2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
30 #include "source4/lib/messaging/messaging.h"
31 #include "librpc/gen_ndr/ndr_lsa.h"
34 #define DBGC_CLASS DBGC_WINBIND
36 extern struct winbindd_methods cache_methods;
39 * @file winbindd_util.c
41 * Winbind daemon for NT domain authentication nss module.
45 /* The list of trusted domains. Note that the list can be deleted and
46 recreated using the init_domain_list() function so pointers to
47 individual winbindd_domain structures cannot be made. Keep a copy of
48 the domain name instead. */
50 static struct winbindd_domain *_domain_list = NULL;
52 struct winbindd_domain *domain_list(void)
56 if ((!_domain_list) && (!init_domain_list())) {
57 smb_panic("Init_domain_list failed");
63 /* Free all entries in the trusted domain list */
65 static void free_domain_list(void)
67 struct winbindd_domain *domain = _domain_list;
70 struct winbindd_domain *next = domain->next;
72 DLIST_REMOVE(_domain_list, domain);
79 * Iterator for winbindd's domain list.
80 * To be used (e.g.) in tevent based loops.
82 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
85 domain = domain_list();
87 domain = domain->next;
91 && sid_check_is_our_sam(&domain->sid)) {
92 domain = domain->next;
97 static bool is_internal_domain(const struct dom_sid *sid)
102 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
105 static bool is_in_internal_domain(const struct dom_sid *sid)
110 return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
114 /* Add a trusted domain to our list of domains.
115 If the domain already exists in the list,
116 return it and don't re-initialize. */
118 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
119 struct winbindd_methods *methods,
120 const struct dom_sid *sid)
122 struct winbindd_domain *domain;
123 const char *alternative_name = NULL;
124 char *idmap_config_option;
126 const char **ignored_domains, **dom;
127 int role = lp_server_role();
129 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
130 for (dom=ignored_domains; dom && *dom; dom++) {
131 if (gen_fnmatch(*dom, domain_name) == 0) {
132 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
137 /* use alt_name if available to allow DNS lookups */
139 if (alt_name && *alt_name) {
140 alternative_name = alt_name;
143 /* We can't call domain_list() as this function is called from
144 init_domain_list() and we'll get stuck in a loop. */
145 for (domain = _domain_list; domain; domain = domain->next) {
146 if (strequal(domain_name, domain->name) ||
147 strequal(domain_name, domain->alt_name))
152 if (alternative_name && *alternative_name)
154 if (strequal(alternative_name, domain->name) ||
155 strequal(alternative_name, domain->alt_name))
163 if (is_null_sid(sid)) {
167 if (dom_sid_equal(sid, &domain->sid)) {
173 if (domain != NULL) {
175 * We found a match on domain->name or
176 * domain->alt_name. Possibly update the SID
177 * if the stored SID was the NULL SID
178 * and return the matching entry.
181 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
182 sid_copy( &domain->sid, sid );
187 /* Create new domain entry */
188 domain = talloc_zero(NULL, struct winbindd_domain);
189 if (domain == NULL) {
193 domain->children = talloc_zero_array(domain,
194 struct winbindd_child,
195 lp_winbind_max_domain_connections());
196 if (domain->children == NULL) {
201 domain->name = talloc_strdup(domain, domain_name);
202 if (domain->name == NULL) {
207 if (alternative_name) {
208 domain->alt_name = talloc_strdup(domain, alternative_name);
209 if (domain->alt_name == NULL) {
215 domain->methods = methods;
216 domain->backend = NULL;
217 domain->internal = is_internal_domain(sid);
218 domain->sequence_number = DOM_SEQUENCE_NONE;
219 domain->last_seq_check = 0;
220 domain->initialized = False;
221 domain->online = is_internal_domain(sid);
222 domain->check_online_timeout = 0;
