Context Navigation

source: vendor/3.5.10/source3/winbindd/winbindd_util.c

Visit:

Last change on this file was 478, checked in by Silvan Scherrer, 15 years ago
Samba 3.5: vendor update to 3.5.4
File size: 37.0 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	Winbind daemon for ntdom nss module
5
6	Copyright (C) Tim Potter 2000-2001
7	Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 3 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program. If not, see <http://www.gnu.org/licenses/>.
21	*/
22
23	#include "includes.h"
24	#include "winbindd.h"
25
26	#undef DBGC_CLASS
27	#define DBGC_CLASS DBGC_WINBIND
28
29	extern struct winbindd_methods cache_methods;
30	extern struct winbindd_methods builtin_passdb_methods;
31	extern struct winbindd_methods sam_passdb_methods;
32
33
34	/**
35	* @file winbindd_util.c
36	*
37	* Winbind daemon for NT domain authentication nss module.
38	**/
39
40
41	/* The list of trusted domains. Note that the list can be deleted and
42	recreated using the init_domain_list() function so pointers to
43	individual winbindd_domain structures cannot be made. Keep a copy of
44	the domain name instead. */
45
46	static struct winbindd_domain *_domain_list = NULL;
47
48	struct winbindd_domain *domain_list(void)
49	{
50	/* Initialise list */
51
52	if ((!_domain_list) && (!init_domain_list())) {
53	smb_panic("Init_domain_list failed");
54	}
55
56	return _domain_list;
57	}
58
59	/* Free all entries in the trusted domain list */
60
61	void free_domain_list(void)
62	{
63	struct winbindd_domain *domain = _domain_list;
64
65	while(domain) {
66	struct winbindd_domain *next = domain->next;
67
68	DLIST_REMOVE(_domain_list, domain);
69	SAFE_FREE(domain);
70	domain = next;
71	}
72	}
73
74	static bool is_internal_domain(const DOM_SID *sid)
75	{
76	if (sid == NULL)
77	return False;
78
79	return (sid_check_is_domain(sid) \|\| sid_check_is_builtin(sid));
80	}
81
82	static bool is_in_internal_domain(const DOM_SID *sid)
83	{
84	if (sid == NULL)
85	return False;
86
87	return (sid_check_is_in_our_domain(sid) \|\| sid_check_is_in_builtin(sid));
88	}
89
90
91	/* Add a trusted domain to our list of domains */
92	static struct winbindd_domain add_trusted_domain(const char domain_name, const char *alt_name,
93	struct winbindd_methods *methods,
94	const DOM_SID *sid)
95	{
96	struct winbindd_domain *domain;
97	const char *alternative_name = NULL;
98	char *idmap_config_option;
99	const char *param;
100	const char ignored_domains, dom;
101
102	ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
103	for (dom=ignored_domains; dom && *dom; dom++) {
104	if (gen_fnmatch(*dom, domain_name) == 0) {
105	DEBUG(2,("Ignoring domain '%s'\n", domain_name));
106	return NULL;
107	}
108	}
109
110	/* ignore alt_name if we are not in an AD domain */
111
112	if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
113	alternative_name = alt_name;
114	}
115
116	/* We can't call domain_list() as this function is called from
117	init_domain_list() and we'll get stuck in a loop. */
118	for (domain = _domain_list; domain; domain = domain->next) {
119	if (strequal(domain_name, domain->name) \|\|
120	strequal(domain_name, domain->alt_name))
121	{
122	break;
123	}
124
125	if (alternative_name && *alternative_name)
126	{
127	if (strequal(alternative_name, domain->name) \|\|
128	strequal(alternative_name, domain->alt_name))
129	{
130	break;
131	}
132	}
133
134	if (sid)
135	{
136	if (is_null_sid(sid)) {
137	continue;
138	}
139
140	if (sid_equal(sid, &domain->sid)) {
141	break;
142	}
143	}
144	}
145
146	/* See if we found a match. Check if we need to update the
147	SID. */
148
149	if ( domain && sid) {
150	if ( sid_equal( &domain->sid, &global_sid_NULL ) )
151	sid_copy( &domain->sid, sid );
152
153	return domain;
154	}
155
156	/* Create new domain entry */
157
158	if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
159	return NULL;
160
161	/* Fill in fields */
162
163	ZERO_STRUCTP(domain);
164
165	fstrcpy(domain->name, domain_name);
166	if (alternative_name) {
167	fstrcpy(domain->alt_name, alternative_name);
168	}
169
170	domain->methods = methods;
171	domain->backend = NULL;
172	domain->internal = is_internal_domain(sid);
173	domain->sequence_number = DOM_SEQUENCE_NONE;
174	domain->last_seq_check = 0;
175	domain->initialized = False;
176	domain->online = is_internal_domain(sid);
177	domain->check_online_timeout = 0;
178	domain->dc_probe_pid = (pid_t)-1;
179	if (sid) {
180	sid_copy(&domain->sid, sid);
181	}
182
183	/* Link to domain list */
184	DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
185
186	wcache_tdc_add_domain( domain );
187
188	idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
189	domain->name);
190	if (idmap_config_option == NULL) {
191	DEBUG(0, ("talloc failed, not looking for idmap config\n"));
192	goto done;
193	}
194
195	param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
196
197	DEBUG(10, ("%s : range = %s\n", idmap_config_option,
