2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 extern DOM_SID global_sid_Builtin;
28 extern struct winbindd_methods cache_methods;
29 extern struct winbindd_methods passdb_methods;
32 #define DBGC_CLASS DBGC_WINBIND
35 * @file winbindd_util.c
37 * Winbind daemon for NT domain authentication nss module.
42 * Used to clobber name fields that have an undefined value.
44 * Correct code should never look at a field that has this value.
47 static const fstring name_deadbeef = "<deadbeef>";
49 /* The list of trusted domains. Note that the list can be deleted and
50 recreated using the init_domain_list() function so pointers to
51 individual winbindd_domain structures cannot be made. Keep a copy of
52 the domain name instead. */
54 static struct winbindd_domain *_domain_list;
57 When was the last scan of trusted domains done?
62 static time_t last_trustdom_scan;
64 struct winbindd_domain *domain_list(void)
69 if (!init_domain_list())
75 /* Free all entries in the trusted domain list */
77 void free_domain_list(void)
79 struct winbindd_domain *domain = _domain_list;
82 struct winbindd_domain *next = domain->next;
84 DLIST_REMOVE(_domain_list, domain);
90 static BOOL is_internal_domain(const DOM_SID *sid)
95 if (sid_compare_domain(sid, get_global_sam_sid()) == 0)
98 if (sid_compare_domain(sid, &global_sid_Builtin) == 0)
105 /* Add a trusted domain to our list of domains */
106 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
107 struct winbindd_methods *methods,
110 struct winbindd_domain *domain;
111 const char *alternative_name = NULL;
112 static const DOM_SID null_sid;
114 /* ignore alt_name if we are not in an AD domain */
116 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
117 alternative_name = alt_name;
120 /* We can't call domain_list() as this function is called from
121 init_domain_list() and we'll get stuck in a loop. */
122 for (domain = _domain_list; domain; domain = domain->next) {
123 if (strequal(domain_name, domain->name) ||
124 strequal(domain_name, domain->alt_name)) {
127 if (alternative_name && *alternative_name) {
128 if (strequal(alternative_name, domain->name) ||
129 strequal(alternative_name, domain->alt_name)) {
134 if (sid_equal(sid, &null_sid) ) {
136 } else if (sid_equal(sid, &domain->sid)) {
142 /* Create new domain entry */
144 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
149 ZERO_STRUCTP(domain);
151 /* prioritise the short name */
152 if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
153 fstrcpy(domain->name, alternative_name);
154 fstrcpy(domain->alt_name, domain_name);
156 fstrcpy(domain->name, domain_name);
157 if (alternative_name) {
158 fstrcpy(domain->alt_name, alternative_name);
162 domain->methods = methods;
163 domain->backend = NULL;
164 domain->internal = is_internal_domain(sid);
165 domain->sequence_number = DOM_SEQUENCE_NONE;
166 domain->last_seq_check = 0;
167 domain->initialized = False;
169 sid_copy(&domain->sid, sid);
172 /* Link to domain list */
173 DLIST_ADD(_domain_list, domain);
175 DEBUG(2,("Added domain %s %s %s\n",
176 domain->name, domain->alt_name,
177 &domain->sid?sid_string_static(&domain->sid):""));
182 /********************************************************************
183 rescan our domains looking for new trusted domains
184 ********************************************************************/
186 static void add_trusted_domains( struct winbindd_domain *domain )
194 DOM_SID *dom_sids, null_sid;
196 struct winbindd_domain *new_domain;
198 /* trusted domains might be disabled */
199 if (!lp_allow_trusted_domains()) {
203 DEBUG(5, ("scanning trusted domain list\n"));
205 if (!(mem_ctx = talloc_init("init_domain_list")))
208 ZERO_STRUCTP(&null_sid);
212 /* ask the DC what domains it trusts */
214 result = domain->methods->trusted_domains(domain, mem_ctx, (unsigned int *)&num_domains,
215 &names, &alt_names, &dom_sids);
217 if ( NT_STATUS_IS_OK(result) ) {
219 /* Add each domain to the trusted domain list */
221 for(i = 0; i < num_domains; i++) {
222 DEBUG(10,("Found domain %s\n", names[i]));
223 add_trusted_domain(names[i], alt_names?alt_names[i]:NULL,
224 &cache_methods, &dom_sids[i]);
226 /* if the SID was empty, we better set it now */
228 if ( sid_equal(&dom_sids[i], &null_sid) ) {
230 new_domain = find_domain_from_name(names[i]);
232 /* this should never happen */
234 DEBUG(0,("rescan_trust_domains: can't find the domain I just added! [%s]\n",
239 /* call the cache method; which will operate on the winbindd_domain \
240 passed in and choose either rpc or ads as appropriate */
242 result = domain->methods->domain_sid( new_domain, &new_domain->sid );
244 if ( NT_STATUS_IS_OK(result) )
245 sid_copy( &dom_sids[i], &new_domain->sid );
248 /* store trusted domain in the cache */
