mirror of
https://github.com/samba-team/samba.git
synced 2024-12-29 11:21:54 +03:00
e4f5bfb34b
This API is unusual in that if used to remove a non-list head it nulls out the next and prev pointers. This is what you want for debugging (don't want an entry removed from the list to be still virtually linked into it) but means there is no consistent idiom for use as the next and prev pointers get trashed on removal from the list, meaning you must save them yourself. You can use it one way when deleting everything via the head pointer, as this preserves the next pointer, but you *must* use it another way when not deleting everything via the head pointer. Fix all known uses of this (the main one is in conn_free_internal() and would not free all the private data entries for vfs modules. The other changes in web/statuspage.c and winbindd_util.c are not strictly neccessary, as the head pointer is being used, but I've done them for consistency. Long term we must revisit this as this API is too hard to use correctly. Jeremy.
1700 lines
42 KiB
C
1700 lines
42 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
|
|
Winbind daemon for ntdom nss module
|
|
|
|
Copyright (C) Tim Potter 2000-2001
|
|
Copyright (C) 2001 by Martin Pool <mbp@samba.org>
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "winbindd.h"
|
|
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_WINBIND
|
|
|
|
extern struct winbindd_methods cache_methods;
|
|
extern struct winbindd_methods builtin_passdb_methods;
|
|
extern struct winbindd_methods sam_passdb_methods;
|
|
|
|
|
|
/**
|
|
* @file winbindd_util.c
|
|
*
|
|
* Winbind daemon for NT domain authentication nss module.
|
|
**/
|
|
|
|
|
|
/* The list of trusted domains. Note that the list can be deleted and
|
|
recreated using the init_domain_list() function so pointers to
|
|
individual winbindd_domain structures cannot be made. Keep a copy of
|
|
the domain name instead. */
|
|
|
|
static struct winbindd_domain *_domain_list = NULL;
|
|
|
|
/**
|
|
When was the last scan of trusted domains done?
|
|
|
|
0 == not ever
|
|
*/
|
|
|
|
static time_t last_trustdom_scan;
|
|
|
|
struct winbindd_domain *domain_list(void)
|
|
{
|
|
/* Initialise list */
|
|
|
|
if ((!_domain_list) && (!init_domain_list())) {
|
|
smb_panic("Init_domain_list failed");
|
|
}
|
|
|
|
return _domain_list;
|
|
}
|
|
|
|
/* Free all entries in the trusted domain list */
|
|
|
|
void free_domain_list(void)
|
|
{
|
|
struct winbindd_domain *domain = _domain_list;
|
|
|
|
while(domain) {
|
|
struct winbindd_domain *next = domain->next;
|
|
|
|
DLIST_REMOVE(_domain_list, domain);
|
|
SAFE_FREE(domain);
|
|
domain = next;
|
|
}
|
|
}
|
|
|
|
static bool is_internal_domain(const DOM_SID *sid)
|
|
{
|
|
if (sid == NULL)
|
|
return False;
|
|
|
|
if ( IS_DC )
|
|
return sid_check_is_builtin(sid);
|
|
|
|
return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
|
|
}
|
|
|
|
static bool is_in_internal_domain(const DOM_SID *sid)
|
|
{
|
|
if (sid == NULL)
|
|
return False;
|
|
|
|
if ( IS_DC )
|
|
return sid_check_is_in_builtin(sid);
|
|
|
|
return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
|
|
}
|
|
|
|
|
|
/* Add a trusted domain to our list of domains */
|
|
static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
|
|
struct winbindd_methods *methods,
|
|
const DOM_SID *sid)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
const char *alternative_name = NULL;
|
|
char *idmap_config_option;
|
|
const char *param;
|
|
const char **ignored_domains, **dom;
|
|
|
|
ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
|
|
for (dom=ignored_domains; dom && *dom; dom++) {
|
|
if (gen_fnmatch(*dom, domain_name) == 0) {
|
|
DEBUG(2,("Ignoring domain '%s'\n", domain_name));
|
|
return NULL;
|
|
}
|
|
}
|
|
|
|
/* ignore alt_name if we are not in an AD domain */
|
|
|
|
if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
|
|
alternative_name = alt_name;
|
|
}
|
|
|
|
/* We can't call domain_list() as this function is called from
|
|
init_domain_list() and we'll get stuck in a loop. */
|
|
for (domain = _domain_list; domain; domain = domain->next) {
|
|
if (strequal(domain_name, domain->name) ||
|
|
strequal(domain_name, domain->alt_name))
|
|
{
|
|
break;
|
|
}
|
|
|
|
if (alternative_name && *alternative_name)
|
|
{
|
|
if (strequal(alternative_name, domain->name) ||
|
|
strequal(alternative_name, domain->alt_name))
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (sid)
|
|
{
|
|
if (is_null_sid(sid)) {
|
|
continue;
|
|
}
|
|
|
|
if (sid_equal(sid, &domain->sid)) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* See if we found a match. Check if we need to update the
|
|
SID. */
|
|
|
|
if ( domain && sid) {
|
|
if ( sid_equal( &domain->sid, &global_sid_NULL ) )
|
|
sid_copy( &domain->sid, sid );
|
|
|
|
return domain;
|
|
}
|
|
|
|
/* Create new domain entry */
|
|
|
|
if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
|
|
return NULL;
|
|
|
|
/* Fill in fields */
|
|
|
|
ZERO_STRUCTP(domain);
|
|
|
|
fstrcpy(domain->name, domain_name);
|
|
if (alternative_name) {
|
|
fstrcpy(domain->alt_name, alternative_name);
|
|
}
|
|
|
|
domain->methods = methods;
|
|
domain->backend = NULL;
|
|
domain->internal = is_internal_domain(sid);
|
|
domain->sequence_number = DOM_SEQUENCE_NONE;
|
|
domain->last_seq_check = 0;
|
|
domain->initialized = False;
|
|
domain->online = is_internal_domain(sid);
|
|
domain->check_online_timeout = 0;
|
|
domain->dc_probe_pid = (pid_t)-1;
|
|
if (sid) {
|
|
sid_copy(&domain->sid, sid);
|
|
}
|
|
|
|
/* Link to domain list */
|
|
DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
|
|
|
|
wcache_tdc_add_domain( domain );
|
|
|
|
idmap_config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
|
|
domain->name);
|
|
if (idmap_config_option == NULL) {
|
|
DEBUG(0, ("talloc failed, not looking for idmap config\n"));
|
|
goto done;
|
|
}
|
|
|
|
param = lp_parm_const_string(-1, idmap_config_option, "range", NULL);
|
|
|
|
DEBUG(10, ("%s : range = %s\n", idmap_config_option,
|
|