198	param ? param : "not defined"));
199
200	if (param != NULL) {
201	unsigned low_id, high_id;
202	if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
203	DEBUG(1, ("invalid range syntax in %s: %s\n",
204	idmap_config_option, param));
205	goto done;
206	}
207	if (low_id > high_id) {
208	DEBUG(1, ("invalid range in %s: %s\n",
209	idmap_config_option, param));
210	goto done;
211	}
212	domain->have_idmap_config = true;
213	domain->id_range_low = low_id;
214	domain->id_range_high = high_id;
215	}
216
217	done:
218
219	DEBUG(2,("Added domain %s %s %s\n",
220	domain->name, domain->alt_name,
221	&domain->sid?sid_string_dbg(&domain->sid):""));
222
223	return domain;
224	}
225
226	/********************************************************************
227	rescan our domains looking for new trusted domains
228	********************************************************************/
229
230	struct trustdom_state {
231	TALLOC_CTX *mem_ctx;
232	bool primary;
233	bool forest_root;
234	struct winbindd_response *response;
235	};
236
237	static void trustdom_recv(void *private_data, bool success);
238	static void rescan_forest_root_trusts( void );
239	static void rescan_forest_trusts( void );
240
241	static void add_trusted_domains( struct winbindd_domain *domain )
242	{
243	TALLOC_CTX *mem_ctx;
244	struct winbindd_request *request;
245	struct winbindd_response *response;
246	uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT\|NETR_TRUST_FLAG_IN_FOREST);
247
248	struct trustdom_state *state;
249
250	mem_ctx = talloc_init("add_trusted_domains");
251	if (mem_ctx == NULL) {
252	DEBUG(0, ("talloc_init failed\n"));
253	return;
254	}
255
256	request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
257	response = TALLOC_P(mem_ctx, struct winbindd_response);
258	state = TALLOC_P(mem_ctx, struct trustdom_state);
259
260	if ((request == NULL) \|\| (response == NULL) \|\| (state == NULL)) {
261	DEBUG(0, ("talloc failed\n"));
262	talloc_destroy(mem_ctx);
263	return;
264	}
265
266	state->mem_ctx = mem_ctx;
267	state->response = response;
268
269	/* Flags used to know how to continue the forest trust search */
270
271	state->primary = domain->primary;
272	state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
273
274	request->length = sizeof(*request);
275	request->cmd = WINBINDD_LIST_TRUSTDOM;
276
277	async_domain_request(mem_ctx, domain, request, response,
278	trustdom_recv, state);
279	}
280
281	static void trustdom_recv(void *private_data, bool success)
282	{
283	struct trustdom_state *state =
284	talloc_get_type_abort(private_data, struct trustdom_state);
285	struct winbindd_response *response = state->response;
286	char *p;
287
288	if ((!success) \|\| (response->result != WINBINDD_OK)) {
289	DEBUG(1, ("Could not receive trustdoms\n"));
290	talloc_destroy(state->mem_ctx);
291	return;
292	}
293
294	p = (char *)response->extra_data.data;
295
296	while ((p != NULL) && (*p != '\0')) {
297	char q, sidstr, *alt_name;
298	DOM_SID sid;
299	struct winbindd_domain *domain;
300	char *alternate_name = NULL;
301
302	alt_name = strchr(p, '\\');
303	if (alt_name == NULL) {
304	DEBUG(0, ("Got invalid trustdom response\n"));
305	break;
306	}
307
308	*alt_name = '\0';
309	alt_name += 1;
310
311	sidstr = strchr(alt_name, '\\');
312	if (sidstr == NULL) {
313	DEBUG(0, ("Got invalid trustdom response\n"));
314	break;
315	}
316
317	*sidstr = '\0';
318	sidstr += 1;
319
320	q = strchr(sidstr, '\n');
321	if (q != NULL)
322	*q = '\0';
323
324	if (!string_to_sid(&sid, sidstr)) {
325	DEBUG(0, ("Got invalid trustdom response\n"));
326	break;
327	}
328
329	/* use the real alt_name if we have one, else pass in NULL */
330
331	if ( !strequal( alt_name, "(null)" ) )
332	alternate_name = alt_name;
333
334	/* If we have an existing domain structure, calling
335	add_trusted_domain() will update the SID if
336	necessary. This is important because we need the
337	SID for sibling domains */
338
339	if ( find_domain_from_name_noinit(p) != NULL ) {
340	domain = add_trusted_domain(p, alternate_name,
341	&cache_methods,
342	&sid);
343	} else {
344	domain = add_trusted_domain(p, alternate_name,
345	&cache_methods,
346	&sid);
347	if (domain) {
348	setup_domain_child(domain,
349	&domain->child);
350	}
351	}
352	p=q;
353	if (p != NULL)
354	p += 1;
355	}
356
357	/*
358	Cases to consider when scanning trusts:
359	(a) we are calling from a child domain (primary && !forest_root)
360	(b) we are calling from the root of the forest (primary && forest_root)
361	(c) we are calling from a trusted forest domain (!primary
362	&& !forest_root)
363	*/
364
365	if ( state->primary ) {
366	/* If this is our primary domain and we are not in the
367	forest root, we have to scan the root trusts first */
368
369	if ( !state->forest_root )
370	rescan_forest_root_trusts();
371	else
372	rescan_forest_trusts();
373
374	} else if ( state->forest_root ) {
375	/* Once we have done root forest trust search, we can
376	go on to search the trusted forests */
