2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 #define DBGC_CLASS DBGC_WINBIND
30 * @file winbindd_util.c
32 * Winbind daemon for NT domain authentication nss module.
37 * Used to clobber name fields that have an undefined value.
39 * Correct code should never look at a field that has this value.
42 static const fstring name_deadbeef
= "<deadbeef>";
44 /* The list of trusted domains. Note that the list can be deleted and
45 recreated using the init_domain_list() function so pointers to
46 individual winbindd_domain structures cannot be made. Keep a copy of
47 the domain name instead. */
49 static struct winbindd_domain
*_domain_list
;
51 struct winbindd_domain
*domain_list(void)
61 /* Free all entries in the trusted domain list */
63 void free_domain_list(void)
65 struct winbindd_domain
*domain
= _domain_list
;
68 struct winbindd_domain
*next
= domain
->next
;
70 DLIST_REMOVE(_domain_list
, domain
);
77 /* Add a trusted domain to our list of domains */
78 static struct winbindd_domain
*add_trusted_domain(const char *domain_name
, const char *alt_name
,
79 struct winbindd_methods
*methods
,
82 struct winbindd_domain
*domain
;
84 const char *alternative_name
= NULL
;
86 /* ignore alt_name if we are not in an AD domain */
88 if ( (lp_security() == SEC_ADS
) && alt_name
&& *alt_name
) {
89 alternative_name
= alt_name
;
92 /* We can't call domain_list() as this function is called from
93 init_domain_list() and we'll get stuck in a loop. */
94 for (domain
= _domain_list
; domain
; domain
= domain
->next
) {
95 if (strequal(domain_name
, domain
->name
) ||
96 strequal(domain_name
, domain
->alt_name
)) {
99 if (alternative_name
&& *alternative_name
) {
100 if (strequal(alternative_name
, domain
->name
) ||
101 strequal(alternative_name
, domain
->alt_name
)) {
107 /* Create new domain entry */
109 if ((domain
= (struct winbindd_domain
*)
110 malloc(sizeof(*domain
))) == NULL
)
115 ZERO_STRUCTP(domain
);
117 /* prioritise the short name */
118 if (strchr_m(domain_name
, '.') && alternative_name
&& *alternative_name
) {
119 fstrcpy(domain
->name
, alternative_name
);
120 fstrcpy(domain
->alt_name
, domain_name
);
122 fstrcpy(domain
->name
, domain_name
);
123 if (alternative_name
) {
124 fstrcpy(domain
->alt_name
, alternative_name
);
128 domain
->methods
= methods
;
129 domain
->backend
= NULL
;
130 domain
->sequence_number
= DOM_SEQUENCE_NONE
;
131 domain
->last_seq_check
= 0;
133 sid_copy(&domain
->sid
, sid
);
136 /* see if this is a native mode win2k domain (use realm name if possible) */
138 contact_name
= *domain
->alt_name
? domain
->alt_name
: domain
->name
;
139 domain
->native_mode
= cm_check_for_native_mode_win2k( contact_name
);
141 DEBUG(3,("add_trusted_domain: %s is a %s mode domain\n", contact_name
,
142 domain
->native_mode
? "native" : "mixed (or NT4)" ));
144 /* Link to domain list */
145 DLIST_ADD(_domain_list
, domain
);
147 DEBUG(1,("Added domain %s %s %s\n",
148 domain
->name
, domain
->alt_name
,
149 sid
?sid_string_static(&domain
->sid
):""));
154 /********************************************************************
155 Periodically we need to refresh the trusted domain cache for smbd
156 ********************************************************************/
158 void rescan_trusted_domains( void )
160 static time_t last_scan
;
161 time_t now
= time(NULL
);
162 struct winbindd_domain
*mydomain
= NULL
;
164 /* see if the time has come... */
166 if ( (now
> last_scan
) && ((now
-last_scan
) < WINBINDD_RESCAN_FREQ
) )
169 /* get the handle for our domain */
171 if ( (mydomain
= find_domain_from_name(lp_workgroup())) == NULL
) {
172 DEBUG(0,("rescan_trusted_domains: Can't find my own domain!\n"));
176 /* this will only add new domains we didn't already know about */
178 add_trusted_domains( mydomain
);
185 /********************************************************************