223 domain->dc_probe_pid = (pid_t)-1;
225 sid_copy(&domain->sid, sid);
228 /* Is this our primary domain ? */
229 if (strequal(domain_name, get_global_sam_name()) &&
230 (role != ROLE_DOMAIN_MEMBER)) {
231 domain->primary = true;
232 } else if (strequal(domain_name, lp_workgroup()) &&
233 (role == ROLE_DOMAIN_MEMBER)) {
234 domain->primary = true;
237 if (domain->primary) {
238 if (role == ROLE_ACTIVE_DIRECTORY_DC) {
239 domain->active_directory = true;
241 if (lp_security() == SEC_ADS) {
242 domain->active_directory = true;
246 /* Link to domain list */
247 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
249 wcache_tdc_add_domain( domain );
251 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
253 if (idmap_config_option == NULL) {
254 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
258 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
260 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
261 param ? param : "not defined"));
264 unsigned low_id, high_id;
265 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
266 DEBUG(1, ("invalid range syntax in %s: %s\n",
267 idmap_config_option, param));
270 if (low_id > high_id) {
271 DEBUG(1, ("invalid range in %s: %s\n",
272 idmap_config_option, param));
275 domain->have_idmap_config = true;
276 domain->id_range_low = low_id;
277 domain->id_range_high = high_id;
282 setup_domain_child(domain);
284 DEBUG(2,("Added domain %s %s %s\n",
285 domain->name, domain->alt_name,
286 &domain->sid?sid_string_dbg(&domain->sid):""));
291 bool domain_is_forest_root(const struct winbindd_domain *domain)
293 const uint32_t fr_flags =
294 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
296 return ((domain->domain_flags & fr_flags) == fr_flags);
299 /********************************************************************
300 rescan our domains looking for new trusted domains
301 ********************************************************************/
303 struct trustdom_state {
304 struct winbindd_domain *domain;
305 struct winbindd_request request;
308 static void trustdom_list_done(struct tevent_req *req);
309 static void rescan_forest_root_trusts( void );
310 static void rescan_forest_trusts( void );
312 static void add_trusted_domains( struct winbindd_domain *domain )
314 struct trustdom_state *state;
315 struct tevent_req *req;
317 state = talloc_zero(NULL, struct trustdom_state);
319 DEBUG(0, ("talloc failed\n"));
322 state->domain = domain;
324 state->request.length = sizeof(state->request);
325 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
327 req = wb_domain_request_send(state, winbind_event_context(),
328 domain, &state->request);
330 DEBUG(1, ("wb_domain_request_send failed\n"));
334 tevent_req_set_callback(req, trustdom_list_done, state);
337 static void trustdom_list_done(struct tevent_req *req)
339 struct trustdom_state *state = tevent_req_callback_data(
340 req, struct trustdom_state);
341 struct winbindd_response *response;
345 res = wb_domain_request_recv(req, state, &response, &err);
346 if ((res == -1) || (response->result != WINBINDD_OK)) {
347 DEBUG(1, ("Could not receive trustdoms\n"));
352 p = (char *)response->extra_data.data;
354 while ((p != NULL) && (*p != '\0')) {
355 char *q, *sidstr, *alt_name;
357 char *alternate_name = NULL;
359 alt_name = strchr(p, '\\');
360 if (alt_name == NULL) {
361 DEBUG(0, ("Got invalid trustdom response\n"));
368 sidstr = strchr(alt_name, '\\');
369 if (sidstr == NULL) {
370 DEBUG(0, ("Got invalid trustdom response\n"));
377 q = strchr(sidstr, '\n');
381 if (!string_to_sid(&sid, sidstr)) {
382 DEBUG(0, ("Got invalid trustdom response\n"));
386 /* use the real alt_name if we have one, else pass in NULL */
388 if ( !strequal( alt_name, "(null)" ) )
389 alternate_name = alt_name;
392 * We always call add_trusted_domain() cause on an existing
393 * domain structure, it will update the SID if necessary.