param ? param : "not defined"));
|
|
|
|
if (param != NULL) {
|
|
unsigned low_id, high_id;
|
|
if (sscanf(param, "%u - %u", &low_id, &high_id) != 2) {
|
|
DEBUG(1, ("invalid range syntax in %s: %s\n",
|
|
idmap_config_option, param));
|
|
goto done;
|
|
}
|
|
if (low_id > high_id) {
|
|
DEBUG(1, ("invalid range in %s: %s\n",
|
|
idmap_config_option, param));
|
|
goto done;
|
|
}
|
|
domain->have_idmap_config = true;
|
|
domain->id_range_low = low_id;
|
|
domain->id_range_high = high_id;
|
|
}
|
|
|
|
done:
|
|
|
|
DEBUG(2,("Added domain %s %s %s\n",
|
|
domain->name, domain->alt_name,
|
|
&domain->sid?sid_string_dbg(&domain->sid):""));
|
|
|
|
return domain;
|
|
}
|
|
|
|
/********************************************************************
|
|
rescan our domains looking for new trusted domains
|
|
********************************************************************/
|
|
|
|
struct trustdom_state {
|
|
TALLOC_CTX *mem_ctx;
|
|
bool primary;
|
|
bool forest_root;
|
|
struct winbindd_response *response;
|
|
};
|
|
|
|
static void trustdom_recv(void *private_data, bool success);
|
|
static void rescan_forest_root_trusts( void );
|
|
static void rescan_forest_trusts( void );
|
|
|
|
static void add_trusted_domains( struct winbindd_domain *domain )
|
|
{
|
|
TALLOC_CTX *mem_ctx;
|
|
struct winbindd_request *request;
|
|
struct winbindd_response *response;
|
|
uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
|
|
|
|
struct trustdom_state *state;
|
|
|
|
mem_ctx = talloc_init("add_trusted_domains");
|
|
if (mem_ctx == NULL) {
|
|
DEBUG(0, ("talloc_init failed\n"));
|
|
return;
|
|
}
|
|
|
|
request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
|
|
response = TALLOC_P(mem_ctx, struct winbindd_response);
|
|
state = TALLOC_P(mem_ctx, struct trustdom_state);
|
|
|
|
if ((request == NULL) || (response == NULL) || (state == NULL)) {
|
|
DEBUG(0, ("talloc failed\n"));
|
|
talloc_destroy(mem_ctx);
|
|
return;
|
|
}
|
|
|
|
state->mem_ctx = mem_ctx;
|
|
state->response = response;
|
|
|
|
/* Flags used to know how to continue the forest trust search */
|
|
|
|
state->primary = domain->primary;
|
|
state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
|
|
|
|
request->length = sizeof(*request);
|
|
request->cmd = WINBINDD_LIST_TRUSTDOM;
|
|
|
|
async_domain_request(mem_ctx, domain, request, response,
|
|
trustdom_recv, state);
|
|
}
|
|
|
|
static void trustdom_recv(void *private_data, bool success)
|
|
{
|
|
struct trustdom_state *state =
|
|
talloc_get_type_abort(private_data, struct trustdom_state);
|
|
struct winbindd_response *response = state->response;
|
|
char *p;
|
|
|
|
if ((!success) || (response->result != WINBINDD_OK)) {
|
|
DEBUG(1, ("Could not receive trustdoms\n"));
|
|
talloc_destroy(state->mem_ctx);
|
|
return;
|
|
}
|
|
|
|
p = (char *)response->extra_data.data;
|
|
|
|
while ((p != NULL) && (*p != '\0')) {
|
|
char *q, *sidstr, *alt_name;
|
|
DOM_SID sid;
|
|
struct winbindd_domain *domain;
|
|
char *alternate_name = NULL;
|
|
|
|
alt_name = strchr(p, '\\');
|
|
if (alt_name == NULL) {
|
|
DEBUG(0, ("Got invalid trustdom response\n"));
|
|
break;
|
|
}
|
|
|
|
*alt_name = '\0';
|
|
alt_name += 1;
|
|
|
|
sidstr = strchr(alt_name, '\\');
|
|
if (sidstr == NULL) {
|
|
DEBUG(0, ("Got invalid trustdom response\n"));
|
|
break;
|
|
}
|
|
|
|
*sidstr = '\0';
|
|
sidstr += 1;
|
|
|
|
q = strchr(sidstr, '\n');
|
|
if (q != NULL)
|
|
*q = '\0';
|
|
|
|
if (!string_to_sid(&sid, sidstr)) {
|
|
/* Allow NULL sid for sibling domains */
|
|
if ( strcmp(sidstr,"S-0-0") == 0) {
|
|
sid_copy( &sid, &global_sid_NULL);
|
|
} else {
|
|
DEBUG(0, ("Got invalid trustdom response\n"));
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* use the real alt_name if we have one, else pass in NULL */
|
|
|
|
if ( !strequal( alt_name, "(null)" ) )
|
|
alternate_name = alt_name;
|
|
|
|
/* If we have an existing domain structure, calling
|
|
add_trusted_domain() will update the SID if
|
|
necessary. This is important because we need the
|
|
SID for sibling domains */
|
|
|
|
if ( find_domain_from_name_noinit(p) != NULL ) {
|
|
domain = add_trusted_domain(p, alternate_name,
|
|
&cache_methods,
|
|
&sid);
|
|
} else {
|
|
domain = add_trusted_domain(p, alternate_name,
|
|
&cache_methods,
|
|
&sid);
|
|
if (domain) {
|
|
setup_domain_child(domain,
|
|
&domain->child);
|
|
}
|
|
}
|
|
p=q;
|
|
if (p != NULL)
|
|
p += 1;
|
|
}
|
|
|
|
SAFE_FREE(response->extra_data.data);
|
|
|
|
/*
|
|
Cases to consider when scanning trusts:
|
|
(a) we are calling from a child domain (primary && !forest_root)
|
|
(b) we are calling from the root of the forest (primary && forest_root)
|
|
(c) we are calling from a trusted forest domain (!primary
|
|
&& !forest_root)
|
|
*/
|
|
|
|
if ( state->primary ) {
|
|
/* If this is our primary domain and we are not in the
|
|
forest root, we have to scan the root trusts first */
|
|
|
|
if ( !state->forest_root )
|
|
rescan_forest_root_trusts();
|
|
else
|
|
rescan_forest_trusts();
|
|
|
|
} else if ( state->forest_root ) {
|
|
/* Once we have done root forest trust search, we can
|
|
go on to search the trusted forests */
|
|
|
|
rescan_forest_trusts();
|
|
}
|
|
|
|
talloc_destroy(state->mem_ctx);
|
|
|
|
return;
|
|
}
|
|
|
|
/********************************************************************
|
|
Scan the trusts of our forest root
|
|
********************************************************************/
|
|
|
|
static void rescan_forest_root_trusts( void )
|
|
{
|
|
struct winbindd_tdc_domain *dom_list = NULL;
|
|
size_t num_trusts = 0;
|
|
int i;
|
|
|
|
/* The only transitive trusts supported by Windows 2003 AD are
|
|
(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
|
|
first two are handled in forest and listed by
|
|
DsEnumerateDomainTrusts(). Forest trusts are not so we
|
|
have to do that ourselves. */
|
|
|
|
if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
|
|
return;
|
|
|
|
for ( i=0; i<num_trusts; i++ ) {
|
|
struct winbindd_domain *d = NULL;
|
|
|
|
/* Find the forest root. Don't necessarily trust
