2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "lib/util_unixsids.h"
27 #include "../libcli/security/security.h"
28 #include "../libcli/auth/pam_errors.h"
29 #include "passdb/machine_sid.h"
31 #include "source4/lib/messaging/messaging.h"
32 #include "librpc/gen_ndr/ndr_lsa.h"
33 #include "auth/credentials/credentials.h"
34 #include "libsmb/samlogon_cache.h"
37 #define DBGC_CLASS DBGC_WINBIND
39 static struct winbindd_domain *
40 add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc);
43 * @file winbindd_util.c
45 * Winbind daemon for NT domain authentication nss module.
49 /* The list of trusted domains. Note that the list can be deleted and
50 recreated using the init_domain_list() function so pointers to
51 individual winbindd_domain structures cannot be made. Keep a copy of
52 the domain name instead. */
54 static struct winbindd_domain *_domain_list = NULL;
56 struct winbindd_domain *domain_list(void)
60 if ((!_domain_list) && (!init_domain_list())) {
61 smb_panic("Init_domain_list failed");
67 /* Free all entries in the trusted domain list */
69 static void free_domain_list(void)
71 struct winbindd_domain *domain = _domain_list;
74 struct winbindd_domain *next = domain->next;
76 DLIST_REMOVE(_domain_list, domain);
83 * Iterator for winbindd's domain list.
84 * To be used (e.g.) in tevent based loops.
86 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
89 domain = domain_list();
91 domain = domain->next;
94 if ((domain != NULL) &&
95 (lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC) &&
96 sid_check_is_our_sam(&domain->sid))
98 domain = domain->next;
104 static bool is_internal_domain(const struct dom_sid *sid)
109 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
112 static bool is_in_internal_domain(const struct dom_sid *sid)
117 return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
121 /* Add a trusted domain to our list of domains.
122 If the domain already exists in the list,
123 return it and don't re-initialize. */
125 static struct winbindd_domain *
126 add_trusted_domain(const char *domain_name, const char *alt_name,
127 const struct dom_sid *sid)
129 struct winbindd_tdc_domain tdc;
133 tdc.domain_name = domain_name;
134 tdc.dns_name = alt_name;
136 sid_copy(&tdc.sid, sid);
139 return add_trusted_domain_from_tdc(&tdc);
142 /* Add a trusted domain out of a trusted domain cache
145 static struct winbindd_domain *
146 add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc)
148 struct winbindd_domain *domain;
149 const char *alternative_name = NULL;
150 const char **ignored_domains, **dom;
151 int role = lp_server_role();
152 const char *domain_name = tdc->domain_name;
153 const struct dom_sid *sid = &tdc->sid;
155 if (is_null_sid(sid)) {
159 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
160 for (dom=ignored_domains; dom && *dom; dom++) {
161 if (gen_fnmatch(*dom, domain_name) == 0) {
162 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
167 /* use alt_name if available to allow DNS lookups */
169 if (tdc->dns_name && *tdc->dns_name) {
170 alternative_name = tdc->dns_name;
173 /* We can't call domain_list() as this function is called from
174 init_domain_list() and we'll get stuck in a loop. */
175 for (domain = _domain_list; domain; domain = domain->next) {
176 if (strequal(domain_name, domain->name) ||
177 strequal(domain_name, domain->alt_name))
182 if (alternative_name) {
183 if (strequal(alternative_name, domain->name) ||
184 strequal(alternative_name, domain->alt_name))
191 if (dom_sid_equal(sid, &domain->sid)) {
197 if (domain != NULL) {
199 * We found a match on domain->name or
200 * domain->alt_name. Possibly update the SID
201 * if the stored SID was the NULL SID
202 * and return the matching entry.
