source: vendor/3.5.7/source3/winbindd/winbindd_util.c

Last change on this file was 478, checked in by Silvan Scherrer, 15 years ago

Samba 3.5: vendor update to 3.5.4

File size: 37.0 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon for ntdom nss module
5
6 Copyright (C) Tim Potter 2000-2001
7 Copyright (C) 2001 by Martin Pool <mbp@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21*/
22
23#include "includes.h"
24#include "winbindd.h"
25
26#undef DBGC_CLASS
27#define DBGC_CLASS DBGC_WINBIND
28
29extern struct winbindd_methods cache_methods;
30extern struct winbindd_methods builtin_passdb_methods;
31extern struct winbindd_methods sam_passdb_methods;
32
33
34/**
35 * @file winbindd_util.c
36 *
37 * Winbind daemon for NT domain authentication nss module.
38 **/
39
40
41/* The list of trusted domains. Note that the list can be deleted and
42 recreated using the init_domain_list() function so pointers to
43 individual winbindd_domain structures cannot be made. Keep a copy of
44 the domain name instead. */
45
46static struct winbindd_domain *_domain_list = NULL;
47
48struct winbindd_domain *domain_list(void)
49{
50 /* Initialise list */
51
52 if ((!_domain_list) && (!init_domain_list())) {
53 smb_panic("Init_domain_list failed");
54 }
55
56 return _domain_list;
57}
58
59/* Free all entries in the trusted domain list */
60
61void free_domain_list(void)
62{
63 struct winbindd_domain *domain = _domain_list;
64
65 while(domain) {
66 struct winbindd_domain *next = domain->next;
67
68 DLIST_REMOVE(_domain_list, domain);
69 SAFE_FREE(domain);
70 domain = next;
71 }
72}
73
74static bool is_internal_domain(const DOM_SID *sid)
75{
76 if (sid == NULL)
77 return False;
78
79 return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
80}
81
82static bool is_in_internal_domain(const DOM_SID *sid)
83{
84 if (sid == NULL)
85 return False;
86
87 return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
88}
89
90
91/* Add a trusted domain to our list of domains */
92static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
93 struct winbindd_methods *methods,
94 const DOM_SID *sid)
95{
96 struct winbindd_domain *domain;
97 const char *alternative_name = NULL;
98 char *idmap_config_option;
99 const char *param;
100 const char **ignored_domains, **dom;
101
102 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
103 for (dom=ignored_domains; dom && *dom; dom++) {
104 if (gen_fnmatch(*dom, domain_name) == 0) {
105 DEBUG(2,("Ignoring domain '%s'\n", domain_name));
106 return NULL;
107 }
108 }
109
110 /* ignore alt_name if we are not in an AD domain */
111
112 if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
113 alternative_name = alt_name;
114 }
115
116 /* We can't call domain_list() as this function is called from
117 init_domain_list() and we'll get stuck in a loop. */
118 for (domain = _domain_list; domain; domain = domain->next) {
119 if (strequal(domain_name, domain->name) ||
120 strequal(domain_name, domain->alt_name))
121 {
122 break;
123 }
124
125 if (alternative_name && *alternative_name)
126 {
127 if (strequal(alternative_name, domain->name) ||
128 strequal(alternative_name, domain->alt_name))
129 {
130 break;
131 }
132 }
133
134 if (sid)
135 {
136 if (is_null_sid(sid)) {
137 continue;
138 }
139
140 if (sid_equal(sid, &domain->sid)) {
141 break;
142 }
143 }
144 }
145
146 /* See if we found a match. Check if we need to update the
147 SID. */
148
149 if ( domain && sid) {
150 if ( sid_equal( &domain->sid, &global_sid_NULL ) )
151 sid_copy( &domain->sid, sid );
152
153 return domain;
154 }
155
156 /* Create new domain entry */
157
158 if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
159 return NULL;
160
161 /* Fill in fields */
162
163 ZERO_STRUCTP(domain);
164
165 fstrcpy(domain->name, domain_name);
166 if (alternative_name) {
167 fstrcpy(domain->alt_name, alternative_name);
168 }
169
170 domain->methods = methods;
171 domain->backend = NULL;
172 domain->internal = is_internal_domain(sid);
173 domain->sequence_number = DOM_SEQUENCE_NONE;
174 domain->last_seq_check = 0;
175 domain->initialized = False;
176 domain->online = is_internal_domain(sid);
177 domain->check_online_timeout = 0;
178 domain->dc_probe_pid = (pid_t)-1;
179 if (sid) {
180 sid_copy(&domain->sid, sid);
181 }
182
183 /* Link to domain list */
184 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
185
186 wcache_tdc_add_domain( domain );
187
188 idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
189 domain->name);
190 if (idmap_config_option == NULL) {
191 DEBUG(0, ("talloc failed, not looking for idmap config\n"));
192 goto done;
193 }
194
195 param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
196
197 DEBUG(10, ("%s : range = %s\n", idmap_config_option,
198 param ? param : "not defined"));
199
200 if (param != NULL) {
201 unsigned low_id, high_id;
