2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
30 #include "source4/lib/messaging/messaging.h"
31 #include "librpc/gen_ndr/ndr_lsa.h"
32 #include "auth/credentials/credentials.h"
35 #define DBGC_CLASS DBGC_WINBIND
37 static struct winbindd_domain *
38 add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
39 struct winbindd_methods *methods);
41 extern struct winbindd_methods cache_methods;
44 * @file winbindd_util.c
46 * Winbind daemon for NT domain authentication nss module.
50 /* The list of trusted domains. Note that the list can be deleted and
51 recreated using the init_domain_list() function so pointers to
52 individual winbindd_domain structures cannot be made. Keep a copy of
53 the domain name instead. */
55 static struct winbindd_domain *_domain_list = NULL;
57 struct winbindd_domain *domain_list(void)
61 if ((!_domain_list) && (!init_domain_list())) {
62 smb_panic("Init_domain_list failed");
68 /* Free all entries in the trusted domain list */
70 static void free_domain_list(void)
72 struct winbindd_domain *domain = _domain_list;
75 struct winbindd_domain *next = domain->next;
77 DLIST_REMOVE(_domain_list, domain);
84 * Iterator for winbindd's domain list.
85 * To be used (e.g.) in tevent based loops.
87 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
90 domain = domain_list();
92 domain = domain->next;
95 if ((domain != NULL) &&
96 (lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC) &&
97 sid_check_is_our_sam(&domain->sid))
99 domain = domain->next;
105 static bool is_internal_domain(const struct dom_sid *sid)
110 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
113 static bool is_in_internal_domain(const struct dom_sid *sid)
118 return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
122 /* Add a trusted domain to our list of domains.
123 If the domain already exists in the list,
124 return it and don't re-initialize. */
126 static struct winbindd_domain *
127 add_trusted_domain(const char *domain_name, const char *alt_name,
128 struct winbindd_methods *methods, const struct dom_sid *sid)
130 struct winbindd_tdc_domain tdc;
134 tdc.domain_name = domain_name;
135 tdc.dns_name = alt_name;
137 sid_copy(&tdc.sid, sid);
140 return add_trusted_domain_from_tdc(&tdc, methods);
143 /* Add a trusted domain out of a trusted domain cache
146 static struct winbindd_domain *
147 add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
148 struct winbindd_methods *methods)
150 struct winbindd_domain *domain;
151 const char *alternative_name = NULL;
152 const char **ignored_domains, **dom;
153 int role = lp_server_role();
154 const char *domain_name = tdc->domain_name;
155 const struct dom_sid *sid = &tdc->sid;
157 if (is_null_sid(sid)) {
161 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
162 for (dom=ignored_domains; dom && *dom; dom++) {
163 if (gen_fnmatch(*dom, domain_name) == 0) {
164 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
169 /* use alt_name if available to allow DNS lookups */
171 if (tdc->dns_name && *tdc->dns_name) {
172 alternative_name = tdc->dns_name;
175 /* We can't call domain_list() as this function is called from
176 init_domain_list() and we'll get stuck in a loop. */
177 for (domain = _domain_list; domain; domain = domain->next) {
178 if (strequal(domain_name, domain->name) ||
179 strequal(domain_name, domain->alt_name))
184 if (alternative_name) {
185 if (strequal(alternative_name, domain->name) ||
186 strequal(alternative_name, domain->alt_name))
193 if (dom_sid_equal(sid, &domain->sid)) {
199 if (domain != NULL) {
201 * We found a match on domain->name or
202 * domain->alt_name. Possibly update the SID
203 * if the stored SID was the NULL SID
204 * and return the matching entry.