377
378	rescan_forest_trusts();
379	}
380
381	talloc_destroy(state->mem_ctx);
382
383	return;
384	}
385
386	/********************************************************************
387	Scan the trusts of our forest root
388	********************************************************************/
389
390	static void rescan_forest_root_trusts( void )
391	{
392	struct winbindd_tdc_domain *dom_list = NULL;
393	size_t num_trusts = 0;
394	int i;
395
396	/* The only transitive trusts supported by Windows 2003 AD are
397	(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
398	first two are handled in forest and listed by
399	DsEnumerateDomainTrusts(). Forest trusts are not so we
400	have to do that ourselves. */
401
402	if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
403	return;
404
405	for ( i=0; i<num_trusts; i++ ) {
406	struct winbindd_domain *d = NULL;
407
408	/* Find the forest root. Don't necessarily trust
409	the domain_list() as our primary domain may not
410	have been initialized. */
411
412	if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
413	continue;
414	}
415
416	/* Here's the forest root */
417
418	d = find_domain_from_name_noinit( dom_list[i].domain_name );
419
420	if ( !d ) {
421	d = add_trusted_domain( dom_list[i].domain_name,
422	dom_list[i].dns_name,
423	&cache_methods,
424	&dom_list[i].sid );
425	if (d != NULL) {
426	setup_domain_child(d, &d->child);
427	}
428	}
429
430	if (d == NULL) {
431	continue;
432	}
433
434	DEBUG(10,("rescan_forest_root_trusts: Following trust path "
435	"for domain tree root %s (%s)\n",
436	d->name, d->alt_name ));
437
438	d->domain_flags = dom_list[i].trust_flags;
439	d->domain_type = dom_list[i].trust_type;
440	d->domain_trust_attribs = dom_list[i].trust_attribs;
441
442	add_trusted_domains( d );
443
444	break;
445	}
446
447	TALLOC_FREE( dom_list );
448
449	return;
450	}
451
452	/********************************************************************
453	scan the transitive forest trusts (not our own)
454	********************************************************************/
455
456
457	static void rescan_forest_trusts( void )
458	{
459	struct winbindd_domain *d = NULL;
460	struct winbindd_tdc_domain *dom_list = NULL;
461	size_t num_trusts = 0;
462	int i;
463
464	/* The only transitive trusts supported by Windows 2003 AD are
465	(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
466	first two are handled in forest and listed by
467	DsEnumerateDomainTrusts(). Forest trusts are not so we
468	have to do that ourselves. */
469
470	if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
471	return;
472
473	for ( i=0; i<num_trusts; i++ ) {
474	uint32 flags = dom_list[i].trust_flags;
475	uint32 type = dom_list[i].trust_type;
476	uint32 attribs = dom_list[i].trust_attribs;
477
478	d = find_domain_from_name_noinit( dom_list[i].domain_name );
479
480	/* ignore our primary and internal domains */
481
482	if ( d && (d->internal \|\| d->primary ) )
483	continue;
484
485	if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
486	(type == NETR_TRUST_TYPE_UPLEVEL) &&
487	(attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
488	{
489	/* add the trusted domain if we don't know
490	about it */
491
492	if ( !d ) {
493	d = add_trusted_domain( dom_list[i].domain_name,
494	dom_list[i].dns_name,
495	&cache_methods,
496	&dom_list[i].sid );
497	if (d != NULL) {
498	setup_domain_child(d, &d->child);
499	}
500	}
501
502	if (d == NULL) {
503	continue;
504	}
505
506	DEBUG(10,("Following trust path for domain %s (%s)\n",
507	d->name, d->alt_name ));
508	add_trusted_domains( d );
509	}
510	}
511
512	TALLOC_FREE( dom_list );
513
514	return;
515	}
516
517	/*********************************************************************
518	The process of updating the trusted domain list is a three step
519	async process:
520	(a) ask our domain
521	(b) ask the root domain in our forest
522	(c) ask the a DC in any Win2003 trusted forests
523	*********************************************************************/
524
525	void rescan_trusted_domains(struct tevent_context ev, struct tevent_timer te,
526	struct timeval now, void *private_data)
527	{
528	TALLOC_FREE(te);
529
530	/* I use to clear the cache here and start over but that
531	caused problems in child processes that needed the
532	trust dom list early on. Removing it means we
533	could have some trusted domains listed that have been
534	removed from our primary domain's DC until a full
535	restart. This should be ok since I think this is what
536	Windows does as well. */
537
538	/* this will only add new domains we didn't already know about
539	in the domain_list()*/
540
541	add_trusted_domains( find_our_domain() );
542
543	te = tevent_add_timer(
544	ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
545	rescan_trusted_domains, NULL);
546	/*
547	* If te == NULL, there's not much we can do here. Don't fail, the
548	* only thing we miss is new trusted domains.