186 rescan our domains looking for new trusted domains
187 ********************************************************************/
189 void add_trusted_domains( struct winbindd_domain
*domain
)
197 DOM_SID
*dom_sids
, null_sid
;
199 struct winbindd_domain
*new_domain
;
201 /* trusted domains might be disabled */
202 if (!lp_allow_trusted_domains()) {
206 DEBUG(1, ("scanning trusted domain list\n"));
208 if (!(mem_ctx
= talloc_init("init_domain_list")))
211 ZERO_STRUCTP(&null_sid
);
215 /* ask the DC what domains it trusts */
217 result
= domain
->methods
->trusted_domains(domain
, mem_ctx
, (unsigned int *)&num_domains
,
218 &names
, &alt_names
, &dom_sids
);
220 if ( NT_STATUS_IS_OK(result
) ) {
222 /* Add each domain to the trusted domain list */
224 for(i
= 0; i
< num_domains
; i
++) {
225 DEBUG(10,("Found domain %s\n", names
[i
]));
226 add_trusted_domain(names
[i
], alt_names
?alt_names
[i
]:NULL
,
227 domain
->methods
, &dom_sids
[i
]);
229 /* if the SID was empty, we better set it now */
231 if ( sid_equal(&dom_sids
[i
], &null_sid
) ) {
233 new_domain
= find_domain_from_name(names
[i
]);
235 /* this should never happen */
237 DEBUG(0,("rescan_trust_domains: can't find the domain I just added! [%s]\n",
242 /* call the cache method; which will operate on the winbindd_domain \
243 passed in and choose either rpc or ads as appropriate */
245 result
= domain
->methods
->domain_sid( new_domain
, &new_domain
->sid
);
247 if ( NT_STATUS_IS_OK(result
) )
248 sid_copy( &dom_sids
[i
], &new_domain
->sid
);
251 /* store trusted domain in the cache */
252 trustdom_cache_store(names
[i
], alt_names
? alt_names
[i
] : NULL
,
253 &dom_sids
[i
], t
+ WINBINDD_RESCAN_FREQ
);
257 talloc_destroy(mem_ctx
);
260 /* Look up global info for the winbind daemon */
261 BOOL
init_domain_list(void)
263 extern struct winbindd_methods cache_methods
;
264 struct winbindd_domain
*domain
;
266 /* Free existing list */
269 /* Add ourselves as the first entry */
271 domain
= add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods
, NULL
);
273 /* get any alternate name for the primary domain */
275 cache_methods
.alternate_name(domain
);
277 /* now we have the correct netbios (short) domain name */
280 set_global_myworkgroup( domain
->name
);
282 if (!secrets_fetch_domain_sid(domain
->name
, &domain
->sid
)) {
283 DEBUG(1, ("Could not fetch sid for our domain %s\n",
288 /* do an initial scan for trusted domains */
289 add_trusted_domains(domain
);
294 /* Given a domain name, return the struct winbindd domain info for it
295 if it is actually working. */
297 struct winbindd_domain
*find_domain_from_name(const char *domain_name
)
299 struct winbindd_domain
*domain
;
301 /* Search through list */
303 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
304 if (strequal(domain_name
, domain
->name
) ||
305 (domain
->alt_name
[0] && strequal(domain_name
, domain
->alt_name
)))
314 /* Given a domain sid, return the struct winbindd domain info for it */
316 struct winbindd_domain
*find_domain_from_sid(DOM_SID
*sid
)
318 struct winbindd_domain
*domain
;
320 /* Search through list */
322 for (domain
= domain_list(); domain
!= NULL
; domain
= domain
->next
) {
323 if (sid_compare_domain(sid
, &domain
->sid
) == 0)
332 /* Lookup a sid in a domain from a name */
334 BOOL
winbindd_lookup_sid_by_name(struct winbindd_domain
*domain
,
335 const char *name
, DOM_SID
*sid
,
336 enum SID_NAME_USE
*type
)
340 /* Don't bother with machine accounts */
342 if (name
[strlen(name
) - 1] == '$')
345 mem_ctx
= talloc_init("lookup_sid_by_name for %s\n", name
);
350 result
= domain
->methods
->name_to_sid(domain
, mem_ctx
, name
, sid
, type
);
352 talloc_destroy(mem_ctx
);
354 /* Return rid and type if lookup successful */
355 if (!NT_STATUS_IS_OK(result
)) {
356 *type
= SID_NAME_UNKNOWN
;
359 return NT_STATUS_IS_OK(result
);
363 * @brief Lookup a name in a domain from a sid.