205 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
206 sid_copy( &domain->sid, sid );
211 /* Create new domain entry */
212 domain = talloc_zero(NULL, struct winbindd_domain);
213 if (domain == NULL) {
217 domain->children = talloc_zero_array(domain,
218 struct winbindd_child,
219 lp_winbind_max_domain_connections());
220 if (domain->children == NULL) {
225 domain->name = talloc_strdup(domain, domain_name);
226 if (domain->name == NULL) {
231 if (alternative_name) {
232 domain->alt_name = talloc_strdup(domain, alternative_name);
233 if (domain->alt_name == NULL) {
239 domain->backend = NULL;
240 domain->internal = is_internal_domain(sid);
241 domain->sequence_number = DOM_SEQUENCE_NONE;
242 domain->last_seq_check = 0;
243 domain->initialized = false;
244 domain->online = is_internal_domain(sid);
245 domain->check_online_timeout = 0;
246 domain->dc_probe_pid = (pid_t)-1;
248 sid_copy(&domain->sid, sid);
250 domain->domain_flags = tdc->trust_flags;
251 domain->domain_type = tdc->trust_type;
252 domain->domain_trust_attribs = tdc->trust_attribs;
254 /* Is this our primary domain ? */
255 if (strequal(domain_name, get_global_sam_name()) &&
256 (role != ROLE_DOMAIN_MEMBER)) {
257 domain->primary = true;
258 } else if (strequal(domain_name, lp_workgroup()) &&
259 (role == ROLE_DOMAIN_MEMBER)) {
260 domain->primary = true;
263 if (domain->primary) {
264 if (role == ROLE_ACTIVE_DIRECTORY_DC) {
265 domain->active_directory = true;
267 if (lp_security() == SEC_ADS) {
268 domain->active_directory = true;
270 } else if (!domain->internal) {
271 if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) {
272 domain->active_directory = true;
276 /* Link to domain list */
277 DLIST_ADD_END(_domain_list, domain);
279 wcache_tdc_add_domain( domain );
281 setup_domain_child(domain);
284 ("Added domain %s %s %s\n", domain->name, domain->alt_name,
285 !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : ""));
290 bool domain_is_forest_root(const struct winbindd_domain *domain)
292 const uint32_t fr_flags =
293 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
295 return ((domain->domain_flags & fr_flags) == fr_flags);
298 /********************************************************************
299 rescan our domains looking for new trusted domains
300 ********************************************************************/
302 struct trustdom_state {
303 struct winbindd_domain *domain;
304 struct winbindd_request request;
307 static void trustdom_list_done(struct tevent_req *req);
308 static void rescan_forest_root_trusts( void );
309 static void rescan_forest_trusts( void );
311 static void add_trusted_domains( struct winbindd_domain *domain )
313 struct trustdom_state *state;
314 struct tevent_req *req;
316 state = talloc_zero(NULL, struct trustdom_state);
318 DEBUG(0, ("talloc failed\n"));
321 state->domain = domain;
323 state->request.length = sizeof(state->request);
324 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
326 req = wb_domain_request_send(state, winbind_event_context(),
327 domain, &state->request);
329 DEBUG(1, ("wb_domain_request_send failed\n"));
333 tevent_req_set_callback(req, trustdom_list_done, state);
336 static void trustdom_list_done(struct tevent_req *req)
338 struct trustdom_state *state = tevent_req_callback_data(
339 req, struct trustdom_state);
340 struct winbindd_response *response;
343 struct winbindd_tdc_domain trust_params = {0};
346 res = wb_domain_request_recv(req, state, &response, &err);
347 if ((res == -1) || (response->result != WINBINDD_OK)) {
348 DBG_WARNING("Could not receive trusts for domain %s\n",
349 state->domain->name);
354 if (response->length < sizeof(struct winbindd_response)) {
355 DBG_ERR("ill-formed trustdom response - short length\n");
360 extra_len = response->length - sizeof(struct winbindd_response);
362 p = (char *)response->extra_data.data;
364 while ((p - (char *)response->extra_data.data) < extra_len) {
365 char *q, *sidstr, *alt_name;
367 DBG_DEBUG("parsing response line '%s'\n", p);
369 ZERO_STRUCT(trust_params);
370 trust_params.domain_name = p;
372 alt_name = strchr(p, '\\');
373 if (alt_name == NULL) {
374 DBG_ERR("Got invalid trustdom response\n");
381 sidstr = strchr(alt_name, '\\');
382 if (sidstr == NULL) {
383 DBG_ERR("Got invalid trustdom response\n");
390 /* use the real alt_name if we have one, else pass in NULL */
391 if (!strequal(alt_name, "(null)")) {
392 trust_params.dns_name = alt_name;
395 q = strtok(sidstr, "\\");
397 DBG_ERR("Got invalid trustdom response\n");
401 if (!string_to_sid(&trust_params.sid, sidstr)) {
402 DEBUG(0, ("Got invalid trustdom response\n"));
406 q = strtok(NULL, "\\");
408 DBG_ERR("Got invalid trustdom response\n");
412 trust_params.trust_flags = (uint32_t)strtoul(q, NULL, 10);
414 q = strtok(NULL, "\\");
416 DBG_ERR("Got invalid trustdom response\n");
420 trust_params.trust_type = (uint32_t)strtoul(q, NULL, 10);
422 q = strtok(NULL, "\n");
424 DBG_ERR("Got invalid trustdom response\n");
428 trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
431 * We always call add_trusted_domain() cause on an existing
432 * domain structure, it will update the SID if necessary.
