sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-19 10:03:58 +03:00
Code
samba-mirror/source3/nsswitch/winbindd.h

233 lines
6.9 KiB
C
Raw Normal View History

brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
/*
Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-30 06:08:46 +00:00
Unix SMB/CIFS implementation.
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
Winbind daemon for ntdom nss module
Copyright (C) Tim Potter 2000
From aliguori@us.ibm.com: This patch adds the architecture for an IDMAP backend system including a new smb.conf parameter "winbind backend". Right now, the only valid value is "tdb" but I'm currently working on an LDAP backend. (This used to be commit 35e4448dcb2deb0d5d34d9e974a49f2fb31f1356)
2003-02-20 22:46:37 +00:00
Copyright (C) Anthony Liguori 2003
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Library General Public License for more details.
You should have received a copy of the GNU Library General Public
License along with this library; if not, write to the
Free Software Foundation, Inc., 59 Temple Place - Suite 330,
Boston, MA 02111-1307, USA.
*/
#ifndef _WINBINDD_H
#define _WINBINDD_H
#include "includes.h"
#include "nterr.h"
in head as well ... renamed ntdom to winbind I think that using winbind in /etc/nsswitch.conf is better than ntdom (This used to be commit 80f85b5359c26dc26f8f88b984f27cfa4ac34e61)
2000-05-10 14:17:21 +00:00
#include "winbindd_nss.h"
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
debug classized (This used to be commit ae5d24873ad0fb3df970cc9912e18e6a5067ae2d)
2002-05-21 07:53:28 +00:00
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
/* Client state structure */
struct winbindd_cli_state {
*Excellent* patch from Michael Steffens <michael_steffens@hp.com> to limit the unix domain sockets used by winbindd (also solves FD_SETSIZE problem in winbindd to boot !). Adds a "last_access" field to winbindd connections, and will close the oldest idle connection once the number of open connections goes over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200 currently). Jeremy. (This used to be commit a82caefda49396641e8650db8a7ef51752ba6c41)
2003-02-28 00:26:20 +00:00
struct winbindd_cli_state *prev, *next; /* Linked list pointers */
int sock; /* Open socket from client */
pid_t pid; /* pid of client */
int read_buf_len, write_buf_len; /* Indexes in request/response */
BOOL finished; /* Can delete from list */
BOOL write_extra_data; /* Write extra_data field */
time_t last_access; /* Time of last access (read or write) */
privilaged -> privileged (This changes the location of the winbindd privileged pipe) (This used to be commit f111f10076c7797e5fd39edcc0aad7d860bb5ac5)
2003-04-07 06:43:16 +00:00
BOOL privileged; /* Is the client 'privileged' */
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
2003-03-23 13:03:25 +00:00
*Excellent* patch from Michael Steffens <michael_steffens@hp.com> to limit the unix domain sockets used by winbindd (also solves FD_SETSIZE problem in winbindd to boot !). Adds a "last_access" field to winbindd connections, and will close the oldest idle connection once the number of open connections goes over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200 currently). Jeremy. (This used to be commit a82caefda49396641e8650db8a7ef51752ba6c41)
2003-02-28 00:26:20 +00:00
struct winbindd_request request; /* Request from client */
struct winbindd_response response; /* Respose to client */
struct getent_state *getpwent_state; /* State for getpwent() */
struct getent_state *getgrent_state; /* State for getgrent() */
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
};
Preliminary merge of winbind into HEAD. Note that this compiles and links but I haven't actually run it yet so it probably doesn't work. (-: (This used to be commit 59f95416b66db6df05289bde224de29c721978e5)
2001-05-07 04:32:40 +00:00
/* State between get{pw,gr}ent() calls */
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
struct getent_state {
Preliminary merge of winbind into HEAD. Note that this compiles and links but I haven't actually run it yet so it probably doesn't work. (-: (This used to be commit 59f95416b66db6df05289bde224de29c721978e5)
2001-05-07 04:32:40 +00:00
struct getent_state *prev, *next;
void *sam_entries;
uint32 sam_entry_index, num_sam_entries;
removed the start_ndx parameter from group enumeration I tried testing this by lowering the buffer size in cli_samr_enum_dom_groups() but that didn't work - I think this needs more looking into (This used to be commit 34328e30315e4b42087d0ee11ed0c3fb715bc250)