202 if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
203 DEBUG(1, ("invalid range syntax in %s: %s\n",
204 idmap_config_option, param));
205 goto done;
206 }
207 if (low_id > high_id) {
208 DEBUG(1, ("invalid range in %s: %s\n",
209 idmap_config_option, param));
210 goto done;
211 }
212 domain->have_idmap_config = true;
213 domain->id_range_low = low_id;
214 domain->id_range_high = high_id;
215 }
216
217done:
218
219 DEBUG(2,("Added domain %s %s %s\n",
220 domain->name, domain->alt_name,
221 &domain->sid?sid_string_dbg(&domain->sid):""));
222
223 return domain;
224}
225
226/********************************************************************
227 rescan our domains looking for new trusted domains
228********************************************************************/
229
230struct trustdom_state {
231 TALLOC_CTX *mem_ctx;
232 bool primary;
233 bool forest_root;
234 struct winbindd_response *response;
235};
236
237static void trustdom_recv(void *private_data, bool success);
238static void rescan_forest_root_trusts( void );
239static void rescan_forest_trusts( void );
240
241static void add_trusted_domains( struct winbindd_domain *domain )
242{
243 TALLOC_CTX *mem_ctx;
244 struct winbindd_request *request;
245 struct winbindd_response *response;
246 uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
247
248 struct trustdom_state *state;
249
250 mem_ctx = talloc_init("add_trusted_domains");
251 if (mem_ctx == NULL) {
252 DEBUG(0, ("talloc_init failed\n"));
253 return;
254 }
255
256 request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
257 response = TALLOC_P(mem_ctx, struct winbindd_response);
258 state = TALLOC_P(mem_ctx, struct trustdom_state);
259
260 if ((request == NULL) || (response == NULL) || (state == NULL)) {
261 DEBUG(0, ("talloc failed\n"));
262 talloc_destroy(mem_ctx);
263 return;
264 }
265
266 state->mem_ctx = mem_ctx;
267 state->response = response;
268
269 /* Flags used to know how to continue the forest trust search */
270
271 state->primary = domain->primary;
272 state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
273
274 request->length = sizeof(*request);
275 request->cmd = WINBINDD_LIST_TRUSTDOM;
276
277 async_domain_request(mem_ctx, domain, request, response,
278 trustdom_recv, state);
279}
280
281static void trustdom_recv(void *private_data, bool success)
282{
283 struct trustdom_state *state =
284 talloc_get_type_abort(private_data, struct trustdom_state);
285 struct winbindd_response *response = state->response;
286 char *p;
287
288 if ((!success) || (response->result != WINBINDD_OK)) {
289 DEBUG(1, ("Could not receive trustdoms\n"));
290 talloc_destroy(state->mem_ctx);
291 return;
292 }
293
294 p = (char *)response->extra_data.data;
295
296 while ((p != NULL) && (*p != '\0')) {
297 char *q, *sidstr, *alt_name;
298 DOM_SID sid;
299 struct winbindd_domain *domain;
300 char *alternate_name = NULL;
301
302 alt_name = strchr(p, '\\');
303 if (alt_name == NULL) {
304 DEBUG(0, ("Got invalid trustdom response\n"));
305 break;
306 }
307
308 *alt_name = '\0';
309 alt_name += 1;
310
311 sidstr = strchr(alt_name, '\\');
312 if (sidstr == NULL) {
313 DEBUG(0, ("Got invalid trustdom response\n"));
314 break;
315 }
316
317 *sidstr = '\0';
318 sidstr += 1;
319
320 q = strchr(sidstr, '\n');
321 if (q != NULL)
322 *q = '\0';
323
324 if (!string_to_sid(&sid, sidstr)) {
325 DEBUG(0, ("Got invalid trustdom response\n"));
326 break;
327 }
328
329 /* use the real alt_name if we have one, else pass in NULL */
330
331 if ( !strequal( alt_name, "(null)" ) )
332 alternate_name = alt_name;
333
334 /* If we have an existing domain structure, calling
335 add_trusted_domain() will update the SID if
336 necessary. This is important because we need the
337 SID for sibling domains */
338
339 if ( find_domain_from_name_noinit(p) != NULL ) {
340 domain = add_trusted_domain(p, alternate_name,
341 &cache_methods,
342 &sid);
343 } else {
344 domain = add_trusted_domain(p, alternate_name,
345 &cache_methods,
346 &sid);
347 if (domain) {
348 setup_domain_child(domain,
349 &domain->child);
350 }
351 }
352 p=q;
353 if (p != NULL)
354 p += 1;
355 }
356
357 /*
358 Cases to consider when scanning trusts:
359 (a) we are calling from a child domain (primary && !forest_root)
360 (b) we are calling from the root of the forest (primary && forest_root)
361 (c) we are calling from a trusted forest domain (!primary
362 && !forest_root)
363 */
364
365 if ( state->primary ) {
366 /* If this is our primary domain and we are not in the
367 forest root, we have to scan the root trusts first */
368
369 if ( !state->forest_root )
370 rescan_forest_root_trusts();
371 else
372 rescan_forest_trusts();
373
374 } else if ( state->forest_root ) {
375 /* Once we have done root forest trust search, we can
376 go on to search the trusted forests */
377
378 rescan_forest_trusts();
