mirror of
https://github.com/samba-team/samba.git
synced 2024-12-25 23:21:54 +03:00
9b78af1f64
> Here's the problem I hit:
>
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
> winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
> getgrnam("foo") -> nscd -> ....
>
> This is in the SAMBA_3_0 specifically but in theory could happen
> SAMBA_3_0_25 (or 26) for an unknown group.
>
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent. So we can avoid
> making more NSS calls if the original call came in trough NSS
> so we don't deadlock ? But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> smb.conf.
>
> I've got this in testing now. The problem has shown up with the
> DsProvider on OS X and with nscd on SOlaris and Linux.
(This used to be commit bcc8a3290a
)
1323 lines
33 KiB
C
1323 lines
33 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
|
|
Winbind daemon for ntdom nss module
|
|
|
|
Copyright (C) Tim Potter 2000-2001
|
|
Copyright (C) 2001 by Martin Pool <mbp@samba.org>
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "winbindd.h"
|
|
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_WINBIND
|
|
|
|
extern struct winbindd_methods cache_methods;
|
|
extern struct winbindd_methods passdb_methods;
|
|
|
|
/**
|
|
* @file winbindd_util.c
|
|
*
|
|
* Winbind daemon for NT domain authentication nss module.
|
|
**/
|
|
|
|
/* The list of trusted domains. Note that the list can be deleted and
|
|
recreated using the init_domain_list() function so pointers to
|
|
individual winbindd_domain structures cannot be made. Keep a copy of
|
|
the domain name instead. */
|
|
|
|
static struct winbindd_domain *_domain_list;
|
|
|
|
/**
|
|
When was the last scan of trusted domains done?
|
|
|
|
0 == not ever
|
|
*/
|
|
|
|
static time_t last_trustdom_scan;
|
|
|
|
struct winbindd_domain *domain_list(void)
|
|
{
|
|
/* Initialise list */
|
|
|
|
if ((!_domain_list) && (!init_domain_list())) {
|
|
smb_panic("Init_domain_list failed\n");
|
|
}
|
|
|
|
return _domain_list;
|
|
}
|
|
|
|
/* Free all entries in the trusted domain list */
|
|
|
|
void free_domain_list(void)
|
|
{
|
|
struct winbindd_domain *domain = _domain_list;
|
|
|
|
while(domain) {
|
|
struct winbindd_domain *next = domain->next;
|
|
|
|
DLIST_REMOVE(_domain_list, domain);
|
|
SAFE_FREE(domain);
|
|
domain = next;
|
|
}
|
|
}
|
|
|
|
static BOOL is_internal_domain(const DOM_SID *sid)
|
|
{
|
|
if (sid == NULL)
|
|
return False;
|
|
|
|
return (sid_check_is_domain(sid) || sid_check_is_builtin(sid));
|
|
}
|
|
|
|
static BOOL is_in_internal_domain(const DOM_SID *sid)
|
|
{
|
|
if (sid == NULL)
|
|
return False;
|
|
|
|
return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid));
|
|
}
|
|
|
|
|
|
/* Add a trusted domain to our list of domains */
|
|
static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
|
|
struct winbindd_methods *methods,
|
|
const DOM_SID *sid)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
const char *alternative_name = NULL;
|
|
|
|
/* ignore alt_name if we are not in an AD domain */
|
|
|
|
if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
|
|
alternative_name = alt_name;
|
|
}
|
|
|
|
/* We can't call domain_list() as this function is called from
|
|
init_domain_list() and we'll get stuck in a loop. */
|
|
for (domain = _domain_list; domain; domain = domain->next) {
|
|
if (strequal(domain_name, domain->name) ||
|
|
strequal(domain_name, domain->alt_name))
|
|
{
|
|
break;
|
|
}
|
|
|
|
if (alternative_name && *alternative_name)
|
|
{
|
|
if (strequal(alternative_name, domain->name) ||
|
|
strequal(alternative_name, domain->alt_name))
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (sid)
|
|
{
|
|
if (is_null_sid(sid)) {
|
|
continue;
|
|
}
|
|
|
|
if (sid_equal(sid, &domain->sid)) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* See if we found a match. Check if we need to update the
|
|
SID. */
|
|
|
|
if ( domain ) {
|
|
if ( sid_equal( &domain->sid, &global_sid_NULL ) )
|
|
sid_copy( &domain->sid, sid );
|
|
|
|
return domain;
|
|
}
|
|
|
|
/* Create new domain entry */
|
|
|
|
if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL)
|
|
return NULL;
|
|
|
|
/* Fill in fields */
|
|
|
|
ZERO_STRUCTP(domain);
|
|
|
|
/* prioritise the short name */
|
|
if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) {
|
|
fstrcpy(domain->name, alternative_name);
|
|
fstrcpy(domain->alt_name, domain_name);
|
|
} else {
|
|
fstrcpy(domain->name, domain_name);
|
|
if (alternative_name) {
|
|
fstrcpy(domain->alt_name, alternative_name);
|
|
}
|
|
}
|
|
|
|
domain->methods = methods;
|
|
domain->backend = NULL;
|
|
domain->internal = is_internal_domain(sid);
|
|
domain->sequence_number = DOM_SEQUENCE_NONE;
|
|