394 * This is important because we need the SID for sibling
397 (void)add_trusted_domain(p, alternate_name,
407 Cases to consider when scanning trusts:
408 (a) we are calling from a child domain (primary && !forest_root)
409 (b) we are calling from the root of the forest (primary && forest_root)
410 (c) we are calling from a trusted forest domain (!primary
414 if (state->domain->primary) {
415 /* If this is our primary domain and we are not in the
416 forest root, we have to scan the root trusts first */
418 if (!domain_is_forest_root(state->domain))
419 rescan_forest_root_trusts();
421 rescan_forest_trusts();
423 } else if (domain_is_forest_root(state->domain)) {
424 /* Once we have done root forest trust search, we can
425 go on to search the trusted forests */
427 rescan_forest_trusts();
435 /********************************************************************
436 Scan the trusts of our forest root
437 ********************************************************************/
439 static void rescan_forest_root_trusts( void )
441 struct winbindd_tdc_domain *dom_list = NULL;
442 size_t num_trusts = 0;
445 /* The only transitive trusts supported by Windows 2003 AD are
446 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
447 first two are handled in forest and listed by
448 DsEnumerateDomainTrusts(). Forest trusts are not so we
449 have to do that ourselves. */
451 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
454 for ( i=0; i<num_trusts; i++ ) {
455 struct winbindd_domain *d = NULL;
457 /* Find the forest root. Don't necessarily trust
458 the domain_list() as our primary domain may not
459 have been initialized. */
461 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
465 /* Here's the forest root */
467 d = find_domain_from_name_noinit( dom_list[i].domain_name );
470 d = add_trusted_domain( dom_list[i].domain_name,
471 dom_list[i].dns_name,
480 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
481 "for domain tree root %s (%s)\n",
482 d->name, d->alt_name ));
484 d->domain_flags = dom_list[i].trust_flags;
485 d->domain_type = dom_list[i].trust_type;
486 d->domain_trust_attribs = dom_list[i].trust_attribs;
488 add_trusted_domains( d );
493 TALLOC_FREE( dom_list );
498 /********************************************************************
499 scan the transitive forest trusts (not our own)
500 ********************************************************************/
503 static void rescan_forest_trusts( void )
505 struct winbindd_domain *d = NULL;
506 struct winbindd_tdc_domain *dom_list = NULL;
507 size_t num_trusts = 0;
510 /* The only transitive trusts supported by Windows 2003 AD are
511 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
512 first two are handled in forest and listed by
513 DsEnumerateDomainTrusts(). Forest trusts are not so we
514 have to do that ourselves. */
516 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
519 for ( i=0; i<num_trusts; i++ ) {
520 uint32_t flags = dom_list[i].trust_flags;
521 uint32_t type = dom_list[i].trust_type;
522 uint32_t attribs = dom_list[i].trust_attribs;
524 d = find_domain_from_name_noinit( dom_list[i].domain_name );
526 /* ignore our primary and internal domains */
528 if ( d && (d->internal || d->primary ) )
531 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
532 (type == LSA_TRUST_TYPE_UPLEVEL) &&
533 (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
535 /* add the trusted domain if we don't know
539 d = add_trusted_domain( dom_list[i].domain_name,
540 dom_list[i].dns_name,
549 DEBUG(10,("Following trust path for domain %s (%s)\n",
550 d->name, d->alt_name ));
551 add_trusted_domains( d );
555 TALLOC_FREE( dom_list );
560 /*********************************************************************
561 The process of updating the trusted domain list is a three step
564 (b) ask the root domain in our forest
565 (c) ask the a DC in any Win2003 trusted forests
566 *********************************************************************/
568 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
569 struct timeval now, void *private_data)
573 /* I use to clear the cache here and start over but that
574 caused problems in child processes that needed the
575 trust dom list early on. Removing it means we
576 could have some trusted domains listed that have been
577 removed from our primary domain's DC until a full
578 restart. This should be ok since I think this is what
579 Windows does as well. */
581 /* this will only add new domains we didn't already know about
582 in the domain_list()*/
584 add_trusted_domains( find_our_domain() );
586 te = tevent_add_timer(
587 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
588 rescan_trusted_domains, NULL);
590 * If te == NULL, there's not much we can do here. Don't fail, the
591 * only thing we miss is new trusted domains.
597 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
598 struct winbindd_cli_state *state)
600 /* Ensure null termination */
601 state->request->domain_name
602 [sizeof(state->request->domain_name)-1]='\0';
603 state->request->data.init_conn.dcname
604 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
606 if (strlen(state->request->data.init_conn.dcname) > 0) {
607 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
610 init_dc_connection(domain, false);
612 if (!domain->initialized) {
613 /* If we return error here we can't do any cached authentication,
614 but we may be in disconnected mode and can't initialize correctly.
615 Do what the previous code did and just return without initialization,
616 once we go online we'll re-initialize.