207 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
208 sid_copy( &domain->sid, sid );
213 /* Create new domain entry */
214 domain = talloc_zero(NULL, struct winbindd_domain);
215 if (domain == NULL) {
219 domain->children = talloc_zero_array(domain,
220 struct winbindd_child,
221 lp_winbind_max_domain_connections());
222 if (domain->children == NULL) {
227 domain->name = talloc_strdup(domain, domain_name);
228 if (domain->name == NULL) {
233 if (alternative_name) {
234 domain->alt_name = talloc_strdup(domain, alternative_name);
235 if (domain->alt_name == NULL) {
241 domain->methods = methods;
242 domain->backend = NULL;
243 domain->internal = is_internal_domain(sid);
244 domain->sequence_number = DOM_SEQUENCE_NONE;
245 domain->last_seq_check = 0;
246 domain->initialized = false;
247 domain->online = is_internal_domain(sid);
248 domain->check_online_timeout = 0;
249 domain->dc_probe_pid = (pid_t)-1;
251 sid_copy(&domain->sid, sid);
253 domain->domain_flags = tdc->trust_flags;
254 domain->domain_type = tdc->trust_type;
255 domain->domain_trust_attribs = tdc->trust_attribs;
257 /* Is this our primary domain ? */
258 if (strequal(domain_name, get_global_sam_name()) &&
259 (role != ROLE_DOMAIN_MEMBER)) {
260 domain->primary = true;
261 } else if (strequal(domain_name, lp_workgroup()) &&
262 (role == ROLE_DOMAIN_MEMBER)) {
263 domain->primary = true;
266 if (domain->primary) {
267 if (role == ROLE_ACTIVE_DIRECTORY_DC) {
268 domain->active_directory = true;
270 if (lp_security() == SEC_ADS) {
271 domain->active_directory = true;
273 } else if (!domain->internal) {
274 if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) {
275 domain->active_directory = true;
279 /* Link to domain list */
280 DLIST_ADD_END(_domain_list, domain);
282 wcache_tdc_add_domain( domain );
284 setup_domain_child(domain);
287 ("Added domain %s %s %s\n", domain->name, domain->alt_name,
288 !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : ""));
293 bool domain_is_forest_root(const struct winbindd_domain *domain)
295 const uint32_t fr_flags =
296 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
298 return ((domain->domain_flags & fr_flags) == fr_flags);
301 /********************************************************************
302 rescan our domains looking for new trusted domains
303 ********************************************************************/
305 struct trustdom_state {
306 struct winbindd_domain *domain;
307 struct winbindd_request request;
310 static void trustdom_list_done(struct tevent_req *req);
311 static void rescan_forest_root_trusts( void );
312 static void rescan_forest_trusts( void );
314 static void add_trusted_domains( struct winbindd_domain *domain )
316 struct trustdom_state *state;
317 struct tevent_req *req;
319 state = talloc_zero(NULL, struct trustdom_state);
321 DEBUG(0, ("talloc failed\n"));
324 state->domain = domain;
326 state->request.length = sizeof(state->request);
327 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
329 req = wb_domain_request_send(state, winbind_event_context(),
330 domain, &state->request);
332 DEBUG(1, ("wb_domain_request_send failed\n"));
336 tevent_req_set_callback(req, trustdom_list_done, state);
339 static void trustdom_list_done(struct tevent_req *req)
341 struct trustdom_state *state = tevent_req_callback_data(
342 req, struct trustdom_state);
343 struct winbindd_response *response;
347 res = wb_domain_request_recv(req, state, &response, &err);
348 if ((res == -1) || (response->result != WINBINDD_OK)) {
349 DEBUG(1, ("Could not receive trustdoms\n"));
354 p = (char *)response->extra_data.data;
356 while ((p != NULL) && (*p != '\0')) {
357 char *q, *sidstr, *alt_name;
359 char *alternate_name = NULL;
361 alt_name = strchr(p, '\\');
362 if (alt_name == NULL) {
363 DEBUG(0, ("Got invalid trustdom response\n"));
370 sidstr = strchr(alt_name, '\\');
371 if (sidstr == NULL) {
372 DEBUG(0, ("Got invalid trustdom response\n"));
379 q = strchr(sidstr, '\n');
383 if (!string_to_sid(&sid, sidstr)) {
384 DEBUG(0, ("Got invalid trustdom response\n"));
388 /* use the real alt_name if we have one, else pass in NULL */
390 if ( !strequal( alt_name, "(null)" ) )
391 alternate_name = alt_name;
394 * We always call add_trusted_domain() cause on an existing
395 * domain structure, it will update the SID if necessary.
