2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_WINBIND
29 extern struct winbindd_methods cache_methods;
30 extern struct winbindd_methods builtin_passdb_methods;
31 extern struct winbindd_methods sam_passdb_methods;
35 * @file winbindd_util.c
37 * Winbind daemon for NT domain authentication nss module.
41 /* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
46 static struct winbindd_domain *_domain_list = NULL;
49 When was the last scan of trusted domains done?
54 static time_t last_trustdom_scan;
56 struct winbindd_domain *domain_list(void)
60 if ((!_domain_list) && (!init_domain_list())) {
61 smb_panic("Init_domain_list failed");
67 /* Free all entries in the trusted domain list */
69 void free_domain_list(void)
71 struct winbindd_domain *domain = _domain_list;
74 struct winbindd_domain *next = domain->next;
76 DLIST_REMOVE(_domain_list, domain);
82 static bool is_internal_domain(const DOM_SID *sid)
88 return sid_check_is_builtin(sid);
90 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
93 static bool is_in_internal_domain(const DOM_SID *sid)
99 return sid_check_is_in_builtin(sid);
101 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
105 /* Add a trusted domain to our list of domains */
106 static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
107 struct winbindd_methods *methods,
110 struct winbindd_domain *domain;
111 const char *alternative_name = NULL;
112 char *idmap_config_option;
114 const char **ignored_domains, **dom;
116 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
117 for (dom=ignored_domains; dom && *dom; dom++) {
118 if (gen_fnmatch(*dom, domain_name) == 0) {
119 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
124 /* ignore alt_name if we are not in an AD domain */
126 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
127 alternative_name = alt_name;
130 /* We can't call domain_list() as this function is called from
131 init_domain_list() and we'll get stuck in a loop. */
132 for (domain = _domain_list; domain; domain = domain->next) {
133 if (strequal(domain_name, domain->name) ||
134 strequal(domain_name, domain->alt_name))
139 if (alternative_name && *alternative_name)
141 if (strequal(alternative_name, domain->name) ||
142 strequal(alternative_name, domain->alt_name))
150 if (is_null_sid(sid)) {
154 if (sid_equal(sid, &domain->sid)) {
160 /* See if we found a match. Check if we need to update the
163 if ( domain && sid) {
164 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
165 sid_copy( &domain->sid, sid );
170 /* Create new domain entry */
172 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
177 ZERO_STRUCTP(domain);
179 fstrcpy(domain->name, domain_name);
180 if (alternative_name) {
181 fstrcpy(domain->alt_name, alternative_name);
184 domain->methods = methods;
185 domain->backend = NULL;
186 domain->internal = is_internal_domain(sid);
187 domain->sequence_number = DOM_SEQUENCE_NONE;
188 domain->last_seq_check = 0;
189 domain->initialized = False;
190 domain->online = is_internal_domain(sid);
191 domain->check_online_timeout = 0;
192 domain->dc_probe_pid = (pid_t)-1;
194 sid_copy(&domain->sid, sid);
197 /* Link to domain list */
198 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
200 wcache_tdc_add_domain( domain );
202 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
204 if (idmap_config_option == NULL) {
205 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
209 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
211 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
212 param ? param : "not defined"));
215 unsigned low_id, high_id;
216 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
217 DEBUG(1, ("invalid range syntax in %s: %s\n",
218 idmap_config_option, param));
221 if (low_id > high_id) {
222 DEBUG(1, ("invalid range in %s: %s\n",
223 idmap_config_option, param));
226 domain->have_idmap_config = true;
227 domain->id_range_low = low_id;
228 domain->id_range_high = high_id;
233 DEBUG(2,("Added domain %s %s %s\n",
234 domain->name, domain->alt_name,
235 &domain->sid?sid_string_dbg(&domain->sid):""));
240 /********************************************************************
241 rescan our domains looking for new trusted domains
