2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
35 * @file winbindd_util.c
37 * Winbind daemon for NT domain authentication nss module.
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
46 static struct winbindd_domain *_domain_list = NULL;
48 struct winbindd_domain *domain_list(void)
52 if ((!_domain_list) && (!init_domain_list())) {
53 smb_panic("Init_domain_list failed");
59 /* Free all entries in the trusted domain list */
61 void free_domain_list(void)
63 struct winbindd_domain *domain = _domain_list;
66 struct winbindd_domain *next = domain->next;
68 DLIST_REMOVE(_domain_list, domain);
74 static bool is_internal_domain(const DOM_SID *sid)
79 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
82 static bool is_in_internal_domain(const DOM_SID *sid)
87 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
91 /* Add a trusted domain to our list of domains */
92 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
93 struct winbindd_methods *methods,
96 struct winbindd_domain *domain;
97 const char *alternative_name = NULL;
98 char *idmap_config_option;
100 const char **ignored_domains, **dom;
102 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
103 for (dom=ignored_domains; dom && *dom; dom++) {
104 if (gen_fnmatch(*dom, domain_name) == 0) {
105 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
110 /* ignore alt_name if we are not in an AD domain */
112 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
113 alternative_name = alt_name;
116 /* We can't call domain_list() as this function is called from
117 init_domain_list() and we'll get stuck in a loop. */
118 for (domain = _domain_list; domain; domain = domain->next) {
119 if (strequal(domain_name, domain->name) ||
120 strequal(domain_name, domain->alt_name))
125 if (alternative_name && *alternative_name)
127 if (strequal(alternative_name, domain->name) ||
128 strequal(alternative_name, domain->alt_name))
136 if (is_null_sid(sid)) {
140 if (sid_equal(sid, &domain->sid)) {
146 /* See if we found a match. Check if we need to update the
149 if ( domain && sid) {
150 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
151 sid_copy( &domain->sid, sid );
156 /* Create new domain entry */
158 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
163 ZERO_STRUCTP(domain);
165 fstrcpy(domain->name, domain_name);
166 if (alternative_name) {
167 fstrcpy(domain->alt_name, alternative_name);
170 domain->methods = methods;
171 domain->backend = NULL;
172 domain->internal = is_internal_domain(sid);
173 domain->sequence_number = DOM_SEQUENCE_NONE;
174 domain->last_seq_check = 0;
175 domain->initialized = False;
176 domain->online = is_internal_domain(sid);
177 domain->check_online_timeout = 0;
178 domain->dc_probe_pid = (pid_t)-1;
180 sid_copy(&domain->sid, sid);
183 /* Link to domain list */
184 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
186 wcache_tdc_add_domain( domain );
188 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
190 if (idmap_config_option == NULL) {
191 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
195 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
197 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
198 param ? param : "not defined"));
201 unsigned low_id, high_id;
202 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
203 DEBUG(1, ("invalid range syntax in %s: %s\n",
204 idmap_config_option, param));
207 if (low_id > high_id) {
208 DEBUG(1, ("invalid range in %s: %s\n",
209 idmap_config_option, param));
212 domain->have_idmap_config = true;
213 domain->id_range_low = low_id;
214 domain->id_range_high = high_id;
219 DEBUG(2,("Added domain %s %s %s\n",
220 domain->name, domain->alt_name,
221 &domain->sid?sid_string_dbg(&domain->sid):""));
226 /********************************************************************
227 rescan our domains looking for new trusted domains
228 ********************************************************************/
230 struct trustdom_state {
234 struct winbindd_response *response;
237 static void trustdom_recv(void *private_data, bool success);
