search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS
[Samba/gebeck_regimport.git] / source / nsswitch / winbindd_util.c
blob29a4ca93ebd896a848c4b4d4321cbfa186e8f920
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_WINBIND
29
30 /**
31 * @file winbindd_util.c
32 *
33 * Winbind daemon for NT domain authentication nss module.
34 **/
35
36
37 /**
38 * Used to clobber name fields that have an undefined value.
39 *
40 * Correct code should never look at a field that has this value.
41 **/
42
43 static const fstring name_deadbeef = "<deadbeef>";
44
45 /* The list of trusted domains. Note that the list can be deleted and
46 recreated using the init_domain_list() function so pointers to
47 individual winbindd_domain structures cannot be made. Keep a copy of
48 the domain name instead. */
49
50 static struct winbindd_domain *_domain_list;
51
52 /**
53 When was the last scan of trusted domains done?
54
55 0 == not ever
56 */
57
58 static time_t last_trustdom_scan;
59
60 struct winbindd_domain *domain_list(void)
61 {
62 /* Initialise list */
63
64 if (!_domain_list)
65 if (!init_domain_list())
66 return NULL;
67
68 return _domain_list;
69 }
70
71 /* Free all entries in the trusted domain list */
72
73 void free_domain_list(void)
74 {
75 struct winbindd_domain *domain = _domain_list;
76
77 while(domain) {
78 struct winbindd_domain *next = domain->next;
79
80 DLIST_REMOVE(_domain_list, domain);
81 SAFE_FREE(domain);
82 domain = next;
83 }
84 }
85
86
87 /* Add a trusted domain to our list of domains */
88 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
89 struct winbindd_methods *methods,
90 DOM_SID *sid)
91 {
92 struct winbindd_domain *domain;
93 const char *alternative_name = NULL;
94 static const DOM_SID null_sid;
95
96 /* ignore alt_name if we are not in an AD domain */
97
98 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
99 alternative_name = alt_name;
100 }
101
102 /* We can't call domain_list() as this function is called from
103 init_domain_list() and we'll get stuck in a loop. */
104 for (domain = _domain_list; domain; domain = domain->next) {
105 if (strequal(domain_name, domain->name) ||
106 strequal(domain_name, domain->alt_name)) {
107 return domain;
108 }
109 if (alternative_name && *alternative_name) {
110 if (strequal(alternative_name, domain->name) ||
111 strequal(alternative_name, domain->alt_name)) {
112 return domain;
113 }
114 }
115 if (sid) {
116 if (sid_equal(sid, &null_sid) ) {
117
118 } else if (sid_equal(sid, &domain->sid)) {
119 return domain;
120 }
121 }
122 }
123
124 /* Create new domain entry */
125
126 if ((domain = (struct winbindd_domain *)
127 malloc(sizeof(*domain))) == NULL)
128 return NULL;
129
130 /* Fill in fields */
131
132 ZERO_STRUCTP(domain);
133
134 /* prioritise the short name */
135 if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
136 fstrcpy(domain->name, alternative_name);
137 fstrcpy(domain->alt_name, domain_name);
138 } else {
139 fstrcpy(domain->name, domain_name);
140 if (alternative_name) {
141 fstrcpy(domain->alt_name, alternative_name);
142 }
143 }
144
145 domain->methods = methods;
146 domain->backend = NULL;
147 domain->sequence_number = DOM_SEQUENCE_NONE;
148 domain->last_seq_check = 0;
149 if (sid) {
150 sid_copy(&domain->sid, sid);
151 }
152
153 /* set flags about native_mode, active_directory */
154
155 set_dc_type_and_flags( domain );
156
157 DEBUG(3,("add_trusted_domain: %s is an %s %s domain\n", domain->name,
158 domain->active_directory ? "ADS" : "NT4",
159 domain->native_mode ? "native mode" :
160 ((domain->active_directory && !domain->native_mode) ? "mixed mode" : "")));
161
162 /* Link to domain list */
163 DLIST_ADD(_domain_list, domain);
164
165 DEBUG(1,("Added domain %s %s %s\n",
166 domain->name, domain->alt_name,
167 sid?sid_string_static(&domain->sid):""));
168
169 return domain;
170 }
171
172 /********************************************************************
173 Periodically we need to refresh the trusted domain cache for smbd
174 ********************************************************************/
175
