2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 #define DBGC_CLASS DBGC_WINBIND
30 * @file winbindd_util.c
32 * Winbind daemon for NT domain authentication nss module.
37 * Used to clobber name fields that have an undefined value.
39 * Correct code should never look at a field that has this value.
42 static const fstring name_deadbeef = "<deadbeef>";
44 /* The list of trusted domains. Note that the list can be deleted and
45 recreated using the init_domain_list() function so pointers to
46 individual winbindd_domain structures cannot be made. Keep a copy of
47 the domain name instead. */
49 static struct winbindd_domain *_domain_list;
51 struct winbindd_domain *domain_list(void)
61 /* Free all entries in the trusted domain list */
63 void free_domain_list(void)
65 struct winbindd_domain *domain = _domain_list;
68 struct winbindd_domain *next = domain->next;
70 DLIST_REMOVE(_domain_list, domain);
77 /* Add a trusted domain to our list of domains */
78 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
79 struct winbindd_methods *methods,
82 struct winbindd_domain *domain;
85 /* We can't call domain_list() as this function is called from
86 init_domain_list() and we'll get stuck in a loop. */
87 for (domain = _domain_list; domain; domain = domain->next) {
88 if (strcasecmp(domain_name, domain->name) == 0 ||
89 strcasecmp(domain_name, domain->alt_name) == 0) {
92 if (alt_name && *alt_name) {
93 if (strcasecmp(alt_name, domain->name) == 0 ||
94 strcasecmp(alt_name, domain->alt_name) == 0) {
100 /* Create new domain entry */
102 if ((domain = (struct winbindd_domain *)
103 malloc(sizeof(*domain))) == NULL)
108 ZERO_STRUCTP(domain);
110 /* prioritise the short name */
111 if (strchr_m(domain_name, '.') && alt_name && *alt_name) {
112 fstrcpy(domain->name, alt_name);
113 fstrcpy(domain->alt_name, domain_name);
115 fstrcpy(domain->name, domain_name);
117 fstrcpy(domain->alt_name, alt_name);
121 domain->methods = methods;
122 domain->backend = NULL;
123 domain->sequence_number = DOM_SEQUENCE_NONE;
124 domain->last_seq_check = 0;
126 sid_copy(&domain->sid, sid);
129 /* see if this is a native mode win2k domain (use realm name if possible) */
131 contact_name = *domain->alt_name ? domain->alt_name : domain->name;
132 domain->native_mode = cm_check_for_native_mode_win2k( contact_name );
134 DEBUG(3,("add_trusted_domain: %s is a %s mode domain\n", contact_name,
135 domain->native_mode ? "native" : "mixed (or NT4)" ));
137 /* Link to domain list */
138 DLIST_ADD(_domain_list, domain);
140 DEBUG(1,("Added domain %s %s %s\n",
141 domain->name, domain->alt_name,
142 sid?sid_string_static(&domain->sid):""));
149 rescan our domains looking for new trusted domains
151 void add_trusted_domains( struct winbindd_domain *domain )
159 DOM_SID *dom_sids, null_sid;
161 struct winbindd_domain *new_domain;
163 /* trusted domains might be disabled */
164 if (!lp_allow_trusted_domains()) {
168 DEBUG(1, ("scanning trusted domain list\n"));
170 if (!(mem_ctx = talloc_init("init_domain_list")))
173 ZERO_STRUCTP(&null_sid);
177 /* ask the DC what domains it trusts */
179 result = domain->methods->trusted_domains(domain, mem_ctx, &num_domains,
180 &names, &alt_names, &dom_sids);
182 if ( NT_STATUS_IS_OK(result) ) {
184 /* Add each domain to the trusted domain list */
186 for(i = 0; i < num_domains; i++) {
187 DEBUG(10,("Found domain %s\n", names[i]));
188 add_trusted_domain(names[i], alt_names?alt_names[i]:NULL,
189 domain->methods, &dom_sids[i]);
191 /* if the SID was empty, we better set it now */
193 if ( sid_equal(&dom_sids[i], &null_sid) ) {
195 new_domain = find_domain_from_name(names[i]);
197 /* this should never happen */
199 DEBUG(0,("rescan_trust_domains: can't find the domain I just added! [%s]\n",
204 /* call the cache method; which will operate on the winbindd_domain \
205 passed in and choose either rpc or ads as appropriate */
207 result = domain->methods->domain_sid( new_domain, &new_domain->sid );
209 if ( NT_STATUS_IS_OK(result) )
210 sid_copy( &dom_sids[i], &new_domain->sid );
213 /* store trusted domain in the cache */
214 trustdom_cache_store(names[i], alt_names ? alt_names[i] : NULL,
215 &dom_sids[i], t + WINBINDD_RESCAN_FREQ);
219 talloc_destroy(mem_ctx);
222 /* Look up global info for the winbind daemon */
223 BOOL init_domain_list(void)
225 extern struct winbindd_methods cache_methods;
226 struct winbindd_domain *domain;