433 * This is important because we need the SID for sibling
436 (void)add_trusted_domain_from_tdc(&trust_params);
438 p = q + strlen(q) + 1;
442 Cases to consider when scanning trusts:
443 (a) we are calling from a child domain (primary && !forest_root)
444 (b) we are calling from the root of the forest (primary && forest_root)
445 (c) we are calling from a trusted forest domain (!primary
449 if (state->domain->primary) {
450 /* If this is our primary domain and we are not in the
451 forest root, we have to scan the root trusts first */
453 if (!domain_is_forest_root(state->domain))
454 rescan_forest_root_trusts();
456 rescan_forest_trusts();
458 } else if (domain_is_forest_root(state->domain)) {
459 /* Once we have done root forest trust search, we can
460 go on to search the trusted forests */
462 rescan_forest_trusts();
470 /********************************************************************
471 Scan the trusts of our forest root
472 ********************************************************************/
474 static void rescan_forest_root_trusts( void )
476 struct winbindd_tdc_domain *dom_list = NULL;
477 size_t num_trusts = 0;
480 /* The only transitive trusts supported by Windows 2003 AD are
481 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
482 first two are handled in forest and listed by
483 DsEnumerateDomainTrusts(). Forest trusts are not so we
484 have to do that ourselves. */
486 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
489 for ( i=0; i<num_trusts; i++ ) {
490 struct winbindd_domain *d = NULL;
492 /* Find the forest root. Don't necessarily trust
493 the domain_list() as our primary domain may not
494 have been initialized. */
496 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
500 /* Here's the forest root */
502 d = find_domain_from_name_noinit( dom_list[i].domain_name );
505 d = add_trusted_domain_from_tdc(&dom_list[i]);
512 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
513 "for domain tree root %s (%s)\n",
514 d->name, d->alt_name ));
516 d->domain_flags = dom_list[i].trust_flags;
517 d->domain_type = dom_list[i].trust_type;
518 d->domain_trust_attribs = dom_list[i].trust_attribs;
520 add_trusted_domains( d );
525 TALLOC_FREE( dom_list );
530 /********************************************************************
531 scan the transitive forest trusts (not our own)
532 ********************************************************************/
535 static void rescan_forest_trusts( void )
537 struct winbindd_domain *d = NULL;
538 struct winbindd_tdc_domain *dom_list = NULL;
539 size_t num_trusts = 0;
542 /* The only transitive trusts supported by Windows 2003 AD are
543 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
544 first two are handled in forest and listed by
545 DsEnumerateDomainTrusts(). Forest trusts are not so we
546 have to do that ourselves. */
548 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
551 for ( i=0; i<num_trusts; i++ ) {
552 uint32_t flags = dom_list[i].trust_flags;
553 uint32_t type = dom_list[i].trust_type;
554 uint32_t attribs = dom_list[i].trust_attribs;
556 d = find_domain_from_name_noinit( dom_list[i].domain_name );
558 /* ignore our primary and internal domains */
560 if ( d && (d->internal || d->primary ) )
563 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
564 (type == LSA_TRUST_TYPE_UPLEVEL) &&
565 (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
567 /* add the trusted domain if we don't know
571 d = add_trusted_domain_from_tdc(&dom_list[i]);
578 DEBUG(10,("Following trust path for domain %s (%s)\n",
579 d->name, d->alt_name ));
580 add_trusted_domains( d );
584 TALLOC_FREE( dom_list );
589 /*********************************************************************
590 The process of updating the trusted domain list is a three step
593 (b) ask the root domain in our forest
594 (c) ask the a DC in any Win2003 trusted forests
595 *********************************************************************/
597 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
598 struct timeval now, void *private_data)
602 /* I use to clear the cache here and start over but that
603 caused problems in child processes that needed the
604 trust dom list early on. Removing it means we
605 could have some trusted domains listed that have been
606 removed from our primary domain's DC until a full
607 restart. This should be ok since I think this is what
608 Windows does as well. */
610 /* this will only add new domains we didn't already know about
611 in the domain_list()*/
613 add_trusted_domains( find_our_domain() );
615 te = tevent_add_timer(
616 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
617 rescan_trusted_domains, NULL);
619 * If te == NULL, there's not much we can do here. Don't fail, the
620 * only thing we miss is new trusted domains.