238 static void rescan_forest_root_trusts( void );
239 static void rescan_forest_trusts( void );
241 static void add_trusted_domains( struct winbindd_domain *domain )
244 struct winbindd_request *request;
245 struct winbindd_response *response;
246 uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
248 struct trustdom_state *state;
250 mem_ctx = talloc_init("add_trusted_domains");
251 if (mem_ctx == NULL) {
252 DEBUG(0, ("talloc_init failed\n"));
256 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
257 response = TALLOC_P(mem_ctx, struct winbindd_response);
258 state = TALLOC_P(mem_ctx, struct trustdom_state);
260 if ((request == NULL) || (response == NULL) || (state == NULL)) {
261 DEBUG(0, ("talloc failed\n"));
262 talloc_destroy(mem_ctx);
266 state->mem_ctx = mem_ctx;
267 state->response = response;
269 /* Flags used to know how to continue the forest trust search */
271 state->primary = domain->primary;
272 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
274 request->length = sizeof(*request);
275 request->cmd = WINBINDD_LIST_TRUSTDOM;
277 async_domain_request(mem_ctx, domain, request, response,
278 trustdom_recv, state);
281 static void trustdom_recv(void *private_data, bool success)
283 struct trustdom_state *state =
284 talloc_get_type_abort(private_data, struct trustdom_state);
285 struct winbindd_response *response = state->response;
288 if ((!success) || (response->result != WINBINDD_OK)) {
289 DEBUG(1, ("Could not receive trustdoms\n"));
290 talloc_destroy(state->mem_ctx);
294 p = (char *)response->extra_data.data;
296 while ((p != NULL) && (*p != '\0')) {
297 char *q, *sidstr, *alt_name;
299 struct winbindd_domain *domain;
300 char *alternate_name = NULL;
302 alt_name = strchr(p, '\\');
303 if (alt_name == NULL) {
304 DEBUG(0, ("Got invalid trustdom response\n"));
311 sidstr = strchr(alt_name, '\\');
312 if (sidstr == NULL) {
313 DEBUG(0, ("Got invalid trustdom response\n"));
320 q = strchr(sidstr, '\n');
324 if (!string_to_sid(&sid, sidstr)) {
325 DEBUG(0, ("Got invalid trustdom response\n"));
329 /* use the real alt_name if we have one, else pass in NULL */
331 if ( !strequal( alt_name, "(null)" ) )
332 alternate_name = alt_name;
334 /* If we have an existing domain structure, calling
335 add_trusted_domain() will update the SID if
336 necessary. This is important because we need the
337 SID for sibling domains */
339 if ( find_domain_from_name_noinit(p) != NULL ) {
340 domain = add_trusted_domain(p, alternate_name,
344 domain = add_trusted_domain(p, alternate_name,
348 setup_domain_child(domain,
358 Cases to consider when scanning trusts:
359 (a) we are calling from a child domain (primary && !forest_root)
360 (b) we are calling from the root of the forest (primary && forest_root)
361 (c) we are calling from a trusted forest domain (!primary
365 if ( state->primary ) {
366 /* If this is our primary domain and we are not in the
367 forest root, we have to scan the root trusts first */
369 if ( !state->forest_root )
370 rescan_forest_root_trusts();
372 rescan_forest_trusts();
374 } else if ( state->forest_root ) {
375 /* Once we have done root forest trust search, we can
376 go on to search the trusted forests */
378 rescan_forest_trusts();
381 talloc_destroy(state->mem_ctx);
386 /********************************************************************
387 Scan the trusts of our forest root
388 ********************************************************************/
390 static void rescan_forest_root_trusts( void )
392 struct winbindd_tdc_domain *dom_list = NULL;
393 size_t num_trusts = 0;
396 /* The only transitive trusts supported by Windows 2003 AD are
397 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
398 first two are handled in forest and listed by
399 DsEnumerateDomainTrusts(). Forest trusts are not so we
400 have to do that ourselves. */
402 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
405 for ( i=0; i<num_trusts; i++ ) {
406 struct winbindd_domain *d = NULL;
408 /* Find the forest root. Don't necessarily trust
409 the domain_list() as our primary domain may not