379 }
380
381 talloc_destroy(state->mem_ctx);
382
383 return;
384}
385
386/********************************************************************
387 Scan the trusts of our forest root
388********************************************************************/
389
390static void rescan_forest_root_trusts( void )
391{
392 struct winbindd_tdc_domain *dom_list = NULL;
393 size_t num_trusts = 0;
394 int i;
395
396 /* The only transitive trusts supported by Windows 2003 AD are
397 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
398 first two are handled in forest and listed by
399 DsEnumerateDomainTrusts(). Forest trusts are not so we
400 have to do that ourselves. */
401
402 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
403 return;
404
405 for ( i=0; i<num_trusts; i++ ) {
406 struct winbindd_domain *d = NULL;
407
408 /* Find the forest root. Don't necessarily trust
409 the domain_list() as our primary domain may not
410 have been initialized. */
411
412 if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
413 continue;
414 }
415
416 /* Here's the forest root */
417
418 d = find_domain_from_name_noinit( dom_list[i].domain_name );
419
420 if ( !d ) {
421 d = add_trusted_domain( dom_list[i].domain_name,
422 dom_list[i].dns_name,
423 &cache_methods,
424 &dom_list[i].sid );
425 if (d != NULL) {
426 setup_domain_child(d, &d->child);
427 }
428 }
429
430 if (d == NULL) {
431 continue;
432 }
433
434 DEBUG(10,("rescan_forest_root_trusts: Following trust path "
435 "for domain tree root %s (%s)\n",
436 d->name, d->alt_name ));
437
438 d->domain_flags = dom_list[i].trust_flags;
439 d->domain_type = dom_list[i].trust_type;
440 d->domain_trust_attribs = dom_list[i].trust_attribs;
441
442 add_trusted_domains( d );
443
444 break;
445 }
446
447 TALLOC_FREE( dom_list );
448
449 return;
450}
451
452/********************************************************************
453 scan the transitive forest trusts (not our own)
454********************************************************************/
455
456
457static void rescan_forest_trusts( void )
458{
459 struct winbindd_domain *d = NULL;
460 struct winbindd_tdc_domain *dom_list = NULL;
461 size_t num_trusts = 0;
462 int i;
463
464 /* The only transitive trusts supported by Windows 2003 AD are
465 (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
466 first two are handled in forest and listed by
467 DsEnumerateDomainTrusts(). Forest trusts are not so we
468 have to do that ourselves. */
469
470 if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
471 return;
472
473 for ( i=0; i<num_trusts; i++ ) {
474 uint32 flags = dom_list[i].trust_flags;
475 uint32 type = dom_list[i].trust_type;
476 uint32 attribs = dom_list[i].trust_attribs;
477
478 d = find_domain_from_name_noinit( dom_list[i].domain_name );
479
480 /* ignore our primary and internal domains */
481
482 if ( d && (d->internal || d->primary ) )
483 continue;
484
485 if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
486 (type == NETR_TRUST_TYPE_UPLEVEL) &&
487 (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
488 {
489 /* add the trusted domain if we don't know
490 about it */
491
492 if ( !d ) {
493 d = add_trusted_domain( dom_list[i].domain_name,
494 dom_list[i].dns_name,
495 &cache_methods,
496 &dom_list[i].sid );
497 if (d != NULL) {
498 setup_domain_child(d, &d->child);
499 }
500 }
501
502 if (d == NULL) {
503 continue;
504 }
505
506 DEBUG(10,("Following trust path for domain %s (%s)\n",
507 d->name, d->alt_name ));
508 add_trusted_domains( d );
509 }
510 }
511
512 TALLOC_FREE( dom_list );
513
514 return;
515}
516
517/*********************************************************************
518 The process of updating the trusted domain list is a three step
519 async process:
520 (a) ask our domain
521 (b) ask the root domain in our forest
522 (c) ask the a DC in any Win2003 trusted forests
523*********************************************************************/
524
525void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
526 struct timeval now, void *private_data)
527{
528 TALLOC_FREE(te);
529
530 /* I use to clear the cache here and start over but that
531 caused problems in child processes that needed the
532 trust dom list early on. Removing it means we
533 could have some trusted domains listed that have been
534 removed from our primary domain's DC until a full
535 restart. This should be ok since I think this is what
536 Windows does as well. */
537
538 /* this will only add new domains we didn't already know about
539 in the domain_list()*/
540
541 add_trusted_domains( find_our_domain() );
542
543 te = tevent_add_timer(
544 ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
545 rescan_trusted_domains, NULL);
546 /*
547 * If te == NULL, there's not much we can do here. Don't fail, the
548 * only thing we miss is new trusted domains.
