search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Apply some more of Derrell Lipman's changes.
[Samba/gebeck_regimport.git] / source3 / nsswitch / winbindd_util.c
blob6ac5c48285a9c17fcdb2a7c38a1e915b9cf434a9
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_WINBIND
29
30 /**
31 * @file winbindd_util.c
32 *
33 * Winbind daemon for NT domain authentication nss module.
34 **/
35
36
37 /**
38 * Used to clobber name fields that have an undefined value.
39 *
40 * Correct code should never look at a field that has this value.
41 **/
42
43 static const fstring name_deadbeef = "<deadbeef>";
44
45 /* The list of trusted domains. Note that the list can be deleted and
46 recreated using the init_domain_list() function so pointers to
47 individual winbindd_domain structures cannot be made. Keep a copy of
48 the domain name instead. */
49
50 static struct winbindd_domain *_domain_list;
51
52 /**
53 When was the last scan of trusted domains done?
54
55 0 == not ever
56 */
57
58 static time_t last_trustdom_scan;
59
60 struct winbindd_domain *domain_list(void)
61 {
62 /* Initialise list */
63
64 if (!_domain_list)
65 if (!init_domain_list())
66 return NULL;
67
68 return _domain_list;
69 }
70
71 /* Free all entries in the trusted domain list */
72
73 void free_domain_list(void)
74 {
75 struct winbindd_domain *domain = _domain_list;
76
77 while(domain) {
78 struct winbindd_domain *next = domain->next;
79
80 DLIST_REMOVE(_domain_list, domain);
81 SAFE_FREE(domain);
82 domain = next;
83 }
84 }
85
86
87 /* Add a trusted domain to our list of domains */
88 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
89 struct winbindd_methods *methods,
90 DOM_SID *sid)
91 {
92 struct winbindd_domain *domain;
93 const char *alternative_name = NULL;
94 static const DOM_SID null_sid;
95
96 /* ignore alt_name if we are not in an AD domain */
97
98 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
99 alternative_name = alt_name;
100 }
101
102 /* We can't call domain_list() as this function is called from
103 init_domain_list() and we'll get stuck in a loop. */
104 for (domain = _domain_list; domain; domain = domain->next) {
105 if (strequal(domain_name, domain->name) ||
106 strequal(domain_name, domain->alt_name)) {
107 return domain;
108 }
109 if (alternative_name && *alternative_name) {
110 if (strequal(alternative_name, domain->name) ||
111 strequal(alternative_name, domain->alt_name)) {
112 return domain;
113 }
114 }
115 if (sid) {
116 if (sid_equal(sid, &null_sid) ) {
117
118 } else if (sid_equal(sid, &domain->sid)) {
119 return domain;
120 }
121 }
122 }
123
124 /* Create new domain entry */
125
126 if ((domain = (struct winbindd_domain *)malloc(sizeof(*domain))) == NULL)
127 return NULL;
128
129 /* Fill in fields */
130
131 ZERO_STRUCTP(domain);
132
133 /* prioritise the short name */
134 if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
135 fstrcpy(domain->name, alternative_name);
136 fstrcpy(domain->alt_name, domain_name);
137 } else {
138 fstrcpy(domain->name, domain_name);
139 if (alternative_name) {
140 fstrcpy(domain->alt_name, alternative_name);
141 }
142 }
143
144 domain->methods = methods;
145 domain->backend = NULL;
146 domain->sequence_number = DOM_SEQUENCE_NONE;
147 domain->last_seq_check = 0;
148 if (sid) {
149 sid_copy(&domain->sid, sid);
150 }
151
152 /* set flags about native_mode, active_directory */
153
154 if (!domain->internal)
155 set_dc_type_and_flags( domain );
156
157 DEBUG(3,("add_trusted_domain: %s is an %s %s domain\n", domain->name,
158 domain->active_directory ? "ADS" : "NT4",
