2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
30 #include "source4/lib/messaging/messaging.h"
31 #include "librpc/gen_ndr/ndr_lsa.h"
32 #include "auth/credentials/credentials.h"
35 #define DBGC_CLASS DBGC_WINBIND
37 static struct winbindd_domain *
38 add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
39 struct winbindd_methods *methods);
41 extern struct winbindd_methods cache_methods;
44 * @file winbindd_util.c
46 * Winbind daemon for NT domain authentication nss module.
50 /* The list of trusted domains. Note that the list can be deleted and
51 recreated using the init_domain_list() function so pointers to
52 individual winbindd_domain structures cannot be made. Keep a copy of
53 the domain name instead. */
55 static struct winbindd_domain *_domain_list = NULL;
57 struct winbindd_domain *domain_list(void)
61 if ((!_domain_list) && (!init_domain_list())) {
62 smb_panic("Init_domain_list failed");
68 /* Free all entries in the trusted domain list */
70 static void free_domain_list(void)
72 struct winbindd_domain *domain = _domain_list;
75 struct winbindd_domain *next = domain->next;
77 DLIST_REMOVE(_domain_list, domain);
84 * Iterator for winbindd's domain list.
85 * To be used (e.g.) in tevent based loops.
87 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
90 domain = domain_list();
92 domain = domain->next;
95 if ((domain != NULL) &&
96 (lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC) &&
97 sid_check_is_our_sam(&domain->sid))
99 domain = domain->next;
105 static bool is_internal_domain(const struct dom_sid *sid)
110 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
113 static bool is_in_internal_domain(const struct dom_sid *sid)
118 return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
122 /* Add a trusted domain to our list of domains.
123 If the domain already exists in the list,
124 return it and don't re-initialize. */
126 static struct winbindd_domain *
127 add_trusted_domain(const char *domain_name, const char *alt_name,
128 struct winbindd_methods *methods, const struct dom_sid *sid)
130 struct winbindd_tdc_domain tdc;
134 tdc.domain_name = domain_name;
135 tdc.dns_name = alt_name;
137 sid_copy(&tdc.sid, sid);
140 return add_trusted_domain_from_tdc(&tdc, methods);
143 /* Add a trusted domain out of a trusted domain cache
146 static struct winbindd_domain *
147 add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
148 struct winbindd_methods *methods)
150 struct winbindd_domain *domain;
151 const char *alternative_name = NULL;
152 const char **ignored_domains, **dom;
153 int role = lp_server_role();
154 const char *domain_name = tdc->domain_name;
155 const struct dom_sid *sid = &tdc->sid;
157 if (is_null_sid(sid)) {
161 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
162 for (dom=ignored_domains; dom && *dom; dom++) {
163 if (gen_fnmatch(*dom, domain_name) == 0) {
164 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
169 /* use alt_name if available to allow DNS lookups */
171 if (tdc->dns_name && *tdc->dns_name) {
172 alternative_name = tdc->dns_name;
175 /* We can't call domain_list() as this function is called from
176 init_domain_list() and we'll get stuck in a loop. */
177 for (domain = _domain_list; domain; domain = domain->next) {
178 if (strequal(domain_name, domain->name) ||
179 strequal(domain_name, domain->alt_name))
184 if (alternative_name) {
185 if (strequal(alternative_name, domain->name) ||
186 strequal(alternative_name, domain->alt_name))
193 if (dom_sid_equal(sid, &domain->sid)) {
199 if (domain != NULL) {
201 * We found a match on domain->name or
202 * domain->alt_name. Possibly update the SID
203 * if the stored SID was the NULL SID
204 * and return the matching entry.
