2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
35 * @file winbindd_util.c
37 * Winbind daemon for NT domain authentication nss module.
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
46 static struct winbindd_domain *_domain_list = NULL;
49 When was the last scan of trusted domains done?
54 static time_t last_trustdom_scan;
56 struct winbindd_domain *domain_list(void)
60 if ((!_domain_list) && (!init_domain_list())) {
61 smb_panic("Init_domain_list failed");
67 /* Free all entries in the trusted domain list */
69 void free_domain_list(void)
71 struct winbindd_domain *domain = _domain_list;
74 struct winbindd_domain *next = domain->next;
76 DLIST_REMOVE(_domain_list, domain);
82 static bool is_internal_domain(const DOM_SID *sid)
88 return sid_check_is_builtin(sid);
90 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
93 static bool is_in_internal_domain(const DOM_SID *sid)
99 return sid_check_is_in_builtin(sid);
101 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
105 /* Add a trusted domain to our list of domains */
106 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
107 struct winbindd_methods *methods,
110 struct winbindd_domain *domain;
111 const char *alternative_name = NULL;
112 const char **ignored_domains, **dom;
114 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
115 for (dom=ignored_domains; dom && *dom; dom++) {
116 if (gen_fnmatch(*dom, domain_name) == 0) {
117 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
122 /* ignore alt_name if we are not in an AD domain */
124 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
125 alternative_name = alt_name;
128 /* We can't call domain_list() as this function is called from
129 init_domain_list() and we'll get stuck in a loop. */
130 for (domain = _domain_list; domain; domain = domain->next) {
131 if (strequal(domain_name, domain->name) ||
132 strequal(domain_name, domain->alt_name))
137 if (alternative_name && *alternative_name)
139 if (strequal(alternative_name, domain->name) ||
140 strequal(alternative_name, domain->alt_name))
148 if (is_null_sid(sid)) {
152 if (sid_equal(sid, &domain->sid)) {
158 /* See if we found a match. Check if we need to update the
161 if ( domain && sid) {
162 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
163 sid_copy( &domain->sid, sid );
168 /* Create new domain entry */
170 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
175 ZERO_STRUCTP(domain);
177 fstrcpy(domain->name, domain_name);
178 if (alternative_name) {
179 fstrcpy(domain->alt_name, alternative_name);
182 domain->methods = methods;
183 domain->backend = NULL;
184 domain->internal = is_internal_domain(sid);
185 domain->sequence_number = DOM_SEQUENCE_NONE;
186 domain->last_seq_check = 0;
187 domain->initialized = False;
188 domain->online = is_internal_domain(sid);
189 domain->check_online_timeout = 0;
191 sid_copy(&domain->sid, sid);
194 /* Link to domain list */
195 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
197 wcache_tdc_add_domain( domain );
199 DEBUG(2,("Added domain %s %s %s\n",
200 domain->name, domain->alt_name,
201 &domain->sid?sid_string_dbg(&domain->sid):""));
206 /********************************************************************
207 rescan our domains looking for new trusted domains
208 ********************************************************************/
210 struct trustdom_state {
214 struct winbindd_response *response;
217 static void trustdom_recv(void *private_data, bool success);
218 static void rescan_forest_root_trusts( void );
219 static void rescan_forest_trusts( void );
221 static void add_trusted_domains( struct winbindd_domain *domain )
224 struct winbindd_request *request;
225 struct winbindd_response *response;
226 uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
228 struct trustdom_state *state;
230 mem_ctx = talloc_init("add_trusted_domains");
231 if (mem_ctx == NULL) {