159 domain->native_mode ? "native mode" :
160 ((domain->active_directory && !domain->native_mode) ? "mixed mode" : "")));
161
162 /* Link to domain list */
163 DLIST_ADD(_domain_list, domain);
164
165 DEBUG(1,("Added domain %s %s %s\n",
166 domain->name, domain->alt_name,
167 &domain->sid?sid_string_static(&domain->sid):""));
168
169 return domain;
170 }
171
172 /********************************************************************
173 rescan our domains looking for new trusted domains
174 ********************************************************************/
175
176 static void add_trusted_domains( struct winbindd_domain *domain )
177 {
178 TALLOC_CTX *mem_ctx;
179 NTSTATUS result;
180 time_t t;
181 char **names;
182 char **alt_names;
183 int num_domains = 0;
184 DOM_SID *dom_sids, null_sid;
185 int i;
186 struct winbindd_domain *new_domain;
187
188 /* trusted domains might be disabled */
189 if (!lp_allow_trusted_domains()) {
190 return;
191 }
192
193 DEBUG(5, ("scanning trusted domain list\n"));
194
195 if (!(mem_ctx = talloc_init("init_domain_list")))
196 return;
197
198 ZERO_STRUCTP(&null_sid);
199
200 t = time(NULL);
201
202 /* ask the DC what domains it trusts */
203
204 result = domain->methods->trusted_domains(domain, mem_ctx, (unsigned int *)&num_domains,
205 &names, &alt_names, &dom_sids);
206
207 if ( NT_STATUS_IS_OK(result) ) {
208
209 /* Add each domain to the trusted domain list */
210
211 for(i = 0; i < num_domains; i++) {
212 DEBUG(10,("Found domain %s\n", names[i]));
213 add_trusted_domain(names[i], alt_names?alt_names[i]:NULL,
214 domain->methods, &dom_sids[i]);
215
216 /* if the SID was empty, we better set it now */
217
218 if ( sid_equal(&dom_sids[i], &null_sid) ) {
219
220 new_domain = find_domain_from_name(names[i]);
221
222 /* this should never happen */
223 if ( !new_domain ) {
224 DEBUG(0,("rescan_trust_domains: can't find the domain I just added! [%s]\n",
225 names[i]));
226 break;
227 }
228
229 /* call the cache method; which will operate on the winbindd_domain \
230 passed in and choose either rpc or ads as appropriate */
231
232 result = domain->methods->domain_sid( new_domain, &new_domain->sid );
233
234 if ( NT_STATUS_IS_OK(result) )
235 sid_copy( &dom_sids[i], &new_domain->sid );
236 }
237
238 /* store trusted domain in the cache */
239 trustdom_cache_store(names[i], alt_names ? alt_names[i] : NULL,
240 &dom_sids[i], t + WINBINDD_RESCAN_FREQ);
241 }
242 }
243
244 talloc_destroy(mem_ctx);
245 }
246
247 /********************************************************************
248 Periodically we need to refresh the trusted domain cache for smbd
249 ********************************************************************/
250
251 void rescan_trusted_domains( void )
252 {
253 time_t now = time(NULL);
254 struct winbindd_domain *mydomain = NULL;
255
256 /* see if the time has come... */
257
258 if ( (now > last_trustdom_scan) && ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
259 return;
260
261 if ( (mydomain = find_our_domain()) == NULL ) {
262 DEBUG(0,("rescan_trusted_domains: Can't find my own domain!\n"));
263 return;
264 }
265
266 /* this will only add new domains we didn't already know about */
267
268 add_trusted_domains( mydomain );
269
270 last_trustdom_scan = now;
271
272 return;
273 }
274
275 /* Look up global info for the winbind daemon */
276 BOOL init_domain_list(void)
277 {
278 extern struct winbindd_methods cache_methods;
279 struct winbindd_domain *domain;
280
281 /* Free existing list */
282 free_domain_list();
283