207 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
208 sid_copy( &domain->sid, sid );
213 /* Create new domain entry */
214 domain = talloc_zero(NULL, struct winbindd_domain);
215 if (domain == NULL) {
219 domain->children = talloc_zero_array(domain,
220 struct winbindd_child,
221 lp_winbind_max_domain_connections());
222 if (domain->children == NULL) {
227 domain->name = talloc_strdup(domain, domain_name);
228 if (domain->name == NULL) {
233 if (alternative_name) {
234 domain->alt_name = talloc_strdup(domain, alternative_name);
235 if (domain->alt_name == NULL) {
241 domain->methods = methods;
242 domain->backend = NULL;
243 domain->internal = is_internal_domain(sid);
244 domain->sequence_number = DOM_SEQUENCE_NONE;
245 domain->last_seq_check = 0;
246 domain->initialized = false;
247 domain->online = is_internal_domain(sid);
248 domain->check_online_timeout = 0;
249 domain->dc_probe_pid = (pid_t)-1;
251 sid_copy(&domain->sid, sid);
253 domain->domain_flags = tdc->trust_flags;
254 domain->domain_type = tdc->trust_type;
255 domain->domain_trust_attribs = tdc->trust_attribs;
257 /* Is this our primary domain ? */
258 if (strequal(domain_name, get_global_sam_name()) &&
259 (role != ROLE_DOMAIN_MEMBER)) {
260 domain->primary = true;
261 } else if (strequal(domain_name, lp_workgroup()) &&
262 (role == ROLE_DOMAIN_MEMBER)) {
263 domain->primary = true;
266 if (domain->primary) {
267 if (role == ROLE_ACTIVE_DIRECTORY_DC) {
268 domain->active_directory = true;
270 if (lp_security() == SEC_ADS) {
271 domain->active_directory = true;
273 } else if (!domain->internal) {
274 if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) {
275 domain->active_directory = true;
279 /* Link to domain list */
280 DLIST_ADD_END(_domain_list, domain);
282 wcache_tdc_add_domain( domain );
284 setup_domain_child(domain);
287 ("Added domain %s %s %s\n", domain->name, domain->alt_name,
288 !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : ""));
293 bool domain_is_forest_root(const struct winbindd_domain *domain)
295 const uint32_t fr_flags =
296 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
298 return ((domain->domain_flags & fr_flags) == fr_flags);
301 /********************************************************************
302 rescan our domains looking for new trusted domains
303 ********************************************************************/
305 struct trustdom_state {
306 struct winbindd_domain *domain;
307 struct winbindd_request request;
310 static void trustdom_list_done(struct tevent_req *req);
311 static void rescan_forest_root_trusts( void );
312 static void rescan_forest_trusts( void );
314 static void add_trusted_domains( struct winbindd_domain *domain )
316 struct trustdom_state *state;
317 struct tevent_req *req;
319 state = talloc_zero(NULL, struct trustdom_state);
321 DEBUG(0, ("talloc failed\n"));
324 state->domain = domain;
326 state->request.length = sizeof(state->request);
327 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
329 req = wb_domain_request_send(state, winbind_event_context(),
330 domain, &state->request);
332 DEBUG(1, ("wb_domain_request_send failed\n"));
336 tevent_req_set_callback(req, trustdom_list_done, state);
339 static void trustdom_list_done(struct tevent_req *req)
341 struct trustdom_state *state = tevent_req_callback_data(
342 req, struct trustdom_state);
343 struct winbindd_response *response;
346 struct winbindd_tdc_domain trust_params = {0};
349 res = wb_domain_request_recv(req, state, &response, &err);
350 if ((res == -1) || (response->result != WINBINDD_OK)) {
351 DBG_WARNING("Could not receive trustdoms\n");
356 if (response->length < sizeof(struct winbindd_response)) {
357 DBG_ERR("ill-formed trustdom response - short length\n");
362 extra_len = response->length - sizeof(struct winbindd_response);
364 p = (char *)response->extra_data.data;
366 while ((p - (char *)response->extra_data.data) < extra_len) {
367 char *q, *sidstr, *alt_name;
369 DBG_DEBUG("parsing response line '%s'\n", p);
371 ZERO_STRUCT(trust_params);
372 trust_params.domain_name = p;
374 alt_name = strchr(p, '\\');
375 if (alt_name == NULL) {
376 DBG_ERR("Got invalid trustdom response\n");
383 sidstr = strchr(alt_name, '\\');
384 if (sidstr == NULL) {
385 DBG_ERR("Got invalid trustdom response\n");
392 /* use the real alt_name if we have one, else pass in NULL */
393 if (!strequal(alt_name, "(null)")) {
394 trust_params.dns_name = alt_name;
397 q = strtok(sidstr, "\\");
399 DBG_ERR("Got invalid trustdom response\n");
403 if (!string_to_sid(&trust_params.sid, sidstr)) {
404 DEBUG(0, ("Got invalid trustdom response\n"));
408 q = strtok(NULL, "\\");
410 DBG_ERR("Got invalid trustdom response\n");
414 trust_params.trust_flags = (uint32_t)strtoul(q, NULL, 10);
416 q = strtok(NULL, "\\");
418 DBG_ERR("Got invalid trustdom response\n");
422 trust_params.trust_type = (uint32_t)strtoul(q, NULL, 10);
424 q = strtok(NULL, "\n");
426 DBG_ERR("Got invalid trustdom response\n");
430 trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
433 * We always call add_trusted_domain() cause on an existing
434 * domain structure, it will update the SID if necessary.