249 trustdom_cache_store(names[i], alt_names ? alt_names[i] : NULL,
250 &dom_sids[i], t + WINBINDD_RESCAN_FREQ);
254 talloc_destroy(mem_ctx);
257 /********************************************************************
258 Periodically we need to refresh the trusted domain cache for smbd
259 ********************************************************************/
261 void rescan_trusted_domains( void )
263 time_t now = time(NULL);
264 struct winbindd_domain *mydomain = NULL;
266 /* see if the time has come... */
268 if ( (now > last_trustdom_scan) && ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
271 if ( (mydomain = find_our_domain()) == NULL ) {
272 DEBUG(0,("rescan_trusted_domains: Can't find my own domain!\n"));
276 /* this will only add new domains we didn't already know about */
278 add_trusted_domains( mydomain );
280 last_trustdom_scan = now;
285 /* Look up global info for the winbind daemon */
286 BOOL init_domain_list(void)
288 struct winbindd_domain *domain;
290 /* Free existing list */
293 /* Add ourselves as the first entry. */
296 domain = add_trusted_domain(get_global_sam_name(), NULL,
297 &passdb_methods, get_global_sam_sid());
300 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
301 &cache_methods, NULL);
303 /* set flags about native_mode, active_directory */
304 set_dc_type_and_flags(domain);
307 domain->primary = True;
309 /* get any alternate name for the primary domain */
311 cache_methods.alternate_name(domain);
313 /* now we have the correct netbios (short) domain name */
316 set_global_myworkgroup( domain->name );
318 if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
319 DEBUG(1, ("Could not fetch sid for our domain %s\n",
324 /* do an initial scan for trusted domains */
325 add_trusted_domains(domain);
328 /* Add our local SAM domains */
330 add_trusted_domain("BUILTIN", NULL, &passdb_methods,
331 &global_sid_Builtin);
334 add_trusted_domain(get_global_sam_name(), NULL,
335 &passdb_methods, get_global_sam_sid());
338 /* avoid rescanning this right away */
339 last_trustdom_scan = time(NULL);
344 * Given a domain name, return the struct winbindd domain info for it
346 * @note Do *not* pass lp_workgroup() to this function. domain_list
347 * may modify it's value, and free that pointer. Instead, our local
348 * domain may be found by calling find_our_domain().
352 * @return The domain structure for the named domain, if it is working.
355 struct winbindd_domain *find_domain_from_name(const char *domain_name)
357 struct winbindd_domain *domain;
359 /* Search through list */
361 for (domain = domain_list(); domain != NULL; domain = domain->next) {
362 if (strequal(domain_name, domain->name) ||
363 (domain->alt_name[0] && strequal(domain_name, domain->alt_name))) {
364 if (!domain->initialized)
365 set_dc_type_and_flags(domain);
376 /* Given a domain sid, return the struct winbindd domain info for it */
378 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
380 struct winbindd_domain *domain;
382 /* Search through list */
384 for (domain = domain_list(); domain != NULL; domain = domain->next) {
385 if (sid_compare_domain(sid, &domain->sid) == 0) {
386 if (!domain->initialized)
387 set_dc_type_and_flags(domain);
397 /* Given a domain sid, return the struct winbindd domain info for it */
399 struct winbindd_domain *find_our_domain(void)
401 struct winbindd_domain *domain;
403 /* Search through list */
405 for (domain = domain_list(); domain != NULL; domain = domain->next) {
415 /* Find the appropriate domain to lookup a name or SID */
417 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
419 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
420 * one to contact the external DC's. On member servers the internal
421 * domains are different: These are part of the local SAM. */
423 if (IS_DC || is_internal_domain(sid))
424 return find_domain_from_sid(sid);
426 /* On a member server a query for SID or name can always go to our
429 return find_our_domain();
432 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
434 if (IS_DC || strequal(domain_name, "BUILTIN") ||
435 strequal(domain_name, get_global_sam_name()))
436 return find_domain_from_name(domain_name);
438 return find_our_domain();
441 /* Lookup a sid in a domain from a name */
443 BOOL winbindd_lookup_sid_by_name(struct winbindd_domain *domain,
444 const char *domain_name,
445 const char *name, DOM_SID *sid,
446 enum SID_NAME_USE *type)
451 mem_ctx = talloc_init("lookup_sid_by_name for %s\\%s\n",
457 result = domain->methods->name_to_sid(domain, mem_ctx, domain_name, name, sid, type);
459 talloc_destroy(mem_ctx);
461 /* Return rid and type if lookup successful */
462 if (!NT_STATUS_IS_OK(result)) {
463 *type = SID_NAME_UNKNOWN;
466 return NT_STATUS_IS_OK(result);
470 * @brief Lookup a name in a domain from a sid.