626 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
627 struct winbindd_cli_state *state)
629 /* Ensure null termination */
630 state->request->domain_name
631 [sizeof(state->request->domain_name)-1]='\0';
632 state->request->data.init_conn.dcname
633 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
635 if (strlen(state->request->data.init_conn.dcname) > 0) {
636 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
639 init_dc_connection(domain, false);
641 if (!domain->initialized) {
642 /* If we return error here we can't do any cached authentication,
643 but we may be in disconnected mode and can't initialize correctly.
644 Do what the previous code did and just return without initialization,
645 once we go online we'll re-initialize.
647 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
648 "online = %d\n", domain->name, (int)domain->online ));
651 fstrcpy(state->response->data.domain_info.name, domain->name);
652 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
653 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
655 state->response->data.domain_info.native_mode
656 = domain->native_mode;
657 state->response->data.domain_info.active_directory
658 = domain->active_directory;
659 state->response->data.domain_info.primary
665 static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
668 struct server_id server_id,
671 TALLOC_CTX *frame = talloc_stackframe();
672 struct lsa_TrustDomainInfoInfoEx info;
673 enum ndr_err_code ndr_err;
674 struct winbindd_domain *d = NULL;
676 DEBUG(5, ("wb_imsg_new_trusted_domain\n"));
683 ndr_err = ndr_pull_struct_blob_all(data, frame, &info,
684 (ndr_pull_flags_fn_t)ndr_pull_lsa_TrustDomainInfoInfoEx);
685 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
690 d = find_domain_from_name_noinit(info.netbios_name.string);
696 d = add_trusted_domain(info.netbios_name.string,
697 info.domain_name.string,
714 if (info.trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
715 d->domain_flags |= NETR_TRUST_FLAG_INBOUND;
717 if (info.trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
718 d->domain_flags |= NETR_TRUST_FLAG_OUTBOUND;
720 if (info.trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
721 d->domain_flags |= NETR_TRUST_FLAG_IN_FOREST;
723 d->domain_type = info.trust_type;
724 d->domain_trust_attribs = info.trust_attributes;
730 * We did not get the secret when we queried secrets.tdb, so read it
731 * from secrets.tdb and re-sync the databases
733 static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
736 struct cli_credentials *creds;
737 NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
738 NULL, domain, &creds);
739 if (!NT_STATUS_IS_OK(can_migrate)) {
740 DEBUG(0, ("Failed to fetch our own, local AD domain join "
741 "password for winbindd's internal use, both from "
742 "secrets.tdb and secrets.ldb: %s\n",
743 nt_errstr(can_migrate)));
748 * NOTE: It is very unlikely we end up here if there is an
749 * oldpass, because a new password is created at
750 * classicupgrade, so this is not a concern.