618 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
619 "online = %d\n", domain->name, (int)domain->online ));
622 fstrcpy(state->response->data.domain_info.name, domain->name);
623 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
624 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
626 state->response->data.domain_info.native_mode
627 = domain->native_mode;
628 state->response->data.domain_info.active_directory
629 = domain->active_directory;
630 state->response->data.domain_info.primary
636 static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
639 struct server_id server_id,
642 TALLOC_CTX *frame = talloc_stackframe();
643 struct lsa_TrustDomainInfoInfoEx info;
644 enum ndr_err_code ndr_err;
645 struct winbindd_domain *d = NULL;
647 DEBUG(5, ("wb_imsg_new_trusted_domain\n"));
654 ndr_err = ndr_pull_struct_blob_all(data, frame, &info,
655 (ndr_pull_flags_fn_t)ndr_pull_lsa_TrustDomainInfoInfoEx);
656 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
661 d = find_domain_from_name_noinit(info.netbios_name.string);
667 d = add_trusted_domain(info.netbios_name.string,
668 info.domain_name.string,
686 if (info.trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
687 d->domain_flags |= NETR_TRUST_FLAG_INBOUND;
689 if (info.trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
690 d->domain_flags |= NETR_TRUST_FLAG_OUTBOUND;
692 if (info.trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
693 d->domain_flags |= NETR_TRUST_FLAG_IN_FOREST;
695 d->domain_type = info.trust_type;
696 d->domain_trust_attribs = info.trust_attributes;
701 /* Look up global info for the winbind daemon */
702 bool init_domain_list(void)
704 int role = lp_server_role();
707 /* Free existing list */
712 (void)add_trusted_domain("BUILTIN", NULL, &cache_methods,
713 &global_sid_Builtin);
717 if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
718 struct winbindd_domain *domain;
719 enum netr_SchannelType sec_chan_type;
720 const char *account_name;
721 struct samr_Password current_nt_hash;
724 domain = add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
725 &cache_methods, get_global_sam_sid());
726 if (domain == NULL) {
727 DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
732 * We need to call this to find out if we are an RODC
734 ok = get_trust_pw_hash(domain->name,
735 current_nt_hash.hash,
739 DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
742 if (sec_chan_type == SEC_CHAN_RODC) {
747 (void)add_trusted_domain(get_global_sam_name(), NULL,
748 &cache_methods, get_global_sam_sid());
750 /* Add ourselves as the first entry. */
752 if ( role == ROLE_DOMAIN_MEMBER ) {
753 struct winbindd_domain *domain;
754 struct dom_sid our_sid;
756 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
757 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
761 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
762 &cache_methods, &our_sid);
764 /* Even in the parent winbindd we'll need to
765 talk to the DC, so try and see if we can
766 contact it. Theoretically this isn't neccessary
767 as the init_dc_connection() in init_child_recv()
768 will do this, but we can start detecting the DC
770 set_domain_online_request(domain);
774 status = imessaging_register(winbind_imessaging_context(), NULL,
775 MSG_WINBIND_NEW_TRUSTED_DOMAIN,
776 wb_imsg_new_trusted_domain);
777 if (!NT_STATUS_IS_OK(status)) {
778 DEBUG(0, ("imessaging_register(MSG_WINBIND_NEW_TRUSTED_DOMAIN) - %s\n",
787 * Given a domain name, return the struct winbindd domain info for it
789 * @note Do *not* pass lp_workgroup() to this function. domain_list
790 * may modify it's value, and free that pointer. Instead, our local
791 * domain may be found by calling find_our_domain().
795 * @return The domain structure for the named domain, if it is working.