472 * @param sid Security ID you want to look up.
473 * @param name On success, set to the name corresponding to @p sid.
474 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
475 * @param type On success, contains the type of name: alias, group or
477 * @retval True if the name exists, in which case @p name and @p type
478 * are set, otherwise False.
480 BOOL winbindd_lookup_name_by_sid(DOM_SID *sid,
483 enum SID_NAME_USE *type)
490 struct winbindd_domain *domain;
492 domain = find_lookup_domain_from_sid(sid);
495 DEBUG(1,("Can't find domain from sid\n"));
501 if (!(mem_ctx = talloc_init("winbindd_lookup_name_by_sid")))
504 result = domain->methods->sid_to_name(domain, mem_ctx, sid, &dom_names, &names, type);
506 /* Return name and type if successful */
508 if ((rv = NT_STATUS_IS_OK(result))) {
509 fstrcpy(dom_name, dom_names);
510 fstrcpy(name, names);
512 *type = SID_NAME_UNKNOWN;
513 fstrcpy(name, name_deadbeef);
516 talloc_destroy(mem_ctx);
522 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
524 void free_getent_state(struct getent_state *state)
526 struct getent_state *temp;
528 /* Iterate over state list */
532 while(temp != NULL) {
533 struct getent_state *next;
535 /* Free sam entries then list entry */
537 SAFE_FREE(state->sam_entries);
538 DLIST_REMOVE(state, state);
546 /* Parse winbindd related parameters */
548 BOOL winbindd_param_init(void)
550 /* Parse winbind uid and winbind_gid parameters */
552 if (!lp_idmap_uid(&server_state.uid_low, &server_state.uid_high)) {
553 DEBUG(0, ("winbindd: idmap uid range missing or invalid\n"));
554 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
558 if (!lp_idmap_gid(&server_state.gid_low, &server_state.gid_high)) {
559 DEBUG(0, ("winbindd: idmap gid range missing or invalid\n"));
560 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
567 /* Check if a domain is present in a comma-separated list of domains */
569 BOOL check_domain_env(char *domain_env, char *domain)
572 const char *tmp = domain_env;
574 while(next_token(&tmp, name, ",", sizeof(fstring))) {
575 if (strequal(name, domain))
582 /* Is this a domain which we may assume no DOMAIN\ prefix? */
584 static BOOL assume_domain(const char *domain) {
585 if ((lp_winbind_use_default_domain()
586 || lp_winbind_trusted_domains_only()) &&
587 strequal(lp_workgroup(), domain))
590 if (strequal(get_global_sam_name(), domain))
596 /* Parse a string of the form DOMAIN/user into a domain and a user */
598 BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
600 char *p = strchr(domuser,*lp_winbind_separator());
603 fstrcpy(user, domuser);
605 if ( assume_domain(lp_workgroup())) {
606 fstrcpy(domain, lp_workgroup());
608 fstrcpy( domain, get_global_sam_name() );
613 fstrcpy(domain, domuser);
614 domain[PTR_DIFF(p, domuser)] = 0;
623 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
624 'winbind separator' options.
