2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
32 #define DBGC_CLASS DBGC_WINBIND
34 extern struct winbindd_methods cache_methods;
37 * @file winbindd_util.c
39 * Winbind daemon for NT domain authentication nss module.
43 /* The list of trusted domains. Note that the list can be deleted and
44 recreated using the init_domain_list() function so pointers to
45 individual winbindd_domain structures cannot be made. Keep a copy of
46 the domain name instead. */
48 static struct winbindd_domain *_domain_list = NULL;
50 struct winbindd_domain *domain_list(void)
54 if ((!_domain_list) && (!init_domain_list())) {
55 smb_panic("Init_domain_list failed");
61 /* Free all entries in the trusted domain list */
63 static void free_domain_list(void)
65 struct winbindd_domain *domain = _domain_list;
68 struct winbindd_domain *next = domain->next;
70 DLIST_REMOVE(_domain_list, domain);
77 * Iterator for winbindd's domain list.
78 * To be used (e.g.) in tevent based loops.
80 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
83 domain = domain_list();
85 domain = domain->next;
89 && sid_check_is_our_sam(&domain->sid)) {
90 domain = domain->next;
95 static bool is_internal_domain(const struct dom_sid *sid)
100 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
103 static bool is_in_internal_domain(const struct dom_sid *sid)
108 return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
112 /* Add a trusted domain to our list of domains.
113 If the domain already exists in the list,
114 return it and don't re-initialize. */
116 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
117 struct winbindd_methods *methods,
118 const struct dom_sid *sid)
120 struct winbindd_domain *domain;
121 const char *alternative_name = NULL;
122 char *idmap_config_option;
124 const char **ignored_domains, **dom;
125 int role = lp_server_role();
127 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
128 for (dom=ignored_domains; dom && *dom; dom++) {
129 if (gen_fnmatch(*dom, domain_name) == 0) {
130 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
135 /* use alt_name if available to allow DNS lookups */
137 if (alt_name && *alt_name) {
138 alternative_name = alt_name;
141 /* We can't call domain_list() as this function is called from
142 init_domain_list() and we'll get stuck in a loop. */
143 for (domain = _domain_list; domain; domain = domain->next) {
144 if (strequal(domain_name, domain->name) ||
145 strequal(domain_name, domain->alt_name))
150 if (alternative_name && *alternative_name)
152 if (strequal(alternative_name, domain->name) ||
153 strequal(alternative_name, domain->alt_name))
161 if (is_null_sid(sid)) {
165 if (dom_sid_equal(sid, &domain->sid)) {
171 if (domain != NULL) {
173 * We found a match on domain->name or
174 * domain->alt_name. Possibly update the SID
175 * if the stored SID was the NULL SID
176 * and return the matching entry.
179 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
180 sid_copy( &domain->sid, sid );
185 /* Create new domain entry */
186 domain = talloc_zero(NULL, struct winbindd_domain);
187 if (domain == NULL) {
191 domain->children = talloc_zero_array(domain,
192 struct winbindd_child,
193 lp_winbind_max_domain_connections());
194 if (domain->children == NULL) {
199 domain->name = talloc_strdup(domain, domain_name);
200 if (domain->name == NULL) {
205 if (alternative_name) {
206 domain->alt_name = talloc_strdup(domain, alternative_name);
207 if (domain->alt_name == NULL) {
213 domain->methods = methods;
214 domain->backend = NULL;
215 domain->internal = is_internal_domain(sid);
216 domain->sequence_number = DOM_SEQUENCE_NONE;
217 domain->last_seq_check = 0;
218 domain->initialized = False;
219 domain->online = is_internal_domain(sid);
220 domain->check_online_timeout = 0;
221 domain->dc_probe_pid = (pid_t)-1;
223 sid_copy(&domain->sid, sid);
226 /* Is this our primary domain ? */
227 if (strequal(domain_name, get_global_sam_name()) &&
228 (role != ROLE_DOMAIN_MEMBER)) {
229 domain->primary = true;
230 } else if (strequal(domain_name, lp_workgroup()) &&
231 (role == ROLE_DOMAIN_MEMBER)) {
232 domain->primary = true;
235 if (domain->primary) {
236 if (role == ROLE_ACTIVE_DIRECTORY_DC) {
237 domain->active_directory = true;
239 if (lp_security() == SEC_ADS) {
240 domain->active_directory = true;
244 /* Link to domain list */
245 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
247 wcache_tdc_add_domain( domain );
249 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
251 if (idmap_config_option == NULL) {
252 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
256 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
258 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
259 param ? param : "not defined"));
262 unsigned low_id, high_id;
263 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
264 DEBUG(1, ("invalid range syntax in %s: %s\n",
265 idmap_config_option, param));
268 if (low_id > high_id) {
269 DEBUG(1, ("invalid range in %s: %s\n",
270 idmap_config_option, param));
273 domain->have_idmap_config = true;
274 domain->id_range_low = low_id;
275 domain->id_range_high = high_id;
280 setup_domain_child(domain);
282 DEBUG(2,("Added domain %s %s %s\n",
283 domain->name, domain->alt_name,
284 &domain->sid?sid_string_dbg(&domain->sid):""));
289 bool domain_is_forest_root(const struct winbindd_domain *domain)
291 const uint32_t fr_flags =
292 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
294 return ((domain->domain_flags & fr_flags) == fr_flags);
297 /********************************************************************
298 rescan our domains looking for new trusted domains
299 ********************************************************************/
301 struct trustdom_state {
302 struct winbindd_domain *domain;
303 struct winbindd_request request;
306 static void trustdom_list_done(struct tevent_req *req);
307 static void rescan_forest_root_trusts( void );
308 static void rescan_forest_trusts( void );
310 static void add_trusted_domains( struct winbindd_domain *domain )
312 struct trustdom_state *state;
313 struct tevent_req *req;
315 state = talloc_zero(NULL, struct trustdom_state);
317 DEBUG(0, ("talloc failed\n"));
320 state->domain = domain;
322 state->request.length = sizeof(state->request);
323 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
325 req = wb_domain_request_send(state, winbind_event_context(),
326 domain, &state->request);
328 DEBUG(1, ("wb_domain_request_send failed\n"));
332 tevent_req_set_callback(req, trustdom_list_done, state);
335 static void trustdom_list_done(struct tevent_req *req)
337 struct trustdom_state *state = tevent_req_callback_data(
338 req, struct trustdom_state);
339 struct winbindd_response *response;
343 res = wb_domain_request_recv(req, state, &response, &err);
344 if ((res == -1) || (response->result != WINBINDD_OK)) {
345 DEBUG(1, ("Could not receive trustdoms\n"));
350 p = (char *)response->extra_data.data;
352 while ((p != NULL) && (*p != '\0')) {
353 char *q, *sidstr, *alt_name;
355 char *alternate_name = NULL;
357 alt_name = strchr(p, '\\');
358 if (alt_name == NULL) {
359 DEBUG(0, ("Got invalid trustdom response\n"));
366 sidstr = strchr(alt_name, '\\');
367 if (sidstr == NULL) {
368 DEBUG(0, ("Got invalid trustdom response\n"));
375 q = strchr(sidstr, '\n');
379 if (!string_to_sid(&sid, sidstr)) {
380 DEBUG(0, ("Got invalid trustdom response\n"));
384 /* use the real alt_name if we have one, else pass in NULL */
386 if ( !strequal( alt_name, "(null)" ) )
387 alternate_name = alt_name;
390 * We always call add_trusted_domain() cause on an existing
391 * domain structure, it will update the SID if necessary.
392 * This is important because we need the SID for sibling
395 (void)add_trusted_domain(p, alternate_name,
405 Cases to consider when scanning trusts:
406 (a) we are calling from a child domain (primary && !forest_root)
407 (b) we are calling from the root of the forest (primary && forest_root)
408 (c) we are calling from a trusted forest domain (!primary
412 if (state->domain->primary) {
413 /* If this is our primary domain and we are not in the
414 forest root, we have to scan the root trusts first */
416 if (!domain_is_forest_root(state->domain))
417 rescan_forest_root_trusts();
419 rescan_forest_trusts();
421 } else if (domain_is_forest_root(state->domain)) {
422 /* Once we have done root forest trust search, we can
423 go on to search the trusted forests */
425 rescan_forest_trusts();
433 /********************************************************************
434 Scan the trusts of our forest root
435 ********************************************************************/
437 static void rescan_forest_root_trusts( void )
439 struct winbindd_tdc_domain *dom_list = NULL;
440 size_t num_trusts = 0;
443 /* The only transitive trusts supported by Windows 2003 AD are
444 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
445 first two are handled in forest and listed by
446 DsEnumerateDomainTrusts(). Forest trusts are not so we
447 have to do that ourselves. */
449 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
452 for ( i=0; i<num_trusts; i++ ) {
453 struct winbindd_domain *d = NULL;
455 /* Find the forest root. Don't necessarily trust
456 the domain_list() as our primary domain may not
457 have been initialized. */
459 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
463 /* Here's the forest root */
465 d = find_domain_from_name_noinit( dom_list[i].domain_name );
468 d = add_trusted_domain( dom_list[i].domain_name,
469 dom_list[i].dns_name,
478 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
479 "for domain tree root %s (%s)\n",
480 d->name, d->alt_name ));
482 d->domain_flags = dom_list[i].trust_flags;
483 d->domain_type = dom_list[i].trust_type;
484 d->domain_trust_attribs = dom_list[i].trust_attribs;
486 add_trusted_domains( d );
491 TALLOC_FREE( dom_list );
496 /********************************************************************
497 scan the transitive forest trusts (not our own)
498 ********************************************************************/
501 static void rescan_forest_trusts( void )
503 struct winbindd_domain *d = NULL;
504 struct winbindd_tdc_domain *dom_list = NULL;
505 size_t num_trusts = 0;
508 /* The only transitive trusts supported by Windows 2003 AD are
509 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
510 first two are handled in forest and listed by
511 DsEnumerateDomainTrusts(). Forest trusts are not so we
512 have to do that ourselves. */
514 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
517 for ( i=0; i<num_trusts; i++ ) {
518 uint32 flags = dom_list[i].trust_flags;
519 uint32 type = dom_list[i].trust_type;
520 uint32 attribs = dom_list[i].trust_attribs;
522 d = find_domain_from_name_noinit( dom_list[i].domain_name );
524 /* ignore our primary and internal domains */
526 if ( d && (d->internal || d->primary ) )
529 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
530 (type == LSA_TRUST_TYPE_UPLEVEL) &&
531 (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
533 /* add the trusted domain if we don't know
537 d = add_trusted_domain( dom_list[i].domain_name,
538 dom_list[i].dns_name,
547 DEBUG(10,("Following trust path for domain %s (%s)\n",
548 d->name, d->alt_name ));
549 add_trusted_domains( d );
553 TALLOC_FREE( dom_list );
558 /*********************************************************************
559 The process of updating the trusted domain list is a three step
562 (b) ask the root domain in our forest
563 (c) ask the a DC in any Win2003 trusted forests
564 *********************************************************************/
566 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
567 struct timeval now, void *private_data)
571 /* I use to clear the cache here and start over but that
572 caused problems in child processes that needed the
573 trust dom list early on. Removing it means we
574 could have some trusted domains listed that have been
575 removed from our primary domain's DC until a full
576 restart. This should be ok since I think this is what
577 Windows does as well. */
579 /* this will only add new domains we didn't already know about
580 in the domain_list()*/
582 add_trusted_domains( find_our_domain() );
584 te = tevent_add_timer(
585 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
586 rescan_trusted_domains, NULL);
588 * If te == NULL, there's not much we can do here. Don't fail, the
589 * only thing we miss is new trusted domains.
595 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
596 struct winbindd_cli_state *state)
598 /* Ensure null termination */
599 state->request->domain_name
600 [sizeof(state->request->domain_name)-1]='\0';
601 state->request->data.init_conn.dcname
602 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
604 if (strlen(state->request->data.init_conn.dcname) > 0) {
605 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
608 init_dc_connection(domain, false);
610 if (!domain->initialized) {
611 /* If we return error here we can't do any cached authentication,
612 but we may be in disconnected mode and can't initialize correctly.
613 Do what the previous code did and just return without initialization,
614 once we go online we'll re-initialize.
616 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
617 "online = %d\n", domain->name, (int)domain->online ));
620 fstrcpy(state->response->data.domain_info.name, domain->name);
621 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
622 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
624 state->response->data.domain_info.native_mode
625 = domain->native_mode;
626 state->response->data.domain_info.active_directory
627 = domain->active_directory;
628 state->response->data.domain_info.primary
634 /* Look up global info for the winbind daemon */
635 bool init_domain_list(void)
637 int role = lp_server_role();
639 /* Free existing list */
644 (void)add_trusted_domain("BUILTIN", NULL, &cache_methods,
645 &global_sid_Builtin);
649 if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
650 struct winbindd_domain *domain;
651 enum netr_SchannelType sec_chan_type;
652 const char *account_name;
653 struct samr_Password current_nt_hash;
656 domain = add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
657 &cache_methods, get_global_sam_sid());
658 if (domain == NULL) {
659 DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
664 * We need to call this to find out if we are an RODC
666 ok = get_trust_pw_hash(domain->name,
667 current_nt_hash.hash,
671 DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
674 if (sec_chan_type == SEC_CHAN_RODC) {
679 (void)add_trusted_domain(get_global_sam_name(), NULL,
680 &cache_methods, get_global_sam_sid());
682 /* Add ourselves as the first entry. */
684 if ( role == ROLE_DOMAIN_MEMBER ) {
685 struct winbindd_domain *domain;
686 struct dom_sid our_sid;
688 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
689 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
693 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
694 &cache_methods, &our_sid);
696 /* Even in the parent winbindd we'll need to
697 talk to the DC, so try and see if we can
698 contact it. Theoretically this isn't neccessary
699 as the init_dc_connection() in init_child_recv()
700 will do this, but we can start detecting the DC
702 set_domain_online_request(domain);
710 * Given a domain name, return the struct winbindd domain info for it
712 * @note Do *not* pass lp_workgroup() to this function. domain_list
713 * may modify it's value, and free that pointer. Instead, our local
714 * domain may be found by calling find_our_domain().
718 * @return The domain structure for the named domain, if it is working.
721 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
723 struct winbindd_domain *domain;
725 /* Search through list */
727 for (domain = domain_list(); domain != NULL; domain = domain->next) {
728 if (strequal(domain_name, domain->name) ||
729 (domain->alt_name != NULL &&
730 strequal(domain_name, domain->alt_name))) {
740 struct winbindd_domain *find_domain_from_name(const char *domain_name)
742 struct winbindd_domain *domain;
744 domain = find_domain_from_name_noinit(domain_name);
749 if (!domain->initialized)
750 init_dc_connection(domain, false);
755 /* Given a domain sid, return the struct winbindd domain info for it */
757 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
759 struct winbindd_domain *domain;
761 /* Search through list */
763 for (domain = domain_list(); domain != NULL; domain = domain->next) {
764 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
773 /* Given a domain sid, return the struct winbindd domain info for it */
775 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
777 struct winbindd_domain *domain;
779 domain = find_domain_from_sid_noinit(sid);
784 if (!domain->initialized)
785 init_dc_connection(domain, false);
790 struct winbindd_domain *find_our_domain(void)
792 struct winbindd_domain *domain;
794 /* Search through list */
796 for (domain = domain_list(); domain != NULL; domain = domain->next) {
801 smb_panic("Could not find our domain");
805 struct winbindd_domain *find_root_domain(void)
807 struct winbindd_domain *ours = find_our_domain();
809 if (ours->forest_name == NULL) {
813 return find_domain_from_name( ours->forest_name );
816 struct winbindd_domain *find_builtin_domain(void)
818 struct winbindd_domain *domain;
820 domain = find_domain_from_sid(&global_sid_Builtin);
821 if (domain == NULL) {
822 smb_panic("Could not find BUILTIN domain");
828 /* Find the appropriate domain to lookup a name or SID */
830 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
832 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
834 if ( sid_check_is_in_unix_groups(sid) ||
835 sid_check_is_unix_groups(sid) ||
836 sid_check_is_in_unix_users(sid) ||
837 sid_check_is_unix_users(sid) )
839 return find_domain_from_sid(get_global_sam_sid());
842 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
843 * one to contact the external DC's. On member servers the internal
844 * domains are different: These are part of the local SAM. */
846 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
848 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
849 DEBUG(10, ("calling find_domain_from_sid\n"));
850 return find_domain_from_sid(sid);
853 /* On a member server a query for SID or name can always go to our
856 DEBUG(10, ("calling find_our_domain\n"));
857 return find_our_domain();
860 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
862 if ( strequal(domain_name, unix_users_domain_name() ) ||
863 strequal(domain_name, unix_groups_domain_name() ) )
866 * The "Unix User" and "Unix Group" domain our handled by
869 return find_domain_from_name_noinit( get_global_sam_name() );
872 if (IS_DC || strequal(domain_name, "BUILTIN") ||
873 strequal(domain_name, get_global_sam_name()))
874 return find_domain_from_name_noinit(domain_name);
877 return find_our_domain();
880 /* Is this a domain which we may assume no DOMAIN\ prefix? */
882 static bool assume_domain(const char *domain)
884 /* never assume the domain on a standalone server */
886 if ( lp_server_role() == ROLE_STANDALONE )
889 /* domain member servers may possibly assume for the domain name */
891 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
892 if ( !strequal(lp_workgroup(), domain) )
895 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
899 /* only left with a domain controller */
901 if ( strequal(get_global_sam_name(), domain) ) {
908 /* Parse a string of the form DOMAIN\user into a domain and a user */
910 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
912 char *p = strchr(domuser,*lp_winbind_separator());
915 fstrcpy(user, domuser);
917 if ( assume_domain(lp_workgroup())) {
918 fstrcpy(domain, lp_workgroup());
919 } else if ((p = strchr(domuser, '@')) != NULL) {
920 fstrcpy(domain, p + 1);
921 user[PTR_DIFF(p, domuser)] = 0;
927 fstrcpy(domain, domuser);
928 domain[PTR_DIFF(p, domuser)] = 0;
931 return strupper_m(domain);
934 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
935 char **domain, char **user)
937 fstring fstr_domain, fstr_user;
938 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
941 *domain = talloc_strdup(mem_ctx, fstr_domain);
942 *user = talloc_strdup(mem_ctx, fstr_user);
943 return ((*domain != NULL) && (*user != NULL));
946 /* Ensure an incoming username from NSS is fully qualified. Replace the
947 incoming fstring with DOMAIN <separator> user. Returns the same
948 values as parse_domain_user() but also replaces the incoming username.
949 Used to ensure all names are fully qualified within winbindd.
950 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
951 The protocol definitions of auth_crap, chng_pswd_auth_crap
952 really should be changed to use this instead of doing things
955 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
957 if (!parse_domain_user(username_inout, domain, user)) {
960 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
961 domain, *lp_winbind_separator(),
967 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
968 'winbind separator' options.
970 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
973 If we are a PDC or BDC, and this is for our domain, do likewise.
975 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
976 username is then unqualified in unix
978 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
980 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
984 fstrcpy(tmp_user, user);
985 (void)strlower_m(tmp_user);
987 if (can_assume && assume_domain(domain)) {
988 strlcpy(name, tmp_user, sizeof(fstring));
990 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
991 domain, *lp_winbind_separator(),
997 * talloc version of fill_domain_username()
998 * return NULL on talloc failure.
1000 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1005 char *tmp_user, *name;
1007 tmp_user = talloc_strdup(mem_ctx, user);
1008 if (!strlower_m(tmp_user)) {
1009 TALLOC_FREE(tmp_user);
1013 if (can_assume && assume_domain(domain)) {
1016 name = talloc_asprintf(mem_ctx, "%s%c%s",
1018 *lp_winbind_separator(),
1020 TALLOC_FREE(tmp_user);
1027 * Client list accessor functions
1030 static struct winbindd_cli_state *_client_list;
1031 static int _num_clients;
1033 /* Return list of all connected clients */
1035 struct winbindd_cli_state *winbindd_client_list(void)
1037 return _client_list;
1040 /* Add a connection to the list */
1042 void winbindd_add_client(struct winbindd_cli_state *cli)
1044 DLIST_ADD(_client_list, cli);
1048 /* Remove a client from the list */
1050 void winbindd_remove_client(struct winbindd_cli_state *cli)
1052 DLIST_REMOVE(_client_list, cli);
1056 /* Return number of open clients */
1058 int winbindd_num_clients(void)
1060 return _num_clients;
1063 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1064 TALLOC_CTX *mem_ctx,
1065 const struct dom_sid *user_sid,
1066 uint32_t *p_num_groups, struct dom_sid **user_sids)
1068 struct netr_SamInfo3 *info3 = NULL;
1069 NTSTATUS status = NT_STATUS_NO_MEMORY;
1070 uint32_t num_groups = 0;
1072 DEBUG(3,(": lookup_usergroups_cached\n"));
1077 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1079 if (info3 == NULL) {
1080 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1083 if (info3->base.groups.count == 0) {
1085 return NT_STATUS_UNSUCCESSFUL;
1089 * Before bug #7843 the "Domain Local" groups were added with a
1090 * lookupuseraliases call, but this isn't done anymore for our domain
1091 * so we need to resolve resource groups here.
1093 * When to use Resource Groups:
1094 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1096 status = sid_array_from_info3(mem_ctx, info3,
1101 if (!NT_STATUS_IS_OK(status)) {
1107 *p_num_groups = num_groups;
1108 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1110 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1115 /*********************************************************************
1116 We use this to remove spaces from user and group names
1117 ********************************************************************/
1119 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1120 struct winbindd_domain *domain,
1126 if (!name || !normalized) {
1127 return NT_STATUS_INVALID_PARAMETER;
1130 if (!lp_winbind_normalize_names()) {
1131 return NT_STATUS_PROCEDURE_NOT_FOUND;
1134 /* Alias support and whitespace replacement are mutually
1137 nt_status = resolve_username_to_alias(mem_ctx, domain,
1139 if (NT_STATUS_IS_OK(nt_status)) {
1140 /* special return code to let the caller know we
1141 mapped to an alias */
1142 return NT_STATUS_FILE_RENAMED;
1145 /* check for an unreachable domain */
1147 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1148 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1150 set_domain_offline(domain);
1154 /* deal with whitespace */
1156 *normalized = talloc_strdup(mem_ctx, name);
1157 if (!(*normalized)) {
1158 return NT_STATUS_NO_MEMORY;
1161 all_string_sub( *normalized, " ", "_", 0 );
1163 return NT_STATUS_OK;
1166 /*********************************************************************
1167 We use this to do the inverse of normalize_name_map()
1168 ********************************************************************/
1170 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1175 struct winbindd_domain *domain = find_our_domain();
1177 if (!name || !normalized) {
1178 return NT_STATUS_INVALID_PARAMETER;
1181 if (!lp_winbind_normalize_names()) {
1182 return NT_STATUS_PROCEDURE_NOT_FOUND;
1185 /* Alias support and whitespace replacement are mutally
1188 /* When mapping from an alias to a username, we don't know the
1189 domain. But we only need a domain structure to cache
1190 a successful lookup , so just our own domain structure for
1193 nt_status = resolve_alias_to_username(mem_ctx, domain,
1195 if (NT_STATUS_IS_OK(nt_status)) {
1196 /* Special return code to let the caller know we mapped
1198 return NT_STATUS_FILE_RENAMED;
1201 /* check for an unreachable domain */
1203 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1204 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1206 set_domain_offline(domain);
1210 /* deal with whitespace */
1212 *normalized = talloc_strdup(mem_ctx, name);
1213 if (!(*normalized)) {
1214 return NT_STATUS_NO_MEMORY;
1217 all_string_sub(*normalized, "_", " ", 0);
1219 return NT_STATUS_OK;
1222 /*********************************************************************
1223 ********************************************************************/
1225 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1227 struct winbindd_tdc_domain *tdc = NULL;
1228 TALLOC_CTX *frame = talloc_stackframe();
1231 /* We can contact the domain if it is our primary domain */
1233 if (domain->primary) {
1238 /* Trust the TDC cache and not the winbindd_domain flags */
1240 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1241 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1247 /* Can always contact a domain that is in out forest */
1249 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1255 * On a _member_ server, we cannot contact the domain if it
1256 * is running AD and we have no inbound trust.
1260 domain->active_directory &&
1261 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1263 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1264 "and we have no inbound trust.\n", domain->name));
1268 /* Assume everything else is ok (probably not true but what
1274 talloc_destroy(frame);
1279 /*********************************************************************
1280 ********************************************************************/
1282 bool winbindd_internal_child(struct winbindd_child *child)
1284 if ((child == idmap_child()) || (child == locator_child())) {
1291 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1293 /*********************************************************************
1294 ********************************************************************/
1296 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1299 char addr[INET6_ADDRSTRLEN];
1300 const char *kdc = NULL;
1303 if (!domain || !domain->alt_name || !*domain->alt_name) {
1307 if (domain->initialized && !domain->active_directory) {
1308 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1313 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1316 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1318 kdc = domain->dcname;
1321 if (!kdc || !*kdc) {
1322 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1327 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1328 domain->alt_name) == -1) {
1332 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1335 setenv(var, kdc, 1);
1339 /*********************************************************************
1340 ********************************************************************/
1342 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1344 struct winbindd_domain *our_dom = find_our_domain();
1346 winbindd_set_locator_kdc_env(domain);
1348 if (domain != our_dom) {
1349 winbindd_set_locator_kdc_env(our_dom);
1353 /*********************************************************************
1354 ********************************************************************/
1356 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1360 if (!domain || !domain->alt_name || !*domain->alt_name) {
1364 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1365 domain->alt_name) == -1) {
1374 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1379 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1384 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1386 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1388 resp->data.auth.nt_status = NT_STATUS_V(result);
1389 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1391 /* we might have given a more useful error above */
1392 if (*resp->data.auth.error_string == '\0')
1393 fstrcpy(resp->data.auth.error_string,
1394 get_friendly_nt_error_msg(result));
1395 resp->data.auth.pam_error = nt_status_to_pam(result);
1398 bool is_domain_offline(const struct winbindd_domain *domain)
1400 if (!lp_winbind_offline_logon()) {
1403 if (get_global_winbindd_state_offline()) {
1406 return !domain->online;
1409 bool is_domain_online(const struct winbindd_domain *domain)
1411 return !is_domain_offline(domain);
1415 * Parse an char array into a list of sids.
1417 * The input sidstr should consist of 0-terminated strings
1418 * representing sids, separated by newline characters '\n'.
1419 * The list is terminated by an empty string, i.e.
1420 * character '\0' directly following a character '\n'
1421 * (or '\0' right at the start of sidstr).
1423 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1424 struct dom_sid **sids, uint32_t *num_sids)
1432 while (p[0] != '\0') {
1434 const char *q = NULL;
1436 if (!dom_sid_parse_endp(p, &sid, &q)) {
1437 DEBUG(1, ("Could not parse sid %s\n", p));
1440 if ((q == NULL) || (q[0] != '\n')) {
1441 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1444 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,