549	*/
550
551	return;
552	}
553
554	enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
555	struct winbindd_cli_state *state)
556	{
557	/* Ensure null termination */
558	state->request->domain_name
559	[sizeof(state->request->domain_name)-1]='\0';
560	state->request->data.init_conn.dcname
561	[sizeof(state->request->data.init_conn.dcname)-1]='\0';
562
563	if (strlen(state->request->data.init_conn.dcname) > 0) {
564	fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
565	}
566
567	if (domain->internal) {
568	domain->initialized = true;
569	} else {
570	init_dc_connection(domain);
571	}
572
573	if (!domain->initialized) {
574	/* If we return error here we can't do any cached authentication,
575	but we may be in disconnected mode and can't initialize correctly.
576	Do what the previous code did and just return without initialization,
577	once we go online we'll re-initialize.
578	*/
579	DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
580	"online = %d\n", domain->name, (int)domain->online ));
581	}
582
583	fstrcpy(state->response->data.domain_info.name, domain->name);
584	fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
585	sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
586
587	state->response->data.domain_info.native_mode
588	= domain->native_mode;
589	state->response->data.domain_info.active_directory
590	= domain->active_directory;
591	state->response->data.domain_info.primary
592	= domain->primary;
593
594	return WINBINDD_OK;
595	}
596
597	/* Look up global info for the winbind daemon */
598	bool init_domain_list(void)
599	{
600	struct winbindd_domain *domain;
601	int role = lp_server_role();
602
603	/* Free existing list */
604	free_domain_list();
605
606	/* BUILTIN domain */
607
608	domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
609	&global_sid_Builtin);
610	if (domain) {
611	setup_domain_child(domain,
612	&domain->child);
613	}
614
615	/* Local SAM */
616
617	domain = add_trusted_domain(get_global_sam_name(), NULL,
618	&sam_passdb_methods, get_global_sam_sid());
619	if (domain) {
620	if ( role != ROLE_DOMAIN_MEMBER ) {
621	domain->primary = True;
622	}
623	setup_domain_child(domain,
624	&domain->child);
625	}
626
627	/* Add ourselves as the first entry. */
628
629	if ( role == ROLE_DOMAIN_MEMBER ) {
630	DOM_SID our_sid;
631
632	if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
633	DEBUG(0, ("Could not fetch our SID - did we join?\n"));
634	return False;
635	}
636
637	domain = add_trusted_domain( lp_workgroup(), lp_realm(),
638	&cache_methods, &our_sid);
639	if (domain) {
640	domain->primary = True;
641	setup_domain_child(domain,
642	&domain->child);
643
644	/* Even in the parent winbindd we'll need to
645	talk to the DC, so try and see if we can
646	contact it. Theoretically this isn't neccessary
647	as the init_dc_connection() in init_child_recv()
648	will do this, but we can start detecting the DC
649	early here. */
650	set_domain_online_request(domain);
651	}
652	}
653
654	return True;
655	}
656
657	void check_domain_trusted( const char name, const DOM_SID user_sid )
658	{
659	struct winbindd_domain *domain;
660	DOM_SID dom_sid;
661	uint32 rid;
662
663	/* Check if we even care */
664
665	if (!lp_allow_trusted_domains())
666	return;
667
668	domain = find_domain_from_name_noinit( name );
669	if ( domain )
670	return;
671
672	sid_copy( &dom_sid, user_sid );
673	if ( !sid_split_rid( &dom_sid, &rid ) )
674	return;
675
676	/* add the newly discovered trusted domain */
677
678	domain = add_trusted_domain( name, NULL, &cache_methods,
679	&dom_sid);
680
681	if ( !domain )
682	return;
683
684	/* assume this is a trust from a one-way transitive
685	forest trust */
686
687	domain->active_directory = True;
688	domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
689	domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
690	domain->internal = False;
691	domain->online = True;
692
693	setup_domain_child(domain,
694	&domain->child);
695
696	wcache_tdc_add_domain( domain );
697
698	return;
699	}
700
701	/**
702	* Given a domain name, return the struct winbindd domain info for it
703	*
704	* @note Do not pass lp_workgroup() to this function. domain_list
705	* may modify it's value, and free that pointer. Instead, our local
706	* domain may be found by calling find_our_domain().
707	* directly.
708	*
709	*
710	* @return The domain structure for the named domain, if it is working.
