2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/security/security.h"
27 #include "../libcli/auth/pam_errors.h"
28 #include "passdb/machine_sid.h"
31 #define DBGC_CLASS DBGC_WINBIND
33 extern struct winbindd_methods cache_methods;
36 * @file winbindd_util.cq
38 * Winbind daemon for NT domain authentication nss module.
42 /* The list of trusted domains. Note that the list can be deleted and
43 recreated using the init_domain_list() function so pointers to
44 individual winbindd_domain structures cannot be made. Keep a copy of
45 the domain name instead. */
47 static struct winbindd_domain *_domain_list = NULL;
49 struct winbindd_domain *domain_list(void)
53 if ((!_domain_list) && (!init_domain_list())) {
54 smb_panic("Init_domain_list failed");
60 /* Free all entries in the trusted domain list */
62 static void free_domain_list(void)
64 struct winbindd_domain *domain = _domain_list;
67 struct winbindd_domain *next = domain->next;
69 DLIST_REMOVE(_domain_list, domain);
75 static bool is_internal_domain(const struct dom_sid *sid)
80 return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
83 static bool is_in_internal_domain(const struct dom_sid *sid)
88 return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
92 /* Add a trusted domain to our list of domains */
93 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
94 struct winbindd_methods *methods,
95 const struct dom_sid *sid)
97 struct winbindd_domain *domain;
98 const char *alternative_name = NULL;
99 char *idmap_config_option;
101 const char **ignored_domains, **dom;
103 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
104 for (dom=ignored_domains; dom && *dom; dom++) {
105 if (gen_fnmatch(*dom, domain_name) == 0) {
106 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
111 /* use alt_name if available to allow DNS lookups */
113 if (alt_name && *alt_name) {
114 alternative_name = alt_name;
117 /* We can't call domain_list() as this function is called from
118 init_domain_list() and we'll get stuck in a loop. */
119 for (domain = _domain_list; domain; domain = domain->next) {
120 if (strequal(domain_name, domain->name) ||
121 strequal(domain_name, domain->alt_name))
126 if (alternative_name && *alternative_name)
128 if (strequal(alternative_name, domain->name) ||
129 strequal(alternative_name, domain->alt_name))
137 if (is_null_sid(sid)) {
141 if (dom_sid_equal(sid, &domain->sid)) {
147 if (domain != NULL) {
149 * We found a match. Possibly update the SID
152 && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
153 sid_copy( &domain->sid, sid );
158 /* Create new domain entry */
160 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
165 ZERO_STRUCTP(domain);
167 domain->children = SMB_MALLOC_ARRAY(
168 struct winbindd_child, lp_winbind_max_domain_connections());
169 if (domain->children == NULL) {
173 memset(domain->children, 0,
174 sizeof(struct winbindd_child)
175 * lp_winbind_max_domain_connections());
177 fstrcpy(domain->name, domain_name);
178 if (alternative_name) {
179 fstrcpy(domain->alt_name, alternative_name);
182 domain->methods = methods;
183 domain->backend = NULL;
184 domain->internal = is_internal_domain(sid);
185 domain->sequence_number = DOM_SEQUENCE_NONE;
186 domain->last_seq_check = 0;
187 domain->initialized = False;
188 domain->online = is_internal_domain(sid);
189 domain->check_online_timeout = 0;
190 domain->dc_probe_pid = (pid_t)-1;
192 sid_copy(&domain->sid, sid);
195 /* Link to domain list */
196 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
198 wcache_tdc_add_domain( domain );