284 /* Add ourselves as the first entry. */
285
286 domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL);
287
288 domain->primary = True;
289
290 /* get any alternate name for the primary domain */
291
292 cache_methods.alternate_name(domain);
293
294 /* now we have the correct netbios (short) domain name */
295
296 if ( *domain->name )
297 set_global_myworkgroup( domain->name );
298
299 if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
300 DEBUG(1, ("Could not fetch sid for our domain %s\n",
301 domain->name));
302 return False;
303 }
304
305 /* do an initial scan for trusted domains */
306 add_trusted_domains(domain);
307
308 /* Add our local SAM domains */
309 {
310 DOM_SID sid;
311 extern struct winbindd_methods passdb_methods;
312 struct winbindd_domain *dom;
313
314 string_to_sid(&sid, "S-1-5-32");
315
316 dom = add_trusted_domain("BUILTIN", NULL, &passdb_methods,
317 &sid);
318 dom->internal = True;
319
320 dom = add_trusted_domain(get_global_sam_name(), NULL,
321 &passdb_methods,
322 get_global_sam_sid());
323 dom->internal = True;
324 }
325
326 /* avoid rescanning this right away */
327 last_trustdom_scan = time(NULL);
328 return True;
329 }
330
331 /**
332 * Given a domain name, return the struct winbindd domain info for it
333 *
334 * @note Do *not* pass lp_workgroup() to this function. domain_list
335 * may modify it's value, and free that pointer. Instead, our local
336 * domain may be found by calling find_our_domain().
337 * directly.
338 *
339 *
340 * @return The domain structure for the named domain, if it is working.
341 */
342
343 struct winbindd_domain *find_domain_from_name(const char *domain_name)
344 {
345 struct winbindd_domain *domain;
346
347 /* Search through list */
348
349 for (domain = domain_list(); domain != NULL; domain = domain->next) {
350 if (strequal(domain_name, domain->name) ||
351 (domain->alt_name[0] && strequal(domain_name, domain->alt_name))) {
352 return domain;
353 }
354 }
355
356 /* Not found */
357
358 return NULL;
359 }
360
361 /* Given a domain sid, return the struct winbindd domain info for it */
362
363 struct winbindd_domain *find_domain_from_sid(DOM_SID *sid)
364 {
365 struct winbindd_domain *domain;
366
367 /* Search through list */
368
369 for (domain = domain_list(); domain != NULL; domain = domain->next) {
370 if (sid_compare_domain(sid, &domain->sid) == 0)
371 return domain;
372 }
373
374 /* Not found */
375
376 return NULL;
377 }
378
379 /* Given a domain sid, return the struct winbindd domain info for it */
380
381 struct winbindd_domain *find_our_domain(void)
382 {
383 struct winbindd_domain *domain;
384
385 /* Search through list */
386
387 for (domain = domain_list(); domain != NULL; domain = domain->next) {
388 if (domain->primary)
389 return domain;
390 }
391
392 /* Not found */
393
394 return NULL;
395 }
396
397 /* Lookup a sid in a domain from a name */
398
399 BOOL winbindd_lookup_sid_by_name(struct winbindd_domain *domain,
400 const char *name, DOM_SID *sid,
401 enum SID_NAME_USE *type)
402 {
403 NTSTATUS result;
404 TALLOC_CTX *mem_ctx;
405
406 mem_ctx = talloc_init("lookup_sid_by_name for %s\n", name);
407 if (!mem_ctx)
408 return False;
409
410 /* Lookup name */
411 result = domain->methods->name_to_sid(domain, mem_ctx, name, sid, type);
412
413 talloc_destroy(mem_ctx);
414
415 /* Return rid and type if lookup successful */
416 if (!NT_STATUS_IS_OK(result)) {
417 *type = SID_NAME_UNKNOWN;
418 }
419
420 return NT_STATUS_IS_OK(result);
421 }
422
423 /**
424 * @brief Lookup a name in a domain from a sid.