domain->last_seq_check = 0;
|
|
domain->initialized = False;
|
|
domain->online = is_internal_domain(sid);
|
|
domain->check_online_timeout = 0;
|
|
if (sid) {
|
|
sid_copy(&domain->sid, sid);
|
|
}
|
|
|
|
/* Link to domain list */
|
|
DLIST_ADD(_domain_list, domain);
|
|
|
|
wcache_tdc_add_domain( domain );
|
|
|
|
DEBUG(2,("Added domain %s %s %s\n",
|
|
domain->name, domain->alt_name,
|
|
&domain->sid?sid_string_static(&domain->sid):""));
|
|
|
|
return domain;
|
|
}
|
|
|
|
/********************************************************************
|
|
rescan our domains looking for new trusted domains
|
|
********************************************************************/
|
|
|
|
struct trustdom_state {
|
|
TALLOC_CTX *mem_ctx;
|
|
BOOL primary;
|
|
BOOL forest_root;
|
|
struct winbindd_response *response;
|
|
};
|
|
|
|
static void trustdom_recv(void *private_data, BOOL success);
|
|
static void rescan_forest_root_trusts( void );
|
|
static void rescan_forest_trusts( void );
|
|
|
|
static void add_trusted_domains( struct winbindd_domain *domain )
|
|
{
|
|
TALLOC_CTX *mem_ctx;
|
|
struct winbindd_request *request;
|
|
struct winbindd_response *response;
|
|
uint32 fr_flags = (DS_DOMAIN_TREE_ROOT|DS_DOMAIN_IN_FOREST);
|
|
|
|
struct trustdom_state *state;
|
|
|
|
mem_ctx = talloc_init("add_trusted_domains");
|
|
if (mem_ctx == NULL) {
|
|
DEBUG(0, ("talloc_init failed\n"));
|
|
return;
|
|
}
|
|
|
|
request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
|
|
response = TALLOC_P(mem_ctx, struct winbindd_response);
|
|
state = TALLOC_P(mem_ctx, struct trustdom_state);
|
|
|
|
if ((request == NULL) || (response == NULL) || (state == NULL)) {
|
|
DEBUG(0, ("talloc failed\n"));
|
|
talloc_destroy(mem_ctx);
|
|
return;
|
|
}
|
|
|
|
state->mem_ctx = mem_ctx;
|
|
state->response = response;
|
|
|
|
/* Flags used to know how to continue the forest trust search */
|
|
|
|
state->primary = domain->primary;
|
|
state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags );
|
|
|
|
request->length = sizeof(*request);
|
|
request->cmd = WINBINDD_LIST_TRUSTDOM;
|
|
|
|
async_domain_request(mem_ctx, domain, request, response,
|
|
trustdom_recv, state);
|
|
}
|
|
|
|
static void trustdom_recv(void *private_data, BOOL success)
|
|
{
|
|
struct trustdom_state *state =
|
|
talloc_get_type_abort(private_data, struct trustdom_state);
|
|
struct winbindd_response *response = state->response;
|
|
char *p;
|
|
|
|
if ((!success) || (response->result != WINBINDD_OK)) {
|
|
DEBUG(1, ("Could not receive trustdoms\n"));
|
|
talloc_destroy(state->mem_ctx);
|
|
return;
|
|
}
|
|
|
|
p = (char *)response->extra_data.data;
|
|
|
|
while ((p != NULL) && (*p != '\0')) {
|
|
char *q, *sidstr, *alt_name;
|
|
DOM_SID sid;
|
|
struct winbindd_domain *domain;
|
|
char *alternate_name = NULL;
|
|
|
|
alt_name = strchr(p, '\\');
|
|
if (alt_name == NULL) {
|
|
DEBUG(0, ("Got invalid trustdom response\n"));
|
|
break;
|
|
}
|
|
|
|
*alt_name = '\0';
|
|
alt_name += 1;
|
|
|
|
sidstr = strchr(alt_name, '\\');
|
|
if (sidstr == NULL) {
|
|
DEBUG(0, ("Got invalid trustdom response\n"));
|
|
break;
|
|
}
|
|
|
|
*sidstr = '\0';
|
|
sidstr += 1;
|
|
|
|
q = strchr(sidstr, '\n');
|
|
if (q != NULL)
|
|
*q = '\0';
|
|
|
|
if (!string_to_sid(&sid, sidstr)) {
|
|
/* Allow NULL sid for sibling domains */
|
|
if ( strcmp(sidstr,"S-0-0") == 0) {
|
|
sid_copy( &sid, &global_sid_NULL);
|
|
} else {
|
|
DEBUG(0, ("Got invalid trustdom response\n"));
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* use the real alt_name if we have one, else pass in NULL */
|
|
|
|
if ( !strequal( alt_name, "(null)" ) )
|
|
alternate_name = alt_name;
|
|
|
|
/* If we have an existing domain structure, calling
|
|
add_trusted_domain() will update the SID if
|
|
necessary. This is important because we need the
|
|
SID for sibling domains */
|
|
|
|
if ( find_domain_from_name_noinit(p) != NULL ) {
|
|
domain = add_trusted_domain(p, alternate_name,
|
|
&cache_methods,
|
|
&sid);
|
|
} else {
|
|
domain = add_trusted_domain(p, alternate_name,
|
|
&cache_methods,
|
|
&sid);
|
|
setup_domain_child(domain, &domain->child, NULL);
|
|
}
|
|
p=q;
|
|
if (p != NULL)
|
|
p += 1;
|
|
}
|
|
|
|
SAFE_FREE(response->extra_data.data);
|
|
|
|
/*
|
|
Cases to consider when scanning trusts:
|
|
(a) we are calling from a child domain (primary && !forest_root)
|
|
(b) we are calling from the root of the forest (primary && forest_root)
|
|
(c) we are calling from a trusted forest domain (!primary
|
|
&& !forest_root)
|
|
*/
|
|
|
|
if ( state->primary ) {
|
|
/* If this is our primary domain and we are not the in the
|
|
forest root, we have to scan the root trusts first */
|
|
|
|
if ( !state->forest_root )
|
|
rescan_forest_root_trusts();
