2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
30 #include "source4/lib/messaging/messaging.h"
31 #include "librpc/gen_ndr/ndr_lsa.h"
34 #define DBGC_CLASS DBGC_WINBIND
36 extern struct winbindd_methods cache_methods;
39 * @file winbindd_util.c
41 * Winbind daemon for NT domain authentication nss module.
45 /* The list of trusted domains. Note that the list can be deleted and
46 recreated using the init_domain_list() function so pointers to
47 individual winbindd_domain structures cannot be made. Keep a copy of
48 the domain name instead. */
50 static struct winbindd_domain *_domain_list = NULL;
52 struct winbindd_domain *domain_list(void)
56 if ((!_domain_list) && (!init_domain_list())) {
57 smb_panic("Init_domain_list failed");
63 /* Free all entries in the trusted domain list */
65 static void free_domain_list(void)
67 struct winbindd_domain *domain = _domain_list;
70 struct winbindd_domain *next = domain->next;
72 DLIST_REMOVE(_domain_list, domain);
79 * Iterator for winbindd's domain list.
80 * To be used (e.g.) in tevent based loops.
82 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
85 domain = domain_list();
87 domain = domain->next;
90 if ((domain != NULL) &&
91 (lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC) &&
92 sid_check_is_our_sam(&domain->sid))
94 domain = domain->next;
100 static bool is_internal_domain(const struct dom_sid *sid)
105 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
108 static bool is_in_internal_domain(const struct dom_sid *sid)
113 return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
117 /* Add a trusted domain to our list of domains.
118 If the domain already exists in the list,
119 return it and don't re-initialize. */
121 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
122 struct winbindd_methods *methods,
123 const struct dom_sid *sid)
125 struct winbindd_domain *domain;
126 const char *alternative_name = NULL;
127 char *idmap_config_option;
129 const char **ignored_domains, **dom;
130 int role = lp_server_role();
132 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
133 for (dom=ignored_domains; dom && *dom; dom++) {
134 if (gen_fnmatch(*dom, domain_name) == 0) {
135 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
140 /* use alt_name if available to allow DNS lookups */
142 if (alt_name && *alt_name) {
143 alternative_name = alt_name;
146 /* We can't call domain_list() as this function is called from
147 init_domain_list() and we'll get stuck in a loop. */
148 for (domain = _domain_list; domain; domain = domain->next) {
149 if (strequal(domain_name, domain->name) ||
150 strequal(domain_name, domain->alt_name))
155 if (alternative_name && *alternative_name)
157 if (strequal(alternative_name, domain->name) ||
158 strequal(alternative_name, domain->alt_name))
166 if (is_null_sid(sid)) {
170 if (dom_sid_equal(sid, &domain->sid)) {
176 if (domain != NULL) {
178 * We found a match on domain->name or
179 * domain->alt_name. Possibly update the SID
180 * if the stored SID was the NULL SID
181 * and return the matching entry.
184 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
185 sid_copy( &domain->sid, sid );
190 /* Create new domain entry */
191 domain = talloc_zero(NULL, struct winbindd_domain);
192 if (domain == NULL) {
196 domain->children = talloc_zero_array(domain,
197 struct winbindd_child,
198 lp_winbind_max_domain_connections());
199 if (domain->children == NULL) {
204 domain->name = talloc_strdup(domain, domain_name);
205 if (domain->name == NULL) {
210 if (alternative_name) {
211 domain->alt_name = talloc_strdup(domain, alternative_name);
212 if (domain->alt_name == NULL) {
218 domain->methods = methods;
219 domain->backend = NULL;
220 domain->internal = is_internal_domain(sid);
221 domain->sequence_number = DOM_SEQUENCE_NONE;
222 domain->last_seq_check = 0;
223 domain->initialized = False;
224 domain->online = is_internal_domain(sid);
