2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
31 #define DBGC_CLASS DBGC_WINBIND
33 extern struct winbindd_methods cache_methods;
36 * @file winbindd_util.cq
38 * Winbind daemon for NT domain authentication nss module.
42 /* The list of trusted domains. Note that the list can be deleted and
43 recreated using the init_domain_list() function so pointers to
44 individual winbindd_domain structures cannot be made. Keep a copy of
45 the domain name instead. */
47 static struct winbindd_domain *_domain_list = NULL;
49 struct winbindd_domain *domain_list(void)
53 if ((!_domain_list) && (!init_domain_list())) {
54 smb_panic("Init_domain_list failed");
60 /* Free all entries in the trusted domain list */
62 static void free_domain_list(void)
64 struct winbindd_domain *domain = _domain_list;
67 struct winbindd_domain *next = domain->next;
69 DLIST_REMOVE(_domain_list, domain);
75 static bool is_internal_domain(const struct dom_sid *sid)
80 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
83 static bool is_in_internal_domain(const struct dom_sid *sid)
88 return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
92 /* Add a trusted domain to our list of domains */
93 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
94 struct winbindd_methods *methods,
95 const struct dom_sid *sid)
97 struct winbindd_domain *domain;
98 const char *alternative_name = NULL;
99 char *idmap_config_option;
101 const char **ignored_domains, **dom;
103 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
104 for (dom=ignored_domains; dom && *dom; dom++) {
105 if (gen_fnmatch(*dom, domain_name) == 0) {
106 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
111 /* ignore alt_name if we are not in an AD domain */
113 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
114 alternative_name = alt_name;
117 /* We can't call domain_list() as this function is called from
118 init_domain_list() and we'll get stuck in a loop. */
119 for (domain = _domain_list; domain; domain = domain->next) {
120 if (strequal(domain_name, domain->name) ||
121 strequal(domain_name, domain->alt_name))
126 if (alternative_name && *alternative_name)
128 if (strequal(alternative_name, domain->name) ||
129 strequal(alternative_name, domain->alt_name))
137 if (is_null_sid(sid)) {
141 if (dom_sid_equal(sid, &domain->sid)) {
147 if (domain != NULL) {
149 * We found a match. Possibly update the SID
152 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
153 sid_copy( &domain->sid, sid );
158 /* Create new domain entry */
160 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
165 ZERO_STRUCTP(domain);
167 domain->children = SMB_MALLOC_ARRAY(
168 struct winbindd_child, lp_winbind_max_domain_connections());
169 if (domain->children == NULL) {
173 memset(domain->children, 0,
174 sizeof(struct winbindd_child)
175 * lp_winbind_max_domain_connections());
177 fstrcpy(domain->name, domain_name);
178 if (alternative_name) {
179 fstrcpy(domain->alt_name, alternative_name);
182 domain->methods = methods;
183 domain->backend = NULL;
184 domain->internal = is_internal_domain(sid);
185 domain->sequence_number = DOM_SEQUENCE_NONE;
186 domain->last_seq_check = 0;
187 domain->initialized = False;
188 domain->online = is_internal_domain(sid);
189 domain->check_online_timeout = 0;
190 domain->dc_probe_pid = (pid_t)-1;
192 sid_copy(&domain->sid, sid);
195 /* Link to domain list */
196 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
198 wcache_tdc_add_domain( domain );
200 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
202 if (idmap_config_option == NULL) {
203 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
207 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
209 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
210 param ? param : "not defined"));
213 unsigned low_id, high_id;
214 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
215 DEBUG(1, ("invalid range syntax in %s: %s\n",
216 idmap_config_option, param));
219 if (low_id > high_id) {
220 DEBUG(1, ("invalid range in %s: %s\n",
221 idmap_config_option, param));
224 domain->have_idmap_config = true;
225 domain->id_range_low = low_id;
226 domain->id_range_high = high_id;
231 DEBUG(2,("Added domain %s %s %s\n",
232 domain->name, domain->alt_name,
233 &domain->sid?sid_string_dbg(&domain->sid):""));
238 bool domain_is_forest_root(const struct winbindd_domain *domain)
240 const uint32_t fr_flags =
241 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
243 return ((domain->domain_flags & fr_flags) == fr_flags);
246 /********************************************************************
247 rescan our domains looking for new trusted domains
248 ********************************************************************/
250 struct trustdom_state {
251 struct winbindd_domain *domain;
252 struct winbindd_request request;