410 have been initialized. */
412 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
416 /* Here's the forest root */
418 d = find_domain_from_name_noinit( dom_list[i].domain_name );
421 d = add_trusted_domain( dom_list[i].domain_name,
422 dom_list[i].dns_name,
426 setup_domain_child(d, &d->child);
434 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
435 "for domain tree root %s (%s)\n",
436 d->name, d->alt_name ));
438 d->domain_flags = dom_list[i].trust_flags;
439 d->domain_type = dom_list[i].trust_type;
440 d->domain_trust_attribs = dom_list[i].trust_attribs;
442 add_trusted_domains( d );
447 TALLOC_FREE( dom_list );
452 /********************************************************************
453 scan the transitive forest trusts (not our own)
454 ********************************************************************/
457 static void rescan_forest_trusts( void )
459 struct winbindd_domain *d = NULL;
460 struct winbindd_tdc_domain *dom_list = NULL;
461 size_t num_trusts = 0;
464 /* The only transitive trusts supported by Windows 2003 AD are
465 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
466 first two are handled in forest and listed by
467 DsEnumerateDomainTrusts(). Forest trusts are not so we
468 have to do that ourselves. */
470 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
473 for ( i=0; i<num_trusts; i++ ) {
474 uint32 flags = dom_list[i].trust_flags;
475 uint32 type = dom_list[i].trust_type;
476 uint32 attribs = dom_list[i].trust_attribs;
478 d = find_domain_from_name_noinit( dom_list[i].domain_name );
480 /* ignore our primary and internal domains */
482 if ( d && (d->internal || d->primary ) )
485 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
486 (type == NETR_TRUST_TYPE_UPLEVEL) &&
487 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
489 /* add the trusted domain if we don't know
493 d = add_trusted_domain( dom_list[i].domain_name,
494 dom_list[i].dns_name,
498 setup_domain_child(d, &d->child);
506 DEBUG(10,("Following trust path for domain %s (%s)\n",
507 d->name, d->alt_name ));
508 add_trusted_domains( d );
512 TALLOC_FREE( dom_list );
517 /*********************************************************************
518 The process of updating the trusted domain list is a three step
521 (b) ask the root domain in our forest
522 (c) ask the a DC in any Win2003 trusted forests
523 *********************************************************************/
525 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
526 struct timeval now, void *private_data)
530 /* I use to clear the cache here and start over but that
531 caused problems in child processes that needed the
532 trust dom list early on. Removing it means we
533 could have some trusted domains listed that have been
534 removed from our primary domain's DC until a full
535 restart. This should be ok since I think this is what
536 Windows does as well. */
538 /* this will only add new domains we didn't already know about
539 in the domain_list()*/
541 add_trusted_domains( find_our_domain() );
543 te = tevent_add_timer(
544 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
545 rescan_trusted_domains, NULL);
547 * If te == NULL, there's not much we can do here. Don't fail, the
548 * only thing we miss is new trusted domains.
554 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
555 struct winbindd_cli_state *state)
557 /* Ensure null termination */
558 state->request->domain_name
559 [sizeof(state->request->domain_name)-1]='\0';
560 state->request->data.init_conn.dcname
561 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
563 if (strlen(state->request->data.init_conn.dcname) > 0) {
564 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
567 if (domain->internal) {
568 domain->initialized = true;
570 init_dc_connection(domain);
573 if (!domain->initialized) {
574 /* If we return error here we can't do any cached authentication,
575 but we may be in disconnected mode and can't initialize correctly.
576 Do what the previous code did and just return without initialization,
577 once we go online we'll re-initialize.
