2005-09-22 22:35:08 +04:00
/*
Unix SMB / CIFS implementation .
Main winbindd server routines
Copyright ( C ) Stefan Metzmacher 2005
Copyright ( C ) Andrew Tridgell 2005
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# define WINBINDD_DIR " / tmp / .winbindd / "
# define WINBINDD_SOCKET WINBINDD_DIR"socket"
/* the privileged socket is in smbd_tmp_dir() */
# define WINBINDD_PRIVILEGED_SOCKET "winbind_socket"
# define WINBINDD_SAMBA3_SOCKET WINBINDD_DIR"pipe"
/* the privileged socket is in smbd_tmp_dir() */
# define WINBINDD_SAMBA3_PRIVILEGED_SOCKET "winbind_pipe"
/* this struct stores global data for the winbind task */
struct wbsrv_service {
struct task_server * task ;
2005-10-08 21:45:27 +04:00
2005-10-19 17:45:44 +04:00
const struct dom_sid * primary_sid ;
2005-10-09 16:50:35 +04:00
struct wbsrv_domain * domains ;
} ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-10 00:32:24 +04:00
struct wbsrv_samconn {
struct wbsrv_domain * domain ;
void * private_data ;
struct composite_context ( * seqnum_send ) ( struct wbsrv_samconn * ) ;
NTSTATUS ( * seqnum_recv ) ( struct composite_context * , uint64_t * ) ;
} ;
2005-10-09 16:50:35 +04:00
struct wbsrv_domain {
struct wbsrv_domain * next , * prev ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-10 00:32:24 +04:00
BOOL initialized ;
2005-10-09 16:50:35 +04:00
const char * name ;
const struct dom_sid * sid ;
2005-10-19 17:45:44 +04:00
const char * dcname ;
2005-10-08 21:45:27 +04:00
2005-10-03 21:36:49 +04:00
struct dcerpc_pipe * lsa_pipe ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-10 00:32:24 +04:00
struct policy_handle * lsa_policy ;
2005-10-16 02:01:15 +04:00
uint8_t lsa_auth_type ;
struct dcerpc_pipe * samr_pipe ;
struct policy_handle * samr_handle ;
struct policy_handle * domain_handle ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-10 00:32:24 +04:00
2005-10-24 13:34:12 +04:00
struct ldap_connection * ldap_conn ;
2005-10-09 16:50:35 +04:00
struct dcerpc_pipe * netlogon_auth2_pipe ;
2005-10-08 21:45:27 +04:00
struct dcerpc_pipe * netlogon_pipe ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-10 00:32:24 +04:00
struct cli_credentials * schannel_creds ;
2005-10-15 23:18:05 +04:00
BOOL busy ;
2005-10-19 17:45:44 +04:00
struct domain_request_state * request_queue ;
2005-09-22 22:35:08 +04:00
} ;
/*
this is an abstraction for the actual protocol being used ,
so that we can listen on different sockets with different protocols
e . g . the old samba3 protocol on one socket and a new protocol on another socket
*/
struct wbsrv_protocol_ops {
const char * name ;
BOOL allow_pending_calls ;
uint32_t ( * packet_length ) ( DATA_BLOB blob ) ;
NTSTATUS ( * pull_request ) ( DATA_BLOB blob , TALLOC_CTX * mem_ctx , struct wbsrv_call * * call ) ;
NTSTATUS ( * handle_call ) ( struct wbsrv_call * call ) ;
NTSTATUS ( * push_reply ) ( struct wbsrv_call * call , TALLOC_CTX * mem_ctx , DATA_BLOB * blob ) ;
} ;
/*
state of a listen socket and it ' s protocol information
*/
struct wbsrv_listen_socket {
const char * socket_path ;
struct wbsrv_service * service ;
BOOL privileged ;
const struct wbsrv_protocol_ops * ops ;
} ;
/*
state of an open winbind connection
*/
struct wbsrv_connection {
/* stream connection we belong to */
struct stream_connection * conn ;
/* the listening socket we belong to, it holds protocol hooks */
struct wbsrv_listen_socket * listen_socket ;
/* storage for protocol specific data */
void * protocol_private_data ;
/* the partial data we've receiced yet */
DATA_BLOB partial ;
/* the amount that we used yet from the partial buffer */
uint32_t partial_read ;
/* prevent loops when we use half async code, while processing a requuest */
BOOL processing ;
/* how many calls are pending */
uint32_t pending_calls ;
struct data_blob_list_item * send_queue ;
} ;
/*
state of one request
NOTE about async replies :
if the backend wants to reply later :
2005-09-26 01:01:56 +04:00
- it should set the WBSRV_CALL_FLAGS_REPLY_ASYNC flag , and may set a
talloc_destructor on the this structure or on the private_data ( if it ' s a
talloc child of this structure ) , so that wbsrv_terminate_connection
called by another call clean up the whole connection correct .
- When the backend is ready to reply it should call wbsrv_send_reply ( call ) ,
wbsrv_send_reply implies talloc_free ( call ) , so the backend should use
talloc_reference ( call ) , if it needs it later .
- If wbsrv_send_reply doesn ' t return NT_STATUS_OK , the backend function
should call , wbsrv_terminate_connection ( call - > wbconn , nt_errstr ( status ) ) ;
return ;
2005-09-22 22:35:08 +04:00
*/
struct wbsrv_call {
# define WBSRV_CALL_FLAGS_REPLY_ASYNC 0x00000001
uint32_t flags ;
2005-09-22 23:36:43 +04:00
/* the backend should use this event context */
struct event_context * event_ctx ;
2005-09-22 22:35:08 +04:00
/* the connection the call belongs to */
struct wbsrv_connection * wbconn ;
/* storage for protocol specific data */
void * private_data ;
} ;