242 ********************************************************************/
244 struct trustdom_state {
248 struct winbindd_response *response;
251 static void trustdom_recv(void *private_data, bool success);
252 static void rescan_forest_root_trusts( void );
253 static void rescan_forest_trusts( void );
255 static void add_trusted_domains( struct winbindd_domain *domain )
258 struct winbindd_request *request;
259 struct winbindd_response *response;
260 uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
262 struct trustdom_state *state;
264 mem_ctx = talloc_init("add_trusted_domains");
265 if (mem_ctx == NULL) {
266 DEBUG(0, ("talloc_init failed\n"));
270 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
271 response = TALLOC_P(mem_ctx, struct winbindd_response);
272 state = TALLOC_P(mem_ctx, struct trustdom_state);
274 if ((request == NULL) || (response == NULL) || (state == NULL)) {
275 DEBUG(0, ("talloc failed\n"));
276 talloc_destroy(mem_ctx);
280 state->mem_ctx = mem_ctx;
281 state->response = response;
283 /* Flags used to know how to continue the forest trust search */
285 state->primary = domain->primary;
286 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
288 request->length = sizeof(*request);
289 request->cmd = WINBINDD_LIST_TRUSTDOM;
291 async_domain_request(mem_ctx, domain, request, response,
292 trustdom_recv, state);
295 static void trustdom_recv(void *private_data, bool success)
297 struct trustdom_state *state =
298 talloc_get_type_abort(private_data, struct trustdom_state);
299 struct winbindd_response *response = state->response;
302 if ((!success) || (response->result != WINBINDD_OK)) {
303 DEBUG(1, ("Could not receive trustdoms\n"));
304 talloc_destroy(state->mem_ctx);
308 p = (char *)response->extra_data.data;
310 while ((p != NULL) && (*p != '\0')) {
311 char *q, *sidstr, *alt_name;
313 struct winbindd_domain *domain;
314 char *alternate_name = NULL;
316 alt_name = strchr(p, '\\');
317 if (alt_name == NULL) {
318 DEBUG(0, ("Got invalid trustdom response\n"));
325 sidstr = strchr(alt_name, '\\');
326 if (sidstr == NULL) {
327 DEBUG(0, ("Got invalid trustdom response\n"));
334 q = strchr(sidstr, '\n');
338 if (!string_to_sid(&sid, sidstr)) {
339 /* Allow NULL sid for sibling domains */
340 if ( strcmp(sidstr,"S-0-0") == 0) {
341 sid_copy( &sid, &global_sid_NULL);
343 DEBUG(0, ("Got invalid trustdom response\n"));
348 /* use the real alt_name if we have one, else pass in NULL */
350 if ( !strequal( alt_name, "(null)" ) )
351 alternate_name = alt_name;
353 /* If we have an existing domain structure, calling
354 add_trusted_domain() will update the SID if
355 necessary. This is important because we need the
356 SID for sibling domains */
358 if ( find_domain_from_name_noinit(p) != NULL ) {
359 domain = add_trusted_domain(p, alternate_name,
363 domain = add_trusted_domain(p, alternate_name,
367 setup_domain_child(domain,
377 Cases to consider when scanning trusts:
378 (a) we are calling from a child domain (primary && !forest_root)
379 (b) we are calling from the root of the forest (primary && forest_root)
380 (c) we are calling from a trusted forest domain (!primary
384 if ( state->primary ) {
385 /* If this is our primary domain and we are not in the
386 forest root, we have to scan the root trusts first */
388 if ( !state->forest_root )
389 rescan_forest_root_trusts();
391 rescan_forest_trusts();
393 } else if ( state->forest_root ) {
394 /* Once we have done root forest trust search, we can
395 go on to search the trusted forests */
397 rescan_forest_trusts();
400 talloc_destroy(state->mem_ctx);
405 /********************************************************************
406 Scan the trusts of our forest root
407 ********************************************************************/
409 static void rescan_forest_root_trusts( void )
411 struct winbindd_tdc_domain *dom_list = NULL;
412 size_t num_trusts = 0;
415 /* The only transitive trusts supported by Windows 2003 AD are
416 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
417 first two are handled in forest and listed by
418 DsEnumerateDomainTrusts(). Forest trusts are not so we
419 have to do that ourselves. */