425 *
426 * @param sid Security ID you want to look up.
427 * @param name On success, set to the name corresponding to @p sid.
428 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
429 * @param type On success, contains the type of name: alias, group or
430 * user.
431 * @retval True if the name exists, in which case @p name and @p type
432 * are set, otherwise False.
433 **/
434 BOOL winbindd_lookup_name_by_sid(DOM_SID *sid,
435 fstring dom_name,
436 fstring name,
437 enum SID_NAME_USE *type)
438 {
439 char *names;
440 NTSTATUS result;
441 TALLOC_CTX *mem_ctx;
442 BOOL rv = False;
443 struct winbindd_domain *domain;
444
445 domain = find_domain_from_sid(sid);
446
447 if (!domain) {
448 DEBUG(1,("Can't find domain from sid\n"));
449 return False;
450 }
451
452 /* Lookup name */
453
454 if (!(mem_ctx = talloc_init("winbindd_lookup_name_by_sid")))
455 return False;
456
457 result = domain->methods->sid_to_name(domain, mem_ctx, sid, &names, type);
458
459 /* Return name and type if successful */
460
461 if ((rv = NT_STATUS_IS_OK(result))) {
462 fstrcpy(dom_name, domain->name);
463 fstrcpy(name, names);
464 } else {
465 *type = SID_NAME_UNKNOWN;
466 fstrcpy(name, name_deadbeef);
467 }
468
469 talloc_destroy(mem_ctx);
470
471 return rv;
472 }
473
474
475 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
476
477 void free_getent_state(struct getent_state *state)
478 {
479 struct getent_state *temp;
480
481 /* Iterate over state list */
482
483 temp = state;
484
485 while(temp != NULL) {
486 struct getent_state *next;
487
488 /* Free sam entries then list entry */
489
490 SAFE_FREE(state->sam_entries);
491 DLIST_REMOVE(state, state);
492 next = temp->next;
493
494 SAFE_FREE(temp);
495 temp = next;
496 }
497 }
498
499 /* Parse winbindd related parameters */
500
501 BOOL winbindd_param_init(void)
502 {
503 /* Parse winbind uid and winbind_gid parameters */
504
505 if (!lp_idmap_uid(&server_state.uid_low, &server_state.uid_high)) {
506 DEBUG(0, ("winbindd: idmap uid range missing or invalid\n"));
507 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
508 return False;
509 }
510
511 if (!lp_idmap_gid(&server_state.gid_low, &server_state.gid_high)) {
512 DEBUG(0, ("winbindd: idmap gid range missing or invalid\n"));
513 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
514 return False;
515 }
516
517 return True;
518 }
519
520 /* Check if a domain is present in a comma-separated list of domains */
521
522 BOOL check_domain_env(char *domain_env, char *domain)
523 {
524 fstring name;
525 const char *tmp = domain_env;
526
527 while(next_token(&tmp, name, ",", sizeof(fstring))) {
528 if (strequal(name, domain))
529 return True;
530 }
531
532 return False;
533 }
534
535 /* Is this a domain which we may assume no DOMAIN\ prefix? */
536
537 static BOOL assume_domain(const char *domain) {
538 if ((lp_winbind_use_default_domain()
539 || lp_winbind_trusted_domains_only()) &&
540 strequal(lp_workgroup(), domain))
541 return True;
542
543 if (strequal(get_global_sam_name(), domain))
544 return True;
545
546 return False;
547 }
548
549 /* Parse a string of the form DOMAIN/user into a domain and a user */
550
551 BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
552 {
553 char *p = strchr(domuser,*lp_winbind_separator());
554
555 if ( !p ) {
556 fstrcpy(user, domuser);
557
558 if ( assume_domain(lp_workgroup())) {
559 fstrcpy(domain, lp_workgroup());
560 } else {
561 fstrcpy( domain, get_global_sam_name() );
562 }
563 }
564 else {
565 fstrcpy(user, p+1);
566 fstrcpy(domain, domuser);
567 domain[PTR_DIFF(p, domuser)] = 0;
568 }
569
570 strupper_m(domain);
571
572 return True;
573 }
574
575 /*
576 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
577 'winbind separator' options.