228 /* Free existing list */
231 /* Add ourselves as the first entry */
233 domain = add_trusted_domain( lp_workgroup(), NULL, &cache_methods, NULL);
235 if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) {
236 DEBUG(1, ("Could not fetch sid for our domain %s\n",
241 /* get any alternate name for the primary domain */
242 cache_methods.alternate_name(domain);
244 /* do an initial scan for trusted domains */
245 add_trusted_domains(domain);
250 /* Given a domain name, return the struct winbindd domain info for it
251 if it is actually working. */
253 struct winbindd_domain *find_domain_from_name(const char *domain_name)
255 struct winbindd_domain *domain;
257 /* Search through list */
259 for (domain = domain_list(); domain != NULL; domain = domain->next) {
260 if (strequal(domain_name, domain->name) ||
261 (domain->alt_name[0] && strequal(domain_name, domain->alt_name)))
270 /* Given a domain sid, return the struct winbindd domain info for it */
272 struct winbindd_domain *find_domain_from_sid(DOM_SID *sid)
274 struct winbindd_domain *domain;
276 /* Search through list */
278 for (domain = domain_list(); domain != NULL; domain = domain->next) {
279 if (sid_compare_domain(sid, &domain->sid) == 0)
288 /* Lookup a sid in a domain from a name */
290 BOOL winbindd_lookup_sid_by_name(struct winbindd_domain *domain,
291 const char *name, DOM_SID *sid,
292 enum SID_NAME_USE *type)
296 /* Don't bother with machine accounts */
298 if (name[strlen(name) - 1] == '$')
301 mem_ctx = talloc_init("lookup_sid_by_name for %s\n", name);
306 result = domain->methods->name_to_sid(domain, mem_ctx, name, sid, type);
308 talloc_destroy(mem_ctx);
310 /* Return rid and type if lookup successful */
311 if (!NT_STATUS_IS_OK(result)) {
312 *type = SID_NAME_UNKNOWN;
315 return NT_STATUS_IS_OK(result);
319 * @brief Lookup a name in a domain from a sid.
321 * @param sid Security ID you want to look up.
322 * @param name On success, set to the name corresponding to @p sid.
323 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
324 * @param type On success, contains the type of name: alias, group or
326 * @retval True if the name exists, in which case @p name and @p type
327 * are set, otherwise False.
329 BOOL winbindd_lookup_name_by_sid(DOM_SID *sid,
332 enum SID_NAME_USE *type)
338 struct winbindd_domain *domain;
340 domain = find_domain_from_sid(sid);
343 DEBUG(1,("Can't find domain from sid\n"));
349 if (!(mem_ctx = talloc_init("winbindd_lookup_name_by_sid")))
352 result = domain->methods->sid_to_name(domain, mem_ctx, sid, &names, type);
354 /* Return name and type if successful */
356 if ((rv = NT_STATUS_IS_OK(result))) {
357 fstrcpy(dom_name, domain->name);
358 fstrcpy(name, names);
360 *type = SID_NAME_UNKNOWN;
361 fstrcpy(name, name_deadbeef);
364 talloc_destroy(mem_ctx);
370 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
372 void free_getent_state(struct getent_state *state)
374 struct getent_state *temp;
376 /* Iterate over state list */
380 while(temp != NULL) {
381 struct getent_state *next;
383 /* Free sam entries then list entry */
385 SAFE_FREE(state->sam_entries);
386 DLIST_REMOVE(state, state);
394 /* Parse winbindd related parameters */
396 BOOL winbindd_param_init(void)
398 /* Parse winbind uid and winbind_gid parameters */
400 if (!lp_idmap_uid(&server_state.uid_low, &server_state.uid_high)) {
401 DEBUG(0, ("winbindd: idmap uid range missing or invalid\n"));
402 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
406 if (!lp_idmap_gid(&server_state.gid_low, &server_state.gid_high)) {
407 DEBUG(0, ("winbindd: idmap gid range missing or invalid\n"));
408 DEBUG(0, ("winbindd: cannot continue, exiting.\n"));
415 /* Check if a domain is present in a comma-separated list of domains */
417 BOOL check_domain_env(char *domain_env, char *domain)
420 const char *tmp = domain_env;
422 while(next_token(&tmp, name, ",", sizeof(fstring))) {
423 if (strequal(name, domain))
430 /* Parse a string of the form DOMAIN/user into a domain and a user */
432 BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
434 char *p = strchr(domuser,*lp_winbind_separator());
437 fstrcpy(user, domuser);
439 if ( lp_winbind_use_default_domain() )
440 fstrcpy(domain, lp_workgroup());
442 fstrcpy( domain, "" );
446 fstrcpy(domain, domuser);
447 domain[PTR_DIFF(p, domuser)] = 0;
456 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
457 'winbind separator' options.