2001-12-11 01:04:13 +00:00
BOOL got_sam_entries;
Always query the PDC for the list of trusted domains rather than interating the list received at startup or we get an out of date list. I thought there might be some sequence number that is incremented when a trusted domain is added or removed - perhaps there is but I just haven't found it yet. - Renamed get_domain_info() to init_domain_list() - Made an accessor function to return the list of trusted domains rather than using a global so we don't have to remember to put a magic init function - The getent state can not keep a pointer to a winbind_domain structure as it may be freed if init_domain_list() is called again so we keep the domain name instead (This used to be commit 37216c649a394b449eaaaa6644709eafb3bf37ff)
2002-01-11 05:33:45 +00:00
fstring domain_name;
Preliminary merge of winbind into HEAD. Note that this compiles and links but I haven't actually run it yet so it probably doesn't work. (-: (This used to be commit 59f95416b66db6df05289bde224de29c721978e5)
2001-05-07 04:32:40 +00:00
};
/* Storage for cached getpwent() user entries */
struct getpwent_user {
fstring name; /* Account name */
fstring gecos; /* User information */
Kill RID-only and domain+RID madness from winbind. Now we deal with SIDs in almost all of winbind (a couple of limited exceptions remain, but I'm looking into them - they use non-winbind structs ATM). This has particular benifits in returning out-of-domain SIDs for group membership (Need to look into this a bit more) as well as general code quality. This also removes much of the complexity from the idmap interface, which now only deals with mapping IDs, not with SID->domain translations. Breifly tested, but needs more. Fixes some valgrind-found bugs from my previous commit. Winbind cache chagned to using SID strings in some places, as I could not follow exactly how to save and restore multiple packed sids properly. Andrew Bartlett (This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
2003-02-26 12:21:01 +00:00
DOM_SID user_sid; /* NT user and primary group SIDs */
DOM_SID group_sid;
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
};
/* Server state structure */
struct winbindd_state {
This is the start of a bit of a rewrite of winbindd's connection handling. I've wrapped up all the decisions about managing, making and closing connections into a connection manager in nsswitch/winbindd_cm.c. It's rather incomplete at the moment - only querying basic user info works at the moment (i.e finger -m DOMAIN/user) and everything else is broken. Jeremy, please take a look and I'll start moving across the rest of winbindd to this new system. (This used to be commit c369cf5af787ed9c642778d21f162716fbf0620e)
2001-10-05 00:20:06 +00:00
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
/* User and group id pool */
This is the start of a bit of a rewrite of winbindd's connection handling. I've wrapped up all the decisions about managing, making and closing connections into a connection manager in nsswitch/winbindd_cm.c. It's rather incomplete at the moment - only querying basic user info works at the moment (i.e finger -m DOMAIN/user) and everything else is broken. Jeremy, please take a look and I'll start moving across the rest of winbindd to this new system. (This used to be commit c369cf5af787ed9c642778d21f162716fbf0620e)
2001-10-05 00:20:06 +00:00
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
uid_t uid_low, uid_high; /* Range of uids to allocate */
gid_t gid_low, gid_high; /* Range of gids to allocate */
};
extern struct winbindd_state server_state; /* Server information */
The beginnings of alternative backends for winbindd This just splits off the dispinfo call behind a methods structure. I'll split off a few more functions soon, then we will be ready for LDAP replacement methods (This used to be commit 0216b0fca115c903ec31ed21427a83c62077dc95)
2001-12-01 12:31:43 +00:00
typedef struct {
char *acct_name;
char *full_name;