435 * This is important because we need the SID for sibling
438 (void)add_trusted_domain_from_tdc(&trust_params,
441 p = q + strlen(q) + 1;
445 Cases to consider when scanning trusts:
446 (a) we are calling from a child domain (primary && !forest_root)
447 (b) we are calling from the root of the forest (primary && forest_root)
448 (c) we are calling from a trusted forest domain (!primary
452 if (state->domain->primary) {
453 /* If this is our primary domain and we are not in the
454 forest root, we have to scan the root trusts first */
456 if (!domain_is_forest_root(state->domain))
457 rescan_forest_root_trusts();
459 rescan_forest_trusts();
461 } else if (domain_is_forest_root(state->domain)) {
462 /* Once we have done root forest trust search, we can
463 go on to search the trusted forests */
465 rescan_forest_trusts();
473 /********************************************************************
474 Scan the trusts of our forest root
475 ********************************************************************/
477 static void rescan_forest_root_trusts( void )
479 struct winbindd_tdc_domain *dom_list = NULL;
480 size_t num_trusts = 0;
483 /* The only transitive trusts supported by Windows 2003 AD are
484 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
485 first two are handled in forest and listed by
486 DsEnumerateDomainTrusts(). Forest trusts are not so we
487 have to do that ourselves. */
489 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
492 for ( i=0; i<num_trusts; i++ ) {
493 struct winbindd_domain *d = NULL;
495 /* Find the forest root. Don't necessarily trust
496 the domain_list() as our primary domain may not
497 have been initialized. */
499 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
503 /* Here's the forest root */
505 d = find_domain_from_name_noinit( dom_list[i].domain_name );
508 d = add_trusted_domain_from_tdc(&dom_list[i],
516 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
517 "for domain tree root %s (%s)\n",
518 d->name, d->alt_name ));
520 d->domain_flags = dom_list[i].trust_flags;
521 d->domain_type = dom_list[i].trust_type;
522 d->domain_trust_attribs = dom_list[i].trust_attribs;
524 add_trusted_domains( d );
529 TALLOC_FREE( dom_list );
534 /********************************************************************
535 scan the transitive forest trusts (not our own)
536 ********************************************************************/
539 static void rescan_forest_trusts( void )
541 struct winbindd_domain *d = NULL;
542 struct winbindd_tdc_domain *dom_list = NULL;
543 size_t num_trusts = 0;
546 /* The only transitive trusts supported by Windows 2003 AD are
547 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
548 first two are handled in forest and listed by
549 DsEnumerateDomainTrusts(). Forest trusts are not so we
550 have to do that ourselves. */
552 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
555 for ( i=0; i<num_trusts; i++ ) {
556 uint32_t flags = dom_list[i].trust_flags;
557 uint32_t type = dom_list[i].trust_type;
558 uint32_t attribs = dom_list[i].trust_attribs;
560 d = find_domain_from_name_noinit( dom_list[i].domain_name );
562 /* ignore our primary and internal domains */
564 if ( d && (d->internal || d->primary ) )
567 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
568 (type == LSA_TRUST_TYPE_UPLEVEL) &&
569 (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
571 /* add the trusted domain if we don't know
575 d = add_trusted_domain_from_tdc(&dom_list[i],
583 DEBUG(10,("Following trust path for domain %s (%s)\n",
584 d->name, d->alt_name ));
585 add_trusted_domains( d );
589 TALLOC_FREE( dom_list );
594 /*********************************************************************
595 The process of updating the trusted domain list is a three step
598 (b) ask the root domain in our forest
599 (c) ask the a DC in any Win2003 trusted forests
600 *********************************************************************/
602 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
603 struct timeval now, void *private_data)
607 /* I use to clear the cache here and start over but that
608 caused problems in child processes that needed the
609 trust dom list early on. Removing it means we
610 could have some trusted domains listed that have been
611 removed from our primary domain's DC until a full
612 restart. This should be ok since I think this is what
613 Windows does as well. */
615 /* this will only add new domains we didn't already know about
616 in the domain_list()*/
618 add_trusted_domains( find_our_domain() );
620 te = tevent_add_timer(
621 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
622 rescan_trusted_domains, NULL);
624 * If te == NULL, there's not much we can do here. Don't fail, the
625 * only thing we miss is new trusted domains.