459 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
463 void fill_domain_username(fstring name, const char *domain, const char *user)
465 if(lp_winbind_use_default_domain() &&
466 !strcmp(lp_workgroup(), domain)) {
467 strlcpy(name, user, sizeof(fstring));
469 slprintf(name, sizeof(fstring) - 1, "%s%s%s",
470 domain, lp_winbind_separator(),
476 * Winbindd socket accessor functions
479 char *get_winbind_priv_pipe_dir(void)
481 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
484 /* Open the winbindd socket */
486 static int _winbindd_socket = -1;
487 static int _winbindd_priv_socket = -1;
489 int open_winbindd_socket(void)
491 if (_winbindd_socket == -1) {
492 _winbindd_socket = create_pipe_sock(
493 WINBINDD_SOCKET_DIR, WINBINDD_SOCKET_NAME, 0755);
494 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
498 return _winbindd_socket;
501 int open_winbindd_priv_socket(void)
503 if (_winbindd_priv_socket == -1) {
504 _winbindd_priv_socket = create_pipe_sock(
505 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
506 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
507 _winbindd_priv_socket));
510 return _winbindd_priv_socket;
513 /* Close the winbindd socket */
515 void close_winbindd_socket(void)
517 if (_winbindd_socket != -1) {
518 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
520 close(_winbindd_socket);
521 _winbindd_socket = -1;
523 if (_winbindd_priv_socket != -1) {
524 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
525 _winbindd_priv_socket));
526 close(_winbindd_priv_socket);
527 _winbindd_priv_socket = -1;
532 * Client list accessor functions
535 static struct winbindd_cli_state *_client_list;
536 static int _num_clients;
538 /* Return list of all connected clients */
540 struct winbindd_cli_state *winbindd_client_list(void)
545 /* Add a connection to the list */
547 void winbindd_add_client(struct winbindd_cli_state *cli)
549 DLIST_ADD(_client_list, cli);
553 /* Remove a client from the list */
555 void winbindd_remove_client(struct winbindd_cli_state *cli)
557 DLIST_REMOVE(_client_list, cli);
561 /* Close all open clients */
563 void winbindd_kill_all_clients(void)
565 struct winbindd_cli_state *cl = winbindd_client_list();
567 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
570 struct winbindd_cli_state *next;
573 winbindd_remove_client(cl);
578 /* Return number of open clients */
580 int winbindd_num_clients(void)
585 /* Help with RID -> SID conversion */
587 DOM_SID *rid_to_talloced_sid(struct winbindd_domain *domain,
592 sid = talloc(mem_ctx, sizeof(*sid));
594 smb_panic("rid_to_to_talloced_sid: talloc for DOM_SID failed!\n");
596 sid_copy(sid, &domain->sid);
597 sid_append_rid(sid, rid);
601 /*****************************************************************************
602 For idmap conversion: convert one record to new format
603 Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
605 *****************************************************************************/
606 static int convert_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA data, void *state)
608 struct winbindd_domain *domain;
615 BOOL *failed = (BOOL *)state;
617 DEBUG(10,("Converting %s\n", key.dptr));
619 p = strchr(key.dptr, '/');
624 fstrcpy(dom_name, key.dptr);
627 domain = find_domain_from_name(dom_name);
628 if (domain == NULL) {
629 /* We must delete the old record. */
630 DEBUG(0,("Unable to find domain %s\n", dom_name ));
631 DEBUG(0,("deleting record %s\n", key.dptr ));
633 if (tdb_delete(tdb, key) != 0) {
634 DEBUG(0, ("Unable to delete record %s\n", key.dptr));
644 sid_copy(&sid, &domain->sid);
645 sid_append_rid(&sid, rid);
647 sid_to_string(keystr, &sid);
649 key2.dsize = strlen(keystr) + 1;
651 if (tdb_store(tdb, key2, data, TDB_INSERT) != 0) {
652 DEBUG(0,("Unable to add record %s\n", key2.dptr ));
657 if (tdb_store(tdb, data, key2, TDB_REPLACE) != 0) {
658 DEBUG(0,("Unable to update record %s\n", data.dptr ));
663 if (tdb_delete(tdb, key) != 0) {
664 DEBUG(0,("Unable to delete record %s\n", key.dptr ));
672 /* These definitions are from sam/idmap_tdb.c. Replicated here just
673 out of laziness.... :-( */
675 /* High water mark keys */
676 #define HWM_GROUP "GROUP HWM"
677 #define HWM_USER "USER HWM"
679 /* idmap version determines auto-conversion */
680 #define IDMAP_VERSION 2
683 /*****************************************************************************