Kill RID-only and domain+RID madness from winbind. Now we deal with SIDs in almost all of winbind (a couple of limited exceptions remain, but I'm looking into them - they use non-winbind structs ATM). This has particular benifits in returning out-of-domain SIDs for group membership (Need to look into this a bit more) as well as general code quality. This also removes much of the complexity from the idmap interface, which now only deals with mapping IDs, not with SID->domain translations. Breifly tested, but needs more. Fixes some valgrind-found bugs from my previous commit. Winbind cache chagned to using SID strings in some places, as I could not follow exactly how to save and restore multiple packed sids properly. Andrew Bartlett (This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
2003-02-26 12:21:01 +00:00
DOM_SID *user_sid; /* NT user and primary group SIDs */
DOM_SID *group_sid;
changed query_dispinfo to query_user_list (This used to be commit 80010d80f93cfb32c53a1720c7564fb080846f35)
2001-12-03 11:32:55 +00:00
} WINBIND_USERINFO;
The beginnings of alternative backends for winbindd This just splits off the dispinfo call behind a methods structure. I'll split off a few more functions soon, then we will be ready for LDAP replacement methods (This used to be commit 0216b0fca115c903ec31ed21427a83c62077dc95)
2001-12-01 12:31:43 +00:00
Always query the PDC for the list of trusted domains rather than interating the list received at startup or we get an out of date list. I thought there might be some sequence number that is incremented when a trusted domain is added or removed - perhaps there is but I just haven't found it yet. - Renamed get_domain_info() to init_domain_list() - Made an accessor function to return the list of trusted domains rather than using a global so we don't have to remember to put a magic init function - The getent state can not keep a pointer to a winbind_domain structure as it may be freed if init_domain_list() is called again so we keep the domain name instead (This used to be commit 37216c649a394b449eaaaa6644709eafb3bf37ff)
2002-01-11 05:33:45 +00:00
/* Structures to hold per domain information */
struct winbindd_domain {
fstring name; /* Domain name */
This fixes a number of ADS problems, particularly with netbiosless setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-08-05 02:47:46 +00:00
fstring alt_name; /* alt Domain name (if any) */
Always query the PDC for the list of trusted domains rather than interating the list received at startup or we get an out of date list. I thought there might be some sequence number that is incremented when a trusted domain is added or removed - perhaps there is but I just haven't found it yet. - Renamed get_domain_info() to init_domain_list() - Made an accessor function to return the list of trusted domains rather than using a global so we don't have to remember to put a magic init function - The getent state can not keep a pointer to a winbind_domain structure as it may be freed if init_domain_list() is called again so we keep the domain name instead (This used to be commit 37216c649a394b449eaaaa6644709eafb3bf37ff)
2002-01-11 05:33:45 +00:00
DOM_SID sid; /* SID for this domain */
merge native_mode flag in winbindd_domain struct from app-head (This used to be commit dd948a302ad6bd4307ecdfb10510e12185150eae)
2002-10-04 21:39:09 +00:00
BOOL native_mode; /* is this a win2k domain in native mode ? */
Always query the PDC for the list of trusted domains rather than interating the list received at startup or we get an out of date list. I thought there might be some sequence number that is incremented when a trusted domain is added or removed - perhaps there is but I just haven't found it yet. - Renamed get_domain_info() to init_domain_list() - Made an accessor function to return the list of trusted domains rather than using a global so we don't have to remember to put a magic init function - The getent state can not keep a pointer to a winbind_domain structure as it may be freed if init_domain_list() is called again so we keep the domain name instead (This used to be commit 37216c649a394b449eaaaa6644709eafb3bf37ff)
2002-01-11 05:33:45 +00:00
/* Lookup methods for this domain (LDAP or RPC) */
struct winbindd_methods *methods;
/* Private data for the backends (used for connection cache) */
void *private;
/* Sequence number stuff */
time_t last_seq_check;
uint32 sequence_number;
/* Linked list info */
struct winbindd_domain *prev, *next;
};
The beginnings of alternative backends for winbindd This just splits off the dispinfo call behind a methods structure. I'll split off a few more functions soon, then we will be ready for LDAP replacement methods (This used to be commit 0216b0fca115c903ec31ed21427a83c62077dc95)
2001-12-01 12:31:43 +00:00
/* per-domain methods. This is how LDAP vs RPC is selected
*/
struct winbindd_methods {
