2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
30 #include "source4/lib/messaging/messaging.h"
31 #include "librpc/gen_ndr/ndr_lsa.h"
32 #include "auth/credentials/credentials.h"
35 #define DBGC_CLASS DBGC_WINBIND
37 extern struct winbindd_methods cache_methods;
40 * @file winbindd_util.c
42 * Winbind daemon for NT domain authentication nss module.
46 /* The list of trusted domains. Note that the list can be deleted and
47 recreated using the init_domain_list() function so pointers to
48 individual winbindd_domain structures cannot be made. Keep a copy of
49 the domain name instead. */
51 static struct winbindd_domain *_domain_list = NULL;
53 struct winbindd_domain *domain_list(void)
57 if ((!_domain_list) && (!init_domain_list())) {
58 smb_panic("Init_domain_list failed");
64 /* Free all entries in the trusted domain list */
66 static void free_domain_list(void)
68 struct winbindd_domain *domain = _domain_list;
71 struct winbindd_domain *next = domain->next;
73 DLIST_REMOVE(_domain_list, domain);
80 * Iterator for winbindd's domain list.
81 * To be used (e.g.) in tevent based loops.
83 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
86 domain = domain_list();
88 domain = domain->next;
91 if ((domain != NULL) &&
92 (lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC) &&
93 sid_check_is_our_sam(&domain->sid))
95 domain = domain->next;
101 static bool is_internal_domain(const struct dom_sid *sid)
106 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
109 static bool is_in_internal_domain(const struct dom_sid *sid)
114 return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
118 /* Add a trusted domain to our list of domains.
119 If the domain already exists in the list,
120 return it and don't re-initialize. */
122 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
123 struct winbindd_methods *methods,
124 const struct dom_sid *sid)
126 struct winbindd_domain *domain;
127 const char *alternative_name = NULL;
128 char *idmap_config_option;
130 const char **ignored_domains, **dom;
131 int role = lp_server_role();
133 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
134 for (dom=ignored_domains; dom && *dom; dom++) {
135 if (gen_fnmatch(*dom, domain_name) == 0) {
136 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
141 /* use alt_name if available to allow DNS lookups */
143 if (alt_name && *alt_name) {
144 alternative_name = alt_name;
147 /* We can't call domain_list() as this function is called from
148 init_domain_list() and we'll get stuck in a loop. */
149 for (domain = _domain_list; domain; domain = domain->next) {
150 if (strequal(domain_name, domain->name) ||
151 strequal(domain_name, domain->alt_name))
156 if (alternative_name && *alternative_name)
158 if (strequal(alternative_name, domain->name) ||
159 strequal(alternative_name, domain->alt_name))
167 if (is_null_sid(sid)) {
171 if (dom_sid_equal(sid, &domain->sid)) {
177 if (domain != NULL) {
179 * We found a match on domain->name or
180 * domain->alt_name. Possibly update the SID
181 * if the stored SID was the NULL SID
182 * and return the matching entry.