255 static void trustdom_list_done(struct tevent_req *req);
256 static void rescan_forest_root_trusts( void );
257 static void rescan_forest_trusts( void );
259 static void add_trusted_domains( struct winbindd_domain *domain )
261 struct trustdom_state *state;
262 struct tevent_req *req;
264 state = talloc_zero(NULL, struct trustdom_state);
266 DEBUG(0, ("talloc failed\n"));
269 state->domain = domain;
271 state->request.length = sizeof(state->request);
272 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
274 req = wb_domain_request_send(state, winbind_event_context(),
275 domain, &state->request);
277 DEBUG(1, ("wb_domain_request_send failed\n"));
281 tevent_req_set_callback(req, trustdom_list_done, state);
284 static void trustdom_list_done(struct tevent_req *req)
286 struct trustdom_state *state = tevent_req_callback_data(
287 req, struct trustdom_state);
288 struct winbindd_response *response;
292 res = wb_domain_request_recv(req, state, &response, &err);
293 if ((res == -1) || (response->result != WINBINDD_OK)) {
294 DEBUG(1, ("Could not receive trustdoms\n"));
299 p = (char *)response->extra_data.data;
301 while ((p != NULL) && (*p != '\0')) {
302 char *q, *sidstr, *alt_name;
304 struct winbindd_domain *domain;
305 char *alternate_name = NULL;
307 alt_name = strchr(p, '\\');
308 if (alt_name == NULL) {
309 DEBUG(0, ("Got invalid trustdom response\n"));
316 sidstr = strchr(alt_name, '\\');
317 if (sidstr == NULL) {
318 DEBUG(0, ("Got invalid trustdom response\n"));
325 q = strchr(sidstr, '\n');
329 if (!string_to_sid(&sid, sidstr)) {
330 DEBUG(0, ("Got invalid trustdom response\n"));
334 /* use the real alt_name if we have one, else pass in NULL */
336 if ( !strequal( alt_name, "(null)" ) )
337 alternate_name = alt_name;
339 /* If we have an existing domain structure, calling
340 add_trusted_domain() will update the SID if
341 necessary. This is important because we need the
342 SID for sibling domains */
344 if ( find_domain_from_name_noinit(p) != NULL ) {
345 domain = add_trusted_domain(p, alternate_name,
349 domain = add_trusted_domain(p, alternate_name,
353 setup_domain_child(domain);
362 Cases to consider when scanning trusts:
363 (a) we are calling from a child domain (primary && !forest_root)
364 (b) we are calling from the root of the forest (primary && forest_root)
365 (c) we are calling from a trusted forest domain (!primary
369 if (state->domain->primary) {
370 /* If this is our primary domain and we are not in the
371 forest root, we have to scan the root trusts first */
373 if (!domain_is_forest_root(state->domain))
374 rescan_forest_root_trusts();
376 rescan_forest_trusts();
378 } else if (domain_is_forest_root(state->domain)) {
379 /* Once we have done root forest trust search, we can
380 go on to search the trusted forests */
382 rescan_forest_trusts();
390 /********************************************************************
391 Scan the trusts of our forest root
392 ********************************************************************/
394 static void rescan_forest_root_trusts( void )
396 struct winbindd_tdc_domain *dom_list = NULL;
397 size_t num_trusts = 0;
400 /* The only transitive trusts supported by Windows 2003 AD are
401 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
402 first two are handled in forest and listed by
403 DsEnumerateDomainTrusts(). Forest trusts are not so we
404 have to do that ourselves. */
406 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
409 for ( i=0; i<num_trusts; i++ ) {
410 struct winbindd_domain *d = NULL;
412 /* Find the forest root. Don't necessarily trust
413 the domain_list() as our primary domain may not
414 have been initialized. */
416 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
420 /* Here's the forest root */
422 d = find_domain_from_name_noinit( dom_list[i].domain_name );
425 d = add_trusted_domain( dom_list[i].domain_name,
426 dom_list[i].dns_name,
430 setup_domain_child(d);
438 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
439 "for domain tree root %s (%s)\n",
440 d->name, d->alt_name ));
442 d->domain_flags = dom_list[i].trust_flags;
443 d->domain_type = dom_list[i].trust_type;
444 d->domain_trust_attribs = dom_list[i].trust_attribs;
446 add_trusted_domains( d );
451 TALLOC_FREE( dom_list );
456 /********************************************************************
457 scan the transitive forest trusts (not our own)
458 ********************************************************************/
461 static void rescan_forest_trusts( void )
463 struct winbindd_domain *d = NULL;
464 struct winbindd_tdc_domain *dom_list = NULL;
465 size_t num_trusts = 0;
468 /* The only transitive trusts supported by Windows 2003 AD are
469 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
470 first two are handled in forest and listed by
471 DsEnumerateDomainTrusts(). Forest trusts are not so we