|
|
the domain_list() as our primary domain may not
|
|
have been initialized. */
|
|
|
|
if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
|
|
continue;
|
|
}
|
|
|
|
/* Here's the forest root */
|
|
|
|
d = find_domain_from_name_noinit( dom_list[i].domain_name );
|
|
|
|
if ( !d ) {
|
|
d = add_trusted_domain( dom_list[i].domain_name,
|
|
dom_list[i].dns_name,
|
|
&cache_methods,
|
|
&dom_list[i].sid );
|
|
}
|
|
|
|
if (d == NULL) {
|
|
continue;
|
|
}
|
|
|
|
DEBUG(10,("rescan_forest_root_trusts: Following trust path "
|
|
"for domain tree root %s (%s)\n",
|
|
d->name, d->alt_name ));
|
|
|
|
d->domain_flags = dom_list[i].trust_flags;
|
|
d->domain_type = dom_list[i].trust_type;
|
|
d->domain_trust_attribs = dom_list[i].trust_attribs;
|
|
|
|
add_trusted_domains( d );
|
|
|
|
break;
|
|
}
|
|
|
|
TALLOC_FREE( dom_list );
|
|
|
|
return;
|
|
}
|
|
|
|
/********************************************************************
|
|
scan the transitive forest trusts (not our own)
|
|
********************************************************************/
|
|
|
|
|
|
static void rescan_forest_trusts( void )
|
|
{
|
|
struct winbindd_domain *d = NULL;
|
|
struct winbindd_tdc_domain *dom_list = NULL;
|
|
size_t num_trusts = 0;
|
|
int i;
|
|
|
|
/* The only transitive trusts supported by Windows 2003 AD are
|
|
(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
|
|
first two are handled in forest and listed by
|
|
DsEnumerateDomainTrusts(). Forest trusts are not so we
|
|
have to do that ourselves. */
|
|
|
|
if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
|
|
return;
|
|
|
|
for ( i=0; i<num_trusts; i++ ) {
|
|
uint32 flags = dom_list[i].trust_flags;
|
|
uint32 type = dom_list[i].trust_type;
|
|
uint32 attribs = dom_list[i].trust_attribs;
|
|
|
|
d = find_domain_from_name_noinit( dom_list[i].domain_name );
|
|
|
|
/* ignore our primary and internal domains */
|
|
|
|
if ( d && (d->internal || d->primary ) )
|
|
continue;
|
|
|
|
if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
|
|
(type == NETR_TRUST_TYPE_UPLEVEL) &&
|
|
(attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
|
|
{
|
|
/* add the trusted domain if we don't know
|
|
about it */
|
|
|
|
if ( !d ) {
|
|
d = add_trusted_domain( dom_list[i].domain_name,
|
|
dom_list[i].dns_name,
|
|
&cache_methods,
|
|
&dom_list[i].sid );
|
|
}
|
|
|
|
if (d == NULL) {
|
|
continue;
|
|
}
|
|
|
|
DEBUG(10,("Following trust path for domain %s (%s)\n",
|
|
d->name, d->alt_name ));
|
|
add_trusted_domains( d );
|
|
}
|
|
}
|
|
|
|
TALLOC_FREE( dom_list );
|
|
|
|
return;
|
|
}
|
|
|
|
/*********************************************************************
|
|
The process of updating the trusted domain list is a three step
|
|
async process:
|
|
(a) ask our domain
|
|
(b) ask the root domain in our forest
|
|
(c) ask the a DC in any Win2003 trusted forests
|
|
*********************************************************************/
|
|
|
|
void rescan_trusted_domains( void )
|
|
{
|
|
time_t now = time(NULL);
|
|
|
|
/* see if the time has come... */
|
|
|
|
if ((now >= last_trustdom_scan) &&
|
|
((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
|
|
return;
|
|
|
|
/* I use to clear the cache here and start over but that
|
|
caused problems in child processes that needed the
|
|
trust dom list early on. Removing it means we
|
|
could have some trusted domains listed that have been
|
|
removed from our primary domain's DC until a full
|
|
restart. This should be ok since I think this is what
|
|
Windows does as well. */
|
|
|
|
/* this will only add new domains we didn't already know about
|
|
in the domain_list()*/
|
|
|
|
add_trusted_domains( find_our_domain() );
|
|
|
|
last_trustdom_scan = now;
|
|
|
|
return;
|
|
}
|
|
|
|
struct init_child_state {
|
|
TALLOC_CTX *mem_ctx;
|
|
struct winbindd_domain *domain;
|
|
struct winbindd_request *request;
|
|
struct winbindd_response *response;
|
|
void (*continuation)(void *private_data, bool success);
|
|
void *private_data;
|
|
};
|
|
|
|
static void init_child_recv(void *private_data, bool success);
|
|
static void init_child_getdc_recv(void *private_data, bool success);
|
|
|
|
enum winbindd_result init_child_connection(struct winbindd_domain *domain,
|
|
void (*continuation)(void *private_data,
|
|
bool success),
|
|
void *private_data)
|
|
{
|
|
TALLOC_CTX *mem_ctx;
|
|
struct winbindd_request *request;
|
|
struct winbindd_response *response;
|
|
struct init_child_state *state;
|
|
struct winbindd_domain *request_domain;
|
|
|
|
mem_ctx = talloc_init("init_child_connection");
|
|
if (mem_ctx == NULL) {
|
|
DEBUG(0, ("talloc_init failed\n"));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
|
|
response = TALLOC_P(mem_ctx, struct winbindd_response);
|
|
state = TALLOC_P(mem_ctx, struct init_child_state);
|
|
|
|
if ((request == NULL) || (response == NULL) || (state == NULL)) {
|
|
DEBUG(0, ("talloc failed\n"));
|
|
TALLOC_FREE(mem_ctx);
|
|
continuation(private_data, False);
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
request->length = sizeof(*request);
|
|
|
|
state->mem_ctx = mem_ctx;
|
|
state->domain = domain;
|
|
state->request = request;
|
|
state->response = response;
|
|
state->continuation = continuation;
|
|
state->private_data = private_data;
|
|
|
|
if (IS_DC || domain->primary || domain->internal ) {
|
|
/* The primary domain has to find the DC name itself */
|
|
request->cmd = WINBINDD_INIT_CONNECTION;
|
|
fstrcpy(request->domain_name, domain->name);
|
|
request->data.init_conn.is_primary = domain->primary ? true : false;
|
|
fstrcpy(request->data.init_conn.dcname, "");
|
|
async_request(mem_ctx, &domain->child, request, response,
|
|
init_child_recv, state);
|
|
return WINBINDD_PENDING;
|
|
}
|
|
|
|
/* This is *not* the primary domain, let's ask our DC about a DC
|
|
* name */
|
|
|
|
request->cmd = WINBINDD_GETDCNAME;
|
|
fstrcpy(request->domain_name, domain->name);
|
|
|
|
request_domain = find_our_domain();
|
|
async_domain_request(mem_ctx, request_domain, request, response,
|