711	*/
712
713	struct winbindd_domain find_domain_from_name_noinit(const char domain_name)
714	{
715	struct winbindd_domain *domain;
716
717	/* Search through list */
718
719	for (domain = domain_list(); domain != NULL; domain = domain->next) {
720	if (strequal(domain_name, domain->name) \|\|
721	(domain->alt_name[0] &&
722	strequal(domain_name, domain->alt_name))) {
723	return domain;
724	}
725	}
726
727	/* Not found */
728
729	return NULL;
730	}
731
732	struct winbindd_domain find_domain_from_name(const char domain_name)
733	{
734	struct winbindd_domain *domain;
735
736	domain = find_domain_from_name_noinit(domain_name);
737
738	if (domain == NULL)
739	return NULL;
740
741	if (!domain->initialized)
742	init_dc_connection(domain);
743
744	return domain;
745	}
746
747	/* Given a domain sid, return the struct winbindd domain info for it */
748
749	struct winbindd_domain find_domain_from_sid_noinit(const DOM_SID sid)
750	{
751	struct winbindd_domain *domain;
752
753	/* Search through list */
754
755	for (domain = domain_list(); domain != NULL; domain = domain->next) {
756	if (sid_compare_domain(sid, &domain->sid) == 0)
757	return domain;
758	}
759
760	/* Not found */
761
762	return NULL;
763	}
764
765	/* Given a domain sid, return the struct winbindd domain info for it */
766
767	struct winbindd_domain find_domain_from_sid(const DOM_SID sid)
768	{
769	struct winbindd_domain *domain;
770
771	domain = find_domain_from_sid_noinit(sid);
772
773	if (domain == NULL)
774	return NULL;
775
776	if (!domain->initialized)
777	init_dc_connection(domain);
778
779	return domain;
780	}
781
782	struct winbindd_domain *find_our_domain(void)
783	{
784	struct winbindd_domain *domain;
785
786	/* Search through list */
787
788	for (domain = domain_list(); domain != NULL; domain = domain->next) {
789	if (domain->primary)
790	return domain;
791	}
792
793	smb_panic("Could not find our domain");
794	return NULL;
795	}
796
797	struct winbindd_domain *find_root_domain(void)
798	{
799	struct winbindd_domain *ours = find_our_domain();
800
801	if ( !ours )
802	return NULL;
803
804	if ( strlen(ours->forest_name) == 0 )
805	return NULL;
806
807	return find_domain_from_name( ours->forest_name );
808	}
809
810	struct winbindd_domain *find_builtin_domain(void)
811	{
812	DOM_SID sid;
813	struct winbindd_domain *domain;
814
815	string_to_sid(&sid, "S-1-5-32");
816	domain = find_domain_from_sid(&sid);
817
818	if (domain == NULL) {
819	smb_panic("Could not find BUILTIN domain");
820	}
821
822	return domain;
823	}
824
825	/* Find the appropriate domain to lookup a name or SID */
826
827	struct winbindd_domain find_lookup_domain_from_sid(const DOM_SID sid)
828	{
829	/* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
830
831	if ( sid_check_is_in_unix_groups(sid) \|\|
832	sid_check_is_unix_groups(sid) \|\|
833	sid_check_is_in_unix_users(sid) \|\|
834	sid_check_is_unix_users(sid) )
835	{
836	return find_domain_from_sid(get_global_sam_sid());
837	}
838
839	/* A DC can't ask the local smbd for remote SIDs, here winbindd is the
840	* one to contact the external DC's. On member servers the internal
841	* domains are different: These are part of the local SAM. */
842
843	DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
844
845	if (IS_DC \|\| is_internal_domain(sid) \|\| is_in_internal_domain(sid)) {
846	DEBUG(10, ("calling find_domain_from_sid\n"));
847	return find_domain_from_sid(sid);
848	}
849
850	/* On a member server a query for SID or name can always go to our
851	* primary DC. */
852
853	DEBUG(10, ("calling find_our_domain\n"));
854	return find_our_domain();
855	}
856
857	struct winbindd_domain find_lookup_domain_from_name(const char domain_name)
858	{
859	if ( strequal(domain_name, unix_users_domain_name() ) \|\|
860	strequal(domain_name, unix_groups_domain_name() ) )
861	{
862	/*
863	* The "Unix User" and "Unix Group" domain our handled by
864	* passdb
865	*/
866	return find_domain_from_name_noinit( get_global_sam_name() );
867	}
868
869	if (IS_DC \|\| strequal(domain_name, "BUILTIN") \|\|
870	strequal(domain_name, get_global_sam_name()))
871	return find_domain_from_name_noinit(domain_name);
872
873
874	return find_our_domain();
875	}
876
877	/* Is this a domain which we may assume no DOMAIN\ prefix? */
878
879	static bool assume_domain(const char *domain)
880	{
881	/* never assume the domain on a standalone server */
882
883	if ( lp_server_role() == ROLE_STANDALONE )
884	return False;
885
886	/* domain member servers may possibly assume for the domain name */
887
888	if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
889	if ( !strequal(lp_workgroup(), domain) )
890	return False;
891
892	if ( lp_winbind_use_default_domain() \|\| lp_winbind_trusted_domains_only() )
893	return True;
894	}
895
896	/* only left with a domain controller */
897
898	if ( strequal(get_global_sam_name(), domain) ) {
899	return True;
900	}
901
902	return False;
903	}
904
905	/* Parse a string of the form DOMAIN\user into a domain and a user */
906
907	bool parse_domain_user(const char *domuser, fstring domain, fstring user)
908	{