|
|
else
|
|
rescan_forest_trusts();
|
|
|
|
} else if ( state->forest_root ) {
|
|
/* Once we have done root forest trust search, we can
|
|
go on to search thing trusted forests */
|
|
|
|
rescan_forest_trusts();
|
|
}
|
|
|
|
talloc_destroy(state->mem_ctx);
|
|
|
|
return;
|
|
}
|
|
|
|
/********************************************************************
|
|
Scan the trusts of our forest root
|
|
********************************************************************/
|
|
|
|
static void rescan_forest_root_trusts( void )
|
|
{
|
|
struct winbindd_tdc_domain *dom_list = NULL;
|
|
size_t num_trusts = 0;
|
|
int i;
|
|
|
|
/* The only transitive trusts supported by Windows 2003 AD are
|
|
(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
|
|
first two are handled in forest and listed by
|
|
DsEnumerateDomainTrusts(). Forest trusts are not so we
|
|
have to do that ourselves. */
|
|
|
|
if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
|
|
return;
|
|
|
|
for ( i=0; i<num_trusts; i++ ) {
|
|
struct winbindd_domain *d = NULL;
|
|
|
|
/* Find the forest root. Don't necessarily trust
|
|
the domain_list() as our primary domain may not
|
|
have been initialized. */
|
|
|
|
if ( !(dom_list[i].trust_flags & DS_DOMAIN_TREE_ROOT) ) {
|
|
continue;
|
|
}
|
|
|
|
/* Here's the forest root */
|
|
|
|
d = find_domain_from_name_noinit( dom_list[i].domain_name );
|
|
|
|
if ( !d ) {
|
|
d = add_trusted_domain( dom_list[i].domain_name,
|
|
dom_list[i].dns_name,
|
|
&cache_methods,
|
|
&dom_list[i].sid );
|
|
}
|
|
|
|
DEBUG(10,("rescan_forest_root_trusts: Following trust path "
|
|
"for domain tree root %s (%s)\n",
|
|
d->name, d->alt_name ));
|
|
|
|
d->domain_flags = dom_list[i].trust_flags;
|
|
d->domain_type = dom_list[i].trust_type;
|
|
d->domain_trust_attribs = dom_list[i].trust_attribs;
|
|
|
|
add_trusted_domains( d );
|
|
|
|
break;
|
|
}
|
|
|
|
TALLOC_FREE( dom_list );
|
|
|
|
return;
|
|
}
|
|
|
|
/********************************************************************
|
|
scan the transitive forest trists (not our own)
|
|
********************************************************************/
|
|
|
|
|
|
static void rescan_forest_trusts( void )
|
|
{
|
|
struct winbindd_domain *d = NULL;
|
|
struct winbindd_tdc_domain *dom_list = NULL;
|
|
size_t num_trusts = 0;
|
|
int i;
|
|
|
|
/* The only transitive trusts supported by Windows 2003 AD are
|
|
(a) Parent-Child, (b) Tree-Root, and (c) Forest. The
|
|
first two are handled in forest and listed by
|
|
DsEnumerateDomainTrusts(). Forest trusts are not so we
|
|
have to do that ourselves. */
|
|
|
|
if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
|
|
return;
|
|
|
|
for ( i=0; i<num_trusts; i++ ) {
|
|
uint32 flags = dom_list[i].trust_flags;
|
|
uint32 type = dom_list[i].trust_type;
|
|
uint32 attribs = dom_list[i].trust_attribs;
|
|
|
|
d = find_domain_from_name_noinit( dom_list[i].domain_name );
|
|
|
|
/* ignore our primary and internal domains */
|
|
|
|
if ( d && (d->internal || d->primary ) )
|
|
continue;
|
|
|
|
if ( (flags & DS_DOMAIN_DIRECT_INBOUND) &&
|
|
(type == DS_DOMAIN_TRUST_TYPE_UPLEVEL) &&
|
|
(attribs == DS_DOMAIN_TRUST_ATTRIB_FOREST_TRANSITIVE) )
|
|
{
|
|
/* add the trusted domain if we don't know
|
|
about it */
|
|
|
|
if ( !d ) {
|
|
d = add_trusted_domain( dom_list[i].domain_name,
|
|
dom_list[i].dns_name,
|
|
&cache_methods,
|
|
&dom_list[i].sid );
|
|
}
|
|
|
|
DEBUG(10,("Following trust path for domain %s (%s)\n",
|
|
d->name, d->alt_name ));
|
|
add_trusted_domains( d );
|
|
}
|
|
}
|
|
|
|
TALLOC_FREE( dom_list );
|
|
|
|
return;
|
|
}
|
|
|
|
/*********************************************************************
|
|
The process of updating the trusted domain list is a three step
|
|
async process:
|
|
(a) ask our domain
|
|
(b) ask the root domain in our forest
|
|
(c) ask the a DC in any Win2003 trusted forests
|
|
*********************************************************************/
|
|
|
|
void rescan_trusted_domains( void )
|
|
{
|
|
time_t now = time(NULL);
|
|
|
|
/* see if the time has come... */
|
|
|
|
if ((now >= last_trustdom_scan) &&
|
|
((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
|
|
return;
|
|
|
|
/* clear the TRUSTDOM cache first */
|
|
|
|
wcache_tdc_clear();
|
|
|
|
/* this will only add new domains we didn't already know about
|
|
in the domain_list()*/
|
|
|
|
add_trusted_domains( find_our_domain() );
|
|
|
|
last_trustdom_scan = now;
|
|
|
|
return;
|
|
}
|
|
|
|
struct init_child_state {
|
|
TALLOC_CTX *mem_ctx;
|
|
struct winbindd_domain *domain;
|
|
struct winbindd_request *request;
|
|
struct winbindd_response *response;
|
|
void (*continuation)(void *private_data, BOOL success);
|
|
void *private_data;
|
|
};