421 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
424 for ( i=0; i<num_trusts; i++ ) {
425 struct winbindd_domain *d = NULL;
427 /* Find the forest root. Don't necessarily trust
428 the domain_list() as our primary domain may not
429 have been initialized. */
431 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
435 /* Here's the forest root */
437 d = find_domain_from_name_noinit( dom_list[i].domain_name );
440 d = add_trusted_domain( dom_list[i].domain_name,
441 dom_list[i].dns_name,
450 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
451 "for domain tree root %s (%s)\n",
452 d->name, d->alt_name ));
454 d->domain_flags = dom_list[i].trust_flags;
455 d->domain_type = dom_list[i].trust_type;
456 d->domain_trust_attribs = dom_list[i].trust_attribs;
458 add_trusted_domains( d );
463 TALLOC_FREE( dom_list );
468 /********************************************************************
469 scan the transitive forest trusts (not our own)
470 ********************************************************************/
473 static void rescan_forest_trusts( void )
475 struct winbindd_domain *d = NULL;
476 struct winbindd_tdc_domain *dom_list = NULL;
477 size_t num_trusts = 0;
480 /* The only transitive trusts supported by Windows 2003 AD are
481 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
482 first two are handled in forest and listed by
483 DsEnumerateDomainTrusts(). Forest trusts are not so we
484 have to do that ourselves. */
486 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
489 for ( i=0; i<num_trusts; i++ ) {
490 uint32 flags = dom_list[i].trust_flags;
491 uint32 type = dom_list[i].trust_type;
492 uint32 attribs = dom_list[i].trust_attribs;
494 d = find_domain_from_name_noinit( dom_list[i].domain_name );
496 /* ignore our primary and internal domains */
498 if ( d && (d->internal || d->primary ) )
501 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
502 (type == NETR_TRUST_TYPE_UPLEVEL) &&
503 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
505 /* add the trusted domain if we don't know
509 d = add_trusted_domain( dom_list[i].domain_name,
510 dom_list[i].dns_name,
519 DEBUG(10,("Following trust path for domain %s (%s)\n",
520 d->name, d->alt_name ));
521 add_trusted_domains( d );
525 TALLOC_FREE( dom_list );
530 /*********************************************************************
531 The process of updating the trusted domain list is a three step
534 (b) ask the root domain in our forest
535 (c) ask the a DC in any Win2003 trusted forests
536 *********************************************************************/
538 void rescan_trusted_domains( void )
540 time_t now = time(NULL);
542 /* Check that we allow trusted domains at all */
543 if (!lp_allow_trusted_domains())
546 /* see if the time has come... */
548 if ((now >= last_trustdom_scan) &&
549 ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
552 /* I use to clear the cache here and start over but that
553 caused problems in child processes that needed the
554 trust dom list early on. Removing it means we
555 could have some trusted domains listed that have been
556 removed from our primary domain's DC until a full
557 restart. This should be ok since I think this is what
558 Windows does as well. */
560 /* this will only add new domains we didn't already know about
561 in the domain_list()*/
563 add_trusted_domains( find_our_domain() );
565 last_trustdom_scan = now;
570 enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
571 struct winbindd_cli_state *state)
573 /* Ensure null termination */
574 state->request->domain_name
575 [sizeof(state->request->domain_name)-1]='\0';
576 state->request->data.init_conn.dcname
577 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
579 if (strlen(state->request->data.init_conn.dcname) > 0) {
580 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
583 init_dc_connection(domain);
585 if (!domain->initialized) {
586 /* If we return error here we can't do any cached authentication,
587 but we may be in disconnected mode and can't initialize correctly.
588 Do what the previous code did and just return without initialization,
589 once we go online we'll re-initialize.