909	char p = strchr(domuser,lp_winbind_separator());
910
911	if ( !p ) {
912	fstrcpy(user, domuser);
913
914	if ( assume_domain(lp_workgroup())) {
915	fstrcpy(domain, lp_workgroup());
916	} else if ((p = strchr(domuser, '@')) != NULL) {
917	fstrcpy(domain, p + 1);
918	user[PTR_DIFF(p, domuser)] = 0;
919	} else {
920	return False;
921	}
922	} else {
923	fstrcpy(user, p+1);
924	fstrcpy(domain, domuser);
925	domain[PTR_DIFF(p, domuser)] = 0;
926	}
927
928	strupper_m(domain);
929
930	return True;
931	}
932
933	bool parse_domain_user_talloc(TALLOC_CTX mem_ctx, const char domuser,
934	char domain, char user)
935	{
936	fstring fstr_domain, fstr_user;
937	if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
938	return False;
939	}
940	*domain = talloc_strdup(mem_ctx, fstr_domain);
941	*user = talloc_strdup(mem_ctx, fstr_user);
942	return ((domain != NULL) && (user != NULL));
943	}
944
945	/* add a domain user name to a buffer */
946	void parse_add_domuser(void buf, char domuser, int *len)
947	{
948	fstring domain;
949	char p, user;
950
951	user = domuser;
952	p = strchr(domuser, *lp_winbind_separator());
953
954	if (p) {
955
956	fstrcpy(domain, domuser);
957	domain[PTR_DIFF(p, domuser)] = 0;
958	p++;
959
960	if (assume_domain(domain)) {
961
962	user = p;
963	*len -= (PTR_DIFF(p, domuser));
964	}
965	}
966
967	safe_strcpy((char )buf, user, len);
968	}
969
970	/* Ensure an incoming username from NSS is fully qualified. Replace the
971	incoming fstring with DOMAIN <separator> user. Returns the same
972	values as parse_domain_user() but also replaces the incoming username.
973	Used to ensure all names are fully qualified within winbindd.
974	Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
975	The protocol definitions of auth_crap, chng_pswd_auth_crap
976	really should be changed to use this instead of doing things
977	by hand. JRA. */
978
979	bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
980	{
981	if (!parse_domain_user(username_inout, domain, user)) {
982	return False;
983	}
984	slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
985	domain, *lp_winbind_separator(),
986	user);
987	return True;
988	}
989
990	/*
991	Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
992	'winbind separator' options.
993	This means:
994	- omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
995	lp_workgroup()
996
997	If we are a PDC or BDC, and this is for our domain, do likewise.
998
999	Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1000	username is then unqualified in unix
1001
1002	We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1003	*/
1004	void fill_domain_username(fstring name, const char domain, const char user, bool can_assume)
1005	{
1006	fstring tmp_user;
1007
1008	fstrcpy(tmp_user, user);
1009	strlower_m(tmp_user);
1010
1011	if (can_assume && assume_domain(domain)) {
1012	strlcpy(name, tmp_user, sizeof(fstring));
1013	} else {
1014	slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1015	domain, *lp_winbind_separator(),
1016	tmp_user);
1017	}
1018	}
1019
1020	/**
1021	* talloc version of fill_domain_username()
1022	* return NULL on talloc failure.
1023	*/
1024	char fill_domain_username_talloc(TALLOC_CTX mem_ctx,
1025	const char *domain,
1026	const char *user,
1027	bool can_assume)
1028	{
1029	char tmp_user, name;
1030
1031	tmp_user = talloc_strdup(mem_ctx, user);
1032	strlower_m(tmp_user);
1033
1034	if (can_assume && assume_domain(domain)) {
1035	name = tmp_user;
1036	} else {
1037	name = talloc_asprintf(mem_ctx, "%s%c%s",
1038	domain,
1039	*lp_winbind_separator(),
1040	tmp_user);
1041	TALLOC_FREE(tmp_user);
1042	}
1043
1044	return name;
1045	}
1046
1047	/*
1048	* Winbindd socket accessor functions
1049	*/
1050
1051	const char *get_winbind_pipe_dir(void)
1052	{
1053	return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1054	}
1055
1056	char *get_winbind_priv_pipe_dir(void)
1057	{
1058	return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1059	}
1060
1061	/* Open the winbindd socket */
1062
1063	static int _winbindd_socket = -1;
1064	static int _winbindd_priv_socket = -1;
1065
1066	int open_winbindd_socket(void)
1067	{
1068	if (_winbindd_socket == -1) {
1069	_winbindd_socket = create_pipe_sock(
1070	get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1071	DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1072	_winbindd_socket));
1073	}
1074
1075	return _winbindd_socket;
1076	}
1077
1078	int open_winbindd_priv_socket(void)
1079	{
1080	if (_winbindd_priv_socket == -1) {
1081	_winbindd_priv_socket = create_pipe_sock(
1082	get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1083	DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1084	_winbindd_priv_socket));
1085	}
1086
1087	return _winbindd_priv_socket;
1088	}
1089
1090	/*
1091	* Client list accessor functions
1092	*/
1093
1094	static struct winbindd_cli_state *_client_list;
1095	static int _num_clients;
1096
1097	/* Return list of all connected clients */
1098
1099	struct winbindd_cli_state *winbindd_client_list(void)
1100	{
1101	return _client_list;
1102	}
1103
1104	/* Add a connection to the list */