|
|
|
|
static void init_child_recv(void *private_data, BOOL success);
|
|
static void init_child_getdc_recv(void *private_data, BOOL success);
|
|
|
|
enum winbindd_result init_child_connection(struct winbindd_domain *domain,
|
|
void (*continuation)(void *private_data,
|
|
BOOL success),
|
|
void *private_data)
|
|
{
|
|
TALLOC_CTX *mem_ctx;
|
|
struct winbindd_request *request;
|
|
struct winbindd_response *response;
|
|
struct init_child_state *state;
|
|
struct winbindd_domain *request_domain;
|
|
|
|
mem_ctx = talloc_init("init_child_connection");
|
|
if (mem_ctx == NULL) {
|
|
DEBUG(0, ("talloc_init failed\n"));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request);
|
|
response = TALLOC_P(mem_ctx, struct winbindd_response);
|
|
state = TALLOC_P(mem_ctx, struct init_child_state);
|
|
|
|
if ((request == NULL) || (response == NULL) || (state == NULL)) {
|
|
DEBUG(0, ("talloc failed\n"));
|
|
TALLOC_FREE(mem_ctx);
|
|
continuation(private_data, False);
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
request->length = sizeof(*request);
|
|
|
|
state->mem_ctx = mem_ctx;
|
|
state->domain = domain;
|
|
state->request = request;
|
|
state->response = response;
|
|
state->continuation = continuation;
|
|
state->private_data = private_data;
|
|
|
|
if (IS_DC || domain->primary || domain->internal ) {
|
|
/* The primary domain has to find the DC name itself */
|
|
request->cmd = WINBINDD_INIT_CONNECTION;
|
|
fstrcpy(request->domain_name, domain->name);
|
|
request->data.init_conn.is_primary = domain->internal ? False : True;
|
|
fstrcpy(request->data.init_conn.dcname, "");
|
|
async_request(mem_ctx, &domain->child, request, response,
|
|
init_child_recv, state);
|
|
return WINBINDD_PENDING;
|
|
}
|
|
|
|
/* This is *not* the primary domain, let's ask our DC about a DC
|
|
* name */
|
|
|
|
request->cmd = WINBINDD_GETDCNAME;
|
|
fstrcpy(request->domain_name, domain->name);
|
|
|
|
request_domain = find_our_domain();
|
|
async_domain_request(mem_ctx, request_domain, request, response,
|
|
init_child_getdc_recv, state);
|
|
return WINBINDD_PENDING;
|
|
}
|
|
|
|
static void init_child_getdc_recv(void *private_data, BOOL success)
|
|
{
|
|
struct init_child_state *state =
|
|
talloc_get_type_abort(private_data, struct init_child_state);
|
|
const char *dcname = "";
|
|
|
|
DEBUG(10, ("Received getdcname response\n"));
|
|
|
|
if (success && (state->response->result == WINBINDD_OK)) {
|
|
dcname = state->response->data.dc_name;
|
|
}
|
|
|
|
state->request->cmd = WINBINDD_INIT_CONNECTION;
|
|
fstrcpy(state->request->domain_name, state->domain->name);
|
|
state->request->data.init_conn.is_primary = False;
|
|
fstrcpy(state->request->data.init_conn.dcname, dcname);
|
|
|
|
async_request(state->mem_ctx, &state->domain->child,
|
|
state->request, state->response,
|
|
init_child_recv, state);
|
|
}
|
|
|
|
static void init_child_recv(void *private_data, BOOL success)
|
|
{
|
|
struct init_child_state *state =
|
|
talloc_get_type_abort(private_data, struct init_child_state);
|
|
|
|
DEBUG(5, ("Received child initialization response for domain %s\n",
|
|
state->domain->name));
|
|
|
|
if ((!success) || (state->response->result != WINBINDD_OK)) {
|
|
DEBUG(3, ("Could not init child\n"));
|
|
state->continuation(state->private_data, False);
|
|
talloc_destroy(state->mem_ctx);
|
|
return;
|
|
}
|
|
|
|
fstrcpy(state->domain->name,
|
|
state->response->data.domain_info.name);
|
|
fstrcpy(state->domain->alt_name,
|
|
state->response->data.domain_info.alt_name);
|
|
string_to_sid(&state->domain->sid,
|
|
state->response->data.domain_info.sid);
|
|
state->domain->native_mode =
|
|
state->response->data.domain_info.native_mode;
|
|
state->domain->active_directory =
|
|
state->response->data.domain_info.active_directory;
|
|
state->domain->sequence_number =
|
|
state->response->data.domain_info.sequence_number;
|
|
|
|
init_dc_connection(state->domain);
|
|
|
|
if (state->continuation != NULL)
|
|
state->continuation(state->private_data, True);
|
|
talloc_destroy(state->mem_ctx);
|
|
}
|
|
|
|
enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain,
|
|
struct winbindd_cli_state *state)
|
|
{
|
|
/* Ensure null termination */
|
|
state->request.domain_name
|
|
[sizeof(state->request.domain_name)-1]='\0';
|
|
state->request.data.init_conn.dcname
|
|
[sizeof(state->request.data.init_conn.dcname)-1]='\0';
|
|
|
|
if (strlen(state->request.data.init_conn.dcname) > 0) {
|
|
fstrcpy(domain->dcname, state->request.data.init_conn.dcname);
|
|
}
|
|
|
|
init_dc_connection(domain);
|
|
|
|
if (!domain->initialized) {
|
|
/* If we return error here we can't do any cached authentication,
|
|
but we may be in disconnected mode and can't initialize correctly.