579 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
580 "online = %d\n", domain->name, (int)domain->online ));
583 fstrcpy(state->response->data.domain_info.name, domain->name);
584 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
585 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
587 state->response->data.domain_info.native_mode
588 = domain->native_mode;
589 state->response->data.domain_info.active_directory
590 = domain->active_directory;
591 state->response->data.domain_info.primary
597 /* Look up global info for the winbind daemon */
598 bool init_domain_list(void)
600 struct winbindd_domain *domain;
601 int role = lp_server_role();
603 /* Free existing list */
608 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
609 &global_sid_Builtin);
611 setup_domain_child(domain,
617 domain = add_trusted_domain(get_global_sam_name(), NULL,
618 &sam_passdb_methods, get_global_sam_sid());
620 if ( role != ROLE_DOMAIN_MEMBER ) {
621 domain->primary = True;
623 setup_domain_child(domain,
627 /* Add ourselves as the first entry. */
629 if ( role == ROLE_DOMAIN_MEMBER ) {
632 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
633 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
637 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
638 &cache_methods, &our_sid);
640 domain->primary = True;
641 setup_domain_child(domain,
644 /* Even in the parent winbindd we'll need to
645 talk to the DC, so try and see if we can
646 contact it. Theoretically this isn't neccessary
647 as the init_dc_connection() in init_child_recv()
648 will do this, but we can start detecting the DC
650 set_domain_online_request(domain);
657 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
659 struct winbindd_domain *domain;
663 /* Check if we even care */
665 if (!lp_allow_trusted_domains())
668 domain = find_domain_from_name_noinit( name );
672 sid_copy( &dom_sid, user_sid );
673 if ( !sid_split_rid( &dom_sid, &rid ) )
676 /* add the newly discovered trusted domain */
678 domain = add_trusted_domain( name, NULL, &cache_methods,
684 /* assume this is a trust from a one-way transitive
687 domain->active_directory = True;
688 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
689 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
690 domain->internal = False;
691 domain->online = True;
693 setup_domain_child(domain,
696 wcache_tdc_add_domain( domain );
702 * Given a domain name, return the struct winbindd domain info for it
704 * @note Do *not* pass lp_workgroup() to this function. domain_list
705 * may modify it's value, and free that pointer. Instead, our local
706 * domain may be found by calling find_our_domain().
710 * @return The domain structure for the named domain, if it is working.
713 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
715 struct winbindd_domain *domain;
717 /* Search through list */
719 for (domain = domain_list(); domain != NULL; domain = domain->next) {
720 if (strequal(domain_name, domain->name) ||
721 (domain->alt_name[0] &&
722 strequal(domain_name, domain->alt_name))) {
732 struct winbindd_domain *find_domain_from_name(const char *domain_name)
734 struct winbindd_domain *domain;
736 domain = find_domain_from_name_noinit(domain_name);
741 if (!domain->initialized)
742 init_dc_connection(domain);
747 /* Given a domain sid, return the struct winbindd domain info for it */
749 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
751 struct winbindd_domain *domain;
753 /* Search through list */
755 for (domain = domain_list(); domain != NULL; domain = domain->next) {
756 if (sid_compare_domain(sid, &domain->sid) == 0)
765 /* Given a domain sid, return the struct winbindd domain info for it */
767 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
769 struct winbindd_domain *domain;
771 domain = find_domain_from_sid_noinit(sid);
776 if (!domain->initialized)
777 init_dc_connection(domain);
782 struct winbindd_domain *find_our_domain(void)
784 struct winbindd_domain *domain;
786 /* Search through list */
788 for (domain = domain_list(); domain != NULL; domain = domain->next) {
793 smb_panic("Could not find our domain");
797 struct winbindd_domain *find_root_domain(void)
799 struct winbindd_domain *ours = find_our_domain();
804 if ( strlen(ours->forest_name) == 0 )
807 return find_domain_from_name( ours->forest_name );
810 struct winbindd_domain *find_builtin_domain(void)
813 struct winbindd_domain *domain;
815 string_to_sid(&sid, "S-1-5-32");
816 domain = find_domain_from_sid(&sid);
818 if (domain == NULL) {
819 smb_panic("Could not find BUILTIN domain");