200 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
202 if (idmap_config_option == NULL) {
203 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
207 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
209 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
210 param ? param : "not defined"));
213 unsigned low_id, high_id;
214 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
215 DEBUG(1, ("invalid range syntax in %s: %s\n",
216 idmap_config_option, param));
219 if (low_id > high_id) {
220 DEBUG(1, ("invalid range in %s: %s\n",
221 idmap_config_option, param));
224 domain->have_idmap_config = true;
225 domain->id_range_low = low_id;
226 domain->id_range_high = high_id;
231 DEBUG(2,("Added domain %s %s %s\n",
232 domain->name, domain->alt_name,
233 &domain->sid?sid_string_dbg(&domain->sid):""));
238 bool domain_is_forest_root(const struct winbindd_domain *domain)
240 const uint32_t fr_flags =
241 (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
243 return ((domain->domain_flags & fr_flags) == fr_flags);
246 /********************************************************************
247 rescan our domains looking for new trusted domains
248 ********************************************************************/
250 struct trustdom_state {
251 struct winbindd_domain *domain;
252 struct winbindd_request request;
255 static void trustdom_list_done(struct tevent_req *req);
256 static void rescan_forest_root_trusts( void );
257 static void rescan_forest_trusts( void );
259 static void add_trusted_domains( struct winbindd_domain *domain )
261 struct trustdom_state *state;
262 struct tevent_req *req;
264 state = talloc_zero(NULL, struct trustdom_state);
266 DEBUG(0, ("talloc failed\n"));
269 state->domain = domain;
271 state->request.length = sizeof(state->request);
272 state->request.cmd = WINBINDD_LIST_TRUSTDOM;
274 req = wb_domain_request_send(state, winbind_event_context(),
275 domain, &state->request);
277 DEBUG(1, ("wb_domain_request_send failed\n"));
281 tevent_req_set_callback(req, trustdom_list_done, state);
284 static void trustdom_list_done(struct tevent_req *req)
286 struct trustdom_state *state = tevent_req_callback_data(
287 req, struct trustdom_state);
288 struct winbindd_response *response;
292 res = wb_domain_request_recv(req, state, &response, &err);
293 if ((res == -1) || (response->result != WINBINDD_OK)) {
294 DEBUG(1, ("Could not receive trustdoms\n"));
299 p = (char *)response->extra_data.data;
301 while ((p != NULL) && (*p != '\0')) {
302 char *q, *sidstr, *alt_name;
304 struct winbindd_domain *domain;
305 char *alternate_name = NULL;
308 alt_name = strchr(p, '\\');
309 if (alt_name == NULL) {
310 DEBUG(0, ("Got invalid trustdom response\n"));
317 sidstr = strchr(alt_name, '\\');
318 if (sidstr == NULL) {
319 DEBUG(0, ("Got invalid trustdom response\n"));
326 q = strchr(sidstr, '\n');
330 if (!string_to_sid(&sid, sidstr)) {
331 DEBUG(0, ("Got invalid trustdom response\n"));
335 /* use the real alt_name if we have one, else pass in NULL */
337 if ( !strequal( alt_name, "(null)" ) )
338 alternate_name = alt_name;
340 /* Check if we already have a child for the domain */
341 domain_exists = (find_domain_from_name_noinit(p) != NULL);
344 * We always call add_trusted_domain() cause on an existing
345 * domain structure, it will update the SID if necessary.
346 * This is important because we need the SID for sibling
349 domain = add_trusted_domain(p, alternate_name,
354 * If the domain doesn't exist yet and got correctly added,
355 * setup a new domain child.
