domain tree root %s (%s)\n",
440 d->name, d->alt_name ));
441
442 d->domain_flags = dom_list[i].trust_flags;
443 d->domain_type = dom_list[i].trust_type;
444 d->domain_trust_attribs = dom_list[i].trust_attribs;
445
446 add_trusted_domains( d );
447
448 break;
449 }
450
451 TALLOC_FREE( dom_list );
452
453 return;
454 }
455
456 /********************************************************************
457 scan the transitive forest trusts (not our own)
458 ********************************************************************/
459
460
461 static void rescan_forest_trusts( void )
462 {
463 struct winbindd_domain *d = NULL;
464 struct winbindd_tdc_domain *dom_list = NULL;
465 size_t num_trusts = 0;
466 int i;
467
468 /* The only transitive trusts supported by Windows 2003 AD are
469 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
470 first two are handled in forest and listed by
471 DsEnumerateDomainTrusts(). Forest trusts are not so we
472 have to do that ourselves. */
473
474 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
475 return;
476
477 for ( i=0; i<num_trusts; i++ ) {
478 uint32 flags = dom_list[i].trust_flags;
479 uint32 type = dom_list[i].trust_type;
480 uint32 attribs = dom_list[i].trust_attribs;
481
482 d = find_domain_from_name_noinit( dom_list[i].domain_name );
483
484 /* ignore our primary and internal domains */
485
486 if ( d && (d->internal || d->primary ) )
487 continue;
488
489 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
490 (type == NETR_TRUST_TYPE_UPLEVEL) &&
491 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
492 {
493 /* add the trusted domain if we don't know
494 about it */
495
496 if ( !d ) {
497 d = add_trusted_domain( dom_list[i].domain_name,
498 dom_list[i].dns_name,
499 &cache_methods,
500 &dom_list[i].sid );
501 }
502
503 if (d == NULL) {
504 continue;
505 }
506
507 DEBUG(10,("Following trust path for domain %s (%s)\n",
508 d->name, d->alt_name ));
509 add_trusted_domains( d );
510 }
511 }
512
513 TALLOC_FREE( dom_list );
514
515 return;
516 }
517
518 /*********************************************************************
519 The process of updating the trusted domain list is a three step
520 async process:
521 (a) ask our domain
522 (b) ask the root domain in our forest
523 (c) ask the a DC in any Win2003 trusted forests
524 *********************************************************************/
525
526 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
527 struct timeval now, void *private_data)
528 {
529 TALLOC_FREE(te);
530
531 /* I use to clear the cache here and start over but that
532 caused problems in child processes that needed the
533 trust dom list early on. Removing it means we
534 could have some trusted domains listed that have been
535 removed from our primary domain's DC until a full
536 restart. This should be ok since I think this is what
537 Windows does as well. */
538
539 /* this will only add new domains we didn't already know about
540 in the domain_list()*/
541
542 add_trusted_domains( find_our_domain() );
543
544 te = tevent_add_timer(
545 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
546 rescan_trusted_domains, NULL);
547 /*
548 * If te == NULL, there's not much we can do here. Don't fail, the
549 * only thing we miss is new trusted domains.
550 */
551
552 return;
553 }
554
555 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
556 struct winbindd_cli_state *state)
557 {
558 /* Ensure null termination */
559 state->request->domain_name
560 [sizeof(state->request->domain_name)-1]='\0';
561 state->request->data.init_conn.dcname
562 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
563
564 if (strlen(state->request->data.init_conn.dcname) > 0) {
565 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
566 }
567
568 if (domain->internal) {
569 domain->initialized = true;
570 } else {
571 init_dc_connection(domain);
572 }
573
574 if (!domain->initialized) {
575 /* If we return error here we can't do any cached authentication,
576 but we may be in disconnected mode and can't initialize correctly.
577 Do what the previous code did and just return without initialization,
578 once we go online we'll re-initialize.