631 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
632 struct winbindd_cli_state *state)
634 /* Ensure null termination */
635 state->request->domain_name
636 [sizeof(state->request->domain_name)-1]='\0';
637 state->request->data.init_conn.dcname
638 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
640 if (strlen(state->request->data.init_conn.dcname) > 0) {
641 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
644 init_dc_connection(domain, false);
646 if (!domain->initialized) {
647 /* If we return error here we can't do any cached authentication,
648 but we may be in disconnected mode and can't initialize correctly.
649 Do what the previous code did and just return without initialization,
650 once we go online we'll re-initialize.
652 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
653 "online = %d\n", domain->name, (int)domain->online ));
656 fstrcpy(state->response->data.domain_info.name, domain->name);
657 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
658 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
660 state->response->data.domain_info.native_mode
661 = domain->native_mode;
662 state->response->data.domain_info.active_directory
663 = domain->active_directory;
664 state->response->data.domain_info.primary
670 static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
673 struct server_id server_id,
676 TALLOC_CTX *frame = talloc_stackframe();
677 struct lsa_TrustDomainInfoInfoEx info;
678 enum ndr_err_code ndr_err;
679 struct winbindd_domain *d = NULL;
681 DEBUG(5, ("wb_imsg_new_trusted_domain\n"));
688 ndr_err = ndr_pull_struct_blob_all(data, frame, &info,
689 (ndr_pull_flags_fn_t)ndr_pull_lsa_TrustDomainInfoInfoEx);
690 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
695 d = find_domain_from_name_noinit(info.netbios_name.string);
701 d = add_trusted_domain(info.netbios_name.string,
702 info.domain_name.string,
720 if (info.trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
721 d->domain_flags |= NETR_TRUST_FLAG_INBOUND;
723 if (info.trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
724 d->domain_flags |= NETR_TRUST_FLAG_OUTBOUND;
726 if (info.trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
727 d->domain_flags |= NETR_TRUST_FLAG_IN_FOREST;
729 d->domain_type = info.trust_type;
730 d->domain_trust_attribs = info.trust_attributes;
736 * We did not get the secret when we queried secrets.tdb, so read it
737 * from secrets.tdb and re-sync the databases
739 static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
742 struct cli_credentials *creds;
743 NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
744 NULL, domain, &creds);
745 if (!NT_STATUS_IS_OK(can_migrate)) {
746 DEBUG(0, ("Failed to fetch our own, local AD domain join "
747 "password for winbindd's internal use, both from "
748 "secrets.tdb and secrets.ldb: %s\n",
749 nt_errstr(can_migrate)));
754 * NOTE: It is very unlikely we end up here if there is an
755 * oldpass, because a new password is created at
756 * classicupgrade, so this is not a concern.