752 ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
754 cli_credentials_get_domain(creds),
755 cli_credentials_get_realm(creds),
756 cli_credentials_get_salt_principal(creds),
757 0, /* Supported enc types, unused */
759 cli_credentials_get_password_last_changed_time(creds),
760 cli_credentials_get_secure_channel_type(creds),
761 false /* do_delete: Do not delete */);
764 DEBUG(0, ("Failed to write our our own, "
765 "local AD domain join password for "
766 "winbindd's internal use into secrets.tdb\n"));
772 /* Look up global info for the winbind daemon */
773 bool init_domain_list(void)
775 int role = lp_server_role();
778 /* Free existing list */
783 (void)add_trusted_domain("BUILTIN", NULL, &global_sid_Builtin);
787 if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
788 struct winbindd_domain *domain;
789 enum netr_SchannelType sec_chan_type;
790 const char *account_name;
791 struct samr_Password current_nt_hash;
792 struct pdb_domain_info *pdb_domain_info;
795 pdb_domain_info = pdb_get_domain_info(talloc_tos());
796 if (pdb_domain_info == NULL) {
797 DEBUG(0, ("Failed to fetch our own, local AD "
798 "domain info from sam.ldb\n"));
801 domain = add_trusted_domain(pdb_domain_info->name,
802 pdb_domain_info->dns_domain,
803 &pdb_domain_info->sid);
804 TALLOC_FREE(pdb_domain_info);
805 if (domain == NULL) {
806 DEBUG(0, ("Failed to add our own, local AD "
807 "domain to winbindd's internal list\n"));
812 * We need to call this to find out if we are an RODC
814 ok = get_trust_pw_hash(domain->name,
815 current_nt_hash.hash,
820 * If get_trust_pw_hash() fails, then try and
821 * fetch the password from the more recent of
822 * secrets.{ldb,tdb} using the
823 * pdb_get_trust_credentials()
825 ok = migrate_secrets_tdb_to_ldb(domain);
828 DEBUG(0, ("Failed to migrate our own, "
829 "local AD domain join password for "
830 "winbindd's internal use into "
834 ok = get_trust_pw_hash(domain->name,
835 current_nt_hash.hash,
839 DEBUG(0, ("Failed to find our our own, just "
840 "written local AD domain join "
841 "password for winbindd's internal "
842 "use in secrets.tdb\n"));
846 if (sec_chan_type == SEC_CHAN_RODC) {
851 (void)add_trusted_domain(get_global_sam_name(), NULL,
852 get_global_sam_sid());
854 /* Add ourselves as the first entry. */
856 if ( role == ROLE_DOMAIN_MEMBER ) {
857 struct winbindd_domain *domain;
858 struct dom_sid our_sid;
860 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
861 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
865 domain = add_trusted_domain(lp_workgroup(), lp_realm(),
868 /* Even in the parent winbindd we'll need to
869 talk to the DC, so try and see if we can
870 contact it. Theoretically this isn't neccessary
871 as the init_dc_connection() in init_child_recv()
872 will do this, but we can start detecting the DC
874 set_domain_online_request(domain);
878 status = imessaging_register(winbind_imessaging_context(), NULL,
879 MSG_WINBIND_NEW_TRUSTED_DOMAIN,
880 wb_imsg_new_trusted_domain);
881 if (!NT_STATUS_IS_OK(status)) {
882 DEBUG(0, ("imessaging_register(MSG_WINBIND_NEW_TRUSTED_DOMAIN) - %s\n",
891 * Given a domain name, return the struct winbindd domain info for it
893 * @note Do *not* pass lp_workgroup() to this function. domain_list
894 * may modify it's value, and free that pointer. Instead, our local
895 * domain may be found by calling find_our_domain().
899 * @return The domain structure for the named domain, if it is working.
902 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
904 struct winbindd_domain *domain;
906 /* Search through list */
908 for (domain = domain_list(); domain != NULL; domain = domain->next) {
909 if (strequal(domain_name, domain->name) ||
910 (domain->alt_name != NULL &&
911 strequal(domain_name, domain->alt_name))) {
921 struct winbindd_domain *find_domain_from_name(const char *domain_name)
923 struct winbindd_domain *domain;
925 domain = find_domain_from_name_noinit(domain_name);
930 if (!domain->initialized)
931 init_dc_connection(domain, false);
936 /* Given a domain sid, return the struct winbindd domain info for it */
938 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
940 struct winbindd_domain *domain;
942 /* Search through list */
944 for (domain = domain_list(); domain != NULL; domain = domain->next) {
945 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
954 /* Given a domain sid, return the struct winbindd domain info for it */
956 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
958 struct winbindd_domain *domain;
960 domain = find_domain_from_sid_noinit(sid);
965 if (!domain->initialized)
966 init_dc_connection(domain, false);
971 struct winbindd_domain *find_our_domain(void)
973 struct winbindd_domain *domain;
975 /* Search through list */
977 for (domain = domain_list(); domain != NULL; domain = domain->next) {
982 smb_panic("Could not find our domain");