579 */
580 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
581 "online = %d\n", domain->name, (int)domain->online ));
582 }
583
584 fstrcpy(state->response->data.domain_info.name, domain->name);
585 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
586 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
587
588 state->response->data.domain_info.native_mode
589 = domain->native_mode;
590 state->response->data.domain_info.active_directory
591 = domain->active_directory;
592 state->response->data.domain_info.primary
593 = domain->primary;
594
595 return WINBINDD_OK;
596 }
597
598 /* Look up global info for the winbind daemon */
599 bool init_domain_list(void)
600 {
601 struct winbindd_domain *domain;
602 int role = lp_server_role();
603
604 /* Free existing list */
605 free_domain_list();
606
607 /* BUILTIN domain */
608
609 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
610 &global_sid_Builtin);
611 if (domain) {
612 setup_domain_child(domain,
613 &domain->child);
614 }
615
616 /* Local SAM */
617
618 domain = add_trusted_domain(get_global_sam_name(), NULL,
619 &sam_passdb_methods, get_global_sam_sid());
620 if (domain) {
621 if ( role != ROLE_DOMAIN_MEMBER ) {
622 domain->primary = True;
623 }
624 setup_domain_child(domain,
625 &domain->child);
626 }
627
628 /* Add ourselves as the first entry. */
629
630 if ( role == ROLE_DOMAIN_MEMBER ) {
631 DOM_SID our_sid;
632
633 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
634 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
635 return False;
636 }
637
638 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
639 &cache_methods, &our_sid);
640 if (domain) {
641 domain->primary = True;
642 setup_domain_child(domain,
643 &domain->child);
644
645 /* Even in the parent winbindd we'll need to
646 talk to the DC, so try and see if we can
647 contact it. Theoretically this isn't neccessary
648 as the init_dc_connection() in init_child_recv()
649 will do this, but we can start detecting the DC
650 early here. */
651 set_domain_online_request(domain);
652 }
653 }
654
655 return True;
656 }
657
658 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
659 {
660 struct winbindd_domain *domain;
661 DOM_SID dom_sid;
662 uint32 rid;
663
664 /* Check if we even care */
665
666 if (!lp_allow_trusted_domains())
667 return;
668
669 domain = find_domain_from_name_noinit( name );
670 if ( domain )
671 return;
672
673 sid_copy( &dom_sid, user_sid );
674 if ( !sid_split_rid( &dom_sid, &rid ) )
675 return;
676
677 /* add the newly discovered trusted domain */
678
679 domain = add_trusted_domain( name, NULL, &cache_methods,
680 &dom_sid);
681
682 if ( !domain )
683 return;
684
685 /* assume this is a trust from a one-way transitive
686 forest trust */
687
688 domain->active_directory = True;
689 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
690 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
691 domain->internal = False;
692 domain->online = True;
693
694 setup_domain_child(domain,
695 &domain->child);
696
697 wcache_tdc_add_domain( domain );
698
699 return;
700 }
701
702 /**
703 * Given a domain name, return the struct winbindd domain info for it
704 *
705 * @note Do *not* pass lp_workgroup() to this function. domain_list
706 * may modify it's value, and free that pointer. Instead, our local
707 * domain may be found by calling find_our_domain().
708 * directly.
709 *
710 *
711 * @return The domain structure for the named domain, if it is working.
712 */
713
714 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
715 {
716 struct winbindd_domain *domain;
717
718 /* Search through list */
719
720 for (domain = domain_list(); domain != NULL; domain = domain->next) {
721 if (strequal(domain_name, domain->name) ||
722 (domain->alt_name[0] &&
723 strequal(domain_name, domain->alt_name))) {
724 return domain;
725 }
726 }
727
728 /* Not found */
729
730 return NULL;
731 }
732
733 struct winbindd_domain *find_domain_from_name(const char *domain_name)
734 {
735 struct winbindd_domain *domain;
736
737 domain = find_domain_from_name_noinit(domain_name);
738
739 if (domain == NULL)
740 return NULL;
741
742 if (!domain->initialized)
743 init_dc_connection(domain);
744
745 return domain;
746 }
747
748 /* Given a domain sid, return the struct winbindd domain info for it */
749
750 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
751 {
752 struct winbindd_domain *domain;
753
754 /* Search through list */
755
756 for (domain = domain_list(); domain != NULL; domain = domain->next) {
757 if (sid_compare_domain(sid, &domain->sid) == 0)
758 return domain;
759 }
760
761 /* Not found */
762
763 return NULL;
764 }
765
766 /* Given a domain sid, return the struct winbindd domain info for it */
767
768 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
769 {
770 struct winbindd_domain *domain;
771
772 domain = find_domain_from_sid_noinit(sid);
773
774 if (domain == NULL)
775 return NULL;
776
