2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
9 This library is free software; you can redistribute it and/or
10 modify it under the terms of the GNU Lesser General Public
11 License as published by the Free Software Foundation; either
12 version 3 of the License, or (at your option) any later version.
14 This library is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 Library General Public License for more details.
19 You should have received a copy of the GNU Lesser General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "nsswitch/winbind_struct_protocol.h"
27 #include "nsswitch/libwbclient/wbclient.h"
33 #ifdef HAVE_SYS_MMAN_H
38 #define DBGC_CLASS DBGC_WINBIND
40 #define WB_REPLACE_CHAR '_'
42 struct winbindd_fd_event {
43 struct winbindd_fd_event *next, *prev;
45 int flags; /* see EVENT_FD_* flags */
46 void (*handler)(struct winbindd_fd_event *fde, int flags);
49 void (*finished)(void *private_data, bool success);
58 enum lsa_SidType type;
61 struct winbindd_cli_state {
62 struct winbindd_cli_state *prev, *next; /* Linked list pointers */
63 int sock; /* Open socket from client */
64 pid_t pid; /* pid of client */
65 bool finished; /* Can delete from list */
66 bool write_extra_data; /* Write extra_data field */
67 time_t last_access; /* Time of last access (read or write) */
68 bool privileged; /* Is the client 'privileged' */
70 TALLOC_CTX *mem_ctx; /* memory per request */
71 struct winbindd_request *request; /* Request from client */
72 struct winbindd_request _request;
73 struct tevent_queue *out_queue;
74 struct winbindd_response response; /* Respose to client */
75 bool getpwent_initialized; /* Has getpwent_state been
77 bool getgrent_initialized; /* Has getgrent_state been
79 struct getent_state *getpwent_state; /* State for getpwent() */
80 struct getent_state *getgrent_state; /* State for getgrent() */
83 /* State between get{pw,gr}ent() calls */
86 struct getent_state *prev, *next;
88 uint32 sam_entry_index, num_sam_entries;
93 /* Storage for cached getpwent() user entries */
95 struct getpwent_user {
96 fstring name; /* Account name */
97 fstring gecos; /* User information */
98 fstring homedir; /* User Home Directory */
99 fstring shell; /* User Login Shell */
100 DOM_SID user_sid; /* NT user and primary group SIDs */
104 /* Server state structure */
111 gid_t primary_gid; /* allow the nss_info
112 backend to set the primary group */
113 DOM_SID user_sid; /* NT user and primary group SIDs */
117 /* Our connection to the DC */
119 struct winbindd_cm_conn {
120 struct cli_state *cli;
122 struct rpc_pipe_client *samr_pipe;
123 struct policy_handle sam_connect_handle, sam_domain_handle;
125 struct rpc_pipe_client *lsa_pipe;
126 struct policy_handle lsa_policy;
128 struct rpc_pipe_client *netlogon_pipe;
131 struct winbindd_async_request;
135 struct winbindd_domain;
137 struct winbindd_child_dispatch_table {
139 enum winbindd_cmd struct_cmd;
140 enum winbindd_result (*struct_fn)(struct winbindd_domain *domain,
141 struct winbindd_cli_state *state);
144 struct winbindd_child {
145 struct winbindd_child *next, *prev;
148 struct winbindd_domain *domain;
151 struct winbindd_fd_event event;
152 struct timed_event *lockout_policy_event;
153 struct timed_event *machine_password_change_event;
154 struct winbindd_async_request *requests;
156 const struct winbindd_child_dispatch_table *table;
159 /* Structures to hold per domain information */
161 struct winbindd_domain {
162 fstring name; /* Domain name (NetBIOS) */
163 fstring alt_name; /* alt Domain name, if any (FQDN for ADS) */
164 fstring forest_name; /* Name of the AD forest we're in */
165 DOM_SID sid; /* SID for this domain */
166 uint32 domain_flags; /* Domain flags from netlogon.h */
167 uint32 domain_type; /* Domain type from netlogon.h */
168 uint32 domain_trust_attribs; /* Trust attribs from netlogon.h */
169 bool initialized; /* Did we already ask for the domain mode? */
170 bool native_mode; /* is this a win2k domain in native mode ? */
171 bool active_directory; /* is this a win2k active directory ? */
172 bool primary; /* is this our primary domain ? */
173 bool internal; /* BUILTIN and member SAM */
174 bool online; /* is this domain available ? */
175 time_t startup_time; /* When we set "startup" true. */
176 bool startup; /* are we in the first 30 seconds after startup_time ? */
178 bool can_do_samlogon_ex; /* Due to the lack of finer control what type
179 * of DC we have, let us try to do a
180 * credential-chain less samlogon_ex call
181 * with AD and schannel. If this fails with
182 * DCERPC_FAULT_OP_RNG_ERROR, then set this
183 * to False. This variable is around so that
184 * we don't have to try _ex every time. */
186 /* Lookup methods for this domain (LDAP or RPC) */
187 struct winbindd_methods *methods;
189 /* the backend methods are used by the cache layer to find the right