185 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
186 sid_copy( &domain->sid, sid );
191 /* Create new domain entry */
192 domain = talloc_zero(NULL, struct winbindd_domain);
193 if (domain == NULL) {
197 domain->children = talloc_zero_array(domain,
198 struct winbindd_child,
199 lp_winbind_max_domain_connections());
200 if (domain->children == NULL) {
205 domain->name = talloc_strdup(domain, domain_name);
206 if (domain->name == NULL) {
211 if (alternative_name) {
212 domain->alt_name = talloc_strdup(domain, alternative_name);
213 if (domain->alt_name == NULL) {
219 domain->methods = methods;
220 domain->backend = NULL;
221 domain->internal = is_internal_domain(sid);
222 domain->sequence_number = DOM_SEQUENCE_NONE;
223 domain->last_seq_check = 0;
224 domain->initialized = False;
225 domain->online = is_internal_domain(sid);
226 domain->check_online_timeout = 0;
227 domain->dc_probe_pid = (pid_t)-1;
229 sid_copy(&domain->sid, sid);
232 /* Is this our primary domain ? */
233 if (strequal(domain_name, get_global_sam_name()) &&
234 (role != ROLE_DOMAIN_MEMBER)) {
235 domain->primary = true;
236 } else if (strequal(domain_name, lp_workgroup()) &&
237 (role == ROLE_DOMAIN_MEMBER)) {
238 domain->primary = true;
241 if (domain->primary) {
242 if (role == ROLE_ACTIVE_DIRECTORY_DC) {
243 domain->active_directory = true;
245 if (lp_security() == SEC_ADS) {
246 domain->active_directory = true;
250 /* Link to domain list */
251 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
253 wcache_tdc_add_domain( domain );
255 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
257 if (idmap_config_option == NULL) {
258 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
262 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
264 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
265 param ? param : "not defined"));
268 unsigned low_id, high_id;
269 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
270 DEBUG(1, ("invalid range syntax in %s: %s\n",
271 idmap_config_option, param));
274 if (low_id > high_id) {
275 DEBUG(1, ("invalid range in %s: %s\n",
276 idmap_config_option, param));
279 domain->have_idmap_config = true;
280 domain->id_range_low = low_id;
281 domain->id_range_high = high_id;
286 setup_domain_child(domain);
288 DEBUG(2,("Added domain %s %s %s\n",
289 domain->name, domain->alt_name,
290 &domain->sid?sid_string_dbg(&domain->sid):""));
295 bool domain_is_forest_root(const struct winbindd_domain *domain)
297 const uint32_t fr_flags =
298 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
300 return ((domain->domain_flags & fr_flags) == fr_flags);
303 /********************************************************************
304 rescan our domains looking for new trusted domains
305 ********************************************************************/
307 struct trustdom_state {
308 struct winbindd_domain *domain;
309 struct winbindd_request request;
312 static void trustdom_list_done(struct tevent_req *req);
313 static void rescan_forest_root_trusts( void );
314 static void rescan_forest_trusts( void );
316 static void add_trusted_domains( struct winbindd_domain *domain )
318 struct trustdom_state *state;
319 struct tevent_req *req;
321 state = talloc_zero(NULL, struct trustdom_state);
323 DEBUG(0, ("talloc failed\n"));
326 state->domain = domain;
328 state->request.length = sizeof(state->request);
329 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
331 req = wb_domain_request_send(state, winbind_event_context(),
332 domain, &state->request);
334 DEBUG(1, ("wb_domain_request_send failed\n"));
338 tevent_req_set_callback(req, trustdom_list_done, state);
341 static void trustdom_list_done(struct tevent_req *req)
343 struct trustdom_state *state = tevent_req_callback_data(
344 req, struct trustdom_state);
345 struct winbindd_response *response;
349 res = wb_domain_request_recv(req, state, &response, &err);
350 if ((res == -1) || (response->result != WINBINDD_OK)) {
351 DEBUG(1, ("Could not receive trustdoms\n"));
356 p = (char *)response->extra_data.data;
358 while ((p != NULL) && (*p != '\0')) {
359 char *q, *sidstr, *alt_name;
361 char *alternate_name = NULL;
363 alt_name = strchr(p, '\\');
364 if (alt_name == NULL) {
365 DEBUG(0, ("Got invalid trustdom response\n"));
372 sidstr = strchr(alt_name, '\\');
373 if (sidstr == NULL) {
374 DEBUG(0, ("Got invalid trustdom response\n"));
381 q = strchr(sidstr, '\n');
385 if (!string_to_sid(&sid, sidstr)) {
386 DEBUG(0, ("Got invalid trustdom response\n"));
390 /* use the real alt_name if we have one, else pass in NULL */
392 if ( !strequal( alt_name, "(null)" ) )
393 alternate_name = alt_name;
396 * We always call add_trusted_domain() cause on an existing
397 * domain structure, it will update the SID if necessary.