777 if (!domain->initialized)
778 init_dc_connection(domain);
779
780 return domain;
781 }
782
783 struct winbindd_domain *find_our_domain(void)
784 {
785 struct winbindd_domain *domain;
786
787 /* Search through list */
788
789 for (domain = domain_list(); domain != NULL; domain = domain->next) {
790 if (domain->primary)
791 return domain;
792 }
793
794 smb_panic("Could not find our domain");
795 return NULL;
796 }
797
798 struct winbindd_domain *find_root_domain(void)
799 {
800 struct winbindd_domain *ours = find_our_domain();
801
802 if (ours->forest_name[0] == '\0') {
803 return NULL;
804 }
805
806 return find_domain_from_name( ours->forest_name );
807 }
808
809 struct winbindd_domain *find_builtin_domain(void)
810 {
811 struct winbindd_domain *domain;
812
813 domain = find_domain_from_sid(&global_sid_Builtin);
814 if (domain == NULL) {
815 smb_panic("Could not find BUILTIN domain");
816 }
817
818 return domain;
819 }
820
821 /* Find the appropriate domain to lookup a name or SID */
822
823 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
824 {
825 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
826
827 if ( sid_check_is_in_unix_groups(sid) ||
828 sid_check_is_unix_groups(sid) ||
829 sid_check_is_in_unix_users(sid) ||
830 sid_check_is_unix_users(sid) )
831 {
832 return find_domain_from_sid(get_global_sam_sid());
833 }
834
835 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
836 * one to contact the external DC's. On member servers the internal
837 * domains are different: These are part of the local SAM. */
838
839 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
840
841 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
842 DEBUG(10, ("calling find_domain_from_sid\n"));
843 return find_domain_from_sid(sid);
844 }
845
846 /* On a member server a query for SID or name can always go to our
847 * primary DC. */
848
849 DEBUG(10, ("calling find_our_domain\n"));
850 return find_our_domain();
851 }
852
853 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
854 {
855 if ( strequal(domain_name, unix_users_domain_name() ) ||
856 strequal(domain_name, unix_groups_domain_name() ) )
857 {
858 /*
859 * The "Unix User" and "Unix Group" domain our handled by
860 * passdb
861 */
862 return find_domain_from_name_noinit( get_global_sam_name() );
863 }
864
865 if (IS_DC || strequal(domain_name, "BUILTIN") ||
866 strequal(domain_name, get_global_sam_name()))
867 return find_domain_from_name_noinit(domain_name);
868
869
870 return find_our_domain();
871 }
872
873 /* Is this a domain which we may assume no DOMAIN\ prefix? */
874
875 static bool assume_domain(const char *domain)
876 {
877 /* never assume the domain on a standalone server */
878
879 if ( lp_server_role() == ROLE_STANDALONE )
880 return False;
881
882 /* domain member servers may possibly assume for the domain name */
883
884 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
885 if ( !strequal(lp_workgroup(), domain) )
886 return False;
887
888 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
889 return True;
890 }
891
892 /* only left with a domain controller */
893
894 if ( strequal(get_global_sam_name(), domain) ) {
895 return True;
896 }
897
898 return False;
899 }
900
901 /* Parse a string of the form DOMAIN\user into a domain and a user */
902
903 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
904 {
905 char *p = strchr(domuser,*lp_winbind_separator());
906
907 if ( !p ) {
908 fstrcpy(user, domuser);
909
910 if ( assume_domain(lp_workgroup())) {
911 fstrcpy(domain, lp_workgroup());
912 } else if ((p = strchr(domuser, '@')) != NULL) {
913 fstrcpy(domain, p + 1);
914 user[PTR_DIFF(p, domuser)] = 0;
915 } else {
916 return False;
917 }
918 } else {
919 fstrcpy(user, p+1);
920 fstrcpy(domain, domuser);
921 domain[PTR_DIFF(p, domuser)] = 0;
922 }
923
924 strupper_m(domain);
925
926 return True;
927 }
928
929 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
930 char **domain, char **user)
931 {
932 fstring fstr_domain, fstr_user;
933 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
934 return False;
935 }
936 *domain = talloc_strdup(mem_ctx, fstr_domain);
937 *user = talloc_strdup(mem_ctx, fstr_user);
938 return ((*domain != NULL) && (*user != NULL));
939 }
940
941 /* add a domain user name to a buffer */
942 void parse_add_domuser(void *buf, char *domuser, int *len)
943 {
944 fstring domain;
945 char *p, *user;
946
947 user = domuser;
948 p = strchr(domuser, *lp_winbind_separator());
949
950 if (p) {
951
952 fstrcpy(domain, domuser);
953 domain[PTR_DIFF(p, domuser)] = 0;
954 p++;
955
956 if (assume_domain(domain)) {
957
958 user = p;
959 *len -= (PTR_DIFF(p, domuser));
960 }
961 }
962
963 safe_strcpy((char *)buf, user, *len);
964 }
965
966 /* Ensure an incoming username from NSS is fully qualified. Replace the
967 incoming fstring with DOMAIN <separator> user. Returns the same
968 values as parse_domain_user() but also replaces the incoming username.