578 This means:
579 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
580 lp_workgroup()
581
582 If we are a PDC or BDC, and this is for our domain, do likewise.
583
584 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
585 username is then unqualified in unix
586
587 */
588 void fill_domain_username(fstring name, const char *domain, const char *user)
589 {
590 if (assume_domain(domain)) {
591 strlcpy(name, user, sizeof(fstring));
592 } else {
593 slprintf(name, sizeof(fstring) - 1, "%s%s%s",
594 domain, lp_winbind_separator(),
595 user);
596 }
597 }
598
599 /*
600 * Winbindd socket accessor functions
601 */
602
603 char *get_winbind_priv_pipe_dir(void)
604 {
605 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
606 }
607
608 /* Open the winbindd socket */
609
610 static int _winbindd_socket = -1;
611 static int _winbindd_priv_socket = -1;
612
613 int open_winbindd_socket(void)
614 {
615 if (_winbindd_socket == -1) {
616 _winbindd_socket = create_pipe_sock(
617 WINBINDD_SOCKET_DIR, WINBINDD_SOCKET_NAME, 0755);
618 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
619 _winbindd_socket));
620 }
621
622 return _winbindd_socket;
623 }
624
625 int open_winbindd_priv_socket(void)
626 {
627 if (_winbindd_priv_socket == -1) {
628 _winbindd_priv_socket = create_pipe_sock(
629 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
630 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
631 _winbindd_priv_socket));
632 }
633
634 return _winbindd_priv_socket;
635 }
636
637 /* Close the winbindd socket */
638
639 void close_winbindd_socket(void)
640 {
641 if (_winbindd_socket != -1) {
642 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
643 _winbindd_socket));
644 close(_winbindd_socket);
645 _winbindd_socket = -1;
646 }
647 if (_winbindd_priv_socket != -1) {
648 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
649 _winbindd_priv_socket));
650 close(_winbindd_priv_socket);
651 _winbindd_priv_socket = -1;
652 }
653 }
654
655 /*
656 * Client list accessor functions
657 */
658
659 static struct winbindd_cli_state *_client_list;
660 static int _num_clients;
661
662 /* Return list of all connected clients */
663
664 struct winbindd_cli_state *winbindd_client_list(void)
665 {
666 return _client_list;
667 }
668
669 /* Add a connection to the list */
670
671 void winbindd_add_client(struct winbindd_cli_state *cli)
672 {
673 DLIST_ADD(_client_list, cli);
674 _num_clients++;
675 }
676
677 /* Remove a client from the list */
678
679 void winbindd_remove_client(struct winbindd_cli_state *cli)
680 {
681 DLIST_REMOVE(_client_list, cli);
682 _num_clients--;
683 }
684
685 /* Close all open clients */
686
687 void winbindd_kill_all_clients(void)
688 {
689 struct winbindd_cli_state *cl = winbindd_client_list();
690
691 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
692
693 while (cl) {
694 struct winbindd_cli_state *next;
695
696 next = cl->next;
697 winbindd_remove_client(cl);
698 cl = next;
699 }
700 }
701
702 /* Return number of open clients */
703
704 int winbindd_num_clients(void)
705 {
706 return _num_clients;
707 }
708
709 /* Help with RID -> SID conversion */
710
711 DOM_SID *rid_to_talloced_sid(struct winbindd_domain *domain,
712 TALLOC_CTX *mem_ctx,
713 uint32 rid)
714 {
715 DOM_SID *sid;
716 sid = talloc(mem_ctx, sizeof(*sid));
717 if (!sid) {
718 smb_panic("rid_to_to_talloced_sid: talloc for DOM_SID failed!\n");
719 }
720 sid_copy(sid, &domain->sid);
721 sid_append_rid(sid, rid);
722 return sid;
723 }
724
725 /*****************************************************************************
726 For idmap conversion: convert one record to new format
727 Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
728 instead of the SID.
729 *****************************************************************************/
730 static int convert_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA data, void *state)
731 {
732 struct winbindd_domain *domain;
733 char *p;
734 DOM_SID sid;
735 uint32 rid;
736 fstring keystr;
737 fstring dom_name;
738 TDB_DATA key2;
739 BOOL *failed = (BOOL *)state;
740
741 DEBUG(10,("Converting %s\n", key.dptr));
742
743 p = strchr(key.dptr, '/');
744 if (!p)
745 return 0;
746
747 *p = 0;
748 fstrcpy(dom_name, key.dptr);
749 *p++ = '/';
750
751 domain = find_domain_from_name(dom_name);
752 if (domain == NULL) {
753 /* We must delete the old record. */
754 DEBUG(0,("Unable to find domain %s\n", dom_name ));
755 DEBUG(0,("deleting record %s\n", key.dptr ));
756
757 if (tdb_delete(tdb, key) != 0) {
758 DEBUG(0, ("Unable to delete record %s\n", key.dptr));
759 *failed = True;
760 return -1;
761 }
762
763 return 0;
764 }
765
766 rid = atoi(p);
767
768 sid_copy(&sid, &domain->sid);
769 sid_append_rid(&sid, rid);
770
771 sid_to_string(keystr, &sid);
772 key2.dptr = keystr;
773 key2.dsize = strlen(keystr) + 1;
774
775 if (tdb_store(tdb, key2, data, TDB_INSERT) != 0) {
776 DEBUG(0,("Unable to add record %s\n", key2.dptr ));
777 *failed = True;
778 return -1;
779 }
780
781 if (tdb_store(tdb, data, key2, TDB_REPLACE) != 0) {
782 DEBUG(0,("Unable to update record %s\n", data.dptr ));
783 *failed = True;
784 return -1;
785 }
786
787 if (tdb_delete(tdb, key) != 0) {
788 DEBUG(0,("Unable to delete record %s\n", key.dptr ));
789 *failed = True;
790 return -1;
791 }
792
793 return 0;
794 }
795
796 /* These definitions are from sam/idmap_tdb.c. Replicated here just
797 out of laziness.... :-( */
798
799 /* High water mark keys */
800 #define HWM_GROUP "GROUP HWM"
801 #define HWM_USER "USER HWM"
802
803 /* idmap version determines auto-conversion */
804 #define IDMAP_VERSION 2
805
806
807 /*****************************************************************************
808 Convert the idmap database from an older version.
809 *****************************************************************************/
810
811 static BOOL idmap_convert(const char *idmap_name)
812 {
813 int32 vers;
814 BOOL bigendianheader;
815 BOOL failed = False;
816 TDB_CONTEXT *idmap_tdb;
817
818 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
819 TDB_DEFAULT, O_RDWR,
820 0600))) {
821 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
822 return False;
823 }
824
825 bigendianheader = (idmap_tdb->flags & TDB_BIGENDIAN) ? True : False;
826
827 vers = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
828
829 if (((vers == -1) && bigendianheader) || (IREV(vers) == IDMAP_VERSION)) {
830 /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */
831 /*
832 * high and low records were created on a
833 * big endian machine and will need byte-reversing.