472 have to do that ourselves. */
474 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
477 for ( i=0; i<num_trusts; i++ ) {
478 uint32 flags = dom_list[i].trust_flags;
479 uint32 type = dom_list[i].trust_type;
480 uint32 attribs = dom_list[i].trust_attribs;
482 d = find_domain_from_name_noinit( dom_list[i].domain_name );
484 /* ignore our primary and internal domains */
486 if ( d && (d->internal || d->primary ) )
489 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
490 (type == NETR_TRUST_TYPE_UPLEVEL) &&
491 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
493 /* add the trusted domain if we don't know
497 d = add_trusted_domain( dom_list[i].domain_name,
498 dom_list[i].dns_name,
502 setup_domain_child(d);
510 DEBUG(10,("Following trust path for domain %s (%s)\n",
511 d->name, d->alt_name ));
512 add_trusted_domains( d );
516 TALLOC_FREE( dom_list );
521 /*********************************************************************
522 The process of updating the trusted domain list is a three step
525 (b) ask the root domain in our forest
526 (c) ask the a DC in any Win2003 trusted forests
527 *********************************************************************/
529 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
530 struct timeval now, void *private_data)
534 /* I use to clear the cache here and start over but that
535 caused problems in child processes that needed the
536 trust dom list early on. Removing it means we
537 could have some trusted domains listed that have been
538 removed from our primary domain's DC until a full
539 restart. This should be ok since I think this is what
540 Windows does as well. */
542 /* this will only add new domains we didn't already know about
543 in the domain_list()*/
545 add_trusted_domains( find_our_domain() );
547 te = tevent_add_timer(
548 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
549 rescan_trusted_domains, NULL);
551 * If te == NULL, there's not much we can do here. Don't fail, the
552 * only thing we miss is new trusted domains.
558 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
559 struct winbindd_cli_state *state)
561 /* Ensure null termination */
562 state->request->domain_name
563 [sizeof(state->request->domain_name)-1]='\0';
564 state->request->data.init_conn.dcname
565 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
567 if (strlen(state->request->data.init_conn.dcname) > 0) {
568 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
571 if (domain->internal) {
572 domain->initialized = true;
574 init_dc_connection(domain);
577 if (!domain->initialized) {
578 /* If we return error here we can't do any cached authentication,
579 but we may be in disconnected mode and can't initialize correctly.
580 Do what the previous code did and just return without initialization,
581 once we go online we'll re-initialize.
583 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
584 "online = %d\n", domain->name, (int)domain->online ));
587 fstrcpy(state->response->data.domain_info.name, domain->name);
588 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
589 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
591 state->response->data.domain_info.native_mode
592 = domain->native_mode;
593 state->response->data.domain_info.active_directory
594 = domain->active_directory;
595 state->response->data.domain_info.primary
601 /* Look up global info for the winbind daemon */
602 bool init_domain_list(void)
604 struct winbindd_domain *domain;
605 int role = lp_server_role();
607 /* Free existing list */
612 domain = add_trusted_domain("BUILTIN", NULL, &cache_methods,
613 &global_sid_Builtin);
615 setup_domain_child(domain);
620 domain = add_trusted_domain(get_global_sam_name(), NULL,
621 &cache_methods, get_global_sam_sid());
623 if ( role != ROLE_DOMAIN_MEMBER ) {
624 domain->primary = True;
626 setup_domain_child(domain);
629 /* Add ourselves as the first entry. */
631 if ( role == ROLE_DOMAIN_MEMBER ) {
632 struct dom_sid our_sid;
634 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
635 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
639 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
640 &cache_methods, &our_sid);
642 domain->primary = True;
643 setup_domain_child(domain);
645 /* Even in the parent winbindd we'll need to
646 talk to the DC, so try and see if we can
647 contact it. Theoretically this isn't neccessary
648 as the init_dc_connection() in init_child_recv()
649 will do this, but we can start detecting the DC
651 set_domain_online_request(domain);
659 * Given a domain name, return the struct winbindd domain info for it
661 * @note Do *not* pass lp_workgroup() to this function. domain_list
662 * may modify it's value, and free that pointer. Instead, our local
663 * domain may be found by calling find_our_domain().
667 * @return The domain structure for the named domain, if it is working.
670 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
672 struct winbindd_domain *domain;
674 /* Search through list */
676 for (domain = domain_list(); domain != NULL; domain = domain->next) {
677 if (strequal(domain_name, domain->name) ||
678 (domain->alt_name[0] &&
679 strequal(domain_name, domain->alt_name))) {
689 struct winbindd_domain *find_domain_from_name(const char *domain_name)
691 struct winbindd_domain *domain;
693 domain = find_domain_from_name_noinit(domain_name);
698 if (!domain->initialized)
699 init_dc_connection(domain);
704 /* Given a domain sid, return the struct winbindd domain info for it */
706 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
708 struct winbindd_domain *domain;
710 /* Search through list */
712 for (domain = domain_list(); domain != NULL; domain = domain->next) {
713 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
722 /* Given a domain sid, return the struct winbindd domain info for it */
724 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
726 struct winbindd_domain *domain;
728 domain = find_domain_from_sid_noinit(sid);
733 if (!domain->initialized)
734 init_dc_connection(domain);
739 struct winbindd_domain *find_our_domain(void)
741 struct winbindd_domain *domain;
743 /* Search through list */
745 for (domain = domain_list(); domain != NULL; domain = domain->next) {
750 smb_panic("Could not find our domain");
754 struct winbindd_domain *find_root_domain(void)
756 struct winbindd_domain *ours = find_our_domain();
758 if (ours->forest_name[0] == '\0') {
762 return find_domain_from_name( ours->forest_name );
765 struct winbindd_domain *find_builtin_domain(void)
767 struct winbindd_domain *domain;
769 domain = find_domain_from_sid(&global_sid_Builtin);
770 if (domain == NULL) {
771 smb_panic("Could not find BUILTIN domain");
777 /* Find the appropriate domain to lookup a name or SID */
779 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
781 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
783 if ( sid_check_is_in_unix_groups(sid) ||
784 sid_check_is_unix_groups(sid) ||
785 sid_check_is_in_unix_users(sid) ||
786 sid_check_is_unix_users(sid) )
788 return find_domain_from_sid(get_global_sam_sid());
791 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
792 * one to contact the external DC's. On member servers the internal
793 * domains are different: These are part of the local SAM. */
795 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
797 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
798 DEBUG(10, ("calling find_domain_from_sid\n"));
799 return find_domain_from_sid(sid);
802 /* On a member server a query for SID or name can always go to our
805 DEBUG(10, ("calling find_our_domain\n"));
806 return find_our_domain();
809 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
811 if ( strequal(domain_name, unix_users_domain_name() ) ||
812 strequal(domain_name, unix_groups_domain_name() ) )
815 * The "Unix User" and "Unix Group" domain our handled by
818 return find_domain_from_name_noinit( get_global_sam_name() );
821 if (IS_DC || strequal(domain_name, "BUILTIN") ||
822 strequal(domain_name, get_global_sam_name()))
823 return find_domain_from_name_noinit(domain_name);
826 return find_our_domain();
829 /* Is this a domain which we may assume no DOMAIN\ prefix? */
831 static bool assume_domain(const char *domain)
833 /* never assume the domain on a standalone server */
835 if ( lp_server_role() == ROLE_STANDALONE )
838 /* domain member servers may possibly assume for the domain name */
840 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
841 if ( !strequal(lp_workgroup(), domain) )
844 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
848 /* only left with a domain controller */
850 if ( strequal(get_global_sam_name(), domain) ) {
857 /* Parse a string of the form DOMAIN\user into a domain and a user */
859 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
861 char *p = strchr(domuser,*lp_winbind_separator());
864 fstrcpy(user, domuser);
866 if ( assume_domain(lp_workgroup())) {
867 fstrcpy(domain, lp_workgroup());
868 } else if ((p = strchr(domuser, '@')) != NULL) {
869 fstrcpy(domain, p + 1);
870 user[PTR_DIFF(p, domuser)] = 0;
876 fstrcpy(domain, domuser);
877 domain[PTR_DIFF(p, domuser)] = 0;
880 return strupper_m(domain);
883 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
884 char **domain, char **user)
886 fstring fstr_domain, fstr_user;
887 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
890 *domain = talloc_strdup(mem_ctx, fstr_domain);
891 *user = talloc_strdup(mem_ctx, fstr_user);
892 return ((*domain != NULL) && (*user != NULL));
895 /* Ensure an incoming username from NSS is fully qualified. Replace the
896 incoming fstring with DOMAIN <separator> user. Returns the same
897 values as parse_domain_user() but also replaces the incoming username.
898 Used to ensure all names are fully qualified within winbindd.
899 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
900 The protocol definitions of auth_crap, chng_pswd_auth_crap
901 really should be changed to use this instead of doing things
904 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
906 if (!parse_domain_user(username_inout, domain, user)) {
909 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
910 domain, *lp_winbind_separator(),
916 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
917 'winbind separator' options.
919 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
922 If we are a PDC or BDC, and this is for our domain, do likewise.
924 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
925 username is then unqualified in unix
927 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
929 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
933 fstrcpy(tmp_user, user);
934 (void)strlower_m(tmp_user);
936 if (can_assume && assume_domain(domain)) {
937 strlcpy(name, tmp_user, sizeof(fstring));
939 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
940 domain, *lp_winbind_separator(),
946 * talloc version of fill_domain_username()
947 * return NULL on talloc failure.
949 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
954 char *tmp_user, *name;
956 tmp_user = talloc_strdup(mem_ctx, user);
957 if (!strlower_m(tmp_user)) {
958 TALLOC_FREE(tmp_user);
962 if (can_assume && assume_domain(domain)) {
965 name = talloc_asprintf(mem_ctx, "%s%c%s",
967 *lp_winbind_separator(),
969 TALLOC_FREE(tmp_user);
976 * Client list accessor functions
979 static struct winbindd_cli_state *_client_list;
980 static int _num_clients;
982 /* Return list of all connected clients */
984 struct winbindd_cli_state *winbindd_client_list(void)
989 /* Add a connection to the list */
991 void winbindd_add_client(struct winbindd_cli_state *cli)
993 DLIST_ADD(_client_list, cli);
997 /* Remove a client from the list */
999 void winbindd_remove_client(struct winbindd_cli_state *cli)
1001 DLIST_REMOVE(_client_list, cli);
1005 /* Return number of open clients */
1007 int winbindd_num_clients(void)
1009 return _num_clients;
1012 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1013 TALLOC_CTX *mem_ctx,
1014 const struct dom_sid *user_sid,
1015 uint32_t *p_num_groups, struct dom_sid **user_sids)
1017 struct netr_SamInfo3 *info3 = NULL;
1018 NTSTATUS status = NT_STATUS_NO_MEMORY;
1019 uint32_t num_groups = 0;
1021 DEBUG(3,(": lookup_usergroups_cached\n"));
1026 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1028 if (info3 == NULL) {
1029 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1032 if (info3->base.groups.count == 0) {
1034 return NT_STATUS_UNSUCCESSFUL;
1038 * Before bug #7843 the "Domain Local" groups were added with a
1039 * lookupuseraliases call, but this isn't done anymore for our domain
1040 * so we need to resolve resource groups here.
1042 * When to use Resource Groups:
1043 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1045 status = sid_array_from_info3(mem_ctx, info3,
1050 if (!NT_STATUS_IS_OK(status)) {
1056 *p_num_groups = num_groups;
1057 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1059 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1064 /*********************************************************************
1065 We use this to remove spaces from user and group names
1066 ********************************************************************/
1068 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1069 struct winbindd_domain *domain,
1075 if (!name || !normalized) {
1076 return NT_STATUS_INVALID_PARAMETER;
1079 if (!lp_winbind_normalize_names()) {
1080 return NT_STATUS_PROCEDURE_NOT_FOUND;
1083 /* Alias support and whitespace replacement are mutually
1086 nt_status = resolve_username_to_alias(mem_ctx, domain,
1088 if (NT_STATUS_IS_OK(nt_status)) {
1089 /* special return code to let the caller know we
1090 mapped to an alias */
1091 return NT_STATUS_FILE_RENAMED;
1094 /* check for an unreachable domain */
1096 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1097 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1099 set_domain_offline(domain);
1103 /* deal with whitespace */
1105 *normalized = talloc_strdup(mem_ctx, name);
1106 if (!(*normalized)) {
1107 return NT_STATUS_NO_MEMORY;
1110 all_string_sub( *normalized, " ", "_", 0 );
1112 return NT_STATUS_OK;
1115 /*********************************************************************
1116 We use this to do the inverse of normalize_name_map()
1117 ********************************************************************/
1119 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1124 struct winbindd_domain *domain = find_our_domain();
1126 if (!name || !normalized) {
1127 return NT_STATUS_INVALID_PARAMETER;
1130 if (!lp_winbind_normalize_names()) {
1131 return NT_STATUS_PROCEDURE_NOT_FOUND;
1134 /* Alias support and whitespace replacement are mutally
1137 /* When mapping from an alias to a username, we don't know the
1138 domain. But we only need a domain structure to cache
1139 a successful lookup , so just our own domain structure for
1142 nt_status = resolve_alias_to_username(mem_ctx, domain,
1144 if (NT_STATUS_IS_OK(nt_status)) {
1145 /* Special return code to let the caller know we mapped
1147 return NT_STATUS_FILE_RENAMED;
1150 /* check for an unreachable domain */
1152 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1153 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1155 set_domain_offline(domain);
1159 /* deal with whitespace */
1161 *normalized = talloc_strdup(mem_ctx, name);
1162 if (!(*normalized)) {
1163 return NT_STATUS_NO_MEMORY;
1166 all_string_sub(*normalized, "_", " ", 0);
1168 return NT_STATUS_OK;
1171 /*********************************************************************
1172 ********************************************************************/
1174 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1176 struct winbindd_tdc_domain *tdc = NULL;
1177 TALLOC_CTX *frame = talloc_stackframe();
1180 /* We can contact the domain if it is our primary domain */
1182 if (domain->primary) {
1187 /* Trust the TDC cache and not the winbindd_domain flags */
1189 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1190 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1196 /* Can always contact a domain that is in out forest */
1198 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1204 * On a _member_ server, we cannot contact the domain if it
1205 * is running AD and we have no inbound trust.
1209 domain->active_directory &&
1210 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1212 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1213 "and we have no inbound trust.\n", domain->name));
1217 /* Assume everything else is ok (probably not true but what
1223 talloc_destroy(frame);
1228 /*********************************************************************
1229 ********************************************************************/
1231 bool winbindd_internal_child(struct winbindd_child *child)
1233 if ((child == idmap_child()) || (child == locator_child())) {
1240 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1242 /*********************************************************************
1243 ********************************************************************/
1245 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1248 char addr[INET6_ADDRSTRLEN];
1249 const char *kdc = NULL;
1252 if (!domain || !domain->alt_name || !*domain->alt_name) {
1256 if (domain->initialized && !domain->active_directory) {
1257 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1262 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1265 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1267 kdc = domain->dcname;
1270 if (!kdc || !*kdc) {
1271 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1276 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1277 domain->alt_name) == -1) {
1281 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1284 setenv(var, kdc, 1);
1288 /*********************************************************************
1289 ********************************************************************/
1291 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1293 struct winbindd_domain *our_dom = find_our_domain();
1295 winbindd_set_locator_kdc_env(domain);
1297 if (domain != our_dom) {
1298 winbindd_set_locator_kdc_env(our_dom);
1302 /*********************************************************************
1303 ********************************************************************/
1305 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1309 if (!domain || !domain->alt_name || !*domain->alt_name) {
1313 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1314 domain->alt_name) == -1) {
1323 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1328 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1333 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1335 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1337 resp->data.auth.nt_status = NT_STATUS_V(result);
1338 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1340 /* we might have given a more useful error above */
1341 if (*resp->data.auth.error_string == '\0')
1342 fstrcpy(resp->data.auth.error_string,
1343 get_friendly_nt_error_msg(result));
1344 resp->data.auth.pam_error = nt_status_to_pam(result);
1347 bool is_domain_offline(const struct winbindd_domain *domain)
1349 if (!lp_winbind_offline_logon()) {
1352 if (get_global_winbindd_state_offline()) {
1355 return !domain->online;
1358 bool is_domain_online(const struct winbindd_domain *domain)
1360 return !is_domain_offline(domain);
1363 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1364 struct dom_sid **sids, uint32_t *num_sids)
1372 while (p[0] != '\0') {
1374 const char *q = NULL;
1376 if (!dom_sid_parse_endp(p, &sid, &q)) {
1377 DEBUG(1, ("Could not parse sid %s\n", p));
1380 if ((q == NULL) || (q[0] != '\n')) {
1381 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1384 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
git.samba.org / samba.git / blob