|
init_child_getdc_recv, state);
|
|
return WINBINDD_PENDING;
|
|
}
|
|
|
|
static void init_child_getdc_recv(void *private_data, bool success)
|
|
{
|
|
struct init_child_state *state =
|
|
talloc_get_type_abort(private_data, struct init_child_state);
|
|
const char *dcname = "";
|
|
|
|
DEBUG(10, ("Received getdcname response\n"));
|
|
|
|
if (success && (state->response->result == WINBINDD_OK)) {
|
|
dcname = state->response->data.dc_name;
|
|
}
|
|
|
|
state->request->cmd = WINBINDD_INIT_CONNECTION;
|
|
fstrcpy(state->request->domain_name, state->domain->name);
|
|
state->request->data.init_conn.is_primary = False;
|
|
fstrcpy(state->request->data.init_conn.dcname, dcname);
|
|
|
|
async_request(state->mem_ctx, &state->domain->child,
|
|
state->request, state->response,
|
|
init_child_recv, state);
|
|
}
|
|
|
|
static void init_child_recv(void *private_data, bool success)
|
|
{
|
|
struct init_child_state *state =
|
|
talloc_get_type_abort(private_data, struct init_child_state);
|
|
|
|
DEBUG(5, ("Received child initialization response for domain %s\n",
|
|
state->domain->name));
|
|
|
|
if ((!success) || (state->response->result != WINBINDD_OK)) {
|
|
DEBUG(3, ("Could not init child\n"));
|
|
state->continuation(state->private_data, False);
|
|
talloc_destroy(state->mem_ctx);
|
|
return;
|
|
}
|
|
|
|
fstrcpy(state->domain->name,
|
|
state->response->data.domain_info.name);
|
|
fstrcpy(state->domain->alt_name,
|
|
state->response->data.domain_info.alt_name);
|
|
string_to_sid(&state->domain->sid,
|
|
state->response->data.domain_info.sid);
|
|
state->domain->native_mode =
|
|
state->response->data.domain_info.native_mode;
|
|
state->domain->active_directory =
|
|
state->response->data.domain_info.active_directory;
|
|
|
|
init_dc_connection(state->domain);
|
|
|
|
if (state->continuation != NULL)
|
|
state->continuation(state->private_data, True);
|
|
talloc_destroy(state->mem_ctx);
|
|
}
|
|
|
|
enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
|
|
struct winbindd_cli_state *state)
|
|
{
|
|
/* Ensure null termination */
|
|
state->request.domain_name
|
|
[sizeof(state->request.domain_name)-1]='\0';
|
|
state->request.data.init_conn.dcname
|
|
[sizeof(state->request.data.init_conn.dcname)-1]='\0';
|
|
|
|
if (strlen(state->request.data.init_conn.dcname) > 0) {
|
|
fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
|
|
}
|
|
|
|
init_dc_connection(domain);
|
|
|
|
if (!domain->initialized) {
|
|
/* If we return error here we can't do any cached authentication,
|
|
but we may be in disconnected mode and can't initialize correctly.
|
|
Do what the previous code did and just return without initialization,
|
|
once we go online we'll re-initialize.
|
|
*/
|
|
DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
|
|
"online = %d\n", domain->name, (int)domain->online ));
|
|
}
|
|
|
|
fstrcpy(state->response.data.domain_info.name, domain->name);
|
|
fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
|
|
sid_to_fstring(state->response.data.domain_info.sid, &domain->sid);
|
|
|
|
state->response.data.domain_info.native_mode
|
|
= domain->native_mode;
|
|
state->response.data.domain_info.active_directory
|
|
= domain->active_directory;
|
|
state->response.data.domain_info.primary
|
|
= domain->primary;
|
|
|
|
return WINBINDD_OK;
|
|
}
|
|
|
|
/* Look up global info for the winbind daemon */
|
|
bool init_domain_list(void)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
int role = lp_server_role();
|
|
|
|
/* Free existing list */
|
|
free_domain_list();
|
|
|
|
/* BUILTIN domain */
|
|
|
|
domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
|
|
&global_sid_Builtin);
|
|
if (domain) {
|
|
setup_domain_child(domain,
|
|
&domain->child);
|
|
}
|
|
|
|
/* Local SAM */
|
|
|
|
domain = add_trusted_domain(get_global_sam_name(), NULL,
|
|
&sam_passdb_methods, get_global_sam_sid());
|
|
if (domain) {
|
|
if ( role != ROLE_DOMAIN_MEMBER ) {
|
|
domain->primary = True;
|
|
}
|
|
setup_domain_child(domain,
|
|
&domain->child);
|
|
}
|
|
|
|
/* Add ourselves as the first entry. */
|
|
|
|
if ( role == ROLE_DOMAIN_MEMBER ) {
|
|
DOM_SID our_sid;
|
|
|
|
if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
|
|
DEBUG(0, ("Could not fetch our SID - did we join?\n"));
|
|
return False;
|
|
}
|
|
|
|
domain = add_trusted_domain( lp_workgroup(), lp_realm(),
|
|
&cache_methods, &our_sid);
|
|
if (domain) {
|
|
domain->primary = True;
|
|
setup_domain_child(domain,
|
|
&domain->child);
|
|
|
|
/* Even in the parent winbindd we'll need to
|
|
talk to the DC, so try and see if we can
|
|
contact it. Theoretically this isn't neccessary
|
|
as the init_dc_connection() in init_child_recv()
|
|
will do this, but we can start detecting the DC
|
|
early here. */
|
|
set_domain_online_request(domain);
|
|
}
|
|
}
|
|
|
|
return True;
|
|
}
|
|
|
|
void check_domain_trusted( const char *name, const DOM_SID *user_sid )
|
|
{
|
|
struct winbindd_domain *domain;
|
|
DOM_SID dom_sid;
|
|
uint32 rid;
|
|
|
|
domain = find_domain_from_name_noinit( name );
|
|
if ( domain )
|
|
return;
|
|
|
|
sid_copy( &dom_sid, user_sid );
|
|
if ( !sid_split_rid( &dom_sid, &rid ) )
|
|
return;
|
|
|
|
/* add the newly discovered trusted domain */
|
|
|
|
domain = add_trusted_domain( name, NULL, &cache_methods,
|
|
&dom_sid);
|
|
|
|
if ( !domain )
|
|
return;
|
|
|
|
/* assume this is a trust from a one-way transitive
|
|
forest trust */
|
|
|
|
domain->active_directory = True;
|
|
domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND;
|
|
domain->domain_type = NETR_TRUST_TYPE_UPLEVEL;
|
|
domain->internal = False;
|
|
domain->online = True;
|
|
|
|
setup_domain_child(domain,
|
|
&domain->child);
|
|
|
|
wcache_tdc_add_domain( domain );
|
|
|
|
return;
|
|
}
|
|
|
|
/**
|
|
* Given a domain name, return the struct winbindd domain info for it
|
|
*
|
|
* @note Do *not* pass lp_workgroup() to this function. domain_list
|
|
* may modify it's value, and free that pointer. Instead, our local
|
|
* domain may be found by calling find_our_domain().