986 struct winbindd_domain *find_root_domain(void)
988 struct winbindd_domain *ours = find_our_domain();
990 if (ours->forest_name == NULL) {
994 return find_domain_from_name( ours->forest_name );
997 struct winbindd_domain *find_builtin_domain(void)
999 struct winbindd_domain *domain;
1001 domain = find_domain_from_sid(&global_sid_Builtin);
1002 if (domain == NULL) {
1003 smb_panic("Could not find BUILTIN domain");
1009 /* Find the appropriate domain to lookup a name or SID */
1011 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
1013 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
1015 if ( sid_check_is_in_unix_groups(sid) ||
1016 sid_check_is_unix_groups(sid) ||
1017 sid_check_is_in_unix_users(sid) ||
1018 sid_check_is_unix_users(sid) )
1020 return find_domain_from_sid(get_global_sam_sid());
1023 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
1024 * one to contact the external DC's. On member servers the internal
1025 * domains are different: These are part of the local SAM. */
1027 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
1029 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
1030 DEBUG(10, ("calling find_domain_from_sid\n"));
1031 return find_domain_from_sid(sid);
1034 /* On a member server a query for SID or name can always go to our
1037 DEBUG(10, ("calling find_our_domain\n"));
1038 return find_our_domain();
1041 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
1043 if ( strequal(domain_name, unix_users_domain_name() ) ||
1044 strequal(domain_name, unix_groups_domain_name() ) )
1047 * The "Unix User" and "Unix Group" domain our handled by
1050 return find_domain_from_name_noinit( get_global_sam_name() );
1053 if (IS_DC || strequal(domain_name, "BUILTIN") ||
1054 strequal(domain_name, get_global_sam_name()))
1055 return find_domain_from_name_noinit(domain_name);
1058 return find_our_domain();
1061 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1063 static bool assume_domain(const char *domain)
1065 /* never assume the domain on a standalone server */
1067 if ( lp_server_role() == ROLE_STANDALONE )
1070 /* domain member servers may possibly assume for the domain name */
1072 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1073 if ( !strequal(lp_workgroup(), domain) )
1076 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1080 /* only left with a domain controller */
1082 if ( strequal(get_global_sam_name(), domain) ) {
1089 /* Parse a string of the form DOMAIN\user into a domain and a user */
1091 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1093 char *p = strchr(domuser,*lp_winbind_separator());
1096 fstrcpy(user, domuser);
1097 p = strchr(domuser, '@');
1099 if ( assume_domain(lp_workgroup()) && p == NULL) {
1100 fstrcpy(domain, lp_workgroup());
1101 } else if (p != NULL) {
1102 fstrcpy(domain, p + 1);
1103 user[PTR_DIFF(p, domuser)] = 0;
1109 fstrcpy(domain, domuser);
1110 domain[PTR_DIFF(p, domuser)] = 0;
1113 return strupper_m(domain);
1116 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1117 char **domain, char **user)
1119 fstring fstr_domain, fstr_user;
1120 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1123 *domain = talloc_strdup(mem_ctx, fstr_domain);
1124 *user = talloc_strdup(mem_ctx, fstr_user);
1125 return ((*domain != NULL) && (*user != NULL));
1128 /* Ensure an incoming username from NSS is fully qualified. Replace the
1129 incoming fstring with DOMAIN <separator> user. Returns the same
1130 values as parse_domain_user() but also replaces the incoming username.
1131 Used to ensure all names are fully qualified within winbindd.
1132 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1133 The protocol definitions of auth_crap, chng_pswd_auth_crap
1134 really should be changed to use this instead of doing things
1137 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1139 if (!parse_domain_user(username_inout, domain, user)) {
1142 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1143 domain, *lp_winbind_separator(),
1149 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1150 'winbind separator' options.
1152 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1155 If we are a PDC or BDC, and this is for our domain, do likewise.
1157 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1158 username is then unqualified in unix
1160 On an AD DC we always fill DOMAIN\\USERNAME.
1162 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1164 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1168 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1172 fstrcpy(tmp_user, user);
1173 (void)strlower_m(tmp_user);
1175 if (can_assume && assume_domain(domain)) {
1176 strlcpy(name, tmp_user, sizeof(fstring));
1178 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1179 domain, *lp_winbind_separator(),
1185 * talloc version of fill_domain_username()
1186 * return NULL on talloc failure.
1188 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1193 char *tmp_user, *name;
1195 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1199 tmp_user = talloc_strdup(mem_ctx, user);
1200 if (!strlower_m(tmp_user)) {
1201 TALLOC_FREE(tmp_user);
1205 if (can_assume && assume_domain(domain)) {
1208 name = talloc_asprintf(mem_ctx, "%s%c%s",
1210 *lp_winbind_separator(),
1212 TALLOC_FREE(tmp_user);
1219 * Client list accessor functions
1222 static struct winbindd_cli_state *_client_list;
1223 static int _num_clients;
1225 /* Return list of all connected clients */
1227 struct winbindd_cli_state *winbindd_client_list(void)
1229 return _client_list;
1232 /* Return list-tail of all connected clients */
1234 struct winbindd_cli_state *winbindd_client_list_tail(void)
1236 return DLIST_TAIL(_client_list);
1239 /* Return previous (read:newer) client in list */
1241 struct winbindd_cli_state *
1242 winbindd_client_list_prev(struct winbindd_cli_state *cli)
1244 return DLIST_PREV(cli);
1247 /* Add a connection to the list */
1249 void winbindd_add_client(struct winbindd_cli_state *cli)
1251 cli->last_access = time(NULL);
1252 DLIST_ADD(_client_list, cli);
1256 /* Remove a client from the list */
1258 void winbindd_remove_client(struct winbindd_cli_state *cli)
1260 DLIST_REMOVE(_client_list, cli);
1264 /* Move a client to head or list */
1266 void winbindd_promote_client(struct winbindd_cli_state *cli)
1268 cli->last_access = time(NULL);
1269 DLIST_PROMOTE(_client_list, cli);
1272 /* Return number of open clients */
1274 int winbindd_num_clients(void)
1276 return _num_clients;
1279 NTSTATUS lookup_usergroups_cached(TALLOC_CTX *mem_ctx,
1280 const struct dom_sid *user_sid,
1281 uint32_t *p_num_groups, struct dom_sid **user_sids)
1283 struct netr_SamInfo3 *info3 = NULL;
1284 NTSTATUS status = NT_STATUS_NO_MEMORY;
1285 uint32_t num_groups = 0;
1287 DEBUG(3,(": lookup_usergroups_cached\n"));
1292 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1294 if (info3 == NULL) {
1295 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1299 * Before bug #7843 the "Domain Local" groups were added with a
1300 * lookupuseraliases call, but this isn't done anymore for our domain
1301 * so we need to resolve resource groups here.
1303 * When to use Resource Groups:
1304 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1306 status = sid_array_from_info3(mem_ctx, info3,
1311 if (!NT_STATUS_IS_OK(status)) {
1317 *p_num_groups = num_groups;
1318 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1320 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1325 /*********************************************************************
1326 We use this to remove spaces from user and group names
1327 ********************************************************************/
1329 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1330 struct winbindd_domain *domain,
1336 if (!name || !normalized) {
1337 return NT_STATUS_INVALID_PARAMETER;
1340 if (!lp_winbind_normalize_names()) {
1341 return NT_STATUS_PROCEDURE_NOT_FOUND;
1344 /* Alias support and whitespace replacement are mutually
1347 nt_status = resolve_username_to_alias(mem_ctx, domain,
1349 if (NT_STATUS_IS_OK(nt_status)) {
1350 /* special return code to let the caller know we
1351 mapped to an alias */
1352 return NT_STATUS_FILE_RENAMED;
1355 /* check for an unreachable domain */
1357 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1358 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1360 set_domain_offline(domain);
1364 /* deal with whitespace */
1366 *normalized = talloc_strdup(mem_ctx, name);
1367 if (!(*normalized)) {
1368 return NT_STATUS_NO_MEMORY;
1371 all_string_sub( *normalized, " ", "_", 0 );
1373 return NT_STATUS_OK;
1376 /*********************************************************************
1377 We use this to do the inverse of normalize_name_map()
1378 ********************************************************************/
1380 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1385 struct winbindd_domain *domain = find_our_domain();
1387 if (!name || !normalized) {
1388 return NT_STATUS_INVALID_PARAMETER;
1391 if (!lp_winbind_normalize_names()) {
1392 return NT_STATUS_PROCEDURE_NOT_FOUND;
1395 /* Alias support and whitespace replacement are mutally
1398 /* When mapping from an alias to a username, we don't know the
1399 domain. But we only need a domain structure to cache
1400 a successful lookup , so just our own domain structure for
1403 nt_status = resolve_alias_to_username(mem_ctx, domain,
1405 if (NT_STATUS_IS_OK(nt_status)) {
1406 /* Special return code to let the caller know we mapped
1408 return NT_STATUS_FILE_RENAMED;
1411 /* check for an unreachable domain */
1413 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1414 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1416 set_domain_offline(domain);
1420 /* deal with whitespace */
1422 *normalized = talloc_strdup(mem_ctx, name);
1423 if (!(*normalized)) {
1424 return NT_STATUS_NO_MEMORY;
1427 all_string_sub(*normalized, "_", " ", 0);
1429 return NT_STATUS_OK;
1432 /*********************************************************************
1433 ********************************************************************/
1435 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1437 struct winbindd_tdc_domain *tdc = NULL;
1438 TALLOC_CTX *frame = talloc_stackframe();
1441 /* We can contact the domain if it is our primary domain */
1443 if (domain->primary) {
1448 /* Trust the TDC cache and not the winbindd_domain flags */
1450 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1451 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1457 /* Can always contact a domain that is in out forest */
1459 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1465 * On a _member_ server, we cannot contact the domain if it
1466 * is running AD and we have no inbound trust.
1470 domain->active_directory &&
1471 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1473 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1474 "and we have no inbound trust.\n", domain->name));
1478 /* Assume everything else is ok (probably not true but what
1484 talloc_destroy(frame);
1489 /*********************************************************************
1490 ********************************************************************/
1492 bool winbindd_internal_child(struct winbindd_child *child)
1494 if ((child == idmap_child()) || (child == locator_child())) {
1501 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1503 /*********************************************************************
1504 ********************************************************************/
1506 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1509 char addr[INET6_ADDRSTRLEN];
1510 const char *kdc = NULL;
1513 if (!domain || !domain->alt_name || !*domain->alt_name) {
1517 if (domain->initialized && !domain->active_directory) {
1518 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1523 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1526 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1528 kdc = domain->dcname;
1531 if (!kdc || !*kdc) {
1532 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1537 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1538 domain->alt_name) == -1) {
1542 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1545 setenv(var, kdc, 1);
1549 /*********************************************************************
1550 ********************************************************************/
1552 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1554 struct winbindd_domain *our_dom = find_our_domain();
1556 winbindd_set_locator_kdc_env(domain);
1558 if (domain != our_dom) {
1559 winbindd_set_locator_kdc_env(our_dom);
1563 /*********************************************************************
1564 ********************************************************************/
1566 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1570 if (!domain || !domain->alt_name || !*domain->alt_name) {
1574 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1575 domain->alt_name) == -1) {
1584 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1589 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1594 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1596 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1598 resp->data.auth.nt_status = NT_STATUS_V(result);
1599 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1601 /* we might have given a more useful error above */
1602 if (*resp->data.auth.error_string == '\0')
1603 fstrcpy(resp->data.auth.error_string,
1604 get_friendly_nt_error_msg(result));
1605 resp->data.auth.pam_error = nt_status_to_pam(result);
1608 bool is_domain_offline(const struct winbindd_domain *domain)
1610 if (!lp_winbind_offline_logon()) {
1613 if (get_global_winbindd_state_offline()) {
1616 return !domain->online;
1619 bool is_domain_online(const struct winbindd_domain *domain)
1621 return !is_domain_offline(domain);
1625 * Parse an char array into a list of sids.
1627 * The input sidstr should consist of 0-terminated strings
1628 * representing sids, separated by newline characters '\n'.
1629 * The list is terminated by an empty string, i.e.
1630 * character '\0' directly following a character '\n'
1631 * (or '\0' right at the start of sidstr).
1633 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1634 struct dom_sid **sids, uint32_t *num_sids)
1642 while (p[0] != '\0') {
1644 const char *q = NULL;
1646 if (!dom_sid_parse_endp(p, &sid, &q)) {
1647 DEBUG(1, ("Could not parse sid %s\n", p));
1651 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1654 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
1664 bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr,
1665 struct unixid **pxids, uint32_t *pnum_xids)
1668 struct unixid *xids = NULL;
1669 uint32_t num_xids = 0;
1676 while (p[0] != '\0') {
1679 unsigned long long id;
1684 xid = (struct unixid) { .type = ID_TYPE_UID };
1687 xid = (struct unixid) { .type = ID_TYPE_GID };
1695 id = strtoull(p, &endp, 10);
1696 if ((id == ULLONG_MAX) && (errno == ERANGE)) {
1699 if (*endp != '\n') {
1705 if ((unsigned long long)xid.id != id) {
1709 tmp = talloc_realloc(mem_ctx, xids, struct unixid, num_xids+1);
1715 xids[num_xids] = xid;
1720 *pnum_xids = num_xids;