549 */
550
551 return;
552}
553
554enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
555 struct winbindd_cli_state *state)
556{
557 /* Ensure null termination */
558 state->request->domain_name
559 [sizeof(state->request->domain_name)-1]='\0';
560 state->request->data.init_conn.dcname
561 [sizeof(state->request->data.init_conn.dcname)-1]='\0';
562
563 if (strlen(state->request->data.init_conn.dcname) > 0) {
564 fstrcpy(domain->dcname, state->request->data.init_conn.dcname);
565 }
566
567 if (domain->internal) {
568 domain->initialized = true;
569 } else {
570 init_dc_connection(domain);
571 }
572
573 if (!domain->initialized) {
574 /* If we return error here we can't do any cached authentication,
575 but we may be in disconnected mode and can't initialize correctly.
576 Do what the previous code did and just return without initialization,
577 once we go online we'll re-initialize.
578 */
579 DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
580 "online = %d\n", domain->name, (int)domain->online ));
581 }
582
583 fstrcpy(state->response->data.domain_info.name, domain->name);
584 fstrcpy(state->response->data.domain_info.alt_name, domain->alt_name);
585 sid_to_fstring(state->response->data.domain_info.sid, &domain->sid);
586
587 state->response->data.domain_info.native_mode
588 = domain->native_mode;
589 state->response->data.domain_info.active_directory
590 = domain->active_directory;
591 state->response->data.domain_info.primary
592 = domain->primary;
593
594 return WINBINDD_OK;
595}
596
597/* Look up global info for the winbind daemon */
598bool init_domain_list(void)
599{
600 struct winbindd_domain *domain;
601 int role = lp_server_role();
602
603 /* Free existing list */
604 free_domain_list();
605
606 /* BUILTIN domain */
607
608 domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
609 &global_sid_Builtin);
610 if (domain) {
611 setup_domain_child(domain,
612 &domain->child);
613 }
614
615 /* Local SAM */
616
617 domain = add_trusted_domain(get_global_sam_name(), NULL,
618 &sam_passdb_methods, get_global_sam_sid());
619 if (domain) {
620 if ( role != ROLE_DOMAIN_MEMBER ) {
621 domain->primary = True;
622 }
623 setup_domain_child(domain,
624 &domain->child);
625 }
626
627 /* Add ourselves as the first entry. */
628
629 if ( role == ROLE_DOMAIN_MEMBER ) {
630 DOM_SID our_sid;
631
632 if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
633 DEBUG(0, ("Could not fetch our SID - did we join?\n"));
634 return False;
635 }
636
637 domain = add_trusted_domain( lp_workgroup(), lp_realm(),
638 &cache_methods, &our_sid);
639 if (domain) {
640 domain->primary = True;
641 setup_domain_child(domain,
642 &domain->child);
643
644 /* Even in the parent winbindd we'll need to
645 talk to the DC, so try and see if we can
646 contact it. Theoretically this isn't neccessary
647 as the init_dc_connection() in init_child_recv()
648 will do this, but we can start detecting the DC
649 early here. */
650 set_domain_online_request(domain);
651 }
652 }
653
654 return True;
655}
656
657void check_domain_trusted( const char *name, const DOM_SID *user_sid )
658{
659 struct winbindd_domain *domain;
660 DOM_SID dom_sid;
661 uint32 rid;
662
663 /* Check if we even care */
664
665 if (!lp_allow_trusted_domains())
666 return;
667
668 domain = find_domain_from_name_noinit( name );
669 if ( domain )
670 return;
671
672 sid_copy( &dom_sid, user_sid );
673 if ( !sid_split_rid( &dom_sid, &rid ) )
674 return;
675
676 /* add the newly discovered trusted domain */
677
678 domain = add_trusted_domain( name, NULL, &cache_methods,
679 &dom_sid);
680
681 if ( !domain )
682 return;
683
684 /* assume this is a trust from a one-way transitive
685 forest trust */
686
687 domain->active_directory = True;
688 domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
689 domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
690 domain->internal = False;
691 domain->online = True;
692
693 setup_domain_child(domain,
694 &domain->child);
695
696 wcache_tdc_add_domain( domain );
697
698 return;
699}
700
701/**
702 * Given a domain name, return the struct winbindd domain info for it
703 *
704 * @note Do *not* pass lp_workgroup() to this function. domain_list
705 * may modify it's value, and free that pointer. Instead, our local
706 * domain may be found by calling find_our_domain().
707 * directly.
708 *
709 *
710 * @return The domain structure for the named domain, if it is working.