365 * @param sid Security ID you want to look up.
366 * @param name On success, set to the name corresponding to @p sid.
367 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
368 * @param type On success, contains the type of name: alias, group or
370 * @retval True if the name exists, in which case @p name and @p type
371 * are set, otherwise False.
373 BOOL
winbindd_lookup_name_by_sid(DOM_SID
*sid
,
376 enum SID_NAME_USE
*type
)
382 struct winbindd_domain
*domain
;
384 domain
= find_domain_from_sid(sid
);
387 DEBUG(1,("Can't find domain from sid\n"));
393 if (!(mem_ctx
= talloc_init("winbindd_lookup_name_by_sid")))
396 result
= domain
->methods
->sid_to_name(domain
, mem_ctx
, sid
, &names
, type
);
398 /* Return name and type if successful */
400 if ((rv
= NT_STATUS_IS_OK(result
))) {
401 fstrcpy(dom_name
, domain
->name
);
402 fstrcpy(name
, names
);
404 *type
= SID_NAME_UNKNOWN
;
405 fstrcpy(name
, name_deadbeef
);
408 talloc_destroy(mem_ctx
);
414 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
416 void free_getent_state(struct getent_state
*state
)
418 struct getent_state
*temp
;
420 /* Iterate over state list */
424 while(temp
!= NULL
) {
425 struct getent_state
*next
;
427 /* Free sam entries then list entry */
429 SAFE_FREE(state
->sam_entries
);
430 DLIST_REMOVE(state
, state
);
438 /* Parse winbindd related parameters */
440 BOOL
winbindd_param_init(void)
442 /* Parse winbind uid and winbind_gid parameters */
444 if (!lp_idmap_uid(&server_state
.uid_low
, &server_state
.uid_high
)) {
445 DEBUG(0, ("winbindd: idmap uid range missing or invalid\n"));
446 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
450 if (!lp_idmap_gid(&server_state
.gid_low
, &server_state
.gid_high
)) {
451 DEBUG(0, ("winbindd: idmap gid range missing or invalid\n"));
452 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
459 /* Check if a domain is present in a comma-separated list of domains */
461 BOOL
check_domain_env(char *domain_env
, char *domain
)
464 const char *tmp
= domain_env
;
466 while(next_token(&tmp
, name
, ",", sizeof(fstring
))) {
467 if (strequal(name
, domain
))
474 /* Parse a string of the form DOMAIN/user into a domain and a user */
476 BOOL
parse_domain_user(const char *domuser
, fstring domain
, fstring user
)
478 char *p
= strchr(domuser
,*lp_winbind_separator());
481 fstrcpy(user
, domuser
);
483 if ( lp_winbind_use_default_domain() )
484 fstrcpy(domain
, lp_workgroup());
486 fstrcpy( domain
, "" );
490 fstrcpy(domain
, domuser
);
491 domain
[PTR_DIFF(p
, domuser
)] = 0;
500 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
501 'winbind separator' options.