357 if (!domain_exists && domain != NULL) {
358 setup_domain_child(domain);
366 Cases to consider when scanning trusts:
367 (a) we are calling from a child domain (primary && !forest_root)
368 (b) we are calling from the root of the forest (primary && forest_root)
369 (c) we are calling from a trusted forest domain (!primary
373 if (state->domain->primary) {
374 /* If this is our primary domain and we are not in the
375 forest root, we have to scan the root trusts first */
377 if (!domain_is_forest_root(state->domain))
378 rescan_forest_root_trusts();
380 rescan_forest_trusts();
382 } else if (domain_is_forest_root(state->domain)) {
383 /* Once we have done root forest trust search, we can
384 go on to search the trusted forests */
386 rescan_forest_trusts();
394 /********************************************************************
395 Scan the trusts of our forest root
396 ********************************************************************/
398 static void rescan_forest_root_trusts( void )
400 struct winbindd_tdc_domain *dom_list = NULL;
401 size_t num_trusts = 0;
404 /* The only transitive trusts supported by Windows 2003 AD are
405 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
406 first two are handled in forest and listed by
407 DsEnumerateDomainTrusts(). Forest trusts are not so we
408 have to do that ourselves. */
410 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
413 for ( i=0; i<num_trusts; i++ ) {
414 struct winbindd_domain *d = NULL;
416 /* Find the forest root. Don't necessarily trust
417 the domain_list() as our primary domain may not
418 have been initialized. */
420 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
424 /* Here's the forest root */
426 d = find_domain_from_name_noinit( dom_list[i].domain_name );
429 d = add_trusted_domain( dom_list[i].domain_name,
430 dom_list[i].dns_name,
434 setup_domain_child(d);
442 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
443 "for domain tree root %s (%s)\n",
444 d->name, d->alt_name ));
446 d->domain_flags = dom_list[i].trust_flags;
447 d->domain_type = dom_list[i].trust_type;
448 d->domain_trust_attribs = dom_list[i].trust_attribs;
450 add_trusted_domains( d );
455 TALLOC_FREE( dom_list );
460 /********************************************************************
461 scan the transitive forest trusts (not our own)
462 ********************************************************************/
465 static void rescan_forest_trusts( void )
467 struct winbindd_domain *d = NULL;
468 struct winbindd_tdc_domain *dom_list = NULL;
469 size_t num_trusts = 0;
472 /* The only transitive trusts supported by Windows 2003 AD are
473 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
474 first two are handled in forest and listed by
475 DsEnumerateDomainTrusts(). Forest trusts are not so we
476 have to do that ourselves. */
478 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
481 for ( i=0; i<num_trusts; i++ ) {
482 uint32 flags = dom_list[i].trust_flags;
483 uint32 type = dom_list[i].trust_type;
484 uint32 attribs = dom_list[i].trust_attribs;
486 d = find_domain_from_name_noinit( dom_list[i].domain_name );
488 /* ignore our primary and internal domains */
490 if ( d && (d->internal || d->primary ) )
493 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
494 (type == NETR_TRUST_TYPE_UPLEVEL) &&
495 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
497 /* add the trusted domain if we don't know
501 d = add_trusted_domain( dom_list[i].domain_name,
502 dom_list[i].dns_name,
506 setup_domain_child(d);
514 DEBUG(10,("Following trust path for domain %s (%s)\n",
515 d->name, d->alt_name ));
516 add_trusted_domains( d );
520 TALLOC_FREE( dom_list );
525 /*********************************************************************
526 The process of updating the trusted domain list is a three step
529 (b) ask the root domain in our forest
530 (c) ask the a DC in any Win2003 trusted forests
531 *********************************************************************/
533 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
534 struct timeval now, void *private_data)
538 /* I use to clear the cache here and start over but that
539 caused problems in child processes that needed the
540 trust dom list early on. Removing it means we
541 could have some trusted domains listed that have been
542 removed from our primary domain's DC until a full
543 restart. This should be ok since I think this is what
544 Windows does as well. */
546 /* this will only add new domains we didn't already know about
547 in the domain_list()*/
549 add_trusted_domains( find_our_domain() );
551 te = tevent_add_timer(
552 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
553 rescan_trusted_domains, NULL);
555 * If te == NULL, there's not much we can do here. Don't fail, the
556 * only thing we miss is new trusted domains.
562 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
563 struct winbindd_cli_state *state)
565 /* Ensure null termination */
566 state->request->domain_name
567 [sizeof(state->request->domain_name)-1]='\0';
568 state->request->data.init_conn.dcname
569 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
571 if (strlen(state->request->data.init_conn.dcname) > 0) {
572 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
575 if (domain->internal) {
576 domain->initialized = true;
578 init_dc_connection(domain);
581 if (!domain->initialized) {
582 /* If we return error here we can't do any cached authentication,
583 but we may be in disconnected mode and can't initialize correctly.
584 Do what the previous code did and just return without initialization,
585 once we go online we'll re-initialize.
587 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
588 "online = %d\n", domain->name, (int)domain->online ));
591 fstrcpy(state->response->data.domain_info.name, domain->name);
592 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
593 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
595 state->response->data.domain_info.native_mode
596 = domain->native_mode;
597 state->response->data.domain_info.active_directory
598 = domain->active_directory;
599 state->response->data.domain_info.primary
605 /* Look up global info for the winbind daemon */
606 bool init_domain_list(void)
608 struct winbindd_domain *domain;
609 int role = lp_server_role();
611 /* Free existing list */
616 domain = add_trusted_domain("BUILTIN", NULL, &cache_methods,
617 &global_sid_Builtin);
619 setup_domain_child(domain);
624 domain = add_trusted_domain(get_global_sam_name(), NULL,
625 &cache_methods, get_global_sam_sid());
627 if ( role != ROLE_DOMAIN_MEMBER ) {
628 domain->primary = True;
630 setup_domain_child(domain);
633 /* Add ourselves as the first entry. */
635 if ( role == ROLE_DOMAIN_MEMBER ) {
636 struct dom_sid our_sid;
638 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
639 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
643 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
644 &cache_methods, &our_sid);
646 domain->primary = True;
647 setup_domain_child(domain);
649 /* Even in the parent winbindd we'll need to
650 talk to the DC, so try and see if we can
651 contact it. Theoretically this isn't neccessary
652 as the init_dc_connection() in init_child_recv()
653 will do this, but we can start detecting the DC
655 set_domain_online_request(domain);
663 * Given a domain name, return the struct winbindd domain info for it
665 * @note Do *not* pass lp_workgroup() to this function. domain_list
666 * may modify it's value, and free that pointer. Instead, our local
667 * domain may be found by calling find_our_domain().
671 * @return The domain structure for the named domain, if it is working.
674 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
676 struct winbindd_domain *domain;
678 /* Search through list */
680 for (domain = domain_list(); domain != NULL; domain = domain->next) {
681 if (strequal(domain_name, domain->name) ||
682 (domain->alt_name[0] &&
683 strequal(domain_name, domain->alt_name))) {
693 struct winbindd_domain *find_domain_from_name(const char *domain_name)
695 struct winbindd_domain *domain;
697 domain = find_domain_from_name_noinit(domain_name);
702 if (!domain->initialized)
703 init_dc_connection(domain);
708 /* Given a domain sid, return the struct winbindd domain info for it */
710 struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
712 struct winbindd_domain *domain;
714 /* Search through list */
716 for (domain = domain_list(); domain != NULL; domain = domain->next) {
717 if (dom_sid_compare_domain(sid, &domain->sid) == 0)
726 /* Given a domain sid, return the struct winbindd domain info for it */
728 struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
730 struct winbindd_domain *domain;
732 domain = find_domain_from_sid_noinit(sid);
737 if (!domain->initialized)
738 init_dc_connection(domain);
743 struct winbindd_domain *find_our_domain(void)
745 struct winbindd_domain *domain;
747 /* Search through list */
749 for (domain = domain_list(); domain != NULL; domain = domain->next) {
754 smb_panic("Could not find our domain");
758 struct winbindd_domain *find_root_domain(void)
760 struct winbindd_domain *ours = find_our_domain();
762 if (ours->forest_name[0] == '\0') {
766 return find_domain_from_name( ours->forest_name );
769 struct winbindd_domain *find_builtin_domain(void)
771 struct winbindd_domain *domain;
773 domain = find_domain_from_sid(&global_sid_Builtin);
774 if (domain == NULL) {
775 smb_panic("Could not find BUILTIN domain");
781 /* Find the appropriate domain to lookup a name or SID */
783 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
785 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
787 if ( sid_check_is_in_unix_groups(sid) ||
788 sid_check_is_unix_groups(sid) ||
789 sid_check_is_in_unix_users(sid) ||
790 sid_check_is_unix_users(sid) )
792 return find_domain_from_sid(get_global_sam_sid());
795 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
796 * one to contact the external DC's. On member servers the internal
797 * domains are different: These are part of the local SAM. */
799 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
801 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
802 DEBUG(10, ("calling find_domain_from_sid\n"));
803 return find_domain_from_sid(sid);
806 /* On a member server a query for SID or name can always go to our
809 DEBUG(10, ("calling find_our_domain\n"));
810 return find_our_domain();
813 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
815 if ( strequal(domain_name, unix_users_domain_name() ) ||
816 strequal(domain_name, unix_groups_domain_name() ) )
819 * The "Unix User" and "Unix Group" domain our handled by
822 return find_domain_from_name_noinit( get_global_sam_name() );
825 if (IS_DC || strequal(domain_name, "BUILTIN") ||
826 strequal(domain_name, get_global_sam_name()))
827 return find_domain_from_name_noinit(domain_name);
830 return find_our_domain();
833 /* Is this a domain which we may assume no DOMAIN\ prefix? */
835 static bool assume_domain(const char *domain)
837 /* never assume the domain on a standalone server */
839 if ( lp_server_role() == ROLE_STANDALONE )
842 /* domain member servers may possibly assume for the domain name */
844 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
845 if ( !strequal(lp_workgroup(), domain) )
848 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
852 /* only left with a domain controller */
854 if ( strequal(get_global_sam_name(), domain) ) {
861 /* Parse a string of the form DOMAIN\user into a domain and a user */
863 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
865 char *p = strchr(domuser,*lp_winbind_separator());
868 fstrcpy(user, domuser);
870 if ( assume_domain(lp_workgroup())) {
871 fstrcpy(domain, lp_workgroup());
872 } else if ((p = strchr(domuser, '@')) != NULL) {
873 fstrcpy(domain, p + 1);
874 user[PTR_DIFF(p, domuser)] = 0;
880 fstrcpy(domain, domuser);
881 domain[PTR_DIFF(p, domuser)] = 0;
884 return strupper_m(domain);
887 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
888 char **domain, char **user)
890 fstring fstr_domain, fstr_user;
891 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
894 *domain = talloc_strdup(mem_ctx, fstr_domain);
895 *user = talloc_strdup(mem_ctx, fstr_user);
896 return ((*domain != NULL) && (*user != NULL));
899 /* Ensure an incoming username from NSS is fully qualified. Replace the
900 incoming fstring with DOMAIN <separator> user. Returns the same
901 values as parse_domain_user() but also replaces the incoming username.
902 Used to ensure all names are fully qualified within winbindd.
903 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
904 The protocol definitions of auth_crap, chng_pswd_auth_crap
905 really should be changed to use this instead of doing things
908 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
910 if (!parse_domain_user(username_inout, domain, user)) {
913 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
914 domain, *lp_winbind_separator(),
920 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
921 'winbind separator' options.
923 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
926 If we are a PDC or BDC, and this is for our domain, do likewise.
928 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
929 username is then unqualified in unix
931 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
933 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
937 fstrcpy(tmp_user, user);
938 (void)strlower_m(tmp_user);
940 if (can_assume && assume_domain(domain)) {
941 strlcpy(name, tmp_user, sizeof(fstring));
943 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
944 domain, *lp_winbind_separator(),
950 * talloc version of fill_domain_username()
951 * return NULL on talloc failure.
953 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
958 char *tmp_user, *name;
960 tmp_user = talloc_strdup(mem_ctx, user);
961 if (!strlower_m(tmp_user)) {
962 TALLOC_FREE(tmp_user);
966 if (can_assume && assume_domain(domain)) {
969 name = talloc_asprintf(mem_ctx, "%s%c%s",
971 *lp_winbind_separator(),
973 TALLOC_FREE(tmp_user);
980 * Client list accessor functions
983 static struct winbindd_cli_state *_client_list;
984 static int _num_clients;
986 /* Return list of all connected clients */
988 struct winbindd_cli_state *winbindd_client_list(void)
993 /* Add a connection to the list */
995 void winbindd_add_client(struct winbindd_cli_state *cli)
997 DLIST_ADD(_client_list, cli);
1001 /* Remove a client from the list */
1003 void winbindd_remove_client(struct winbindd_cli_state *cli)
1005 DLIST_REMOVE(_client_list, cli);
1009 /* Return number of open clients */
1011 int winbindd_num_clients(void)
1013 return _num_clients;
1016 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1017 TALLOC_CTX *mem_ctx,
1018 const struct dom_sid *user_sid,
1019 uint32_t *p_num_groups, struct dom_sid **user_sids)
1021 struct netr_SamInfo3 *info3 = NULL;
1022 NTSTATUS status = NT_STATUS_NO_MEMORY;
1023 uint32_t num_groups = 0;
1025 DEBUG(3,(": lookup_usergroups_cached\n"));
1030 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1032 if (info3 == NULL) {
1033 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1036 if (info3->base.groups.count == 0) {
1038 return NT_STATUS_UNSUCCESSFUL;
1042 * Before bug #7843 the "Domain Local" groups were added with a
1043 * lookupuseraliases call, but this isn't done anymore for our domain
1044 * so we need to resolve resource groups here.
1046 * When to use Resource Groups:
1047 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
1049 status = sid_array_from_info3(mem_ctx, info3,
1054 if (!NT_STATUS_IS_OK(status)) {
1060 *p_num_groups = num_groups;
1061 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1063 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1068 /*********************************************************************
1069 We use this to remove spaces from user and group names
1070 ********************************************************************/
1072 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1073 struct winbindd_domain *domain,
1079 if (!name || !normalized) {
1080 return NT_STATUS_INVALID_PARAMETER;
1083 if (!lp_winbind_normalize_names()) {
1084 return NT_STATUS_PROCEDURE_NOT_FOUND;
1087 /* Alias support and whitespace replacement are mutually
1090 nt_status = resolve_username_to_alias(mem_ctx, domain,
1092 if (NT_STATUS_IS_OK(nt_status)) {
1093 /* special return code to let the caller know we
1094 mapped to an alias */
1095 return NT_STATUS_FILE_RENAMED;
1098 /* check for an unreachable domain */
1100 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1101 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1103 set_domain_offline(domain);
1107 /* deal with whitespace */
1109 *normalized = talloc_strdup(mem_ctx, name);
1110 if (!(*normalized)) {
1111 return NT_STATUS_NO_MEMORY;
1114 all_string_sub( *normalized, " ", "_", 0 );
1116 return NT_STATUS_OK;
1119 /*********************************************************************
1120 We use this to do the inverse of normalize_name_map()
1121 ********************************************************************/
1123 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1128 struct winbindd_domain *domain = find_our_domain();
1130 if (!name || !normalized) {
1131 return NT_STATUS_INVALID_PARAMETER;
1134 if (!lp_winbind_normalize_names()) {
1135 return NT_STATUS_PROCEDURE_NOT_FOUND;
1138 /* Alias support and whitespace replacement are mutally
1141 /* When mapping from an alias to a username, we don't know the
1142 domain. But we only need a domain structure to cache
1143 a successful lookup , so just our own domain structure for
1146 nt_status = resolve_alias_to_username(mem_ctx, domain,
1148 if (NT_STATUS_IS_OK(nt_status)) {
1149 /* Special return code to let the caller know we mapped
1151 return NT_STATUS_FILE_RENAMED;
1154 /* check for an unreachable domain */
1156 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1157 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1159 set_domain_offline(domain);
1163 /* deal with whitespace */
1165 *normalized = talloc_strdup(mem_ctx, name);
1166 if (!(*normalized)) {
1167 return NT_STATUS_NO_MEMORY;
1170 all_string_sub(*normalized, "_", " ", 0);
1172 return NT_STATUS_OK;
1175 /*********************************************************************
1176 ********************************************************************/
1178 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1180 struct winbindd_tdc_domain *tdc = NULL;
1181 TALLOC_CTX *frame = talloc_stackframe();
1184 /* We can contact the domain if it is our primary domain */
1186 if (domain->primary) {
1191 /* Trust the TDC cache and not the winbindd_domain flags */
1193 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1194 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1200 /* Can always contact a domain that is in out forest */
1202 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1208 * On a _member_ server, we cannot contact the domain if it
1209 * is running AD and we have no inbound trust.
1213 domain->active_directory &&
1214 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1216 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1217 "and we have no inbound trust.\n", domain->name));
1221 /* Assume everything else is ok (probably not true but what
1227 talloc_destroy(frame);
1232 /*********************************************************************
1233 ********************************************************************/
1235 bool winbindd_internal_child(struct winbindd_child *child)
1237 if ((child == idmap_child()) || (child == locator_child())) {
1244 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1246 /*********************************************************************
1247 ********************************************************************/
1249 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1252 char addr[INET6_ADDRSTRLEN];
1253 const char *kdc = NULL;
1256 if (!domain || !domain->alt_name || !*domain->alt_name) {
1260 if (domain->initialized && !domain->active_directory) {
1261 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1266 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1269 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1271 kdc = domain->dcname;
1274 if (!kdc || !*kdc) {
1275 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1280 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1281 domain->alt_name) == -1) {
1285 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1288 setenv(var, kdc, 1);
1292 /*********************************************************************
1293 ********************************************************************/
1295 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1297 struct winbindd_domain *our_dom = find_our_domain();
1299 winbindd_set_locator_kdc_env(domain);
1301 if (domain != our_dom) {
1302 winbindd_set_locator_kdc_env(our_dom);
1306 /*********************************************************************
1307 ********************************************************************/
1309 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1313 if (!domain || !domain->alt_name || !*domain->alt_name) {
1317 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1318 domain->alt_name) == -1) {
1327 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1332 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1337 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1339 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1341 resp->data.auth.nt_status = NT_STATUS_V(result);
1342 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1344 /* we might have given a more useful error above */
1345 if (*resp->data.auth.error_string == '\0')
1346 fstrcpy(resp->data.auth.error_string,
1347 get_friendly_nt_error_msg(result));
1348 resp->data.auth.pam_error = nt_status_to_pam(result);
1351 bool is_domain_offline(const struct winbindd_domain *domain)
1353 if (!lp_winbind_offline_logon()) {
1356 if (get_global_winbindd_state_offline()) {
1359 return !domain->online;
1362 bool is_domain_online(const struct winbindd_domain *domain)
1364 return !is_domain_offline(domain);
1368 * Parse an char array into a list of sids.
1370 * The input sidstr should consist of 0-terminated strings
1371 * representing sids, separated by newline characters '\n'.
1372 * The list is terminated by an empty string, i.e.
1373 * character '\0' directly following a character '\n'
1374 * (or '\0' right at the start of sidstr).
1376 bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
1377 struct dom_sid **sids, uint32_t *num_sids)
1385 while (p[0] != '\0') {
1387 const char *q = NULL;
1389 if (!dom_sid_parse_endp(p, &sid, &q)) {
1390 DEBUG(1, ("Could not parse sid %s\n", p));
1393 if ((q == NULL) || (q[0] != '\n')) {
1394 DEBUG(1, ("Got invalid sidstr: %s\n", p));
1397 if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
git.samba.org / samba.git / blob