176 void rescan_trusted_domains( void )
177 {
178 time_t now = time(NULL);
179 struct winbindd_domain *mydomain = NULL;
180
181 /* see if the time has come... */
182
183 if ( (now > last_trustdom_scan) && ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
184 return;
185
186 if ( (mydomain = find_our_domain()) == NULL ) {
187 DEBUG(0,("rescan_trusted_domains: Can't find my own domain!\n"));
188 return;
189 }
190
191 /* this will only add new domains we didn't already know about */
192
193 add_trusted_domains( mydomain );
194
195 last_trustdom_scan = now;
196
197 return;
198 }
199
200 /********************************************************************
201 rescan our domains looking for new trusted domains
202 ********************************************************************/
203
204 void add_trusted_domains( struct winbindd_domain *domain )
205 {
206 TALLOC_CTX *mem_ctx;
207 NTSTATUS result;
208 time_t t;
209 char **names;
210 char **alt_names;
211 int num_domains = 0;
212 DOM_SID *dom_sids, null_sid;
213 int i;
214 struct winbindd_domain *new_domain;
215
216 /* trusted domains might be disabled */
217 if (!lp_allow_trusted_domains()) {
218 return;
219 }
220
221 DEBUG(5, ("scanning trusted domain list\n"));
222
223 if (!(mem_ctx = talloc_init("init_domain_list")))
224 return;
225
226 ZERO_STRUCTP(&null_sid);
227
228 t = time(NULL);
229
230 /* ask the DC what domains it trusts */
231
232 result = domain->methods->trusted_domains(domain, mem_ctx, (unsigned int *)&num_domains,
233 &names, &alt_names, &dom_sids);
234
235 if ( NT_STATUS_IS_OK(result) ) {
236
237 /* Add each domain to the trusted domain list */
238
239 for(i = 0; i < num_domains; i++) {
240 DEBUG(10,("Found domain %s\n", names[i]));
241 add_trusted_domain(names[i], alt_names?alt_names[i]:NULL,
242 domain->methods, &dom_sids[i]);
243
244 /* if the SID was empty, we better set it now */
245
246 if ( sid_equal(&dom_sids[i], &null_sid) ) {
247
248 new_domain = find_domain_from_name(names[i]);
249
250 /* this should never happen */
251 if ( !new_domain ) {
252 DEBUG(0,("rescan_trust_domains: can't find the domain I just added! [%s]\n",
253 names[i]));
254 break;
255 }
256
257 /* call the cache method; which will operate on the winbindd_domain \
258 passed in and choose either rpc or ads as appropriate */
259
260 result = domain->methods->domain_sid( new_domain, &new_domain->sid );
261
262 if ( NT_STATUS_IS_OK(result) )
263 sid_copy( &dom_sids[i], &new_domain->sid );
264 }
265
266 /* store trusted domain in the cache */
267 trustdom_cache_store(names[i], alt_names ? alt_names[i] : NULL,
268 &dom_sids[i], t + WINBINDD_RESCAN_FREQ);
269 }
270 }
271
272 talloc_destroy(mem_ctx);
273 }
274
275 /* Look up global info for the winbind daemon */
276 BOOL init_domain_list(void)
277 {
278 extern struct winbindd_methods cache_methods;
279 struct winbindd_domain *domain;
280
281 /* Free existing list */
282 free_domain_list();
283
284 /* Add ourselves as the first entry. */
285
286 domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL);
287
288 domain->primary = True;
289
290 /* get any alternate name for the primary domain */
291
292 cache_methods.alternate_name(domain);
293
294 /* now we have the correct netbios (short) domain name */
295
296 if ( *domain->name )
297 set_global_myworkgroup( domain->name );
298
299 if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
300 DEBUG(1, ("Could not fetch sid for our domain %s\n",
301 domain->name));
302 return False;
303 }
304
305 /* do an initial scan for trusted domains */
306 add_trusted_domains(domain);
307
308 /* avoid rescanning this right away */
309 last_trustdom_scan = time(NULL);
310 return True;
311 }
312
313 /**
314 * Given a domain name, return the struct winbindd domain info for it
315 *
316 * @note Do *not* pass lp_workgroup() to this function. domain_list
317 * may modify it's value, and free that pointer. Instead, our local
318 * domain may be found by calling find_our_domain().
319 * directly.
320 *
321 *
322 * @return The domain structure for the named domain, if it is working.
323 */
324
325 struct winbindd_domain *find_domain_from_name(const char *domain_name)
326 {
327 struct winbindd_domain *domain;
328
329 /* Search through list */
330
331 for (domain = domain_list(); domain != NULL; domain = domain->next) {
332 if (strequal(domain_name, domain->name) ||
333 (domain->alt_name[0] && strequal(domain_name, domain->alt_name))) {
334 return domain;
335 }
336 }
337
338 /* Not found */
339
340 return NULL;
341 }
342
343 /* Given a domain sid, return the struct winbindd domain info for it */
344
345 struct winbindd_domain *find_domain_from_sid(DOM_SID *sid)
346 {
347 struct winbindd_domain *domain;
348
349 /* Search through list */
350
351 for (domain = domain_list(); domain != NULL; domain = domain->next) {
352 if (sid_compare_domain(sid, &domain->sid) == 0)
353 return domain;
354 }
355
356 /* Not found */
357
358 return NULL;
359 }
360
361 /* Given a domain sid, return the struct winbindd domain info for it */
362
363 struct winbindd_domain *find_our_domain(void)
364 {
365 struct winbindd_domain *domain;
366
367 /* Search through list */
368
369 for (domain = domain_list(); domain != NULL; domain = domain->next) {
370 if (domain->primary)
371 return domain;
372 }
373
374 /* Not found */
375
376 return NULL;
377 }
378
379 /* Lookup a sid in a domain from a name */
380
381 BOOL winbindd_lookup_sid_by_name(struct winbindd_domain *domain,
382 const char *name, DOM_SID *sid,
383 enum SID_NAME_USE *type)
384 {
385 NTSTATUS result;
386 TALLOC_CTX *mem_ctx;
387
388 mem_ctx = talloc_init("lookup_sid_by_name for %s\n", name);
389 if (!mem_ctx)
390 return False;
391
392 /* Lookup name */
393 result = domain->methods->name_to_sid(domain, mem_ctx, name, sid, type);
394
395 talloc_destroy(mem_ctx);
396
397 /* Return rid and type if lookup successful */
398 if (!NT_STATUS_IS_OK(result)) {
399 *type = SID_NAME_UNKNOWN;
400 }
401
402 return NT_STATUS_IS_OK(result);
403 }
404
405 /**
406 * @brief Lookup a name in a domain from a sid.
407 *
408 * @param sid Security ID you want to look up.
409 * @param name On success, set to the name corresponding to @p sid.
410 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
411 * @param type On success, contains the type of name: alias, group or
412 * user.
413 * @retval True if the name exists, in which case @p name and @p type
414 * are set, otherwise False.
415 **/
416 BOOL winbindd_lookup_name_by_sid(DOM_SID *sid,
417 fstring dom_name,
418 fstring name,
419 enum SID_NAME_USE *type)
420 {
421 char *names;
422 NTSTATUS result;
423 TALLOC_CTX *mem_ctx;
424 BOOL rv = False;
425 struct winbindd_domain *domain;
426
427 domain = find_domain_from_sid(sid);
428
429 if (!domain) {
430 DEBUG(1,("Can't find domain from sid\n"));
431 return False;
432 }
433
434 /* Lookup name */
435
436 if (!(mem_ctx = talloc_init("winbindd_lookup_name_by_sid")))
437 return False;
438
439 result = domain->methods->sid_to_name(domain, mem_ctx, sid, &names, type);
440
441 /* Return name and type if successful */
442
443 if ((rv = NT_STATUS_IS_OK(result))) {
444 fstrcpy(dom_name, domain->name);
445 fstrcpy(name, names);
446 } else {
447 *type = SID_NAME_UNKNOWN;
448 fstrcpy(name, name_deadbeef);
449 }
450
451 talloc_destroy(mem_ctx);
452
453 return rv;
454 }
455
456
457 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
458
459 void free_getent_state(struct getent_state *state)
460 {
461 struct getent_state *temp;
462
463 /* Iterate over state list */
464
465 temp = state;
466
467 while(temp != NULL) {
468 struct getent_state *next;
469
470 /* Free sam entries then list entry */
471
472 SAFE_FREE(state->sam_entries);
473 DLIST_REMOVE(state, state);
474 next = temp->next;
475
476 SAFE_FREE(temp);
477 temp = next;
478 }
479 }
480
481 /* Parse winbindd related parameters */
482
483 BOOL winbindd_param_init(void)
484 {
485 /* Parse winbind uid and winbind_gid parameters */
486
487 if (!lp_idmap_uid(&server_state.uid_low, &server_state.uid_high)) {
488 DEBUG(0, ("winbindd: idmap uid range missing or invalid\n"));
489 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
490 return False;
491 }
492
493 if (!lp_idmap_gid(&server_state.gid_low, &server_state.gid_high)) {
494 DEBUG(0, ("winbindd: idmap gid range missing or invalid\n"));
495 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
496 return False;
497 }
498
499 return True;
500 }
501
502 /* Check if a domain is present in a comma-separated list of domains */
503
504 BOOL check_domain_env(char *domain_env, char *domain)
505 {
506 fstring name;
507 const char *tmp = domain_env;
508
509 while(next_token(&tmp, name, ",", sizeof(fstring))) {
510 if (strequal(name, domain))
511 return True;
512 }
513
514 return False;
515 }
516
517 /* Is this a domain which we may assume no DOMAIN\ prefix? */
518
519 static BOOL assume_domain(const char *domain) {
520 if ((lp_winbind_use_default_domain()
521 || lp_winbind_trusted_domains_only()) &&
522 strequal(lp_workgroup(), domain))
523 return True;
524
525 if (strequal(get_global_sam_name(), domain))
526 return True;
527
528 return False;
529 }
530
531 /* Parse a string of the form DOMAIN/user into a domain and a user */
532
533 BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
534 {
535 char *p = strchr(domuser,*lp_winbind_separator());
536
537 if ( !p ) {
538 fstrcpy(user, domuser);
539
540 if ( assume_domain(lp_workgroup())) {
541 fstrcpy(domain, lp_workgroup());
542 } else {
543 fstrcpy( domain, get_global_sam_name() );
544 }
545 }
546 else {
547 fstrcpy(user, p+1);
548 fstrcpy(domain, domuser);
549 domain[PTR_DIFF(p, domuser)] = 0;
550 }
551
552 strupper_m(domain);
553
554 return True;
555 }
556
557 /*
558 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
559 'winbind separator' options.
560 This means:
561 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
562 lp_workgroup()
563
564 If we are a PDC or BDC, and this is for our domain, do likewise.
565
566 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
567 username is then unqualified in unix
568
569 */
570 void fill_domain_username(fstring name, const char *domain, const char *user)
571 {
572 if (assume_domain(domain)) {
573 strlcpy(name, user, sizeof(fstring));
574 } else {
575 slprintf(name, sizeof(fstring) - 1, "%s%s%s",
576 domain, lp_winbind_separator(),
577 user);
578 }
579 }
580
581 /*
582 * Winbindd socket accessor functions
583 */
584
585 char *get_winbind_priv_pipe_dir(void)
586 {
587 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
588 }
589
590 /* Open the winbindd socket */
591
592 static int _winbindd_socket = -1;
593 static int _winbindd_priv_socket = -1;
594
595 int open_winbindd_socket(void)
596 {
597 if (_winbindd_socket == -1) {
598 _winbindd_socket = create_pipe_sock(
599 WINBINDD_SOCKET_DIR, WINBINDD_SOCKET_NAME, 0755);
600 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
601 _winbindd_socket));
602 }
603
604 return _winbindd_socket;
605 }
606
607 int open_winbindd_priv_socket(void)
608 {
609 if (_winbindd_priv_socket == -1) {
610 _winbindd_priv_socket = create_pipe_sock(
611 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
612 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
613 _winbindd_priv_socket));
614 }
615
616 return _winbindd_priv_socket;
617 }
618
619 /* Close the winbindd socket */
620
621 void close_winbindd_socket(void)
622 {
623 if (_winbindd_socket != -1) {
624 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
625 _winbindd_socket));
626 close(_winbindd_socket);
627 _winbindd_socket = -1;
628 }
629 if (_winbindd_priv_socket != -1) {
630 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
631 _winbindd_priv_socket));
632 close(_winbindd_priv_socket);
633 _winbindd_priv_socket = -1;
634 }
635 }
636
637 /*
638 * Client list accessor functions
639 */
640
641 static struct winbindd_cli_state *_client_list;
642 static int _num_clients;
643
644 /* Return list of all connected clients */
645
646 struct winbindd_cli_state *winbindd_client_list(void)
647 {
648 return _client_list;
649 }
650
651 /* Add a connection to the list */
652
653 void winbindd_add_client(struct winbindd_cli_state *cli)
654 {
655 DLIST_ADD(_client_list, cli);
656 _num_clients++;
657 }
658
659 /* Remove a client from the list */