398 * This is important because we need the SID for sibling
401 (void)add_trusted_domain(p, alternate_name,
411 Cases to consider when scanning trusts:
412 (a) we are calling from a child domain (primary && !forest_root)
413 (b) we are calling from the root of the forest (primary && forest_root)
414 (c) we are calling from a trusted forest domain (!primary
418 if (state->domain->primary) {
419 /* If this is our primary domain and we are not in the
420 forest root, we have to scan the root trusts first */
422 if (!domain_is_forest_root(state->domain))
423 rescan_forest_root_trusts();
425 rescan_forest_trusts();
427 } else if (domain_is_forest_root(state->domain)) {
428 /* Once we have done root forest trust search, we can
429 go on to search the trusted forests */
431 rescan_forest_trusts();
439 /********************************************************************
440 Scan the trusts of our forest root
441 ********************************************************************/
443 static void rescan_forest_root_trusts( void )
445 struct winbindd_tdc_domain *dom_list = NULL;
446 size_t num_trusts = 0;
449 /* The only transitive trusts supported by Windows 2003 AD are
450 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
451 first two are handled in forest and listed by
452 DsEnumerateDomainTrusts(). Forest trusts are not so we
453 have to do that ourselves. */
455 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
458 for ( i=0; i<num_trusts; i++ ) {
459 struct winbindd_domain *d = NULL;
461 /* Find the forest root. Don't necessarily trust
462 the domain_list() as our primary domain may not
463 have been initialized. */
465 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
469 /* Here's the forest root */
471 d = find_domain_from_name_noinit( dom_list[i].domain_name );
474 d = add_trusted_domain( dom_list[i].domain_name,
475 dom_list[i].dns_name,
484 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
485 "for domain tree root %s (%s)\n",
486 d->name, d->alt_name ));
488 d->domain_flags = dom_list[i].trust_flags;
489 d->domain_type = dom_list[i].trust_type;
490 d->domain_trust_attribs = dom_list[i].trust_attribs;
492 add_trusted_domains( d );
497 TALLOC_FREE( dom_list );
502 /********************************************************************
503 scan the transitive forest trusts (not our own)
504 ********************************************************************/
507 static void rescan_forest_trusts( void )
509 struct winbindd_domain *d = NULL;
510 struct winbindd_tdc_domain *dom_list = NULL;
511 size_t num_trusts = 0;
514 /* The only transitive trusts supported by Windows 2003 AD are
515 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
516 first two are handled in forest and listed by
517 DsEnumerateDomainTrusts(). Forest trusts are not so we
518 have to do that ourselves. */
520 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
523 for ( i=0; i<num_trusts; i++ ) {
524 uint32_t flags = dom_list[i].trust_flags;
525 uint32_t type = dom_list[i].trust_type;
526 uint32_t attribs = dom_list[i].trust_attribs;
528 d = find_domain_from_name_noinit( dom_list[i].domain_name );
530 /* ignore our primary and internal domains */
532 if ( d && (d->internal || d->primary ) )
535 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
536 (type == LSA_TRUST_TYPE_UPLEVEL) &&
537 (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
539 /* add the trusted domain if we don't know
543 d = add_trusted_domain( dom_list[i].domain_name,
544 dom_list[i].dns_name,
553 DEBUG(10,("Following trust path for domain %s (%s)\n",
554 d->name, d->alt_name ));
555 add_trusted_domains( d );
559 TALLOC_FREE( dom_list );
564 /*********************************************************************
565 The process of updating the trusted domain list is a three step
568 (b) ask the root domain in our forest
569 (c) ask the a DC in any Win2003 trusted forests
570 *********************************************************************/
572 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
573 struct timeval now, void *private_data)
577 /* I use to clear the cache here and start over but that
578 caused problems in child processes that needed the
579 trust dom list early on. Removing it means we
580 could have some trusted domains listed that have been
581 removed from our primary domain's DC until a full
582 restart. This should be ok since I think this is what
583 Windows does as well. */
585 /* this will only add new domains we didn't already know about
586 in the domain_list()*/
588 add_trusted_domains( find_our_domain() );
590 te = tevent_add_timer(
591 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
592 rescan_trusted_domains, NULL);
594 * If te == NULL, there's not much we can do here. Don't fail, the
595 * only thing we miss is new trusted domains.