1105
1106	void winbindd_add_client(struct winbindd_cli_state *cli)
1107	{
1108	DLIST_ADD(_client_list, cli);
1109	_num_clients++;
1110	}
1111
1112	/* Remove a client from the list */
1113
1114	void winbindd_remove_client(struct winbindd_cli_state *cli)
1115	{
1116	DLIST_REMOVE(_client_list, cli);
1117	_num_clients--;
1118	}
1119
1120	/* Close all open clients */
1121
1122	void winbindd_kill_all_clients(void)
1123	{
1124	struct winbindd_cli_state *cl = winbindd_client_list();
1125
1126	DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1127
1128	while (cl) {
1129	struct winbindd_cli_state *next;
1130
1131	next = cl->next;
1132	winbindd_remove_client(cl);
1133	cl = next;
1134	}
1135	}
1136
1137	/* Return number of open clients */
1138
1139	int winbindd_num_clients(void)
1140	{
1141	return _num_clients;
1142	}
1143
1144	NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1145	TALLOC_CTX *mem_ctx,
1146	const DOM_SID *user_sid,
1147	uint32 p_num_groups, DOM_SID *user_sids)
1148	{
1149	struct netr_SamInfo3 *info3 = NULL;
1150	NTSTATUS status = NT_STATUS_NO_MEMORY;
1151	size_t num_groups = 0;
1152
1153	DEBUG(3,(": lookup_usergroups_cached\n"));
1154
1155	*user_sids = NULL;
1156	*p_num_groups = 0;
1157
1158	info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1159
1160	if (info3 == NULL) {
1161	return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1162	}
1163
1164	if (info3->base.groups.count == 0) {
1165	TALLOC_FREE(info3);
1166	return NT_STATUS_UNSUCCESSFUL;
1167	}
1168
1169	/* Skip Domain local groups outside our domain.
1170	We'll get these from the getsidaliases() RPC call. */
1171	status = sid_array_from_info3(mem_ctx, info3,
1172	user_sids,
1173	&num_groups,
1174	false, true);
1175
1176	if (!NT_STATUS_IS_OK(status)) {
1177	TALLOC_FREE(info3);
1178	return status;
1179	}
1180
1181	TALLOC_FREE(info3);
1182	*p_num_groups = num_groups;
1183	status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1184
1185	DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1186
1187	return status;
1188	}
1189
1190	/*********************************************************************
1191	We use this to remove spaces from user and group names
1192	********************************************************************/
1193
1194	NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1195	struct winbindd_domain *domain,
1196	const char *name,
1197	char **normalized)
1198	{
1199	NTSTATUS nt_status;
1200
1201	if (!name \|\| !normalized) {
1202	return NT_STATUS_INVALID_PARAMETER;
1203	}
1204
1205	if (!lp_winbind_normalize_names()) {
1206	return NT_STATUS_PROCEDURE_NOT_FOUND;
1207	}
1208
1209	/* Alias support and whitespace replacement are mutually
1210	exclusive */
1211
1212	nt_status = resolve_username_to_alias(mem_ctx, domain,
1213	name, normalized );
1214	if (NT_STATUS_IS_OK(nt_status)) {
1215	/* special return code to let the caller know we
1216	mapped to an alias */
1217	return NT_STATUS_FILE_RENAMED;
1218	}
1219
1220	/* check for an unreachable domain */
1221
1222	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1223	DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1224	domain->name));
1225	set_domain_offline(domain);
1226	return nt_status;
1227	}
1228
1229	/* deal with whitespace */
1230
1231	*normalized = talloc_strdup(mem_ctx, name);
1232	if (!(*normalized)) {
1233	return NT_STATUS_NO_MEMORY;
1234	}
1235
1236	all_string_sub( *normalized, " ", "_", 0 );
1237
1238	return NT_STATUS_OK;
1239	}
1240
1241	/*********************************************************************
1242	We use this to do the inverse of normalize_name_map()
1243	********************************************************************/
1244
1245	NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1246	char *name,
1247	char **normalized)
1248	{
1249	NTSTATUS nt_status;
1250	struct winbindd_domain *domain = find_our_domain();
1251
1252	if (!name \|\| !normalized) {
1253	return NT_STATUS_INVALID_PARAMETER;
1254	}
1255
1256	if (!lp_winbind_normalize_names()) {
1257	return NT_STATUS_PROCEDURE_NOT_FOUND;
1258	}
1259
1260	/* Alias support and whitespace replacement are mutally
1261	exclusive */
1262
1263	/* When mapping from an alias to a username, we don't know the
1264	domain. But we only need a domain structure to cache
1265	a successful lookup , so just our own domain structure for
1266	the seqnum. */
1267
1268	nt_status = resolve_alias_to_username(mem_ctx, domain,
1269	name, normalized);
1270	if (NT_STATUS_IS_OK(nt_status)) {
1271	/* Special return code to let the caller know we mapped
1272	from an alias */
1273	return NT_STATUS_FILE_RENAMED;
1274	}
1275
1276	/* check for an unreachable domain */
1277
1278	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1279	DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1280	domain->name));
1281	set_domain_offline(domain);
1282	return nt_status;
1283	}
1284
1285	/* deal with whitespace */
1286
1287	*normalized = talloc_strdup(mem_ctx, name);
1288	if (!(*normalized)) {
1289	return NT_STATUS_NO_MEMORY;
1290	}
1291
1292	all_string_sub(*normalized, "_", " ", 0);
1293