191 struct winbindd_methods *backend;
193 /* Private data for the backends (used for connection cache) */
198 * idmap config settings, used to tell the idmap child which
199 * special domain config to use for a mapping
201 bool have_idmap_config;
202 uint32_t id_range_low, id_range_high;
205 pid_t dc_probe_pid; /* Child we're using to detect the DC. */
207 struct sockaddr_storage dcaddr;
209 /* Sequence number stuff */
211 time_t last_seq_check;
212 uint32 sequence_number;
213 NTSTATUS last_status;
215 /* The smb connection */
217 struct winbindd_cm_conn conn;
219 /* The child pid we're talking to */
221 struct winbindd_child child;
223 /* Callback we use to try put us back online. */
225 uint32 check_online_timeout;
226 struct timed_event *check_online_event;
228 /* Linked list info */
230 struct winbindd_domain *prev, *next;
233 /* per-domain methods. This is how LDAP vs RPC is selected
235 struct winbindd_methods {
236 /* does this backend provide a consistent view of the data? (ie. is the primary group
240 /* get a list of users, returning a WINBIND_USERINFO for each one */
241 NTSTATUS (*query_user_list)(struct winbindd_domain *domain,
244 WINBIND_USERINFO **info);
246 /* get a list of domain groups */
247 NTSTATUS (*enum_dom_groups)(struct winbindd_domain *domain,
250 struct acct_info **info);
252 /* get a list of domain local groups */
253 NTSTATUS (*enum_local_groups)(struct winbindd_domain *domain,
256 struct acct_info **info);
258 /* convert one user or group name to a sid */
259 NTSTATUS (*name_to_sid)(struct winbindd_domain *domain,
261 enum winbindd_cmd orig_cmd,
262 const char *domain_name,
265 enum lsa_SidType *type);
267 /* convert a sid to a user or group name */
268 NTSTATUS (*sid_to_name)(struct winbindd_domain *domain,
273 enum lsa_SidType *type);
275 NTSTATUS (*rids_to_names)(struct winbindd_domain *domain,
277 const DOM_SID *domain_sid,
282 enum lsa_SidType **types);
284 /* lookup user info for a given SID */
285 NTSTATUS (*query_user)(struct winbindd_domain *domain,
287 const DOM_SID *user_sid,
288 WINBIND_USERINFO *user_info);
290 /* lookup all groups that a user is a member of. The backend
291 can also choose to lookup by username or rid for this
293 NTSTATUS (*lookup_usergroups)(struct winbindd_domain *domain,
295 const DOM_SID *user_sid,
296 uint32 *num_groups, DOM_SID **user_gids);
298 /* Lookup all aliases that the sids delivered are member of. This is
299 * to implement 'domain local groups' correctly */
300 NTSTATUS (*lookup_useraliases)(struct winbindd_domain *domain,
305 uint32 **alias_rids);
307 /* find all members of the group with the specified group_rid */
308 NTSTATUS (*lookup_groupmem)(struct winbindd_domain *domain,
310 const DOM_SID *group_sid,
312 DOM_SID **sid_mem, char ***names,
313 uint32 **name_types);
315 /* return the current global sequence number */
316 NTSTATUS (*sequence_number)(struct winbindd_domain *domain, uint32 *seq);
318 /* return the lockout policy */
319 NTSTATUS (*lockout_policy)(struct winbindd_domain *domain,
321 struct samr_DomInfo12 *lockout_policy);
323 /* return the lockout policy */
324 NTSTATUS (*password_policy)(struct winbindd_domain *domain,
326 struct samr_DomInfo1 *password_policy);
328 /* enumerate trusted domains */
329 NTSTATUS (*trusted_domains)(struct winbindd_domain *domain,
337 /* Filled out by IDMAP backends */
338 struct winbindd_idmap_methods {
339 /* Called when backend is first loaded */
342 bool (*get_sid_from_uid)(uid_t uid, DOM_SID *sid);
343 bool (*get_sid_from_gid)(gid_t gid, DOM_SID *sid);
345 bool (*get_uid_from_sid)(DOM_SID *sid, uid_t *uid);
346 bool (*get_gid_from_sid)(DOM_SID *sid, gid_t *gid);
348 /* Called when backend is unloaded */
350 /* Called to dump backend status */
351 void (*status)(void);
354 /* Data structures for dealing with the trusted domain cache */
356 struct winbindd_tdc_domain {
357 const char *domain_name;
358 const char *dns_name;
361 uint32 trust_attribs;
365 /* Switch for listing users or groups */
371 struct WINBINDD_MEMORY_CREDS {
372 struct WINBINDD_MEMORY_CREDS *next, *prev;
373 const char *username; /* lookup key. */
377 uint8_t *nt_hash; /* Base pointer for the following 2 */
382 struct WINBINDD_CCACHE_ENTRY {
383 struct WINBINDD_CCACHE_ENTRY *next, *prev;
384 const char *principal_name;
387 const char *username;
389 struct WINBINDD_MEMORY_CREDS *cred_ptr;
395 struct timed_event *event;
398 #include "winbindd/winbindd_proto.h"
400 #define WINBINDD_ESTABLISH_LOOP 30
401 #define WINBINDD_RESCAN_FREQ lp_winbind_cache_time()
402 #define WINBINDD_PAM_AUTH_KRB5_RENEW_TIME 2592000 /* one month */
403 #define DOM_SEQUENCE_NONE ((uint32)-1)
405 #define IS_DOMAIN_OFFLINE(x) ( lp_winbind_offline_logon() && \
406 ( get_global_winbindd_state_offline() \
408 #define IS_DOMAIN_ONLINE(x) (!IS_DOMAIN_OFFLINE(x))
410 #endif /* _WINBINDD_H */