232 DEBUG(0, ("talloc_init failed\n"));
236 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
237 response = TALLOC_P(mem_ctx, struct winbindd_response);
238 state = TALLOC_P(mem_ctx, struct trustdom_state);
240 if ((request == NULL) || (response == NULL) || (state == NULL)) {
241 DEBUG(0, ("talloc failed\n"));
242 talloc_destroy(mem_ctx);
246 state->mem_ctx = mem_ctx;
247 state->response = response;
249 /* Flags used to know how to continue the forest trust search */
251 state->primary = domain->primary;
252 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
254 request->length = sizeof(*request);
255 request->cmd = WINBINDD_LIST_TRUSTDOM;
257 async_domain_request(mem_ctx, domain, request, response,
258 trustdom_recv, state);
261 static void trustdom_recv(void *private_data, bool success)
263 struct trustdom_state *state =
264 talloc_get_type_abort(private_data, struct trustdom_state);
265 struct winbindd_response *response = state->response;
268 if ((!success) || (response->result != WINBINDD_OK)) {
269 DEBUG(1, ("Could not receive trustdoms\n"));
270 talloc_destroy(state->mem_ctx);
274 p = (char *)response->extra_data.data;
276 while ((p != NULL) && (*p != '\0')) {
277 char *q, *sidstr, *alt_name;
279 struct winbindd_domain *domain;
280 char *alternate_name = NULL;
282 alt_name = strchr(p, '\\');
283 if (alt_name == NULL) {
284 DEBUG(0, ("Got invalid trustdom response\n"));
291 sidstr = strchr(alt_name, '\\');
292 if (sidstr == NULL) {
293 DEBUG(0, ("Got invalid trustdom response\n"));
300 q = strchr(sidstr, '\n');
304 if (!string_to_sid(&sid, sidstr)) {
305 /* Allow NULL sid for sibling domains */
306 if ( strcmp(sidstr,"S-0-0") == 0) {
307 sid_copy( &sid, &global_sid_NULL);
309 DEBUG(0, ("Got invalid trustdom response\n"));
314 /* use the real alt_name if we have one, else pass in NULL */
316 if ( !strequal( alt_name, "(null)" ) )
317 alternate_name = alt_name;
319 /* If we have an existing domain structure, calling
320 add_trusted_domain() will update the SID if
321 necessary. This is important because we need the
322 SID for sibling domains */
324 if ( find_domain_from_name_noinit(p) != NULL ) {
325 domain = add_trusted_domain(p, alternate_name,
329 domain = add_trusted_domain(p, alternate_name,
333 setup_domain_child(domain,
342 SAFE_FREE(response->extra_data.data);
345 Cases to consider when scanning trusts:
346 (a) we are calling from a child domain (primary && !forest_root)
347 (b) we are calling from the root of the forest (primary && forest_root)
348 (c) we are calling from a trusted forest domain (!primary
352 if ( state->primary ) {
353 /* If this is our primary domain and we are not in the
354 forest root, we have to scan the root trusts first */
356 if ( !state->forest_root )
357 rescan_forest_root_trusts();
359 rescan_forest_trusts();
361 } else if ( state->forest_root ) {
362 /* Once we have done root forest trust search, we can
363 go on to search the trusted forests */
365 rescan_forest_trusts();
368 talloc_destroy(state->mem_ctx);
373 /********************************************************************
374 Scan the trusts of our forest root
375 ********************************************************************/
377 static void rescan_forest_root_trusts( void )
379 struct winbindd_tdc_domain *dom_list = NULL;
380 size_t num_trusts = 0;
383 /* The only transitive trusts supported by Windows 2003 AD are
384 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
385 first two are handled in forest and listed by
386 DsEnumerateDomainTrusts(). Forest trusts are not so we
387 have to do that ourselves. */
389 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
392 for ( i=0; i<num_trusts; i++ ) {
393 struct winbindd_domain *d = NULL;
395 /* Find the forest root. Don't necessarily trust
396 the domain_list() as our primary domain may not
397 have been initialized. */
399 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