|
|
* directly.
|
|
*
|
|
*
|
|
* @return The domain structure for the named domain, if it is working.
|
|
*/
|
|
|
|
struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
|
|
/* Search through list */
|
|
|
|
for (domain = domain_list(); domain != NULL; domain = domain->next) {
|
|
if (strequal(domain_name, domain->name) ||
|
|
(domain->alt_name[0] &&
|
|
strequal(domain_name, domain->alt_name))) {
|
|
return domain;
|
|
}
|
|
}
|
|
|
|
/* Not found */
|
|
|
|
return NULL;
|
|
}
|
|
|
|
struct winbindd_domain *find_domain_from_name(const char *domain_name)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
|
|
domain = find_domain_from_name_noinit(domain_name);
|
|
|
|
if (domain == NULL)
|
|
return NULL;
|
|
|
|
if (!domain->initialized)
|
|
init_dc_connection(domain);
|
|
|
|
return domain;
|
|
}
|
|
|
|
/* Given a domain sid, return the struct winbindd domain info for it */
|
|
|
|
struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
|
|
/* Search through list */
|
|
|
|
for (domain = domain_list(); domain != NULL; domain = domain->next) {
|
|
if (sid_compare_domain(sid, &domain->sid) == 0)
|
|
return domain;
|
|
}
|
|
|
|
/* Not found */
|
|
|
|
return NULL;
|
|
}
|
|
|
|
/* Given a domain sid, return the struct winbindd domain info for it */
|
|
|
|
struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
|
|
domain = find_domain_from_sid_noinit(sid);
|
|
|
|
if (domain == NULL)
|
|
return NULL;
|
|
|
|
if (!domain->initialized)
|
|
init_dc_connection(domain);
|
|
|
|
return domain;
|
|
}
|
|
|
|
struct winbindd_domain *find_our_domain(void)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
|
|
/* Search through list */
|
|
|
|
for (domain = domain_list(); domain != NULL; domain = domain->next) {
|
|
if (domain->primary)
|
|
return domain;
|
|
}
|
|
|
|
smb_panic("Could not find our domain");
|
|
return NULL;
|
|
}
|
|
|
|
struct winbindd_domain *find_root_domain(void)
|
|
{
|
|
struct winbindd_domain *ours = find_our_domain();
|
|
|
|
if ( !ours )
|
|
return NULL;
|
|
|
|
if ( strlen(ours->forest_name) == 0 )
|
|
return NULL;
|
|
|
|
return find_domain_from_name( ours->forest_name );
|
|
}
|
|
|
|
struct winbindd_domain *find_builtin_domain(void)
|
|
{
|
|
DOM_SID sid;
|
|
struct winbindd_domain *domain;
|
|
|
|
string_to_sid(&sid, "S-1-5-32");
|
|
domain = find_domain_from_sid(&sid);
|
|
|
|
if (domain == NULL) {
|
|
smb_panic("Could not find BUILTIN domain");
|
|
}
|
|
|
|
return domain;
|
|
}
|
|
|
|
/* Find the appropriate domain to lookup a name or SID */
|
|
|
|
struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
|
|
{
|
|
/* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
|
|
|
|
if ( sid_check_is_in_unix_groups(sid) ||
|
|
sid_check_is_unix_groups(sid) ||
|
|
sid_check_is_in_unix_users(sid) ||
|
|
sid_check_is_unix_users(sid) )
|
|
{
|
|
return find_domain_from_sid(get_global_sam_sid());
|
|
}
|
|
|
|
/* A DC can't ask the local smbd for remote SIDs, here winbindd is the
|
|
* one to contact the external DC's. On member servers the internal
|
|
* domains are different: These are part of the local SAM. */
|
|
|
|
DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
|
|
|
|
if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
|
|
DEBUG(10, ("calling find_domain_from_sid\n"));
|
|
return find_domain_from_sid(sid);
|
|
}
|
|
|
|
/* On a member server a query for SID or name can always go to our
|
|
* primary DC. */
|
|
|
|
DEBUG(10, ("calling find_our_domain\n"));
|
|
return find_our_domain();
|
|
}
|
|
|
|
struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
|
|
{
|
|
if ( strequal(domain_name, unix_users_domain_name() ) ||
|
|
strequal(domain_name, unix_groups_domain_name() ) )
|
|
{
|
|
return find_domain_from_name_noinit( get_global_sam_name() );
|
|
}
|
|
|
|
if (IS_DC || strequal(domain_name, "BUILTIN") ||
|
|
strequal(domain_name, get_global_sam_name()))
|
|
return find_domain_from_name_noinit(domain_name);
|
|
|
|
/* The "Unix User" and "Unix Group" domain our handled by passdb */
|
|
|
|
return find_our_domain();
|
|
}
|
|
|
|
/* Lookup a sid in a domain from a name */
|
|
|
|
bool winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
|
|
enum winbindd_cmd orig_cmd,
|
|
struct winbindd_domain *domain,
|
|
const char *domain_name,
|
|
const char *name, DOM_SID *sid,
|
|
enum lsa_SidType *type)
|
|
{
|
|
NTSTATUS result;
|
|
|
|
/* Lookup name */
|
|
result = domain->methods->name_to_sid(domain, mem_ctx, orig_cmd,
|
|
domain_name, name, sid, type);
|
|
|
|
/* Return sid and type if lookup successful */
|
|
if (!NT_STATUS_IS_OK(result)) {
|
|
*type = SID_NAME_UNKNOWN;
|
|
}
|
|
|
|
return NT_STATUS_IS_OK(result);
|
|
}
|
|
|
|
/**
|
|
* @brief Lookup a name in a domain from a sid.