758 ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
760 cli_credentials_get_domain(creds),
761 cli_credentials_get_realm(creds),
762 cli_credentials_get_salt_principal(creds),
763 0, /* Supported enc types, unused */
765 cli_credentials_get_password_last_changed_time(creds),
766 cli_credentials_get_secure_channel_type(creds),
767 false /* do_delete: Do not delete */);
770 DEBUG(0, ("Failed to write our our own, "
771 "local AD domain join password for "
772 "winbindd's internal use into secrets.tdb\n"));
778 /* Look up global info for the winbind daemon */
779 bool init_domain_list(void)
781 int role = lp_server_role();
784 /* Free existing list */
789 (void)add_trusted_domain("BUILTIN", NULL, &cache_methods,
790 &global_sid_Builtin);
794 if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
795 struct winbindd_domain *domain;
796 enum netr_SchannelType sec_chan_type;
797 const char *account_name;
798 struct samr_Password current_nt_hash;
799 struct pdb_domain_info *pdb_domain_info;
802 pdb_domain_info = pdb_get_domain_info(talloc_tos());
803 if (pdb_domain_info == NULL) {
804 DEBUG(0, ("Failed to fetch our own, local AD "
805 "domain info from sam.ldb\n"));
808 domain = add_trusted_domain(pdb_domain_info->name,
809 pdb_domain_info->dns_domain,
811 &pdb_domain_info->sid);
812 TALLOC_FREE(pdb_domain_info);
813 if (domain == NULL) {
814 DEBUG(0, ("Failed to add our own, local AD "
815 "domain to winbindd's internal list\n"));
820 * We need to call this to find out if we are an RODC
822 ok = get_trust_pw_hash(domain->name,
823 current_nt_hash.hash,
828 * If get_trust_pw_hash() fails, then try and
829 * fetch the password from the more recent of
830 * secrets.{ldb,tdb} using the
831 * pdb_get_trust_credentials()
833 ok = migrate_secrets_tdb_to_ldb(domain);
836 DEBUG(0, ("Failed to migrate our own, "
837 "local AD domain join password for "
838 "winbindd's internal use into "
842 ok = get_trust_pw_hash(domain->name,
843 current_nt_hash.hash,
847 DEBUG(0, ("Failed to find our our own, just "
848 "written local AD domain join "
849 "password for winbindd's internal "
850 "use in secrets.tdb\n"));
854 if (sec_chan_type == SEC_CHAN_RODC) {
859 (void)add_trusted_domain(get_global_sam_name(), NULL,
860 &cache_methods, get_global_sam_sid());
862 /* Add ourselves as the first entry. */
864 if ( role == ROLE_DOMAIN_MEMBER ) {
865 struct winbindd_domain *domain;
866 struct dom_sid our_sid;
868 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
869 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
873 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
874 &cache_methods, &our_sid);
876 /* Even in the parent winbindd we'll need to
877 talk to the DC, so try and see if we can
878 contact it. Theoretically this isn't neccessary
879 as the init_dc_connection() in init_child_recv()
880 will do this, but we can start detecting the DC
882 set_domain_online_request(domain);
886 status = imessaging_register(winbind_imessaging_context(), NULL,
887 MSG_WINBIND_NEW_TRUSTED_DOMAIN,
888 wb_imsg_new_trusted_domain);
889 if (!NT_STATUS_IS_OK(status)) {
890 DEBUG(0, ("imessaging_register(MSG_WINBIND_NEW_TRUSTED_DOMAIN) - %s\n",
899 * Given a domain name, return the struct winbindd domain info for it
901 * @note Do *not* pass lp_workgroup() to this function. domain_list
902 * may modify it's value, and free that pointer. Instead, our local
903 * domain may be found by calling find_our_domain().
907 * @return The domain structure for the named domain, if it is working.
910 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
912 struct winbindd_domain *domain;
914 /* Search through list */
916 for (domain = domain_list(); domain != NULL; domain = domain->next) {
917 if (strequal(domain_name, domain->name) ||
918 (domain->alt_name != NULL &&
919 strequal(domain_name, domain->alt_name))) {
929 struct winbindd_domain *find_domain_from_name(const char *domain_name)
931 struct winbindd_domain *domain;
933 domain = find_domain_from_name_noinit(domain_name);
938 if (!domain->initialized)
939 init_dc_connection(domain, false);
944 /* Given a domain sid, return the struct winbindd domain info for it */
946 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
948 struct winbindd_domain *domain;
950 /* Search through list */
952 for (domain = domain_list(); domain != NULL; domain = domain->next) {
953 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
962 /* Given a domain sid, return the struct winbindd domain info for it */
964 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
966 struct winbindd_domain *domain;
968 domain = find_domain_from_sid_noinit(sid);
973 if (!domain->initialized)
974 init_dc_connection(domain, false);
979 struct winbindd_domain *find_our_domain(void)
981 struct winbindd_domain *domain;
983 /* Search through list */
985 for (domain = domain_list(); domain != NULL; domain = domain->next) {