626 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
629 If we are a PDC or BDC, and this is for our domain, do likewise.
631 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
632 username is then unqualified in unix
635 void fill_domain_username(fstring name, const char *domain, const char *user)
637 strlower_m(CONST_DISCARD(char *, user));
639 if (assume_domain(domain)) {
640 strlcpy(name, user, sizeof(fstring));
642 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
643 domain, *lp_winbind_separator(),
649 * Winbindd socket accessor functions
652 char *get_winbind_priv_pipe_dir(void)
654 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
657 /* Open the winbindd socket */
659 static int _winbindd_socket = -1;
660 static int _winbindd_priv_socket = -1;
662 int open_winbindd_socket(void)
664 if (_winbindd_socket == -1) {
665 _winbindd_socket = create_pipe_sock(
666 WINBINDD_SOCKET_DIR, WINBINDD_SOCKET_NAME, 0755);
667 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
671 return _winbindd_socket;
674 int open_winbindd_priv_socket(void)
676 if (_winbindd_priv_socket == -1) {
677 _winbindd_priv_socket = create_pipe_sock(
678 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
679 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
680 _winbindd_priv_socket));
683 return _winbindd_priv_socket;
686 /* Close the winbindd socket */
688 void close_winbindd_socket(void)
690 if (_winbindd_socket != -1) {
691 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
693 close(_winbindd_socket);
694 _winbindd_socket = -1;
696 if (_winbindd_priv_socket != -1) {
697 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
698 _winbindd_priv_socket));
699 close(_winbindd_priv_socket);
700 _winbindd_priv_socket = -1;
705 * Client list accessor functions
708 static struct winbindd_cli_state *_client_list;
709 static int _num_clients;
711 /* Return list of all connected clients */
713 struct winbindd_cli_state *winbindd_client_list(void)
718 /* Add a connection to the list */
720 void winbindd_add_client(struct winbindd_cli_state *cli)
722 DLIST_ADD(_client_list, cli);
726 /* Remove a client from the list */
728 void winbindd_remove_client(struct winbindd_cli_state *cli)
730 DLIST_REMOVE(_client_list, cli);
734 /* Demote a client to be the last in the list */
736 void winbindd_demote_client(struct winbindd_cli_state *cli)
738 struct winbindd_cli_state *tmp;
739 DLIST_DEMOTE(_client_list, cli, tmp);
742 /* Close all open clients */
744 void winbindd_kill_all_clients(void)
746 struct winbindd_cli_state *cl = winbindd_client_list();
748 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
751 struct winbindd_cli_state *next;
754 winbindd_remove_client(cl);
759 /* Return number of open clients */
761 int winbindd_num_clients(void)
766 /* Help with RID -> SID conversion */
768 DOM_SID *rid_to_talloced_sid(struct winbindd_domain *domain,
773 sid = TALLOC_P(mem_ctx, DOM_SID);
775 smb_panic("rid_to_to_talloced_sid: talloc for DOM_SID failed!\n");
777 sid_copy(sid, &domain->sid);
778 sid_append_rid(sid, rid);
782 /*****************************************************************************
783 For idmap conversion: convert one record to new format
784 Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
786 *****************************************************************************/
787 static int convert_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA data, void *state)
789 struct winbindd_domain *domain;
796 BOOL *failed = (BOOL *)state;
798 DEBUG(10,("Converting %s\n", key.dptr));
800 p = strchr(key.dptr, '/');
805 fstrcpy(dom_name, key.dptr);
808 domain = find_domain_from_name(dom_name);
809 if (domain == NULL) {
810 /* We must delete the old record. */
811 DEBUG(0,("Unable to find domain %s\n", dom_name ));
812 DEBUG(0,("deleting record %s\n", key.dptr ));
814 if (tdb_delete(tdb, key) != 0) {
815 DEBUG(0, ("Unable to delete record %s\n", key.dptr));
825 sid_copy(&sid, &domain->sid);
826 sid_append_rid(&sid, rid);
828 sid_to_string(keystr, &sid);
830 key2.dsize = strlen(keystr) + 1;
832 if (tdb_store(tdb, key2, data, TDB_INSERT) != 0) {
833 DEBUG(0,("Unable to add record %s\n", key2.dptr ));
838 if (tdb_store(tdb, data, key2, TDB_REPLACE) != 0) {
839 DEBUG(0,("Unable to update record %s\n", data.dptr ));
844 if (tdb_delete(tdb, key) != 0) {
845 DEBUG(0,("Unable to delete record %s\n", key.dptr ));
853 /* These definitions are from sam/idmap_tdb.c. Replicated here just
854 out of laziness.... :-( */
856 /* High water mark keys */
857 #define HWM_GROUP "GROUP HWM"
858 #define HWM_USER "USER HWM"
860 /* idmap version determines auto-conversion */
861 #define IDMAP_VERSION 2
864 /*****************************************************************************