503 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
507 void fill_domain_username(fstring name
, const char *domain
, const char *user
)
509 if(lp_winbind_use_default_domain() &&
510 !strcmp(lp_workgroup(), domain
)) {
511 strlcpy(name
, user
, sizeof(fstring
));
513 slprintf(name
, sizeof(fstring
) - 1, "%s%s%s",
514 domain
, lp_winbind_separator(),
520 * Winbindd socket accessor functions
523 char *get_winbind_priv_pipe_dir(void)
525 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR
);
528 /* Open the winbindd socket */
530 static int _winbindd_socket
= -1;
531 static int _winbindd_priv_socket
= -1;
533 int open_winbindd_socket(void)
535 if (_winbindd_socket
== -1) {
536 _winbindd_socket
= create_pipe_sock(
537 WINBINDD_SOCKET_DIR
, WINBINDD_SOCKET_NAME
, 0755);
538 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
542 return _winbindd_socket
;
545 int open_winbindd_priv_socket(void)
547 if (_winbindd_priv_socket
== -1) {
548 _winbindd_priv_socket
= create_pipe_sock(
549 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME
, 0750);
550 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
551 _winbindd_priv_socket
));
554 return _winbindd_priv_socket
;
557 /* Close the winbindd socket */
559 void close_winbindd_socket(void)
561 if (_winbindd_socket
!= -1) {
562 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
564 close(_winbindd_socket
);
565 _winbindd_socket
= -1;
567 if (_winbindd_priv_socket
!= -1) {
568 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
569 _winbindd_priv_socket
));
570 close(_winbindd_priv_socket
);
571 _winbindd_priv_socket
= -1;
576 * Client list accessor functions
579 static struct winbindd_cli_state
*_client_list
;
580 static int _num_clients
;
582 /* Return list of all connected clients */
584 struct winbindd_cli_state
*winbindd_client_list(void)
589 /* Add a connection to the list */
591 void winbindd_add_client(struct winbindd_cli_state
*cli
)
593 DLIST_ADD(_client_list
, cli
);
597 /* Remove a client from the list */
599 void winbindd_remove_client(struct winbindd_cli_state
*cli
)
601 DLIST_REMOVE(_client_list
, cli
);
605 /* Close all open clients */
607 void winbindd_kill_all_clients(void)
609 struct winbindd_cli_state
*cl
= winbindd_client_list();
611 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
614 struct winbindd_cli_state
*next
;
617 winbindd_remove_client(cl
);
622 /* Return number of open clients */
624 int winbindd_num_clients(void)
629 /* Help with RID -> SID conversion */
631 DOM_SID
*rid_to_talloced_sid(struct winbindd_domain
*domain
,
636 sid
= talloc(mem_ctx
, sizeof(*sid
));
638 smb_panic("rid_to_to_talloced_sid: talloc for DOM_SID failed!\n");
640 sid_copy(sid
, &domain
->sid
);
641 sid_append_rid(sid
, rid
);
645 /*****************************************************************************
646 For idmap conversion: convert one record to new format
647 Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
649 *****************************************************************************/
650 static int convert_fn(TDB_CONTEXT
*tdb
, TDB_DATA key
, TDB_DATA data
, void *state
)
652 struct winbindd_domain
*domain
;
659 BOOL
*failed
= (BOOL
*)state
;
661 DEBUG(10,("Converting %s\n", key
.dptr
));
663 p
= strchr(key
.dptr
, '/');
668 fstrcpy(dom_name
, key
.dptr
);
671 domain
= find_domain_from_name(dom_name
);
672 if (domain
== NULL
) {
673 /* We must delete the old record. */
674 DEBUG(0,("Unable to find domain %s\n", dom_name
));
675 DEBUG(0,("deleting record %s\n", key
.dptr
));
677 if (tdb_delete(tdb
, key
) != 0) {
678 DEBUG(0, ("Unable to delete record %s\n", key
.dptr
));
688 sid_copy(&sid
, &domain
->sid
);
689 sid_append_rid(&sid
, rid
);
691 sid_to_string(keystr
, &sid
);
693 key2
.dsize
= strlen(keystr
) + 1;
695 if (tdb_store(tdb
, key2
, data
, TDB_INSERT
) != 0) {
696 DEBUG(0,("Unable to add record %s\n", key2
.dptr
));
701 if (tdb_store(tdb
, data
, key2
, TDB_REPLACE
) != 0) {
702 DEBUG(0,("Unable to update record %s\n", data
.dptr
));
707 if (tdb_delete(tdb
, key
) != 0) {
708 DEBUG(0,("Unable to delete record %s\n", key
.dptr
));
716 /* These definitions are from sam/idmap_tdb.c. Replicated here just
717 out of laziness.... :-( */
719 /* High water mark keys */
720 #define HWM_GROUP "GROUP HWM"
721 #define HWM_USER "USER HWM"
723 /* idmap version determines auto-conversion */
724 #define IDMAP_VERSION 2
727 /*****************************************************************************
728 Convert the idmap database from an older version.
729 *****************************************************************************/
731 static BOOL
idmap_convert(const char *idmap_name
)
734 BOOL bigendianheader
;
736 TDB_CONTEXT
*idmap_tdb
;
738 if (!(idmap_tdb
= tdb_open_log(idmap_name
, 0,
741 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
745 bigendianheader
= (idmap_tdb
->flags
& TDB_BIGENDIAN
) ? True
: False
;
747 vers
= tdb_fetch_int32(idmap_tdb
, "IDMAP_VERSION");
749 if (((vers
== -1) && bigendianheader
) || (IREV(vers
) == IDMAP_VERSION
)) {
750 /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */
752 * high and low records were created on a
753 * big endian machine and will need byte-reversing.
