#include "passdb.h"
#include "source4/lib/messaging/messaging.h"
#include "librpc/gen_ndr/ndr_lsa.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "auth/credentials/credentials.h"
#include "libsmb/samlogon_cache.h"
* Winbind daemon for NT domain authentication nss module.
**/
+static bool add_trusted_domains_dc(void);
/* The list of trusted domains. Note that the list can be deleted and
recreated using the init_domain_list() function so pointers to
uint32_t trust_flags,
uint32_t trust_attribs,
enum netr_SchannelType secure_channel_type,
+ struct winbindd_domain *routing_domain,
struct winbindd_domain **_d)
{
struct winbindd_domain *domain = NULL;
return NT_STATUS_NO_MEMORY;
}
+ domain->queue = tevent_queue_create(domain, "winbind_domain");
+ if (domain->queue == NULL) {
+ TALLOC_FREE(domain);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ domain->binding_handle = wbint_binding_handle(domain, domain, NULL);
+ if (domain->binding_handle == NULL) {
+ TALLOC_FREE(domain);
+ return NT_STATUS_NO_MEMORY;
+ }
+
domain->name = talloc_strdup(domain, domain_name);
if (domain->name == NULL) {
TALLOC_FREE(domain);
domain->domain_type = trust_type;
domain->domain_trust_attribs = trust_attribs;
domain->secure_channel_type = secure_channel_type;
+ domain->routing_domain = routing_domain;
sid_copy(&domain->sid, sid);
/* Is this our primary domain ? */
}
}
+ domain->can_do_ncacn_ip_tcp = domain->active_directory;
+
/* Link to domain list */
DLIST_ADD_END(_domain_list, domain);
return NT_STATUS_OK;
}
+bool set_routing_domain(struct winbindd_domain *domain,
+ struct winbindd_domain *routing_domain)
+{
+ if (domain->routing_domain == NULL) {
+ domain->routing_domain = routing_domain;
+ return true;
+ }
+ if (domain->routing_domain != routing_domain) {
+ return false;
+ }
+ return true;
+}
+
+bool add_trusted_domain_from_auth(uint16_t validation_level,
+ struct info3_text *info3,
+ struct info6_text *info6)
+{
+ struct winbindd_domain *domain = NULL;
+ struct dom_sid domain_sid;
+ const char *dns_domainname = NULL;
+ NTSTATUS status;
+ bool ok;
+
+ /*
+ * We got a successfull auth from a domain that might not yet be in our
+ * domain list. If we're a member we trust our DC who authenticated the
+ * user from that domain and add the domain to our list on-the-fly. If
+ * we're a DC we rely on configured trusts and don't add on-the-fly.
+ */
+
+ if (IS_DC) {
+ return true;
+ }
+
+ ok = dom_sid_parse(info3->dom_sid, &domain_sid);
+ if (!ok) {
+ DBG_NOTICE("dom_sid_parse [%s] failed\n", info3->dom_sid);
+ return false;
+ }
+
+ if (validation_level == 6) {
+ if (!strequal(info6->dns_domainname, "")) {
+ dns_domainname = info6->dns_domainname;
+ }
+ }
+
+ status = add_trusted_domain(info3->logon_dom,
+ dns_domainname,
+ &domain_sid,
+ 0,
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0,
+ SEC_CHAN_NULL,
+ find_default_route_domain(),
+ &domain);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
+ {
+ DBG_DEBUG("Adding domain [%s] with sid [%s] failed\n",
+ info3->logon_dom, info3->dom_sid);
+ return false;
+ }
+
+ return true;
+}
+
bool domain_is_forest_root(const struct winbindd_domain *domain)
{
const uint32_t fr_flags =
trust_flags,
trust_attribs,
SEC_CHAN_NULL,
+ find_default_route_domain(),
&domain);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
dom_list[i].trust_flags,