865 Convert the idmap database from an older version.
866 *****************************************************************************/
868 static BOOL idmap_convert(const char *idmap_name)
871 BOOL bigendianheader;
873 TDB_CONTEXT *idmap_tdb;
875 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
878 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
882 bigendianheader = (idmap_tdb->flags & TDB_BIGENDIAN) ? True : False;
884 vers = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
886 if (((vers == -1) && bigendianheader) || (IREV(vers) == IDMAP_VERSION)) {
887 /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */
889 * high and low records were created on a
890 * big endian machine and will need byte-reversing.
895 wm = tdb_fetch_int32(idmap_tdb, HWM_USER);
900 wm = server_state.uid_low;
903 if (tdb_store_int32(idmap_tdb, HWM_USER, wm) == -1) {
904 DEBUG(0, ("idmap_convert: Unable to byteswap user hwm in idmap database\n"));
905 tdb_close(idmap_tdb);
909 wm = tdb_fetch_int32(idmap_tdb, HWM_GROUP);
913 wm = server_state.gid_low;
916 if (tdb_store_int32(idmap_tdb, HWM_GROUP, wm) == -1) {
917 DEBUG(0, ("idmap_convert: Unable to byteswap group hwm in idmap database\n"));
918 tdb_close(idmap_tdb);
923 /* the old format stored as DOMAIN/rid - now we store the SID direct */
924 tdb_traverse(idmap_tdb, convert_fn, &failed);
927 DEBUG(0, ("Problem during conversion\n"));
928 tdb_close(idmap_tdb);
932 if (tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION) == -1) {
933 DEBUG(0, ("idmap_convert: Unable to dtore idmap version in databse\n"));
934 tdb_close(idmap_tdb);
938 tdb_close(idmap_tdb);
942 /*****************************************************************************
943 Convert the idmap database from an older version if necessary
944 *****************************************************************************/
946 BOOL winbindd_upgrade_idmap(void)
950 SMB_STRUCT_STAT stbuf;
951 TDB_CONTEXT *idmap_tdb;
953 pstrcpy(idmap_name, lock_path("winbindd_idmap.tdb"));
955 if (!file_exist(idmap_name, &stbuf)) {
956 /* nothing to convert return */
960 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
963 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
967 if (tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION") == IDMAP_VERSION) {
968 /* nothing to convert return */
969 tdb_close(idmap_tdb);
973 /* backup_tdb expects the tdb not to be open */
974 tdb_close(idmap_tdb);
976 DEBUG(0, ("Upgrading winbindd_idmap.tdb from an old version\n"));
978 pstrcpy(backup_name, idmap_name);
979 pstrcat(backup_name, ".bak");
981 if (backup_tdb(idmap_name, backup_name) != 0) {
982 DEBUG(0, ("Could not backup idmap database\n"));
986 return idmap_convert(idmap_name);
989 /*******************************************************************
990 wrapper around retrieving the trust account password
991 *******************************************************************/
993 BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16],
994 time_t *pass_last_set_time, uint32 *channel)
999 /* if we are a DC and this is not our domain, then lookup an account
1000 for the domain trust */
1002 if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() )
1004 if ( !secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
1005 pass_last_set_time) )
1007 DEBUG(0, ("get_trust_pw: could not fetch trust account "
1008 "password for trusted domain %s\n", domain));
1012 *channel = SEC_CHAN_DOMAIN;
1013 E_md4hash(pwd, ret_pwd);
1018 else /* just get the account for our domain (covers
1019 ROLE_DOMAIN_MEMBER as well */
1021 /* get the machine trust account for our domain */
1023 if ( !secrets_fetch_trust_account_password (lp_workgroup(), ret_pwd,
1024 pass_last_set_time, channel) )
1026 DEBUG(0, ("get_trust_pw: could not fetch trust account "
1027 "password for my domain %s\n", domain));