711 */
712
713struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
714{
715 struct winbindd_domain *domain;
716
717 /* Search through list */
718
719 for (domain = domain_list(); domain != NULL; domain = domain->next) {
720 if (strequal(domain_name, domain->name) ||
721 (domain->alt_name[0] &&
722 strequal(domain_name, domain->alt_name))) {
723 return domain;
724 }
725 }
726
727 /* Not found */
728
729 return NULL;
730}
731
732struct winbindd_domain *find_domain_from_name(const char *domain_name)
733{
734 struct winbindd_domain *domain;
735
736 domain = find_domain_from_name_noinit(domain_name);
737
738 if (domain == NULL)
739 return NULL;
740
741 if (!domain->initialized)
742 init_dc_connection(domain);
743
744 return domain;
745}
746
747/* Given a domain sid, return the struct winbindd domain info for it */
748
749struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
750{
751 struct winbindd_domain *domain;
752
753 /* Search through list */
754
755 for (domain = domain_list(); domain != NULL; domain = domain->next) {
756 if (sid_compare_domain(sid, &domain->sid) == 0)
757 return domain;
758 }
759
760 /* Not found */
761
762 return NULL;
763}
764
765/* Given a domain sid, return the struct winbindd domain info for it */
766
767struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
768{
769 struct winbindd_domain *domain;
770
771 domain = find_domain_from_sid_noinit(sid);
772
773 if (domain == NULL)
774 return NULL;
775
776 if (!domain->initialized)
777 init_dc_connection(domain);
778
779 return domain;
780}
781
782struct winbindd_domain *find_our_domain(void)
783{
784 struct winbindd_domain *domain;
785
786 /* Search through list */
787
788 for (domain = domain_list(); domain != NULL; domain = domain->next) {
789 if (domain->primary)
790 return domain;
791 }
792
793 smb_panic("Could not find our domain");
794 return NULL;
795}
796
797struct winbindd_domain *find_root_domain(void)
798{
799 struct winbindd_domain *ours = find_our_domain();
800
801 if ( !ours )
802 return NULL;
803
804 if ( strlen(ours->forest_name) == 0 )
805 return NULL;
806
807 return find_domain_from_name( ours->forest_name );
808}
809
810struct winbindd_domain *find_builtin_domain(void)
811{
812 DOM_SID sid;
813 struct winbindd_domain *domain;
814
815 string_to_sid(&sid, "S-1-5-32");
816 domain = find_domain_from_sid(&sid);
817
818 if (domain == NULL) {
819 smb_panic("Could not find BUILTIN domain");
820 }
821
822 return domain;
823}
824
825/* Find the appropriate domain to lookup a name or SID */
826
827struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
828{
829 /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
830
831 if ( sid_check_is_in_unix_groups(sid) ||
832 sid_check_is_unix_groups(sid) ||
833 sid_check_is_in_unix_users(sid) ||
834 sid_check_is_unix_users(sid) )
835 {
836 return find_domain_from_sid(get_global_sam_sid());
837 }
838
839 /* A DC can't ask the local smbd for remote SIDs, here winbindd is the
840 * one to contact the external DC's. On member servers the internal
841 * domains are different: These are part of the local SAM. */
842
843 DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
844
845 if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
846 DEBUG(10, ("calling find_domain_from_sid\n"));
847 return find_domain_from_sid(sid);
848 }
849
850 /* On a member server a query for SID or name can always go to our
851 * primary DC. */
852
853 DEBUG(10, ("calling find_our_domain\n"));
854 return find_our_domain();
855}
856
857struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
858{
859 if ( strequal(domain_name, unix_users_domain_name() ) ||
860 strequal(domain_name, unix_groups_domain_name() ) )
861 {
862 /*
863 * The "Unix User" and "Unix Group" domain our handled by
864 * passdb
865 */
866 return find_domain_from_name_noinit( get_global_sam_name() );
867 }
868
869 if (IS_DC || strequal(domain_name, "BUILTIN") ||
870 strequal(domain_name, get_global_sam_name()))
871 return find_domain_from_name_noinit(domain_name);
872
873
874 return find_our_domain();
875}
876
877/* Is this a domain which we may assume no DOMAIN\ prefix? */
878
879static bool assume_domain(const char *domain)
880{
881 /* never assume the domain on a standalone server */
882
883 if ( lp_server_role() == ROLE_STANDALONE )
884 return False;
885
886 /* domain member servers may possibly assume for the domain name */
887
888 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
889 if ( !strequal(lp_workgroup(), domain) )
890 return False;
891
892 if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
893 return True;
894 }
895
896 /* only left with a domain controller */
897
898 if ( strequal(get_global_sam_name(), domain) ) {
899 return True;
900 }
901
902 return False;
903}
904
905/* Parse a string of the form DOMAIN\user into a domain and a user */
906
907bool parse_domain_user(const char *domuser, fstring domain, fstring user)
908{
909 char *p = strchr(domuser,*lp_winbind_separator());
910
911 if ( !p ) {
912 fstrcpy(user, domuser);
913
914 if ( assume_domain(lp_workgroup())) {
915 fstrcpy(domain, lp_workgroup());
916 } else if ((p = strchr(domuser, '@')) != NULL) {
917 fstrcpy(domain, p + 1);
918 user[PTR_DIFF(p, domuser)] = 0;
919 } else {
920 return False;
921 }
922 } else {
923 fstrcpy(user, p+1);
924 fstrcpy(domain, domuser);