|
|
Do what the previous code did and just return without initialization,
|
|
once we go online we'll re-initialize.
|
|
*/
|
|
DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization "
|
|
"online = %d\n", domain->name, (int)domain->online ));
|
|
}
|
|
|
|
fstrcpy(state->response.data.domain_info.name, domain->name);
|
|
fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name);
|
|
fstrcpy(state->response.data.domain_info.sid,
|
|
sid_string_static(&domain->sid));
|
|
|
|
state->response.data.domain_info.native_mode
|
|
= domain->native_mode;
|
|
state->response.data.domain_info.active_directory
|
|
= domain->active_directory;
|
|
state->response.data.domain_info.primary
|
|
= domain->primary;
|
|
state->response.data.domain_info.sequence_number =
|
|
domain->sequence_number;
|
|
|
|
return WINBINDD_OK;
|
|
}
|
|
|
|
/* Look up global info for the winbind daemon */
|
|
BOOL init_domain_list(void)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
int role = lp_server_role();
|
|
|
|
/* Free existing list */
|
|
free_domain_list();
|
|
|
|
/* Add ourselves as the first entry. */
|
|
|
|
if ( role == ROLE_DOMAIN_MEMBER ) {
|
|
DOM_SID our_sid;
|
|
|
|
if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
|
|
DEBUG(0, ("Could not fetch our SID - did we join?\n"));
|
|
return False;
|
|
}
|
|
|
|
domain = add_trusted_domain( lp_workgroup(), lp_realm(),
|
|
&cache_methods, &our_sid);
|
|
domain->primary = True;
|
|
setup_domain_child(domain, &domain->child, NULL);
|
|
|
|
/* Even in the parent winbindd we'll need to
|
|
talk to the DC, so try and see if we can
|
|
contact it. Theoretically this isn't neccessary
|
|
as the init_dc_connection() in init_child_recv()
|
|
will do this, but we can start detecting the DC
|
|
early here. */
|
|
set_domain_online_request(domain);
|
|
}
|
|
|
|
/* Local SAM */
|
|
|
|
domain = add_trusted_domain(get_global_sam_name(), NULL,
|
|
&passdb_methods, get_global_sam_sid());
|
|
if ( role != ROLE_DOMAIN_MEMBER ) {
|
|
domain->primary = True;
|
|
}
|
|
setup_domain_child(domain, &domain->child, NULL);
|
|
|
|
/* BUILTIN domain */
|
|
|
|
domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods,
|
|
&global_sid_Builtin);
|
|
setup_domain_child(domain, &domain->child, NULL);
|
|
|
|
return True;
|
|
}
|
|
|
|
void check_domain_trusted( const char *name, const DOM_SID *user_sid )
|
|
{
|
|
struct winbindd_domain *domain;
|
|
DOM_SID dom_sid;
|
|
uint32 rid;
|
|
|
|
domain = find_domain_from_name_noinit( name );
|
|
if ( domain )
|
|
return;
|
|
|
|
sid_copy( &dom_sid, user_sid );
|
|
if ( !sid_split_rid( &dom_sid, &rid ) )
|
|
return;
|
|
|
|
/* add the newly discovered trusted domain */
|
|
|
|
domain = add_trusted_domain( name, NULL, &cache_methods,
|
|
&dom_sid);
|
|
|
|
if ( !domain )
|
|
return;
|
|
|
|
/* assume this is a trust from a one-way transitive
|
|
forest trust */
|
|
|
|
domain->active_directory = True;
|
|
domain->domain_flags = DS_DOMAIN_DIRECT_OUTBOUND;
|
|
domain->domain_type = DS_DOMAIN_TRUST_TYPE_UPLEVEL;
|
|
domain->internal = False;
|
|
domain->online = True;
|
|
|
|
setup_domain_child(domain, &domain->child, NULL);
|
|
|
|
wcache_tdc_add_domain( domain );
|
|
|
|
return;
|
|
}
|
|
|
|
/**
|
|
* Given a domain name, return the struct winbindd domain info for it
|
|
*
|
|
* @note Do *not* pass lp_workgroup() to this function. domain_list
|
|
* may modify it's value, and free that pointer. Instead, our local
|
|
* domain may be found by calling find_our_domain().
|
|
* directly.
|
|
*
|
|
*
|
|
* @return The domain structure for the named domain, if it is working.