225 domain->check_online_timeout = 0;
226 domain->dc_probe_pid = (pid_t)-1;
228 sid_copy(&domain->sid, sid);
231 /* Is this our primary domain ? */
232 if (strequal(domain_name, get_global_sam_name()) &&
233 (role != ROLE_DOMAIN_MEMBER)) {
234 domain->primary = true;
235 } else if (strequal(domain_name, lp_workgroup()) &&
236 (role == ROLE_DOMAIN_MEMBER)) {
237 domain->primary = true;
240 if (domain->primary) {
241 if (role == ROLE_ACTIVE_DIRECTORY_DC) {
242 domain->active_directory = true;
244 if (lp_security() == SEC_ADS) {
245 domain->active_directory = true;
249 /* Link to domain list */
250 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
252 wcache_tdc_add_domain( domain );
254 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
256 if (idmap_config_option == NULL) {
257 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
261 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
263 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
264 param ? param : "not defined"));
267 unsigned low_id, high_id;
268 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
269 DEBUG(1, ("invalid range syntax in %s: %s\n",
270 idmap_config_option, param));
273 if (low_id > high_id) {
274 DEBUG(1, ("invalid range in %s: %s\n",
275 idmap_config_option, param));
278 domain->have_idmap_config = true;
279 domain->id_range_low = low_id;
280 domain->id_range_high = high_id;
285 setup_domain_child(domain);
287 DEBUG(2,("Added domain %s %s %s\n",
288 domain->name, domain->alt_name,
289 &domain->sid?sid_string_dbg(&domain->sid):""));
294 bool domain_is_forest_root(const struct winbindd_domain *domain)
296 const uint32_t fr_flags =
297 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
299 return ((domain->domain_flags & fr_flags) == fr_flags);
302 /********************************************************************
303 rescan our domains looking for new trusted domains
304 ********************************************************************/
306 struct trustdom_state {
307 struct winbindd_domain *domain;
308 struct winbindd_request request;
311 static void trustdom_list_done(struct tevent_req *req);
312 static void rescan_forest_root_trusts( void );
313 static void rescan_forest_trusts( void );
315 static void add_trusted_domains( struct winbindd_domain *domain )
317 struct trustdom_state *state;
318 struct tevent_req *req;
320 state = talloc_zero(NULL, struct trustdom_state);
322 DEBUG(0, ("talloc failed\n"));
325 state->domain = domain;
327 state->request.length = sizeof(state->request);
328 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
330 req = wb_domain_request_send(state, winbind_event_context(),
331 domain, &state->request);
333 DEBUG(1, ("wb_domain_request_send failed\n"));
337 tevent_req_set_callback(req, trustdom_list_done, state);
340 static void trustdom_list_done(struct tevent_req *req)
342 struct trustdom_state *state = tevent_req_callback_data(
343 req, struct trustdom_state);
344 struct winbindd_response *response;
348 res = wb_domain_request_recv(req, state, &response, &err);
349 if ((res == -1) || (response->result != WINBINDD_OK)) {
350 DEBUG(1, ("Could not receive trustdoms\n"));
355 p = (char *)response->extra_data.data;
357 while ((p != NULL) && (*p != '\0')) {
358 char *q, *sidstr, *alt_name;
360 char *alternate_name = NULL;
362 alt_name = strchr(p, '\\');
363 if (alt_name == NULL) {
364 DEBUG(0, ("Got invalid trustdom response\n"));
371 sidstr = strchr(alt_name, '\\');
372 if (sidstr == NULL) {
373 DEBUG(0, ("Got invalid trustdom response\n"));
380 q = strchr(sidstr, '\n');
384 if (!string_to_sid(&sid, sidstr)) {
385 DEBUG(0, ("Got invalid trustdom response\n"));
389 /* use the real alt_name if we have one, else pass in NULL */
391 if ( !strequal( alt_name, "(null)" ) )
392 alternate_name = alt_name;
395 * We always call add_trusted_domain() cause on an existing
396 * domain structure, it will update the SID if necessary.