1294	return NT_STATUS_OK;
1295	}
1296
1297	/*********************************************************************
1298	********************************************************************/
1299
1300	bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1301	{
1302	struct winbindd_tdc_domain *tdc = NULL;
1303	TALLOC_CTX *frame = talloc_stackframe();
1304	bool ret = false;
1305
1306	/* We can contact the domain if it is our primary domain */
1307
1308	if (domain->primary) {
1309	return true;
1310	}
1311
1312	/* Trust the TDC cache and not the winbindd_domain flags */
1313
1314	if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1315	DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1316	domain->name));
1317	return false;
1318	}
1319
1320	/* Can always contact a domain that is in out forest */
1321
1322	if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1323	ret = true;
1324	goto done;
1325	}
1326
1327	/*
1328	* On a _member_ server, we cannot contact the domain if it
1329	* is running AD and we have no inbound trust.
1330	*/
1331
1332	if (!IS_DC &&
1333	domain->active_directory &&
1334	((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1335	{
1336	DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1337	"and we have no inbound trust.\n", domain->name));
1338	goto done;
1339	}
1340
1341	/* Assume everything else is ok (probably not true but what
1342	can you do?) */
1343
1344	ret = true;
1345
1346	done:
1347	talloc_destroy(frame);
1348
1349	return ret;
1350	}
1351
1352	/*********************************************************************
1353	********************************************************************/
1354
1355	bool winbindd_internal_child(struct winbindd_child *child)
1356	{
1357	if ((child == idmap_child()) \|\| (child == locator_child())) {
1358	return True;
1359	}
1360
1361	return False;
1362	}
1363
1364	#ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1365
1366	/*********************************************************************
1367	********************************************************************/
1368
1369	static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1370	{
1371	char *var = NULL;
1372	char addr[INET6_ADDRSTRLEN];
1373	const char *kdc = NULL;
1374	int lvl = 11;
1375
1376	if (!domain \|\| !domain->alt_name \|\| !*domain->alt_name) {
1377	return;
1378	}
1379
1380	if (domain->initialized && !domain->active_directory) {
1381	DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1382	domain->alt_name));
1383	return;
1384	}
1385
1386	print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1387	kdc = addr;
1388	if (!*kdc) {
1389	DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1390	domain->alt_name));
1391	kdc = domain->dcname;
1392	}
1393
1394	if (!kdc \|\| !*kdc) {
1395	DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1396	domain->alt_name));
1397	return;
1398	}
1399
1400	if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1401	domain->alt_name) == -1) {
1402	return;
1403	}
1404
1405	DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1406	var, kdc));
1407
1408	setenv(var, kdc, 1);
1409	free(var);
1410	}
1411
1412	/*********************************************************************
1413	********************************************************************/
1414
1415	void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1416	{
1417	struct winbindd_domain *our_dom = find_our_domain();
1418
1419	winbindd_set_locator_kdc_env(domain);
1420
1421	if (domain != our_dom) {
1422	winbindd_set_locator_kdc_env(our_dom);
1423	}
1424	}
1425
1426	/*********************************************************************
1427	********************************************************************/
1428
1429	void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1430	{
1431	char *var = NULL;
1432
1433	if (!domain \|\| !domain->alt_name \|\| !*domain->alt_name) {
1434	return;
1435	}
1436
1437	if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1438	domain->alt_name) == -1) {
1439	return;
1440	}
1441
1442	unsetenv(var);
1443	free(var);
1444	}
1445	#else
1446
1447	void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1448	{
1449	return;
1450	}
1451
1452	void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1453	{
1454	return;
1455	}
1456
1457	#endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1458
1459	void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1460	{
1461	resp->data.auth.nt_status = NT_STATUS_V(result);
1462	fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1463
1464	/* we might have given a more useful error above */
1465	if (*resp->data.auth.error_string == '\0')
1466	fstrcpy(resp->data.auth.error_string,
1467	get_friendly_nt_error_msg(result));
1468	resp->data.auth.pam_error = nt_status_to_pam(result);
1469	}
1470
1471	bool is_domain_offline(const struct winbindd_domain *domain)
1472	{
1473	if (!lp_winbind_offline_logon()) {
1474	return false;
1475	}
1476	if (get_global_winbindd_state_offline()) {
1477	return true;
1478	}
1479	return !domain->online;
1480	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: