winbindd: add add_trusted_domain_from_auth
authorRalph Boehme <slow@samba.org>
Wed, 29 Nov 2017 09:10:38 +0000 (10:10 +0100)
committerKarolin Seeger <kseeger@samba.org>
Sat, 13 Jan 2018 11:55:08 +0000 (12:55 +0100)
Function to add a new trusted domain to the domain list and TDC after a
successful authentication. On member servers only, not on DCs.

Signed-off-by: Ralph Boehme <slow@samba.org>
source3/winbindd/winbindd_proto.h
source3/winbindd/winbindd_util.c

index 4ab52a42ba56b2cbb6c53d55e1c1f77716f809b7..39cdef54531005d5c859b9ec55e6eedd704d6aed 100644 (file)
@@ -440,6 +440,9 @@ struct winbindd_domain *domain_list(void);
 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain);
 bool set_routing_domain(struct winbindd_domain *domain,
                        const struct winbindd_domain *routing_domain);
+bool add_trusted_domain_from_auth(uint16_t validation_level,
+                                 struct info3_text *info3,
+                                 struct info6_text *info6);
 bool domain_is_forest_root(const struct winbindd_domain *domain);
 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
                            struct timeval now, void *private_data);
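Review bot: The new prototype on lines 18-20 carries no description, and its contract is not obvious from the signature alone: the implementation in this commit returns true without doing anything on a DC, and info6 is only consulted when validation_level is 6. A short comment above the declaration would save callers a trip to the .c file, e.g. `/* Add the domain named in info3 (and info6 at validation level 6) to the domain list after a successful authentication; no-op on a DC. Returns false if the SID cannot be parsed or the domain cannot be added. */`.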
index fb1793d250a7e162afd34ae2659cefed0f7bd61c..2a975220ad0570215e00f32579860ff7468bf21e 100644 (file)
@@ -303,6 +303,61 @@ bool set_routing_domain(struct winbindd_domain *domain,
        return true;
 }
 
+bool add_trusted_domain_from_auth(uint16_t validation_level,
+                                 struct info3_text *info3,
+                                 struct info6_text *info6)
+{
+       struct winbindd_domain *domain = NULL;
+       struct dom_sid domain_sid;
+       const char *dns_domainname = NULL;
+       NTSTATUS status;
+       bool ok;
+
+       /*
+        * We got a successfull auth from a domain that might not yet be in our
+        * domain list. If we're a member we trust our DC who authenticated the
+        * user from that domain and add the domain to our list on-the-fly. If
+        * we're a DC we rely on configured trusts and don't add on-the-fly.
+        */
+
+       if (IS_DC) {
+               return true;
+       }
+
+       ok = dom_sid_parse(info3->dom_sid, &domain_sid);
+       if (!ok) {
+               DBG_NOTICE("dom_sid_parse [%s] failed\n", info3->dom_sid);
+               return false;
+       }
+
+       if (validation_level == 6) {
+               dns_domainname = &info6->dns_domainname[0];
+       }
+
+       status = add_trusted_domain(info3->logon_dom,
+                                   dns_domainname,
+                                   &domain_sid,
+                                   0,
+                                   NETR_TRUST_FLAG_OUTBOUND,
+                                   0,
+                                   SEC_CHAN_NULL,
+                                   &domain);
+       if (!NT_STATUS_IS_OK(status) &&
+           !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
+       {
+               DBG_DEBUG("Adding domain [%s] with sid [%s] failed\n",
+                         info3->logon_dom, info3->dom_sid);
+               return false;
+       }
+
+       ok = set_routing_domain(domain, find_default_route_domain());
+       if (!ok) {
+               return false;
+       }
+
+       return true;
+}
+
 bool domain_is_forest_root(const struct winbindd_domain *domain)
 {
        const uint32_t fr_flags =
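Review bot: When add_trusted_domain returns NT_STATUS_NO_SUCH_DOMAIN the check on lines 68-74 lets execution continue, but `domain` was initialised to NULL on line 33 and, if the callee leaves it untouched in that case (plausible, since the status says no domain was added), set_routing_domain on line 76 receives a NULL domain; set_routing_domain's body lies above the hunk, so whether it guards against NULL is not visible here. Handling the tolerated status before the routing step avoids depending on that: `if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) { return true; }` placed ahead of the existing check, which then reduces to `if (!NT_STATUS_IS_OK(status)) {`. Separately, the level-6 path on lines 56-58 dereferences info6 unconditionally and forwards an empty dns_domainname as-is; a one-line comment such as `/* caller guarantees info6 != NULL when validation_level == 6 */` would state the contract, and it is worth confirming that add_trusted_domain treats an empty string like NULL. The comment on line 40 spells "successfull" with a double l.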