925 domain[PTR_DIFF(p, domuser)] = 0;
926 }
927
928 strupper_m(domain);
929
930 return True;
931}
932
933bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
934 char **domain, char **user)
935{
936 fstring fstr_domain, fstr_user;
937 if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
938 return False;
939 }
940 *domain = talloc_strdup(mem_ctx, fstr_domain);
941 *user = talloc_strdup(mem_ctx, fstr_user);
942 return ((*domain != NULL) && (*user != NULL));
943}
944
945/* add a domain user name to a buffer */
946void parse_add_domuser(void *buf, char *domuser, int *len)
947{
948 fstring domain;
949 char *p, *user;
950
951 user = domuser;
952 p = strchr(domuser, *lp_winbind_separator());
953
954 if (p) {
955
956 fstrcpy(domain, domuser);
957 domain[PTR_DIFF(p, domuser)] = 0;
958 p++;
959
960 if (assume_domain(domain)) {
961
962 user = p;
963 *len -= (PTR_DIFF(p, domuser));
964 }
965 }
966
967 safe_strcpy((char *)buf, user, *len);
968}
969
970/* Ensure an incoming username from NSS is fully qualified. Replace the
971 incoming fstring with DOMAIN <separator> user. Returns the same
972 values as parse_domain_user() but also replaces the incoming username.
973 Used to ensure all names are fully qualified within winbindd.
974 Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
975 The protocol definitions of auth_crap, chng_pswd_auth_crap
976 really should be changed to use this instead of doing things
977 by hand. JRA. */
978
979bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
980{
981 if (!parse_domain_user(username_inout, domain, user)) {
982 return False;
983 }
984 slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
985 domain, *lp_winbind_separator(),
986 user);
987 return True;
988}
989
990/*
991 Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
992 'winbind separator' options.
993 This means:
994 - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
995 lp_workgroup()
996
997 If we are a PDC or BDC, and this is for our domain, do likewise.
998
999 Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
1000 username is then unqualified in unix
1001
1002 We always canonicalize as UPPERCASE DOMAIN, lowercase username.
1003*/
1004void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
1005{
1006 fstring tmp_user;
1007
1008 fstrcpy(tmp_user, user);
1009 strlower_m(tmp_user);
1010
1011 if (can_assume && assume_domain(domain)) {
1012 strlcpy(name, tmp_user, sizeof(fstring));
1013 } else {
1014 slprintf(name, sizeof(fstring) - 1, "%s%c%s",
1015 domain, *lp_winbind_separator(),
1016 tmp_user);
1017 }
1018}
1019
1020/**
1021 * talloc version of fill_domain_username()
1022 * return NULL on talloc failure.
1023 */
1024char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
1025 const char *domain,
1026 const char *user,
1027 bool can_assume)
1028{
1029 char *tmp_user, *name;
1030
1031 tmp_user = talloc_strdup(mem_ctx, user);
1032 strlower_m(tmp_user);
1033
1034 if (can_assume && assume_domain(domain)) {
1035 name = tmp_user;
1036 } else {
1037 name = talloc_asprintf(mem_ctx, "%s%c%s",
1038 domain,
1039 *lp_winbind_separator(),
1040 tmp_user);
1041 TALLOC_FREE(tmp_user);
1042 }
1043
1044 return name;
1045}
1046
1047/*
1048 * Winbindd socket accessor functions
1049 */
1050
1051const char *get_winbind_pipe_dir(void)
1052{
1053 return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
1054}
1055
1056char *get_winbind_priv_pipe_dir(void)
1057{
1058 return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
1059}
1060
1061/* Open the winbindd socket */
1062
1063static int _winbindd_socket = -1;
1064static int _winbindd_priv_socket = -1;
1065
1066int open_winbindd_socket(void)
1067{
1068 if (_winbindd_socket == -1) {
1069 _winbindd_socket = create_pipe_sock(
1070 get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
1071 DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
1072 _winbindd_socket));
1073 }
1074
1075 return _winbindd_socket;
1076}
1077
1078int open_winbindd_priv_socket(void)
1079{
1080 if (_winbindd_priv_socket == -1) {
1081 _winbindd_priv_socket = create_pipe_sock(
1082 get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
1083 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
1084 _winbindd_priv_socket));
1085 }
1086
1087 return _winbindd_priv_socket;
1088}
1089
1090/*
1091 * Client list accessor functions
1092 */
1093
1094static struct winbindd_cli_state *_client_list;
1095static int _num_clients;
1096
1097/* Return list of all connected clients */
1098
1099struct winbindd_cli_state *winbindd_client_list(void)
1100{
1101 return _client_list;
1102}
1103
1104/* Add a connection to the list */
1105
1106void winbindd_add_client(struct winbindd_cli_state *cli)
1107{
1108 DLIST_ADD(_client_list, cli);
1109 _num_clients++;
1110}
1111
1112/* Remove a client from the list */
1113
1114void winbindd_remove_client(struct winbindd_cli_state *cli)
1115{
1116 DLIST_REMOVE(_client_list, cli);
1117 _num_clients--;
1118}
1119
1120/* Close all open clients */
1121
1122void winbindd_kill_all_clients(void)
1123{
1124 struct winbindd_cli_state *cl = winbindd_client_list();
1125
1126 DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
1127
1128 while (cl) {
1129 struct winbindd_cli_state *next;
1130
1131 next = cl->next;
1132 winbindd_remove_client(cl);
1133 cl = next;
1134 }
1135}
1136
1137/* Return number of open clients */
1138