798 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
800 struct winbindd_domain *domain;
802 /* Search through list */
804 for (domain = domain_list(); domain != NULL; domain = domain->next) {
805 if (strequal(domain_name, domain->name) ||
806 (domain->alt_name != NULL &&
807 strequal(domain_name, domain->alt_name))) {
817 struct winbindd_domain *find_domain_from_name(const char *domain_name)
819 struct winbindd_domain *domain;
821 domain = find_domain_from_name_noinit(domain_name);
826 if (!domain->initialized)
827 init_dc_connection(domain, false);
832 /* Given a domain sid, return the struct winbindd domain info for it */
834 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
836 struct winbindd_domain *domain;
838 /* Search through list */
840 for (domain = domain_list(); domain != NULL; domain = domain->next) {
841 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
850 /* Given a domain sid, return the struct winbindd domain info for it */
852 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
854 struct winbindd_domain *domain;
856 domain = find_domain_from_sid_noinit(sid);
861 if (!domain->initialized)
862 init_dc_connection(domain, false);
867 struct winbindd_domain *find_our_domain(void)
869 struct winbindd_domain *domain;
871 /* Search through list */
873 for (domain = domain_list(); domain != NULL; domain = domain->next) {
878 smb_panic("Could not find our domain");
882 struct winbindd_domain *find_root_domain(void)
884 struct winbindd_domain *ours = find_our_domain();
886 if (ours->forest_name == NULL) {
890 return find_domain_from_name( ours->forest_name );
893 struct winbindd_domain *find_builtin_domain(void)
895 struct winbindd_domain *domain;
897 domain = find_domain_from_sid(&global_sid_Builtin);
898 if (domain == NULL) {
899 smb_panic("Could not find BUILTIN domain");
905 /* Find the appropriate domain to lookup a name or SID */
907 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
909 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
911 if ( sid_check_is_in_unix_groups(sid) ||
912 sid_check_is_unix_groups(sid) ||
913 sid_check_is_in_unix_users(sid) ||
914 sid_check_is_unix_users(sid) )
916 return find_domain_from_sid(get_global_sam_sid());
919 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
920 * one to contact the external DC's. On member servers the internal
921 * domains are different: These are part of the local SAM. */
923 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
925 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
926 DEBUG(10, ("calling find_domain_from_sid\n"));
927 return find_domain_from_sid(sid);
930 /* On a member server a query for SID or name can always go to our
933 DEBUG(10, ("calling find_our_domain\n"));
934 return find_our_domain();
937 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
939 if ( strequal(domain_name, unix_users_domain_name() ) ||
940 strequal(domain_name, unix_groups_domain_name() ) )
943 * The "Unix User" and "Unix Group" domain our handled by
946 return find_domain_from_name_noinit( get_global_sam_name() );
949 if (IS_DC || strequal(domain_name, "BUILTIN") ||
950 strequal(domain_name, get_global_sam_name()))
951 return find_domain_from_name_noinit(domain_name);
954 return find_our_domain();
957 /* Is this a domain which we may assume no DOMAIN\ prefix? */
959 static bool assume_domain(const char *domain)
961 /* never assume the domain on a standalone server */
963 if ( lp_server_role() == ROLE_STANDALONE )
966 /* domain member servers may possibly assume for the domain name */
968 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
969 if ( !strequal(lp_workgroup(), domain) )
972 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
976 /* only left with a domain controller */
978 if ( strequal(get_global_sam_name(), domain) ) {
985 /* Parse a string of the form DOMAIN\user into a domain and a user */
987 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
989 char *p = strchr(domuser,*lp_winbind_separator());
992 fstrcpy(user, domuser);
994 if ( assume_domain(lp_workgroup())) {
995 fstrcpy(domain, lp_workgroup());
996 } else if ((p = strchr(domuser, '@')) != NULL) {
997 fstrcpy(domain, p + 1);
998 user[PTR_DIFF(p, domuser)] = 0;
1004 fstrcpy(domain, domuser);
1005 domain[PTR_DIFF(p, domuser)] = 0;
1008 return strupper_m(domain);
1011 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1012 char **domain, char **user)
1014 fstring fstr_domain, fstr_user;
1015 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1018 *domain = talloc_strdup(mem_ctx, fstr_domain);
1019 *user = talloc_strdup(mem_ctx, fstr_user);
1020 return ((*domain != NULL) && (*user != NULL));
1023 /* Ensure an incoming username from NSS is fully qualified. Replace the
1024 incoming fstring with DOMAIN <separator> user. Returns the same
1025 values as parse_domain_user() but also replaces the incoming username.
1026 Used to ensure all names are fully qualified within winbindd.
1027 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1028 The protocol definitions of auth_crap, chng_pswd_auth_crap
1029 really should be changed to use this instead of doing things
1032 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1034 if (!parse_domain_user(username_inout, domain, user)) {
1037 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1038 domain, *lp_winbind_separator(),
1044 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1045 'winbind separator' options.
1047 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1050 If we are a PDC or BDC, and this is for our domain, do likewise.