825 /* Find the appropriate domain to lookup a name or SID */
827 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
829 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
831 if ( sid_check_is_in_unix_groups(sid) ||
832 sid_check_is_unix_groups(sid) ||
833 sid_check_is_in_unix_users(sid) ||
834 sid_check_is_unix_users(sid) )
836 return find_domain_from_sid(get_global_sam_sid());
839 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
840 * one to contact the external DC's. On member servers the internal
841 * domains are different: These are part of the local SAM. */
843 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
845 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
846 DEBUG(10, ("calling find_domain_from_sid\n"));
847 return find_domain_from_sid(sid);
850 /* On a member server a query for SID or name can always go to our
853 DEBUG(10, ("calling find_our_domain\n"));
854 return find_our_domain();
857 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
859 if ( strequal(domain_name, unix_users_domain_name() ) ||
860 strequal(domain_name, unix_groups_domain_name() ) )
863 * The "Unix User" and "Unix Group" domain our handled by
866 return find_domain_from_name_noinit( get_global_sam_name() );
869 if (IS_DC || strequal(domain_name, "BUILTIN") ||
870 strequal(domain_name, get_global_sam_name()))
871 return find_domain_from_name_noinit(domain_name);
874 return find_our_domain();
877 /* Is this a domain which we may assume no DOMAIN\ prefix? */
879 static bool assume_domain(const char *domain)
881 /* never assume the domain on a standalone server */
883 if ( lp_server_role() == ROLE_STANDALONE )
886 /* domain member servers may possibly assume for the domain name */
888 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
889 if ( !strequal(lp_workgroup(), domain) )
892 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
896 /* only left with a domain controller */
898 if ( strequal(get_global_sam_name(), domain) ) {
905 /* Parse a string of the form DOMAIN\user into a domain and a user */
907 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
909 char *p = strchr(domuser,*lp_winbind_separator());
912 fstrcpy(user, domuser);
914 if ( assume_domain(lp_workgroup())) {
915 fstrcpy(domain, lp_workgroup());
916 } else if ((p = strchr(domuser, '@')) != NULL) {
917 fstrcpy(domain, p + 1);
918 user[PTR_DIFF(p, domuser)] = 0;
924 fstrcpy(domain, domuser);
925 domain[PTR_DIFF(p, domuser)] = 0;
933 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
934 char **domain, char **user)
936 fstring fstr_domain, fstr_user;
937 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
940 *domain = talloc_strdup(mem_ctx, fstr_domain);
941 *user = talloc_strdup(mem_ctx, fstr_user);
942 return ((*domain != NULL) && (*user != NULL));
945 /* add a domain user name to a buffer */
946 void parse_add_domuser(void *buf, char *domuser, int *len)
952 p = strchr(domuser, *lp_winbind_separator());
956 fstrcpy(domain, domuser);
957 domain[PTR_DIFF(p, domuser)] = 0;
960 if (assume_domain(domain)) {
963 *len -= (PTR_DIFF(p, domuser));
967 safe_strcpy((char *)buf, user, *len);
970 /* Ensure an incoming username from NSS is fully qualified. Replace the
971 incoming fstring with DOMAIN <separator> user. Returns the same
972 values as parse_domain_user() but also replaces the incoming username.
973 Used to ensure all names are fully qualified within winbindd.
974 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
975 The protocol definitions of auth_crap, chng_pswd_auth_crap
976 really should be changed to use this instead of doing things
979 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
981 if (!parse_domain_user(username_inout, domain, user)) {
984 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
985 domain, *lp_winbind_separator(),
991 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
992 'winbind separator' options.
994 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
997 If we are a PDC or BDC, and this is for our domain, do likewise.
999 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1000 username is then unqualified in unix
1002 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1004 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1008 fstrcpy(tmp_user, user);
1009 strlower_m(tmp_user);
1011 if (can_assume && assume_domain(domain)) {
1012 strlcpy(name, tmp_user, sizeof(fstring));
1014 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1015 domain, *lp_winbind_separator(),
1021 * talloc version of fill_domain_username()
1022 * return NULL on talloc failure.