396 * This is important because we need the SID for sibling
399 (void)add_trusted_domain(p, alternate_name,
409 Cases to consider when scanning trusts:
410 (a) we are calling from a child domain (primary && !forest_root)
411 (b) we are calling from the root of the forest (primary && forest_root)
412 (c) we are calling from a trusted forest domain (!primary
416 if (state->domain->primary) {
417 /* If this is our primary domain and we are not in the
418 forest root, we have to scan the root trusts first */
420 if (!domain_is_forest_root(state->domain))
421 rescan_forest_root_trusts();
423 rescan_forest_trusts();
425 } else if (domain_is_forest_root(state->domain)) {
426 /* Once we have done root forest trust search, we can
427 go on to search the trusted forests */
429 rescan_forest_trusts();
437 /********************************************************************
438 Scan the trusts of our forest root
439 ********************************************************************/
441 static void rescan_forest_root_trusts( void )
443 struct winbindd_tdc_domain *dom_list = NULL;
444 size_t num_trusts = 0;
447 /* The only transitive trusts supported by Windows 2003 AD are
448 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
449 first two are handled in forest and listed by
450 DsEnumerateDomainTrusts(). Forest trusts are not so we
451 have to do that ourselves. */
453 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
456 for ( i=0; i<num_trusts; i++ ) {
457 struct winbindd_domain *d = NULL;
459 /* Find the forest root. Don't necessarily trust
460 the domain_list() as our primary domain may not
461 have been initialized. */
463 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
467 /* Here's the forest root */
469 d = find_domain_from_name_noinit( dom_list[i].domain_name );
472 d = add_trusted_domain_from_tdc(&dom_list[i],
480 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
481 "for domain tree root %s (%s)\n",
482 d->name, d->alt_name ));
484 d->domain_flags = dom_list[i].trust_flags;
485 d->domain_type = dom_list[i].trust_type;
486 d->domain_trust_attribs = dom_list[i].trust_attribs;
488 add_trusted_domains( d );
493 TALLOC_FREE( dom_list );
498 /********************************************************************
499 scan the transitive forest trusts (not our own)
500 ********************************************************************/
503 static void rescan_forest_trusts( void )
505 struct winbindd_domain *d = NULL;
506 struct winbindd_tdc_domain *dom_list = NULL;
507 size_t num_trusts = 0;
510 /* The only transitive trusts supported by Windows 2003 AD are
511 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
512 first two are handled in forest and listed by
513 DsEnumerateDomainTrusts(). Forest trusts are not so we
514 have to do that ourselves. */
516 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
519 for ( i=0; i<num_trusts; i++ ) {
520 uint32_t flags = dom_list[i].trust_flags;
521 uint32_t type = dom_list[i].trust_type;
522 uint32_t attribs = dom_list[i].trust_attribs;
524 d = find_domain_from_name_noinit( dom_list[i].domain_name );
526 /* ignore our primary and internal domains */
528 if ( d && (d->internal || d->primary ) )
531 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
532 (type == LSA_TRUST_TYPE_UPLEVEL) &&
533 (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
535 /* add the trusted domain if we don't know
539 d = add_trusted_domain_from_tdc(&dom_list[i],
547 DEBUG(10,("Following trust path for domain %s (%s)\n",
548 d->name, d->alt_name ));
549 add_trusted_domains( d );
553 TALLOC_FREE( dom_list );
558 /*********************************************************************
559 The process of updating the trusted domain list is a three step
562 (b) ask the root domain in our forest
563 (c) ask the a DC in any Win2003 trusted forests
564 *********************************************************************/
566 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
567 struct timeval now, void *private_data)
571 /* I use to clear the cache here and start over but that
572 caused problems in child processes that needed the
573 trust dom list early on. Removing it means we
574 could have some trusted domains listed that have been
575 removed from our primary domain's DC until a full
576 restart. This should be ok since I think this is what
577 Windows does as well. */
579 /* this will only add new domains we didn't already know about
580 in the domain_list()*/
582 add_trusted_domains( find_our_domain() );
584 te = tevent_add_timer(
585 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
586 rescan_trusted_domains, NULL);
588 * If te == NULL, there's not much we can do here. Don't fail, the
589 * only thing we miss is new trusted domains.
595 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
596 struct winbindd_cli_state *state)
598 /* Ensure null termination */
599 state->request->domain_name
600 [sizeof(state->request->domain_name)-1]='\0';
601 state->request->data.init_conn.dcname
602 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
604 if (strlen(state->request->data.init_conn.dcname) > 0) {
605 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
608 init_dc_connection(domain, false);
610 if (!domain->initialized) {
611 /* If we return error here we can't do any cached authentication,
612 but we may be in disconnected mode and can't initialize correctly.