403 /* Here's the forest root */
405 d = find_domain_from_name_noinit( dom_list[i].domain_name );
408 d = add_trusted_domain( dom_list[i].domain_name,
409 dom_list[i].dns_name,
418 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
419 "for domain tree root %s (%s)\n",
420 d->name, d->alt_name ));
422 d->domain_flags = dom_list[i].trust_flags;
423 d->domain_type = dom_list[i].trust_type;
424 d->domain_trust_attribs = dom_list[i].trust_attribs;
426 add_trusted_domains( d );
431 TALLOC_FREE( dom_list );
436 /********************************************************************
437 scan the transitive forest trusts (not our own)
438 ********************************************************************/
441 static void rescan_forest_trusts( void )
443 struct winbindd_domain *d = NULL;
444 struct winbindd_tdc_domain *dom_list = NULL;
445 size_t num_trusts = 0;
448 /* The only transitive trusts supported by Windows 2003 AD are
449 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
450 first two are handled in forest and listed by
451 DsEnumerateDomainTrusts(). Forest trusts are not so we
452 have to do that ourselves. */
454 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
457 for ( i=0; i<num_trusts; i++ ) {
458 uint32 flags = dom_list[i].trust_flags;
459 uint32 type = dom_list[i].trust_type;
460 uint32 attribs = dom_list[i].trust_attribs;
462 d = find_domain_from_name_noinit( dom_list[i].domain_name );
464 /* ignore our primary and internal domains */
466 if ( d && (d->internal || d->primary ) )
469 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
470 (type == NETR_TRUST_TYPE_UPLEVEL) &&
471 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
473 /* add the trusted domain if we don't know
477 d = add_trusted_domain( dom_list[i].domain_name,
478 dom_list[i].dns_name,
487 DEBUG(10,("Following trust path for domain %s (%s)\n",
488 d->name, d->alt_name ));
489 add_trusted_domains( d );
493 TALLOC_FREE( dom_list );
498 /*********************************************************************
499 The process of updating the trusted domain list is a three step
502 (b) ask the root domain in our forest
503 (c) ask the a DC in any Win2003 trusted forests
504 *********************************************************************/
506 void rescan_trusted_domains( void )
508 time_t now = time(NULL);
510 /* Check that we allow trusted domains at all */
511 if (!lp_allow_trusted_domains())
514 /* see if the time has come... */
516 if ((now >= last_trustdom_scan) &&
517 ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
520 /* I use to clear the cache here and start over but that
521 caused problems in child processes that needed the
522 trust dom list early on. Removing it means we
523 could have some trusted domains listed that have been
524 removed from our primary domain's DC until a full
525 restart. This should be ok since I think this is what
526 Windows does as well. */
528 /* this will only add new domains we didn't already know about
529 in the domain_list()*/
531 add_trusted_domains( find_our_domain() );
533 last_trustdom_scan = now;
538 struct init_child_state {
540 struct winbindd_domain *domain;
541 struct winbindd_request *request;
542 struct winbindd_response *response;
543 void (*continuation)(void *private_data, bool success);
547 static void init_child_recv(void *private_data, bool success);
548 static void init_child_getdc_recv(void *private_data, bool success);
550 enum winbindd_result init_child_connection(struct winbindd_domain *domain,
551 void (*continuation)(void *private_data,
556 struct winbindd_request *request;
557 struct winbindd_response *response;
558 struct init_child_state *state;
559 struct winbindd_domain *request_domain;
561 mem_ctx = talloc_init("init_child_connection");
562 if (mem_ctx == NULL) {
563 DEBUG(0, ("talloc_init failed\n"));
564 return WINBINDD_ERROR;