758 wm
= tdb_fetch_int32(idmap_tdb
, HWM_USER
);
763 wm
= server_state
.uid_low
;
766 if (tdb_store_int32(idmap_tdb
, HWM_USER
, wm
) == -1) {
767 DEBUG(0, ("idmap_convert: Unable to byteswap user hwm in idmap database\n"));
768 tdb_close(idmap_tdb
);
772 wm
= tdb_fetch_int32(idmap_tdb
, HWM_GROUP
);
776 wm
= server_state
.gid_low
;
779 if (tdb_store_int32(idmap_tdb
, HWM_GROUP
, wm
) == -1) {
780 DEBUG(0, ("idmap_convert: Unable to byteswap group hwm in idmap database\n"));
781 tdb_close(idmap_tdb
);
786 /* the old format stored as DOMAIN/rid - now we store the SID direct */
787 tdb_traverse(idmap_tdb
, convert_fn
, &failed
);
790 DEBUG(0, ("Problem during conversion\n"));
791 tdb_close(idmap_tdb
);
795 if (tdb_store_int32(idmap_tdb
, "IDMAP_VERSION", IDMAP_VERSION
) == -1) {
796 DEBUG(0, ("idmap_convert: Unable to dtore idmap version in databse\n"));
797 tdb_close(idmap_tdb
);
801 tdb_close(idmap_tdb
);
805 /*****************************************************************************
806 Convert the idmap database from an older version if necessary
807 *****************************************************************************/
809 BOOL
winbindd_upgrade_idmap(void)
813 SMB_STRUCT_STAT stbuf
;
814 TDB_CONTEXT
*idmap_tdb
;
816 pstrcpy(idmap_name
, lock_path("winbindd_idmap.tdb"));
818 if (!file_exist(idmap_name
, &stbuf
)) {
819 /* nothing to convert return */
823 if (!(idmap_tdb
= tdb_open_log(idmap_name
, 0,
826 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
830 if (tdb_fetch_int32(idmap_tdb
, "IDMAP_VERSION") == IDMAP_VERSION
) {
831 /* nothing to convert return */
832 tdb_close(idmap_tdb
);
836 /* backup_tdb expects the tdb not to be open */
837 tdb_close(idmap_tdb
);
839 DEBUG(0, ("Upgrading winbindd_idmap.tdb from an old version\n"));
841 pstrcpy(backup_name
, idmap_name
);
842 pstrcat(backup_name
, ".bak");
844 if (backup_tdb(idmap_name
, backup_name
) != 0) {
845 DEBUG(0, ("Could not backup idmap database\n"));
849 return idmap_convert(idmap_name
);
852 /*******************************************************************
853 wrapper around retrieving the trust account password
854 *******************************************************************/
856 BOOL
get_trust_pw(const char *domain
, uint8 ret_pwd
[16],
857 time_t *pass_last_set_time
, uint32
*channel
)
862 /* if we are a DC and this is not our domain, then lookup an account
863 for the domain trust */
865 if ( IS_DC
&& !strequal(domain
, lp_workgroup()) && lp_allow_trusted_domains() )
867 if ( !secrets_fetch_trusted_domain_password(domain
, &pwd
, &sid
,
868 pass_last_set_time
) )
870 DEBUG(0, ("get_trust_pw: could not fetch trust account "
871 "password for trusted domain %s\n", domain
));
875 *channel
= SEC_CHAN_DOMAIN
;
876 E_md4hash(pwd
, ret_pwd
);
881 else /* just get the account for our domain (covers
882 ROLE_DOMAIN_MEMBER as well */
884 /* get the machine trust account for our domain */
886 if ( !secrets_fetch_trust_account_password (lp_workgroup(), ret_pwd
,
887 pass_last_set_time
, channel
) )
889 DEBUG(0, ("get_trust_pw: could not fetch trust account "
890 "password for my domain %s\n", domain
));