613 Do what the previous code did and just return without initialization,
614 once we go online we'll re-initialize.
616 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
617 "online = %d\n", domain->name, (int)domain->online ));
620 fstrcpy(state->response->data.domain_info.name, domain->name);
621 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
622 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
624 state->response->data.domain_info.native_mode
625 = domain->native_mode;
626 state->response->data.domain_info.active_directory
627 = domain->active_directory;
628 state->response->data.domain_info.primary
634 static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
637 struct server_id server_id,
640 TALLOC_CTX *frame = talloc_stackframe();
641 struct lsa_TrustDomainInfoInfoEx info;
642 enum ndr_err_code ndr_err;
643 struct winbindd_domain *d = NULL;
645 DEBUG(5, ("wb_imsg_new_trusted_domain\n"));
652 ndr_err = ndr_pull_struct_blob_all(data, frame, &info,
653 (ndr_pull_flags_fn_t)ndr_pull_lsa_TrustDomainInfoInfoEx);
654 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
659 d = find_domain_from_name_noinit(info.netbios_name.string);
665 d = add_trusted_domain(info.netbios_name.string,
666 info.domain_name.string,
684 if (info.trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
685 d->domain_flags |= NETR_TRUST_FLAG_INBOUND;
687 if (info.trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
688 d->domain_flags |= NETR_TRUST_FLAG_OUTBOUND;
690 if (info.trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
691 d->domain_flags |= NETR_TRUST_FLAG_IN_FOREST;
693 d->domain_type = info.trust_type;
694 d->domain_trust_attribs = info.trust_attributes;
700 * We did not get the secret when we queried secrets.tdb, so read it
701 * from secrets.tdb and re-sync the databases
703 static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
706 struct cli_credentials *creds;
707 NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
708 NULL, domain, &creds);
709 if (!NT_STATUS_IS_OK(can_migrate)) {
710 DEBUG(0, ("Failed to fetch our own, local AD domain join "
711 "password for winbindd's internal use, both from "
712 "secrets.tdb and secrets.ldb: %s\n",
713 nt_errstr(can_migrate)));
718 * NOTE: It is very unlikely we end up here if there is an
719 * oldpass, because a new password is created at
720 * classicupgrade, so this is not a concern.
722 ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
724 cli_credentials_get_domain(creds),
725 cli_credentials_get_realm(creds),
726 cli_credentials_get_salt_principal(creds),
727 0, /* Supported enc types, unused */
729 cli_credentials_get_password_last_changed_time(creds),
730 cli_credentials_get_secure_channel_type(creds),
731 false /* do_delete: Do not delete */);
734 DEBUG(0, ("Failed to write our our own, "
735 "local AD domain join password for "
736 "winbindd's internal use into secrets.tdb\n"));
742 /* Look up global info for the winbind daemon */
743 bool init_domain_list(void)
745 int role = lp_server_role();
748 /* Free existing list */
753 (void)add_trusted_domain("BUILTIN", NULL, &cache_methods,
754 &global_sid_Builtin);
758 if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
759 struct winbindd_domain *domain;
760 enum netr_SchannelType sec_chan_type;
761 const char *account_name;
762 struct samr_Password current_nt_hash;
763 struct pdb_domain_info *pdb_domain_info;
766 pdb_domain_info = pdb_get_domain_info(talloc_tos());
767 if (pdb_domain_info == NULL) {
768 DEBUG(0, ("Failed to fetch our own, local AD "
769 "domain info from sam.ldb\n"));
772 domain = add_trusted_domain(pdb_domain_info->name,
773 pdb_domain_info->dns_domain,
775 &pdb_domain_info->sid);
776 TALLOC_FREE(pdb_domain_info);
777 if (domain == NULL) {
778 DEBUG(0, ("Failed to add our own, local AD "
779 "domain to winbindd's internal list\n"));
784 * We need to call this to find out if we are an RODC
786 ok = get_trust_pw_hash(domain->name,
787 current_nt_hash.hash,
792 * If get_trust_pw_hash() fails, then try and
793 * fetch the password from the more recent of