660
661 void winbindd_remove_client(struct winbindd_cli_state *cli)
662 {
663 DLIST_REMOVE(_client_list, cli);
664 _num_clients--;
665 }
666
667 /* Close all open clients */
668
669 void winbindd_kill_all_clients(void)
670 {
671 struct winbindd_cli_state *cl = winbindd_client_list();
672
673 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
674
675 while (cl) {
676 struct winbindd_cli_state *next;
677
678 next = cl->next;
679 winbindd_remove_client(cl);
680 cl = next;
681 }
682 }
683
684 /* Return number of open clients */
685
686 int winbindd_num_clients(void)
687 {
688 return _num_clients;
689 }
690
691 /* Help with RID -> SID conversion */
692
693 DOM_SID *rid_to_talloced_sid(struct winbindd_domain *domain,
694 TALLOC_CTX *mem_ctx,
695 uint32 rid)
696 {
697 DOM_SID *sid;
698 sid = talloc(mem_ctx, sizeof(*sid));
699 if (!sid) {
700 smb_panic("rid_to_to_talloced_sid: talloc for DOM_SID failed!\n");
701 }
702 sid_copy(sid, &domain->sid);
703 sid_append_rid(sid, rid);
704 return sid;
705 }
706
707 /*****************************************************************************
708 For idmap conversion: convert one record to new format
709 Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
710 instead of the SID.
711 *****************************************************************************/
712 static int convert_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA data, void *state)
713 {
714 struct winbindd_domain *domain;
715 char *p;
716 DOM_SID sid;
717 uint32 rid;
718 fstring keystr;
719 fstring dom_name;
720 TDB_DATA key2;
721 BOOL *failed = (BOOL *)state;
722
723 DEBUG(10,("Converting %s\n", key.dptr));
724
725 p = strchr(key.dptr, '/');
726 if (!p)
727 return 0;
728
729 *p = 0;
730 fstrcpy(dom_name, key.dptr);
731 *p++ = '/';
732
733 domain = find_domain_from_name(dom_name);
734 if (domain == NULL) {
735 /* We must delete the old record. */
736 DEBUG(0,("Unable to find domain %s\n", dom_name ));
737 DEBUG(0,("deleting record %s\n", key.dptr ));
738
739 if (tdb_delete(tdb, key) != 0) {
740 DEBUG(0, ("Unable to delete record %s\n", key.dptr));
741 *failed = True;
742 return -1;
743 }
744
745 return 0;
746 }
747
748 rid = atoi(p);
749
750 sid_copy(&sid, &domain->sid);
751 sid_append_rid(&sid, rid);
752
753 sid_to_string(keystr, &sid);
754 key2.dptr = keystr;
755 key2.dsize = strlen(keystr) + 1;
756
757 if (tdb_store(tdb, key2, data, TDB_INSERT) != 0) {
758 DEBUG(0,("Unable to add record %s\n", key2.dptr ));
759 *failed = True;
760 return -1;
761 }
762
763 if (tdb_store(tdb, data, key2, TDB_REPLACE) != 0) {
764 DEBUG(0,("Unable to update record %s\n", data.dptr ));
765 *failed = True;
766 return -1;
767 }
768
769 if (tdb_delete(tdb, key) != 0) {
770 DEBUG(0,("Unable to delete record %s\n", key.dptr ));
771 *failed = True;
772 return -1;
773 }
774
775 return 0;
776 }
777
778 /* These definitions are from sam/idmap_tdb.c. Replicated here just
779 out of laziness.... :-( */
780
781 /* High water mark keys */
782 #define HWM_GROUP "GROUP HWM"
783 #define HWM_USER "USER HWM"
784
785 /* idmap version determines auto-conversion */
786 #define IDMAP_VERSION 2
787
788
789 /*****************************************************************************
790 Convert the idmap database from an older version.
791 *****************************************************************************/
792
793 static BOOL idmap_convert(const char *idmap_name)
794 {
795 int32 vers;
796 BOOL bigendianheader;
797 BOOL failed = False;
798 TDB_CONTEXT *idmap_tdb;
799
800 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
801 TDB_DEFAULT, O_RDWR,
802 0600))) {
803 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
804 return False;
805 }
806
807 bigendianheader = (idmap_tdb->flags & TDB_BIGENDIAN) ? True : False;
808
809 vers = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
810
811 if (((vers == -1) && bigendianheader) || (IREV(vers) == IDMAP_VERSION)) {
812 /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */
813 /*
814 * high and low records were created on a
815 * big endian machine and will need byte-reversing.
816 */
817
818 int32 wm;
819
820 wm = tdb_fetch_int32(idmap_tdb, HWM_USER);
821
822 if (wm != -1) {
823 wm = IREV(wm);
824 } else {
825 wm = server_state.uid_low;
826 }
827
828 if (tdb_store_int32(idmap_tdb, HWM_USER, wm) == -1) {
829 DEBUG(0, ("idmap_convert: Unable to byteswap user hwm in idmap database\n"));
830 tdb_close(idmap_tdb);
831 return False;
832 }
833
834 wm = tdb_fetch_int32(idmap_tdb, HWM_GROUP);
835 if (wm != -1) {
836 wm = IREV(wm);
837 } else {
838 wm = server_state.gid_low;
839 }
840
841 if (tdb_store_int32(idmap_tdb, HWM_GROUP, wm) == -1) {
842 DEBUG(0, ("idmap_convert: Unable to byteswap group hwm in idmap database\n"));
843 tdb_close(idmap_tdb);
844 return False;
845 }
846 }
847
848 /* the old format stored as DOMAIN/rid - now we store the SID direct */
849 tdb_traverse(idmap_tdb, convert_fn, &failed);
850
851 if (failed) {
852 DEBUG(0, ("Problem during conversion\n"));
853 tdb_close(idmap_tdb);
854 return False;
855 }
856
857 if (tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION) == -1) {
858 DEBUG(0, ("idmap_convert: Unable to dtore idmap version in databse\n"));
859 tdb_close(idmap_tdb);
860 return False;
861 }
862
863 tdb_close(idmap_tdb);
864 return True;
865 }
866
867 /*****************************************************************************
868 Convert the idmap database from an older version if necessary
869 *****************************************************************************/
870
871 BOOL winbindd_upgrade_idmap(void)
872 {
873 pstring idmap_name;
874 pstring backup_name;
875 SMB_STRUCT_STAT stbuf;
876 TDB_CONTEXT *idmap_tdb;
877
878 pstrcpy(idmap_name, lock_path("winbindd_idmap.tdb"));
879
880 if (!file_exist(idmap_name, &stbuf)) {
881 /* nothing to convert return */
882 return True;
883 }
884
885 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
886 TDB_DEFAULT, O_RDWR,
887 0600))) {
888 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
889 return False;
890 }
891
892 if (tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION") == IDMAP_VERSION) {
893 /* nothing to convert return */
894 tdb_close(idmap_tdb);
895 return True;
896 }
897
898 /* backup_tdb expects the tdb not to be open */
899 tdb_close(idmap_tdb);
900
901 DEBUG(0, ("Upgrading winbindd_idmap.tdb from an old version\n"));
902
903 pstrcpy(backup_name, idmap_name);
904 pstrcat(backup_name, ".bak");
905
906 if (backup_tdb(idmap_name, backup_name) != 0) {
907 DEBUG(0, ("Could not backup idmap database\n"));
908 return False;
909 }
910
911 return idmap_convert(idmap_name);
912 }
913
914 /*******************************************************************
915 wrapper around retrieving the trust account password
916 *******************************************************************/
917
918 BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16],
919 time_t *pass_last_set_time, uint32 *channel)
920 {
921 DOM_SID sid;
922 char *pwd;
923
924 /* if we are a DC and this is not our domain, then lookup an account
925 for the domain trust */
926
927 if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() )
928 {
929 if ( !secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
930 pass_last_set_time) )
931 {
932 DEBUG(0, ("get_trust_pw: could not fetch trust account "
933 "password for trusted domain %s\n", domain));
934 return False;
935 }
936
937 *channel = SEC_CHAN_DOMAIN;
938 E_md4hash(pwd, ret_pwd);
939 SAFE_FREE(pwd);
940
941 return True;
942 }
943 else /* just get the account for our domain (covers
944 ROLE_DOMAIN_MEMBER as well */
945 {
946 /* get the machine trust account for our domain */
947
948 if ( !secrets_fetch_trust_account_password (lp_workgroup(), ret_pwd,
949 pass_last_set_time, channel) )
950 {
951 DEBUG(0, ("get_trust_pw: could not fetch trust account "
952 "password for my domain %s\n", domain));
953 return False;
954 }
955
956 return True;
957 }
958
959 /* Failure */
960 }
961
reg import