winbindd backends can now be marked "consistent" or "inconsistent" consistent backends (like ADS) always give correct primary group info, so we can play cache tricks to speed things up a lot inconsistent backends (like MSRPC) need to fetch stuff more often (This used to be commit 217c39f23282e20f96a61a0d5a2434b3f5f66a86)
2001-12-10 06:05:21 +00:00
/* does this backend provide a consistent view of the data? (ie. is the primary group
always correct) */
BOOL consistent;
finally worked out how to do ldap lookups by binary blobs, so I can now do searches on SID. This allows me to do a true ldap sid_to_name() function one one function to go! (This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)
2001-12-05 04:48:51 +00:00
/* get a list of users, returning a WINBIND_USERINFO for each one */
changed query_dispinfo to query_user_list (This used to be commit 80010d80f93cfb32c53a1720c7564fb080846f35)
2001-12-03 11:32:55 +00:00
NTSTATUS (*query_user_list)(struct winbindd_domain *domain,
The beginnings of alternative backends for winbindd This just splits off the dispinfo call behind a methods structure. I'll split off a few more functions soon, then we will be ready for LDAP replacement methods (This used to be commit 0216b0fca115c903ec31ed21427a83c62077dc95)
2001-12-01 12:31:43 +00:00
TALLOC_CTX *mem_ctx,
got rid of start_ndx from query_user_list() (This used to be commit 1c909afe76566807fb576c965eb869f98e72f2bd)
2001-12-11 00:03:58 +00:00
uint32 *num_entries,
changed query_dispinfo to query_user_list (This used to be commit 80010d80f93cfb32c53a1720c7564fb080846f35)
2001-12-03 11:32:55 +00:00
WINBIND_USERINFO **info);
The beginnings of alternative backends for winbindd This just splits off the dispinfo call behind a methods structure. I'll split off a few more functions soon, then we will be ready for LDAP replacement methods (This used to be commit 0216b0fca115c903ec31ed21427a83c62077dc95)
2001-12-01 12:31:43 +00:00
merge from APP_HEAD * s/driverlocation/comment * detect native mode domain and enumerate local groups Also * Added sendfile stats from SAMBA_2_2 (This used to be commit 764b58e2c0b3179cffe157c0ab58761b156b8423)
2002-10-08 18:29:57 +00:00
/* get a list of domain groups */
split winbindd_enum_dom_groups into the new backend structure also created winbindd_rpc.c which contains the functions that have been converted to the new structure. There will soon be a winbindd_ads.c for the ldap backend (This used to be commit e4ccc602ba65838646f2632120069f3274619dd9)
2001-12-03 01:23:42 +00:00
NTSTATUS (*enum_dom_groups)(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
removed the start_ndx parameter from group enumeration I tried testing this by lowering the buffer size in cli_samr_enum_dom_groups() but that didn't work - I think this needs more looking into (This used to be commit 34328e30315e4b42087d0ee11ed0c3fb715bc250)
2001-12-11 01:04:13 +00:00
uint32 *num_entries,
split winbindd_enum_dom_groups into the new backend structure also created winbindd_rpc.c which contains the functions that have been converted to the new structure. There will soon be a winbindd_ads.c for the ldap backend (This used to be commit e4ccc602ba65838646f2632120069f3274619dd9)
2001-12-03 01:23:42 +00:00
struct acct_info **info);
added name_to_sid to the backend (This used to be commit 816e40a51af80a7f703c0451304de406deab3dd8)
2001-12-03 08:17:46 +00:00
merge from APP_HEAD * s/driverlocation/comment * detect native mode domain and enumerate local groups Also * Added sendfile stats from SAMBA_2_2 (This used to be commit 764b58e2c0b3179cffe157c0ab58761b156b8423)
2002-10-08 18:29:57 +00:00
/* get a list of domain local groups */
NTSTATUS (*enum_local_groups)(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_entries,
struct acct_info **info);
finally worked out how to do ldap lookups by binary blobs, so I can now do searches on SID. This allows me to do a true ldap sid_to_name() function one one function to go! (This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)
2001-12-05 04:48:51 +00:00
/* convert one user or group name to a sid */
added name_to_sid to the backend (This used to be commit 816e40a51af80a7f703c0451304de406deab3dd8)
2001-12-03 08:17:46 +00:00
NTSTATUS (*name_to_sid)(struct winbindd_domain *domain,