794 * secrets.{ldb,tdb} using the
795 * pdb_get_trust_credentials()
797 ok = migrate_secrets_tdb_to_ldb(domain);
800 DEBUG(0, ("Failed to migrate our own, "
801 "local AD domain join password for "
802 "winbindd's internal use into "
806 ok = get_trust_pw_hash(domain->name,
807 current_nt_hash.hash,
811 DEBUG(0, ("Failed to find our our own, just "
812 "written local AD domain join "
813 "password for winbindd's internal "
814 "use in secrets.tdb\n"));
818 if (sec_chan_type == SEC_CHAN_RODC) {
823 (void)add_trusted_domain(get_global_sam_name(), NULL,
824 &cache_methods, get_global_sam_sid());
826 /* Add ourselves as the first entry. */
828 if ( role == ROLE_DOMAIN_MEMBER ) {
829 struct winbindd_domain *domain;
830 struct dom_sid our_sid;
832 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
833 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
837 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
838 &cache_methods, &our_sid);
840 /* Even in the parent winbindd we'll need to
841 talk to the DC, so try and see if we can
842 contact it. Theoretically this isn't neccessary
843 as the init_dc_connection() in init_child_recv()
844 will do this, but we can start detecting the DC
846 set_domain_online_request(domain);
850 status = imessaging_register(winbind_imessaging_context(), NULL,
851 MSG_WINBIND_NEW_TRUSTED_DOMAIN,
852 wb_imsg_new_trusted_domain);
853 if (!NT_STATUS_IS_OK(status)) {
854 DEBUG(0, ("imessaging_register(MSG_WINBIND_NEW_TRUSTED_DOMAIN) - %s\n",
863 * Given a domain name, return the struct winbindd domain info for it
865 * @note Do *not* pass lp_workgroup() to this function. domain_list
866 * may modify it's value, and free that pointer. Instead, our local
867 * domain may be found by calling find_our_domain().
871 * @return The domain structure for the named domain, if it is working.
874 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
876 struct winbindd_domain *domain;
878 /* Search through list */
880 for (domain = domain_list(); domain != NULL; domain = domain->next) {
881 if (strequal(domain_name, domain->name) ||
882 (domain->alt_name != NULL &&
883 strequal(domain_name, domain->alt_name))) {
893 struct winbindd_domain *find_domain_from_name(const char *domain_name)
895 struct winbindd_domain *domain;
897 domain = find_domain_from_name_noinit(domain_name);
902 if (!domain->initialized)
903 init_dc_connection(domain, false);
908 /* Given a domain sid, return the struct winbindd domain info for it */
910 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
912 struct winbindd_domain *domain;
914 /* Search through list */
916 for (domain = domain_list(); domain != NULL; domain = domain->next) {
917 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
926 /* Given a domain sid, return the struct winbindd domain info for it */
928 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
930 struct winbindd_domain *domain;
932 domain = find_domain_from_sid_noinit(sid);
937 if (!domain->initialized)
938 init_dc_connection(domain, false);
943 struct winbindd_domain *find_our_domain(void)
945 struct winbindd_domain *domain;
947 /* Search through list */
949 for (domain = domain_list(); domain != NULL; domain = domain->next) {
954 smb_panic("Could not find our domain");
958 struct winbindd_domain *find_root_domain(void)
960 struct winbindd_domain *ours = find_our_domain();
962 if (ours->forest_name == NULL) {
966 return find_domain_from_name( ours->forest_name );
969 struct winbindd_domain *find_builtin_domain(void)
971 struct winbindd_domain *domain;
973 domain = find_domain_from_sid(&global_sid_Builtin);
974 if (domain == NULL) {
975 smb_panic("Could not find BUILTIN domain");
981 /* Find the appropriate domain to lookup a name or SID */
983 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
985 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
987 if ( sid_check_is_in_unix_groups(sid) ||
988 sid_check_is_unix_groups(sid) ||
989 sid_check_is_in_unix_users(sid) ||
990 sid_check_is_unix_users(sid) )
992 return find_domain_from_sid(get_global_sam_sid());