1139int winbindd_num_clients(void)
1140{
1141 return _num_clients;
1142}
1143
1144NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
1145 TALLOC_CTX *mem_ctx,
1146 const DOM_SID *user_sid,
1147 uint32 *p_num_groups, DOM_SID **user_sids)
1148{
1149 struct netr_SamInfo3 *info3 = NULL;
1150 NTSTATUS status = NT_STATUS_NO_MEMORY;
1151 size_t num_groups = 0;
1152
1153 DEBUG(3,(": lookup_usergroups_cached\n"));
1154
1155 *user_sids = NULL;
1156 *p_num_groups = 0;
1157
1158 info3 = netsamlogon_cache_get(mem_ctx, user_sid);
1159
1160 if (info3 == NULL) {
1161 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1162 }
1163
1164 if (info3->base.groups.count == 0) {
1165 TALLOC_FREE(info3);
1166 return NT_STATUS_UNSUCCESSFUL;
1167 }
1168
1169 /* Skip Domain local groups outside our domain.
1170 We'll get these from the getsidaliases() RPC call. */
1171 status = sid_array_from_info3(mem_ctx, info3,
1172 user_sids,
1173 &num_groups,
1174 false, true);
1175
1176 if (!NT_STATUS_IS_OK(status)) {
1177 TALLOC_FREE(info3);
1178 return status;
1179 }
1180
1181 TALLOC_FREE(info3);
1182 *p_num_groups = num_groups;
1183 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1184
1185 DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
1186
1187 return status;
1188}
1189
1190/*********************************************************************
1191 We use this to remove spaces from user and group names
1192********************************************************************/
1193
1194NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
1195 struct winbindd_domain *domain,
1196 const char *name,
1197 char **normalized)
1198{
1199 NTSTATUS nt_status;
1200
1201 if (!name || !normalized) {
1202 return NT_STATUS_INVALID_PARAMETER;
1203 }
1204
1205 if (!lp_winbind_normalize_names()) {
1206 return NT_STATUS_PROCEDURE_NOT_FOUND;
1207 }
1208
1209 /* Alias support and whitespace replacement are mutually
1210 exclusive */
1211
1212 nt_status = resolve_username_to_alias(mem_ctx, domain,
1213 name, normalized );
1214 if (NT_STATUS_IS_OK(nt_status)) {
1215 /* special return code to let the caller know we
1216 mapped to an alias */
1217 return NT_STATUS_FILE_RENAMED;
1218 }
1219
1220 /* check for an unreachable domain */
1221
1222 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1223 DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
1224 domain->name));
1225 set_domain_offline(domain);
1226 return nt_status;
1227 }
1228
1229 /* deal with whitespace */
1230
1231 *normalized = talloc_strdup(mem_ctx, name);
1232 if (!(*normalized)) {
1233 return NT_STATUS_NO_MEMORY;
1234 }
1235
1236 all_string_sub( *normalized, " ", "_", 0 );
1237
1238 return NT_STATUS_OK;
1239}
1240
1241/*********************************************************************
1242 We use this to do the inverse of normalize_name_map()
1243********************************************************************/
1244
1245NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
1246 char *name,
1247 char **normalized)
1248{
1249 NTSTATUS nt_status;
1250 struct winbindd_domain *domain = find_our_domain();
1251
1252 if (!name || !normalized) {
1253 return NT_STATUS_INVALID_PARAMETER;
1254 }
1255
1256 if (!lp_winbind_normalize_names()) {
1257 return NT_STATUS_PROCEDURE_NOT_FOUND;
1258 }
1259
1260 /* Alias support and whitespace replacement are mutally
1261 exclusive */
1262
1263 /* When mapping from an alias to a username, we don't know the
1264 domain. But we only need a domain structure to cache
1265 a successful lookup , so just our own domain structure for
1266 the seqnum. */
1267
1268 nt_status = resolve_alias_to_username(mem_ctx, domain,
1269 name, normalized);
1270 if (NT_STATUS_IS_OK(nt_status)) {
1271 /* Special return code to let the caller know we mapped
1272 from an alias */
1273 return NT_STATUS_FILE_RENAMED;
1274 }
1275
1276 /* check for an unreachable domain */
1277
1278 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1279 DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
1280 domain->name));
1281 set_domain_offline(domain);
1282 return nt_status;
1283 }
1284
1285 /* deal with whitespace */
1286
1287 *normalized = talloc_strdup(mem_ctx, name);
1288 if (!(*normalized)) {
1289 return NT_STATUS_NO_MEMORY;
1290 }
1291
1292 all_string_sub(*normalized, "_", " ", 0);
1293
1294 return NT_STATUS_OK;
1295}
1296
1297/*********************************************************************
1298 ********************************************************************/
1299
1300bool winbindd_can_contact_domain(struct winbindd_domain *domain)
1301{
1302 struct winbindd_tdc_domain *tdc = NULL;
1303 TALLOC_CTX *frame = talloc_stackframe();
1304 bool ret = false;
1305
1306 /* We can contact the domain if it is our primary domain */
1307
1308 if (domain->primary) {
1309 return true;
1310 }
1311
1312 /* Trust the TDC cache and not the winbindd_domain flags */
1313
1314 if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
1315 DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
1316 domain->name));
1317 return false;
1318 }
1319
1320 /* Can always contact a domain that is in out forest */
1321
1322 if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
1323 ret = true;
1324 goto done;
1325 }
1326
1327 /*
1328 * On a _member_ server, we cannot contact the domain if it
1329 * is running AD and we have no inbound trust.