|
|
*
|
|
* @param sid Security ID you want to look up.
|
|
* @param name On success, set to the name corresponding to @p sid.
|
|
* @param dom_name On success, set to the 'domain name' corresponding to @p sid.
|
|
* @param type On success, contains the type of name: alias, group or
|
|
* user.
|
|
* @retval True if the name exists, in which case @p name and @p type
|
|
* are set, otherwise False.
|
|
**/
|
|
bool winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
|
|
struct winbindd_domain *domain,
|
|
DOM_SID *sid,
|
|
char **dom_name,
|
|
char **name,
|
|
enum lsa_SidType *type)
|
|
{
|
|
NTSTATUS result;
|
|
|
|
*dom_name = NULL;
|
|
*name = NULL;
|
|
|
|
/* Lookup name */
|
|
|
|
result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
|
|
|
|
/* Return name and type if successful */
|
|
|
|
if (NT_STATUS_IS_OK(result)) {
|
|
return True;
|
|
}
|
|
|
|
*type = SID_NAME_UNKNOWN;
|
|
|
|
return False;
|
|
}
|
|
|
|
/* Free state information held for {set,get,end}{pw,gr}ent() functions */
|
|
|
|
void free_getent_state(struct getent_state *state)
|
|
{
|
|
struct getent_state *temp;
|
|
|
|
/* Iterate over state list */
|
|
|
|
temp = state;
|
|
|
|
while(temp != NULL) {
|
|
struct getent_state *next = temp->next;
|
|
|
|
/* Free sam entries then list entry */
|
|
|
|
SAFE_FREE(state->sam_entries);
|
|
DLIST_REMOVE(state, state);
|
|
|
|
SAFE_FREE(temp);
|
|
temp = next;
|
|
}
|
|
}
|
|
|
|
/* Is this a domain which we may assume no DOMAIN\ prefix? */
|
|
|
|
static bool assume_domain(const char *domain)
|
|
{
|
|
/* never assume the domain on a standalone server */
|
|
|
|
if ( lp_server_role() == ROLE_STANDALONE )
|
|
return False;
|
|
|
|
/* domain member servers may possibly assume for the domain name */
|
|
|
|
if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
|
|
if ( !strequal(lp_workgroup(), domain) )
|
|
return False;
|
|
|
|
if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
|
|
return True;
|
|
}
|
|
|
|
/* only left with a domain controller */
|
|
|
|
if ( strequal(get_global_sam_name(), domain) ) {
|
|
return True;
|
|
}
|
|
|
|
return False;
|
|
}
|
|
|
|
/* Parse a string of the form DOMAIN\user into a domain and a user */
|
|
|
|
bool parse_domain_user(const char *domuser, fstring domain, fstring user)
|
|
{
|
|
char *p = strchr(domuser,*lp_winbind_separator());
|
|
|
|
if ( !p ) {
|
|
fstrcpy(user, domuser);
|
|
|
|
if ( assume_domain(lp_workgroup())) {
|
|
fstrcpy(domain, lp_workgroup());
|
|
} else if ((p = strchr(domuser, '@')) != NULL) {
|
|
fstrcpy(domain, "");
|
|
} else {
|
|
return False;
|
|
}
|
|
} else {
|
|
fstrcpy(user, p+1);
|
|
fstrcpy(domain, domuser);
|
|
domain[PTR_DIFF(p, domuser)] = 0;
|
|
}
|
|
|
|
strupper_m(domain);
|
|
|
|
return True;
|
|
}
|
|
|
|
bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
|
|
char **domain, char **user)
|
|
{
|
|
fstring fstr_domain, fstr_user;
|
|
if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
|
|
return False;
|
|
}
|
|
*domain = talloc_strdup(mem_ctx, fstr_domain);
|
|
*user = talloc_strdup(mem_ctx, fstr_user);
|
|
return ((*domain != NULL) && (*user != NULL));
|
|
}
|
|
|
|
/* add a domain user name to a buffer */
|
|
void parse_add_domuser(void *buf, char *domuser, int *len)
|
|
{
|
|
fstring domain;
|
|
char *p, *user;
|
|
|
|
user = domuser;
|
|
p = strchr(domuser, *lp_winbind_separator());
|
|
|
|
if (p) {
|
|
|
|
fstrcpy(domain, domuser);
|
|
domain[PTR_DIFF(p, domuser)] = 0;
|
|
p++;
|
|
|
|
if (assume_domain(domain)) {
|
|
|
|
user = p;
|
|
*len -= (PTR_DIFF(p, domuser));
|
|
}
|
|
}
|
|
|
|
safe_strcpy((char *)buf, user, *len);
|
|
}
|
|
|
|
/* Ensure an incoming username from NSS is fully qualified. Replace the
|
|
incoming fstring with DOMAIN <separator> user. Returns the same
|
|
values as parse_domain_user() but also replaces the incoming username.
|
|
Used to ensure all names are fully qualified within winbindd.
|
|
Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
|
|
The protocol definitions of auth_crap, chng_pswd_auth_crap
|
|
really should be changed to use this instead of doing things
|
|
by hand. JRA. */
|
|
|
|
bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
|
|
{
|
|
if (!parse_domain_user(username_inout, domain, user)) {
|
|
return False;
|
|
}
|
|
slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
|
|
domain, *lp_winbind_separator(),
|
|
user);
|
|
return True;
|
|
}
|
|
|
|
/*
|
|
Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
|
|
'winbind separator' options.
|
|
This means:
|
|
- omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
|
|
lp_workgroup()
|
|
|
|
If we are a PDC or BDC, and this is for our domain, do likewise.
|
|
|
|
Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
|
|
username is then unqualified in unix
|
|
|
|
We always canonicalize as UPPERCASE DOMAIN, lowercase username.
|
|
*/
|
|
void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
|
|
{
|
|
fstring tmp_user;
|
|
|
|
fstrcpy(tmp_user, user);
|
|
strlower_m(tmp_user);
|
|
|
|
if (can_assume && assume_domain(domain)) {
|
|
strlcpy(name, tmp_user, sizeof(fstring));
|
|
} else {
|
|
slprintf(name, sizeof(fstring) - 1, "%s%c%s",
|
|
domain, *lp_winbind_separator(),
|
|
tmp_user);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* talloc version of fill_domain_username()
|
|
* return NULL on talloc failure.
|
|
*/
|
|
char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
|
|
const char *domain,
|
|
const char *user,
|
|
bool can_assume)
|
|
{
|
|
char *tmp_user, *name;
|
|
|
|
tmp_user = talloc_strdup(mem_ctx, user);
|
|
strlower_m(tmp_user);
|
|
|
|
if (can_assume && assume_domain(domain)) {
|
|
name = tmp_user;
|
|
} else {
|
|
name = talloc_asprintf(mem_ctx, "%s%c%s",
|
|
domain,
|
|
*lp_winbind_separator(),
|
|
tmp_user);
|
|
TALLOC_FREE(tmp_user);
|
|
}
|
|
|
|
return name;
|
|
}
|
|
|
|
/*
|
|
* Winbindd socket accessor functions
|
|
*/
|
|
|
|
const char *get_winbind_pipe_dir(void)
|
|
{
|
|
return lp_parm_const_string(-1, "winbindd", "socket dir", WINBINDD_SOCKET_DIR);
|
|
}
|
|
|
|
char *get_winbind_priv_pipe_dir(void)
|
|
{
|
|
return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
|
|
}
|
|
|
|
/* Open the winbindd socket */
|
|
|
|
static int _winbindd_socket = -1;
|
|
static int _winbindd_priv_socket = -1;
|
|
|
|
int open_winbindd_socket(void)
|
|
{
|
|
if (_winbindd_socket == -1) {
|
|
_winbindd_socket = create_pipe_sock(
|
|
get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
|
|
DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n",
|
|
_winbindd_socket));
|
|
}
|
|
|
|
return _winbindd_socket;
|
|
}
|
|
|
|
int open_winbindd_priv_socket(void)
|
|
{
|
|
if (_winbindd_priv_socket == -1) {
|
|
_winbindd_priv_socket = create_pipe_sock(
|
|
get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
|
|
DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
|
|
_winbindd_priv_socket));
|
|
}
|
|
|
|
return _winbindd_priv_socket;
|
|
}
|
|
|
|
/* Close the winbindd socket */
|
|
|
|
void close_winbindd_socket(void)
|
|
{
|
|
if (_winbindd_socket != -1) {
|
|
DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
|
|
_winbindd_socket));
|
|
close(_winbindd_socket);
|
|
_winbindd_socket = -1;
|
|
}
|
|
if (_winbindd_priv_socket != -1) {
|
|
DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
|
|
_winbindd_priv_socket));
|
|
close(_winbindd_priv_socket);
|
|
_winbindd_priv_socket = -1;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Client list accessor functions
|
|
*/
|
|
|
|
static struct winbindd_cli_state *_client_list;
|
|
static int _num_clients;
|
|
|
|
/* Return list of all connected clients */
|
|
|
|
struct winbindd_cli_state *winbindd_client_list(void)
|
|
{
|
|
return _client_list;
|
|
}
|
|
|
|
/* Add a connection to the list */
|
|
|
|
void winbindd_add_client(struct winbindd_cli_state *cli)
|
|
{
|
|
DLIST_ADD(_client_list, cli);
|
|
_num_clients++;
|
|
}
|
|
|
|
/* Remove a client from the list */
|
|
|
|
void winbindd_remove_client(struct winbindd_cli_state *cli)
|
|
{
|
|
DLIST_REMOVE(_client_list, cli);
|
|
_num_clients--;
|
|
}
|
|
|
|
/* Close all open clients */
|
|
|
|
void winbindd_kill_all_clients(void)
|
|
{
|
|
struct winbindd_cli_state *cl = winbindd_client_list();
|
|
|
|
DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
|
|
|
|
while (cl) {
|
|
struct winbindd_cli_state *next;
|
|
|
|
next = cl->next;
|
|
winbindd_remove_client(cl);
|
|
cl = next;
|
|
}
|
|
}
|
|
|
|
/* Return number of open clients */
|
|
|
|
int winbindd_num_clients(void)
|
|
{
|
|
return _num_clients;
|
|
}
|
|
|
|
NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
const DOM_SID *user_sid,
|
|
uint32 *p_num_groups, DOM_SID **user_sids)
|
|
{
|
|
struct netr_SamInfo3 *info3 = NULL;
|
|
NTSTATUS status = NT_STATUS_NO_MEMORY;
|
|
size_t num_groups = 0;
|
|
|
|
DEBUG(3,(": lookup_usergroups_cached\n"));
|
|
|
|
*user_sids = NULL;
|
|
*p_num_groups = 0;
|
|
|
|
info3 = netsamlogon_cache_get(mem_ctx, user_sid);
|
|
|
|
if (info3 == NULL) {
|
|
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
}
|
|
|
|
if (info3->base.groups.count == 0) {
|
|
TALLOC_FREE(info3);
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
/* Skip Domain local groups outside our domain.
|
|
We'll get these from the getsidaliases() RPC call. */
|
|
status = sid_array_from_info3(mem_ctx, info3,
|
|
user_sids,
|
|
&num_groups,
|
|
false, true);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
TALLOC_FREE(info3);
|
|
return status;
|
|
}
|
|
|
|
TALLOC_FREE(info3);
|
|
*p_num_groups = num_groups;
|
|
status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
|
|
|
|
DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
|
|
|
|
return status;
|
|
}
|
|
|
|
/*********************************************************************
|
|
We use this to remove spaces from user and group names
|
|
********************************************************************/
|
|
|
|
NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
|
|
struct winbindd_domain *domain,
|
|
char *name,
|
|
char **normalized)
|
|
{
|
|
NTSTATUS nt_status;
|
|
|
|
if (!name || !normalized) {
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
if (!lp_winbind_normalize_names()) {
|
|
return NT_STATUS_PROCEDURE_NOT_FOUND;
|
|
}
|
|
|
|
/* Alias support and whitespace replacement are mutually
|
|
exclusive */
|
|
|
|
nt_status = resolve_username_to_alias(mem_ctx, domain,
|
|
name, normalized );
|
|
if (NT_STATUS_IS_OK(nt_status)) {
|
|
/* special return code to let the caller know we
|
|
mapped to an alias */
|
|
return NT_STATUS_FILE_RENAMED;
|
|
}
|
|
|
|
/* check for an unreachable domain */
|
|
|
|
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
|
|
DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
|
|
domain->name));
|
|
set_domain_offline(domain);
|
|
return nt_status;
|
|
}
|
|
|
|
/* deal with whitespace */
|
|
|
|
*normalized = talloc_strdup(mem_ctx, name);
|
|
if (!(*normalized)) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
all_string_sub( *normalized, " ", "_", 0 );
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
/*********************************************************************
|
|
We use this to do the inverse of normalize_name_map()
|
|
********************************************************************/
|
|
|
|
NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
|
|
char *name,
|
|
char **normalized)
|
|
{
|
|
NTSTATUS nt_status;
|
|
struct winbindd_domain *domain = find_our_domain();
|
|
|
|
if (!name || !normalized) {
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
if (!lp_winbind_normalize_names()) {
|
|
return NT_STATUS_PROCEDURE_NOT_FOUND;
|
|
}
|
|
|
|
/* Alias support and whitespace replacement are mutally
|
|
exclusive */
|
|
|
|
/* When mapping from an alias to a username, we don't know the
|
|
domain. But we only need a domain structure to cache
|
|
a successful lookup , so just our own domain structure for
|
|
the seqnum. */
|
|
|
|
nt_status = resolve_alias_to_username(mem_ctx, domain,
|
|
name, normalized);
|
|
if (NT_STATUS_IS_OK(nt_status)) {
|
|
/* Special return code to let the caller know we mapped
|
|
from an alias */
|
|
return NT_STATUS_FILE_RENAMED;
|
|
}
|
|
|
|
/* check for an unreachable domain */
|
|
|
|
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
|
|
DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
|
|
domain->name));
|
|
set_domain_offline(domain);
|
|
return nt_status;
|
|
}
|
|
|
|
/* deal with whitespace */
|
|
|
|
*normalized = talloc_strdup(mem_ctx, name);
|
|
if (!(*normalized)) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
all_string_sub(*normalized, "_", " ", 0);
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
/*********************************************************************
|
|
********************************************************************/
|
|
|
|
bool winbindd_can_contact_domain(struct winbindd_domain *domain)
|
|
{
|
|
struct winbindd_tdc_domain *tdc = NULL;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
bool ret = false;
|
|
|
|
/* We can contact the domain if it is our primary domain */
|
|
|
|
if (domain->primary) {
|
|
return true;
|
|
}
|
|
|
|
/* Trust the TDC cache and not the winbindd_domain flags */
|
|
|
|
if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
|
|
DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
|
|
domain->name));
|
|
return false;
|
|
}
|
|
|
|
/* Can always contact a domain that is in out forest */
|
|
|
|
if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
|
|
ret = true;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* On a _member_ server, we cannot contact the domain if it
|
|
* is running AD and we have no inbound trust.
|
|
*/
|
|
|
|
if (!IS_DC &&
|
|
domain->active_directory &&
|
|
((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
|
|
{
|
|
DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
|
|
"and we have no inbound trust.\n", domain->name));
|
|
goto done;
|
|
}
|
|
|
|
/* Assume everything else is ok (probably not true but what
|
|
can you do?) */
|
|
|
|
ret = true;
|
|
|
|
done:
|
|
talloc_destroy(frame);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/*********************************************************************
|
|
********************************************************************/
|
|
|
|
bool winbindd_internal_child(struct winbindd_child *child)
|
|
{
|
|
if ((child == idmap_child()) || (child == locator_child())) {
|
|
return True;
|
|
}
|
|
|
|
return False;
|
|
}
|
|
|
|
#ifdef HAVE_KRB5_LOCATE_PLUGIN_H
|
|
|
|
/*********************************************************************
|
|
********************************************************************/
|
|
|
|
static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
|
|
{
|
|
char *var = NULL;
|
|
char addr[INET6_ADDRSTRLEN];
|
|
const char *kdc = NULL;
|
|
int lvl = 11;
|
|
|
|
if (!domain || !domain->alt_name || !*domain->alt_name) {
|
|
return;
|
|
}
|
|
|
|
if (domain->initialized && !domain->active_directory) {
|
|
DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
|
|
domain->alt_name));
|
|
return;
|
|
}
|
|
|
|
print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
|
|
kdc = addr;
|
|
if (!*kdc) {
|
|
DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
|
|
domain->alt_name));
|
|
kdc = domain->dcname;
|
|
}
|
|
|
|
if (!kdc || !*kdc) {
|
|
DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
|
|
domain->alt_name));
|
|
return;
|
|
}
|
|
|
|
if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
|
|
domain->alt_name) == -1) {
|
|
return;
|
|
}
|
|
|
|
DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
|
|
var, kdc));
|
|
|
|
setenv(var, kdc, 1);
|
|
free(var);
|
|
}
|
|
|
|
/*********************************************************************
|
|
********************************************************************/
|
|
|
|
void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
|
|
{
|
|
struct winbindd_domain *our_dom = find_our_domain();
|
|
|
|
winbindd_set_locator_kdc_env(domain);
|
|
|
|
if (domain != our_dom) {
|
|
winbindd_set_locator_kdc_env(our_dom);
|
|
}
|
|
}
|
|
|
|
/*********************************************************************
|
|
********************************************************************/
|
|
|
|
void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
|
|
{
|
|
char *var = NULL;
|
|
|
|
if (!domain || !domain->alt_name || !*domain->alt_name) {
|
|
return;
|
|
}
|
|
|
|
if (asprintf_strupper_m(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS,
|
|
domain->alt_name) == -1) {
|
|
return;
|
|
}
|
|
|
|
unsetenv(var);
|
|
free(var);
|
|
}
|
|
#else
|
|
|
|
void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
|
|
{
|
|
return;
|
|
}
|
|
|
|
void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
|
|
{
|
|
return;
|
|
}
|
|
|
|
#endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
|
|
|
|
void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
|
|
{
|
|
resp->data.auth.nt_status = NT_STATUS_V(result);
|
|
fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
|
|
|
|
/* we might have given a more useful error above */
|
|
if (*resp->data.auth.error_string == '\0')
|
|
fstrcpy(resp->data.auth.error_string,
|
|
get_friendly_nt_error_msg(result));
|
|
resp->data.auth.pam_error = nt_status_to_pam(result);
|
|
}
|