601 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
602 struct winbindd_cli_state *state)
604 /* Ensure null termination */
605 state->request->domain_name
606 [sizeof(state->request->domain_name)-1]='\0';
607 state->request->data.init_conn.dcname
608 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
610 if (strlen(state->request->data.init_conn.dcname) > 0) {
611 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
614 init_dc_connection(domain, false);
616 if (!domain->initialized) {
617 /* If we return error here we can't do any cached authentication,
618 but we may be in disconnected mode and can't initialize correctly.
619 Do what the previous code did and just return without initialization,
620 once we go online we'll re-initialize.
622 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
623 "online = %d\n", domain->name, (int)domain->online ));
626 fstrcpy(state->response->data.domain_info.name, domain->name);
627 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
628 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
630 state->response->data.domain_info.native_mode
631 = domain->native_mode;
632 state->response->data.domain_info.active_directory
633 = domain->active_directory;
634 state->response->data.domain_info.primary
640 static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
643 struct server_id server_id,
646 TALLOC_CTX *frame = talloc_stackframe();
647 struct lsa_TrustDomainInfoInfoEx info;
648 enum ndr_err_code ndr_err;
649 struct winbindd_domain *d = NULL;
651 DEBUG(5, ("wb_imsg_new_trusted_domain\n"));
658 ndr_err = ndr_pull_struct_blob_all(data, frame, &info,
659 (ndr_pull_flags_fn_t)ndr_pull_lsa_TrustDomainInfoInfoEx);
660 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
665 d = find_domain_from_name_noinit(info.netbios_name.string);
671 d = add_trusted_domain(info.netbios_name.string,
672 info.domain_name.string,
690 if (info.trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
691 d->domain_flags |= NETR_TRUST_FLAG_INBOUND;
693 if (info.trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
694 d->domain_flags |= NETR_TRUST_FLAG_OUTBOUND;
696 if (info.trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
697 d->domain_flags |= NETR_TRUST_FLAG_IN_FOREST;
699 d->domain_type = info.trust_type;
700 d->domain_trust_attribs = info.trust_attributes;
706 * We did not get the secret when we queried secrets.tdb, so read it
707 * from secrets.tdb and re-sync the databases
709 static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
712 struct cli_credentials *creds;
713 NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
714 NULL, domain, &creds);
715 if (!NT_STATUS_IS_OK(can_migrate)) {
716 DEBUG(0, ("Failed to fetch our own, local AD domain join "
717 "password for winbindd's internal use, both from "
718 "secrets.tdb and secrets.ldb: %s\n",
719 nt_errstr(can_migrate)));
724 * NOTE: It is very unlikely we end up here if there is an
725 * oldpass, because a new password is created at
726 * classicupgrade, so this is not a concern.
728 ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
730 cli_credentials_get_domain(creds),
731 cli_credentials_get_realm(creds),
732 cli_credentials_get_salt_principal(creds),
733 0, /* Supported enc types, unused */
735 cli_credentials_get_password_last_changed_time(creds),
736 cli_credentials_get_secure_channel_type(creds),
737 false /* do_delete: Do not delete */);
740 DEBUG(0, ("Failed to write our our own, "
741 "local AD domain join password for "
742 "winbindd's internal use into secrets.tdb\n"));
748 /* Look up global info for the winbind daemon */
749 bool init_domain_list(void)
751 int role = lp_server_role();
754 /* Free existing list */
759 (void)add_trusted_domain("BUILTIN", NULL, &cache_methods,
760 &global_sid_Builtin);
764 if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
765 struct winbindd_domain *domain;
766 enum netr_SchannelType sec_chan_type;
767 const char *account_name;
768 struct samr_Password current_nt_hash;
769 struct pdb_domain_info *pdb_domain_info;
772 pdb_domain_info = pdb_get_domain_info(talloc_tos());
773 if (pdb_domain_info == NULL) {
774 DEBUG(0, ("Failed to fetch our own, local AD "
775 "domain info from sam.ldb\n"));
778 domain = add_trusted_domain(pdb_domain_info->name,
779 pdb_domain_info->dns_domain,
781 &pdb_domain_info->sid);
782 TALLOC_FREE(pdb_domain_info);
783 if (domain == NULL) {
784 DEBUG(0, ("Failed to add our own, local AD "
785 "domain to winbindd's internal list\n"));
790 * We need to call this to find out if we are an RODC
792 ok = get_trust_pw_hash(domain->name,
793 current_nt_hash.hash,
798 * If get_trust_pw_hash() fails, then try and
799 * fetch the password from the more recent of
800 * secrets.{ldb,tdb} using the
801 * pdb_get_trust_credentials()
803 ok = migrate_secrets_tdb_to_ldb(domain);
806 DEBUG(0, ("Failed to migrate our own, "
807 "local AD domain join password for "
808 "winbindd's internal use into "
812 ok = get_trust_pw_hash(domain->name,
813 current_nt_hash.hash,
817 DEBUG(0, ("Failed to find our our own, just "
818 "written local AD domain join "
819 "password for winbindd's internal "
820 "use in secrets.tdb\n"));
824 if (sec_chan_type == SEC_CHAN_RODC) {
829 (void)add_trusted_domain(get_global_sam_name(), NULL,
830 &cache_methods, get_global_sam_sid());
832 /* Add ourselves as the first entry. */
834 if ( role == ROLE_DOMAIN_MEMBER ) {
835 struct winbindd_domain *domain;
836 struct dom_sid our_sid;
838 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
839 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
843 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
844 &cache_methods, &our_sid);
846 /* Even in the parent winbindd we'll need to
847 talk to the DC, so try and see if we can
848 contact it. Theoretically this isn't neccessary
849 as the init_dc_connection() in init_child_recv()
850 will do this, but we can start detecting the DC
852 set_domain_online_request(domain);
856 status = imessaging_register(winbind_imessaging_context(), NULL,
857 MSG_WINBIND_NEW_TRUSTED_DOMAIN,
858 wb_imsg_new_trusted_domain);
859 if (!NT_STATUS_IS_OK(status)) {
860 DEBUG(0, ("imessaging_register(MSG_WINBIND_NEW_TRUSTED_DOMAIN) - %s\n",
869 * Given a domain name, return the struct winbindd domain info for it
871 * @note Do *not* pass lp_workgroup() to this function. domain_list
872 * may modify it's value, and free that pointer. Instead, our local
873 * domain may be found by calling find_our_domain().
877 * @return The domain structure for the named domain, if it is working.
880 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
882 struct winbindd_domain *domain;
884 /* Search through list */
886 for (domain = domain_list(); domain != NULL; domain = domain->next) {
887 if (strequal(domain_name, domain->name) ||
888 (domain->alt_name != NULL &&
889 strequal(domain_name, domain->alt_name))) {
899 struct winbindd_domain *find_domain_from_name(const char *domain_name)
901 struct winbindd_domain *domain;
903 domain = find_domain_from_name_noinit(domain_name);
908 if (!domain->initialized)
909 init_dc_connection(domain, false);
914 /* Given a domain sid, return the struct winbindd domain info for it */
916 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
918 struct winbindd_domain *domain;
920 /* Search through list */
922 for (domain = domain_list(); domain != NULL; domain = domain->next) {
923 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
932 /* Given a domain sid, return the struct winbindd domain info for it */
934 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
936 struct winbindd_domain *domain;
938 domain = find_domain_from_sid_noinit(sid);
943 if (!domain->initialized)
944 init_dc_connection(domain, false);
949 struct winbindd_domain *find_our_domain(void)
951 struct winbindd_domain *domain;
953 /* Search through list */
955 for (domain = domain_list(); domain != NULL; domain = domain->next) {
960 smb_panic("Could not find our domain");
964 struct winbindd_domain *find_root_domain(void)
966 struct winbindd_domain *ours = find_our_domain();
968 if (ours->forest_name == NULL) {
972 return find_domain_from_name( ours->forest_name );
975 struct winbindd_domain *find_builtin_domain(void)
977 struct winbindd_domain *domain;
979 domain = find_domain_from_sid(&global_sid_Builtin);
980 if (domain == NULL) {
981 smb_panic("Could not find BUILTIN domain");
987 /* Find the appropriate domain to lookup a name or SID */
989 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
991 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
993 if ( sid_check_is_in_unix_groups(sid) ||
994 sid_check_is_unix_groups(sid) ||
995 sid_check_is_in_unix_users(sid) ||
996 sid_check_is_unix_users(sid) )
998 return find_domain_from_sid(get_global_sam_sid());
1001 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
1002 * one to contact the external DC's. On member servers the internal
1003 * domains are different: These are part of the local SAM. */
1005 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
1007 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
1008 DEBUG(10, ("calling find_domain_from_sid\n"));
1009 return find_domain_from_sid(sid);
1012 /* On a member server a query for SID or name can always go to our
1015 DEBUG(10, ("calling find_our_domain\n"));
1016 return find_our_domain();
1019 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
1021 if ( strequal(domain_name, unix_users_domain_name() ) ||
1022 strequal(domain_name, unix_groups_domain_name() ) )
1025 * The "Unix User" and "Unix Group" domain our handled by
1028 return find_domain_from_name_noinit( get_global_sam_name() );
1031 if (IS_DC || strequal(domain_name, "BUILTIN") ||
1032 strequal(domain_name, get_global_sam_name()))
1033 return find_domain_from_name_noinit(domain_name);
1036 return find_our_domain();
1039 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1041 static bool assume_domain(const char *domain)
1043 /* never assume the domain on a standalone server */
1045 if ( lp_server_role() == ROLE_STANDALONE )
1048 /* domain member servers may possibly assume for the domain name */
1050 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1051 if ( !strequal(lp_workgroup(), domain) )
1054 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1058 /* only left with a domain controller */
1060 if ( strequal(get_global_sam_name(), domain) ) {
1067 /* Parse a string of the form DOMAIN\user into a domain and a user */
1069 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1071 char *p = strchr(domuser,*lp_winbind_separator());
1074 fstrcpy(user, domuser);
1076 if ( assume_domain(lp_workgroup())) {
1077 fstrcpy(domain, lp_workgroup());
1078 } else if ((p = strchr(domuser, '@')) != NULL) {
1079 fstrcpy(domain, p + 1);
1080 user[PTR_DIFF(p, domuser)] = 0;
1086 fstrcpy(domain, domuser);
1087 domain[PTR_DIFF(p, domuser)] = 0;
1090 return strupper_m(domain);
1093 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1094 char **domain, char **user)
1096 fstring fstr_domain, fstr_user;
1097 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1100 *domain = talloc_strdup(mem_ctx, fstr_domain);
1101 *user = talloc_strdup(mem_ctx, fstr_user);
1102 return ((*domain != NULL) && (*user != NULL));
1105 /* Ensure an incoming username from NSS is fully qualified. Replace the
1106 incoming fstring with DOMAIN <separator> user. Returns the same
1107 values as parse_domain_user() but also replaces the incoming username.
1108 Used to ensure all names are fully qualified within winbindd.
1109 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1110 The protocol definitions of auth_crap, chng_pswd_auth_crap
1111 really should be changed to use this instead of doing things
1114 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1116 if (!parse_domain_user(username_inout, domain, user)) {
1119 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1120 domain, *lp_winbind_separator(),
1126 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1127 'winbind separator' options.
1129 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1132 If we are a PDC or BDC, and this is for our domain, do likewise.
1134 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1135 username is then unqualified in unix
1137 On an AD DC we always fill DOMAIN\\USERNAME.
1139 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1141 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1145 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1149 fstrcpy(tmp_user, user);
1150 (void)strlower_m(tmp_user);
1152 if (can_assume && assume_domain(domain)) {
1153 strlcpy(name, tmp_user, sizeof(fstring));
1155 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1156 domain, *lp_winbind_separator(),
1162 * talloc version of fill_domain_username()
1163 * return NULL on talloc failure.
1165 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1170 char *tmp_user, *name;
1172 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1176 tmp_user = talloc_strdup(mem_ctx, user);
1177 if (!strlower_m(tmp_user)) {
1178 TALLOC_FREE(tmp_user);
1182 if (can_assume && assume_domain(domain)) {
1185 name = talloc_asprintf(mem_ctx, "%s%c%s",
1187 *lp_winbind_separator(),
1189 TALLOC_FREE(tmp_user);
1196 * Client list accessor functions
1199 static struct winbindd_cli_state *_client_list;
1200 static int _num_clients;
1202 /* Return list of all connected clients */
1204 struct winbindd_cli_state *winbindd_client_list(void)
1206 return _client_list;
1209 /* Return list-tail of all connected clients */
1211 struct winbindd_cli_state *winbindd_client_list_tail(void)
1213 return DLIST_TAIL(_client_list);
1216 /* Return previous (read:newer) client in list */
1218 struct winbindd_cli_state *
1219 winbindd_client_list_prev(struct winbindd_cli_state *cli)
1221 return DLIST_PREV(cli);
1224 /* Add a connection to the list */
1226 void winbindd_add_client(struct winbindd_cli_state *cli)
1228 cli->last_access = time(NULL);
1229 DLIST_ADD(_client_list, cli);
1233 /* Remove a client from the list */
1235 void winbindd_remove_client(struct winbindd_cli_state *cli)
1237 DLIST_REMOVE(_client_list, cli);
1241 /* Move a client to head or list */
1243 void winbindd_promote_client(struct winbindd_cli_state *cli)
1245 cli->last_access = time(NULL);
1246 DLIST_PROMOTE(_client_list, cli);
1249 /* Return number of open clients */
1251 int winbindd_num_clients(void)
1253 return _num_clients;
1256 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1257 TALLOC_CTX *mem_ctx,
1258 const struct dom_sid *user_sid,
1259 uint32_t *p_num_groups, struct dom_sid **user_sids)
1261 struct netr_SamInfo3 *info3 = NULL;
1262 NTSTATUS status = NT_STATUS_NO_MEMORY;
1263 uint32_t num_groups = 0;
1265 DEBUG(3,(": lookup_usergroups_cached\n"));
1270 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1272 if (info3 == NULL) {
1273 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1276 if (info3->base.groups.count == 0) {
1278 return NT_STATUS_UNSUCCESSFUL;
1282 * Before bug #7843 the "Domain Local" groups were added with a
1283 * lookupuseraliases call, but this isn't done anymore for our domain
1284 * so we need to resolve resource groups here.
1286 * When to use Resource Groups:
1287 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1289 status = sid_array_from_info3(mem_ctx, info3,
1294 if (!NT_STATUS_IS_OK(status)) {
1300 *p_num_groups = num_groups;
1301 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1303 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1308 /*********************************************************************
1309 We use this to remove spaces from user and group names
1310 ********************************************************************/
1312 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1313 struct winbindd_domain *domain,
1319 if (!name || !normalized) {
1320 return NT_STATUS_INVALID_PARAMETER;
1323 if (!lp_winbind_normalize_names()) {
1324 return NT_STATUS_PROCEDURE_NOT_FOUND;
1327 /* Alias support and whitespace replacement are mutually
1330 nt_status = resolve_username_to_alias(mem_ctx, domain,
1332 if (NT_STATUS_IS_OK(nt_status)) {
1333 /* special return code to let the caller know we
1334 mapped to an alias */
1335 return NT_STATUS_FILE_RENAMED;
1338 /* check for an unreachable domain */
1340 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1341 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1343 set_domain_offline(domain);
1347 /* deal with whitespace */
1349 *normalized = talloc_strdup(mem_ctx, name);
1350 if (!(*normalized)) {
1351 return NT_STATUS_NO_MEMORY;
1354 all_string_sub( *normalized, " ", "_", 0 );
1356 return NT_STATUS_OK;
1359 /*********************************************************************
1360 We use this to do the inverse of normalize_name_map()
1361 ********************************************************************/
1363 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1368 struct winbindd_domain *domain = find_our_domain();
1370 if (!name || !normalized) {
1371 return NT_STATUS_INVALID_PARAMETER;
1374 if (!lp_winbind_normalize_names()) {
1375 return NT_STATUS_PROCEDURE_NOT_FOUND;
1378 /* Alias support and whitespace replacement are mutally
1381 /* When mapping from an alias to a username, we don't know the
1382 domain. But we only need a domain structure to cache
1383 a successful lookup , so just our own domain structure for
1386 nt_status = resolve_alias_to_username(mem_ctx, domain,
1388 if (NT_STATUS_IS_OK(nt_status)) {
1389 /* Special return code to let the caller know we mapped
1391 return NT_STATUS_FILE_RENAMED;
1394 /* check for an unreachable domain */
1396 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1397 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1399 set_domain_offline(domain);
1403 /* deal with whitespace */
1405 *normalized = talloc_strdup(mem_ctx, name);
1406 if (!(*normalized)) {
1407 return NT_STATUS_NO_MEMORY;
1410 all_string_sub(*normalized, "_", " ", 0);
1412 return NT_STATUS_OK;
1415 /*********************************************************************
1416 ********************************************************************/
1418 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1420 struct winbindd_tdc_domain *tdc = NULL;
1421 TALLOC_CTX *frame = talloc_stackframe();
1424 /* We can contact the domain if it is our primary domain */
1426 if (domain->primary) {
1431 /* Trust the TDC cache and not the winbindd_domain flags */
1433 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1434 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1440 /* Can always contact a domain that is in out forest */
1442 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1448 * On a _member_ server, we cannot contact the domain if it
1449 * is running AD and we have no inbound trust.
1453 domain->active_directory &&
1454 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1456 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1457 "and we have no inbound trust.\n", domain->name));
1461 /* Assume everything else is ok (probably not true but what
1467 talloc_destroy(frame);
1472 /*********************************************************************
1473 ********************************************************************/
1475 bool winbindd_internal_child(struct winbindd_child *child)
1477 if ((child == idmap_child()) || (child == locator_child())) {
1484 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1486 /*********************************************************************
1487 ********************************************************************/
1489 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1492 char addr[INET6_ADDRSTRLEN];
1493 const char *kdc = NULL;
1496 if (!domain || !domain->alt_name || !*domain->alt_name) {
1500 if (domain->initialized && !domain->active_directory) {
1501 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1506 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1509 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1511 kdc = domain->dcname;
1514 if (!kdc || !*kdc) {
1515 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1520 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1521 domain->alt_name) == -1) {
1525 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1528 setenv(var, kdc, 1);
1532 /*********************************************************************
1533 ********************************************************************/
1535 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1537 struct winbindd_domain *our_dom = find_our_domain();
1539 winbindd_set_locator_kdc_env(domain);
1541 if (domain != our_dom) {
1542 winbindd_set_locator_kdc_env(our_dom);
1546 /*********************************************************************
1547 ********************************************************************/
1549 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1553 if (!domain || !domain->alt_name || !*domain->alt_name) {
1557 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1558 domain->alt_name) == -1) {
1567 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1572 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1577 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1579 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1581 resp->data.auth.nt_status = NT_STATUS_V(result);
1582 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1584 /* we might have given a more useful error above */
1585 if (*resp->data.auth.error_string == '\0')
1586 fstrcpy(resp->data.auth.error_string,
1587 get_friendly_nt_error_msg(result));
1588 resp->data.auth.pam_error = nt_status_to_pam(result);
1591 bool is_domain_offline(const struct winbindd_domain *domain)
1593 if (!lp_winbind_offline_logon()) {
1596 if (get_global_winbindd_state_offline()) {
1599 return !domain->online;
1602 bool is_domain_online(const struct winbindd_domain *domain)
1604 return !is_domain_offline(domain);
1608 * Parse an char array into a list of sids.
1610 * The input sidstr should consist of 0-terminated strings
1611 * representing sids, separated by newline characters '\n'.
1612 * The list is terminated by an empty string, i.e.
1613 * character '\0' directly following a character '\n'
1614 * (or '\0' right at the start of sidstr).
1616 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1617 struct dom_sid **sids, uint32_t *num_sids)
1625 while (p[0] != '\0') {
1627 const char *q = NULL;
1629 if (!dom_sid_parse_endp(p, &sid, &q)) {
1630 DEBUG(1, ("Could not parse sid %s\n", p));
1633 if ((q == NULL) || (q[0] != '\n')) {
1634 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1637 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
git.samba.org / samba.git / blob