dom_list[i].trust_attribs,
SEC_CHAN_NULL,
+ find_default_route_domain(),
&d);
if (!NT_STATUS_IS_OK(status) &&
flags,
attribs,
SEC_CHAN_NULL,
+ find_default_route_domain(),
&d);
if (!NT_STATUS_IS_OK(status) &&
NT_STATUS_EQUAL(status,
[sizeof(state->request->data.init_conn.dcname)-1]='\0';
if (strlen(state->request->data.init_conn.dcname) > 0) {
- fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
+ TALLOC_FREE(domain->dcname);
+ domain->dcname = talloc_strdup(domain,
+ state->request->data.init_conn.dcname);
+ if (domain->dcname == NULL) {
+ return WINBINDD_ERROR;
+ }
}
init_dc_connection(domain, false);
struct server_id server_id,
DATA_BLOB *data)
{
- TALLOC_CTX *frame = talloc_stackframe();
- enum netr_SchannelType secure_channel_type = SEC_CHAN_DOMAIN;
- struct lsa_TrustDomainInfoInfoEx info;
- enum ndr_err_code ndr_err;
- struct winbindd_domain *d = NULL;
- uint32_t trust_flags = 0;
- NTSTATUS status;
-
- DEBUG(5, ("wb_imsg_new_trusted_domain\n"));
-
- if (data == NULL) {
- TALLOC_FREE(frame);
- return;
- }
-
- ndr_err = ndr_pull_struct_blob_all(data, frame, &info,
- (ndr_pull_flags_fn_t)ndr_pull_lsa_TrustDomainInfoInfoEx);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- TALLOC_FREE(frame);
- return;
- }
-
- d = find_domain_from_name_noinit(info.netbios_name.string);
- if (d != NULL) {
- TALLOC_FREE(frame);
- return;
- }
+ bool ok;
- if (info.trust_type == LSA_TRUST_TYPE_UPLEVEL) {
- secure_channel_type = SEC_CHAN_DNS_DOMAIN;
- }
- if (info.trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
- trust_flags |= NETR_TRUST_FLAG_INBOUND;
- }
- if (info.trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
- trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
- }
- if (info.trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
- trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
- }
+ DBG_NOTICE("Rescanning trusted domains\n");
- status = add_trusted_domain(info.netbios_name.string,
- info.domain_name.string,
- info.sid,
- info.trust_type,
- trust_flags,
- info.trust_attributes,
- secure_channel_type,
- &d);
- if (!NT_STATUS_IS_OK(status) &&
- !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
- {
- DBG_NOTICE("add_trusted_domain returned %s\n",
- nt_errstr(status));
- TALLOC_FREE(frame);
- return;
+ ok = add_trusted_domains_dc();
+ if (!ok) {
+ DBG_ERR("Failed to reload trusted domains\n");
}
- TALLOC_FREE(frame);
}
/*
return true;
}
+static bool add_trusted_domains_dc(void)
+{
+ struct winbindd_domain *domain = NULL;
+ struct pdb_trusted_domain **domains = NULL;
+ uint32_t num_domains = 0;
+ uint32_t i;
+ NTSTATUS status;
+
+ if (!(pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX)) {
+ struct trustdom_info **ti = NULL;
+
+ status = pdb_enum_trusteddoms(talloc_tos(), &num_domains, &ti);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_enum_trusteddoms() failed - %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ for (i = 0; i < num_domains; i++) {
+ status = add_trusted_domain(ti[i]->name,
+ NULL,
+ &ti[i]->sid,
+ LSA_TRUST_TYPE_DOWNLEVEL,
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0,
+ SEC_CHAN_DOMAIN,
+ NULL,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_NOTICE("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ /* Even in the parent winbindd we'll need to
+ talk to the DC, so try and see if we can
+ contact it. Theoretically this isn't neccessary
+ as the init_dc_connection() in init_child_recv()
+ will do this, but we can start detecting the DC
+ early here. */
+ set_domain_online_request(domain);
+ }
+
+ return true;
+ }
+
+ status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, &domains);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ for (i = 0; i < num_domains; i++) {
+ enum netr_SchannelType sec_chan_type = SEC_CHAN_DOMAIN;
+ uint32_t trust_flags = 0;
+
+ if (domains[i]->trust_type == LSA_TRUST_TYPE_UPLEVEL) {
+ sec_chan_type = SEC_CHAN_DNS_DOMAIN;
+ }
+
+ if (!(domains[i]->trust_direction & LSA_TRUST_DIRECTION_OUTBOUND)) {
+ sec_chan_type = SEC_CHAN_NULL;
+ }
+
+ if (domains[i]->trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
+ trust_flags |= NETR_TRUST_FLAG_INBOUND;
+ }
+ if (domains[i]->trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
+ trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
+ }
+ if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+ trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
+ }
+
+ status = add_trusted_domain(domains[i]->netbios_name,
+ domains[i]->domain_name,
+ &domains[i]->security_identifier,
+ domains[i]->trust_type,
+ trust_flags,
+ domains[i]->trust_attributes,
+ sec_chan_type,
+ NULL,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_NOTICE("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ if (domains[i]->trust_type == LSA_TRUST_TYPE_UPLEVEL) {
+ domain->active_directory = true;
+ }
+ domain->domain_type = domains[i]->trust_type;
+ domain->domain_trust_attribs = domains[i]->trust_attributes;
+
+ if (sec_chan_type != SEC_CHAN_NULL) {
+ /* Even in the parent winbindd we'll need to
+ talk to the DC, so try and see if we can
+ contact it. Theoretically this isn't neccessary
+ as the init_dc_connection() in init_child_recv()
+ will do this, but we can start detecting the DC
+ early here. */
+ set_domain_online_request(domain);
+ }
+ }
+
+ for (i = 0; i < num_domains; i++) {
+ struct ForestTrustInfo fti;
+ uint32_t fi;
+ enum ndr_err_code ndr_err;
+ struct winbindd_domain *routing_domain = NULL;
+
+ if (domains[i]->trust_type != LSA_TRUST_TYPE_UPLEVEL) {
+ continue;
+ }
+
+ if (!(domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) {
+ continue;
+ }
+
+ if (domains[i]->trust_forest_trust_info.length == 0) {
+ continue;
+ }
+
+ routing_domain = find_domain_from_name_noinit(
+ domains[i]->netbios_name);
+ if (routing_domain == NULL) {
+ DBG_ERR("Can't find winbindd domain [%s]\n",
+ domains[i]->netbios_name);
+ return false;
+ }
+
+ ndr_err = ndr_pull_struct_blob_all(
+ &domains[i]->trust_forest_trust_info,
+ talloc_tos(), &fti,
+ (ndr_pull_flags_fn_t)ndr_pull_ForestTrustInfo);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DBG_ERR("ndr_pull_ForestTrustInfo(%s) - %s\n",
+ domains[i]->netbios_name,
+ ndr_map_error2string(ndr_err));
+ return false;
+ }
+
+ for (fi = 0; fi < fti.count; fi++) {
+ struct ForestTrustInfoRecord *rec =
+ &fti.records[fi].record;
+ struct ForestTrustDataDomainInfo *drec = NULL;
+
+ if (rec->type != FOREST_TRUST_DOMAIN_INFO) {
+ continue;
+ }
+ drec = &rec->data.info;
+
+ if (rec->flags & LSA_NB_DISABLED_MASK) {
+ continue;
+ }
+
+ if (rec->flags & LSA_SID_DISABLED_MASK) {
+ continue;
+ }
+
+ /*
+ * TODO:
+ * also try to find a matching
+ * LSA_TLN_DISABLED_MASK ???
+ */
+
+ domain = find_domain_from_name_noinit(drec->netbios_name.string);
+ if (domain != NULL) {
+ continue;
+ }
+
+ status = add_trusted_domain(drec->netbios_name.string,
+ drec->dns_name.string,
+ &drec->sid,
+ LSA_TRUST_TYPE_UPLEVEL,
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0,
+ SEC_CHAN_NULL,
+ routing_domain,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_NOTICE("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
+ if (domain == NULL) {
+ continue;
+ }
+ }
+ }
+
+ return true;
+}
+
+
/* Look up global info for the winbind daemon */
bool init_domain_list(void)
{
struct pdb_domain_info *pdb_domain_info = NULL;
struct winbindd_domain *domain = NULL;
NTSTATUS status;
+ bool ok;
/* Free existing list */
free_domain_list();
0, /* trust_flags */
0, /* trust_attribs */
SEC_CHAN_LOCAL,
+ NULL,
&domain);
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("add_trusted_domain BUILTIN returned %s\n",
enum netr_SchannelType sec_chan_type;
const char *account_name;
struct samr_Password current_nt_hash;
- bool ok;
if (pdb_domain_info == NULL) {
DEBUG(0, ("Failed to fetch our own, local AD "
trust_flags,
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST,
SEC_CHAN_BDC,
+ NULL,
&domain);
TALLOC_FREE(pdb_domain_info);
if (!NT_STATUS_IS_OK(status)) {
trust_flags,
0, /* trust_attribs */
secure_channel_type,
+ NULL,
&domain);
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("Failed to add local SAM to "
return false;
}
}
- /* Add ourselves as the first entry. */
+
+ if (IS_DC) {
+ ok = add_trusted_domains_dc();
+ if (!ok) {
+ DBG_ERR("init_domain_list_dc failed\n");
+ return false;
+ }
+ }
if ( role == ROLE_DOMAIN_MEMBER ) {
struct dom_sid our_sid;
NETR_TRUST_FLAG_OUTBOUND,
0, /* trust_attribs */
SEC_CHAN_WKSTA,
+ NULL,
&domain);
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("Failed to add local SAM to "
}
status = imessaging_register(winbind_imessaging_context(), NULL,
- MSG_WINBIND_NEW_TRUSTED_DOMAIN,
+ MSG_WINBIND_RELOAD_TRUSTED_DOMAINS,
wb_imsg_new_trusted_domain);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("imessaging_register(MSG_WINBIND_NEW_TRUSTED_DOMAIN) - %s\n",
- nt_errstr(status)));
+ DBG_ERR("imessaging_register failed %s\n", nt_errstr(status));
return false;
}
return NULL;
}
+struct winbindd_domain *find_default_route_domain(void)
+{
+ if (!IS_DC) {
+ return find_our_domain();
+ }
+ DBG_DEBUG("Routing logic not yet implemented on a DC\n");
+ return NULL;
+}
+
/* Find the appropriate domain to lookup a name or SID */
struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
return find_domain_from_sid(get_global_sam_sid());
}
- /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
- * one to contact the external DC's. On member servers the internal
- * domains are different: These are part of the local SAM. */
+ /*
+ * On member servers the internal domains are different: These are part
+ * of the local SAM.
+ */
- if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
+ if (is_internal_domain(sid) || is_in_internal_domain(sid)) {
DEBUG(10, ("calling find_domain_from_sid\n"));
return find_domain_from_sid(sid);
}
+ if (IS_DC) {
+ struct winbindd_domain *domain = NULL;
+
+ domain = find_domain_from_sid_noinit(sid);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return domain->routing_domain;
+ }
+
/* On a member server a query for SID or name can always go to our
* primary DC. */
return find_domain_from_name_noinit( get_global_sam_name() );
}
- if (IS_DC || strequal(domain_name, "BUILTIN") ||
+ if (strequal(domain_name, "BUILTIN") ||
strequal(domain_name, get_global_sam_name()))
return find_domain_from_name_noinit(domain_name);
+ if (IS_DC) {
+ struct winbindd_domain *domain = NULL;
+
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return domain->routing_domain;
+ }
return find_our_domain();
}