990 smb_panic("Could not find our domain");
994 struct winbindd_domain *find_root_domain(void)
996 struct winbindd_domain *ours = find_our_domain();
998 if (ours->forest_name == NULL) {
1002 return find_domain_from_name( ours->forest_name );
1005 struct winbindd_domain *find_builtin_domain(void)
1007 struct winbindd_domain *domain;
1009 domain = find_domain_from_sid(&global_sid_Builtin);
1010 if (domain == NULL) {
1011 smb_panic("Could not find BUILTIN domain");
1017 /* Find the appropriate domain to lookup a name or SID */
1019 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
1021 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
1023 if ( sid_check_is_in_unix_groups(sid) ||
1024 sid_check_is_unix_groups(sid) ||
1025 sid_check_is_in_unix_users(sid) ||
1026 sid_check_is_unix_users(sid) )
1028 return find_domain_from_sid(get_global_sam_sid());
1031 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
1032 * one to contact the external DC's. On member servers the internal
1033 * domains are different: These are part of the local SAM. */
1035 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
1037 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
1038 DEBUG(10, ("calling find_domain_from_sid\n"));
1039 return find_domain_from_sid(sid);
1042 /* On a member server a query for SID or name can always go to our
1045 DEBUG(10, ("calling find_our_domain\n"));
1046 return find_our_domain();
1049 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
1051 if ( strequal(domain_name, unix_users_domain_name() ) ||
1052 strequal(domain_name, unix_groups_domain_name() ) )
1055 * The "Unix User" and "Unix Group" domain our handled by
1058 return find_domain_from_name_noinit( get_global_sam_name() );
1061 if (IS_DC || strequal(domain_name, "BUILTIN") ||
1062 strequal(domain_name, get_global_sam_name()))
1063 return find_domain_from_name_noinit(domain_name);
1066 return find_our_domain();
1069 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1071 static bool assume_domain(const char *domain)
1073 /* never assume the domain on a standalone server */
1075 if ( lp_server_role() == ROLE_STANDALONE )
1078 /* domain member servers may possibly assume for the domain name */
1080 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1081 if ( !strequal(lp_workgroup(), domain) )
1084 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1088 /* only left with a domain controller */
1090 if ( strequal(get_global_sam_name(), domain) ) {
1097 /* Parse a string of the form DOMAIN\user into a domain and a user */
1099 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1101 char *p = strchr(domuser,*lp_winbind_separator());
1104 fstrcpy(user, domuser);
1106 if ( assume_domain(lp_workgroup())) {
1107 fstrcpy(domain, lp_workgroup());
1108 } else if ((p = strchr(domuser, '@')) != NULL) {
1109 fstrcpy(domain, p + 1);
1110 user[PTR_DIFF(p, domuser)] = 0;
1116 fstrcpy(domain, domuser);
1117 domain[PTR_DIFF(p, domuser)] = 0;
1120 return strupper_m(domain);
1123 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1124 char **domain, char **user)
1126 fstring fstr_domain, fstr_user;
1127 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1130 *domain = talloc_strdup(mem_ctx, fstr_domain);
1131 *user = talloc_strdup(mem_ctx, fstr_user);
1132 return ((*domain != NULL) && (*user != NULL));
1135 /* Ensure an incoming username from NSS is fully qualified. Replace the
1136 incoming fstring with DOMAIN <separator> user. Returns the same
1137 values as parse_domain_user() but also replaces the incoming username.
1138 Used to ensure all names are fully qualified within winbindd.
1139 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1140 The protocol definitions of auth_crap, chng_pswd_auth_crap
1141 really should be changed to use this instead of doing things
1144 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1146 if (!parse_domain_user(username_inout, domain, user)) {
1149 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1150 domain, *lp_winbind_separator(),
1156 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1157 'winbind separator' options.
1159 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1162 If we are a PDC or BDC, and this is for our domain, do likewise.
1164 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1165 username is then unqualified in unix
1167 On an AD DC we always fill DOMAIN\\USERNAME.
1169 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1171 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1175 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1179 fstrcpy(tmp_user, user);
1180 (void)strlower_m(tmp_user);
1182 if (can_assume && assume_domain(domain)) {
1183 strlcpy(name, tmp_user, sizeof(fstring));
1185 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1186 domain, *lp_winbind_separator(),
1192 * talloc version of fill_domain_username()
1193 * return NULL on talloc failure.
1195 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1200 char *tmp_user, *name;
1202 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1206 tmp_user = talloc_strdup(mem_ctx, user);
1207 if (!strlower_m(tmp_user)) {
1208 TALLOC_FREE(tmp_user);
1212 if (can_assume && assume_domain(domain)) {
1215 name = talloc_asprintf(mem_ctx, "%s%c%s",
1217 *lp_winbind_separator(),
1219 TALLOC_FREE(tmp_user);
1226 * Client list accessor functions
1229 static struct winbindd_cli_state *_client_list;
1230 static int _num_clients;
1232 /* Return list of all connected clients */
1234 struct winbindd_cli_state *winbindd_client_list(void)
1236 return _client_list;
1239 /* Return list-tail of all connected clients */
1241 struct winbindd_cli_state *winbindd_client_list_tail(void)
1243 return DLIST_TAIL(_client_list);
1246 /* Return previous (read:newer) client in list */
1248 struct winbindd_cli_state *
1249 winbindd_client_list_prev(struct winbindd_cli_state *cli)
1251 return DLIST_PREV(cli);
1254 /* Add a connection to the list */
1256 void winbindd_add_client(struct winbindd_cli_state *cli)
1258 cli->last_access = time(NULL);
1259 DLIST_ADD(_client_list, cli);
1263 /* Remove a client from the list */
1265 void winbindd_remove_client(struct winbindd_cli_state *cli)
1267 DLIST_REMOVE(_client_list, cli);
1271 /* Move a client to head or list */
1273 void winbindd_promote_client(struct winbindd_cli_state *cli)
1275 cli->last_access = time(NULL);
1276 DLIST_PROMOTE(_client_list, cli);
1279 /* Return number of open clients */
1281 int winbindd_num_clients(void)
1283 return _num_clients;
1286 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1287 TALLOC_CTX *mem_ctx,
1288 const struct dom_sid *user_sid,
1289 uint32_t *p_num_groups, struct dom_sid **user_sids)
1291 struct netr_SamInfo3 *info3 = NULL;
1292 NTSTATUS status = NT_STATUS_NO_MEMORY;
1293 uint32_t num_groups = 0;
1295 DEBUG(3,(": lookup_usergroups_cached\n"));
1300 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1302 if (info3 == NULL) {
1303 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1306 if (info3->base.groups.count == 0) {
1308 return NT_STATUS_UNSUCCESSFUL;
1312 * Before bug #7843 the "Domain Local" groups were added with a
1313 * lookupuseraliases call, but this isn't done anymore for our domain
1314 * so we need to resolve resource groups here.
1316 * When to use Resource Groups:
1317 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1319 status = sid_array_from_info3(mem_ctx, info3,
1324 if (!NT_STATUS_IS_OK(status)) {
1330 *p_num_groups = num_groups;
1331 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1333 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1338 /*********************************************************************
1339 We use this to remove spaces from user and group names
1340 ********************************************************************/
1342 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1343 struct winbindd_domain *domain,
1349 if (!name || !normalized) {
1350 return NT_STATUS_INVALID_PARAMETER;
1353 if (!lp_winbind_normalize_names()) {
1354 return NT_STATUS_PROCEDURE_NOT_FOUND;
1357 /* Alias support and whitespace replacement are mutually
1360 nt_status = resolve_username_to_alias(mem_ctx, domain,
1362 if (NT_STATUS_IS_OK(nt_status)) {
1363 /* special return code to let the caller know we
1364 mapped to an alias */
1365 return NT_STATUS_FILE_RENAMED;
1368 /* check for an unreachable domain */
1370 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1371 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1373 set_domain_offline(domain);
1377 /* deal with whitespace */
1379 *normalized = talloc_strdup(mem_ctx, name);
1380 if (!(*normalized)) {
1381 return NT_STATUS_NO_MEMORY;
1384 all_string_sub( *normalized, " ", "_", 0 );
1386 return NT_STATUS_OK;
1389 /*********************************************************************
1390 We use this to do the inverse of normalize_name_map()
1391 ********************************************************************/
1393 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1398 struct winbindd_domain *domain = find_our_domain();
1400 if (!name || !normalized) {
1401 return NT_STATUS_INVALID_PARAMETER;
1404 if (!lp_winbind_normalize_names()) {
1405 return NT_STATUS_PROCEDURE_NOT_FOUND;
1408 /* Alias support and whitespace replacement are mutally
1411 /* When mapping from an alias to a username, we don't know the
1412 domain. But we only need a domain structure to cache
1413 a successful lookup , so just our own domain structure for
1416 nt_status = resolve_alias_to_username(mem_ctx, domain,
1418 if (NT_STATUS_IS_OK(nt_status)) {
1419 /* Special return code to let the caller know we mapped
1421 return NT_STATUS_FILE_RENAMED;
1424 /* check for an unreachable domain */
1426 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1427 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1429 set_domain_offline(domain);
1433 /* deal with whitespace */
1435 *normalized = talloc_strdup(mem_ctx, name);
1436 if (!(*normalized)) {
1437 return NT_STATUS_NO_MEMORY;
1440 all_string_sub(*normalized, "_", " ", 0);
1442 return NT_STATUS_OK;
1445 /*********************************************************************
1446 ********************************************************************/
1448 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1450 struct winbindd_tdc_domain *tdc = NULL;
1451 TALLOC_CTX *frame = talloc_stackframe();
1454 /* We can contact the domain if it is our primary domain */
1456 if (domain->primary) {
1461 /* Trust the TDC cache and not the winbindd_domain flags */
1463 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1464 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1470 /* Can always contact a domain that is in out forest */
1472 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1478 * On a _member_ server, we cannot contact the domain if it
1479 * is running AD and we have no inbound trust.
1483 domain->active_directory &&
1484 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1486 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1487 "and we have no inbound trust.\n", domain->name));
1491 /* Assume everything else is ok (probably not true but what
1497 talloc_destroy(frame);
1502 /*********************************************************************
1503 ********************************************************************/
1505 bool winbindd_internal_child(struct winbindd_child *child)
1507 if ((child == idmap_child()) || (child == locator_child())) {
1514 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1516 /*********************************************************************
1517 ********************************************************************/
1519 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1522 char addr[INET6_ADDRSTRLEN];
1523 const char *kdc = NULL;
1526 if (!domain || !domain->alt_name || !*domain->alt_name) {
1530 if (domain->initialized && !domain->active_directory) {
1531 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1536 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1539 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1541 kdc = domain->dcname;
1544 if (!kdc || !*kdc) {
1545 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1550 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1551 domain->alt_name) == -1) {
1555 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1558 setenv(var, kdc, 1);
1562 /*********************************************************************
1563 ********************************************************************/
1565 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1567 struct winbindd_domain *our_dom = find_our_domain();
1569 winbindd_set_locator_kdc_env(domain);
1571 if (domain != our_dom) {
1572 winbindd_set_locator_kdc_env(our_dom);
1576 /*********************************************************************
1577 ********************************************************************/
1579 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1583 if (!domain || !domain->alt_name || !*domain->alt_name) {
1587 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1588 domain->alt_name) == -1) {
1597 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1602 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1607 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1609 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1611 resp->data.auth.nt_status = NT_STATUS_V(result);
1612 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1614 /* we might have given a more useful error above */
1615 if (*resp->data.auth.error_string == '\0')
1616 fstrcpy(resp->data.auth.error_string,
1617 get_friendly_nt_error_msg(result));
1618 resp->data.auth.pam_error = nt_status_to_pam(result);
1621 bool is_domain_offline(const struct winbindd_domain *domain)
1623 if (!lp_winbind_offline_logon()) {
1626 if (get_global_winbindd_state_offline()) {
1629 return !domain->online;
1632 bool is_domain_online(const struct winbindd_domain *domain)
1634 return !is_domain_offline(domain);
1638 * Parse an char array into a list of sids.
1640 * The input sidstr should consist of 0-terminated strings
1641 * representing sids, separated by newline characters '\n'.
1642 * The list is terminated by an empty string, i.e.
1643 * character '\0' directly following a character '\n'
1644 * (or '\0' right at the start of sidstr).
1646 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1647 struct dom_sid **sids, uint32_t *num_sids)
1655 while (p[0] != '\0') {
1657 const char *q = NULL;
1659 if (!dom_sid_parse_endp(p, &sid, &q)) {
1660 DEBUG(1, ("Could not parse sid %s\n", p));
1663 if ((q == NULL) || (q[0] != '\n')) {
1664 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1667 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
1677 bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr,
1678 struct unixid **pxids, uint32_t *pnum_xids)
1681 struct unixid *xids = NULL;
1682 uint32_t num_xids = 0;
1689 while (p[0] != '\0') {
1692 unsigned long long id;
1697 xid = (struct unixid) { .type = ID_TYPE_UID };
1700 xid = (struct unixid) { .type = ID_TYPE_GID };
1708 id = strtoull(p, &endp, 10);
1709 if ((id == ULLONG_MAX) && (errno == ERANGE)) {
1712 if (*endp != '\n') {
1718 if ((unsigned long long)xid.id != id) {
1722 tmp = talloc_realloc(mem_ctx, xids, struct unixid, num_xids+1);
1728 xids[num_xids] = xid;
1733 *pnum_xids = num_xids;