969 Used to ensure all names are fully qualified within winbindd.
970 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
971 The protocol definitions of auth_crap, chng_pswd_auth_crap
972 really should be changed to use this instead of doing things
973 by hand. JRA. */
974
975 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
976 {
977 if (!parse_domain_user(username_inout, domain, user)) {
978 return False;
979 }
980 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
981 domain, *lp_winbind_separator(),
982 user);
983 return True;
984 }
985
986 /*
987 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
988 'winbind separator' options.
989 This means:
990 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
991 lp_workgroup()
992
993 If we are a PDC or BDC, and this is for our domain, do likewise.
994
995 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
996 username is then unqualified in unix
997
998 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
999 */
1000 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1001 {
1002 fstring tmp_user;
1003
1004 fstrcpy(tmp_user, user);
1005 strlower_m(tmp_user);
1006
1007 if (can_assume && assume_domain(domain)) {
1008 strlcpy(name, tmp_user, sizeof(fstring));
1009 } else {
1010 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1011 domain, *lp_winbind_separator(),
1012 tmp_user);
1013 }
1014 }
1015
1016 /**
1017 * talloc version of fill_domain_username()
1018 * return NULL on talloc failure.
1019 */
1020 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1021 const char *domain,
1022 const char *user,
1023 bool can_assume)
1024 {
1025 char *tmp_user, *name;
1026
1027 tmp_user = talloc_strdup(mem_ctx, user);
1028 strlower_m(tmp_user);
1029
1030 if (can_assume && assume_domain(domain)) {
1031 name = tmp_user;
1032 } else {
1033 name = talloc_asprintf(mem_ctx, "%s%c%s",
1034 domain,
1035 *lp_winbind_separator(),
1036 tmp_user);
1037 TALLOC_FREE(tmp_user);
1038 }
1039
1040 return name;
1041 }
1042
1043 /*
1044 * Winbindd socket accessor functions
1045 */
1046
1047 const char *get_winbind_pipe_dir(void)
1048 {
1049 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1050 }
1051
1052 char *get_winbind_priv_pipe_dir(void)
1053 {
1054 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1055 }
1056
1057 /* Open the winbindd socket */
1058
1059 static int _winbindd_socket = -1;
1060 static int _winbindd_priv_socket = -1;
1061
1062 int open_winbindd_socket(void)
1063 {
1064 if (_winbindd_socket == -1) {
1065 _winbindd_socket = create_pipe_sock(
1066 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1067 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1068 _winbindd_socket));
1069 }
1070
1071 return _winbindd_socket;
1072 }
1073
1074 int open_winbindd_priv_socket(void)
1075 {
1076 if (_winbindd_priv_socket == -1) {
1077 _winbindd_priv_socket = create_pipe_sock(
1078 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1079 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1080 _winbindd_priv_socket));
1081 }
1082
1083 return _winbindd_priv_socket;
1084 }
1085
1086 /*
1087 * Client list accessor functions
1088 */
1089
1090 static struct winbindd_cli_state *_client_list;
1091 static int _num_clients;
1092
1093 /* Return list of all connected clients */
1094
1095 struct winbindd_cli_state *winbindd_client_list(void)
1096 {
1097 return _client_list;
1098 }
1099
1100 /* Add a connection to the list */
1101
1102 void winbindd_add_client(struct winbindd_cli_state *cli)
1103 {
1104 DLIST_ADD(_client_list, cli);
1105 _num_clients++;
1106 }
1107
1108 /* Remove a client from the list */
1109
1110 void winbindd_remove_client(struct winbindd_cli_state *cli)
1111 {
1112 DLIST_REMOVE(_client_list, cli);
1113 _num_clients--;
1114 }
1115
1116 /* Close all open clients */
1117
1118 void winbindd_kill_all_clients(void)
1119 {
1120 struct winbindd_cli_state *cl = winbindd_client_list();
1121
1122 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1123
1124 while (cl) {
1125 struct winbindd_cli_state *next;
1126
1127 next = cl->next;
1128 winbindd_remove_client(cl);
1129 cl = next;
1130 }
1131 }
1132
1133 /* Return number of open clients */
1134
1135 int winbindd_num_clients(void)
1136 {
1137 return _num_clients;
1138 }
1139
1140 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1141 TALLOC_CTX *mem_ctx,
1142 const DOM_SID *user_sid,
1143 uint32 *p_num_groups, DOM_SID **user_sids)
1144 {
1145 struct netr_SamInfo3 *info3 = NULL;
1146 NTSTATUS status = NT_STATUS_NO_MEMORY;
1147 size_t num_groups = 0;
1148
1149 DEBUG(3,(": lookup_usergroups_cached\n"));
1150
1151 *user_sids = NULL;
1152 *p_num_groups = 0;
1153
1154 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1155
1156 if (info3 == NULL) {
1157 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1158 }
1159
1160 if (info3->base.groups.count == 0) {
1161 TALLOC_FREE(info3);
1162 return NT_STATUS_UNSUCCESSFUL;
1163 }
1164
1165 /* Skip Domain local groups outside our domain.
1166 We'll get these from the getsidaliases() RPC call. */
1167 status = sid_array_from_info3(mem_ctx, info3,
1168 user_sids,
1169 &num_groups,
1170 false, true);
1171
1172 if (!NT_STATUS_IS_OK(status)) {
1173 TALLOC_FREE(info3);
1174 return status;
1175 }
1176
1177 TALLOC_FREE(info3);
1178 *p_num_groups = num_groups;
1179 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1180
1181 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1182
1183 return status;
1184 }
1185
1186 /*********************************************************************
1187 We use this to remove spaces from user and group names
1188 ********************************************************************/
1189
1190 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1191 struct winbindd_domain *domain,
1192 const char *name,
1193 char **normalized)
1194 {
1195 NTSTATUS nt_status;
1196
1197 if (!name || !normalized) {
1198 return NT_STATUS_INVALID_PARAMETER;
1199 }
1200
1201 if (!lp_winbind_normalize_names()) {
1202 return NT_STATUS_PROCEDURE_NOT_FOUND;
1203 }
1204
1205 /* Alias support and whitespace replacement are mutually
1206 exclusive */
1207
1208 nt_status = resolve_username_to_alias(mem_ctx, domain,
1209 name, normalized );
1210 if (NT_STATUS_IS_OK(nt_status)) {
1211 /* special return code to let the caller know we
1212 mapped to an alias */
1213 return NT_STATUS_FILE_RENAMED;
1214 }
1215
1216 /* check for an unreachable domain */
1217
1218 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1219 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1220 domain->name));
1221 set_domain_offline(domain);
1222 return nt_status;
1223 }
1224
1225 /* deal with whitespace */
1226
1227 *normalized = talloc_strdup(mem_ctx, name);
1228 if (!(*normalized)) {
1229 return NT_STATUS_NO_MEMORY;
1230 }
1231
1232 all_string_sub( *normalized, " ", "_", 0 );
1233
1234 return NT_STATUS_OK;
1235 }
1236
1237 /*********************************************************************
1238 We use this to do the inverse of normalize_name_map()
1239 ********************************************************************/
1240
1241 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1242 char *name,
1243 char **normalized)
1244 {
1245 NTSTATUS nt_status;
1246 struct winbindd_domain *domain = find_our_domain();
1247
1248 if (!name || !normalized) {
1249 return NT_STATUS_INVALID_PARAMETER;
1250 }
1251
1252 if (!lp_winbind_normalize_names()) {
1253 return NT_STATUS_PROCEDURE_NOT_FOUND;
1254 }
1255
1256 /* Alias support and whitespace replacement are mutally
1257 exclusive */
1258
1259 /* When mapping from an alias to a username, we don't know the
1260 domain. But we only need a domain structure to cache
1261 a successful lookup , so just our own domain structure for
1262 the seqnum. */
1263
1264 nt_status = resolve_alias_to_username(mem_ctx, domain,
1265 name, normalized);
1266 if (NT_STATUS_IS_OK(nt_status)) {
1267 /* Special return code to let the caller know we mapped
1268 from an alias */
1269 return NT_STATUS_FILE_RENAMED;
1270 }
1271
1272 /* check for an unreachable domain */
1273
1274 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1275 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1276 domain->name));
1277 set_domain_offline(domain);
1278 return nt_status;
1279 }
1280
1281 /* deal with whitespace */
1282
1283 *normalized = talloc_strdup(mem_ctx, name);
1284 if (!(*normalized)) {
1285 return NT_STATUS_NO_MEMORY;
1286 }
1287
1288 all_string_sub(*normalized, "_", " ", 0);
1289
1290 return NT_STATUS_OK;
1291 }
1292
1293 /*********************************************************************
1294 ********************************************************************/
1295
1296 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1297 {
1298 struct winbindd_tdc_domain *tdc = NULL;
1299 TALLOC_CTX *frame = talloc_stackframe();
1300 bool ret = false;
1301
1302 /* We can contact the domain if it is our primary domain */
1303
1304 if (domain->primary) {
1305 return true;
1306 }
1307
1308 /* Trust the TDC cache and not the winbindd_domain flags */
1309
1310 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1311 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1312 domain->name));
1313 return false;
1314 }
1315
1316 /* Can always contact a domain that is in out forest */
1317
1318 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1319 ret = true;
1320 goto done;
1321 }
1322
1323 /*
1324 * On a _member_ server, we cannot contact the domain if it
1325 * is running AD and we have no inbound trust.
1326 */
1327
1328 if (!IS_DC &&
1329 domain->active_directory &&
1330 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1331 {
1332 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1333 "and we have no inbound trust.\n", domain->name));
1334 goto done;
1335 }
1336
1337 /* Assume everything else is ok (probably not true but what
1338 can you do?) */
1339
1340 ret = true;
1341
1342 done:
1343 talloc_destroy(frame);
1344
1345 return ret;
1346 }
1347
1348 /*********************************************************************
1349 ********************************************************************/
1350
1351 bool winbindd_internal_child(struct winbindd_child *child)
1352 {
1353 if ((child == idmap_child()) || (child == locator_child())) {
1354 return True;
1355 }
1356
1357 return False;
1358 }
1359
1360 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1361
1362 /*********************************************************************
1363 ********************************************************************/
1364
1365 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1366 {
1367 char *var = NULL;
1368 char addr[INET6_ADDRSTRLEN];
1369 const char *kdc = NULL;
1370 int lvl = 11;
1371
1372 if (!domain || !domain->alt_name || !*domain->alt_name) {
1373 return;
1374 }
1375
1376 if (domain->initialized && !domain->active_directory) {
1377 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1378 domain->alt_name));
1379 return;
1380 }
1381
1382 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1383 kdc = addr;
1384 if (!*kdc) {
1385 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1386 domain->alt_name));
1387 kdc = domain->dcname;
1388 }
1389
1390 if (!kdc || !*kdc) {
1391 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1392 domain->alt_name));
1393 return;
1394 }
1395
1396 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1397 domain->alt_name) == -1) {
1398 return;
1399 }
1400
1401 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1402 var, kdc));
1403
1404 setenv(var, kdc, 1);
1405 free(var);
1406 }
1407
1408 /*********************************************************************
1409 ********************************************************************/
1410
1411 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1412 {
1413 struct winbindd_domain *our_dom = find_our_domain();
1414
1415 winbindd_set_locator_kdc_env(domain);
1416
1417 if (domain != our_dom) {
1418 winbindd_set_locator_kdc_env(our_dom);
1419 }
1420 }
1421
1422 /*********************************************************************
1423 ********************************************************************/
1424
1425 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1426 {
1427 char *var = NULL;
1428
1429 if (!domain || !domain->alt_name || !*domain->alt_name) {
1430 return;
1431 }
1432
1433 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1434 domain->alt_name) == -1) {
1435 return;
1436 }
1437
1438 unsetenv(var);
1439 free(var);
1440 }
1441 #else
1442
1443 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1444 {
1445 return;
1446 }
1447
1448 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1449 {
1450 return;
1451 }
1452
1453 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1454
1455 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1456 {
1457 resp->data.auth.nt_status = NT_STATUS_V(result);
1458 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1459
1460 /* we might have given a more useful error above */
1461 if (*resp->data.auth.error_string == '\0')
1462 fstrcpy(resp->data.auth.error_string,
1463 get_friendly_nt_error_msg(result));
1464 resp->data.auth.pam_error = nt_status_to_pam(result);
1465 }
1466
1467 bool is_domain_offline(const struct winbindd_domain *domain)
1468 {
1469 if (!lp_winbind_offline_logon()) {
1470 return false;
1471 }
1472 if (get_global_winbindd_state_offline()) {
1473 return true;
1474 }
1475 return !domain->online;
1476 }
fernandojvsilva's samba4 branch