|
|
*/
|
|
|
|
struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
|
|
/* Search through list */
|
|
|
|
for (domain = domain_list(); domain != NULL; domain = domain->next) {
|
|
if (strequal(domain_name, domain->name) ||
|
|
(domain->alt_name[0] &&
|
|
strequal(domain_name, domain->alt_name))) {
|
|
return domain;
|
|
}
|
|
}
|
|
|
|
/* Not found */
|
|
|
|
return NULL;
|
|
}
|
|
|
|
struct winbindd_domain *find_domain_from_name(const char *domain_name)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
|
|
domain = find_domain_from_name_noinit(domain_name);
|
|
|
|
if (domain == NULL)
|
|
return NULL;
|
|
|
|
if (!domain->initialized)
|
|
init_dc_connection(domain);
|
|
|
|
return domain;
|
|
}
|
|
|
|
/* Given a domain sid, return the struct winbindd domain info for it */
|
|
|
|
struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
|
|
/* Search through list */
|
|
|
|
for (domain = domain_list(); domain != NULL; domain = domain->next) {
|
|
if (sid_compare_domain(sid, &domain->sid) == 0)
|
|
return domain;
|
|
}
|
|
|
|
/* Not found */
|
|
|
|
return NULL;
|
|
}
|
|
|
|
/* Given a domain sid, return the struct winbindd domain info for it */
|
|
|
|
struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
|
|
domain = find_domain_from_sid_noinit(sid);
|
|
|
|
if (domain == NULL)
|
|
return NULL;
|
|
|
|
if (!domain->initialized)
|
|
init_dc_connection(domain);
|
|
|
|
return domain;
|
|
}
|
|
|
|
struct winbindd_domain *find_our_domain(void)
|
|
{
|
|
struct winbindd_domain *domain;
|
|
|
|
/* Search through list */
|
|
|
|
for (domain = domain_list(); domain != NULL; domain = domain->next) {
|
|
if (domain->primary)
|
|
return domain;
|
|
}
|
|
|
|
smb_panic("Could not find our domain\n");
|
|
return NULL;
|
|
}
|
|
|
|
struct winbindd_domain *find_root_domain(void)
|
|
{
|
|
struct winbindd_domain *ours = find_our_domain();
|
|
|
|
if ( !ours )
|
|
return NULL;
|
|
|
|
if ( strlen(ours->forest_name) == 0 )
|
|
return NULL;
|
|
|
|
return find_domain_from_name( ours->forest_name );
|
|
}
|
|
|
|
struct winbindd_domain *find_builtin_domain(void)
|
|
{
|
|
DOM_SID sid;
|
|
struct winbindd_domain *domain;
|
|
|
|
string_to_sid(&sid, "S-1-5-32");
|
|
domain = find_domain_from_sid(&sid);
|
|
|
|
if (domain == NULL)
|
|
smb_panic("Could not find BUILTIN domain\n");
|
|
|
|
return domain;
|
|
}
|
|
|
|
/* Find the appropriate domain to lookup a name or SID */
|
|
|
|
struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
|
|
{
|
|
/* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
|
|
|
|
if ( sid_check_is_in_unix_groups(sid) ||
|
|
sid_check_is_unix_groups(sid) ||
|
|
sid_check_is_in_unix_users(sid) ||
|
|
sid_check_is_unix_users(sid) )
|
|
{
|
|
return find_domain_from_sid(get_global_sam_sid());
|
|
}
|
|
|
|
/* A DC can't ask the local smbd for remote SIDs, here winbindd is the
|
|
* one to contact the external DC's. On member servers the internal
|
|
* domains are different: These are part of the local SAM. */
|
|
|
|
DEBUG(10, ("find_lookup_domain_from_sid(%s)\n",
|
|
sid_string_static(sid)));
|
|
|
|
if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
|
|
DEBUG(10, ("calling find_domain_from_sid\n"));
|
|
return find_domain_from_sid(sid);
|
|
}
|
|
|
|
/* On a member server a query for SID or name can always go to our
|
|
* primary DC. */
|
|
|
|
DEBUG(10, ("calling find_our_domain\n"));
|
|
return find_our_domain();
|
|
}
|
|
|
|
struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
|
|
{
|
|
if ( strequal(domain_name, unix_users_domain_name() ) ||
|
|
strequal(domain_name, unix_groups_domain_name() ) )
|
|
{
|
|
return find_domain_from_name_noinit( get_global_sam_name() );
|
|
}
|
|
|
|
if (IS_DC || strequal(domain_name, "BUILTIN") ||
|
|
strequal(domain_name, get_global_sam_name()))
|
|
return find_domain_from_name_noinit(domain_name);
|
|
|
|
/* The "Unix User" and "Unix Group" domain our handled by passdb */
|
|
|
|
return find_our_domain();
|
|
}
|
|
|
|
/* Lookup a sid in a domain from a name */
|
|
|
|
BOOL winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx,
|
|
enum winbindd_cmd orig_cmd,
|
|
struct winbindd_domain *domain,
|
|
const char *domain_name,
|
|
const char *name, DOM_SID *sid,
|
|
enum lsa_SidType *type)
|
|
{
|
|
NTSTATUS result;
|
|
|
|
/* Lookup name */
|
|
result = domain->methods->name_to_sid(domain, mem_ctx, orig_cmd,
|
|
domain_name, name, sid, type);
|
|
|
|
/* Return sid and type if lookup successful */
|
|
if (!NT_STATUS_IS_OK(result)) {
|
|
*type = SID_NAME_UNKNOWN;
|
|
}
|
|
|
|
return NT_STATUS_IS_OK(result);
|
|
}
|
|
|
|
/**
|
|
* @brief Lookup a name in a domain from a sid.
|
|
*
|
|
* @param sid Security ID you want to look up.
|
|
* @param name On success, set to the name corresponding to @p sid.
|
|
* @param dom_name On success, set to the 'domain name' corresponding to @p sid.
|
|
* @param type On success, contains the type of name: alias, group or
|
|
* user.
|
|
* @retval True if the name exists, in which case @p name and @p type
|
|
* are set, otherwise False.
|
|
**/
|
|
BOOL winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx,
|
|
struct winbindd_domain *domain,
|
|
DOM_SID *sid,
|
|
char **dom_name,
|
|
char **name,
|
|
enum lsa_SidType *type)
|
|
{
|
|
NTSTATUS result;
|
|
|
|
*dom_name = NULL;
|
|
*name = NULL;
|
|
|
|
/* Lookup name */
|
|
|
|
result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type);
|
|
|
|
/* Return name and type if successful */
|
|
|
|
if (NT_STATUS_IS_OK(result)) {
|
|
return True;
|
|
}
|
|
|
|
*type = SID_NAME_UNKNOWN;
|
|
|
|
return False;
|
|
}
|
|
|
|
/* Free state information held for {set,get,end}{pw,gr}ent() functions */
|
|
|
|
void free_getent_state(struct getent_state *state)
|
|
{
|
|
struct getent_state *temp;
|
|
|
|
/* Iterate over state list */
|
|
|
|
temp = state;
|
|
|
|
while(temp != NULL) {
|
|
struct getent_state *next;
|
|
|
|
/* Free sam entries then list entry */
|
|
|
|
SAFE_FREE(state->sam_entries);
|
|
DLIST_REMOVE(state, state);
|
|
next = temp->next;
|
|
|
|
SAFE_FREE(temp);
|
|
temp = next;
|
|
}
|
|
}
|
|
|
|
/* Is this a domain which we may assume no DOMAIN\ prefix? */
|
|
|
|
static BOOL assume_domain(const char *domain)
|
|
{
|
|
/* never assume the domain on a standalone server */
|
|
|
|
if ( lp_server_role() == ROLE_STANDALONE )
|
|
return False;
|
|
|
|
/* domain member servers may possibly assume for the domain name */
|
|
|
|
if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
|
|
if ( !strequal(lp_workgroup(), domain) )
|
|
return False;
|
|
|
|
if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
|
|
return True;
|
|
}
|
|
|
|
/* only left with a domain controller */
|
|
|
|
if ( strequal(get_global_sam_name(), domain) ) {
|
|
return True;
|
|
}
|
|
|
|
return False;
|
|
}
|
|
|
|
/* Parse a string of the form DOMAIN\user into a domain and a user */
|
|
|
|
BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
|
|
{
|
|
char *p = strchr(domuser,*lp_winbind_separator());
|
|
|
|
if ( !p ) {
|
|
fstrcpy(user, domuser);
|
|
|
|
if ( assume_domain(lp_workgroup())) {
|
|
fstrcpy(domain, lp_workgroup());
|
|
} else {
|
|
return False;
|
|
}
|
|
} else {
|
|
fstrcpy(user, p+1);
|
|
fstrcpy(domain, domuser);
|
|
domain[PTR_DIFF(p, domuser)] = 0;
|
|
}
|
|
|
|
strupper_m(domain);
|
|
|
|
return True;
|
|
}
|
|
|
|
BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
|
|
char **domain, char **user)
|
|
{
|
|
fstring fstr_domain, fstr_user;
|
|
if (!parse_domain_user(domuser, fstr_domain, fstr_user)) {
|
|
return False;
|
|
}
|
|
*domain = talloc_strdup(mem_ctx, fstr_domain);
|
|
*user = talloc_strdup(mem_ctx, fstr_user);
|
|
return ((*domain != NULL) && (*user != NULL));
|
|
}
|
|
|
|
/* Ensure an incoming username from NSS is fully qualified. Replace the
|
|
incoming fstring with DOMAIN <separator> user. Returns the same
|
|
values as parse_domain_user() but also replaces the incoming username.
|
|
Used to ensure all names are fully qualified within winbindd.
|
|
Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
|
|
The protocol definitions of auth_crap, chng_pswd_auth_crap
|
|
really should be changed to use this instead of doing things
|
|
by hand. JRA. */
|
|
|
|
BOOL canonicalize_username(fstring username_inout, fstring domain, fstring user)
|
|
{
|
|
if (!parse_domain_user(username_inout, domain, user)) {
|
|
return False;
|
|
}
|
|
slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
|
|
domain, *lp_winbind_separator(),
|
|
user);
|
|
return True;
|
|
}
|
|
|
|
/*
|
|
Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
|
|
'winbind separator' options.
|
|
This means:
|
|
- omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
|
|
lp_workgroup()
|
|
|
|
If we are a PDC or BDC, and this is for our domain, do likewise.
|
|
|
|
Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
|
|
username is then unqualified in unix
|
|
|
|
We always canonicalize as UPPERCASE DOMAIN, lowercase username.
|
|
*/
|
|
void fill_domain_username(fstring name, const char *domain, const char *user, BOOL can_assume)
|
|
{
|
|
fstring tmp_user;
|
|
|
|
fstrcpy(tmp_user, user);
|
|
strlower_m(tmp_user);
|
|
|
|
if (can_assume && assume_domain(domain)) {
|
|
strlcpy(name, tmp_user, sizeof(fstring));
|
|
} else {
|
|
slprintf(name, sizeof(fstring) - 1, "%s%c%s",
|
|
domain, *lp_winbind_separator(),
|
|
tmp_user);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Winbindd socket accessor functions
|
|
*/
|
|
|
|
char *get_winbind_priv_pipe_dir(void)
|
|
{
|
|
return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR);
|
|
}
|
|
|
|
/*
|
|
* Client list accessor functions
|
|
*/
|
|
|
|
static struct winbindd_cli_state *_client_list;
|
|
static int _num_clients;
|
|
|
|
/* Return list of all connected clients */
|
|
|
|
struct winbindd_cli_state *winbindd_client_list(void)
|
|
{
|
|
return _client_list;
|
|
}
|
|
|
|
/* Add a connection to the list */
|
|
|
|
void winbindd_add_client(struct winbindd_cli_state *cli)
|
|
{
|
|
DLIST_ADD(_client_list, cli);
|
|
_num_clients++;
|
|
}
|
|
|
|
/* Remove a client from the list */
|
|
|
|
void winbindd_remove_client(struct winbindd_cli_state *cli)
|
|
{
|
|
DLIST_REMOVE(_client_list, cli);
|
|
_num_clients--;
|
|
}
|
|
|
|
/* Close all open clients */
|
|
|
|
void winbindd_kill_all_clients(void)
|
|
{
|
|
struct winbindd_cli_state *cl = winbindd_client_list();
|
|
|
|
DEBUG(10, ("winbindd_kill_all_clients: going postal\n"));
|
|
|
|
while (cl) {
|
|
struct winbindd_cli_state *next;
|
|
|
|
next = cl->next;
|
|
winbindd_remove_client(cl);
|
|
cl = next;
|
|
}
|
|
}
|
|
|
|
/* Return number of open clients */
|
|
|
|
int winbindd_num_clients(void)
|
|
{
|
|
return _num_clients;
|
|
}
|
|
|
|
NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
const DOM_SID *user_sid,
|
|
uint32 *p_num_groups, DOM_SID **user_sids)
|
|
{
|
|
NET_USER_INFO_3 *info3 = NULL;
|
|
NTSTATUS status = NT_STATUS_NO_MEMORY;
|
|
int i;
|
|
size_t num_groups = 0;
|
|
DOM_SID group_sid, primary_group;
|
|
|
|
DEBUG(3,(": lookup_usergroups_cached\n"));
|
|
|
|
*user_sids = NULL;
|
|
num_groups = 0;
|
|
*p_num_groups = 0;
|
|
|
|
info3 = netsamlogon_cache_get(mem_ctx, user_sid);
|
|
|
|
if (info3 == NULL) {
|
|
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
}
|
|
|
|
if (info3->num_groups == 0) {
|
|
TALLOC_FREE(info3);
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
/* always add the primary group to the sid array */
|
|
sid_compose(&primary_group, &info3->dom_sid.sid, info3->user_rid);
|
|
|
|
if (!add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups)) {
|
|
TALLOC_FREE(info3);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
for (i=0; i<info3->num_groups; i++) {
|
|
sid_copy(&group_sid, &info3->dom_sid.sid);
|
|
sid_append_rid(&group_sid, info3->gids[i].g_rid);
|
|
|
|
if (!add_sid_to_array(mem_ctx, &group_sid, user_sids,
|
|
&num_groups)) {
|
|
TALLOC_FREE(info3);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
}
|
|
|
|
TALLOC_FREE(info3);
|
|
*p_num_groups = num_groups;
|
|
status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
|
|
|
|
DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
|
|
|
|
return status;
|
|
}
|
|
|
|
/*********************************************************************
|
|
We use this to remove spaces from user and group names
|
|
********************************************************************/
|
|
|
|
void ws_name_replace( char *name, char replace )
|
|
{
|
|
char replace_char[2] = { 0x0, 0x0 };
|
|
|
|
if ( !lp_winbind_normalize_names() || (replace == '\0') )
|
|
return;
|
|
|
|
replace_char[0] = replace;
|
|
all_string_sub( name, " ", replace_char, 0 );
|
|
|
|
return;
|
|
}
|
|
|
|
/*********************************************************************
|
|
We use this to do the inverse of ws_name_replace()
|
|
********************************************************************/
|
|
|
|
void ws_name_return( char *name, char replace )
|
|
{
|
|
char replace_char[2] = { 0x0, 0x0 };
|
|
|
|
if ( !lp_winbind_normalize_names() || (replace == '\0') )
|
|
return;
|
|
|
|
replace_char[0] = replace;
|
|
all_string_sub( name, replace_char, " ", 0 );
|
|
|
|
return;
|
|
}
|
|
|
|
/*********************************************************************
|
|
********************************************************************/
|
|
|
|
BOOL winbindd_can_contact_domain( struct winbindd_domain *domain )
|
|
{
|
|
/* We can contact the domain if it is our primary domain */
|
|
|
|
if ( domain->primary )
|
|
return True;
|
|
|
|
/* Can always contact a domain that is in out forest */
|
|
|
|
if ( domain->domain_flags & DS_DOMAIN_IN_FOREST )
|
|
return True;
|
|
|
|
/* We cannot contact the domain if it is running AD and
|
|
we have no inbound trust */
|
|
|
|
if ( domain->active_directory &&
|
|
((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) )
|
|
{
|
|
return False;
|
|
}
|
|
|
|
/* Assume everything else is ok (probably not true but what
|
|
can you do?) */
|
|
|
|
return True;
|
|
}
|