1330 */
1331
1332 if (!IS_DC &&
1333 domain->active_directory &&
1334 ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
1335 {
1336 DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
1337 "and we have no inbound trust.\n", domain->name));
1338 goto done;
1339 }
1340
1341 /* Assume everything else is ok (probably not true but what
1342 can you do?) */
1343
1344 ret = true;
1345
1346done:
1347 talloc_destroy(frame);
1348
1349 return ret;
1350}
1351
1352/*********************************************************************
1353 ********************************************************************/
1354
1355bool winbindd_internal_child(struct winbindd_child *child)
1356{
1357 if ((child == idmap_child()) || (child == locator_child())) {
1358 return True;
1359 }
1360
1361 return False;
1362}
1363
1364#ifdef HAVE_KRB5_LOCATE_PLUGIN_H
1365
1366/*********************************************************************
1367 ********************************************************************/
1368
1369static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
1370{
1371 char *var = NULL;
1372 char addr[INET6_ADDRSTRLEN];
1373 const char *kdc = NULL;
1374 int lvl = 11;
1375
1376 if (!domain || !domain->alt_name || !*domain->alt_name) {
1377 return;
1378 }
1379
1380 if (domain->initialized && !domain->active_directory) {
1381 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
1382 domain->alt_name));
1383 return;
1384 }
1385
1386 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
1387 kdc = addr;
1388 if (!*kdc) {
1389 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
1390 domain->alt_name));
1391 kdc = domain->dcname;
1392 }
1393
1394 if (!kdc || !*kdc) {
1395 DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
1396 domain->alt_name));
1397 return;
1398 }
1399
1400 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1401 domain->alt_name) == -1) {
1402 return;
1403 }
1404
1405 DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
1406 var, kdc));
1407
1408 setenv(var, kdc, 1);
1409 free(var);
1410}
1411
1412/*********************************************************************
1413 ********************************************************************/
1414
1415void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1416{
1417 struct winbindd_domain *our_dom = find_our_domain();
1418
1419 winbindd_set_locator_kdc_env(domain);
1420
1421 if (domain != our_dom) {
1422 winbindd_set_locator_kdc_env(our_dom);
1423 }
1424}
1425
1426/*********************************************************************
1427 ********************************************************************/
1428
1429void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1430{
1431 char *var = NULL;
1432
1433 if (!domain || !domain->alt_name || !*domain->alt_name) {
1434 return;
1435 }
1436
1437 if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
1438 domain->alt_name) == -1) {
1439 return;
1440 }
1441
1442 unsetenv(var);
1443 free(var);
1444}
1445#else
1446
1447void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
1448{
1449 return;
1450}
1451
1452void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
1453{
1454 return;
1455}
1456
1457#endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
1458
1459void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
1460{
1461 resp->data.auth.nt_status = NT_STATUS_V(result);
1462 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
1463
1464 /* we might have given a more useful error above */
1465 if (*resp->data.auth.error_string == '\0')
1466 fstrcpy(resp->data.auth.error_string,
1467 get_friendly_nt_error_msg(result));
1468 resp->data.auth.pam_error = nt_status_to_pam(result);
1469}
1470
1471bool is_domain_offline(const struct winbindd_domain *domain)
1472{
1473 if (!lp_winbind_offline_logon()) {
1474 return false;
1475 }
1476 if (get_global_winbindd_state_offline()) {
1477 return true;
1478 }
1479 return !domain->online;
1480}
Note: See TracBrowser for help on using the repository browser.