591 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
592 "online = %d\n", domain->name, (int)domain->online ));
595 fstrcpy(state->response.data.domain_info.name, domain->name);
596 fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
597 sid_to_fstring(state->response.data.domain_info.sid, &domain->sid);
599 state->response.data.domain_info.native_mode
600 = domain->native_mode;
601 state->response.data.domain_info.active_directory
602 = domain->active_directory;
603 state->response.data.domain_info.primary
609 /* Look up global info for the winbind daemon */
610 bool init_domain_list(void)
612 struct winbindd_domain *domain;
613 int role = lp_server_role();
615 /* Free existing list */
620 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
621 &global_sid_Builtin);
623 setup_domain_child(domain,
629 domain = add_trusted_domain(get_global_sam_name(), NULL,
630 &sam_passdb_methods, get_global_sam_sid());
632 if ( role != ROLE_DOMAIN_MEMBER ) {
633 domain->primary = True;
635 setup_domain_child(domain,
639 /* Add ourselves as the first entry. */
641 if ( role == ROLE_DOMAIN_MEMBER ) {
644 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
645 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
649 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
650 &cache_methods, &our_sid);
652 domain->primary = True;
653 setup_domain_child(domain,
656 /* Even in the parent winbindd we'll need to
657 talk to the DC, so try and see if we can
658 contact it. Theoretically this isn't neccessary
659 as the init_dc_connection() in init_child_recv()
660 will do this, but we can start detecting the DC
662 set_domain_online_request(domain);
669 void check_domain_trusted( const char *name, const DOM_SID *user_sid )
671 struct winbindd_domain *domain;
675 /* Check if we even care */
677 if (!lp_allow_trusted_domains())
680 domain = find_domain_from_name_noinit( name );
684 sid_copy( &dom_sid, user_sid );
685 if ( !sid_split_rid( &dom_sid, &rid ) )
688 /* add the newly discovered trusted domain */
690 domain = add_trusted_domain( name, NULL, &cache_methods,
696 /* assume this is a trust from a one-way transitive
699 domain->active_directory = True;
700 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
701 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
702 domain->internal = False;
703 domain->online = True;
705 setup_domain_child(domain,
708 wcache_tdc_add_domain( domain );
714 * Given a domain name, return the struct winbindd domain info for it
716 * @note Do *not* pass lp_workgroup() to this function. domain_list
717 * may modify it's value, and free that pointer. Instead, our local
718 * domain may be found by calling find_our_domain().
722 * @return The domain structure for the named domain, if it is working.
725 struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
727 struct winbindd_domain *domain;
729 /* Search through list */
731 for (domain = domain_list(); domain != NULL; domain = domain->next) {
732 if (strequal(domain_name, domain->name) ||
733 (domain->alt_name[0] &&
734 strequal(domain_name, domain->alt_name))) {
744 struct winbindd_domain *find_domain_from_name(const char *domain_name)
746 struct winbindd_domain *domain;
748 domain = find_domain_from_name_noinit(domain_name);
753 if (!domain->initialized)
754 init_dc_connection(domain);
759 /* Given a domain sid, return the struct winbindd domain info for it */
761 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
763 struct winbindd_domain *domain;
765 /* Search through list */
767 for (domain = domain_list(); domain != NULL; domain = domain->next) {
768 if (sid_compare_domain(sid, &domain->sid) == 0)
777 /* Given a domain sid, return the struct winbindd domain info for it */
779 struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
781 struct winbindd_domain *domain;
783 domain = find_domain_from_sid_noinit(sid);
788 if (!domain->initialized)
789 init_dc_connection(domain);
794 struct winbindd_domain *find_our_domain(void)
796 struct winbindd_domain *domain;
798 /* Search through list */
800 for (domain = domain_list(); domain != NULL; domain = domain->next) {
805 smb_panic("Could not find our domain");
809 struct winbindd_domain *find_root_domain(void)
811 struct winbindd_domain *ours = find_our_domain();
816 if ( strlen(ours->forest_name) == 0 )
819 return find_domain_from_name( ours->forest_name );
822 struct winbindd_domain *find_builtin_domain(void)
825 struct winbindd_domain *domain;
827 string_to_sid(&sid, "S-1-5-32");
828 domain = find_domain_from_sid(&sid);
830 if (domain == NULL) {
831 smb_panic("Could not find BUILTIN domain");
837 /* Find the appropriate domain to lookup a name or SID */
839 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
841 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
843 if ( sid_check_is_in_unix_groups(sid) ||
844 sid_check_is_unix_groups(sid) ||
845 sid_check_is_in_unix_users(sid) ||
846 sid_check_is_unix_users(sid) )
848 return find_domain_from_sid(get_global_sam_sid());
851 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
852 * one to contact the external DC's. On member servers the internal
853 * domains are different: These are part of the local SAM. */
855 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
857 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
858 DEBUG(10, ("calling find_domain_from_sid\n"));
859 return find_domain_from_sid(sid);
862 /* On a member server a query for SID or name can always go to our
865 DEBUG(10, ("calling find_our_domain\n"));
866 return find_our_domain();
869 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
871 if ( strequal(domain_name, unix_users_domain_name() ) ||
872 strequal(domain_name, unix_groups_domain_name() ) )
874 return find_domain_from_name_noinit( get_global_sam_name() );
877 if (IS_DC || strequal(domain_name, "BUILTIN") ||
878 strequal(domain_name, get_global_sam_name()))
879 return find_domain_from_name_noinit(domain_name);
881 /* The "Unix User" and "Unix Group" domain our handled by passdb */
883 return find_our_domain();
886 /* Lookup a sid in a domain from a name */
888 bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
889 enum winbindd_cmd orig_cmd,
890 struct winbindd_domain *domain,
891 const char *domain_name,
892 const char *name, DOM_SID *sid,
893 enum lsa_SidType *type)
898 result = domain->methods->name_to_sid(domain, mem_ctx, orig_cmd,
899 domain_name, name, sid, type);
901 /* Return sid and type if lookup successful */
902 if (!NT_STATUS_IS_OK(result)) {
903 *type = SID_NAME_UNKNOWN;
906 return NT_STATUS_IS_OK(result);
910 * @brief Lookup a name in a domain from a sid.