397 * This is important because we need the SID for sibling
400 (void)add_trusted_domain(p, alternate_name,
410 Cases to consider when scanning trusts:
411 (a) we are calling from a child domain (primary && !forest_root)
412 (b) we are calling from the root of the forest (primary && forest_root)
413 (c) we are calling from a trusted forest domain (!primary
417 if (state->domain->primary) {
418 /* If this is our primary domain and we are not in the
419 forest root, we have to scan the root trusts first */
421 if (!domain_is_forest_root(state->domain))
422 rescan_forest_root_trusts();
424 rescan_forest_trusts();
426 } else if (domain_is_forest_root(state->domain)) {
427 /* Once we have done root forest trust search, we can
428 go on to search the trusted forests */
430 rescan_forest_trusts();
438 /********************************************************************
439 Scan the trusts of our forest root
440 ********************************************************************/
442 static void rescan_forest_root_trusts( void )
444 struct winbindd_tdc_domain *dom_list = NULL;
445 size_t num_trusts = 0;
448 /* The only transitive trusts supported by Windows 2003 AD are
449 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
450 first two are handled in forest and listed by
451 DsEnumerateDomainTrusts(). Forest trusts are not so we
452 have to do that ourselves. */
454 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
457 for ( i=0; i<num_trusts; i++ ) {
458 struct winbindd_domain *d = NULL;
460 /* Find the forest root. Don't necessarily trust
461 the domain_list() as our primary domain may not
462 have been initialized. */
464 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
468 /* Here's the forest root */
470 d = find_domain_from_name_noinit( dom_list[i].domain_name );
473 d = add_trusted_domain( dom_list[i].domain_name,
474 dom_list[i].dns_name,
483 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
484 "for domain tree root %s (%s)\n",
485 d->name, d->alt_name ));
487 d->domain_flags = dom_list[i].trust_flags;
488 d->domain_type = dom_list[i].trust_type;
489 d->domain_trust_attribs = dom_list[i].trust_attribs;
491 add_trusted_domains( d );
496 TALLOC_FREE( dom_list );
501 /********************************************************************
502 scan the transitive forest trusts (not our own)
503 ********************************************************************/
506 static void rescan_forest_trusts( void )
508 struct winbindd_domain *d = NULL;
509 struct winbindd_tdc_domain *dom_list = NULL;
510 size_t num_trusts = 0;
513 /* The only transitive trusts supported by Windows 2003 AD are
514 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
515 first two are handled in forest and listed by
516 DsEnumerateDomainTrusts(). Forest trusts are not so we
517 have to do that ourselves. */
519 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
522 for ( i=0; i<num_trusts; i++ ) {
523 uint32_t flags = dom_list[i].trust_flags;
524 uint32_t type = dom_list[i].trust_type;
525 uint32_t attribs = dom_list[i].trust_attribs;
527 d = find_domain_from_name_noinit( dom_list[i].domain_name );
529 /* ignore our primary and internal domains */
531 if ( d && (d->internal || d->primary ) )
534 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
535 (type == LSA_TRUST_TYPE_UPLEVEL) &&
536 (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
538 /* add the trusted domain if we don't know
542 d = add_trusted_domain( dom_list[i].domain_name,
543 dom_list[i].dns_name,
552 DEBUG(10,("Following trust path for domain %s (%s)\n",
553 d->name, d->alt_name ));
554 add_trusted_domains( d );
558 TALLOC_FREE( dom_list );
563 /*********************************************************************
564 The process of updating the trusted domain list is a three step
567 (b) ask the root domain in our forest
568 (c) ask the a DC in any Win2003 trusted forests
569 *********************************************************************/
571 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
572 struct timeval now, void *private_data)
576 /* I use to clear the cache here and start over but that
577 caused problems in child processes that needed the
578 trust dom list early on. Removing it means we
579 could have some trusted domains listed that have been
580 removed from our primary domain's DC until a full
581 restart. This should be ok since I think this is what
582 Windows does as well. */
584 /* this will only add new domains we didn't already know about
585 in the domain_list()*/
587 add_trusted_domains( find_our_domain() );
589 te = tevent_add_timer(
590 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
591 rescan_trusted_domains, NULL);
593 * If te == NULL, there's not much we can do here. Don't fail, the
594 * only thing we miss is new trusted domains.
600 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
601 struct winbindd_cli_state *state)
603 /* Ensure null termination */
604 state->request->domain_name
605 [sizeof(state->request->domain_name)-1]='\0';
606 state->request->data.init_conn.dcname
607 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
609 if (strlen(state->request->data.init_conn.dcname) > 0) {
610 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
613 init_dc_connection(domain, false);
615 if (!domain->initialized) {
616 /* If we return error here we can't do any cached authentication,
617 but we may be in disconnected mode and can't initialize correctly.
618 Do what the previous code did and just return without initialization,
619 once we go online we'll re-initialize.
621 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
622 "online = %d\n", domain->name, (int)domain->online ));
625 fstrcpy(state->response->data.domain_info.name, domain->name);
626 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
627 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
629 state->response->data.domain_info.native_mode
630 = domain->native_mode;
631 state->response->data.domain_info.active_directory
632 = domain->active_directory;
633 state->response->data.domain_info.primary
639 static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
642 struct server_id server_id,
645 TALLOC_CTX *frame = talloc_stackframe();
646 struct lsa_TrustDomainInfoInfoEx info;
647 enum ndr_err_code ndr_err;
648 struct winbindd_domain *d = NULL;
650 DEBUG(5, ("wb_imsg_new_trusted_domain\n"));
657 ndr_err = ndr_pull_struct_blob_all(data, frame, &info,
658 (ndr_pull_flags_fn_t)ndr_pull_lsa_TrustDomainInfoInfoEx);
659 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
664 d = find_domain_from_name_noinit(info.netbios_name.string);
670 d = add_trusted_domain(info.netbios_name.string,
671 info.domain_name.string,
689 if (info.trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
690 d->domain_flags |= NETR_TRUST_FLAG_INBOUND;
692 if (info.trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
693 d->domain_flags |= NETR_TRUST_FLAG_OUTBOUND;
695 if (info.trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
696 d->domain_flags |= NETR_TRUST_FLAG_IN_FOREST;
698 d->domain_type = info.trust_type;
699 d->domain_trust_attribs = info.trust_attributes;
704 /* Look up global info for the winbind daemon */
705 bool init_domain_list(void)
707 int role = lp_server_role();
710 /* Free existing list */
715 (void)add_trusted_domain("BUILTIN", NULL, &cache_methods,
716 &global_sid_Builtin);
720 if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
721 struct winbindd_domain *domain;
722 enum netr_SchannelType sec_chan_type;
723 const char *account_name;
724 struct samr_Password current_nt_hash;
725 struct pdb_domain_info *pdb_domain_info;
728 pdb_domain_info = pdb_get_domain_info(talloc_tos());
729 if (pdb_domain_info == NULL) {
730 DEBUG(0, ("Failed to fetch our own, local AD "
731 "domain info from sam.ldb\n"));
734 domain = add_trusted_domain(pdb_domain_info->name,
735 pdb_domain_info->dns_domain,
737 &pdb_domain_info->sid);
738 TALLOC_FREE(pdb_domain_info);
739 if (domain == NULL) {
740 DEBUG(0, ("Failed to add our own, local AD "
741 "domain to winbindd's internal list\n"));
746 * We need to call this to find out if we are an RODC
748 ok = get_trust_pw_hash(domain->name,
749 current_nt_hash.hash,
753 DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
756 if (sec_chan_type == SEC_CHAN_RODC) {
761 (void)add_trusted_domain(get_global_sam_name(), NULL,
762 &cache_methods, get_global_sam_sid());
764 /* Add ourselves as the first entry. */
766 if ( role == ROLE_DOMAIN_MEMBER ) {
767 struct winbindd_domain *domain;
768 struct dom_sid our_sid;
770 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
771 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
775 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
776 &cache_methods, &our_sid);
778 /* Even in the parent winbindd we'll need to
779 talk to the DC, so try and see if we can
780 contact it. Theoretically this isn't neccessary
781 as the init_dc_connection() in init_child_recv()
782 will do this, but we can start detecting the DC
784 set_domain_online_request(domain);
788 status = imessaging_register(winbind_imessaging_context(), NULL,
789 MSG_WINBIND_NEW_TRUSTED_DOMAIN,
790 wb_imsg_new_trusted_domain);
791 if (!NT_STATUS_IS_OK(status)) {
792 DEBUG(0, ("imessaging_register(MSG_WINBIND_NEW_TRUSTED_DOMAIN) - %s\n",
801 * Given a domain name, return the struct winbindd domain info for it
803 * @note Do *not* pass lp_workgroup() to this function. domain_list
804 * may modify it's value, and free that pointer. Instead, our local
805 * domain may be found by calling find_our_domain().
809 * @return The domain structure for the named domain, if it is working.
812 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
814 struct winbindd_domain *domain;
816 /* Search through list */
818 for (domain = domain_list(); domain != NULL; domain = domain->next) {
819 if (strequal(domain_name, domain->name) ||
820 (domain->alt_name != NULL &&
821 strequal(domain_name, domain->alt_name))) {
831 struct winbindd_domain *find_domain_from_name(const char *domain_name)
833 struct winbindd_domain *domain;
835 domain = find_domain_from_name_noinit(domain_name);
840 if (!domain->initialized)
841 init_dc_connection(domain, false);
846 /* Given a domain sid, return the struct winbindd domain info for it */
848 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
850 struct winbindd_domain *domain;
852 /* Search through list */
854 for (domain = domain_list(); domain != NULL; domain = domain->next) {
855 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
864 /* Given a domain sid, return the struct winbindd domain info for it */
866 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
868 struct winbindd_domain *domain;
870 domain = find_domain_from_sid_noinit(sid);
875 if (!domain->initialized)
876 init_dc_connection(domain, false);
881 struct winbindd_domain *find_our_domain(void)
883 struct winbindd_domain *domain;
885 /* Search through list */
887 for (domain = domain_list(); domain != NULL; domain = domain->next) {
892 smb_panic("Could not find our domain");
896 struct winbindd_domain *find_root_domain(void)
898 struct winbindd_domain *ours = find_our_domain();
900 if (ours->forest_name == NULL) {
904 return find_domain_from_name( ours->forest_name );
907 struct winbindd_domain *find_builtin_domain(void)
909 struct winbindd_domain *domain;
911 domain = find_domain_from_sid(&global_sid_Builtin);
912 if (domain == NULL) {
913 smb_panic("Could not find BUILTIN domain");
919 /* Find the appropriate domain to lookup a name or SID */
921 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
923 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
925 if ( sid_check_is_in_unix_groups(sid) ||
926 sid_check_is_unix_groups(sid) ||
927 sid_check_is_in_unix_users(sid) ||
928 sid_check_is_unix_users(sid) )
930 return find_domain_from_sid(get_global_sam_sid());
933 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
934 * one to contact the external DC's. On member servers the internal
935 * domains are different: These are part of the local SAM. */
937 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
939 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
940 DEBUG(10, ("calling find_domain_from_sid\n"));
941 return find_domain_from_sid(sid);
944 /* On a member server a query for SID or name can always go to our
947 DEBUG(10, ("calling find_our_domain\n"));
948 return find_our_domain();
951 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
953 if ( strequal(domain_name, unix_users_domain_name() ) ||
954 strequal(domain_name, unix_groups_domain_name() ) )
957 * The "Unix User" and "Unix Group" domain our handled by
960 return find_domain_from_name_noinit( get_global_sam_name() );
963 if (IS_DC || strequal(domain_name, "BUILTIN") ||
964 strequal(domain_name, get_global_sam_name()))
965 return find_domain_from_name_noinit(domain_name);
968 return find_our_domain();
971 /* Is this a domain which we may assume no DOMAIN\ prefix? */
973 static bool assume_domain(const char *domain)
975 /* never assume the domain on a standalone server */
977 if ( lp_server_role() == ROLE_STANDALONE )
980 /* domain member servers may possibly assume for the domain name */
982 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
983 if ( !strequal(lp_workgroup(), domain) )
986 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
990 /* only left with a domain controller */
992 if ( strequal(get_global_sam_name(), domain) ) {
999 /* Parse a string of the form DOMAIN\user into a domain and a user */
1001 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1003 char *p = strchr(domuser,*lp_winbind_separator());
1006 fstrcpy(user, domuser);
1008 if ( assume_domain(lp_workgroup())) {
1009 fstrcpy(domain, lp_workgroup());
1010 } else if ((p = strchr(domuser, '@')) != NULL) {
1011 fstrcpy(domain, p + 1);
1012 user[PTR_DIFF(p, domuser)] = 0;
1018 fstrcpy(domain, domuser);
1019 domain[PTR_DIFF(p, domuser)] = 0;
1022 return strupper_m(domain);
1025 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1026 char **domain, char **user)
1028 fstring fstr_domain, fstr_user;
1029 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1032 *domain = talloc_strdup(mem_ctx, fstr_domain);
1033 *user = talloc_strdup(mem_ctx, fstr_user);
1034 return ((*domain != NULL) && (*user != NULL));
1037 /* Ensure an incoming username from NSS is fully qualified. Replace the
1038 incoming fstring with DOMAIN <separator> user. Returns the same
1039 values as parse_domain_user() but also replaces the incoming username.
1040 Used to ensure all names are fully qualified within winbindd.
1041 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1042 The protocol definitions of auth_crap, chng_pswd_auth_crap
1043 really should be changed to use this instead of doing things
1046 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1048 if (!parse_domain_user(username_inout, domain, user)) {
1051 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1052 domain, *lp_winbind_separator(),
1058 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1059 'winbind separator' options.
1061 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1064 If we are a PDC or BDC, and this is for our domain, do likewise.
1066 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1067 username is then unqualified in unix
1069 On an AD DC we always fill DOMAIN\\USERNAME.
1071 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1073 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1077 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1081 fstrcpy(tmp_user, user);
1082 (void)strlower_m(tmp_user);
1084 if (can_assume && assume_domain(domain)) {
1085 strlcpy(name, tmp_user, sizeof(fstring));
1087 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1088 domain, *lp_winbind_separator(),
1094 * talloc version of fill_domain_username()
1095 * return NULL on talloc failure.
1097 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1102 char *tmp_user, *name;
1104 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1108 tmp_user = talloc_strdup(mem_ctx, user);
1109 if (!strlower_m(tmp_user)) {
1110 TALLOC_FREE(tmp_user);
1114 if (can_assume && assume_domain(domain)) {
1117 name = talloc_asprintf(mem_ctx, "%s%c%s",
1119 *lp_winbind_separator(),
1121 TALLOC_FREE(tmp_user);
1128 * Client list accessor functions
1131 static struct winbindd_cli_state *_client_list;
1132 static int _num_clients;
1134 /* Return list of all connected clients */
1136 struct winbindd_cli_state *winbindd_client_list(void)
1138 return _client_list;
1141 /* Add a connection to the list */
1143 void winbindd_add_client(struct winbindd_cli_state *cli)
1145 DLIST_ADD(_client_list, cli);
1149 /* Remove a client from the list */
1151 void winbindd_remove_client(struct winbindd_cli_state *cli)
1153 DLIST_REMOVE(_client_list, cli);
1157 /* Return number of open clients */
1159 int winbindd_num_clients(void)
1161 return _num_clients;
1164 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1165 TALLOC_CTX *mem_ctx,
1166 const struct dom_sid *user_sid,
1167 uint32_t *p_num_groups, struct dom_sid **user_sids)
1169 struct netr_SamInfo3 *info3 = NULL;
1170 NTSTATUS status = NT_STATUS_NO_MEMORY;
1171 uint32_t num_groups = 0;
1173 DEBUG(3,(": lookup_usergroups_cached\n"));
1178 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1180 if (info3 == NULL) {
1181 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1184 if (info3->base.groups.count == 0) {
1186 return NT_STATUS_UNSUCCESSFUL;
1190 * Before bug #7843 the "Domain Local" groups were added with a
1191 * lookupuseraliases call, but this isn't done anymore for our domain
1192 * so we need to resolve resource groups here.
1194 * When to use Resource Groups:
1195 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1197 status = sid_array_from_info3(mem_ctx, info3,
1202 if (!NT_STATUS_IS_OK(status)) {
1208 *p_num_groups = num_groups;
1209 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1211 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1216 /*********************************************************************
1217 We use this to remove spaces from user and group names
1218 ********************************************************************/
1220 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1221 struct winbindd_domain *domain,
1227 if (!name || !normalized) {
1228 return NT_STATUS_INVALID_PARAMETER;
1231 if (!lp_winbind_normalize_names()) {
1232 return NT_STATUS_PROCEDURE_NOT_FOUND;
1235 /* Alias support and whitespace replacement are mutually
1238 nt_status = resolve_username_to_alias(mem_ctx, domain,
1240 if (NT_STATUS_IS_OK(nt_status)) {
1241 /* special return code to let the caller know we
1242 mapped to an alias */
1243 return NT_STATUS_FILE_RENAMED;
1246 /* check for an unreachable domain */
1248 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1249 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1251 set_domain_offline(domain);
1255 /* deal with whitespace */
1257 *normalized = talloc_strdup(mem_ctx, name);
1258 if (!(*normalized)) {
1259 return NT_STATUS_NO_MEMORY;
1262 all_string_sub( *normalized, " ", "_", 0 );
1264 return NT_STATUS_OK;
1267 /*********************************************************************
1268 We use this to do the inverse of normalize_name_map()
1269 ********************************************************************/
1271 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1276 struct winbindd_domain *domain = find_our_domain();
1278 if (!name || !normalized) {
1279 return NT_STATUS_INVALID_PARAMETER;
1282 if (!lp_winbind_normalize_names()) {
1283 return NT_STATUS_PROCEDURE_NOT_FOUND;
1286 /* Alias support and whitespace replacement are mutally
1289 /* When mapping from an alias to a username, we don't know the
1290 domain. But we only need a domain structure to cache
1291 a successful lookup , so just our own domain structure for
1294 nt_status = resolve_alias_to_username(mem_ctx, domain,
1296 if (NT_STATUS_IS_OK(nt_status)) {
1297 /* Special return code to let the caller know we mapped
1299 return NT_STATUS_FILE_RENAMED;
1302 /* check for an unreachable domain */
1304 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1305 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1307 set_domain_offline(domain);
1311 /* deal with whitespace */
1313 *normalized = talloc_strdup(mem_ctx, name);
1314 if (!(*normalized)) {
1315 return NT_STATUS_NO_MEMORY;
1318 all_string_sub(*normalized, "_", " ", 0);
1320 return NT_STATUS_OK;
1323 /*********************************************************************
1324 ********************************************************************/
1326 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1328 struct winbindd_tdc_domain *tdc = NULL;
1329 TALLOC_CTX *frame = talloc_stackframe();
1332 /* We can contact the domain if it is our primary domain */
1334 if (domain->primary) {
1339 /* Trust the TDC cache and not the winbindd_domain flags */
1341 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1342 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1348 /* Can always contact a domain that is in out forest */
1350 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1356 * On a _member_ server, we cannot contact the domain if it
1357 * is running AD and we have no inbound trust.
1361 domain->active_directory &&
1362 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1364 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1365 "and we have no inbound trust.\n", domain->name));
1369 /* Assume everything else is ok (probably not true but what
1375 talloc_destroy(frame);
1380 /*********************************************************************
1381 ********************************************************************/
1383 bool winbindd_internal_child(struct winbindd_child *child)
1385 if ((child == idmap_child()) || (child == locator_child())) {
1392 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1394 /*********************************************************************
1395 ********************************************************************/
1397 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1400 char addr[INET6_ADDRSTRLEN];
1401 const char *kdc = NULL;
1404 if (!domain || !domain->alt_name || !*domain->alt_name) {
1408 if (domain->initialized && !domain->active_directory) {
1409 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1414 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1417 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1419 kdc = domain->dcname;
1422 if (!kdc || !*kdc) {
1423 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1428 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1429 domain->alt_name) == -1) {
1433 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1436 setenv(var, kdc, 1);
1440 /*********************************************************************
1441 ********************************************************************/
1443 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1445 struct winbindd_domain *our_dom = find_our_domain();
1447 winbindd_set_locator_kdc_env(domain);
1449 if (domain != our_dom) {
1450 winbindd_set_locator_kdc_env(our_dom);
1454 /*********************************************************************
1455 ********************************************************************/
1457 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1461 if (!domain || !domain->alt_name || !*domain->alt_name) {
1465 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1466 domain->alt_name) == -1) {
1475 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1480 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1485 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1487 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1489 resp->data.auth.nt_status = NT_STATUS_V(result);
1490 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1492 /* we might have given a more useful error above */
1493 if (*resp->data.auth.error_string == '\0')
1494 fstrcpy(resp->data.auth.error_string,
1495 get_friendly_nt_error_msg(result));
1496 resp->data.auth.pam_error = nt_status_to_pam(result);
1499 bool is_domain_offline(const struct winbindd_domain *domain)
1501 if (!lp_winbind_offline_logon()) {
1504 if (get_global_winbindd_state_offline()) {
1507 return !domain->online;
1510 bool is_domain_online(const struct winbindd_domain *domain)
1512 return !is_domain_offline(domain);
1516 * Parse an char array into a list of sids.
1518 * The input sidstr should consist of 0-terminated strings
1519 * representing sids, separated by newline characters '\n'.
1520 * The list is terminated by an empty string, i.e.
1521 * character '\0' directly following a character '\n'
1522 * (or '\0' right at the start of sidstr).
1524 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1525 struct dom_sid **sids, uint32_t *num_sids)
1533 while (p[0] != '\0') {
1535 const char *q = NULL;
1537 if (!dom_sid_parse_endp(p, &sid, &q)) {
1538 DEBUG(1, ("Could not parse sid %s\n", p));
1541 if ((q == NULL) || (q[0] != '\n')) {
1542 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1545 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,