1024 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1029 char *tmp_user, *name;
1031 tmp_user = talloc_strdup(mem_ctx, user);
1032 strlower_m(tmp_user);
1034 if (can_assume && assume_domain(domain)) {
1037 name = talloc_asprintf(mem_ctx, "%s%c%s",
1039 *lp_winbind_separator(),
1041 TALLOC_FREE(tmp_user);
1048 * Winbindd socket accessor functions
1051 const char *get_winbind_pipe_dir(void)
1053 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1056 char *get_winbind_priv_pipe_dir(void)
1058 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1061 /* Open the winbindd socket */
1063 static int _winbindd_socket = -1;
1064 static int _winbindd_priv_socket = -1;
1066 int open_winbindd_socket(void)
1068 if (_winbindd_socket == -1) {
1069 _winbindd_socket = create_pipe_sock(
1070 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1071 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1075 return _winbindd_socket;
1078 int open_winbindd_priv_socket(void)
1080 if (_winbindd_priv_socket == -1) {
1081 _winbindd_priv_socket = create_pipe_sock(
1082 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1083 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1084 _winbindd_priv_socket));
1087 return _winbindd_priv_socket;
1091 * Client list accessor functions
1094 static struct winbindd_cli_state *_client_list;
1095 static int _num_clients;
1097 /* Return list of all connected clients */
1099 struct winbindd_cli_state *winbindd_client_list(void)
1101 return _client_list;
1104 /* Add a connection to the list */
1106 void winbindd_add_client(struct winbindd_cli_state *cli)
1108 DLIST_ADD(_client_list, cli);
1112 /* Remove a client from the list */
1114 void winbindd_remove_client(struct winbindd_cli_state *cli)
1116 DLIST_REMOVE(_client_list, cli);
1120 /* Close all open clients */
1122 void winbindd_kill_all_clients(void)
1124 struct winbindd_cli_state *cl = winbindd_client_list();
1126 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1129 struct winbindd_cli_state *next;
1132 winbindd_remove_client(cl);
1137 /* Return number of open clients */
1139 int winbindd_num_clients(void)
1141 return _num_clients;
1144 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1145 TALLOC_CTX *mem_ctx,
1146 const DOM_SID *user_sid,
1147 uint32 *p_num_groups, DOM_SID **user_sids)
1149 struct netr_SamInfo3 *info3 = NULL;
1150 NTSTATUS status = NT_STATUS_NO_MEMORY;
1151 size_t num_groups = 0;
1153 DEBUG(3,(": lookup_usergroups_cached\n"));
1158 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1160 if (info3 == NULL) {
1161 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1164 if (info3->base.groups.count == 0) {
1166 return NT_STATUS_UNSUCCESSFUL;
1170 * Before bug #7843 the "Domain Local" groups were added with a
1171 * lookupuseraliases call, but this isn't done anymore for our domain
1172 * so we need to resolve resource groups here.
1174 * When to use Resource Groups:
1175 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1177 status = sid_array_from_info3(mem_ctx, info3,
1182 if (!NT_STATUS_IS_OK(status)) {
1188 *p_num_groups = num_groups;
1189 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1191 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1196 /*********************************************************************
1197 We use this to remove spaces from user and group names
1198 ********************************************************************/
1200 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1201 struct winbindd_domain *domain,
1207 if (!name || !normalized) {
1208 return NT_STATUS_INVALID_PARAMETER;
1211 if (!lp_winbind_normalize_names()) {
1212 return NT_STATUS_PROCEDURE_NOT_FOUND;
1215 /* Alias support and whitespace replacement are mutually
1218 nt_status = resolve_username_to_alias(mem_ctx, domain,
1220 if (NT_STATUS_IS_OK(nt_status)) {
1221 /* special return code to let the caller know we
1222 mapped to an alias */
1223 return NT_STATUS_FILE_RENAMED;
1226 /* check for an unreachable domain */
1228 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1229 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1231 set_domain_offline(domain);
1235 /* deal with whitespace */
1237 *normalized = talloc_strdup(mem_ctx, name);
1238 if (!(*normalized)) {
1239 return NT_STATUS_NO_MEMORY;
1242 all_string_sub( *normalized, " ", "_", 0 );
1244 return NT_STATUS_OK;
1247 /*********************************************************************
1248 We use this to do the inverse of normalize_name_map()
1249 ********************************************************************/
1251 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1256 struct winbindd_domain *domain = find_our_domain();
1258 if (!name || !normalized) {
1259 return NT_STATUS_INVALID_PARAMETER;