912 * @param sid Security ID you want to look up.
913 * @param name On success, set to the name corresponding to @p sid.
914 * @param dom_name On success, set to the 'domain name' corresponding to @p sid.
915 * @param type On success, contains the type of name: alias, group or
917 * @retval True if the name exists, in which case @p name and @p type
918 * are set, otherwise False.
920 bool winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
921 struct winbindd_domain *domain,
925 enum lsa_SidType *type)
934 result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
936 /* Return name and type if successful */
938 if (NT_STATUS_IS_OK(result)) {
942 *type = SID_NAME_UNKNOWN;
947 /* Free state information held for {set,get,end}{pw,gr}ent() functions */
949 void free_getent_state(struct getent_state *state)
951 struct getent_state *temp;
953 /* Iterate over state list */
957 while(temp != NULL) {
958 struct getent_state *next = temp->next;
960 /* Free sam entries then list entry */
962 SAFE_FREE(state->sam_entries);
963 DLIST_REMOVE(state, state);
970 /* Is this a domain which we may assume no DOMAIN\ prefix? */
972 static bool assume_domain(const char *domain)
974 /* never assume the domain on a standalone server */
976 if ( lp_server_role() == ROLE_STANDALONE )
979 /* domain member servers may possibly assume for the domain name */
981 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
982 if ( !strequal(lp_workgroup(), domain) )
985 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
989 /* only left with a domain controller */
991 if ( strequal(get_global_sam_name(), domain) ) {
998 /* Parse a string of the form DOMAIN\user into a domain and a user */
1000 bool parse_domain_user(const char *domuser, fstring domain, fstring user)
1002 char *p = strchr(domuser,*lp_winbind_separator());
1005 fstrcpy(user, domuser);
1007 if ( assume_domain(lp_workgroup())) {
1008 fstrcpy(domain, lp_workgroup());
1009 } else if ((p = strchr(domuser, '@')) != NULL) {
1010 fstrcpy(domain, "");
1016 fstrcpy(domain, domuser);
1017 domain[PTR_DIFF(p, domuser)] = 0;
1025 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
1026 char **domain, char **user)
1028 fstring fstr_domain, fstr_user;
1029 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
1032 *domain = talloc_strdup(mem_ctx, fstr_domain);
1033 *user = talloc_strdup(mem_ctx, fstr_user);
1034 return ((*domain != NULL) && (*user != NULL));
1037 /* add a domain user name to a buffer */
1038 void parse_add_domuser(void *buf, char *domuser, int *len)
1044 p = strchr(domuser, *lp_winbind_separator());
1048 fstrcpy(domain, domuser);
1049 domain[PTR_DIFF(p, domuser)] = 0;
1052 if (assume_domain(domain)) {
1055 *len -= (PTR_DIFF(p, domuser));
1059 safe_strcpy((char *)buf, user, *len);
1062 /* Ensure an incoming username from NSS is fully qualified. Replace the
1063 incoming fstring with DOMAIN <separator> user. Returns the same
1064 values as parse_domain_user() but also replaces the incoming username.
1065 Used to ensure all names are fully qualified within winbindd.
1066 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
1067 The protocol definitions of auth_crap, chng_pswd_auth_crap
1068 really should be changed to use this instead of doing things
1071 bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
1073 if (!parse_domain_user(username_inout, domain, user)) {
1076 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
1077 domain, *lp_winbind_separator(),
1083 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
1084 'winbind separator' options.
1086 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
1089 If we are a PDC or BDC, and this is for our domain, do likewise.
1091 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1092 username is then unqualified in unix
1094 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1096 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1100 fstrcpy(tmp_user, user);
1101 strlower_m(tmp_user);
1103 if (can_assume && assume_domain(domain)) {
1104 strlcpy(name, tmp_user, sizeof(fstring));
1106 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1107 domain, *lp_winbind_separator(),
1113 * talloc version of fill_domain_username()
1114 * return NULL on talloc failure.
1116 char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1121 char *tmp_user, *name;
1123 tmp_user = talloc_strdup(mem_ctx, user);
1124 strlower_m(tmp_user);
1126 if (can_assume && assume_domain(domain)) {
1129 name = talloc_asprintf(mem_ctx, "%s%c%s",
1131 *lp_winbind_separator(),
1133 TALLOC_FREE(tmp_user);
1140 * Winbindd socket accessor functions
1143 const char *get_winbind_pipe_dir(void)
1145 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1148 char *get_winbind_priv_pipe_dir(void)
1150 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1153 /* Open the winbindd socket */
1155 static int _winbindd_socket = -1;
1156 static int _winbindd_priv_socket = -1;
1158 int open_winbindd_socket(void)
1160 if (_winbindd_socket == -1) {
1161 _winbindd_socket = create_pipe_sock(
1162 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1163 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1167 return _winbindd_socket;
1170 int open_winbindd_priv_socket(void)
1172 if (_winbindd_priv_socket == -1) {
1173 _winbindd_priv_socket = create_pipe_sock(
1174 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1175 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1176 _winbindd_priv_socket));
1179 return _winbindd_priv_socket;
1183 * Client list accessor functions
1186 static struct winbindd_cli_state *_client_list;
1187 static int _num_clients;
1189 /* Return list of all connected clients */
1191 struct winbindd_cli_state *winbindd_client_list(void)
1193 return _client_list;
1196 /* Add a connection to the list */
1198 void winbindd_add_client(struct winbindd_cli_state *cli)
1200 DLIST_ADD(_client_list, cli);
1204 /* Remove a client from the list */
1206 void winbindd_remove_client(struct winbindd_cli_state *cli)
1208 DLIST_REMOVE(_client_list, cli);
1212 /* Close all open clients */
1214 void winbindd_kill_all_clients(void)
1216 struct winbindd_cli_state *cl = winbindd_client_list();
1218 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1221 struct winbindd_cli_state *next;
1224 winbindd_remove_client(cl);
1229 /* Return number of open clients */
1231 int winbindd_num_clients(void)
1233 return _num_clients;
1236 NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1237 TALLOC_CTX *mem_ctx,
1238 const DOM_SID *user_sid,
1239 uint32 *p_num_groups, DOM_SID **user_sids)
1241 struct netr_SamInfo3 *info3 = NULL;
1242 NTSTATUS status = NT_STATUS_NO_MEMORY;
1243 size_t num_groups = 0;
1245 DEBUG(3,(": lookup_usergroups_cached\n"));
1250 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1252 if (info3 == NULL) {
1253 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1256 if (info3->base.groups.count == 0) {
1258 return NT_STATUS_UNSUCCESSFUL;
1261 /* Skip Domain local groups outside our domain.
1262 We'll get these from the getsidaliases() RPC call. */
1263 status = sid_array_from_info3(mem_ctx, info3,
1268 if (!NT_STATUS_IS_OK(status)) {
1274 *p_num_groups = num_groups;
1275 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1277 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1282 /*********************************************************************
1283 We use this to remove spaces from user and group names
1284 ********************************************************************/
1286 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1287 struct winbindd_domain *domain,
1293 if (!name || !normalized) {
1294 return NT_STATUS_INVALID_PARAMETER;
1297 if (!lp_winbind_normalize_names()) {
1298 return NT_STATUS_PROCEDURE_NOT_FOUND;
1301 /* Alias support and whitespace replacement are mutually
1304 nt_status = resolve_username_to_alias(mem_ctx, domain,
1306 if (NT_STATUS_IS_OK(nt_status)) {
1307 /* special return code to let the caller know we
1308 mapped to an alias */
1309 return NT_STATUS_FILE_RENAMED;
1312 /* check for an unreachable domain */
1314 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1315 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1317 set_domain_offline(domain);
1321 /* deal with whitespace */
1323 *normalized = talloc_strdup(mem_ctx, name);
1324 if (!(*normalized)) {
1325 return NT_STATUS_NO_MEMORY;
1328 all_string_sub( *normalized, " ", "_", 0 );
1330 return NT_STATUS_OK;
1333 /*********************************************************************
1334 We use this to do the inverse of normalize_name_map()
1335 ********************************************************************/
1337 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1342 struct winbindd_domain *domain = find_our_domain();
1344 if (!name || !normalized) {
1345 return NT_STATUS_INVALID_PARAMETER;
1348 if (!lp_winbind_normalize_names()) {
1349 return NT_STATUS_PROCEDURE_NOT_FOUND;
1352 /* Alias support and whitespace replacement are mutally
1355 /* When mapping from an alias to a username, we don't know the
1356 domain. But we only need a domain structure to cache
1357 a successful lookup , so just our own domain structure for
1360 nt_status = resolve_alias_to_username(mem_ctx, domain,
1362 if (NT_STATUS_IS_OK(nt_status)) {
1363 /* Special return code to let the caller know we mapped
1365 return NT_STATUS_FILE_RENAMED;
1368 /* check for an unreachable domain */
1370 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1371 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1373 set_domain_offline(domain);
1377 /* deal with whitespace */
1379 *normalized = talloc_strdup(mem_ctx, name);
1380 if (!(*normalized)) {
1381 return NT_STATUS_NO_MEMORY;
1384 all_string_sub(*normalized, "_", " ", 0);
1386 return NT_STATUS_OK;
1389 /*********************************************************************
1390 ********************************************************************/
1392 bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1394 struct winbindd_tdc_domain *tdc = NULL;
1395 TALLOC_CTX *frame = talloc_stackframe();
1398 /* We can contact the domain if it is our primary domain */
1400 if (domain->primary) {
1404 /* Trust the TDC cache and not the winbindd_domain flags */
1406 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1407 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1412 /* Can always contact a domain that is in out forest */
1414 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1420 * On a _member_ server, we cannot contact the domain if it
1421 * is running AD and we have no inbound trust.
1425 domain->active_directory &&
1426 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1428 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1429 "and we have no inbound trust.\n", domain->name));
1433 /* Assume everything else is ok (probably not true but what
1439 talloc_destroy(frame);
1444 /*********************************************************************
1445 ********************************************************************/
1447 bool winbindd_internal_child(struct winbindd_child *child)
1449 if ((child == idmap_child()) || (child == locator_child())) {
1456 #ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1458 /*********************************************************************
1459 ********************************************************************/
1461 static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1464 char addr[INET6_ADDRSTRLEN];
1465 const char *kdc = NULL;
1468 if (!domain || !domain->alt_name || !*domain->alt_name) {
1472 if (domain->initialized && !domain->active_directory) {
1473 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1478 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1481 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1483 kdc = domain->dcname;
1486 if (!kdc || !*kdc) {
1487 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1492 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1493 domain->alt_name) == -1) {
1497 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1500 setenv(var, kdc, 1);
1504 /*********************************************************************
1505 ********************************************************************/
1507 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1509 struct winbindd_domain *our_dom = find_our_domain();
1511 winbindd_set_locator_kdc_env(domain);
1513 if (domain != our_dom) {
1514 winbindd_set_locator_kdc_env(our_dom);
1518 /*********************************************************************
1519 ********************************************************************/
1521 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1525 if (!domain || !domain->alt_name || !*domain->alt_name) {
1529 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1530 domain->alt_name) == -1) {
1539 void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1544 void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1549 #endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1551 void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1553 resp->data.auth.nt_status = NT_STATUS_V(result);
1554 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1556 /* we might have given a more useful error above */
1557 if (*resp->data.auth.error_string == '\0')
1558 fstrcpy(resp->data.auth.error_string,
1559 get_friendly_nt_error_msg(result));
1560 resp->data.auth.pam_error = nt_status_to_pam(result);