Kill RID-only and domain+RID madness from winbind. Now we deal with SIDs in almost all of winbind (a couple of limited exceptions remain, but I'm looking into them - they use non-winbind structs ATM). This has particular benifits in returning out-of-domain SIDs for group membership (Need to look into this a bit more) as well as general code quality. This also removes much of the complexity from the idmap interface, which now only deals with mapping IDs, not with SID->domain translations. Breifly tested, but needs more. Fixes some valgrind-found bugs from my previous commit. Winbind cache chagned to using SID strings in some places, as I could not follow exactly how to save and restore multiple packed sids properly. Andrew Bartlett (This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
2003-02-26 12:21:01 +00:00
TALLOC_CTX *mem_ctx,
added name_to_sid to the backend (This used to be commit 816e40a51af80a7f703c0451304de406deab3dd8)
2001-12-03 08:17:46 +00:00
const char *name,
DOM_SID *sid,
enum SID_NAME_USE *type);
put sid_to_name behind the winbindd backend interface I spent quite a while trying to work out how to make this call via ldap and failed. I then found that MS servers seem use rpc for sid_to_name, and it works even when in native mode, I ended up just implementing it via rpc (This used to be commit 789833b44e342c0b5de463ed8f9b5f7474a99f27)
2001-12-03 11:11:14 +00:00
finally worked out how to do ldap lookups by binary blobs, so I can now do searches on SID. This allows me to do a true ldap sid_to_name() function one one function to go! (This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)
2001-12-05 04:48:51 +00:00
/* convert a sid to a user or group name */
put sid_to_name behind the winbindd backend interface I spent quite a while trying to work out how to make this call via ldap and failed. I then found that MS servers seem use rpc for sid_to_name, and it works even when in native mode, I ended up just implementing it via rpc (This used to be commit 789833b44e342c0b5de463ed8f9b5f7474a99f27)
2001-12-03 11:11:14 +00:00
NTSTATUS (*sid_to_name)(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
DOM_SID *sid,
char **name,
enum SID_NAME_USE *type);
added a query_user backend fixed a winbindd crash when the group membership can't be looked up (This used to be commit 088f4cc5be4a1a38781e4d019146d53993ed8c6f)
2001-12-04 06:17:39 +00:00
Kill RID-only and domain+RID madness from winbind. Now we deal with SIDs in almost all of winbind (a couple of limited exceptions remain, but I'm looking into them - they use non-winbind structs ATM). This has particular benifits in returning out-of-domain SIDs for group membership (Need to look into this a bit more) as well as general code quality. This also removes much of the complexity from the idmap interface, which now only deals with mapping IDs, not with SID->domain translations. Breifly tested, but needs more. Fixes some valgrind-found bugs from my previous commit. Winbind cache chagned to using SID strings in some places, as I could not follow exactly how to save and restore multiple packed sids properly. Andrew Bartlett (This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
2003-02-26 12:21:01 +00:00
/* lookup user info for a given SID */
added a query_user backend fixed a winbindd crash when the group membership can't be looked up (This used to be commit 088f4cc5be4a1a38781e4d019146d53993ed8c6f)
2001-12-04 06:17:39 +00:00
NTSTATUS (*query_user)(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
Kill RID-only and domain+RID madness from winbind. Now we deal with SIDs in almost all of winbind (a couple of limited exceptions remain, but I'm looking into them - they use non-winbind structs ATM). This has particular benifits in returning out-of-domain SIDs for group membership (Need to look into this a bit more) as well as general code quality. This also removes much of the complexity from the idmap interface, which now only deals with mapping IDs, not with SID->domain translations. Breifly tested, but needs more. Fixes some valgrind-found bugs from my previous commit. Winbind cache chagned to using SID strings in some places, as I could not follow exactly how to save and restore multiple packed sids properly. Andrew Bartlett (This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
2003-02-26 12:21:01 +00:00
DOM_SID *user_sid,
added a query_user backend fixed a winbindd crash when the group membership can't be looked up (This used to be commit 088f4cc5be4a1a38781e4d019146d53993ed8c6f)
2001-12-04 06:17:39 +00:00
WINBIND_USERINFO *user_info);
moved lookup_usergroups() into the backend structure (This used to be commit 689f45d2079d06b09947b2cdd314867df98c938d)