567 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
568 response = TALLOC_P(mem_ctx, struct winbindd_response);
569 state = TALLOC_P(mem_ctx, struct init_child_state);
571 if ((request == NULL) || (response == NULL) || (state == NULL)) {
572 DEBUG(0, ("talloc failed\n"));
573 TALLOC_FREE(mem_ctx);
574 continuation(private_data, False);
575 return WINBINDD_ERROR;
578 request->length = sizeof(*request);
580 state->mem_ctx = mem_ctx;
581 state->domain = domain;
582 state->request = request;
583 state->response = response;
584 state->continuation = continuation;
585 state->private_data = private_data;
587 if (IS_DC || domain->primary || domain->internal ) {
588 /* The primary domain has to find the DC name itself */
589 request->cmd = WINBINDD_INIT_CONNECTION;
590 fstrcpy(request->domain_name, domain->name);
591 request->data.init_conn.is_primary = domain->primary ? true : false;
592 fstrcpy(request->data.init_conn.dcname, "");
593 async_request(mem_ctx, &domain->child, request, response,
594 init_child_recv, state);
595 return WINBINDD_PENDING;
598 /* This is *not* the primary domain, let's ask our DC about a DC
601 request->cmd = WINBINDD_GETDCNAME;
602 fstrcpy(request->domain_name, domain->name);
604 request_domain = find_our_domain();
605 async_domain_request(mem_ctx, request_domain, request, response,
606 init_child_getdc_recv, state);
607 return WINBINDD_PENDING;
610 static void init_child_getdc_recv(void *private_data, bool success)
612 struct init_child_state *state =
613 talloc_get_type_abort(private_data, struct init_child_state);
614 const char *dcname = "";
616 DEBUG(10, ("Received getdcname response\n"));
618 if (success && (state->response->result == WINBINDD_OK)) {
619 dcname = state->response->data.dc_name;
622 state->request->cmd = WINBINDD_INIT_CONNECTION;
623 fstrcpy(state->request->domain_name, state->domain->name);
624 state->request->data.init_conn.is_primary = False;
625 fstrcpy(state->request->data.init_conn.dcname, dcname);
627 async_request(state->mem_ctx, &state->domain->child,
628 state->request, state->response,
629 init_child_recv, state);
632 static void init_child_recv(void *private_data, bool success)
634 struct init_child_state *state =
635 talloc_get_type_abort(private_data, struct init_child_state);
637 DEBUG(5, ("Received child initialization response for domain %s\n",
638 state->domain->name));
640 if ((!success) || (state->response->result != WINBINDD_OK)) {
641 DEBUG(3, ("Could not init child\n"));
642 state->continuation(state->private_data, False);
643 talloc_destroy(state->mem_ctx);
647 fstrcpy(state->domain->name,
648 state->response->data.domain_info.name);
649 fstrcpy(state->domain->alt_name,
650 state->response->data.domain_info.alt_name);
651 string_to_sid(&state->domain->sid,
652 state->response->data.domain_info.sid);
653 state->domain->native_mode =
654 state->response->data.domain_info.native_mode;
655 state->domain->active_directory =
656 state->response->data.domain_info.active_directory;
658 init_dc_connection(state->domain);
660 if (state->continuation != NULL)
661 state->continuation(state->private_data, True);
662 talloc_destroy(state->mem_ctx);
665 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
666 struct winbindd_cli_state *state)
668 /* Ensure null termination */
669 state->request.domain_name
670 [sizeof(state->request.domain_name)-1]='\0';
671 state->request.data.init_conn.dcname
672 [sizeof(state->request.data.init_conn.dcname)-1]='\0';
674 if (strlen(state->request.data.init_conn.dcname) > 0) {
675 fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
678 init_dc_connection(domain);
680 if (!domain->initialized) {
681 /* If we return error here we can't do any cached authentication,
682 but we may be in disconnected mode and can't initialize correctly.
683 Do what the previous code did and just return without initialization,
684 once we go online we'll re-initialize.
686 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
687 "online = %d\n", domain->name, (int)domain->online ));
690 fstrcpy(state->response.data.domain_info.name, domain->name);
691 fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
692 sid_to_fstring(state->response.data.domain_info.sid, &domain->sid);
694 state->response.data.domain_info.native_mode
695 = domain->native_mode;
696 state->response.data.domain_info.active_directory
697 = domain->active_directory;
698 state->response.data.domain_info.primary
704 /* Look up global info for the winbind daemon */
705 bool init_domain_list(void)
707 struct winbindd_domain *domain;
708 int role = lp_server_role();
710 /* Free existing list */
715 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
716 &global_sid_Builtin);
718 setup_domain_child(domain,
724 domain = add_trusted_domain(get_global_sam_name(), NULL,
725 &sam_passdb_methods, get_global_sam_sid());
727 if ( role != ROLE_DOMAIN_MEMBER ) {
728 domain->primary = True;
730 setup_domain_child(domain,
734 /* Add ourselves as the first entry. */
736 if ( role == ROLE_DOMAIN_MEMBER ) {
739 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
740 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
744 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
745 &cache_methods, &our_sid);
747 domain->primary = True;
748 setup_domain_child(domain,
751 /* Even in the parent winbindd we'll need to
752 talk to the DC, so try and see if we can
753 contact it. Theoretically this isn't neccessary
754 as the init_dc_connection() in init_child_recv()
755 will do this, but we can start detecting the DC
757 set_domain_online_request(domain);
764 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
766 struct winbindd_domain *domain;
770 /* Check if we even care */
772 if (!lp_allow_trusted_domains())
775 domain = find_domain_from_name_noinit( name );
779 sid_copy( &dom_sid, user_sid );
780 if ( !sid_split_rid( &dom_sid, &rid ) )
783 /* add the newly discovered trusted domain */
785 domain = add_trusted_domain( name, NULL, &cache_methods,
791 /* assume this is a trust from a one-way transitive
794 domain->active_directory = True;
795 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
796 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
797 domain->internal = False;
798 domain->online = True;
800 setup_domain_child(domain,
803 wcache_tdc_add_domain( domain );
809 * Given a domain name, return the struct winbindd domain info for it
811 * @note Do *not* pass lp_workgroup() to this function. domain_list
812 * may modify it's value, and free that pointer. Instead, our local
813 * domain may be found by calling find_our_domain().
817 * @return The domain structure for the named domain, if it is working.
820 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
822 struct winbindd_domain *domain;
824 /* Search through list */
826 for (domain = domain_list(); domain != NULL; domain = domain->next) {
827 if (strequal(domain_name, domain->name) ||
828 (domain->alt_name[0] &&
829 strequal(domain_name, domain->alt_name))) {
839 struct winbindd_domain *find_domain_from_name(const char *domain_name)
841 struct winbindd_domain *domain;
843 domain = find_domain_from_name_noinit(domain_name);
848 if (!domain->initialized)
849 init_dc_connection(domain);
854 /* Given a domain sid, return the struct winbindd domain info for it */
856 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
858 struct winbindd_domain *domain;
860 /* Search through list */
862 for (domain = domain_list(); domain != NULL; domain = domain->next) {
863 if (sid_compare_domain(sid, &domain->sid) == 0)
872 /* Given a domain sid, return the struct winbindd domain info for it */
874 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
876 struct winbindd_domain *domain;
878 domain = find_domain_from_sid_noinit(sid);
883 if (!domain->initialized)
884 init_dc_connection(domain);
889 struct winbindd_domain *find_our_domain(void)
891 struct winbindd_domain *domain;
893 /* Search through list */
895 for (domain = domain_list(); domain != NULL; domain = domain->next) {
900 smb_panic("Could not find our domain");
904 struct winbindd_domain *find_root_domain(void)
906 struct winbindd_domain *ours = find_our_domain();
911 if ( strlen(ours->forest_name) == 0 )
914 return find_domain_from_name( ours->forest_name );
917 struct winbindd_domain *find_builtin_domain(void)
920 struct winbindd_domain *domain;
922 string_to_sid(&sid, "S-1-5-32");
923 domain = find_domain_from_sid(&sid);
925 if (domain == NULL) {
926 smb_panic("Could not find BUILTIN domain");
932 /* Find the appropriate domain to lookup a name or SID */
934 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
936 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
938 if ( sid_check_is_in_unix_groups(sid) ||
939 sid_check_is_unix_groups(sid) ||
940 sid_check_is_in_unix_users(sid) ||
941 sid_check_is_unix_users(sid) )
943 return find_domain_from_sid(get_global_sam_sid());
946 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
947 * one to contact the external DC's. On member servers the internal
948 * domains are different: These are part of the local SAM. */
950 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
952 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
953 DEBUG(10, ("calling find_domain_from_sid\n"));
954 return find_domain_from_sid(sid);
957 /* On a member server a query for SID or name can always go to our
960 DEBUG(10, ("calling find_our_domain\n"));
961 return find_our_domain();
964 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
966 if ( strequal(domain_name, unix_users_domain_name() ) ||
967 strequal(domain_name, unix_groups_domain_name() ) )
969 return find_domain_from_name_noinit( get_global_sam_name() );
972 if (IS_DC || strequal(domain_name, "BUILTIN") ||
973 strequal(domain_name, get_global_sam_name()))
974 return find_domain_from_name_noinit(domain_name);
976 /* The "Unix User" and "Unix Group" domain our handled by passdb */
978 return find_our_domain();
981 /* Lookup a sid in a domain from a name */
983 bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
984 enum winbindd_cmd orig_cmd,
985 struct winbindd_domain *domain,
986 const char *domain_name,
987 const char *name, DOM_SID *sid,
988 enum lsa_SidType *type)
993 result = domain->methods->name_to_sid(domain, mem_ctx, orig_cmd,
994 domain_name, name, sid, type);
996 /* Return sid and type if lookup successful */
997 if (!NT_STATUS_IS_OK(result)) {
998 *type = SID_NAME_UNKNOWN;
1001 return NT_STATUS_IS_OK(result);
1005 * @brief Lookup a name in a domain from a sid.
1007 * @param sid Security ID you want to look up.
1008 * @param name On success, set to the name corresponding to @p sid.
1009 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
1010 * @param type On success, contains the type of name: alias, group or
1012 * @retval True if the name exists, in which case @p name and @p type
1013 * are set, otherwise False.
1015 bool winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
1016 struct winbindd_domain *domain,
1020 enum lsa_SidType *type)
1029 result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
1031 /* Return name and type if successful */
1033 if (NT_STATUS_IS_OK(result)) {
1037 *type = SID_NAME_UNKNOWN;
1042 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
1044 void free_getent_state(struct getent_state *state)
1046 struct getent_state *temp;
1048 /* Iterate over state list */
1052 while(temp != NULL) {
1053 struct getent_state *next = temp->next;
1055 /* Free sam entries then list entry */
1057 SAFE_FREE(state->sam_entries);
1058 DLIST_REMOVE(state, state);
1065 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1067 static bool assume_domain(const char *domain)
1069 /* never assume the domain on a standalone server */
1071 if ( lp_server_role() == ROLE_STANDALONE )
1074 /* domain member servers may possibly assume for the domain name */
1076 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1077 if ( !strequal(lp_workgroup(), domain) )
1080 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1084 /* only left with a domain controller */
1086 if ( strequal(get_global_sam_name(), domain) ) {
1093 /* Parse a string of the form DOMAIN\user into a domain and a user */
1095 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1097 char *p = strchr(domuser,*lp_winbind_separator());
1100 fstrcpy(user, domuser);
1102 if ( assume_domain(lp_workgroup())) {
1103 fstrcpy(domain, lp_workgroup());
1104 } else if ((p = strchr(domuser, '@')) != NULL) {
1105 fstrcpy(domain, "");
1111 fstrcpy(domain, domuser);
1112 domain[PTR_DIFF(p, domuser)] = 0;
1120 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1121 char **domain, char **user)
1123 fstring fstr_domain, fstr_user;
1124 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1127 *domain = talloc_strdup(mem_ctx, fstr_domain);
1128 *user = talloc_strdup(mem_ctx, fstr_user);
1129 return ((*domain != NULL) && (*user != NULL));
1132 /* add a domain user name to a buffer */
1133 void parse_add_domuser(void *buf, char *domuser, int *len)
1139 p = strchr(domuser, *lp_winbind_separator());
1143 fstrcpy(domain, domuser);
1144 domain[PTR_DIFF(p, domuser)] = 0;
1147 if (assume_domain(domain)) {
1150 *len -= (PTR_DIFF(p, domuser));
1154 safe_strcpy((char *)buf, user, *len);
1157 /* Ensure an incoming username from NSS is fully qualified. Replace the
1158 incoming fstring with DOMAIN <separator> user. Returns the same
1159 values as parse_domain_user() but also replaces the incoming username.
1160 Used to ensure all names are fully qualified within winbindd.
1161 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1162 The protocol definitions of auth_crap, chng_pswd_auth_crap
1163 really should be changed to use this instead of doing things
1166 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1168 if (!parse_domain_user(username_inout, domain, user)) {
1171 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1172 domain, *lp_winbind_separator(),
1178 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1179 'winbind separator' options.
1181 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1184 If we are a PDC or BDC, and this is for our domain, do likewise.
1186 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1187 username is then unqualified in unix
1189 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1191 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1195 fstrcpy(tmp_user, user);
1196 strlower_m(tmp_user);
1198 if (can_assume && assume_domain(domain)) {
1199 strlcpy(name, tmp_user, sizeof(fstring));
1201 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1202 domain, *lp_winbind_separator(),
1208 * talloc version of fill_domain_username()
1209 * return NULL on talloc failure.
1211 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1216 char *tmp_user, *name;
1218 tmp_user = talloc_strdup(mem_ctx, user);
1219 strlower_m(tmp_user);
1221 if (can_assume && assume_domain(domain)) {
1224 name = talloc_asprintf(mem_ctx, "%s%c%s",
1226 *lp_winbind_separator(),
1228 TALLOC_FREE(tmp_user);
1235 * Winbindd socket accessor functions
1238 const char *get_winbind_pipe_dir(void)
1240 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1243 char *get_winbind_priv_pipe_dir(void)
1245 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1248 /* Open the winbindd socket */
1250 static int _winbindd_socket = -1;
1251 static int _winbindd_priv_socket = -1;
1253 int open_winbindd_socket(void)
1255 if (_winbindd_socket == -1) {
1256 _winbindd_socket = create_pipe_sock(
1257 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1258 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1262 return _winbindd_socket;
1265 int open_winbindd_priv_socket(void)
1267 if (_winbindd_priv_socket == -1) {
1268 _winbindd_priv_socket = create_pipe_sock(
1269 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1270 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1271 _winbindd_priv_socket));
1274 return _winbindd_priv_socket;
1277 /* Close the winbindd socket */
1279 void close_winbindd_socket(void)
1281 if (_winbindd_socket != -1) {
1282 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1284 close(_winbindd_socket);
1285 _winbindd_socket = -1;
1287 if (_winbindd_priv_socket != -1) {
1288 DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
1289 _winbindd_priv_socket));
1290 close(_winbindd_priv_socket);
1291 _winbindd_priv_socket = -1;
1296 * Client list accessor functions
1299 static struct winbindd_cli_state *_client_list;
1300 static int _num_clients;
1302 /* Return list of all connected clients */
1304 struct winbindd_cli_state *winbindd_client_list(void)
1306 return _client_list;
1309 /* Add a connection to the list */
1311 void winbindd_add_client(struct winbindd_cli_state *cli)
1313 DLIST_ADD(_client_list, cli);
1317 /* Remove a client from the list */
1319 void winbindd_remove_client(struct winbindd_cli_state *cli)
1321 DLIST_REMOVE(_client_list, cli);
1325 /* Close all open clients */
1327 void winbindd_kill_all_clients(void)
1329 struct winbindd_cli_state *cl = winbindd_client_list();
1331 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1334 struct winbindd_cli_state *next;
1337 winbindd_remove_client(cl);
1342 /* Return number of open clients */
1344 int winbindd_num_clients(void)
1346 return _num_clients;
1349 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1350 TALLOC_CTX *mem_ctx,
1351 const DOM_SID *user_sid,
1352 uint32 *p_num_groups, DOM_SID **user_sids)
1354 struct netr_SamInfo3 *info3 = NULL;
1355 NTSTATUS status = NT_STATUS_NO_MEMORY;
1356 size_t num_groups = 0;
1358 DEBUG(3,(": lookup_usergroups_cached\n"));
1363 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1365 if (info3 == NULL) {
1366 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1369 if (info3->base.groups.count == 0) {
1371 return NT_STATUS_UNSUCCESSFUL;
1374 /* Skip Domain local groups outside our domain.
1375 We'll get these from the getsidaliases() RPC call. */
1376 status = sid_array_from_info3(mem_ctx, info3,
1381 if (!NT_STATUS_IS_OK(status)) {
1387 *p_num_groups = num_groups;
1388 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1390 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1395 /*********************************************************************
1396 We use this to remove spaces from user and group names
1397 ********************************************************************/
1399 void ws_name_replace( char *name, char replace )
1401 char replace_char[2] = { 0x0, 0x0 };
1403 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1406 replace_char[0] = replace;
1407 all_string_sub( name, " ", replace_char, 0 );
1412 /*********************************************************************
1413 We use this to do the inverse of ws_name_replace()
1414 ********************************************************************/
1416 void ws_name_return( char *name, char replace )
1418 char replace_char[2] = { 0x0, 0x0 };
1420 if ( !lp_winbind_normalize_names() || (replace == '\0') )
1423 replace_char[0] = replace;
1424 all_string_sub( name, replace_char, " ", 0 );
1429 /*********************************************************************
1430 ********************************************************************/
1432 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1434 struct winbindd_tdc_domain *tdc = NULL;
1435 TALLOC_CTX *frame = talloc_stackframe();
1438 /* We can contact the domain if it is our primary domain */
1440 if (domain->primary) {
1444 /* Trust the TDC cache and not the winbindd_domain flags */
1446 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1447 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1452 /* Can always contact a domain that is in out forest */
1454 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1460 * On a _member_ server, we cannot contact the domain if it
1461 * is running AD and we have no inbound trust.
1465 domain->active_directory &&
1466 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1468 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1469 "and we have no inbound trust.\n", domain->name));
1473 /* Assume everything else is ok (probably not true but what
1479 talloc_destroy(frame);
1484 /*********************************************************************
1485 ********************************************************************/
1487 bool winbindd_internal_child(struct winbindd_child *child)
1489 if ((child == idmap_child()) || (child == locator_child())) {
1496 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1498 /*********************************************************************
1499 ********************************************************************/
1501 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1504 char addr[INET6_ADDRSTRLEN];
1505 const char *kdc = NULL;
1508 if (!domain || !domain->alt_name || !*domain->alt_name) {
1512 if (domain->initialized && !domain->active_directory) {
1513 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1518 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1521 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1523 kdc = domain->dcname;
1526 if (!kdc || !*kdc) {
1527 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1532 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1533 domain->alt_name) == -1) {
1537 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1540 setenv(var, kdc, 1);
1544 /*********************************************************************
1545 ********************************************************************/
1547 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1549 struct winbindd_domain *our_dom = find_our_domain();
1551 winbindd_set_locator_kdc_env(domain);
1553 if (domain != our_dom) {
1554 winbindd_set_locator_kdc_env(our_dom);
1558 /*********************************************************************
1559 ********************************************************************/
1561 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1565 if (!domain || !domain->alt_name || !*domain->alt_name) {
1569 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1570 domain->alt_name) == -1) {
1579 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1584 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1589 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */