2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "lib/util_unixsids.h"
27 #include "../libcli/security/security.h"
28 #include "../libcli/auth/pam_errors.h"
29 #include "passdb/machine_sid.h"
31 #include "source4/lib/messaging/messaging.h"
32 #include "librpc/gen_ndr/ndr_lsa.h"
33 #include "auth/credentials/credentials.h"
34 #include "libsmb/samlogon_cache.h"
37 #define DBGC_CLASS DBGC_WINBIND
39 static struct winbindd_domain *
40 add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc);
43 * @file winbindd_util.c
45 * Winbind daemon for NT domain authentication nss module.
49 /* The list of trusted domains. Note that the list can be deleted and
50 recreated using the init_domain_list() function so pointers to
51 individual winbindd_domain structures cannot be made. Keep a copy of
52 the domain name instead. */
54 static struct winbindd_domain *_domain_list = NULL;
56 struct winbindd_domain *domain_list(void)
60 if ((!_domain_list) && (!init_domain_list())) {
61 smb_panic("Init_domain_list failed");
67 /* Free all entries in the trusted domain list */
69 static void free_domain_list(void)
71 struct winbindd_domain *domain = _domain_list;
74 struct winbindd_domain *next = domain->next;
76 DLIST_REMOVE(_domain_list, domain);
83 * Iterator for winbindd's domain list.
84 * To be used (e.g.) in tevent based loops.
86 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
89 domain = domain_list();
91 domain = domain->next;
94 if ((domain != NULL) &&
95 (lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC) &&
96 sid_check_is_our_sam(&domain->sid))
98 domain = domain->next;
104 static bool is_internal_domain(const struct dom_sid *sid)
109 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
112 static bool is_in_internal_domain(const struct dom_sid *sid)
117 return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
121 /* Add a trusted domain to our list of domains.
122 If the domain already exists in the list,
123 return it and don't re-initialize. */
125 static struct winbindd_domain *
126 add_trusted_domain(const char *domain_name, const char *alt_name,
127 const struct dom_sid *sid)
129 struct winbindd_tdc_domain tdc;
133 tdc.domain_name = domain_name;
134 tdc.dns_name = alt_name;
136 sid_copy(&tdc.sid, sid);
139 return add_trusted_domain_from_tdc(&tdc);
142 /* Add a trusted domain out of a trusted domain cache
145 static struct winbindd_domain *
146 add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc)
148 struct winbindd_domain *domain;
149 const char *alternative_name = NULL;
150 const char **ignored_domains, **dom;
151 int role = lp_server_role();
152 const char *domain_name = tdc->domain_name;
153 const struct dom_sid *sid = &tdc->sid;
155 if (is_null_sid(sid)) {
159 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
160 for (dom=ignored_domains; dom && *dom; dom++) {
161 if (gen_fnmatch(*dom, domain_name) == 0) {
162 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
167 /* use alt_name if available to allow DNS lookups */
169 if (tdc->dns_name && *tdc->dns_name) {
170 alternative_name = tdc->dns_name;
173 /* We can't call domain_list() as this function is called from
174 init_domain_list() and we'll get stuck in a loop. */
175 for (domain = _domain_list; domain; domain = domain->next) {
176 if (strequal(domain_name, domain->name) ||
177 strequal(domain_name, domain->alt_name))
182 if (alternative_name) {
183 if (strequal(alternative_name, domain->name) ||
184 strequal(alternative_name, domain->alt_name))
191 if (dom_sid_equal(sid, &domain->sid)) {
197 if (domain != NULL) {
199 * We found a match on domain->name or
200 * domain->alt_name. Possibly update the SID
201 * if the stored SID was the NULL SID
202 * and return the matching entry.
205 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
206 sid_copy( &domain->sid, sid );
211 /* Create new domain entry */
212 domain = talloc_zero(NULL, struct winbindd_domain);
213 if (domain == NULL) {
217 domain->children = talloc_zero_array(domain,
218 struct winbindd_child,
219 lp_winbind_max_domain_connections());
220 if (domain->children == NULL) {
225 domain->name = talloc_strdup(domain, domain_name);
226 if (domain->name == NULL) {
231 if (alternative_name) {
232 domain->alt_name = talloc_strdup(domain, alternative_name);
233 if (domain->alt_name == NULL) {
239 domain->backend = NULL;
240 domain->internal = is_internal_domain(sid);
241 domain->sequence_number = DOM_SEQUENCE_NONE;
242 domain->last_seq_check = 0;
243 domain->initialized = false;
244 domain->online = is_internal_domain(sid);
245 domain->check_online_timeout = 0;
246 domain->dc_probe_pid = (pid_t)-1;
248 sid_copy(&domain->sid, sid);
250 domain->domain_flags = tdc->trust_flags;
251 domain->domain_type = tdc->trust_type;
252 domain->domain_trust_attribs = tdc->trust_attribs;
254 /* Is this our primary domain ? */
255 if (strequal(domain_name, get_global_sam_name()) &&
256 (role != ROLE_DOMAIN_MEMBER)) {
257 domain->primary = true;
258 } else if (strequal(domain_name, lp_workgroup()) &&
259 (role == ROLE_DOMAIN_MEMBER)) {
260 domain->primary = true;
263 if (domain->primary) {
264 if (role == ROLE_ACTIVE_DIRECTORY_DC) {
265 domain->active_directory = true;
267 if (lp_security() == SEC_ADS) {
268 domain->active_directory = true;
270 } else if (!domain->internal) {
271 if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) {
272 domain->active_directory = true;
276 /* Link to domain list */
277 DLIST_ADD_END(_domain_list, domain);
279 wcache_tdc_add_domain( domain );
281 setup_domain_child(domain);
284 ("Added domain %s %s %s\n", domain->name, domain->alt_name,
285 !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : ""));
290 bool domain_is_forest_root(const struct winbindd_domain *domain)
292 const uint32_t fr_flags =
293 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
295 return ((domain->domain_flags & fr_flags) == fr_flags);
298 /********************************************************************
299 rescan our domains looking for new trusted domains
300 ********************************************************************/
302 struct trustdom_state {
303 struct winbindd_domain *domain;
304 struct winbindd_request request;
307 static void trustdom_list_done(struct tevent_req *req);
308 static void rescan_forest_root_trusts( void );
309 static void rescan_forest_trusts( void );
311 static void add_trusted_domains( struct winbindd_domain *domain )
313 struct trustdom_state *state;
314 struct tevent_req *req;
316 state = talloc_zero(NULL, struct trustdom_state);
318 DEBUG(0, ("talloc failed\n"));
321 state->domain = domain;
323 state->request.length = sizeof(state->request);
324 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
326 req = wb_domain_request_send(state, winbind_event_context(),
327 domain, &state->request);
329 DEBUG(1, ("wb_domain_request_send failed\n"));
333 tevent_req_set_callback(req, trustdom_list_done, state);
336 static void trustdom_list_done(struct tevent_req *req)
338 struct trustdom_state *state = tevent_req_callback_data(
339 req, struct trustdom_state);
340 struct winbindd_response *response;
343 struct winbindd_tdc_domain trust_params = {0};
345 bool within_forest = false;
348 * Only when we enumerate our primary domain
349 * or our forest root domain, we should keep
350 * the NETR_TRUST_FLAG_IN_FOREST flag, in
351 * all other cases we need to clear it as the domain
352 * is not part of our forest.
354 if (state->domain->primary) {
355 within_forest = true;
356 } else if (domain_is_forest_root(state->domain)) {
357 within_forest = true;
360 res = wb_domain_request_recv(req, state, &response, &err);
361 if ((res == -1) || (response->result != WINBINDD_OK)) {
362 DBG_WARNING("Could not receive trusts for domain %s\n",
363 state->domain->name);
368 if (response->length < sizeof(struct winbindd_response)) {
369 DBG_ERR("ill-formed trustdom response - short length\n");
374 extra_len = response->length - sizeof(struct winbindd_response);
376 p = (char *)response->extra_data.data;
378 while ((p - (char *)response->extra_data.data) < extra_len) {
379 char *q, *sidstr, *alt_name;
381 DBG_DEBUG("parsing response line '%s'\n", p);
383 ZERO_STRUCT(trust_params);
384 trust_params.domain_name = p;
386 alt_name = strchr(p, '\\');
387 if (alt_name == NULL) {
388 DBG_ERR("Got invalid trustdom response\n");
395 sidstr = strchr(alt_name, '\\');
396 if (sidstr == NULL) {
397 DBG_ERR("Got invalid trustdom response\n");
404 /* use the real alt_name if we have one, else pass in NULL */
405 if (!strequal(alt_name, "(null)")) {
406 trust_params.dns_name = alt_name;
409 q = strtok(sidstr, "\\");
411 DBG_ERR("Got invalid trustdom response\n");
415 if (!string_to_sid(&trust_params.sid, sidstr)) {
416 DEBUG(0, ("Got invalid trustdom response\n"));
420 q = strtok(NULL, "\\");
422 DBG_ERR("Got invalid trustdom response\n");
426 trust_params.trust_flags = (uint32_t)strtoul(q, NULL, 10);
428 q = strtok(NULL, "\\");
430 DBG_ERR("Got invalid trustdom response\n");
434 trust_params.trust_type = (uint32_t)strtoul(q, NULL, 10);
436 q = strtok(NULL, "\n");
438 DBG_ERR("Got invalid trustdom response\n");
442 trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
444 if (!within_forest) {
445 trust_params.trust_flags &= ~NETR_TRUST_FLAG_IN_FOREST;
448 if (!state->domain->primary) {
449 trust_params.trust_flags &= ~NETR_TRUST_FLAG_PRIMARY;
453 * We always call add_trusted_domain() cause on an existing
454 * domain structure, it will update the SID if necessary.
455 * This is important because we need the SID for sibling
458 (void)add_trusted_domain_from_tdc(&trust_params);
460 p = q + strlen(q) + 1;
464 Cases to consider when scanning trusts:
465 (a) we are calling from a child domain (primary && !forest_root)
466 (b) we are calling from the root of the forest (primary && forest_root)
467 (c) we are calling from a trusted forest domain (!primary
471 if (state->domain->primary) {
472 /* If this is our primary domain and we are not in the
473 forest root, we have to scan the root trusts first */
475 if (!domain_is_forest_root(state->domain))
476 rescan_forest_root_trusts();
478 rescan_forest_trusts();
480 } else if (domain_is_forest_root(state->domain)) {
481 /* Once we have done root forest trust search, we can
482 go on to search the trusted forests */
484 rescan_forest_trusts();
492 /********************************************************************
493 Scan the trusts of our forest root
494 ********************************************************************/
496 static void rescan_forest_root_trusts( void )
498 struct winbindd_tdc_domain *dom_list = NULL;
499 size_t num_trusts = 0;
502 /* The only transitive trusts supported by Windows 2003 AD are
503 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
504 first two are handled in forest and listed by
505 DsEnumerateDomainTrusts(). Forest trusts are not so we
506 have to do that ourselves. */
508 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
511 for ( i=0; i<num_trusts; i++ ) {
512 struct winbindd_domain *d = NULL;
514 /* Find the forest root. Don't necessarily trust
515 the domain_list() as our primary domain may not
516 have been initialized. */
518 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
522 /* Here's the forest root */
524 d = find_domain_from_name_noinit( dom_list[i].domain_name );
527 d = add_trusted_domain_from_tdc(&dom_list[i]);
534 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
535 "for domain tree root %s (%s)\n",
536 d->name, d->alt_name ));
538 d->domain_flags = dom_list[i].trust_flags;
539 d->domain_type = dom_list[i].trust_type;
540 d->domain_trust_attribs = dom_list[i].trust_attribs;
542 add_trusted_domains( d );
547 TALLOC_FREE( dom_list );
552 /********************************************************************
553 scan the transitive forest trusts (not our own)
554 ********************************************************************/
557 static void rescan_forest_trusts( void )
559 struct winbindd_domain *d = NULL;
560 struct winbindd_tdc_domain *dom_list = NULL;
561 size_t num_trusts = 0;
564 /* The only transitive trusts supported by Windows 2003 AD are
565 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
566 first two are handled in forest and listed by
567 DsEnumerateDomainTrusts(). Forest trusts are not so we
568 have to do that ourselves. */
570 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
573 for ( i=0; i<num_trusts; i++ ) {
574 uint32_t flags = dom_list[i].trust_flags;
575 uint32_t type = dom_list[i].trust_type;
576 uint32_t attribs = dom_list[i].trust_attribs;
578 d = find_domain_from_name_noinit( dom_list[i].domain_name );
580 /* ignore our primary and internal domains */
582 if ( d && (d->internal || d->primary ) )
585 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
586 (type == LSA_TRUST_TYPE_UPLEVEL) &&
587 (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
589 /* add the trusted domain if we don't know
593 d = add_trusted_domain_from_tdc(&dom_list[i]);
600 DEBUG(10,("Following trust path for domain %s (%s)\n",
601 d->name, d->alt_name ));
602 add_trusted_domains( d );
606 TALLOC_FREE( dom_list );
611 /*********************************************************************
612 The process of updating the trusted domain list is a three step
615 (b) ask the root domain in our forest
616 (c) ask the a DC in any Win2003 trusted forests
617 *********************************************************************/
619 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
620 struct timeval now, void *private_data)
624 /* I use to clear the cache here and start over but that
625 caused problems in child processes that needed the
626 trust dom list early on. Removing it means we
627 could have some trusted domains listed that have been
628 removed from our primary domain's DC until a full
629 restart. This should be ok since I think this is what
630 Windows does as well. */
632 /* this will only add new domains we didn't already know about
633 in the domain_list()*/
635 add_trusted_domains( find_our_domain() );
637 te = tevent_add_timer(
638 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
639 rescan_trusted_domains, NULL);
641 * If te == NULL, there's not much we can do here. Don't fail, the
642 * only thing we miss is new trusted domains.
648 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
649 struct winbindd_cli_state *state)
651 /* Ensure null termination */
652 state->request->domain_name
653 [sizeof(state->request->domain_name)-1]='\0';
654 state->request->data.init_conn.dcname
655 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
657 if (strlen(state->request->data.init_conn.dcname) > 0) {
658 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
661 init_dc_connection(domain, false);
663 if (!domain->initialized) {
664 /* If we return error here we can't do any cached authentication,
665 but we may be in disconnected mode and can't initialize correctly.
666 Do what the previous code did and just return without initialization,
667 once we go online we'll re-initialize.
669 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
670 "online = %d\n", domain->name, (int)domain->online ));
673 fstrcpy(state->response->data.domain_info.name, domain->name);
674 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
675 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
677 state->response->data.domain_info.native_mode
678 = domain->native_mode;
679 state->response->data.domain_info.active_directory
680 = domain->active_directory;
681 state->response->data.domain_info.primary
687 static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
690 struct server_id server_id,
693 TALLOC_CTX *frame = talloc_stackframe();
694 struct lsa_TrustDomainInfoInfoEx info;
695 enum ndr_err_code ndr_err;
696 struct winbindd_domain *d = NULL;
698 DEBUG(5, ("wb_imsg_new_trusted_domain\n"));
705 ndr_err = ndr_pull_struct_blob_all(data, frame, &info,
706 (ndr_pull_flags_fn_t)ndr_pull_lsa_TrustDomainInfoInfoEx);
707 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
712 d = find_domain_from_name_noinit(info.netbios_name.string);
718 d = add_trusted_domain(info.netbios_name.string,
719 info.domain_name.string,
736 if (info.trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
737 d->domain_flags |= NETR_TRUST_FLAG_INBOUND;
739 if (info.trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
740 d->domain_flags |= NETR_TRUST_FLAG_OUTBOUND;
742 if (info.trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
743 d->domain_flags |= NETR_TRUST_FLAG_IN_FOREST;
745 d->domain_type = info.trust_type;
746 d->domain_trust_attribs = info.trust_attributes;
752 * We did not get the secret when we queried secrets.tdb, so read it
753 * from secrets.tdb and re-sync the databases
755 static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
758 struct cli_credentials *creds;
759 NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
760 NULL, domain, &creds);
761 if (!NT_STATUS_IS_OK(can_migrate)) {
762 DEBUG(0, ("Failed to fetch our own, local AD domain join "
763 "password for winbindd's internal use, both from "
764 "secrets.tdb and secrets.ldb: %s\n",
765 nt_errstr(can_migrate)));
770 * NOTE: It is very unlikely we end up here if there is an
771 * oldpass, because a new password is created at
772 * classicupgrade, so this is not a concern.
774 ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
776 cli_credentials_get_domain(creds),
777 cli_credentials_get_realm(creds),
778 cli_credentials_get_salt_principal(creds),
779 0, /* Supported enc types, unused */
781 cli_credentials_get_password_last_changed_time(creds),
782 cli_credentials_get_secure_channel_type(creds),
783 false /* do_delete: Do not delete */);
786 DEBUG(0, ("Failed to write our our own, "
787 "local AD domain join password for "
788 "winbindd's internal use into secrets.tdb\n"));
794 /* Look up global info for the winbind daemon */
795 bool init_domain_list(void)
797 int role = lp_server_role();
798 struct pdb_domain_info *pdb_domain_info = NULL;
801 /* Free existing list */
806 (void)add_trusted_domain("BUILTIN", NULL, &global_sid_Builtin);
811 * In case the passdb backend is passdb_dsdb the domain SID comes from
812 * dsdb, not from secrets.tdb. As we use the domain SID in various
813 * places, we must ensure the domain SID is migrated from dsdb to
814 * secrets.tdb before get_global_sam_sid() is called the first time.