995 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
996 * one to contact the external DC's. On member servers the internal
997 * domains are different: These are part of the local SAM. */
999 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
1001 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
1002 DEBUG(10, ("calling find_domain_from_sid\n"));
1003 return find_domain_from_sid(sid);
1006 /* On a member server a query for SID or name can always go to our
1009 DEBUG(10, ("calling find_our_domain\n"));
1010 return find_our_domain();
1013 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
1015 if ( strequal(domain_name, unix_users_domain_name() ) ||
1016 strequal(domain_name, unix_groups_domain_name() ) )
1019 * The "Unix User" and "Unix Group" domain our handled by
1022 return find_domain_from_name_noinit( get_global_sam_name() );
1025 if (IS_DC || strequal(domain_name, "BUILTIN") ||
1026 strequal(domain_name, get_global_sam_name()))
1027 return find_domain_from_name_noinit(domain_name);
1030 return find_our_domain();
1033 /* Is this a domain which we may assume no DOMAIN\ prefix? */
1035 static bool assume_domain(const char *domain)
1037 /* never assume the domain on a standalone server */
1039 if ( lp_server_role() == ROLE_STANDALONE )
1042 /* domain member servers may possibly assume for the domain name */
1044 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1045 if ( !strequal(lp_workgroup(), domain) )
1048 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
1052 /* only left with a domain controller */
1054 if ( strequal(get_global_sam_name(), domain) ) {
1061 /* Parse a string of the form DOMAIN\user into a domain and a user */
1063 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1065 char *p = strchr(domuser,*lp_winbind_separator());
1068 fstrcpy(user, domuser);
1070 if ( assume_domain(lp_workgroup())) {
1071 fstrcpy(domain, lp_workgroup());
1072 } else if ((p = strchr(domuser, '@')) != NULL) {
1073 fstrcpy(domain, p + 1);
1074 user[PTR_DIFF(p, domuser)] = 0;
1080 fstrcpy(domain, domuser);
1081 domain[PTR_DIFF(p, domuser)] = 0;
1084 return strupper_m(domain);
1087 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1088 char **domain, char **user)
1090 fstring fstr_domain, fstr_user;
1091 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1094 *domain = talloc_strdup(mem_ctx, fstr_domain);
1095 *user = talloc_strdup(mem_ctx, fstr_user);
1096 return ((*domain != NULL) && (*user != NULL));
1099 /* Ensure an incoming username from NSS is fully qualified. Replace the
1100 incoming fstring with DOMAIN <separator> user. Returns the same
1101 values as parse_domain_user() but also replaces the incoming username.
1102 Used to ensure all names are fully qualified within winbindd.
1103 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1104 The protocol definitions of auth_crap, chng_pswd_auth_crap
1105 really should be changed to use this instead of doing things
1108 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1110 if (!parse_domain_user(username_inout, domain, user)) {
1113 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1114 domain, *lp_winbind_separator(),
1120 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1121 'winbind separator' options.
1123 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1126 If we are a PDC or BDC, and this is for our domain, do likewise.
1128 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1129 username is then unqualified in unix
1131 On an AD DC we always fill DOMAIN\\USERNAME.
1133 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1135 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1139 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1143 fstrcpy(tmp_user, user);
1144 (void)strlower_m(tmp_user);
1146 if (can_assume && assume_domain(domain)) {
1147 strlcpy(name, tmp_user, sizeof(fstring));
1149 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1150 domain, *lp_winbind_separator(),
1156 * talloc version of fill_domain_username()
1157 * return NULL on talloc failure.
1159 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1164 char *tmp_user, *name;
1166 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1170 tmp_user = talloc_strdup(mem_ctx, user);
1171 if (!strlower_m(tmp_user)) {
1172 TALLOC_FREE(tmp_user);
1176 if (can_assume && assume_domain(domain)) {
1179 name = talloc_asprintf(mem_ctx, "%s%c%s",
1181 *lp_winbind_separator(),
1183 TALLOC_FREE(tmp_user);
1190 * Client list accessor functions
1193 static struct winbindd_cli_state *_client_list;
1194 static int _num_clients;
1196 /* Return list of all connected clients */
1198 struct winbindd_cli_state *winbindd_client_list(void)
1200 return _client_list;
1203 /* Return list-tail of all connected clients */
1205 struct winbindd_cli_state *winbindd_client_list_tail(void)
1207 return DLIST_TAIL(_client_list);
1210 /* Return previous (read:newer) client in list */
1212 struct winbindd_cli_state *
1213 winbindd_client_list_prev(struct winbindd_cli_state *cli)
1215 return DLIST_PREV(cli);
1218 /* Add a connection to the list */
1220 void winbindd_add_client(struct winbindd_cli_state *cli)
1222 cli->last_access = time(NULL);
1223 DLIST_ADD(_client_list, cli);
1227 /* Remove a client from the list */
1229 void winbindd_remove_client(struct winbindd_cli_state *cli)
1231 DLIST_REMOVE(_client_list, cli);
1235 /* Move a client to head or list */
1237 void winbindd_promote_client(struct winbindd_cli_state *cli)
1239 cli->last_access = time(NULL);
1240 DLIST_PROMOTE(_client_list, cli);
1243 /* Return number of open clients */
1245 int winbindd_num_clients(void)
1247 return _num_clients;
1250 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1251 TALLOC_CTX *mem_ctx,
1252 const struct dom_sid *user_sid,
1253 uint32_t *p_num_groups, struct dom_sid **user_sids)
1255 struct netr_SamInfo3 *info3 = NULL;
1256 NTSTATUS status = NT_STATUS_NO_MEMORY;
1257 uint32_t num_groups = 0;
1259 DEBUG(3,(": lookup_usergroups_cached\n"));
1264 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1266 if (info3 == NULL) {
1267 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1270 if (info3->base.groups.count == 0) {
1272 return NT_STATUS_UNSUCCESSFUL;
1276 * Before bug #7843 the "Domain Local" groups were added with a
1277 * lookupuseraliases call, but this isn't done anymore for our domain
1278 * so we need to resolve resource groups here.
1280 * When to use Resource Groups:
1281 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1283 status = sid_array_from_info3(mem_ctx, info3,
1288 if (!NT_STATUS_IS_OK(status)) {
1294 *p_num_groups = num_groups;
1295 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1297 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1302 /*********************************************************************
1303 We use this to remove spaces from user and group names
1304 ********************************************************************/
1306 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1307 struct winbindd_domain *domain,
1313 if (!name || !normalized) {
1314 return NT_STATUS_INVALID_PARAMETER;
1317 if (!lp_winbind_normalize_names()) {
1318 return NT_STATUS_PROCEDURE_NOT_FOUND;
1321 /* Alias support and whitespace replacement are mutually
1324 nt_status = resolve_username_to_alias(mem_ctx, domain,
1326 if (NT_STATUS_IS_OK(nt_status)) {
1327 /* special return code to let the caller know we
1328 mapped to an alias */
1329 return NT_STATUS_FILE_RENAMED;
1332 /* check for an unreachable domain */
1334 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1335 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1337 set_domain_offline(domain);
1341 /* deal with whitespace */
1343 *normalized = talloc_strdup(mem_ctx, name);
1344 if (!(*normalized)) {
1345 return NT_STATUS_NO_MEMORY;
1348 all_string_sub( *normalized, " ", "_", 0 );
1350 return NT_STATUS_OK;
1353 /*********************************************************************
1354 We use this to do the inverse of normalize_name_map()
1355 ********************************************************************/
1357 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1362 struct winbindd_domain *domain = find_our_domain();
1364 if (!name || !normalized) {
1365 return NT_STATUS_INVALID_PARAMETER;
1368 if (!lp_winbind_normalize_names()) {
1369 return NT_STATUS_PROCEDURE_NOT_FOUND;
1372 /* Alias support and whitespace replacement are mutally
1375 /* When mapping from an alias to a username, we don't know the
1376 domain. But we only need a domain structure to cache
1377 a successful lookup , so just our own domain structure for
1380 nt_status = resolve_alias_to_username(mem_ctx, domain,
1382 if (NT_STATUS_IS_OK(nt_status)) {
1383 /* Special return code to let the caller know we mapped
1385 return NT_STATUS_FILE_RENAMED;
1388 /* check for an unreachable domain */
1390 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1391 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1393 set_domain_offline(domain);
1397 /* deal with whitespace */
1399 *normalized = talloc_strdup(mem_ctx, name);
1400 if (!(*normalized)) {
1401 return NT_STATUS_NO_MEMORY;
1404 all_string_sub(*normalized, "_", " ", 0);
1406 return NT_STATUS_OK;
1409 /*********************************************************************
1410 ********************************************************************/
1412 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1414 struct winbindd_tdc_domain *tdc = NULL;
1415 TALLOC_CTX *frame = talloc_stackframe();
1418 /* We can contact the domain if it is our primary domain */
1420 if (domain->primary) {
1425 /* Trust the TDC cache and not the winbindd_domain flags */
1427 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1428 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1434 /* Can always contact a domain that is in out forest */
1436 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1442 * On a _member_ server, we cannot contact the domain if it
1443 * is running AD and we have no inbound trust.
1447 domain->active_directory &&
1448 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1450 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1451 "and we have no inbound trust.\n", domain->name));
1455 /* Assume everything else is ok (probably not true but what
1461 talloc_destroy(frame);
1466 /*********************************************************************
1467 ********************************************************************/
1469 bool winbindd_internal_child(struct winbindd_child *child)
1471 if ((child == idmap_child()) || (child == locator_child())) {
1478 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1480 /*********************************************************************
1481 ********************************************************************/
1483 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1486 char addr[INET6_ADDRSTRLEN];
1487 const char *kdc = NULL;
1490 if (!domain || !domain->alt_name || !*domain->alt_name) {
1494 if (domain->initialized && !domain->active_directory) {
1495 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1500 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1503 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1505 kdc = domain->dcname;
1508 if (!kdc || !*kdc) {
1509 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1514 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1515 domain->alt_name) == -1) {
1519 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1522 setenv(var, kdc, 1);
1526 /*********************************************************************
1527 ********************************************************************/
1529 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1531 struct winbindd_domain *our_dom = find_our_domain();
1533 winbindd_set_locator_kdc_env(domain);
1535 if (domain != our_dom) {
1536 winbindd_set_locator_kdc_env(our_dom);
1540 /*********************************************************************
1541 ********************************************************************/
1543 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1547 if (!domain || !domain->alt_name || !*domain->alt_name) {
1551 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1552 domain->alt_name) == -1) {
1561 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1566 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1571 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1573 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1575 resp->data.auth.nt_status = NT_STATUS_V(result);
1576 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1578 /* we might have given a more useful error above */
1579 if (*resp->data.auth.error_string == '\0')
1580 fstrcpy(resp->data.auth.error_string,
1581 get_friendly_nt_error_msg(result));
1582 resp->data.auth.pam_error = nt_status_to_pam(result);
1585 bool is_domain_offline(const struct winbindd_domain *domain)
1587 if (!lp_winbind_offline_logon()) {
1590 if (get_global_winbindd_state_offline()) {
1593 return !domain->online;
1596 bool is_domain_online(const struct winbindd_domain *domain)
1598 return !is_domain_offline(domain);
1602 * Parse an char array into a list of sids.
1604 * The input sidstr should consist of 0-terminated strings
1605 * representing sids, separated by newline characters '\n'.
1606 * The list is terminated by an empty string, i.e.
1607 * character '\0' directly following a character '\n'
1608 * (or '\0' right at the start of sidstr).
1610 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1611 struct dom_sid **sids, uint32_t *num_sids)
1619 while (p[0] != '\0') {
1621 const char *q = NULL;
1623 if (!dom_sid_parse_endp(p, &sid, &q)) {
1624 DEBUG(1, ("Could not parse sid %s\n", p));
1627 if ((q == NULL) || (q[0] != '\n')) {
1628 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1631 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
1641 bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr,
1642 struct unixid **pxids, uint32_t *pnum_xids)
1645 struct unixid *xids = NULL;
1646 uint32_t num_xids = 0;
1653 while (p[0] != '\0') {
1656 unsigned long long id;
1661 xid = (struct unixid) { .type = ID_TYPE_UID };
1664 xid = (struct unixid) { .type = ID_TYPE_GID };
1672 id = strtoull(p, &endp, 10);
1673 if ((id == ULLONG_MAX) && (errno == ERANGE)) {
1676 if (*endp != '\n') {
1682 if ((unsigned long long)xid.id != id) {
1686 tmp = talloc_realloc(mem_ctx, xids, struct unixid, num_xids+1);
1692 xids[num_xids] = xid;
1697 *pnum_xids = num_xids;