684 Convert the idmap database from an older version.
685 *****************************************************************************/
687 static BOOL idmap_convert(const char *idmap_name)
690 BOOL bigendianheader;
692 TDB_CONTEXT *idmap_tdb;
694 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
697 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
701 bigendianheader = (idmap_tdb->flags & TDB_BIGENDIAN) ? True : False;
703 vers = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
705 if (((vers == -1) && bigendianheader) || (IREV(vers) == IDMAP_VERSION)) {
706 /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */
708 * high and low records were created on a
709 * big endian machine and will need byte-reversing.
714 wm = tdb_fetch_int32(idmap_tdb, HWM_USER);
719 wm = server_state.uid_low;
722 if (tdb_store_int32(idmap_tdb, HWM_USER, wm) == -1) {
723 DEBUG(0, ("idmap_convert: Unable to byteswap user hwm in idmap database\n"));
724 tdb_close(idmap_tdb);
728 wm = tdb_fetch_int32(idmap_tdb, HWM_GROUP);
732 wm = server_state.gid_low;
735 if (tdb_store_int32(idmap_tdb, HWM_GROUP, wm) == -1) {
736 DEBUG(0, ("idmap_convert: Unable to byteswap group hwm in idmap database\n"));
737 tdb_close(idmap_tdb);
742 /* the old format stored as DOMAIN/rid - now we store the SID direct */
743 tdb_traverse(idmap_tdb, convert_fn, &failed);
746 DEBUG(0, ("Problem during conversion\n"));
747 tdb_close(idmap_tdb);
751 if (tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION) == -1) {
752 DEBUG(0, ("idmap_convert: Unable to dtore idmap version in databse\n"));
753 tdb_close(idmap_tdb);
757 tdb_close(idmap_tdb);
761 /*****************************************************************************
762 Convert the idmap database from an older version if necessary
763 *****************************************************************************/
765 BOOL winbindd_upgrade_idmap(void)
769 SMB_STRUCT_STAT stbuf;
770 TDB_CONTEXT *idmap_tdb;
772 pstrcpy(idmap_name, lock_path("winbindd_idmap.tdb"));
774 if (!file_exist(idmap_name, &stbuf)) {
775 /* nothing to convert return */
779 if (!(idmap_tdb = tdb_open_log(idmap_name, 0,
782 DEBUG(0, ("idmap_convert: Unable to open idmap database\n"));
786 if (tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION") == IDMAP_VERSION) {
787 /* nothing to convert return */
788 tdb_close(idmap_tdb);
792 /* backup_tdb expects the tdb not to be open */
793 tdb_close(idmap_tdb);
795 DEBUG(0, ("Upgrading winbindd_idmap.tdb from an old version\n"));
797 pstrcpy(backup_name, idmap_name);
798 pstrcat(backup_name, ".bak");
800 if (backup_tdb(idmap_name, backup_name) != 0) {
801 DEBUG(0, ("Could not backup idmap database\n"));
805 return idmap_convert(idmap_name);
808 /*******************************************************************
809 wrapper around retrieving the trust account password
810 *******************************************************************/
812 BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16],
813 time_t *pass_last_set_time, uint32 *channel)
818 /* if we are a DC and this is not our domain, then lookup an account
819 for the domain trust */
821 if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() )
823 if ( !secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
824 pass_last_set_time) )
826 DEBUG(0, ("get_trust_pw: could not fetch trust account "
827 "password for trusted domain %s\n", domain));
831 *channel = SEC_CHAN_DOMAIN;
832 E_md4hash(pwd, ret_pwd);
837 else /* just get the account for our domain (covers
838 ROLE_DOMAIN_MEMBER as well */
840 /* get the machine trust account for our domain */
842 if ( !secrets_fetch_trust_account_password (lp_workgroup(), ret_pwd,
843 pass_last_set_time, channel) )
845 DEBUG(0, ("get_trust_pw: could not fetch trust account "
846 "password for my domain %s\n", domain));