1052 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1053 username is then unqualified in unix
1055 On an AD DC we always fill DOMAIN\\USERNAME.
1057 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1059 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1063 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1067 fstrcpy(tmp_user, user);
1068 (void)strlower_m(tmp_user);
1070 if (can_assume && assume_domain(domain)) {
1071 strlcpy(name, tmp_user, sizeof(fstring));
1073 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1074 domain, *lp_winbind_separator(),
1080 * talloc version of fill_domain_username()
1081 * return NULL on talloc failure.
1083 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1088 char *tmp_user, *name;
1090 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1094 tmp_user = talloc_strdup(mem_ctx, user);
1095 if (!strlower_m(tmp_user)) {
1096 TALLOC_FREE(tmp_user);
1100 if (can_assume && assume_domain(domain)) {
1103 name = talloc_asprintf(mem_ctx, "%s%c%s",
1105 *lp_winbind_separator(),
1107 TALLOC_FREE(tmp_user);
1114 * Client list accessor functions
1117 static struct winbindd_cli_state *_client_list;
1118 static int _num_clients;
1120 /* Return list of all connected clients */
1122 struct winbindd_cli_state *winbindd_client_list(void)
1124 return _client_list;
1127 /* Add a connection to the list */
1129 void winbindd_add_client(struct winbindd_cli_state *cli)
1131 DLIST_ADD(_client_list, cli);
1135 /* Remove a client from the list */
1137 void winbindd_remove_client(struct winbindd_cli_state *cli)
1139 DLIST_REMOVE(_client_list, cli);
1143 /* Return number of open clients */
1145 int winbindd_num_clients(void)
1147 return _num_clients;
1150 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1151 TALLOC_CTX *mem_ctx,
1152 const struct dom_sid *user_sid,
1153 uint32_t *p_num_groups, struct dom_sid **user_sids)
1155 struct netr_SamInfo3 *info3 = NULL;
1156 NTSTATUS status = NT_STATUS_NO_MEMORY;
1157 uint32_t num_groups = 0;
1159 DEBUG(3,(": lookup_usergroups_cached\n"));
1164 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1166 if (info3 == NULL) {
1167 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1170 if (info3->base.groups.count == 0) {
1172 return NT_STATUS_UNSUCCESSFUL;
1176 * Before bug #7843 the "Domain Local" groups were added with a
1177 * lookupuseraliases call, but this isn't done anymore for our domain
1178 * so we need to resolve resource groups here.
1180 * When to use Resource Groups:
1181 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1183 status = sid_array_from_info3(mem_ctx, info3,
1188 if (!NT_STATUS_IS_OK(status)) {
1194 *p_num_groups = num_groups;
1195 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1197 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1202 /*********************************************************************
1203 We use this to remove spaces from user and group names
1204 ********************************************************************/
1206 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1207 struct winbindd_domain *domain,
1213 if (!name || !normalized) {
1214 return NT_STATUS_INVALID_PARAMETER;
1217 if (!lp_winbind_normalize_names()) {
1218 return NT_STATUS_PROCEDURE_NOT_FOUND;
1221 /* Alias support and whitespace replacement are mutually
1224 nt_status = resolve_username_to_alias(mem_ctx, domain,
1226 if (NT_STATUS_IS_OK(nt_status)) {
1227 /* special return code to let the caller know we
1228 mapped to an alias */
1229 return NT_STATUS_FILE_RENAMED;
1232 /* check for an unreachable domain */
1234 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1235 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1237 set_domain_offline(domain);
1241 /* deal with whitespace */
1243 *normalized = talloc_strdup(mem_ctx, name);
1244 if (!(*normalized)) {
1245 return NT_STATUS_NO_MEMORY;
1248 all_string_sub( *normalized, " ", "_", 0 );
1250 return NT_STATUS_OK;
1253 /*********************************************************************
1254 We use this to do the inverse of normalize_name_map()
1255 ********************************************************************/
1257 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1262 struct winbindd_domain *domain = find_our_domain();
1264 if (!name || !normalized) {
1265 return NT_STATUS_INVALID_PARAMETER;
1268 if (!lp_winbind_normalize_names()) {
1269 return NT_STATUS_PROCEDURE_NOT_FOUND;
1272 /* Alias support and whitespace replacement are mutally
1275 /* When mapping from an alias to a username, we don't know the
1276 domain. But we only need a domain structure to cache
1277 a successful lookup , so just our own domain structure for
1280 nt_status = resolve_alias_to_username(mem_ctx, domain,
1282 if (NT_STATUS_IS_OK(nt_status)) {
1283 /* Special return code to let the caller know we mapped
1285 return NT_STATUS_FILE_RENAMED;
1288 /* check for an unreachable domain */
1290 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1291 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1293 set_domain_offline(domain);
1297 /* deal with whitespace */
1299 *normalized = talloc_strdup(mem_ctx, name);
1300 if (!(*normalized)) {
1301 return NT_STATUS_NO_MEMORY;
1304 all_string_sub(*normalized, "_", " ", 0);
1306 return NT_STATUS_OK;
1309 /*********************************************************************
1310 ********************************************************************/
1312 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1314 struct winbindd_tdc_domain *tdc = NULL;
1315 TALLOC_CTX *frame = talloc_stackframe();
1318 /* We can contact the domain if it is our primary domain */
1320 if (domain->primary) {
1325 /* Trust the TDC cache and not the winbindd_domain flags */
1327 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1328 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1334 /* Can always contact a domain that is in out forest */
1336 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1342 * On a _member_ server, we cannot contact the domain if it
1343 * is running AD and we have no inbound trust.
1347 domain->active_directory &&
1348 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1350 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1351 "and we have no inbound trust.\n", domain->name));
1355 /* Assume everything else is ok (probably not true but what
1361 talloc_destroy(frame);
1366 /*********************************************************************
1367 ********************************************************************/
1369 bool winbindd_internal_child(struct winbindd_child *child)
1371 if ((child == idmap_child()) || (child == locator_child())) {
1378 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1380 /*********************************************************************
1381 ********************************************************************/
1383 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1386 char addr[INET6_ADDRSTRLEN];
1387 const char *kdc = NULL;
1390 if (!domain || !domain->alt_name || !*domain->alt_name) {
1394 if (domain->initialized && !domain->active_directory) {
1395 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1400 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1403 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1405 kdc = domain->dcname;
1408 if (!kdc || !*kdc) {
1409 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1414 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1415 domain->alt_name) == -1) {
1419 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1422 setenv(var, kdc, 1);
1426 /*********************************************************************
1427 ********************************************************************/
1429 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1431 struct winbindd_domain *our_dom = find_our_domain();
1433 winbindd_set_locator_kdc_env(domain);
1435 if (domain != our_dom) {
1436 winbindd_set_locator_kdc_env(our_dom);
1440 /*********************************************************************
1441 ********************************************************************/
1443 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1447 if (!domain || !domain->alt_name || !*domain->alt_name) {
1451 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1452 domain->alt_name) == -1) {
1461 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1466 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1471 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1473 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1475 resp->data.auth.nt_status = NT_STATUS_V(result);
1476 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1478 /* we might have given a more useful error above */
1479 if (*resp->data.auth.error_string == '\0')
1480 fstrcpy(resp->data.auth.error_string,
1481 get_friendly_nt_error_msg(result));
1482 resp->data.auth.pam_error = nt_status_to_pam(result);
1485 bool is_domain_offline(const struct winbindd_domain *domain)
1487 if (!lp_winbind_offline_logon()) {
1490 if (get_global_winbindd_state_offline()) {
1493 return !domain->online;
1496 bool is_domain_online(const struct winbindd_domain *domain)
1498 return !is_domain_offline(domain);
1502 * Parse an char array into a list of sids.
1504 * The input sidstr should consist of 0-terminated strings
1505 * representing sids, separated by newline characters '\n'.
1506 * The list is terminated by an empty string, i.e.
1507 * character '\0' directly following a character '\n'
1508 * (or '\0' right at the start of sidstr).
1510 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1511 struct dom_sid **sids, uint32_t *num_sids)
1519 while (p[0] != '\0') {
1521 const char *q = NULL;
1523 if (!dom_sid_parse_endp(p, &sid, &q)) {
1524 DEBUG(1, ("Could not parse sid %s\n", p));
1527 if ((q == NULL) || (q[0] != '\n')) {
1528 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1531 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,