834 */
835
836 int32 wm;
837
838 wm = tdb_fetch_int32(idmap_tdb, HWM_USER);
839
840 if (wm != -1) {
841 wm = IREV(wm);
842 } else {
843 wm = server_state.uid_low;
844 }
845
846 if (tdb_store_int32(idmap_tdb, HWM_USER, wm) == -1) {
847 DEBUG(0, ("idmap_convert: Unable to byteswap user hwm in idmap database\n"));
848 tdb_close(idmap_tdb);
849 return False;
850 }
851
852 wm = tdb_fetch_int32(idmap_tdb, HWM_GROUP);
853 if (wm != -1) {
854 wm = IREV(wm);
855 } else {
856 wm = server_state.gid_low;
857 }
858
859 if (tdb_store_int32(idmap_tdb, HWM_GROUP, wm) == -1) {
860 DEBUG(0, ("idmap_convert: Unable to byteswap group hwm in idmap database\n"));
861 tdb_close(idmap_tdb);
862 return False;
863 }
864 }
865
866 /* the old format stored as DOMAIN/rid - now we store the SID direct */
867 tdb_traverse(idmap_tdb, convert_fn, &failed);
868
869 if (failed) {
870 DEBUG(0, ("Problem during conversion\n"));
871 tdb_close(idmap_tdb);
872 return False;
873 }
874
875 if (tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION) == -1) {
876 DEBUG(0, ("idmap_convert: Unable to dtore idmap version in databse\n"));
877 tdb_close(idmap_tdb);
878 return False;
879 }
880
881 tdb_close(idmap_tdb);
882 return True;
883 }
884
885 /*****************************************************************************
886 Convert the idmap database from an older version if necessary
887 *****************************************************************************/
888
889 BOOL winbindd_upgrade_idmap(void)
890 {
891 pstring idmap_name;
892 pstring backup_name;
893 SMB_STRUCT_STAT stbuf;
894 TDB_CONTEXT *idmap_tdb;
895
896 pstrcpy(idmap_name, lock_path("winbindd_idmap.tdb"));
897
898 if (!file_exist(idmap_name, &stbuf)) {
899 /* nothing to convert return */
900 return True;
901 }
902
903 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
904 TDB_DEFAULT, O_RDWR,
905 0600))) {
906 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
907 return False;
908 }
909
910 if (tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION") == IDMAP_VERSION) {
911 /* nothing to convert return */
912 tdb_close(idmap_tdb);
913 return True;
914 }
915
916 /* backup_tdb expects the tdb not to be open */
917 tdb_close(idmap_tdb);
918
919 DEBUG(0, ("Upgrading winbindd_idmap.tdb from an old version\n"));
920
921 pstrcpy(backup_name, idmap_name);
922 pstrcat(backup_name, ".bak");
923
924 if (backup_tdb(idmap_name, backup_name) != 0) {
925 DEBUG(0, ("Could not backup idmap database\n"));
926 return False;
927 }
928
929 return idmap_convert(idmap_name);
930 }
931
932 /*******************************************************************
933 wrapper around retrieving the trust account password
934 *******************************************************************/
935
936 BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16],
937 time_t *pass_last_set_time, uint32 *channel)
938 {
939 DOM_SID sid;
940 char *pwd;
941
942 /* if we are a DC and this is not our domain, then lookup an account
943 for the domain trust */
944
945 if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() )
946 {
947 if ( !secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
948 pass_last_set_time) )
949 {
950 DEBUG(0, ("get_trust_pw: could not fetch trust account "
951 "password for trusted domain %s\n", domain));
952 return False;
953 }
954
955 *channel = SEC_CHAN_DOMAIN;
956 E_md4hash(pwd, ret_pwd);
957 SAFE_FREE(pwd);
958
959 return True;
960 }
961 else /* just get the account for our domain (covers
962 ROLE_DOMAIN_MEMBER as well */
963 {
964 /* get the machine trust account for our domain */
965
966 if ( !secrets_fetch_trust_account_password (lp_workgroup(), ret_pwd,
967 pass_last_set_time, channel) )
968 {
969 DEBUG(0, ("get_trust_pw: could not fetch trust account "
970 "password for my domain %s\n", domain));
971 return False;
972 }
973
974 return True;
975 }
976
977 /* Failure */
978 }
979
reg import