1262 if (!lp_winbind_normalize_names()) {
1263 return NT_STATUS_PROCEDURE_NOT_FOUND;
1266 /* Alias support and whitespace replacement are mutally
1269 /* When mapping from an alias to a username, we don't know the
1270 domain. But we only need a domain structure to cache
1271 a successful lookup , so just our own domain structure for
1274 nt_status = resolve_alias_to_username(mem_ctx, domain,
1276 if (NT_STATUS_IS_OK(nt_status)) {
1277 /* Special return code to let the caller know we mapped
1279 return NT_STATUS_FILE_RENAMED;
1282 /* check for an unreachable domain */
1284 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1285 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1287 set_domain_offline(domain);
1291 /* deal with whitespace */
1293 *normalized = talloc_strdup(mem_ctx, name);
1294 if (!(*normalized)) {
1295 return NT_STATUS_NO_MEMORY;
1298 all_string_sub(*normalized, "_", " ", 0);
1300 return NT_STATUS_OK;
1303 /*********************************************************************
1304 ********************************************************************/
1306 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1308 struct winbindd_tdc_domain *tdc = NULL;
1309 TALLOC_CTX *frame = talloc_stackframe();
1312 /* We can contact the domain if it is our primary domain */
1314 if (domain->primary) {
1318 /* Trust the TDC cache and not the winbindd_domain flags */
1320 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1321 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1326 /* Can always contact a domain that is in out forest */
1328 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1334 * On a _member_ server, we cannot contact the domain if it
1335 * is running AD and we have no inbound trust.
1339 domain->active_directory &&
1340 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1342 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1343 "and we have no inbound trust.\n", domain->name));
1347 /* Assume everything else is ok (probably not true but what
1353 talloc_destroy(frame);
1358 /*********************************************************************
1359 ********************************************************************/
1361 bool winbindd_internal_child(struct winbindd_child *child)
1363 if ((child == idmap_child()) || (child == locator_child())) {
1370 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1372 /*********************************************************************
1373 ********************************************************************/
1375 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1378 char addr[INET6_ADDRSTRLEN];
1379 const char *kdc = NULL;
1382 if (!domain || !domain->alt_name || !*domain->alt_name) {
1386 if (domain->initialized && !domain->active_directory) {
1387 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1392 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1395 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1397 kdc = domain->dcname;
1400 if (!kdc || !*kdc) {
1401 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1406 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1407 domain->alt_name) == -1) {
1411 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1414 setenv(var, kdc, 1);
1418 /*********************************************************************
1419 ********************************************************************/
1421 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1423 struct winbindd_domain *our_dom = find_our_domain();
1425 winbindd_set_locator_kdc_env(domain);
1427 if (domain != our_dom) {
1428 winbindd_set_locator_kdc_env(our_dom);
1432 /*********************************************************************
1433 ********************************************************************/
1435 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1439 if (!domain || !domain->alt_name || !*domain->alt_name) {
1443 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1444 domain->alt_name) == -1) {
1453 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1458 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1463 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1465 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1467 resp->data.auth.nt_status = NT_STATUS_V(result);
1468 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1470 /* we might have given a more useful error above */
1471 if (*resp->data.auth.error_string == '\0')
1472 fstrcpy(resp->data.auth.error_string,
1473 get_friendly_nt_error_msg(result));
1474 resp->data.auth.pam_error = nt_status_to_pam(result);
1477 bool is_domain_offline(const struct winbindd_domain *domain)
1479 if (!lp_winbind_offline_logon()) {
1482 if (get_global_winbindd_state_offline()) {
1485 return !domain->online;