2001-12-04 06:46:53 +00:00
finally worked out how to do ldap lookups by binary blobs, so I can now do searches on SID. This allows me to do a true ldap sid_to_name() function one one function to go! (This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)
2001-12-05 04:48:51 +00:00
/* lookup all groups that a user is a member of. The backend
can also choose to lookup by username or rid for this
function */
moved lookup_usergroups() into the backend structure (This used to be commit 689f45d2079d06b09947b2cdd314867df98c938d)
2001-12-04 06:46:53 +00:00
NTSTATUS (*lookup_usergroups)(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
Kill RID-only and domain+RID madness from winbind. Now we deal with SIDs in almost all of winbind (a couple of limited exceptions remain, but I'm looking into them - they use non-winbind structs ATM). This has particular benifits in returning out-of-domain SIDs for group membership (Need to look into this a bit more) as well as general code quality. This also removes much of the complexity from the idmap interface, which now only deals with mapping IDs, not with SID->domain translations. Breifly tested, but needs more. Fixes some valgrind-found bugs from my previous commit. Winbind cache chagned to using SID strings in some places, as I could not follow exactly how to save and restore multiple packed sids properly. Andrew Bartlett (This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
2003-02-26 12:21:01 +00:00
DOM_SID *user_sid,
uint32 *num_groups, DOM_SID ***user_gids);
finally worked out how to do ldap lookups by binary blobs, so I can now do searches on SID. This allows me to do a true ldap sid_to_name() function one one function to go! (This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)
2001-12-05 04:48:51 +00:00
/* find all members of the group with the specified group_rid */
NTSTATUS (*lookup_groupmem)(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
Kill RID-only and domain+RID madness from winbind. Now we deal with SIDs in almost all of winbind (a couple of limited exceptions remain, but I'm looking into them - they use non-winbind structs ATM). This has particular benifits in returning out-of-domain SIDs for group membership (Need to look into this a bit more) as well as general code quality. This also removes much of the complexity from the idmap interface, which now only deals with mapping IDs, not with SID->domain translations. Breifly tested, but needs more. Fixes some valgrind-found bugs from my previous commit. Winbind cache chagned to using SID strings in some places, as I could not follow exactly how to save and restore multiple packed sids properly. Andrew Bartlett (This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
2003-02-26 12:21:01 +00:00
DOM_SID *group_sid,
uint32 *num_names,
DOM_SID ***sid_mem, char ***names,
finally worked out how to do ldap lookups by binary blobs, so I can now do searches on SID. This allows me to do a true ldap sid_to_name() function one one function to go! (This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)
2001-12-05 04:48:51 +00:00
uint32 **name_types);
moved the sequence number fetch into the backend, and fetch the sequence number via ldap when using ads (This used to be commit 9a084f0bb91883224ad44e2b76417d10c15cce42)
2001-12-05 07:52:44 +00:00
/* return the current global sequence number */
completely new winbindd cache infrastructure this one looks like just another winbind backend, and has the following properties: - does -ve and +ve cacheing of all queries - can be disabled with -n switch to winbindd - stores all records packed, so even huge domains are not a problem for a complete cache - handles the server being down - uses sequence numbers for all entries This fixes a lot of problems with winbindd. Serving from cache is now *very* fast. (This used to be commit fddb4f4c04473a60a97212c0c8e143d6a4d68380)
2001-12-09 23:59:42 +00:00
NTSTATUS (*sequence_number)(struct winbindd_domain *domain, uint32 *seq);
moved the domain sid lookup and enumeration of trusted domains into the backends at startup, loop until we get the domain sid for our primary domain, trying every 10 seconds. This makes winbindd handle a room-wide power failure better (This used to be commit 7c60ae59378be1b2af2e57ee3927966a29a797a5)
2001-12-10 02:25:19 +00:00
/* enumerate trusted domains */
NTSTATUS (*trusted_domains)(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_domains,
char ***names,
This fixes a number of ADS problems, particularly with netbiosless setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-08-05 02:47:46 +00:00
char ***alt_names,
moved the domain sid lookup and enumeration of trusted domains into the backends at startup, loop until we get the domain sid for our primary domain, trying every 10 seconds. This makes winbindd handle a room-wide power failure better (This used to be commit 7c60ae59378be1b2af2e57ee3927966a29a797a5)
2001-12-10 02:25:19 +00:00
DOM_SID **dom_sids);
/* find the domain sid */
NTSTATUS (*domain_sid)(struct winbindd_domain *domain,
DOM_SID *sid);
This fixes a number of ADS problems, particularly with netbiosless setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-08-05 02:47:46 +00:00
/* setup the list of alternate names for the domain, if any */
NTSTATUS (*alternate_name)(struct winbindd_domain *domain);
The beginnings of alternative backends for winbindd This just splits off the dispinfo call behind a methods structure. I'll split off a few more functions soon, then we will be ready for LDAP replacement methods (This used to be commit 0216b0fca115c903ec31ed21427a83c62077dc95)
2001-12-01 12:31:43 +00:00
};
This is the start of a bit of a rewrite of winbindd's connection handling. I've wrapped up all the decisions about managing, making and closing connections into a connection manager in nsswitch/winbindd_cm.c. It's rather incomplete at the moment - only querying basic user info works at the moment (i.e finger -m DOMAIN/user) and everything else is broken. Jeremy, please take a look and I'll start moving across the rest of winbindd to this new system. (This used to be commit c369cf5af787ed9c642778d21f162716fbf0620e)
2001-10-05 00:20:06 +00:00
/* Used to glue a policy handle and cli_state together */
typedef struct {
struct cli_state *cli;
POLICY_HND pol;
} CLI_POLICY_HND;
From aliguori@us.ibm.com: This patch adds the architecture for an IDMAP backend system including a new smb.conf parameter "winbind backend". Right now, the only valid value is "tdb" but I'm currently working on an LDAP backend. (This used to be commit 35e4448dcb2deb0d5d34d9e974a49f2fb31f1356)
2003-02-20 22:46:37 +00:00
/* Filled out by IDMAP backends */
THE Idmap patch :-) includes a --with-idmap=no switch to disable idmap usage if you find problems. cosmetic fixes and param aliases to separate winbind from idamp roles. A temporarily remote idmap winbind compatibility backend. As I have time I will further change code to not call directly winbind (partly done but not tested) and a specilized module will be built in place for the current glue hack. The patch has been tested locally in my limited time, the patch is simple and clear and should not reserve problems, if any just disable it. As usual, comments and fisex are welcome :-) Simo. (This used to be commit 02781320476ed1b7ee5d943fa36f9a66ab67f208)
2003-04-02 10:36:02 +00:00
struct winbindd_idmap_methods {
From aliguori@us.ibm.com: This patch adds the architecture for an IDMAP backend system including a new smb.conf parameter "winbind backend". Right now, the only valid value is "tdb" but I'm currently working on an LDAP backend. (This used to be commit 35e4448dcb2deb0d5d34d9e974a49f2fb31f1356)
2003-02-20 22:46:37 +00:00
/* Called when backend is first loaded */
BOOL (*init)(void);
BOOL (*get_sid_from_uid)(uid_t uid, DOM_SID *sid);
BOOL (*get_sid_from_gid)(gid_t gid, DOM_SID *sid);
BOOL (*get_uid_from_sid)(DOM_SID *sid, uid_t *uid);
BOOL (*get_gid_from_sid)(DOM_SID *sid, gid_t *gid);
/* Called when backend is unloaded */
BOOL (*close)(void);
/* Called to dump backend status */
void (*status)(void);
};
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
#include "winbindd_proto.h"
#include "rpc_parse.h"
Preliminary merge of winbind into HEAD. Note that this compiles and links but I haven't actually run it yet so it probably doesn't work. (-: (This used to be commit 59f95416b66db6df05289bde224de29c721978e5)
2001-05-07 04:32:40 +00:00
#include "rpc_client.h"
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
#define WINBINDD_ESTABLISH_LOOP 30
This fixes a number of ADS problems, particularly with netbiosless setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-08-05 02:47:46 +00:00
#define WINBINDD_RESCAN_FREQ 300
brought the winbindd code into head this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
2000-05-09 11:43:00 +00:00
#define DOM_SEQUENCE_NONE ((uint32)-1)
#endif /* _WINBINDD_H */
Copy Permalink