816 * The migration is done as part of the passdb_dsdb initialisation,
817 * calling pdb_get_domain_info() triggers it.
819 pdb_domain_info = pdb_get_domain_info(talloc_tos());
821 if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
822 struct winbindd_domain *domain;
823 enum netr_SchannelType sec_chan_type;
824 const char *account_name;
825 struct samr_Password current_nt_hash;
828 if (pdb_domain_info == NULL) {
829 DEBUG(0, ("Failed to fetch our own, local AD "
830 "domain info from sam.ldb\n"));
833 domain = add_trusted_domain(pdb_domain_info->name,
834 pdb_domain_info->dns_domain,
835 &pdb_domain_info->sid);
836 TALLOC_FREE(pdb_domain_info);
837 if (domain == NULL) {
838 DEBUG(0, ("Failed to add our own, local AD "
839 "domain to winbindd's internal list\n"));
844 * We need to call this to find out if we are an RODC
846 ok = get_trust_pw_hash(domain->name,
847 current_nt_hash.hash,
852 * If get_trust_pw_hash() fails, then try and
853 * fetch the password from the more recent of
854 * secrets.{ldb,tdb} using the
855 * pdb_get_trust_credentials()
857 ok = migrate_secrets_tdb_to_ldb(domain);
860 DEBUG(0, ("Failed to migrate our own, "
861 "local AD domain join password for "
862 "winbindd's internal use into "
866 ok = get_trust_pw_hash(domain->name,
867 current_nt_hash.hash,
871 DEBUG(0, ("Failed to find our our own, just "
872 "written local AD domain join "
873 "password for winbindd's internal "
874 "use in secrets.tdb\n"));
878 if (sec_chan_type == SEC_CHAN_RODC) {
883 (void)add_trusted_domain(get_global_sam_name(), NULL,
884 get_global_sam_sid());
886 /* Add ourselves as the first entry. */
888 if ( role == ROLE_DOMAIN_MEMBER ) {
889 struct winbindd_domain *domain;
890 struct dom_sid our_sid;
892 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
893 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
897 domain = add_trusted_domain(lp_workgroup(), lp_realm(),
900 /* Even in the parent winbindd we'll need to
901 talk to the DC, so try and see if we can
902 contact it. Theoretically this isn't neccessary
903 as the init_dc_connection() in init_child_recv()
904 will do this, but we can start detecting the DC
906 set_domain_online_request(domain);
910 status = imessaging_register(winbind_imessaging_context(), NULL,
911 MSG_WINBIND_NEW_TRUSTED_DOMAIN,
912 wb_imsg_new_trusted_domain);
913 if (!NT_STATUS_IS_OK(status)) {
914 DEBUG(0, ("imessaging_register(MSG_WINBIND_NEW_TRUSTED_DOMAIN) - %s\n",
923 * Given a domain name, return the struct winbindd domain info for it
925 * @note Do *not* pass lp_workgroup() to this function. domain_list
926 * may modify it's value, and free that pointer. Instead, our local
927 * domain may be found by calling find_our_domain().
931 * @return The domain structure for the named domain, if it is working.
934 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
936 struct winbindd_domain *domain;
938 /* Search through list */
940 for (domain = domain_list(); domain != NULL; domain = domain->next) {
941 if (strequal(domain_name, domain->name) ||
942 (domain->alt_name != NULL &&
943 strequal(domain_name, domain->alt_name))) {
953 struct winbindd_domain *find_domain_from_name(const char *domain_name)
955 struct winbindd_domain *domain;
957 domain = find_domain_from_name_noinit(domain_name);
962 if (!domain->initialized)
963 init_dc_connection(domain, false);
968 /* Given a domain sid, return the struct winbindd domain info for it */
970 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
972 struct winbindd_domain *domain;
974 /* Search through list */
976 for (domain = domain_list(); domain != NULL; domain = domain->next) {
977 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
986 /* Given a domain sid, return the struct winbindd domain info for it */
988 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
990 struct winbindd_domain *domain;
992 domain = find_domain_from_sid_noinit(sid);
997 if (!domain->initialized)
998 init_dc_connection(domain, false);
1003 struct winbindd_domain *find_our_domain(void)
1005 struct winbindd_domain *domain;
1007 /* Search through list */
1009 for (domain = domain_list(); domain != NULL; domain = domain->next) {
1010 if (domain->primary)
1014 smb_panic("Could not find our domain");
1018 /* Find the appropriate domain to lookup a name or SID */
1020 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
1022 DBG_DEBUG("SID [%s]\n", sid_string_dbg(sid));
1025 * SIDs in the S-1-22-{1,2} domain and well-known SIDs should be handled
1029 if ( sid_check_is_in_unix_groups(sid) ||
1030 sid_check_is_unix_groups(sid) ||
1031 sid_check_is_in_unix_users(sid) ||
1032 sid_check_is_unix_users(sid) ||
1033 sid_check_is_wellknown_domain(sid, NULL) ||
1034 sid_check_is_in_wellknown_domain(sid) )
1036 return find_domain_from_sid(get_global_sam_sid());
1039 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
1040 * one to contact the external DC's. On member servers the internal
1041 * domains are different: These are part of the local SAM. */
1043 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
1044 DEBUG(10, ("calling find_domain_from_sid\n"));
1045 return find_domain_from_sid(sid);
1048 /* On a member server a query for SID or name can always go to our
1051 DEBUG(10, ("calling find_our_domain\n"));
1052 return find_our_domain();
1055 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
1057 if ( strequal(domain_name, unix_users_domain_name() ) ||
1058 strequal(domain_name, unix_groups_domain_name() ) )
1061 * The "Unix User" and "Unix Group" domain our handled by
1064 return find_domain_from_name_noinit( get_global_sam_name() );
1067 if (IS_DC || strequal(domain_name, "BUILTIN") ||
1068 strequal(domain_name, get_global_sam_name()))
1069 return find_domain_from_name_noinit(domain_name);
1072 return find_our_domain();
1075 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1077 static bool assume_domain(const char *domain)
1079 /* never assume the domain on a standalone server */
1081 if ( lp_server_role() == ROLE_STANDALONE )
1084 /* domain member servers may possibly assume for the domain name */
1086 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1087 if ( !strequal(lp_workgroup(), domain) )
1090 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1094 /* only left with a domain controller */
1096 if ( strequal(get_global_sam_name(), domain) ) {
1103 /* Parse a string of the form DOMAIN\user into a domain and a user */
1105 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1107 char *p = strchr(domuser,*lp_winbind_separator());
1110 fstrcpy(user, domuser);
1111 p = strchr(domuser, '@');
1113 if ( assume_domain(lp_workgroup()) && p == NULL) {
1114 fstrcpy(domain, lp_workgroup());
1115 } else if (p != NULL) {
1116 fstrcpy(domain, p + 1);
1117 user[PTR_DIFF(p, domuser)] = 0;
1123 fstrcpy(domain, domuser);
1124 domain[PTR_DIFF(p, domuser)] = 0;
1127 return strupper_m(domain);
1130 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1131 char **domain, char **user)
1133 fstring fstr_domain, fstr_user;
1134 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1137 *domain = talloc_strdup(mem_ctx, fstr_domain);
1138 *user = talloc_strdup(mem_ctx, fstr_user);
1139 return ((*domain != NULL) && (*user != NULL));
1142 /* Ensure an incoming username from NSS is fully qualified. Replace the
1143 incoming fstring with DOMAIN <separator> user. Returns the same
1144 values as parse_domain_user() but also replaces the incoming username.
1145 Used to ensure all names are fully qualified within winbindd.
1146 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1147 The protocol definitions of auth_crap, chng_pswd_auth_crap
1148 really should be changed to use this instead of doing things
1151 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1153 if (!parse_domain_user(username_inout, domain, user)) {
1156 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1157 domain, *lp_winbind_separator(),
1163 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1164 'winbind separator' options.
1166 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1169 If we are a PDC or BDC, and this is for our domain, do likewise.
1171 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1172 username is then unqualified in unix
1174 On an AD DC we always fill DOMAIN\\USERNAME.
1176 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1178 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1182 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1186 fstrcpy(tmp_user, user);
1187 (void)strlower_m(tmp_user);
1189 if (can_assume && assume_domain(domain)) {
1190 strlcpy(name, tmp_user, sizeof(fstring));
1192 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1193 domain, *lp_winbind_separator(),
1199 * talloc version of fill_domain_username()
1200 * return NULL on talloc failure.
1202 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1207 char *tmp_user, *name;
1209 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1213 tmp_user = talloc_strdup(mem_ctx, user);
1214 if (!strlower_m(tmp_user)) {
1215 TALLOC_FREE(tmp_user);
1219 if (can_assume && assume_domain(domain)) {
1222 name = talloc_asprintf(mem_ctx, "%s%c%s",
1224 *lp_winbind_separator(),
1226 TALLOC_FREE(tmp_user);
1233 * Client list accessor functions
1236 static struct winbindd_cli_state *_client_list;
1237 static int _num_clients;
1239 /* Return list of all connected clients */
1241 struct winbindd_cli_state *winbindd_client_list(void)
1243 return _client_list;
1246 /* Return list-tail of all connected clients */
1248 struct winbindd_cli_state *winbindd_client_list_tail(void)
1250 return DLIST_TAIL(_client_list);
1253 /* Return previous (read:newer) client in list */
1255 struct winbindd_cli_state *
1256 winbindd_client_list_prev(struct winbindd_cli_state *cli)
1258 return DLIST_PREV(cli);
1261 /* Add a connection to the list */
1263 void winbindd_add_client(struct winbindd_cli_state *cli)
1265 cli->last_access = time(NULL);
1266 DLIST_ADD(_client_list, cli);
1270 /* Remove a client from the list */
1272 void winbindd_remove_client(struct winbindd_cli_state *cli)
1274 DLIST_REMOVE(_client_list, cli);
1278 /* Move a client to head or list */
1280 void winbindd_promote_client(struct winbindd_cli_state *cli)
1282 cli->last_access = time(NULL);
1283 DLIST_PROMOTE(_client_list, cli);
1286 /* Return number of open clients */
1288 int winbindd_num_clients(void)
1290 return _num_clients;
1293 NTSTATUS lookup_usergroups_cached(TALLOC_CTX *mem_ctx,
1294 const struct dom_sid *user_sid,
1295 uint32_t *p_num_groups, struct dom_sid **user_sids)
1297 struct netr_SamInfo3 *info3 = NULL;
1298 NTSTATUS status = NT_STATUS_NO_MEMORY;
1299 uint32_t num_groups = 0;
1301 DEBUG(3,(": lookup_usergroups_cached\n"));
1306 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1308 if (info3 == NULL) {
1309 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1313 * Before bug #7843 the "Domain Local" groups were added with a
1314 * lookupuseraliases call, but this isn't done anymore for our domain
1315 * so we need to resolve resource groups here.
1317 * When to use Resource Groups:
1318 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1320 status = sid_array_from_info3(mem_ctx, info3,
1325 if (!NT_STATUS_IS_OK(status)) {
1331 *p_num_groups = num_groups;
1332 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1334 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1339 /*********************************************************************
1340 We use this to remove spaces from user and group names
1341 ********************************************************************/
1343 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1344 struct winbindd_domain *domain,
1350 if (!name || !normalized) {
1351 return NT_STATUS_INVALID_PARAMETER;
1354 if (!lp_winbind_normalize_names()) {
1355 return NT_STATUS_PROCEDURE_NOT_FOUND;
1358 /* Alias support and whitespace replacement are mutually
1361 nt_status = resolve_username_to_alias(mem_ctx, domain,
1363 if (NT_STATUS_IS_OK(nt_status)) {
1364 /* special return code to let the caller know we
1365 mapped to an alias */
1366 return NT_STATUS_FILE_RENAMED;
1369 /* check for an unreachable domain */
1371 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1372 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1374 set_domain_offline(domain);
1378 /* deal with whitespace */
1380 *normalized = talloc_strdup(mem_ctx, name);
1381 if (!(*normalized)) {
1382 return NT_STATUS_NO_MEMORY;
1385 all_string_sub( *normalized, " ", "_", 0 );
1387 return NT_STATUS_OK;
1390 /*********************************************************************
1391 We use this to do the inverse of normalize_name_map()
1392 ********************************************************************/
1394 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1399 struct winbindd_domain *domain = find_our_domain();
1401 if (!name || !normalized) {
1402 return NT_STATUS_INVALID_PARAMETER;
1405 if (!lp_winbind_normalize_names()) {
1406 return NT_STATUS_PROCEDURE_NOT_FOUND;
1409 /* Alias support and whitespace replacement are mutally
1412 /* When mapping from an alias to a username, we don't know the
1413 domain. But we only need a domain structure to cache
1414 a successful lookup , so just our own domain structure for
1417 nt_status = resolve_alias_to_username(mem_ctx, domain,
1419 if (NT_STATUS_IS_OK(nt_status)) {
1420 /* Special return code to let the caller know we mapped
1422 return NT_STATUS_FILE_RENAMED;
1425 /* check for an unreachable domain */
1427 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1428 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1430 set_domain_offline(domain);
1434 /* deal with whitespace */
1436 *normalized = talloc_strdup(mem_ctx, name);
1437 if (!(*normalized)) {
1438 return NT_STATUS_NO_MEMORY;
1441 all_string_sub(*normalized, "_", " ", 0);
1443 return NT_STATUS_OK;
1446 /*********************************************************************
1447 ********************************************************************/
1449 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1451 struct winbindd_tdc_domain *tdc = NULL;
1452 TALLOC_CTX *frame = talloc_stackframe();
1455 /* We can contact the domain if it is our primary domain */
1457 if (domain->primary) {
1462 /* Trust the TDC cache and not the winbindd_domain flags */
1464 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1465 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1471 /* Can always contact a domain that is in out forest */
1473 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1479 * On a _member_ server, we cannot contact the domain if it
1480 * is running AD and we have no inbound trust.
1484 domain->active_directory &&
1485 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1487 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1488 "and we have no inbound trust.\n", domain->name));
1492 /* Assume everything else is ok (probably not true but what
1498 talloc_destroy(frame);
1503 /*********************************************************************
1504 ********************************************************************/
1506 bool winbindd_internal_child(struct winbindd_child *child)
1508 if ((child == idmap_child()) || (child == locator_child())) {
1515 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1517 /*********************************************************************
1518 ********************************************************************/
1520 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1523 char addr[INET6_ADDRSTRLEN];
1524 const char *kdc = NULL;
1527 if (!domain || !domain->alt_name || !*domain->alt_name) {
1531 if (domain->initialized && !domain->active_directory) {
1532 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1537 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1540 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1542 kdc = domain->dcname;
1545 if (!kdc || !*kdc) {
1546 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1551 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1552 domain->alt_name) == -1) {
1556 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1559 setenv(var, kdc, 1);
1563 /*********************************************************************
1564 ********************************************************************/
1566 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1568 struct winbindd_domain *our_dom = find_our_domain();
1570 winbindd_set_locator_kdc_env(domain);
1572 if (domain != our_dom) {
1573 winbindd_set_locator_kdc_env(our_dom);
1577 /*********************************************************************
1578 ********************************************************************/
1580 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1584 if (!domain || !domain->alt_name || !*domain->alt_name) {
1588 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1589 domain->alt_name) == -1) {
1598 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1603 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1608 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1610 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1612 resp->data.auth.nt_status = NT_STATUS_V(result);
1613 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1615 /* we might have given a more useful error above */
1616 if (*resp->data.auth.error_string == '\0')
1617 fstrcpy(resp->data.auth.error_string,
1618 get_friendly_nt_error_msg(result));
1619 resp->data.auth.pam_error = nt_status_to_pam(result);
1622 bool is_domain_offline(const struct winbindd_domain *domain)
1624 if (!lp_winbind_offline_logon()) {
1627 if (get_global_winbindd_state_offline()) {
1630 return !domain->online;
1633 bool is_domain_online(const struct winbindd_domain *domain)
1635 return !is_domain_offline(domain);
1639 * Parse an char array into a list of sids.
1641 * The input sidstr should consist of 0-terminated strings
1642 * representing sids, separated by newline characters '\n'.
1643 * The list is terminated by an empty string, i.e.
1644 * character '\0' directly following a character '\n'
1645 * (or '\0' right at the start of sidstr).
1647 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1648 struct dom_sid **sids, uint32_t *num_sids)
1656 while (p[0] != '\0') {
1658 const char *q = NULL;
1660 if (!dom_sid_parse_endp(p, &sid, &q)) {
1661 DEBUG(1, ("Could not parse sid %s\n", p));
1665 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1668 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
1678 bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr,
1679 struct unixid **pxids, uint32_t *pnum_xids)
1682 struct unixid *xids = NULL;
1683 uint32_t num_xids = 0;
1690 while (p[0] != '\0') {
1693 unsigned long long id;
1698 xid = (struct unixid) { .type = ID_TYPE_UID };
1701 xid = (struct unixid) { .type = ID_TYPE_GID };
1709 id = strtoull(p, &endp, 10);
1710 if ((id == ULLONG_MAX) && (errno == ERANGE)) {
1713 if (*endp != '\n') {
1719 if ((unsigned long long)xid.id != id) {
1723 tmp = talloc_realloc(mem_ctx, xids, struct unixid, num_xids+1);
1729 xids[num_xids] = xid;
1734 *pnum_xids = num_xids;