diff options
Diffstat (limited to 'source3/nsswitch')
32 files changed, 0 insertions, 29961 deletions
diff --git a/source3/nsswitch/idmap.c b/source3/nsswitch/idmap.c deleted file mode 100644 index 2c7acc185c..0000000000 --- a/source3/nsswitch/idmap.c +++ /dev/null @@ -1,1562 +0,0 @@ -/* - Unix SMB/CIFS implementation. - ID Mapping - Copyright (C) Tim Potter 2000 - Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003 - Copyright (C) Simo Sorce 2003-2007 - Copyright (C) Jeremy Allison 2006 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_IDMAP - -static_decl_idmap; - -struct idmap_backend { - const char *name; - struct idmap_methods *methods; - struct idmap_backend *prev, *next; -}; - -struct idmap_alloc_backend { - const char *name; - struct idmap_alloc_methods *methods; - struct idmap_alloc_backend *prev, *next; -}; - -struct idmap_cache_ctx; - -struct idmap_alloc_context { - const char *params; - struct idmap_alloc_methods *methods; - BOOL initialized; -}; - -static TALLOC_CTX *idmap_ctx = NULL; -static struct idmap_cache_ctx *idmap_cache; - -static struct idmap_backend *backends = NULL; -static struct idmap_domain **idmap_domains = NULL; -static int num_domains = 0; -static int pdb_dom_num = -1; -static int def_dom_num = -1; - -static struct idmap_alloc_backend *alloc_backends = NULL; -static struct idmap_alloc_context *idmap_alloc_ctx = NULL; - -#define IDMAP_CHECK_RET(ret) do { \ - if ( ! NT_STATUS_IS_OK(ret)) { \ - DEBUG(2, ("ERROR: NTSTATUS = 0x%08x\n", NT_STATUS_V(ret))); \ - goto done; \ - } } while(0) -#define IDMAP_REPORT_RET(ret) do { \ - if ( ! NT_STATUS_IS_OK(ret)) { \ - DEBUG(2, ("ERROR: NTSTATUS = 0x%08x\n", NT_STATUS_V(ret))); \ - } } while(0) -#define IDMAP_CHECK_ALLOC(mem) do { \ - if (!mem) { \ - DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; \ - goto done; \ - } } while(0) - -static struct idmap_methods *get_methods(struct idmap_backend *be, - const char *name) -{ - struct idmap_backend *b; - - for (b = be; b; b = b->next) { - if (strequal(b->name, name)) { - return b->methods; - } - } - - return NULL; -} - -static struct idmap_alloc_methods *get_alloc_methods( - struct idmap_alloc_backend *be, - const char *name) -{ - struct idmap_alloc_backend *b; - - for (b = be; b; b = b->next) { - if (strequal(b->name, name)) { - return b->methods; - } - } - - return NULL; -} - -BOOL idmap_is_offline(void) -{ - return ( lp_winbind_offline_logon() && - get_global_winbindd_state_offline() ); -} - -/********************************************************************** - Allow a module to register itself as a method. -**********************************************************************/ - -NTSTATUS smb_register_idmap(int version, const char *name, - struct idmap_methods *methods) -{ - struct idmap_methods *test; - struct idmap_backend *entry; - - if (!idmap_ctx) { - return NT_STATUS_INTERNAL_DB_ERROR; - } - - if ((version != SMB_IDMAP_INTERFACE_VERSION)) { - DEBUG(0, ("Failed to register idmap module.\n" - "The module was compiled against " - "SMB_IDMAP_INTERFACE_VERSION %d,\n" - "current SMB_IDMAP_INTERFACE_VERSION is %d.\n" - "Please recompile against the current version " - "of samba!\n", - version, SMB_IDMAP_INTERFACE_VERSION)); - return NT_STATUS_OBJECT_TYPE_MISMATCH; - } - - if (!name || !name[0] || !methods) { - DEBUG(0,("Called with NULL pointer or empty name!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - test = get_methods(backends, name); - if (test) { - DEBUG(0,("Idmap module %s already registered!\n", name)); - return NT_STATUS_OBJECT_NAME_COLLISION; - } - - entry = talloc(idmap_ctx, struct idmap_backend); - if ( ! entry) { - DEBUG(0,("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - entry->name = talloc_strdup(idmap_ctx, name); - if ( ! entry->name) { - DEBUG(0,("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - entry->methods = methods; - - DLIST_ADD(backends, entry); - DEBUG(5, ("Successfully added idmap backend '%s'\n", name)); - return NT_STATUS_OK; -} - -/********************************************************************** - Allow a module to register itself as a method. -**********************************************************************/ - -NTSTATUS smb_register_idmap_alloc(int version, const char *name, - struct idmap_alloc_methods *methods) -{ - struct idmap_alloc_methods *test; - struct idmap_alloc_backend *entry; - - if (!idmap_ctx) { - return NT_STATUS_INTERNAL_DB_ERROR; - } - - if ((version != SMB_IDMAP_INTERFACE_VERSION)) { - DEBUG(0, ("Failed to register idmap alloc module.\n" - "The module was compiled against " - "SMB_IDMAP_INTERFACE_VERSION %d,\n" - "current SMB_IDMAP_INTERFACE_VERSION is %d.\n" - "Please recompile against the current version " - "of samba!\n", - version, SMB_IDMAP_INTERFACE_VERSION)); - return NT_STATUS_OBJECT_TYPE_MISMATCH; - } - - if (!name || !name[0] || !methods) { - DEBUG(0,("Called with NULL pointer or empty name!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - test = get_alloc_methods(alloc_backends, name); - if (test) { - DEBUG(0,("idmap_alloc module %s already registered!\n", name)); - return NT_STATUS_OBJECT_NAME_COLLISION; - } - - entry = talloc(idmap_ctx, struct idmap_alloc_backend); - if ( ! entry) { - DEBUG(0,("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - entry->name = talloc_strdup(idmap_ctx, name); - if ( ! entry->name) { - DEBUG(0,("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - entry->methods = methods; - - DLIST_ADD(alloc_backends, entry); - DEBUG(5, ("Successfully added idmap alloc backend '%s'\n", name)); - return NT_STATUS_OK; -} - -static int close_domain_destructor(struct idmap_domain *dom) -{ - NTSTATUS ret; - - ret = dom->methods->close_fn(dom); - if (!NT_STATUS_IS_OK(ret)) { - DEBUG(3, ("Failed to close idmap domain [%s]!\n", dom->name)); - } - - return 0; -} - -/************************************************************************** - Shutdown. -**************************************************************************/ - -NTSTATUS idmap_close(void) -{ - /* close the alloc backend first before freeing idmap_ctx */ - if (idmap_alloc_ctx) { - idmap_alloc_ctx->methods->close_fn(); - idmap_alloc_ctx->methods = NULL; - } - alloc_backends = NULL; - - /* this talloc_free call will fire the talloc destructors - * that will free all active backends resources */ - TALLOC_FREE(idmap_ctx); - idmap_cache = NULL; - idmap_domains = NULL; - backends = NULL; - - return NT_STATUS_OK; -} - -/********************************************************************** - Initialise idmap cache and a remote backend (if configured). -**********************************************************************/ - -static const char *idmap_default_domain[] = { "default domain", NULL }; - -/**************************************************************************** - ****************************************************************************/ - -NTSTATUS idmap_init_cache(void) -{ - /* Always initialize the cache. We'll have to delay initialization - of backends if we are offline */ - - if ( idmap_ctx ) { - return NT_STATUS_OK; - } - - if ( (idmap_ctx = talloc_named_const(NULL, 0, "idmap_ctx")) == NULL ) { - return NT_STATUS_NO_MEMORY; - } - - if ( (idmap_cache = idmap_cache_init(idmap_ctx)) == NULL ) { - return NT_STATUS_UNSUCCESSFUL; - } - - return NT_STATUS_OK; -} - -/**************************************************************************** - ****************************************************************************/ - -NTSTATUS idmap_init(void) -{ - NTSTATUS ret; - static NTSTATUS idmap_init_status = NT_STATUS_UNSUCCESSFUL; - struct idmap_domain *dom; - char *compat_backend = NULL; - char *compat_params = NULL; - const char **dom_list = NULL; - char *alloc_backend = NULL; - BOOL default_already_defined = False; - BOOL pri_dom_is_in_list = False; - int compat = 0; - int i; - - ret = idmap_init_cache(); - if (!NT_STATUS_IS_OK(ret)) - return ret; - - if (NT_STATUS_IS_OK(idmap_init_status)) { - return NT_STATUS_OK; - } - - /* We can't reliably call intialization code here unless - we are online. But return NT_STATUS_OK so the upper - level code doesn't abort idmap lookups. */ - - if ( get_global_winbindd_state_offline() ) { - idmap_init_status = NT_STATUS_FILE_IS_OFFLINE; - return NT_STATUS_OK; - } - - static_init_idmap; - - dom_list = lp_idmap_domains(); - - if ( lp_idmap_backend() ) { - const char **compat_list = lp_idmap_backend(); - char *p = NULL; - const char *q = NULL; - - if ( dom_list ) { - DEBUG(0, ("WARNING: idmap backend and idmap domains are" - " mutually exclusive!\n")); - DEBUGADD(0,("idmap backend option will be IGNORED!\n")); - } else { - compat = 1; - - compat_backend = talloc_strdup(idmap_ctx, *compat_list); - if (compat_backend == NULL ) { - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - /* strip any leading idmap_ prefix of */ - if (strncmp(*compat_list, "idmap_", 6) == 0 ) { - q = *compat_list += 6; - DEBUG(0, ("WARNING: idmap backend uses obsolete" - " and deprecated 'idmap_' prefix.\n" - "Please replace 'idmap_%s' by '%s' in" - " %s\n", q, q, dyn_CONFIGFILE)); - compat_backend = talloc_strdup(idmap_ctx, q); - } else { - compat_backend = talloc_strdup(idmap_ctx, - *compat_list); - } - - /* separate the backend and module arguements */ - if ((p = strchr(compat_backend, ':')) != NULL) { - *p = '\0'; - compat_params = p + 1; - } - } - } else if ( !dom_list ) { - /* Back compatible: without idmap domains and explicit - idmap backend. Taking default idmap backend: tdb */ - - compat = 1; - compat_backend = talloc_strdup( idmap_ctx, "tdb"); - compat_params = compat_backend; - } - - if ( ! dom_list) { - dom_list = idmap_default_domain; - } - - /*************************** - * initialize idmap domains - */ - DEBUG(1, ("Initializing idmap domains\n")); - - for (i = 0; dom_list[i]; i++) { - const char *parm_backend; - char *config_option; - - /* ignore BUILTIN and local MACHINE domains */ - if (strequal(dom_list[i], "BUILTIN") - || strequal(dom_list[i], get_global_sam_name())) - { - DEBUG(0,("idmap_init: Ignoring invalid domain %s\n", - dom_list[i])); - continue; - } - - if (strequal(dom_list[i], lp_workgroup())) { - pri_dom_is_in_list = True; - } - /* init domain */ - - dom = TALLOC_ZERO_P(idmap_ctx, struct idmap_domain); - IDMAP_CHECK_ALLOC(dom); - - dom->name = talloc_strdup(dom, dom_list[i]); - IDMAP_CHECK_ALLOC(dom->name); - - config_option = talloc_asprintf(dom, "idmap config %s", - dom->name); - IDMAP_CHECK_ALLOC(config_option); - - /* default or specific ? */ - - dom->default_domain = lp_parm_bool(-1, config_option, - "default", False); - - if (dom->default_domain || - strequal(dom_list[i], idmap_default_domain[0])) { - - /* make sure this is set even when we match - * idmap_default_domain[0] */ - dom->default_domain = True; - - if (default_already_defined) { - DEBUG(1, ("ERROR: Multiple domains defined as" - " default!\n")); - ret = NT_STATUS_INVALID_PARAMETER; - goto done; - } - - default_already_defined = True; - - } - - dom->readonly = lp_parm_bool(-1, config_option, - "readonly", False); - - /* find associated backend (default: tdb) */ - if (compat) { - parm_backend = talloc_strdup(idmap_ctx, compat_backend); - } else { - parm_backend = talloc_strdup(idmap_ctx, - lp_parm_const_string( - -1, config_option, - "backend", "tdb")); - } - IDMAP_CHECK_ALLOC(parm_backend); - - /* get the backend methods for this domain */ - dom->methods = get_methods(backends, parm_backend); - - if ( ! dom->methods) { - ret = smb_probe_module("idmap", parm_backend); - if (NT_STATUS_IS_OK(ret)) { - dom->methods = get_methods(backends, - parm_backend); - } - } - if ( ! dom->methods) { - DEBUG(0, ("ERROR: Could not get methods for " - "backend %s\n", parm_backend)); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - /* check the set_mapping function exists otherwise mark the - * module as readonly */ - if ( ! dom->methods->set_mapping) { - DEBUG(5, ("Forcing to readonly, as this module can't" - " store arbitrary mappings.\n")); - dom->readonly = True; - } - - /* now that we have methods, - * set the destructor for this domain */ - talloc_set_destructor(dom, close_domain_destructor); - - if (compat_params) { - dom->params = talloc_strdup(dom, compat_params); - IDMAP_CHECK_ALLOC(dom->params); - } else { - dom->params = NULL; - } - - /* Finally instance a backend copy for this domain */ - ret = dom->methods->init(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(0, ("ERROR: Initialization failed for backend " - "%s (domain %s), deferred!\n", - parm_backend, dom->name)); - } - idmap_domains = talloc_realloc(idmap_ctx, idmap_domains, - struct idmap_domain *, i+1); - if ( ! idmap_domains) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - idmap_domains[i] = dom; - - /* save default domain position for future uses */ - if (dom->default_domain) { - def_dom_num = i; - } - - DEBUG(10, ("Domain %s - Backend %s - %sdefault - %sreadonly\n", - dom->name, parm_backend, - dom->default_domain?"":"not ", - dom->readonly?"":"not ")); - - talloc_free(config_option); - } - - /* save the number of domains we have */ - num_domains = i; - - /* automatically add idmap_nss backend if needed */ - if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && - ( ! pri_dom_is_in_list) && - lp_winbind_trusted_domains_only()) { - - dom = TALLOC_ZERO_P(idmap_ctx, struct idmap_domain); - IDMAP_CHECK_ALLOC(dom); - - dom->name = talloc_strdup(dom, lp_workgroup()); - IDMAP_CHECK_ALLOC(dom->name); - - dom->default_domain = False; - dom->readonly = True; - - /* get the backend methods for passdb */ - dom->methods = get_methods(backends, "nss"); - - /* (the nss module is always statically linked) */ - if ( ! dom->methods) { - DEBUG(0, ("ERROR: No methods for idmap_nss ?!\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - /* now that we have methods, - * set the destructor for this domain */ - talloc_set_destructor(dom, close_domain_destructor); - - if (compat_params) { - dom->params = talloc_strdup(dom, compat_params); - IDMAP_CHECK_ALLOC(dom->params); - } else { - dom->params = NULL; - } - - /* Finally instance a backend copy for this domain */ - ret = dom->methods->init(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(0, ("ERROR: Init. failed for idmap_nss ?!\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - idmap_domains = talloc_realloc(idmap_ctx, - idmap_domains, - struct idmap_domain *, - num_domains+1); - if ( ! idmap_domains) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - idmap_domains[num_domains] = dom; - - DEBUG(10, ("Domain %s - Backend nss - not default - readonly\n", - dom->name )); - - num_domains++; - } - - /**** automatically add idmap_passdb backend ****/ - dom = TALLOC_ZERO_P(idmap_ctx, struct idmap_domain); - IDMAP_CHECK_ALLOC(dom); - - dom->name = talloc_strdup(dom, get_global_sam_name()); - IDMAP_CHECK_ALLOC(dom->name); - - dom->default_domain = False; - dom->readonly = True; - - /* get the backend methods for passdb */ - dom->methods = get_methods(backends, "passdb"); - - /* (the passdb module is always statically linked) */ - if ( ! dom->methods) { - DEBUG(0, ("ERROR: No methods for idmap_passdb ?!\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - /* now that we have methods, set the destructor for this domain */ - talloc_set_destructor(dom, close_domain_destructor); - - if (compat_params) { - dom->params = talloc_strdup(dom, compat_params); - IDMAP_CHECK_ALLOC(dom->params); - } else { - dom->params = NULL; - } - - /* Finally instance a backend copy for this domain */ - ret = dom->methods->init(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(0, ("ERROR: Init. failed for idmap_passdb ?!\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - idmap_domains = talloc_realloc(idmap_ctx, - idmap_domains, - struct idmap_domain *, - num_domains+1); - if ( ! idmap_domains) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - idmap_domains[num_domains] = dom; - - /* needed to handle special BUILTIN and wellknown SIDs cases */ - pdb_dom_num = num_domains; - - DEBUG(10, ("Domain %s - Backend passdb - not default - readonly\n", - dom->name)); - - num_domains++; - /**** finished adding idmap_passdb backend ****/ - - /* sort domains so that the default is the last one */ - /* don't sort if no default domain defined */ - if (def_dom_num != -1 && def_dom_num != num_domains-1) { - /* default is not last, move it */ - struct idmap_domain *tmp; - - if (pdb_dom_num > def_dom_num) { - pdb_dom_num --; - - } else if (pdb_dom_num == def_dom_num) { /* ?? */ - pdb_dom_num = num_domains - 1; - } - - tmp = idmap_domains[def_dom_num]; - - for (i = def_dom_num; i < num_domains-1; i++) { - idmap_domains[i] = idmap_domains[i+1]; - } - idmap_domains[i] = tmp; - def_dom_num = i; - } - - - /* Initialize alloc module */ - - DEBUG(3, ("Initializing idmap alloc module\n")); - - alloc_backend = NULL; - if (compat) { - alloc_backend = talloc_strdup(idmap_ctx, compat_backend); - } else { - char *ab = lp_idmap_alloc_backend(); - - if (ab && (ab[0] != '\0')) { - alloc_backend = talloc_strdup(idmap_ctx, - lp_idmap_alloc_backend()); - } - } - - if ( alloc_backend ) { - - idmap_alloc_ctx = TALLOC_ZERO_P(idmap_ctx, - struct idmap_alloc_context); - IDMAP_CHECK_ALLOC(idmap_alloc_ctx); - - idmap_alloc_ctx->methods = get_alloc_methods(alloc_backends, - alloc_backend); - if ( ! idmap_alloc_ctx->methods) { - ret = smb_probe_module("idmap", alloc_backend); - if (NT_STATUS_IS_OK(ret)) { - idmap_alloc_ctx->methods = - get_alloc_methods(alloc_backends, - alloc_backend); - } - } - if (idmap_alloc_ctx->methods) { - - if (compat_params) { - idmap_alloc_ctx->params = - talloc_strdup(idmap_alloc_ctx, - compat_params); - IDMAP_CHECK_ALLOC(idmap_alloc_ctx->params); - } else { - idmap_alloc_ctx->params = NULL; - } - - ret = idmap_alloc_ctx->methods->init(idmap_alloc_ctx->params); - if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(0, ("ERROR: Initialization failed for " - "alloc backend %s, deferred!\n", - alloc_backend)); - } else { - idmap_alloc_ctx->initialized = True; - } - } else { - DEBUG(2, ("idmap_init: Unable to get methods for " - "alloc backend %s\n", - alloc_backend)); - /* certain compat backends are just readonly */ - if ( compat ) { - TALLOC_FREE(idmap_alloc_ctx); - ret = NT_STATUS_OK; - } else { - ret = NT_STATUS_UNSUCCESSFUL; - } - } - } - - /* cleanpu temporary strings */ - TALLOC_FREE( compat_backend ); - - idmap_init_status = NT_STATUS_OK; - - return ret; - -done: - DEBUG(0, ("Aborting IDMAP Initialization ...\n")); - idmap_close(); - - return ret; -} - -static NTSTATUS idmap_alloc_init(void) -{ - NTSTATUS ret; - - if (! NT_STATUS_IS_OK(ret = idmap_init())) { - return ret; - } - - if ( ! idmap_alloc_ctx) { - return NT_STATUS_NOT_SUPPORTED; - } - - if ( ! idmap_alloc_ctx->initialized) { - ret = idmap_alloc_ctx->methods->init(idmap_alloc_ctx->params); - if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(0, ("ERROR: Initialization failed for alloc " - "backend, deferred!\n")); - return ret; - } else { - idmap_alloc_ctx->initialized = True; - } - } - - return NT_STATUS_OK; -} - -/************************************************************************** - idmap allocator interface functions -**************************************************************************/ - -NTSTATUS idmap_allocate_uid(struct unixid *id) -{ - NTSTATUS ret; - - if (! NT_STATUS_IS_OK(ret = idmap_alloc_init())) { - return ret; - } - - id->type = ID_TYPE_UID; - return idmap_alloc_ctx->methods->allocate_id(id); -} - -NTSTATUS idmap_allocate_gid(struct unixid *id) -{ - NTSTATUS ret; - - if (! NT_STATUS_IS_OK(ret = idmap_alloc_init())) { - return ret; - } - - id->type = ID_TYPE_GID; - return idmap_alloc_ctx->methods->allocate_id(id); -} - -NTSTATUS idmap_set_uid_hwm(struct unixid *id) -{ - NTSTATUS ret; - - if (! NT_STATUS_IS_OK(ret = idmap_alloc_init())) { - return ret; - } - - id->type = ID_TYPE_UID; - return idmap_alloc_ctx->methods->set_id_hwm(id); -} - -NTSTATUS idmap_set_gid_hwm(struct unixid *id) -{ - NTSTATUS ret; - - if (! NT_STATUS_IS_OK(ret = idmap_alloc_init())) { - return ret; - } - - id->type = ID_TYPE_GID; - return idmap_alloc_ctx->methods->set_id_hwm(id); -} - -/****************************************************************************** - Lookup an idmap_domain give a full user or group SID - ******************************************************************************/ - -static struct idmap_domain* find_idmap_domain_from_sid( DOM_SID *account_sid ) -{ - DOM_SID domain_sid; - uint32 rid; - struct winbindd_domain *domain = NULL; - int i; - - /* 1. Handle BUILTIN or Special SIDs and prevent them from - falling into the default domain space (if we have a - configured passdb backend. */ - - if ( (pdb_dom_num != -1) && - (sid_check_is_in_builtin(account_sid) || - sid_check_is_in_wellknown_domain(account_sid) || - sid_check_is_in_unix_groups(account_sid) || - sid_check_is_in_unix_users(account_sid)) ) - { - return idmap_domains[pdb_dom_num]; - } - - /* 2. Lookup the winbindd_domain from the account_sid */ - - sid_copy( &domain_sid, account_sid ); - sid_split_rid( &domain_sid, &rid ); - domain = find_domain_from_sid_noinit( &domain_sid ); - - for (i = 0; domain && i < num_domains; i++) { - if ( strequal( idmap_domains[i]->name, domain->name ) ) { - return idmap_domains[i]; - } - } - - /* 3. Fall back to the default domain */ - - if ( def_dom_num != -1 ) { - return idmap_domains[def_dom_num]; - } - - return NULL; -} - -/****************************************************************************** - Lookup an index given an idmap_domain pointer - ******************************************************************************/ - -static uint32 find_idmap_domain_index( struct idmap_domain *id_domain) -{ - int i; - - for (i = 0; i < num_domains; i++) { - if ( idmap_domains[i] == id_domain ) - return i; - } - - return -1; -} - - -/********************************************************* - Check if creating a mapping is permitted for the domain -*********************************************************/ - -static NTSTATUS idmap_can_map(const struct id_map *map, - struct idmap_domain **ret_dom) -{ - struct idmap_domain *dom; - - /* Check we do not create mappings for our own local domain, - * or BUILTIN or special SIDs */ - if ((sid_compare_domain(map->sid, get_global_sam_sid()) == 0) || - sid_check_is_in_builtin(map->sid) || - sid_check_is_in_wellknown_domain(map->sid) || - sid_check_is_in_unix_users(map->sid) || - sid_check_is_in_unix_groups(map->sid) ) - { - DEBUG(10, ("We are not supposed to create mappings for our own " - "domains (local, builtin, specials)\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - /* Special check for trusted domain only = Yes */ - if (lp_winbind_trusted_domains_only()) { - struct winbindd_domain *wdom = find_our_domain(); - if (wdom && (sid_compare_domain(map->sid, &wdom->sid) == 0)) { - DEBUG(10, ("We are not supposed to create mappings for " - "our primary domain when <trusted domain " - "only> is True\n")); - DEBUGADD(10, ("Leave [%s] unmapped\n", - sid_string_static(map->sid))); - return NT_STATUS_UNSUCCESSFUL; - } - } - - if ( (dom = find_idmap_domain_from_sid( map->sid )) == NULL ) { - /* huh, couldn't find a suitable domain, - * let's just leave it unmapped */ - DEBUG(10, ("Could not find idmap backend for SID %s", - sid_string_static(map->sid))); - return NT_STATUS_NO_SUCH_DOMAIN; - } - - if (dom->readonly) { - /* ouch the domain is read only, - * let's just leave it unmapped */ - DEBUG(10, ("idmap backend for SID %s is READONLY!\n", - sid_string_static(map->sid))); - return NT_STATUS_UNSUCCESSFUL; - } - - *ret_dom = dom; - return NT_STATUS_OK; -} - -static NTSTATUS idmap_new_mapping(TALLOC_CTX *ctx, struct id_map *map) -{ - NTSTATUS ret; - struct idmap_domain *dom; - - /* If we are offline we cannot lookup SIDs, deny mapping */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - ret = idmap_can_map(map, &dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return NT_STATUS_NONE_MAPPED; - } - - /* check if this is a valid SID and then map it */ - switch (map->xid.type) { - case ID_TYPE_UID: - ret = idmap_allocate_uid(&map->xid); - if ( ! NT_STATUS_IS_OK(ret)) { - /* can't allocate id, let's just leave it unmapped */ - DEBUG(2, ("uid allocation failed! " - "Can't create mapping\n")); - return NT_STATUS_NONE_MAPPED; - } - break; - case ID_TYPE_GID: - ret = idmap_allocate_gid(&map->xid); - if ( ! NT_STATUS_IS_OK(ret)) { - /* can't allocate id, let's just leave it unmapped */ - DEBUG(2, ("gid allocation failed! " - "Can't create mapping\n")); - return NT_STATUS_NONE_MAPPED; - } - break; - default: - /* invalid sid, let's just leave it unmapped */ - DEBUG(3,("idmap_new_mapping: Refusing to create a " - "mapping for an unspecified ID type.\n")); - return NT_STATUS_NONE_MAPPED; - } - - /* ok, got a new id, let's set a mapping */ - map->status = ID_MAPPED; - - DEBUG(10, ("Setting mapping: %s <-> %s %lu\n", - sid_string_static(map->sid), - (map->xid.type == ID_TYPE_UID) ? "UID" : "GID", - (unsigned long)map->xid.id)); - ret = dom->methods->set_mapping(dom, map); - - if ( ! NT_STATUS_IS_OK(ret)) { - /* something wrong here :-( */ - DEBUG(2, ("Failed to commit mapping\n!")); - - /* TODO: would it make sense to have an "unalloc_id function?" */ - - return NT_STATUS_NONE_MAPPED; - } - - return NT_STATUS_OK; -} - -static NTSTATUS idmap_backends_set_mapping(const struct id_map *map) -{ - struct idmap_domain *dom; - NTSTATUS ret; - - DEBUG(10, ("Setting mapping %s <-> %s %lu\n", - sid_string_static(map->sid), - (map->xid.type == ID_TYPE_UID) ? "UID" : "GID", - (unsigned long)map->xid.id)); - - ret = idmap_can_map(map, &dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - - DEBUG(10,("set_mapping for domain %s\n", dom->name )); - - return dom->methods->set_mapping(dom, map); -} - -static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids) -{ - struct idmap_domain *dom; - struct id_map **unmapped; - struct id_map **_ids; - TALLOC_CTX *ctx; - NTSTATUS ret; - int i, u, n; - - if (!ids || !*ids) { - DEBUG(1, ("Invalid list of maps\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - ctx = talloc_named_const(NULL, 0, "idmap_backends_unixids_to_sids ctx"); - if ( ! ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - DEBUG(10, ("Query backends to map ids->sids\n")); - - /* start from the default (the last one) and then if there are still - * unmapped entries cycle through the others */ - - _ids = ids; - - unmapped = NULL; - for (n = num_domains-1; n >= 0; n--) { /* cycle backwards */ - - dom = idmap_domains[n]; - - DEBUG(10, ("Query sids from domain %s\n", dom->name)); - - ret = dom->methods->unixids_to_sids(dom, _ids); - IDMAP_REPORT_RET(ret); - - unmapped = NULL; - - for (i = 0, u = 0; _ids[i]; i++) { - if (_ids[i]->status != ID_MAPPED) { - unmapped = talloc_realloc(ctx, unmapped, - struct id_map *, u + 2); - IDMAP_CHECK_ALLOC(unmapped); - unmapped[u] = _ids[i]; - u++; - } - } - if (unmapped) { - /* terminate the unmapped list */ - unmapped[u] = NULL; - } else { /* no more entries, get out */ - break; - } - - _ids = unmapped; - - } - - if (unmapped) { - /* there are still unmapped ids, - * map them to the unix users/groups domains */ - /* except for expired entries, - * these will be returned as valid (offline mode) */ - for (i = 0; unmapped[i]; i++) { - if (unmapped[i]->status == ID_EXPIRED) continue; - switch (unmapped[i]->xid.type) { - case ID_TYPE_UID: - uid_to_unix_users_sid( - (uid_t)unmapped[i]->xid.id, - unmapped[i]->sid); - unmapped[i]->status = ID_MAPPED; - break; - case ID_TYPE_GID: - gid_to_unix_groups_sid( - (gid_t)unmapped[i]->xid.id, - unmapped[i]->sid); - unmapped[i]->status = ID_MAPPED; - break; - default: /* what?! */ - unmapped[i]->status = ID_UNKNOWN; - break; - } - } - } - - ret = NT_STATUS_OK; - -done: - talloc_free(ctx); - return ret; -} - -static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids) -{ - struct id_map ***dom_ids; - struct idmap_domain *dom; - TALLOC_CTX *ctx; - NTSTATUS ret; - int i, *counters; - - if ( (ctx = talloc_named_const(NULL, 0, "be_sids_to_ids")) == NULL ) { - DEBUG(1, ("failed to allocate talloc context, OOM?\n")); - return NT_STATUS_NO_MEMORY; - } - - DEBUG(10, ("Query backends to map sids->ids\n")); - - /* split list per domain */ - if (num_domains == 0) { - DEBUG(1, ("No domains available?\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - dom_ids = TALLOC_ZERO_ARRAY(ctx, struct id_map **, num_domains); - IDMAP_CHECK_ALLOC(dom_ids); - counters = TALLOC_ZERO_ARRAY(ctx, int, num_domains); - IDMAP_CHECK_ALLOC(counters); - - /* partition the requests by domain */ - - for (i = 0; ids[i]; i++) { - uint32 idx; - - if ((dom = find_idmap_domain_from_sid(ids[i]->sid)) == NULL) { - /* no available idmap_domain. Move on */ - continue; - } - - DEBUG(10,("SID %s is being handled by %s\n", - sid_string_static(ids[i]->sid), - dom ? dom->name : "none" )); - - idx = find_idmap_domain_index( dom ); - SMB_ASSERT( idx != -1 ); - - dom_ids[idx] = talloc_realloc(ctx, dom_ids[idx], - struct id_map *, - counters[idx] + 2); - IDMAP_CHECK_ALLOC(dom_ids[idx]); - - dom_ids[idx][counters[idx]] = ids[i]; - counters[idx]++; - dom_ids[idx][counters[idx]] = NULL; - } - - /* All the ids have been dispatched in the right queues. - Let's cycle through the filled ones */ - - for (i = 0; i < num_domains; i++) { - if (dom_ids[i]) { - dom = idmap_domains[i]; - DEBUG(10, ("Query ids from domain %s\n", dom->name)); - ret = dom->methods->sids_to_unixids(dom, dom_ids[i]); - IDMAP_REPORT_RET(ret); - } - } - - /* ok all the backends have been contacted at this point */ - /* let's see if we have any unmapped SID left and act accordingly */ - - for (i = 0; ids[i]; i++) { - /* NOTE: this will NOT touch ID_EXPIRED entries that the backend - * was not able to confirm/deny (offline mode) */ - if (ids[i]->status == ID_UNKNOWN || - ids[i]->status == ID_UNMAPPED) { - /* ok this is an unmapped one, see if we can map it */ - ret = idmap_new_mapping(ctx, ids[i]); - if (NT_STATUS_IS_OK(ret)) { - /* successfully mapped */ - ids[i]->status = ID_MAPPED; - } else - if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) { - /* could not map it */ - ids[i]->status = ID_UNMAPPED; - } else { - /* Something very bad happened down there - * OR we are offline */ - ids[i]->status = ID_UNKNOWN; - } - } - } - - ret = NT_STATUS_OK; - -done: - talloc_free(ctx); - return ret; -} - -/************************************************************************** - idmap interface functions -**************************************************************************/ - -NTSTATUS idmap_unixids_to_sids(struct id_map **ids) -{ - TALLOC_CTX *ctx; - NTSTATUS ret; - struct id_map **bids; - int i, bi; - int bn = 0; - struct winbindd_domain *our_domain = find_our_domain(); - - if (! NT_STATUS_IS_OK(ret = idmap_init())) { - return ret; - } - - if (!ids || !*ids) { - DEBUG(1, ("Invalid list of maps\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - ctx = talloc_named_const(NULL, 0, "idmap_unixids_to_sids ctx"); - if ( ! ctx) { - DEBUG(1, ("failed to allocate talloc context, OOM?\n")); - return NT_STATUS_NO_MEMORY; - } - - /* no ids to be asked to the backends by default */ - bids = NULL; - bi = 0; - - for (i = 0; ids[i]; i++) { - - if ( ! ids[i]->sid) { - DEBUG(1, ("invalid null SID in id_map array")); - talloc_free(ctx); - return NT_STATUS_INVALID_PARAMETER; - } - - ret = idmap_cache_map_id(idmap_cache, ids[i]); - - if ( ! NT_STATUS_IS_OK(ret)) { - - if ( ! bids) { - /* alloc space for ids to be resolved by - * backends (realloc ten by ten) */ - bids = TALLOC_ARRAY(ctx, struct id_map *, 10); - if ( ! bids) { - DEBUG(1, ("Out of memory!\n")); - talloc_free(ctx); - return NT_STATUS_NO_MEMORY; - } - bn = 10; - } - - /* add this id to the ones to be retrieved - * from the backends */ - bids[bi] = ids[i]; - bi++; - - /* check if we need to allocate new space - * on the rids array */ - if (bi == bn) { - bn += 10; - bids = talloc_realloc(ctx, bids, - struct id_map *, bn); - if ( ! bids) { - DEBUG(1, ("Out of memory!\n")); - talloc_free(ctx); - return NT_STATUS_NO_MEMORY; - } - } - - /* make sure the last element is NULL */ - bids[bi] = NULL; - } - } - - /* let's see if there is any id mapping to be retieved - * from the backends */ - if (bi) { - /* Only do query if we are online */ - if ( IS_DOMAIN_OFFLINE(our_domain) ) { - ret = NT_STATUS_FILE_IS_OFFLINE; - goto done; - } - - ret = idmap_backends_unixids_to_sids(bids); - IDMAP_CHECK_RET(ret); - - /* update the cache */ - for (i = 0; i < bi; i++) { - if (bids[i]->status == ID_MAPPED) { - ret = idmap_cache_set(idmap_cache, bids[i]); - } else if (bids[i]->status == ID_EXPIRED) { - /* the cache returned an expired entry and the - * backend was not able to clear the situation - * (offline). This handles a previous - * NT_STATUS_SYNCHRONIZATION_REQUIRED - * for disconnected mode, */ - bids[i]->status = ID_MAPPED; - } else if (bids[i]->status == ID_UNKNOWN) { - /* something bad here. We were not able to - * handle this for some reason, mark it as - * unmapped and hope next time things will - * settle down. */ - bids[i]->status = ID_UNMAPPED; - } else { /* unmapped */ - ret = idmap_cache_set_negative_id(idmap_cache, - bids[i]); - } - IDMAP_CHECK_RET(ret); - } - } - - ret = NT_STATUS_OK; -done: - talloc_free(ctx); - return ret; -} - -NTSTATUS idmap_sids_to_unixids(struct id_map **ids) -{ - TALLOC_CTX *ctx; - NTSTATUS ret; - struct id_map **bids; - int i, bi; - int bn = 0; - struct winbindd_domain *our_domain = find_our_domain(); - - if (! NT_STATUS_IS_OK(ret = idmap_init())) { - return ret; - } - - if (!ids || !*ids) { - DEBUG(1, ("Invalid list of maps\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - ctx = talloc_named_const(NULL, 0, "idmap_sids_to_unixids ctx"); - if ( ! ctx) { - DEBUG(1, ("failed to allocate talloc context, OOM?\n")); - return NT_STATUS_NO_MEMORY; - } - - /* no ids to be asked to the backends by default */ - bids = NULL; - bi = 0; - - for (i = 0; ids[i]; i++) { - - if ( ! ids[i]->sid) { - DEBUG(1, ("invalid null SID in id_map array\n")); - talloc_free(ctx); - return NT_STATUS_INVALID_PARAMETER; - } - - ret = idmap_cache_map_sid(idmap_cache, ids[i]); - - if ( ! NT_STATUS_IS_OK(ret)) { - - if ( ! bids) { - /* alloc space for ids to be resolved - by backends (realloc ten by ten) */ - bids = TALLOC_ARRAY(ctx, struct id_map *, 10); - if ( ! bids) { - DEBUG(1, ("Out of memory!\n")); - talloc_free(ctx); - return NT_STATUS_NO_MEMORY; - } - bn = 10; - } - - /* add this id to the ones to be retrieved - * from the backends */ - bids[bi] = ids[i]; - bi++; - - /* check if we need to allocate new space - * on the ids array */ - if (bi == bn) { - bn += 10; - bids = talloc_realloc(ctx, bids, - struct id_map *, bn); - if ( ! bids) { - DEBUG(1, ("Out of memory!\n")); - talloc_free(ctx); - return NT_STATUS_NO_MEMORY; - } - } - - /* make sure the last element is NULL */ - bids[bi] = NULL; - } - } - - /* let's see if there is any id mapping to be retieved - * from the backends */ - if (bids) { - /* Only do query if we are online */ - if ( IS_DOMAIN_OFFLINE(our_domain) ) { - ret = NT_STATUS_FILE_IS_OFFLINE; - goto done; - } - - ret = idmap_backends_sids_to_unixids(bids); - IDMAP_CHECK_RET(ret); - - /* update the cache */ - for (i = 0; bids[i]; i++) { - if (bids[i]->status == ID_MAPPED) { - ret = idmap_cache_set(idmap_cache, bids[i]); - } else if (bids[i]->status == ID_EXPIRED) { - /* the cache returned an expired entry and the - * backend was not able to clear the situation - * (offline). This handles a previous - * NT_STATUS_SYNCHRONIZATION_REQUIRED - * for disconnected mode, */ - bids[i]->status = ID_MAPPED; - } else if (bids[i]->status == ID_UNKNOWN) { - /* something bad here. We were not able to - * handle this for some reason, mark it as - * unmapped and hope next time things will - * settle down. */ - bids[i]->status = ID_UNMAPPED; - } else { /* unmapped */ - ret = idmap_cache_set_negative_sid(idmap_cache, - bids[i]); - } - IDMAP_CHECK_RET(ret); - } - } - - ret = NT_STATUS_OK; -done: - talloc_free(ctx); - return ret; -} - -NTSTATUS idmap_set_mapping(const struct id_map *id) -{ - TALLOC_CTX *ctx; - NTSTATUS ret; - - if (! NT_STATUS_IS_OK(ret = idmap_init())) { - return ret; - } - - /* sanity checks */ - if ((id->sid == NULL) || (id->status != ID_MAPPED)) { - DEBUG(1, ("NULL SID or unmapped entry\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - /* TODO: check uid/gid range ? */ - - ctx = talloc_named_const(NULL, 0, "idmap_set_mapping ctx"); - if ( ! ctx) { - DEBUG(1, ("failed to allocate talloc context, OOM?\n")); - return NT_STATUS_NO_MEMORY; - } - - /* set the new mapping */ - ret = idmap_backends_set_mapping(id); - IDMAP_CHECK_RET(ret); - - /* set the mapping in the cache */ - ret = idmap_cache_set(idmap_cache, id); - IDMAP_CHECK_RET(ret); - -done: - talloc_free(ctx); - return ret; -} - -/************************************************************************** - Dump backend status. -**************************************************************************/ - -void idmap_dump_maps(char *logfile) -{ - NTSTATUS ret; - struct unixid allid; - struct id_map *maps; - int num_maps; - FILE *dump; - int i; - - if (! NT_STATUS_IS_OK(ret = idmap_init())) { - return; - } - - dump = fopen(logfile, "w"); - if ( ! dump) { - DEBUG(0, ("Unable to open open stream for file [%s], " - "errno: %d\n", logfile, errno)); - return; - } - - if (NT_STATUS_IS_OK(ret = idmap_alloc_init())) { - allid.type = ID_TYPE_UID; - allid.id = 0; - idmap_alloc_ctx->methods->get_id_hwm(&allid); - fprintf(dump, "USER HWM %lu\n", (unsigned long)allid.id); - - allid.type = ID_TYPE_GID; - allid.id = 0; - idmap_alloc_ctx->methods->get_id_hwm(&allid); - fprintf(dump, "GROUP HWM %lu\n", (unsigned long)allid.id); - } - - maps = talloc(idmap_ctx, struct id_map); - num_maps = 0; - - for (i = 0; i < num_domains; i++) { - if (idmap_domains[i]->methods->dump_data) { - idmap_domains[i]->methods->dump_data(idmap_domains[i], - &maps, &num_maps); - } - } - - for (i = 0; i < num_maps; i++) { - switch (maps[i].xid.type) { - case ID_TYPE_UID: - fprintf(dump, "UID %lu %s\n", - (unsigned long)maps[i].xid.id, - sid_string_static(maps[i].sid)); - break; - case ID_TYPE_GID: - fprintf(dump, "GID %lu %s\n", - (unsigned long)maps[i].xid.id, - sid_string_static(maps[i].sid)); - break; - case ID_TYPE_NOT_SPECIFIED: - break; - } - } - - fflush(dump); - fclose(dump); -} - -char *idmap_fetch_secret(const char *backend, bool alloc, - const char *domain, const char *identity) -{ - char *tmp, *ret; - int r; - - if (alloc) { - r = asprintf(&tmp, "IDMAP_ALLOC_%s", backend); - } else { - r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain); - } - - if (r < 0) - return NULL; - - strupper_m(tmp); /* make sure the key is case insensitive */ - ret = secrets_fetch_generic(tmp, identity); - - SAFE_FREE(tmp); - - return ret; -} - diff --git a/source3/nsswitch/idmap_ad.c b/source3/nsswitch/idmap_ad.c deleted file mode 100644 index 41dbb471f9..0000000000 --- a/source3/nsswitch/idmap_ad.c +++ /dev/null @@ -1,870 +0,0 @@ -/* - * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts - * - * Unix SMB/CIFS implementation. - * - * Winbind ADS backend functions - * - * Copyright (C) Andrew Tridgell 2001 - * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003 - * Copyright (C) Gerald (Jerry) Carter 2004-2007 - * Copyright (C) Luke Howard 2001-2004 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_IDMAP - -#define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache" - -#define IDMAP_AD_MAX_IDS 30 -#define CHECK_ALLOC_DONE(mem) do { \ - if (!mem) { \ - DEBUG(0, ("Out of memory!\n")); \ - ret = NT_STATUS_NO_MEMORY; \ - goto done; \ - } \ -} while (0) - -struct idmap_ad_context { - uint32_t filter_low_id; - uint32_t filter_high_id; -}; - -NTSTATUS init_module(void); - -static ADS_STRUCT *ad_idmap_ads = NULL; -static struct posix_schema *ad_schema = NULL; -static enum wb_posix_mapping ad_map_type = WB_POSIX_MAP_UNKNOWN; - -/************************************************************************ - ***********************************************************************/ - -static ADS_STRUCT *ad_idmap_cached_connection_internal(void) -{ - ADS_STRUCT *ads; - ADS_STATUS status; - BOOL local = False; - fstring dc_name; - struct in_addr dc_ip; - - if (ad_idmap_ads != NULL) { - - time_t expire; - time_t now = time(NULL); - - ads = ad_idmap_ads; - - expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire); - - /* check for a valid structure */ - DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n", - (uint32)expire-(uint32)now, (uint32) expire, (uint32) now)); - - if ( ads->config.realm && (expire > time(NULL))) { - return ads; - } else { - /* we own this ADS_STRUCT so make sure it goes away */ - DEBUG(7,("Deleting expired krb5 credential cache\n")); - ads->is_mine = True; - ads_destroy( &ads ); - ads_kdestroy(WINBIND_CCACHE_NAME); - ad_idmap_ads = NULL; - TALLOC_FREE( ad_schema ); - } - } - - if (!local) { - /* we don't want this to affect the users ccache */ - setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1); - } - - if ( (ads = ads_init(lp_realm(), lp_workgroup(), NULL)) == NULL ) { - DEBUG(1,("ads_init failed\n")); - return NULL; - } - - /* the machine acct password might have change - fetch it every time */ - SAFE_FREE(ads->auth.password); - ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); - - SAFE_FREE(ads->auth.realm); - ads->auth.realm = SMB_STRDUP(lp_realm()); - - /* setup server affinity */ - - get_dc_name( NULL, ads->auth.realm, dc_name, &dc_ip ); - - status = ads_connect(ads); - if (!ADS_ERR_OK(status)) { - DEBUG(1, ("ad_idmap_init: failed to connect to AD\n")); - ads_destroy(&ads); - return NULL; - } - - ads->is_mine = False; - - ad_idmap_ads = ads; - - return ads; -} - -/************************************************************************ - ***********************************************************************/ - -static ADS_STRUCT *ad_idmap_cached_connection(void) -{ - ADS_STRUCT *ads = ad_idmap_cached_connection_internal(); - - if ( !ads ) - return NULL; - - /* if we have a valid ADS_STRUCT and the schema model is - defined, then we can return here. */ - - if ( ad_schema ) - return ads; - - /* Otherwise, set the schema model */ - - if ( (ad_map_type == WB_POSIX_MAP_SFU) || - (ad_map_type == WB_POSIX_MAP_SFU20) || - (ad_map_type == WB_POSIX_MAP_RFC2307) ) - { - ADS_STATUS schema_status; - - schema_status = ads_check_posix_schema_mapping( NULL, ads, ad_map_type, &ad_schema); - if ( !ADS_ERR_OK(schema_status) ) { - DEBUG(2,("ad_idmap_cached_connection: Failed to obtain schema details!\n")); - return NULL; - } - } - - return ads; -} - -/************************************************************************ - ***********************************************************************/ - -static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom) -{ - struct idmap_ad_context *ctx; - char *config_option; - const char *range = NULL; - const char *schema_mode = NULL; - - if ( (ctx = TALLOC_ZERO_P(dom, struct idmap_ad_context)) == NULL ) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - if ( (config_option = talloc_asprintf(ctx, "idmap config %s", dom->name)) == NULL ) { - DEBUG(0, ("Out of memory!\n")); - talloc_free(ctx); - return NT_STATUS_NO_MEMORY; - } - - /* load ranges */ - range = lp_parm_const_string(-1, config_option, "range", NULL); - if (range && range[0]) { - if ((sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) || - (ctx->filter_low_id > ctx->filter_high_id)) { - DEBUG(1, ("ERROR: invalid filter range [%s]", range)); - ctx->filter_low_id = 0; - ctx->filter_high_id = 0; - } - } - - /* schema mode */ - if ( ad_map_type == WB_POSIX_MAP_UNKNOWN ) - ad_map_type = WB_POSIX_MAP_RFC2307; - schema_mode = lp_parm_const_string(-1, config_option, "schema_mode", NULL); - if ( schema_mode && schema_mode[0] ) { - if ( strequal(schema_mode, "sfu") ) - ad_map_type = WB_POSIX_MAP_SFU; - else if ( strequal(schema_mode, "sfu20" ) ) - ad_map_type = WB_POSIX_MAP_SFU20; - else if ( strequal(schema_mode, "rfc2307" ) ) - ad_map_type = WB_POSIX_MAP_RFC2307; - else - DEBUG(0,("idmap_ad_initialize: Unknown schema_mode (%s)\n", - schema_mode)); - } - - dom->private_data = ctx; - dom->initialized = True; - - talloc_free(config_option); - - return NT_STATUS_OK; -} - -/************************************************************************ - Search up to IDMAP_AD_MAX_IDS entries in maps for a match. - ***********************************************************************/ - -static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, uint32_t id) -{ - int i; - - for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) { - if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) { - return maps[i]; - } - } - - return NULL; -} - -/************************************************************************ - Search up to IDMAP_AD_MAX_IDS entries in maps for a match - ***********************************************************************/ - -static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid) -{ - int i; - - for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) { - if (sid_equal(maps[i]->sid, sid)) { - return maps[i]; - } - } - - return NULL; -} - -/************************************************************************ - ***********************************************************************/ - -static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids) -{ - NTSTATUS ret; - TALLOC_CTX *memctx; - struct idmap_ad_context *ctx; - ADS_STATUS rc; - ADS_STRUCT *ads; - const char *attrs[] = { "sAMAccountType", - "objectSid", - NULL, /* uidnumber */ - NULL, /* gidnumber */ - NULL }; - LDAPMessage *res = NULL; - LDAPMessage *entry = NULL; - char *filter = NULL; - int idx = 0; - int bidx = 0; - int count; - int i; - char *u_filter = NULL; - char *g_filter = NULL; - - /* Only do query if we are online */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - /* Initilization my have been deferred because we were offline */ - if ( ! dom->initialized) { - ret = idmap_ad_initialize(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - ctx = talloc_get_type(dom->private_data, struct idmap_ad_context); - - if ( (memctx = talloc_new(ctx)) == NULL ) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - if ( (ads = ad_idmap_cached_connection()) == NULL ) { - DEBUG(1, ("ADS uninitialized\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - attrs[2] = ad_schema->posix_uidnumber_attr; - attrs[3] = ad_schema->posix_gidnumber_attr; - -again: - bidx = idx; - for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) { - switch (ids[idx]->xid.type) { - case ID_TYPE_UID: - if ( ! u_filter) { - u_filter = talloc_asprintf(memctx, "(&(|" - "(sAMAccountType=%d)" - "(sAMAccountType=%d)" - "(sAMAccountType=%d))(|", - ATYPE_NORMAL_ACCOUNT, - ATYPE_WORKSTATION_TRUST, - ATYPE_INTERDOMAIN_TRUST); - } - u_filter = talloc_asprintf_append(u_filter, "(%s=%lu)", - ad_schema->posix_uidnumber_attr, - (unsigned long)ids[idx]->xid.id); - CHECK_ALLOC_DONE(u_filter); - break; - - case ID_TYPE_GID: - if ( ! g_filter) { - g_filter = talloc_asprintf(memctx, "(&(|" - "(sAMAccountType=%d)" - "(sAMAccountType=%d))(|", - ATYPE_SECURITY_GLOBAL_GROUP, - ATYPE_SECURITY_LOCAL_GROUP); - } - g_filter = talloc_asprintf_append(g_filter, "(%s=%lu)", - ad_schema->posix_gidnumber_attr, - (unsigned long)ids[idx]->xid.id); - CHECK_ALLOC_DONE(g_filter); - break; - - default: - DEBUG(3, ("Error: mapping requested but Unknown ID type\n")); - ids[idx]->status = ID_UNKNOWN; - continue; - } - } - filter = talloc_asprintf(memctx, "(|"); - CHECK_ALLOC_DONE(filter); - if ( u_filter) { - filter = talloc_asprintf_append(filter, "%s))", u_filter); - CHECK_ALLOC_DONE(filter); - TALLOC_FREE(u_filter); - } - if ( g_filter) { - filter = talloc_asprintf_append(filter, "%s))", g_filter); - CHECK_ALLOC_DONE(filter); - TALLOC_FREE(g_filter); - } - filter = talloc_asprintf_append(filter, ")"); - CHECK_ALLOC_DONE(filter); - - rc = ads_search_retry(ads, &res, filter, attrs); - if (!ADS_ERR_OK(rc)) { - DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc))); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - if ( (count = ads_count_replies(ads, res)) == 0 ) { - DEBUG(10, ("No IDs found\n")); - } - - entry = res; - for (i = 0; (i < count) && entry; i++) { - DOM_SID sid; - enum id_type type; - struct id_map *map; - uint32_t id; - uint32_t atype; - - if (i == 0) { /* first entry */ - entry = ads_first_entry(ads, entry); - } else { /* following ones */ - entry = ads_next_entry(ads, entry); - } - - if ( !entry ) { - DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n")); - break; - } - - /* first check if the SID is present */ - if (!ads_pull_sid(ads, entry, "objectSid", &sid)) { - DEBUG(2, ("Could not retrieve SID from entry\n")); - continue; - } - - /* get type */ - if (!ads_pull_uint32(ads, entry, "sAMAccountType", &atype)) { - DEBUG(1, ("could not get SAM account type\n")); - continue; - } - - switch (atype & 0xF0000000) { - case ATYPE_SECURITY_GLOBAL_GROUP: - case ATYPE_SECURITY_LOCAL_GROUP: - type = ID_TYPE_GID; - break; - case ATYPE_NORMAL_ACCOUNT: - case ATYPE_WORKSTATION_TRUST: - case ATYPE_INTERDOMAIN_TRUST: - type = ID_TYPE_UID; - break; - default: - DEBUG(1, ("unrecognized SAM account type %08x\n", atype)); - continue; - } - - if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ? - ad_schema->posix_uidnumber_attr : - ad_schema->posix_gidnumber_attr, - &id)) - { - DEBUG(1, ("Could not get unix ID\n")); - continue; - } - - if ((id == 0) || - (ctx->filter_low_id && (id < ctx->filter_low_id)) || - (ctx->filter_high_id && (id > ctx->filter_high_id))) { - DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n", - id, ctx->filter_low_id, ctx->filter_high_id)); - continue; - } - - map = find_map_by_id(&ids[bidx], type, id); - if (!map) { - DEBUG(2, ("WARNING: couldn't match result with requested ID\n")); - continue; - } - - sid_copy(map->sid, &sid); - - /* mapped */ - map->status = ID_MAPPED; - - DEBUG(10, ("Mapped %s -> %lu (%d)\n", - sid_string_static(map->sid), - (unsigned long)map->xid.id, - map->xid.type)); - } - - if (res) { - ads_msgfree(ads, res); - } - - if (ids[idx]) { /* still some values to map */ - goto again; - } - - ret = NT_STATUS_OK; - - /* mark all unknown/expired ones as unmapped */ - for (i = 0; ids[i]; i++) { - if (ids[i]->status != ID_MAPPED) - ids[i]->status = ID_UNMAPPED; - } - -done: - talloc_free(memctx); - return ret; -} - -/************************************************************************ - ***********************************************************************/ - -static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids) -{ - NTSTATUS ret; - TALLOC_CTX *memctx; - struct idmap_ad_context *ctx; - ADS_STATUS rc; - ADS_STRUCT *ads; - const char *attrs[] = { "sAMAccountType", - "objectSid", - NULL, /* attr_uidnumber */ - NULL, /* attr_gidnumber */ - NULL }; - LDAPMessage *res = NULL; - LDAPMessage *entry = NULL; - char *filter = NULL; - int idx = 0; - int bidx = 0; - int count; - int i; - char *sidstr; - - /* Only do query if we are online */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - /* Initilization my have been deferred because we were offline */ - if ( ! dom->initialized) { - ret = idmap_ad_initialize(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - ctx = talloc_get_type(dom->private_data, struct idmap_ad_context); - - if ( (memctx = talloc_new(ctx)) == NULL ) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - if ( (ads = ad_idmap_cached_connection()) == NULL ) { - DEBUG(1, ("ADS uninitialized\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - attrs[2] = ad_schema->posix_uidnumber_attr; - attrs[3] = ad_schema->posix_gidnumber_attr; - -again: - filter = talloc_asprintf(memctx, "(&(|" - "(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)" /* user account types */ - "(sAMAccountType=%d)(sAMAccountType=%d)" /* group account types */ - ")(|", - ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST, - ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP); - - CHECK_ALLOC_DONE(filter); - - bidx = idx; - for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) { - - sidstr = sid_binstring(ids[idx]->sid); - filter = talloc_asprintf_append(filter, "(objectSid=%s)", sidstr); - - free(sidstr); - CHECK_ALLOC_DONE(filter); - } - filter = talloc_asprintf_append(filter, "))"); - CHECK_ALLOC_DONE(filter); - DEBUG(10, ("Filter: [%s]\n", filter)); - - rc = ads_search_retry(ads, &res, filter, attrs); - if (!ADS_ERR_OK(rc)) { - DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc))); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - if ( (count = ads_count_replies(ads, res)) == 0 ) { - DEBUG(10, ("No IDs found\n")); - } - - entry = res; - for (i = 0; (i < count) && entry; i++) { - DOM_SID sid; - enum id_type type; - struct id_map *map; - uint32_t id; - uint32_t atype; - - if (i == 0) { /* first entry */ - entry = ads_first_entry(ads, entry); - } else { /* following ones */ - entry = ads_next_entry(ads, entry); - } - - if ( !entry ) { - DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n")); - break; - } - - /* first check if the SID is present */ - if (!ads_pull_sid(ads, entry, "objectSid", &sid)) { - DEBUG(2, ("Could not retrieve SID from entry\n")); - continue; - } - - map = find_map_by_sid(&ids[bidx], &sid); - if (!map) { - DEBUG(2, ("WARNING: couldn't match result with requested SID\n")); - continue; - } - - /* get type */ - if (!ads_pull_uint32(ads, entry, "sAMAccountType", &atype)) { - DEBUG(1, ("could not get SAM account type\n")); - continue; - } - - switch (atype & 0xF0000000) { - case ATYPE_SECURITY_GLOBAL_GROUP: - case ATYPE_SECURITY_LOCAL_GROUP: - type = ID_TYPE_GID; - break; - case ATYPE_NORMAL_ACCOUNT: - case ATYPE_WORKSTATION_TRUST: - case ATYPE_INTERDOMAIN_TRUST: - type = ID_TYPE_UID; - break; - default: - DEBUG(1, ("unrecognized SAM account type %08x\n", atype)); - continue; - } - - if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ? - ad_schema->posix_uidnumber_attr : - ad_schema->posix_gidnumber_attr, - &id)) - { - DEBUG(1, ("Could not get unix ID\n")); - continue; - } - if ((id == 0) || - (ctx->filter_low_id && (id < ctx->filter_low_id)) || - (ctx->filter_high_id && (id > ctx->filter_high_id))) { - DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n", - id, ctx->filter_low_id, ctx->filter_high_id)); - continue; - } - - /* mapped */ - map->xid.type = type; - map->xid.id = id; - map->status = ID_MAPPED; - - DEBUG(10, ("Mapped %s -> %lu (%d)\n", - sid_string_static(map->sid), - (unsigned long)map->xid.id, - map->xid.type)); - } - - if (res) { - ads_msgfree(ads, res); - } - - if (ids[idx]) { /* still some values to map */ - goto again; - } - - ret = NT_STATUS_OK; - - /* mark all unknwoni/expired ones as unmapped */ - for (i = 0; ids[i]; i++) { - if (ids[i]->status != ID_MAPPED) - ids[i]->status = ID_UNMAPPED; - } - -done: - talloc_free(memctx); - return ret; -} - -/************************************************************************ - ***********************************************************************/ - -static NTSTATUS idmap_ad_close(struct idmap_domain *dom) -{ - ADS_STRUCT *ads = ad_idmap_ads; - - if (ads != NULL) { - /* we own this ADS_STRUCT so make sure it goes away */ - ads->is_mine = True; - ads_destroy( &ads ); - ad_idmap_ads = NULL; - } - - TALLOC_FREE( ad_schema ); - - return NT_STATUS_OK; -} - -/* - * nss_info_{sfu,sfu20,rfc2307} - */ - -/************************************************************************ - Initialize the {sfu,sfu20,rfc2307} state - ***********************************************************************/ - -static NTSTATUS nss_sfu_init( struct nss_domain_entry *e ) -{ - /* Sanity check if we have previously been called with a - different schema model */ - - if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) && - (ad_map_type != WB_POSIX_MAP_SFU) ) - { - DEBUG(0,("nss_sfu_init: Posix Map type has already been set. " - "Mixed schema models not supported!\n")); - return NT_STATUS_NOT_SUPPORTED; - } - - ad_map_type = WB_POSIX_MAP_SFU; - - return NT_STATUS_OK; -} - -static NTSTATUS nss_sfu20_init( struct nss_domain_entry *e ) -{ - /* Sanity check if we have previously been called with a - different schema model */ - - if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) && - (ad_map_type != WB_POSIX_MAP_SFU20) ) - { - DEBUG(0,("nss_sfu20_init: Posix Map type has already been set. " - "Mixed schema models not supported!\n")); - return NT_STATUS_NOT_SUPPORTED; - } - - ad_map_type = WB_POSIX_MAP_SFU20; - - return NT_STATUS_OK; -} - -static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e ) -{ - /* Sanity check if we have previously been called with a - different schema model */ - - if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) && - (ad_map_type != WB_POSIX_MAP_RFC2307) ) - { - DEBUG(0,("nss_rfc2307_init: Posix Map type has already been set. " - "Mixed schema models not supported!\n")); - return NT_STATUS_NOT_SUPPORTED; - } - - ad_map_type = WB_POSIX_MAP_RFC2307; - - return NT_STATUS_OK; -} - - -/************************************************************************ - ***********************************************************************/ -static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e, - const DOM_SID *sid, - TALLOC_CTX *ctx, - ADS_STRUCT *ads, - LDAPMessage *msg, - char **homedir, - char **shell, - char **gecos, - uint32 *gid ) -{ - ADS_STRUCT *ads_internal = NULL; - - /* Only do query if we are online */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - /* We are assuming that the internal ADS_STRUCT is for the - same forest as the incoming *ads pointer */ - - ads_internal = ad_idmap_cached_connection(); - - if ( !ads_internal || !ad_schema ) - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - - if ( !homedir || !shell || !gecos ) - return NT_STATUS_INVALID_PARAMETER; - - *homedir = ads_pull_string( ads, ctx, msg, ad_schema->posix_homedir_attr ); - *shell = ads_pull_string( ads, ctx, msg, ad_schema->posix_shell_attr ); - *gecos = ads_pull_string( ads, ctx, msg, ad_schema->posix_gecos_attr ); - - if ( gid ) { - if ( !ads_pull_uint32(ads, msg, ad_schema->posix_gidnumber_attr, gid ) ) - *gid = (uint32)-1; - } - - return NT_STATUS_OK; -} - -/************************************************************************ - ***********************************************************************/ - -static NTSTATUS nss_ad_close( void ) -{ - /* nothing to do. All memory is free()'d by the idmap close_fn() */ - - return NT_STATUS_OK; -} - -/************************************************************************ - Function dispatch tables for the idmap and nss plugins - ***********************************************************************/ - -static struct idmap_methods ad_methods = { - .init = idmap_ad_initialize, - .unixids_to_sids = idmap_ad_unixids_to_sids, - .sids_to_unixids = idmap_ad_sids_to_unixids, - .close_fn = idmap_ad_close -}; - -/* The SFU and RFC2307 NSS plugins share everything but the init - function which sets the intended schema model to use */ - -static struct nss_info_methods nss_rfc2307_methods = { - .init = nss_rfc2307_init, - .get_nss_info = nss_ad_get_info, - .close_fn = nss_ad_close -}; - -static struct nss_info_methods nss_sfu_methods = { - .init = nss_sfu_init, - .get_nss_info = nss_ad_get_info, - .close_fn = nss_ad_close -}; - -static struct nss_info_methods nss_sfu20_methods = { - .init = nss_sfu20_init, - .get_nss_info = nss_ad_get_info, - .close_fn = nss_ad_close -}; - - - -/************************************************************************ - Initialize the plugins - ***********************************************************************/ - -NTSTATUS idmap_ad_init(void) -{ - static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL; - static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL; - static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL; - static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL; - - /* Always register the AD method first in order to get the - idmap_domain interface called */ - - if ( !NT_STATUS_IS_OK(status_idmap_ad) ) { - status_idmap_ad = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, - "ad", &ad_methods); - if ( !NT_STATUS_IS_OK(status_idmap_ad) ) - return status_idmap_ad; - } - - if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) { - status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION, - "rfc2307", &nss_rfc2307_methods ); - if ( !NT_STATUS_IS_OK(status_nss_rfc2307) ) - return status_nss_rfc2307; - } - - if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) { - status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION, - "sfu", &nss_sfu_methods ); - if ( !NT_STATUS_IS_OK(status_nss_sfu) ) - return status_nss_sfu; - } - - if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) { - status_nss_sfu20 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION, - "sfu20", &nss_sfu20_methods ); - if ( !NT_STATUS_IS_OK(status_nss_sfu20) ) - return status_nss_sfu20; - } - - return NT_STATUS_OK; -} - diff --git a/source3/nsswitch/idmap_cache.c b/source3/nsswitch/idmap_cache.c deleted file mode 100644 index 4f01cb1392..0000000000 --- a/source3/nsswitch/idmap_cache.c +++ /dev/null @@ -1,531 +0,0 @@ -/* - Unix SMB/CIFS implementation. - ID Mapping Cache - - based on gencache - - Copyright (C) Simo Sorce 2006 - Copyright (C) Rafal Szczesniak 2002 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>.*/ - -#include "includes.h" -#include "winbindd.h" - -#define TIMEOUT_LEN 12 -#define IDMAP_CACHE_DATA_FMT "%12u/%s" -#define IDMAP_READ_CACHE_DATA_FMT_TEMPLATE "%%12u/%%%us" - -struct idmap_cache_ctx { - TDB_CONTEXT *tdb; -}; - -static int idmap_cache_destructor(struct idmap_cache_ctx *cache) -{ - int ret = 0; - - if (cache && cache->tdb) { - ret = tdb_close(cache->tdb); - cache->tdb = NULL; - } - - return ret; -} - -struct idmap_cache_ctx *idmap_cache_init(TALLOC_CTX *memctx) -{ - struct idmap_cache_ctx *cache; - char* cache_fname = NULL; - - cache = talloc(memctx, struct idmap_cache_ctx); - if ( ! cache) { - DEBUG(0, ("Out of memory!\n")); - return NULL; - } - - cache_fname = lock_path("idmap_cache.tdb"); - - DEBUG(10, ("Opening cache file at %s\n", cache_fname)); - - cache->tdb = tdb_open_log(cache_fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); - - if (!cache->tdb) { - DEBUG(5, ("Attempt to open %s has failed.\n", cache_fname)); - return NULL; - } - - talloc_set_destructor(cache, idmap_cache_destructor); - - return cache; -} - -void idmap_cache_shutdown(struct idmap_cache_ctx *cache) -{ - talloc_free(cache); -} - -NTSTATUS idmap_cache_build_sidkey(TALLOC_CTX *ctx, char **sidkey, const struct id_map *id) -{ - *sidkey = talloc_asprintf(ctx, "IDMAP/SID/%s", sid_string_static(id->sid)); - if ( ! *sidkey) { - DEBUG(1, ("failed to build sidkey, OOM?\n")); - return NT_STATUS_NO_MEMORY; - } - - return NT_STATUS_OK; -} - -NTSTATUS idmap_cache_build_idkey(TALLOC_CTX *ctx, char **idkey, const struct id_map *id) -{ - *idkey = talloc_asprintf(ctx, "IDMAP/%s/%lu", - (id->xid.type==ID_TYPE_UID)?"UID":"GID", - (unsigned long)id->xid.id); - if ( ! *idkey) { - DEBUG(1, ("failed to build idkey, OOM?\n")); - return NT_STATUS_NO_MEMORY; - } - - return NT_STATUS_OK; -} - -NTSTATUS idmap_cache_set(struct idmap_cache_ctx *cache, const struct id_map *id) -{ - NTSTATUS ret; - time_t timeout = time(NULL) + lp_idmap_cache_time(); - TDB_DATA databuf; - char *sidkey; - char *idkey; - char *valstr; - - /* Don't cache lookups in the S-1-22-{1,2} domain */ - if ( (id->xid.type == ID_TYPE_UID) && - sid_check_is_in_unix_users(id->sid) ) - { - return NT_STATUS_OK; - } - if ( (id->xid.type == ID_TYPE_GID) && - sid_check_is_in_unix_groups(id->sid) ) - { - return NT_STATUS_OK; - } - - - ret = idmap_cache_build_sidkey(cache, &sidkey, id); - if (!NT_STATUS_IS_OK(ret)) return ret; - - /* use sidkey as the local memory ctx */ - ret = idmap_cache_build_idkey(sidkey, &idkey, id); - if (!NT_STATUS_IS_OK(ret)) { - goto done; - } - - /* save SID -> ID */ - - /* use sidkey as the local memory ctx */ - valstr = talloc_asprintf(sidkey, IDMAP_CACHE_DATA_FMT, (int)timeout, idkey); - if (!valstr) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - databuf = string_term_tdb_data(valstr); - DEBUG(10, ("Adding cache entry with key = %s; value = %s and timeout =" - " %s (%d seconds %s)\n", sidkey, valstr , ctime(&timeout), - (int)(timeout - time(NULL)), - timeout > time(NULL) ? "ahead" : "in the past")); - - if (tdb_store_bystring(cache->tdb, sidkey, databuf, TDB_REPLACE) != 0) { - DEBUG(3, ("Failed to store cache entry!\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - /* save ID -> SID */ - - /* use sidkey as the local memory ctx */ - valstr = talloc_asprintf(sidkey, IDMAP_CACHE_DATA_FMT, (int)timeout, sidkey); - if (!valstr) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - databuf = string_term_tdb_data(valstr); - DEBUG(10, ("Adding cache entry with key = %s; value = %s and timeout =" - " %s (%d seconds %s)\n", idkey, valstr, ctime(&timeout), - (int)(timeout - time(NULL)), - timeout > time(NULL) ? "ahead" : "in the past")); - - if (tdb_store_bystring(cache->tdb, idkey, databuf, TDB_REPLACE) != 0) { - DEBUG(3, ("Failed to store cache entry!\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - ret = NT_STATUS_OK; - -done: - talloc_free(sidkey); - return ret; -} - -NTSTATUS idmap_cache_set_negative_sid(struct idmap_cache_ctx *cache, const struct id_map *id) -{ - NTSTATUS ret; - time_t timeout = time(NULL) + lp_idmap_negative_cache_time(); - TDB_DATA databuf; - char *sidkey; - char *valstr; - - ret = idmap_cache_build_sidkey(cache, &sidkey, id); - if (!NT_STATUS_IS_OK(ret)) return ret; - - /* use sidkey as the local memory ctx */ - valstr = talloc_asprintf(sidkey, IDMAP_CACHE_DATA_FMT, (int)timeout, "IDMAP/NEGATIVE"); - if (!valstr) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - databuf = string_term_tdb_data(valstr); - DEBUG(10, ("Adding cache entry with key = %s; value = %s and timeout =" - " %s (%d seconds %s)\n", sidkey, valstr, ctime(&timeout), - (int)(timeout - time(NULL)), - timeout > time(NULL) ? "ahead" : "in the past")); - - if (tdb_store_bystring(cache->tdb, sidkey, databuf, TDB_REPLACE) != 0) { - DEBUG(3, ("Failed to store cache entry!\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - -done: - talloc_free(sidkey); - return ret; -} - -NTSTATUS idmap_cache_set_negative_id(struct idmap_cache_ctx *cache, const struct id_map *id) -{ - NTSTATUS ret; - time_t timeout = time(NULL) + lp_idmap_negative_cache_time(); - TDB_DATA databuf; - char *idkey; - char *valstr; - - ret = idmap_cache_build_idkey(cache, &idkey, id); - if (!NT_STATUS_IS_OK(ret)) return ret; - - /* use idkey as the local memory ctx */ - valstr = talloc_asprintf(idkey, IDMAP_CACHE_DATA_FMT, (int)timeout, "IDMAP/NEGATIVE"); - if (!valstr) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - databuf = string_term_tdb_data(valstr); - DEBUG(10, ("Adding cache entry with key = %s; value = %s and timeout =" - " %s (%d seconds %s)\n", idkey, valstr, ctime(&timeout), - (int)(timeout - time(NULL)), - timeout > time(NULL) ? "ahead" : "in the past")); - - if (tdb_store_bystring(cache->tdb, idkey, databuf, TDB_REPLACE) != 0) { - DEBUG(3, ("Failed to store cache entry!\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - -done: - talloc_free(idkey); - return ret; -} - -NTSTATUS idmap_cache_fill_map(struct id_map *id, const char *value) -{ - char *rem; - - /* see if it is a sid */ - if ( ! strncmp("IDMAP/SID/", value, 10)) { - - if ( ! string_to_sid(id->sid, &value[10])) { - goto failed; - } - - id->status = ID_MAPPED; - - return NT_STATUS_OK; - } - - /* not a SID see if it is an UID or a GID */ - if ( ! strncmp("IDMAP/UID/", value, 10)) { - - /* a uid */ - id->xid.type = ID_TYPE_UID; - - } else if ( ! strncmp("IDMAP/GID/", value, 10)) { - - /* a gid */ - id->xid.type = ID_TYPE_GID; - - } else { - - /* a completely bogus value bail out */ - goto failed; - } - - id->xid.id = strtol(&value[10], &rem, 0); - if (*rem != '\0') { - goto failed; - } - - id->status = ID_MAPPED; - - return NT_STATUS_OK; - -failed: - DEBUG(1, ("invalid value: %s\n", value)); - id->status = ID_UNKNOWN; - return NT_STATUS_INTERNAL_DB_CORRUPTION; -} - -BOOL idmap_cache_is_negative(const char *val) -{ - if ( ! strcmp("IDMAP/NEGATIVE", val)) { - return True; - } - return False; -} - -/* search the cahce for the SID an return a mapping if found * - * - * 4 cases are possible - * - * 1 map found - * in this case id->status = ID_MAPPED and NT_STATUS_OK is returned - * 2 map not found - * in this case id->status = ID_UNKNOWN and NT_STATUS_NONE_MAPPED is returned - * 3 negative cache found - * in this case id->status = ID_UNMAPPED and NT_STATUS_OK is returned - * 4 map found but timer expired - * in this case id->status = ID_EXPIRED and NT_STATUS_SYNCHRONIZATION_REQUIRED - * is returned. In this case revalidation of the cache is needed. - */ - -NTSTATUS idmap_cache_map_sid(struct idmap_cache_ctx *cache, struct id_map *id) -{ - NTSTATUS ret; - TDB_DATA databuf; - time_t t; - char *sidkey; - char *endptr; - struct winbindd_domain *our_domain = find_our_domain(); - time_t now = time(NULL); - - /* make sure it is marked as not mapped by default */ - id->status = ID_UNKNOWN; - - ret = idmap_cache_build_sidkey(cache, &sidkey, id); - if (!NT_STATUS_IS_OK(ret)) return ret; - - databuf = tdb_fetch_bystring(cache->tdb, sidkey); - - if (databuf.dptr == NULL) { - DEBUG(10, ("Cache entry with key = %s couldn't be found\n", sidkey)); - ret = NT_STATUS_NONE_MAPPED; - goto done; - } - - t = strtol((const char *)databuf.dptr, &endptr, 10); - - if ((endptr == NULL) || (*endptr != '/')) { - DEBUG(2, ("Invalid gencache data format: %s\n", (const char *)databuf.dptr)); - /* remove the entry */ - tdb_delete_bystring(cache->tdb, sidkey); - ret = NT_STATUS_NONE_MAPPED; - goto done; - } - - /* check it is not negative */ - if (strcmp("IDMAP/NEGATIVE", endptr+1) != 0) { - - DEBUG(10, ("Returning %s cache entry: key = %s, value = %s, " - "timeout = %s", t > now ? "valid" : - "expired", sidkey, endptr+1, ctime(&t))); - - /* this call if successful will also mark the entry as mapped */ - ret = idmap_cache_fill_map(id, endptr+1); - if ( ! NT_STATUS_IS_OK(ret)) { - /* if not valid form delete the entry */ - tdb_delete_bystring(cache->tdb, sidkey); - ret = NT_STATUS_NONE_MAPPED; - goto done; - } - - /* here ret == NT_STATUS_OK and id->status = ID_MAPPED */ - - if (t <= now) { - /* If we've been told to be offline - stay in - that state... */ - if ( IS_DOMAIN_OFFLINE(our_domain) ) { - DEBUG(10,("idmap_cache_map_sid: idmap is offline\n")); - goto done; - } - - /* We're expired, set an error code - for upper layer */ - ret = NT_STATUS_SYNCHRONIZATION_REQUIRED; - } - - goto done; - } - - /* Was a negative cache hit */ - - /* Ignore the negative cache when offline */ - - if ( IS_DOMAIN_OFFLINE(our_domain) ) { - DEBUG(10,("idmap_cache_map_sid: idmap is offline\n")); - goto done; - } - - - /* Check for valid or expired cache hits */ - if (t <= now) { - /* We're expired. Return not mapped */ - ret = NT_STATUS_NONE_MAPPED; - } else { - /* this is not mapped as it was a negative cache hit */ - id->status = ID_UNMAPPED; - ret = NT_STATUS_OK; - } - -done: - SAFE_FREE(databuf.dptr); - talloc_free(sidkey); - return ret; -} - -/* search the cahce for the ID an return a mapping if found * - * - * 4 cases are possible - * - * 1 map found - * in this case id->status = ID_MAPPED and NT_STATUS_OK is returned - * 2 map not found - * in this case id->status = ID_UNKNOWN and NT_STATUS_NONE_MAPPED is returned - * 3 negative cache found - * in this case id->status = ID_UNMAPPED and NT_STATUS_OK is returned - * 4 map found but timer expired - * in this case id->status = ID_EXPIRED and NT_STATUS_SYNCHRONIZATION_REQUIRED - * is returned. In this case revalidation of the cache is needed. - */ - -NTSTATUS idmap_cache_map_id(struct idmap_cache_ctx *cache, struct id_map *id) -{ - NTSTATUS ret; - TDB_DATA databuf; - time_t t; - char *idkey; - char *endptr; - struct winbindd_domain *our_domain = find_our_domain(); - time_t now = time(NULL); - - /* make sure it is marked as unknown by default */ - id->status = ID_UNKNOWN; - - ret = idmap_cache_build_idkey(cache, &idkey, id); - if (!NT_STATUS_IS_OK(ret)) return ret; - - databuf = tdb_fetch_bystring(cache->tdb, idkey); - - if (databuf.dptr == NULL) { - DEBUG(10, ("Cache entry with key = %s couldn't be found\n", idkey)); - ret = NT_STATUS_NONE_MAPPED; - goto done; - } - - t = strtol((const char *)databuf.dptr, &endptr, 10); - - if ((endptr == NULL) || (*endptr != '/')) { - DEBUG(2, ("Invalid gencache data format: %s\n", (const char *)databuf.dptr)); - /* remove the entry */ - tdb_delete_bystring(cache->tdb, idkey); - ret = NT_STATUS_NONE_MAPPED; - goto done; - } - - /* check it is not negative */ - if (strcmp("IDMAP/NEGATIVE", endptr+1) != 0) { - - DEBUG(10, ("Returning %s cache entry: key = %s, value = %s, " - "timeout = %s", t > now ? "valid" : - "expired", idkey, endptr+1, ctime(&t))); - - /* this call if successful will also mark the entry as mapped */ - ret = idmap_cache_fill_map(id, endptr+1); - if ( ! NT_STATUS_IS_OK(ret)) { - /* if not valid form delete the entry */ - tdb_delete_bystring(cache->tdb, idkey); - ret = NT_STATUS_NONE_MAPPED; - goto done; - } - - /* here ret == NT_STATUS_OK and id->mapped = ID_MAPPED */ - - if (t <= now) { - /* If we've been told to be offline - stay in - that state... */ - if ( IS_DOMAIN_OFFLINE(our_domain) ) { - DEBUG(10,("idmap_cache_map_sid: idmap is offline\n")); - goto done; - } - - /* We're expired, set an error code - for upper layer */ - ret = NT_STATUS_SYNCHRONIZATION_REQUIRED; - } - - goto done; - } - - /* Was a negative cache hit */ - - /* Ignore the negative cache when offline */ - - if ( IS_DOMAIN_OFFLINE(our_domain) ) { - DEBUG(10,("idmap_cache_map_sid: idmap is offline\n")); - ret = NT_STATUS_NONE_MAPPED; - - goto done; - } - - /* Process the negative cache hit */ - - if (t <= now) { - /* We're expired. Return not mapped */ - ret = NT_STATUS_NONE_MAPPED; - } else { - /* this is not mapped is it was a negative cache hit */ - id->status = ID_UNMAPPED; - ret = NT_STATUS_OK; - } - -done: - SAFE_FREE(databuf.dptr); - talloc_free(idkey); - return ret; -} - diff --git a/source3/nsswitch/idmap_ldap.c b/source3/nsswitch/idmap_ldap.c deleted file mode 100644 index 3b63915b05..0000000000 --- a/source3/nsswitch/idmap_ldap.c +++ /dev/null @@ -1,1505 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - idmap LDAP backend - - Copyright (C) Tim Potter 2000 - Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003 - Copyright (C) Gerald Carter 2003 - Copyright (C) Simo Sorce 2003-2007 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_IDMAP - -#include <lber.h> -#include <ldap.h> - -#include "smbldap.h" - -struct idmap_ldap_context { - struct smbldap_state *smbldap_state; - char *url; - char *suffix; - char *user_dn; - uint32_t filter_low_id, filter_high_id; /* Filter range */ - BOOL anon; -}; - -struct idmap_ldap_alloc_context { - struct smbldap_state *smbldap_state; - char *url; - char *suffix; - char *user_dn; - uid_t low_uid, high_uid; /* Range of uids */ - gid_t low_gid, high_gid; /* Range of gids */ - -}; - -#define CHECK_ALLOC_DONE(mem) do { \ - if (!mem) { \ - DEBUG(0, ("Out of memory!\n")); \ - ret = NT_STATUS_NO_MEMORY; \ - goto done; \ - } } while (0) - -/********************************************************************** - IDMAP ALLOC TDB BACKEND -**********************************************************************/ - -static struct idmap_ldap_alloc_context *idmap_alloc_ldap; - -/********************************************************************* - ********************************************************************/ - -static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx, - struct smbldap_state *ldap_state, - const char *config_option, - struct idmap_domain *dom, - char **dn ) -{ - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - char *secret = NULL; - const char *tmp = NULL; - char *user_dn = NULL; - BOOL anon = False; - - /* assume anonymous if we don't have a specified user */ - - tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL); - - if ( tmp ) { - if (!dom) { - /* only the alloc backend can pass in a NULL dom */ - secret = idmap_fetch_secret("ldap", True, - NULL, tmp); - } else { - secret = idmap_fetch_secret("ldap", False, - dom->name, tmp); - } - - if (!secret) { - DEBUG(0, ("get_credentials: Unable to fetch " - "auth credentials for %s in %s\n", - tmp, (dom==NULL)?"ALLOC":dom->name)); - ret = NT_STATUS_ACCESS_DENIED; - goto done; - } - *dn = talloc_strdup(mem_ctx, tmp); - CHECK_ALLOC_DONE(*dn); - } else { - if (!fetch_ldap_pw(&user_dn, &secret)) { - DEBUG(2, ("get_credentials: Failed to lookup ldap " - "bind creds. Using anonymous connection.\n")); - anon = True; - } else { - *dn = talloc_strdup(mem_ctx, user_dn); - SAFE_FREE( user_dn ); - CHECK_ALLOC_DONE(*dn); - } - } - - smbldap_set_creds(ldap_state, anon, *dn, secret); - ret = NT_STATUS_OK; - -done: - SAFE_FREE(secret); - - return ret; -} - - -/********************************************************************** - Verify the sambaUnixIdPool entry in the directory. -**********************************************************************/ - -static NTSTATUS verify_idpool(void) -{ - NTSTATUS ret; - TALLOC_CTX *ctx; - LDAPMessage *result = NULL; - LDAPMod **mods = NULL; - const char **attr_list; - char *filter; - int count; - int rc; - - if ( ! idmap_alloc_ldap) { - return NT_STATUS_UNSUCCESSFUL; - } - - ctx = talloc_new(idmap_alloc_ldap); - if ( ! ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - filter = talloc_asprintf(ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL); - CHECK_ALLOC_DONE(filter); - - attr_list = get_attr_list(ctx, idpool_attr_list); - CHECK_ALLOC_DONE(attr_list); - - rc = smbldap_search(idmap_alloc_ldap->smbldap_state, - idmap_alloc_ldap->suffix, - LDAP_SCOPE_SUBTREE, - filter, - attr_list, - 0, - &result); - - if (rc != LDAP_SUCCESS) { - DEBUG(1, ("Unable to verify the idpool, " - "cannot continue initialization!\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, - result); - - ldap_msgfree(result); - - if ( count > 1 ) { - DEBUG(0,("Multiple entries returned from %s (base == %s)\n", - filter, idmap_alloc_ldap->suffix)); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - else if (count == 0) { - char *uid_str, *gid_str; - - uid_str = talloc_asprintf(ctx, "%lu", - (unsigned long)idmap_alloc_ldap->low_uid); - gid_str = talloc_asprintf(ctx, "%lu", - (unsigned long)idmap_alloc_ldap->low_gid); - - smbldap_set_mod(&mods, LDAP_MOD_ADD, - "objectClass", LDAP_OBJ_IDPOOL); - smbldap_set_mod(&mods, LDAP_MOD_ADD, - get_attr_key2string(idpool_attr_list, - LDAP_ATTR_UIDNUMBER), - uid_str); - smbldap_set_mod(&mods, LDAP_MOD_ADD, - get_attr_key2string(idpool_attr_list, - LDAP_ATTR_GIDNUMBER), - gid_str); - if (mods) { - rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, - idmap_alloc_ldap->suffix, - mods); - ldap_mods_free(mods, True); - } else { - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - } - - ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL; -done: - talloc_free(ctx); - return ret; -} - -/***************************************************************************** - Initialise idmap database. -*****************************************************************************/ - -static NTSTATUS idmap_ldap_alloc_init(const char *params) -{ - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - const char *range; - const char *tmp; - uid_t low_uid = 0; - uid_t high_uid = 0; - gid_t low_gid = 0; - gid_t high_gid = 0; - - /* Only do init if we are online */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context); - CHECK_ALLOC_DONE( idmap_alloc_ldap ); - - /* load ranges */ - - idmap_alloc_ldap->low_uid = 0; - idmap_alloc_ldap->high_uid = 0; - idmap_alloc_ldap->low_gid = 0; - idmap_alloc_ldap->high_gid = 0; - - range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL); - if (range && range[0]) { - unsigned low_id, high_id; - - if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) { - if (low_id < high_id) { - idmap_alloc_ldap->low_gid = low_id; - idmap_alloc_ldap->low_uid = low_id; - idmap_alloc_ldap->high_gid = high_id; - idmap_alloc_ldap->high_uid = high_id; - } else { - DEBUG(1, ("ERROR: invalid idmap alloc range " - "[%s]", range)); - } - } else { - DEBUG(1, ("ERROR: invalid syntax for idmap alloc " - "config:range [%s]", range)); - } - } - - if (lp_idmap_uid(&low_uid, &high_uid)) { - idmap_alloc_ldap->low_uid = low_uid; - idmap_alloc_ldap->high_uid = high_uid; - } - - if (lp_idmap_gid(&low_gid, &high_gid)) { - idmap_alloc_ldap->low_gid = low_gid; - idmap_alloc_ldap->high_gid= high_gid; - } - - if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) { - DEBUG(1, ("idmap uid range missing or invalid\n")); - DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) { - DEBUG(1, ("idmap gid range missing or invalid\n")); - DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - if (params && *params) { - /* assume location is the only parameter */ - idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params); - } else { - tmp = lp_parm_const_string(-1, "idmap alloc config", - "ldap_url", NULL); - - if ( ! tmp) { - DEBUG(1, ("ERROR: missing idmap ldap url\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp); - } - CHECK_ALLOC_DONE( idmap_alloc_ldap->url ); - - tmp = lp_parm_const_string(-1, "idmap alloc config", - "ldap_base_dn", NULL); - if ( ! tmp || ! *tmp) { - tmp = lp_ldap_idmap_suffix(); - if ( ! tmp) { - DEBUG(1, ("ERROR: missing idmap ldap suffix\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - } - - idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp); - CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix ); - - ret = smbldap_init(idmap_alloc_ldap, winbind_event_context(), - idmap_alloc_ldap->url, - &idmap_alloc_ldap->smbldap_state); - if (!NT_STATUS_IS_OK(ret)) { - DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", - idmap_alloc_ldap->url)); - goto done; - } - - ret = get_credentials( idmap_alloc_ldap, - idmap_alloc_ldap->smbldap_state, - "idmap alloc config", NULL, - &idmap_alloc_ldap->user_dn ); - if ( !NT_STATUS_IS_OK(ret) ) { - DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection " - "credentials (%s)\n", nt_errstr(ret))); - goto done; - } - - /* see if the idmap suffix and sub entries exists */ - - ret = verify_idpool(); - - done: - if ( !NT_STATUS_IS_OK( ret ) ) - TALLOC_FREE( idmap_alloc_ldap ); - - return ret; -} - -/******************************** - Allocate a new uid or gid -********************************/ - -static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid) -{ - TALLOC_CTX *ctx; - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - int rc = LDAP_SERVER_DOWN; - int count = 0; - LDAPMessage *result = NULL; - LDAPMessage *entry = NULL; - LDAPMod **mods = NULL; - char *id_str; - char *new_id_str; - char *filter = NULL; - const char *dn = NULL; - const char **attr_list; - const char *type; - - /* Only do query if we are online */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - if ( ! idmap_alloc_ldap) { - return NT_STATUS_UNSUCCESSFUL; - } - - ctx = talloc_new(idmap_alloc_ldap); - if ( ! ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - /* get type */ - switch (xid->type) { - - case ID_TYPE_UID: - type = get_attr_key2string(idpool_attr_list, - LDAP_ATTR_UIDNUMBER); - break; - - case ID_TYPE_GID: - type = get_attr_key2string(idpool_attr_list, - LDAP_ATTR_GIDNUMBER); - break; - - default: - DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type)); - return NT_STATUS_INVALID_PARAMETER; - } - - filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL); - CHECK_ALLOC_DONE(filter); - - attr_list = get_attr_list(ctx, idpool_attr_list); - CHECK_ALLOC_DONE(attr_list); - - DEBUG(10, ("Search of the id pool (filter: %s)\n", filter)); - - rc = smbldap_search(idmap_alloc_ldap->smbldap_state, - idmap_alloc_ldap->suffix, - LDAP_SCOPE_SUBTREE, filter, - attr_list, 0, &result); - - if (rc != LDAP_SUCCESS) { - DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL)); - goto done; - } - - talloc_autofree_ldapmsg(ctx, result); - - count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, - result); - if (count != 1) { - DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL)); - goto done; - } - - entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, - result); - - dn = smbldap_talloc_dn(ctx, - idmap_alloc_ldap->smbldap_state->ldap_struct, - entry); - if ( ! dn) { - goto done; - } - - if ( ! (id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct, - entry, type, ctx))) { - DEBUG(0,("%s attribute not found\n", type)); - goto done; - } - if ( ! id_str) { - DEBUG(0,("Out of memory\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - xid->id = strtoul(id_str, NULL, 10); - - /* make sure we still have room to grow */ - - switch (xid->type) { - case ID_TYPE_UID: - if (xid->id > idmap_alloc_ldap->high_uid) { - DEBUG(0,("Cannot allocate uid above %lu!\n", - (unsigned long)idmap_alloc_ldap->high_uid)); - goto done; - } - break; - - case ID_TYPE_GID: - if (xid->id > idmap_alloc_ldap->high_gid) { - DEBUG(0,("Cannot allocate gid above %lu!\n", - (unsigned long)idmap_alloc_ldap->high_uid)); - goto done; - } - break; - - default: - /* impossible */ - goto done; - } - - new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id + 1); - if ( ! new_id_str) { - DEBUG(0,("Out of memory\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str); - smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str); - - if (mods == NULL) { - DEBUG(0,("smbldap_set_mod() failed.\n")); - goto done; - } - - DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n", - id_str, new_id_str)); - - rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods); - - ldap_mods_free(mods, True); - - if (rc != LDAP_SUCCESS) { - DEBUG(1,("Failed to allocate new %s. " - "smbldap_modify() failed.\n", type)); - goto done; - } - - ret = NT_STATUS_OK; - -done: - talloc_free(ctx); - return ret; -} - -/********************************** - Get current highest id. -**********************************/ - -static NTSTATUS idmap_ldap_get_hwm(struct unixid *xid) -{ - TALLOC_CTX *memctx; - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - int rc = LDAP_SERVER_DOWN; - int count = 0; - LDAPMessage *result = NULL; - LDAPMessage *entry = NULL; - char *id_str; - char *filter = NULL; - const char **attr_list; - const char *type; - - /* Only do query if we are online */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - if ( ! idmap_alloc_ldap) { - return NT_STATUS_UNSUCCESSFUL; - } - - memctx = talloc_new(idmap_alloc_ldap); - if ( ! memctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - /* get type */ - switch (xid->type) { - - case ID_TYPE_UID: - type = get_attr_key2string(idpool_attr_list, - LDAP_ATTR_UIDNUMBER); - break; - - case ID_TYPE_GID: - type = get_attr_key2string(idpool_attr_list, - LDAP_ATTR_GIDNUMBER); - break; - - default: - DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type)); - return NT_STATUS_INVALID_PARAMETER; - } - - filter = talloc_asprintf(memctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL); - CHECK_ALLOC_DONE(filter); - - attr_list = get_attr_list(memctx, idpool_attr_list); - CHECK_ALLOC_DONE(attr_list); - - rc = smbldap_search(idmap_alloc_ldap->smbldap_state, - idmap_alloc_ldap->suffix, - LDAP_SCOPE_SUBTREE, filter, - attr_list, 0, &result); - - if (rc != LDAP_SUCCESS) { - DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL)); - goto done; - } - - talloc_autofree_ldapmsg(memctx, result); - - count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, - result); - if (count != 1) { - DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL)); - goto done; - } - - entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, - result); - - id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct, - entry, type, memctx); - if ( ! id_str) { - DEBUG(0,("%s attribute not found\n", type)); - goto done; - } - if ( ! id_str) { - DEBUG(0,("Out of memory\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - xid->id = strtoul(id_str, NULL, 10); - - ret = NT_STATUS_OK; -done: - talloc_free(memctx); - return ret; -} -/********************************** - Set highest id. -**********************************/ - -static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid) -{ - TALLOC_CTX *ctx; - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - int rc = LDAP_SERVER_DOWN; - int count = 0; - LDAPMessage *result = NULL; - LDAPMessage *entry = NULL; - LDAPMod **mods = NULL; - char *new_id_str; - char *filter = NULL; - const char *dn = NULL; - const char **attr_list; - const char *type; - - /* Only do query if we are online */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - if ( ! idmap_alloc_ldap) { - return NT_STATUS_UNSUCCESSFUL; - } - - ctx = talloc_new(idmap_alloc_ldap); - if ( ! ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - /* get type */ - switch (xid->type) { - - case ID_TYPE_UID: - type = get_attr_key2string(idpool_attr_list, - LDAP_ATTR_UIDNUMBER); - break; - - case ID_TYPE_GID: - type = get_attr_key2string(idpool_attr_list, - LDAP_ATTR_GIDNUMBER); - break; - - default: - DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type)); - return NT_STATUS_INVALID_PARAMETER; - } - - filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL); - CHECK_ALLOC_DONE(filter); - - attr_list = get_attr_list(ctx, idpool_attr_list); - CHECK_ALLOC_DONE(attr_list); - - rc = smbldap_search(idmap_alloc_ldap->smbldap_state, - idmap_alloc_ldap->suffix, - LDAP_SCOPE_SUBTREE, filter, - attr_list, 0, &result); - - if (rc != LDAP_SUCCESS) { - DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL)); - goto done; - } - - talloc_autofree_ldapmsg(ctx, result); - - count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, - result); - if (count != 1) { - DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL)); - goto done; - } - - entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, - result); - - dn = smbldap_talloc_dn(ctx, - idmap_alloc_ldap->smbldap_state->ldap_struct, - entry); - if ( ! dn) { - goto done; - } - - new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id); - if ( ! new_id_str) { - DEBUG(0,("Out of memory\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - smbldap_set_mod(&mods, LDAP_MOD_REPLACE, type, new_id_str); - - if (mods == NULL) { - DEBUG(0,("smbldap_set_mod() failed.\n")); - goto done; - } - - rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods); - - ldap_mods_free(mods, True); - - if (rc != LDAP_SUCCESS) { - DEBUG(1,("Failed to allocate new %s. " - "smbldap_modify() failed.\n", type)); - goto done; - } - - ret = NT_STATUS_OK; - -done: - talloc_free(ctx); - return ret; -} - -/********************************** - Close idmap ldap alloc -**********************************/ - -static NTSTATUS idmap_ldap_alloc_close(void) -{ - if (idmap_alloc_ldap) { - smbldap_free_struct(&idmap_alloc_ldap->smbldap_state); - DEBUG(5,("The connection to the LDAP server was closed\n")); - /* maybe free the results here --metze */ - TALLOC_FREE(idmap_alloc_ldap); - } - return NT_STATUS_OK; -} - - -/********************************************************************** - IDMAP MAPPING LDAP BACKEND -**********************************************************************/ - -static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx) -{ - smbldap_free_struct(&ctx->smbldap_state); - DEBUG(5,("The connection to the LDAP server was closed\n")); - /* maybe free the results here --metze */ - - return 0; -} - -/******************************** - Initialise idmap database. -********************************/ - -static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom) -{ - NTSTATUS ret; - struct idmap_ldap_context *ctx = NULL; - char *config_option = NULL; - const char *range = NULL; - const char *tmp = NULL; - - /* Only do init if we are online */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context); - if ( ! ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - config_option = talloc_asprintf(ctx, "idmap config %s", dom->name); - if ( ! config_option) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - /* load ranges */ - range = lp_parm_const_string(-1, config_option, "range", NULL); - if (range && range[0]) { - if ((sscanf(range, "%u - %u", &ctx->filter_low_id, - &ctx->filter_high_id) != 2) || - (ctx->filter_low_id > ctx->filter_high_id)) { - DEBUG(1, ("ERROR: invalid filter range [%s]", range)); - ctx->filter_low_id = 0; - ctx->filter_high_id = 0; - } - } - - if (dom->params && *(dom->params)) { - /* assume location is the only parameter */ - ctx->url = talloc_strdup(ctx, dom->params); - } else { - tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL); - - if ( ! tmp) { - DEBUG(1, ("ERROR: missing idmap ldap url\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - ctx->url = talloc_strdup(ctx, tmp); - } - CHECK_ALLOC_DONE(ctx->url); - - tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL); - if ( ! tmp || ! *tmp) { - tmp = lp_ldap_idmap_suffix(); - if ( ! tmp) { - DEBUG(1, ("ERROR: missing idmap ldap suffix\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - } - - ctx->suffix = talloc_strdup(ctx, tmp); - CHECK_ALLOC_DONE(ctx->suffix); - - ret = smbldap_init(ctx, winbind_event_context(), ctx->url, - &ctx->smbldap_state); - if (!NT_STATUS_IS_OK(ret)) { - DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url)); - goto done; - } - - ret = get_credentials( ctx, ctx->smbldap_state, config_option, - dom, &ctx->user_dn ); - if ( !NT_STATUS_IS_OK(ret) ) { - DEBUG(1,("idmap_ldap_db_init: Failed to get connection " - "credentials (%s)\n", nt_errstr(ret))); - goto done; - } - - /* set the destructor on the context, so that resource are properly - freed if the contexts is released */ - - talloc_set_destructor(ctx, idmap_ldap_close_destructor); - - dom->private_data = ctx; - dom->initialized = True; - - talloc_free(config_option); - return NT_STATUS_OK; - -/*failed */ -done: - talloc_free(ctx); - return ret; -} - -/* max number of ids requested per batch query */ -#define IDMAP_LDAP_MAX_IDS 30 - -/********************************** - lookup a set of unix ids. -**********************************/ - -/* this function searches up to IDMAP_LDAP_MAX_IDS entries - * in maps for a match */ -static struct id_map *find_map_by_id(struct id_map **maps, - enum id_type type, - uint32_t id) -{ - int i; - - for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) { - if (maps[i] == NULL) { /* end of the run */ - return NULL; - } - if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) { - return maps[i]; - } - } - - return NULL; -} - -static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom, - struct id_map **ids) -{ - NTSTATUS ret; - TALLOC_CTX *memctx; - struct idmap_ldap_context *ctx; - LDAPMessage *result = NULL; - const char *uidNumber; - const char *gidNumber; - const char **attr_list; - char *filter = NULL; - BOOL multi = False; - int idx = 0; - int bidx = 0; - int count; - int rc; - int i; - - /* Only do query if we are online */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - /* Initilization my have been deferred because we were offline */ - if ( ! dom->initialized) { - ret = idmap_ldap_db_init(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context); - - memctx = talloc_new(ctx); - if ( ! memctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER); - gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER); - - attr_list = get_attr_list(memctx, sidmap_attr_list); - - if ( ! ids[1]) { - /* if we are requested just one mapping use the simple filter */ - - filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))", - LDAP_OBJ_IDMAP_ENTRY, - (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber, - (unsigned long)ids[0]->xid.id); - CHECK_ALLOC_DONE(filter); - DEBUG(10, ("Filter: [%s]\n", filter)); - } else { - /* multiple mappings */ - multi = True; - } - -again: - if (multi) { - - talloc_free(filter); - filter = talloc_asprintf(memctx, - "(&(objectClass=%s)(|", - LDAP_OBJ_IDMAP_ENTRY); - CHECK_ALLOC_DONE(filter); - - bidx = idx; - for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) { - filter = talloc_asprintf_append(filter, "(%s=%lu)", - (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber, - (unsigned long)ids[idx]->xid.id); - CHECK_ALLOC_DONE(filter); - } - filter = talloc_asprintf_append(filter, "))"); - CHECK_ALLOC_DONE(filter); - DEBUG(10, ("Filter: [%s]\n", filter)); - } else { - bidx = 0; - idx = 1; - } - - rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE, - filter, attr_list, 0, &result); - - if (rc != LDAP_SUCCESS) { - DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc))); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result); - - if (count == 0) { - DEBUG(10, ("NO SIDs found\n")); - } - - for (i = 0; i < count; i++) { - LDAPMessage *entry = NULL; - char *sidstr = NULL; - char *tmp = NULL; - enum id_type type; - struct id_map *map; - uint32_t id; - - if (i == 0) { /* first entry */ - entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, - result); - } else { /* following ones */ - entry = ldap_next_entry(ctx->smbldap_state->ldap_struct, - entry); - } - if ( ! entry) { - DEBUG(2, ("ERROR: Unable to fetch ldap entries " - "from results\n")); - break; - } - - /* first check if the SID is present */ - sidstr = smbldap_talloc_single_attribute( - ctx->smbldap_state->ldap_struct, - entry, LDAP_ATTRIBUTE_SID, memctx); - if ( ! sidstr) { /* no sid, skip entry */ - DEBUG(2, ("WARNING SID not found on entry\n")); - continue; - } - - /* now try to see if it is a uid, if not try with a gid - * (gid is more common, but in case both uidNumber and - * gidNumber are returned the SID is mapped to the uid - *not the gid) */ - type = ID_TYPE_UID; - tmp = smbldap_talloc_single_attribute( - ctx->smbldap_state->ldap_struct, - entry, uidNumber, memctx); - if ( ! tmp) { - type = ID_TYPE_GID; - tmp = smbldap_talloc_single_attribute( - ctx->smbldap_state->ldap_struct, - entry, gidNumber, memctx); - } - if ( ! tmp) { /* wow very strange entry, how did it match ? */ - DEBUG(5, ("Unprobable match on (%s), no uidNumber, " - "nor gidNumber returned\n", sidstr)); - TALLOC_FREE(sidstr); - continue; - } - - id = strtoul(tmp, NULL, 10); - if ((id == 0) || - (ctx->filter_low_id && (id < ctx->filter_low_id)) || - (ctx->filter_high_id && (id > ctx->filter_high_id))) { - DEBUG(5, ("Requested id (%u) out of range (%u - %u). " - "Filtered!\n", id, - ctx->filter_low_id, ctx->filter_high_id)); - TALLOC_FREE(sidstr); - TALLOC_FREE(tmp); - continue; - } - TALLOC_FREE(tmp); - - map = find_map_by_id(&ids[bidx], type, id); - if (!map) { - DEBUG(2, ("WARNING: couldn't match sid (%s) " - "with requested ids\n", sidstr)); - TALLOC_FREE(sidstr); - continue; - } - - if ( ! string_to_sid(map->sid, sidstr)) { - DEBUG(2, ("ERROR: Invalid SID on entry\n")); - TALLOC_FREE(sidstr); - continue; - } - TALLOC_FREE(sidstr); - - /* mapped */ - map->status = ID_MAPPED; - - DEBUG(10, ("Mapped %s -> %lu (%d)\n", - sid_string_static(map->sid), - (unsigned long)map->xid.id, map->xid.type)); - } - - /* free the ldap results */ - if (result) { - ldap_msgfree(result); - result = NULL; - } - - if (multi && ids[idx]) { /* still some values to map */ - goto again; - } - - ret = NT_STATUS_OK; - - /* mark all unknwon/expired ones as unmapped */ - for (i = 0; ids[i]; i++) { - if (ids[i]->status != ID_MAPPED) - ids[i]->status = ID_UNMAPPED; - } - -done: - talloc_free(memctx); - return ret; -} - -/********************************** - lookup a set of sids. -**********************************/ - -/* this function searches up to IDMAP_LDAP_MAX_IDS entries - * in maps for a match */ -static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid) -{ - int i; - - for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) { - if (maps[i] == NULL) { /* end of the run */ - return NULL; - } - if (sid_equal(maps[i]->sid, sid)) { - return maps[i]; - } - } - - return NULL; -} - -static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom, - struct id_map **ids) -{ - LDAPMessage *entry = NULL; - NTSTATUS ret; - TALLOC_CTX *memctx; - struct idmap_ldap_context *ctx; - LDAPMessage *result = NULL; - const char *uidNumber; - const char *gidNumber; - const char **attr_list; - char *filter = NULL; - BOOL multi = False; - int idx = 0; - int bidx = 0; - int count; - int rc; - int i; - - /* Only do query if we are online */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - /* Initilization my have been deferred because we were offline */ - if ( ! dom->initialized) { - ret = idmap_ldap_db_init(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context); - - memctx = talloc_new(ctx); - if ( ! memctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER); - gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER); - - attr_list = get_attr_list(memctx, sidmap_attr_list); - - if ( ! ids[1]) { - /* if we are requested just one mapping use the simple filter */ - - filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))", - LDAP_OBJ_IDMAP_ENTRY, - LDAP_ATTRIBUTE_SID, - sid_string_static(ids[0]->sid)); - CHECK_ALLOC_DONE(filter); - DEBUG(10, ("Filter: [%s]\n", filter)); - } else { - /* multiple mappings */ - multi = True; - } - -again: - if (multi) { - - TALLOC_FREE(filter); - filter = talloc_asprintf(memctx, - "(&(objectClass=%s)(|", - LDAP_OBJ_IDMAP_ENTRY); - CHECK_ALLOC_DONE(filter); - - bidx = idx; - for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) { - filter = talloc_asprintf_append(filter, "(%s=%s)", - LDAP_ATTRIBUTE_SID, - sid_string_static(ids[idx]->sid)); - CHECK_ALLOC_DONE(filter); - } - filter = talloc_asprintf_append(filter, "))"); - CHECK_ALLOC_DONE(filter); - DEBUG(10, ("Filter: [%s]", filter)); - } else { - bidx = 0; - idx = 1; - } - - rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE, - filter, attr_list, 0, &result); - - if (rc != LDAP_SUCCESS) { - DEBUG(3,("Failure looking up sids (%s)\n", - ldap_err2string(rc))); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result); - - if (count == 0) { - DEBUG(10, ("NO SIDs found\n")); - } - - for (i = 0; i < count; i++) { - char *sidstr = NULL; - char *tmp = NULL; - enum id_type type; - struct id_map *map; - DOM_SID sid; - uint32_t id; - - if (i == 0) { /* first entry */ - entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, - result); - } else { /* following ones */ - entry = ldap_next_entry(ctx->smbldap_state->ldap_struct, - entry); - } - if ( ! entry) { - DEBUG(2, ("ERROR: Unable to fetch ldap entries " - "from results\n")); - break; - } - - /* first check if the SID is present */ - sidstr = smbldap_talloc_single_attribute( - ctx->smbldap_state->ldap_struct, - entry, LDAP_ATTRIBUTE_SID, memctx); - if ( ! sidstr) { /* no sid ??, skip entry */ - DEBUG(2, ("WARNING SID not found on entry\n")); - continue; - } - - if ( ! string_to_sid(&sid, sidstr)) { - DEBUG(2, ("ERROR: Invalid SID on entry\n")); - TALLOC_FREE(sidstr); - continue; - } - - map = find_map_by_sid(&ids[bidx], &sid); - if (!map) { - DEBUG(2, ("WARNING: couldn't find entry sid (%s) " - "in ids", sidstr)); - TALLOC_FREE(sidstr); - continue; - } - - TALLOC_FREE(sidstr); - - /* now try to see if it is a uid, if not try with a gid - * (gid is more common, but in case both uidNumber and - * gidNumber are returned the SID is mapped to the uid - * not the gid) */ - type = ID_TYPE_UID; - tmp = smbldap_talloc_single_attribute( - ctx->smbldap_state->ldap_struct, - entry, uidNumber, memctx); - if ( ! tmp) { - type = ID_TYPE_GID; - tmp = smbldap_talloc_single_attribute( - ctx->smbldap_state->ldap_struct, - entry, gidNumber, memctx); - } - if ( ! tmp) { /* no ids ?? */ - DEBUG(5, ("no uidNumber, " - "nor gidNumber attributes found\n")); - continue; - } - - id = strtoul(tmp, NULL, 10); - if ((id == 0) || - (ctx->filter_low_id && (id < ctx->filter_low_id)) || - (ctx->filter_high_id && (id > ctx->filter_high_id))) { - DEBUG(5, ("Requested id (%u) out of range (%u - %u). " - "Filtered!\n", id, - ctx->filter_low_id, ctx->filter_high_id)); - TALLOC_FREE(tmp); - continue; - } - TALLOC_FREE(tmp); - - /* mapped */ - map->xid.type = type; - map->xid.id = id; - map->status = ID_MAPPED; - - DEBUG(10, ("Mapped %s -> %lu (%d)\n", - sid_string_static(map->sid), - (unsigned long)map->xid.id, map->xid.type)); - } - - /* free the ldap results */ - if (result) { - ldap_msgfree(result); - result = NULL; - } - - if (multi && ids[idx]) { /* still some values to map */ - goto again; - } - - ret = NT_STATUS_OK; - - /* mark all unknwon/expired ones as unmapped */ - for (i = 0; ids[i]; i++) { - if (ids[i]->status != ID_MAPPED) - ids[i]->status = ID_UNMAPPED; - } - -done: - talloc_free(memctx); - return ret; -} - -/********************************** - set a mapping. -**********************************/ - -/* TODO: change this: This function cannot be called to modify a mapping, - * only set a new one */ - -static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom, - const struct id_map *map) -{ - NTSTATUS ret; - TALLOC_CTX *memctx; - struct idmap_ldap_context *ctx; - LDAPMessage *entry = NULL; - LDAPMod **mods = NULL; - const char *type; - char *id_str; - char *sid; - char *dn; - int rc = -1; - - /* Only do query if we are online */ - if (idmap_is_offline()) { - return NT_STATUS_FILE_IS_OFFLINE; - } - - /* Initilization my have been deferred because we were offline */ - if ( ! dom->initialized) { - ret = idmap_ldap_db_init(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context); - - switch(map->xid.type) { - case ID_TYPE_UID: - type = get_attr_key2string(sidmap_attr_list, - LDAP_ATTR_UIDNUMBER); - break; - - case ID_TYPE_GID: - type = get_attr_key2string(sidmap_attr_list, - LDAP_ATTR_GIDNUMBER); - break; - - default: - return NT_STATUS_INVALID_PARAMETER; - } - - memctx = talloc_new(ctx); - if ( ! memctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id); - CHECK_ALLOC_DONE(id_str); - - sid = talloc_strdup(memctx, sid_string_static(map->sid)); - CHECK_ALLOC_DONE(sid); - - dn = talloc_asprintf(memctx, "%s=%s,%s", - get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID), - sid, - ctx->suffix); - CHECK_ALLOC_DONE(dn); - - smbldap_set_mod(&mods, LDAP_MOD_ADD, - "objectClass", LDAP_OBJ_IDMAP_ENTRY); - - smbldap_make_mod(ctx->smbldap_state->ldap_struct, - entry, &mods, type, id_str); - - smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods, - get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID), - sid); - - if ( ! mods) { - DEBUG(2, ("ERROR: No mods?\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - /* TODO: remove conflicting mappings! */ - - smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY); - - DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str)); - - rc = smbldap_add(ctx->smbldap_state, dn, mods); - ldap_mods_free(mods, True); - - if (rc != LDAP_SUCCESS) { - char *ld_error = NULL; - ldap_get_option(ctx->smbldap_state->ldap_struct, - LDAP_OPT_ERROR_STRING, &ld_error); - DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu " - "mapping [%s]\n", sid, - (unsigned long)map->xid.id, type)); - DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n", - ld_error ? ld_error : "(NULL)", ldap_err2string (rc))); - if (ld_error) { - ldap_memfree(ld_error); - } - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to " - "%lu [%s]\n", sid, (unsigned long)map->xid.id, type)); - - ret = NT_STATUS_OK; - -done: - talloc_free(memctx); - return ret; -} - -/********************************** - Close the idmap ldap instance -**********************************/ - -static NTSTATUS idmap_ldap_close(struct idmap_domain *dom) -{ - struct idmap_ldap_context *ctx; - - if (dom->private_data) { - ctx = talloc_get_type(dom->private_data, - struct idmap_ldap_context); - - talloc_free(ctx); - dom->private_data = NULL; - } - - return NT_STATUS_OK; -} - -static struct idmap_methods idmap_ldap_methods = { - - .init = idmap_ldap_db_init, - .unixids_to_sids = idmap_ldap_unixids_to_sids, - .sids_to_unixids = idmap_ldap_sids_to_unixids, - .set_mapping = idmap_ldap_set_mapping, - .close_fn = idmap_ldap_close -}; - -static struct idmap_alloc_methods idmap_ldap_alloc_methods = { - - .init = idmap_ldap_alloc_init, - .allocate_id = idmap_ldap_allocate_id, - .get_id_hwm = idmap_ldap_get_hwm, - .set_id_hwm = idmap_ldap_set_hwm, - .close_fn = idmap_ldap_alloc_close, - /* .dump_data = TODO */ -}; - -NTSTATUS idmap_alloc_ldap_init(void) -{ - return smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "ldap", - &idmap_ldap_alloc_methods); -} - -NTSTATUS idmap_ldap_init(void) -{ - NTSTATUS ret; - - /* FIXME: bad hack to actually register also the alloc_ldap module - * without changining configure.in */ - ret = idmap_alloc_ldap_init(); - if (! NT_STATUS_IS_OK(ret)) { - return ret; - } - return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap", - &idmap_ldap_methods); -} - diff --git a/source3/nsswitch/idmap_nss.c b/source3/nsswitch/idmap_nss.c deleted file mode 100644 index 5bb2389c93..0000000000 --- a/source3/nsswitch/idmap_nss.c +++ /dev/null @@ -1,223 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - idmap PASSDB backend - - Copyright (C) Simo Sorce 2006 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_IDMAP - -/***************************** - Initialise idmap database. -*****************************/ - -static NTSTATUS idmap_nss_int_init(struct idmap_domain *dom) -{ - dom->initialized = True; - return NT_STATUS_OK; -} - -/********************************** - lookup a set of unix ids. -**********************************/ - -static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids) -{ - TALLOC_CTX *ctx; - int i; - - if (! dom->initialized) { - return NT_STATUS_UNSUCCESSFUL; - } - - ctx = talloc_new(dom); - if ( ! ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - for (i = 0; ids[i]; i++) { - struct passwd *pw; - struct group *gr; - const char *name; - enum lsa_SidType type; - BOOL ret; - - switch (ids[i]->xid.type) { - case ID_TYPE_UID: - pw = getpwuid((uid_t)ids[i]->xid.id); - - if (!pw) { - ids[i]->status = ID_UNMAPPED; - continue; - } - name = pw->pw_name; - break; - case ID_TYPE_GID: - gr = getgrgid((gid_t)ids[i]->xid.id); - - if (!gr) { - ids[i]->status = ID_UNMAPPED; - continue; - } - name = gr->gr_name; - break; - default: /* ?? */ - ids[i]->status = ID_UNKNOWN; - continue; - } - - /* by default calls to winbindd are disabled - the following call will not recurse so this is safe */ - winbind_on(); - /* Lookup name from PDC using lsa_lookup_names() */ - ret = winbind_lookup_name(dom->name, name, ids[i]->sid, &type); - winbind_off(); - - if (!ret) { - /* TODO: how do we know if the name is really not mapped, - * or something just failed ? */ - ids[i]->status = ID_UNMAPPED; - continue; - } - - switch (type) { - case SID_NAME_USER: - if (ids[i]->xid.type == ID_TYPE_UID) { - ids[i]->status = ID_MAPPED; - } - break; - - case SID_NAME_DOM_GRP: - case SID_NAME_ALIAS: - case SID_NAME_WKN_GRP: - if (ids[i]->xid.type == ID_TYPE_GID) { - ids[i]->status = ID_MAPPED; - } - break; - - default: - ids[i]->status = ID_UNKNOWN; - break; - } - } - - - talloc_free(ctx); - return NT_STATUS_OK; -} - -/********************************** - lookup a set of sids. -**********************************/ - -static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids) -{ - TALLOC_CTX *ctx; - int i; - - if (! dom->initialized) { - return NT_STATUS_UNSUCCESSFUL; - } - - ctx = talloc_new(dom); - if ( ! ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - for (i = 0; ids[i]; i++) { - struct passwd *pw; - struct group *gr; - enum lsa_SidType type; - const char *dom_name = NULL; - const char *name = NULL; - BOOL ret; - - /* by default calls to winbindd are disabled - the following call will not recurse so this is safe */ - winbind_on(); - ret = winbind_lookup_sid(ctx, ids[i]->sid, &dom_name, &name, &type); - winbind_off(); - - if (!ret) { - /* TODO: how do we know if the name is really not mapped, - * or something just failed ? */ - ids[i]->status = ID_UNMAPPED; - continue; - } - - switch (type) { - case SID_NAME_USER: - - /* this will find also all lower case name and use username level */ - - pw = Get_Pwnam(name); - if (pw) { - ids[i]->xid.id = pw->pw_uid; - ids[i]->xid.type = ID_TYPE_UID; - ids[i]->status = ID_MAPPED; - } - break; - - case SID_NAME_DOM_GRP: - case SID_NAME_ALIAS: - case SID_NAME_WKN_GRP: - - gr = getgrnam(name); - if (gr) { - ids[i]->xid.id = gr->gr_gid; - ids[i]->xid.type = ID_TYPE_GID; - ids[i]->status = ID_MAPPED; - } - break; - - default: - ids[i]->status = ID_UNKNOWN; - break; - } - } - - talloc_free(ctx); - return NT_STATUS_OK; -} - -/********************************** - Close the idmap tdb instance -**********************************/ - -static NTSTATUS idmap_nss_close(struct idmap_domain *dom) -{ - return NT_STATUS_OK; -} - -static struct idmap_methods nss_methods = { - - .init = idmap_nss_int_init, - .unixids_to_sids = idmap_nss_unixids_to_sids, - .sids_to_unixids = idmap_nss_sids_to_unixids, - .close_fn = idmap_nss_close -}; - -NTSTATUS idmap_nss_init(void) -{ - return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "nss", &nss_methods); -} diff --git a/source3/nsswitch/idmap_passdb.c b/source3/nsswitch/idmap_passdb.c deleted file mode 100644 index 17afd71ab8..0000000000 --- a/source3/nsswitch/idmap_passdb.c +++ /dev/null @@ -1,139 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - idmap PASSDB backend - - Copyright (C) Simo Sorce 2006 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_IDMAP - -/***************************** - Initialise idmap database. -*****************************/ - -static NTSTATUS idmap_pdb_init(struct idmap_domain *dom) -{ - dom->initialized = True; - return NT_STATUS_OK; -} - -/********************************** - lookup a set of unix ids. -**********************************/ - -static NTSTATUS idmap_pdb_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids) -{ - int i; - - if (! dom->initialized) { - return NT_STATUS_UNSUCCESSFUL; - } - - for (i = 0; ids[i]; i++) { - - /* unmapped by default */ - ids[i]->status = ID_UNMAPPED; - - switch (ids[i]->xid.type) { - case ID_TYPE_UID: - if (pdb_uid_to_sid((uid_t)ids[i]->xid.id, ids[i]->sid)) { - ids[i]->status = ID_MAPPED; - } - break; - case ID_TYPE_GID: - if (pdb_gid_to_sid((gid_t)ids[i]->xid.id, ids[i]->sid)) { - ids[i]->status = ID_MAPPED; - } - break; - default: /* ?? */ - ids[i]->status = ID_UNKNOWN; - } - } - - return NT_STATUS_OK; -} - -/********************************** - lookup a set of sids. -**********************************/ - -static NTSTATUS idmap_pdb_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids) -{ - int i; - - if (! dom->initialized) { - return NT_STATUS_UNSUCCESSFUL; - } - - for (i = 0; ids[i]; i++) { - enum lsa_SidType type; - union unid_t id; - - if (pdb_sid_to_id(ids[i]->sid, &id, &type)) { - switch (type) { - case SID_NAME_USER: - ids[i]->xid.id = id.uid; - ids[i]->xid.type = ID_TYPE_UID; - ids[i]->status = ID_MAPPED; - break; - - case SID_NAME_DOM_GRP: - case SID_NAME_ALIAS: - case SID_NAME_WKN_GRP: - ids[i]->xid.id = id.gid; - ids[i]->xid.type = ID_TYPE_GID; - ids[i]->status = ID_MAPPED; - break; - - default: /* ?? */ - /* make sure it is marked as unmapped */ - ids[i]->status = ID_UNKNOWN; - break; - } - } else { - /* Query Failed */ - ids[i]->status = ID_UNMAPPED; - } - } - - return NT_STATUS_OK; -} - -/********************************** - Close the idmap tdb instance -**********************************/ - -static NTSTATUS idmap_pdb_close(struct idmap_domain *dom) -{ - return NT_STATUS_OK; -} - -static struct idmap_methods passdb_methods = { - - .init = idmap_pdb_init, - .unixids_to_sids = idmap_pdb_unixids_to_sids, - .sids_to_unixids = idmap_pdb_sids_to_unixids, - .close_fn =idmap_pdb_close -}; - -NTSTATUS idmap_passdb_init(void) -{ - return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "passdb", &passdb_methods); -} diff --git a/source3/nsswitch/idmap_rid.c b/source3/nsswitch/idmap_rid.c deleted file mode 100644 index 8e5f1302f7..0000000000 --- a/source3/nsswitch/idmap_rid.c +++ /dev/null @@ -1,267 +0,0 @@ -/* - * idmap_rid: static map between Active Directory/NT RIDs and RFC 2307 accounts - * Copyright (C) Guenther Deschner, 2004 - * Copyright (C) Sumit Bose, 2004 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - * - */ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_IDMAP - -struct idmap_rid_context { - const char *domain_name; - uint32_t low_id; - uint32_t high_id; - uint32_t base_rid; -}; - -/****************************************************************************** - compat params can't be used because of the completely different way - we support multiple domains in the new idmap - *****************************************************************************/ - -static NTSTATUS idmap_rid_initialize(struct idmap_domain *dom) -{ - NTSTATUS ret; - struct idmap_rid_context *ctx; - char *config_option = NULL; - const char *range; - uid_t low_uid = 0; - uid_t high_uid = 0; - gid_t low_gid = 0; - gid_t high_gid = 0; - - if ( (ctx = TALLOC_ZERO_P(dom, struct idmap_rid_context)) == NULL ) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - config_option = talloc_asprintf(ctx, "idmap config %s", dom->name); - if ( ! config_option) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto failed; - } - - range = lp_parm_const_string(-1, config_option, "range", NULL); - if ( !range || - (sscanf(range, "%u - %u", &ctx->low_id, &ctx->high_id) != 2) || - (ctx->low_id > ctx->high_id)) - { - ctx->low_id = 0; - ctx->high_id = 0; - } - - /* lets see if the range is defined by the old idmap uid/idmap gid */ - if (!ctx->low_id && !ctx->high_id) { - if (lp_idmap_uid(&low_uid, &high_uid)) { - ctx->low_id = low_uid; - ctx->high_id = high_uid; - } - - if (lp_idmap_gid(&low_gid, &high_gid)) { - if ((ctx->low_id != low_gid) || - (ctx->high_id != high_uid)) { - DEBUG(1, ("ERROR: idmap uid range must match idmap gid range\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto failed; - } - } - } - - if (!ctx->low_id || !ctx->high_id) { - DEBUG(1, ("ERROR: Invalid configuration, ID range missing or invalid\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto failed; - } - - ctx->base_rid = lp_parm_int(-1, config_option, "base_rid", 0); - ctx->domain_name = talloc_strdup( ctx, dom->name ); - - dom->private_data = ctx; - dom->initialized = True; - - talloc_free(config_option); - return NT_STATUS_OK; - -failed: - talloc_free(ctx); - return ret; -} - -static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context *ctx, struct id_map *map) -{ - struct winbindd_domain *domain; - - /* apply filters before checking */ - if ((map->xid.id < ctx->low_id) || (map->xid.id > ctx->high_id)) { - DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n", - map->xid.id, ctx->low_id, ctx->high_id)); - return NT_STATUS_NONE_MAPPED; - } - - if ( (domain = find_domain_from_name_noinit(ctx->domain_name)) == NULL ) { - return NT_STATUS_NO_SUCH_DOMAIN; - } - - sid_compose(map->sid, &domain->sid, map->xid.id - ctx->low_id + ctx->base_rid); - - /* We **really** should have some way of validating - the SID exists and is the correct type here. But - that is a deficiency in the idmap_rid design. */ - - map->status = ID_MAPPED; - - return NT_STATUS_OK; -} - -/********************************** - Single sid to id lookup function. -**********************************/ - -static NTSTATUS idmap_rid_sid_to_id(TALLOC_CTX *memctx, struct idmap_rid_context *ctx, struct id_map *map) -{ - uint32_t rid; - - sid_peek_rid(map->sid, &rid); - map->xid.id = rid - ctx->base_rid + ctx->low_id; - - /* apply filters before returning result */ - - if ((map->xid.id < ctx->low_id) || (map->xid.id > ctx->high_id)) { - DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n", - map->xid.id, ctx->low_id, ctx->high_id)); - map->status = ID_UNMAPPED; - return NT_STATUS_NONE_MAPPED; - } - - /* We **really** should have some way of validating - the SID exists and is the correct type here. But - that is a deficiency in the idmap_rid design. */ - - map->status = ID_MAPPED; - - return NT_STATUS_OK; -} - -/********************************** - lookup a set of unix ids. -**********************************/ - -static NTSTATUS idmap_rid_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids) -{ - struct idmap_rid_context *ridctx; - TALLOC_CTX *ctx; - NTSTATUS ret; - int i; - - /* Initilization my have been deferred because of an error, retry or fail */ - if ( ! dom->initialized) { - ret = idmap_rid_initialize(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - ridctx = talloc_get_type(dom->private_data, struct idmap_rid_context); - - ctx = talloc_new(dom); - if ( ! ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - for (i = 0; ids[i]; i++) { - - ret = idmap_rid_id_to_sid(ctx, ridctx, ids[i]); - - if (( ! NT_STATUS_IS_OK(ret)) && - ( ! NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) { - /* some fatal error occurred, log it */ - DEBUG(3, ("Unexpected error resolving an ID (%d)\n", ids[i]->xid.id)); - } - } - - talloc_free(ctx); - return NT_STATUS_OK; -} - -/********************************** - lookup a set of sids. -**********************************/ - -static NTSTATUS idmap_rid_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids) -{ - struct idmap_rid_context *ridctx; - TALLOC_CTX *ctx; - NTSTATUS ret; - int i; - - /* Initilization my have been deferred because of an error, retry or fail */ - if ( ! dom->initialized) { - ret = idmap_rid_initialize(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - ridctx = talloc_get_type(dom->private_data, struct idmap_rid_context); - - ctx = talloc_new(dom); - if ( ! ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - for (i = 0; ids[i]; i++) { - - ret = idmap_rid_sid_to_id(ctx, ridctx, ids[i]); - - if (( ! NT_STATUS_IS_OK(ret)) && - ( ! NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) { - /* some fatal error occurred, log it */ - DEBUG(3, ("Unexpected error resolving a SID (%s)\n", - sid_string_static(ids[i]->sid))); - } - } - - talloc_free(ctx); - return NT_STATUS_OK; -} - -static NTSTATUS idmap_rid_close(struct idmap_domain *dom) -{ - if (dom->private_data) { - TALLOC_FREE(dom->private_data); - } - return NT_STATUS_OK; -} - -static struct idmap_methods rid_methods = { - .init = idmap_rid_initialize, - .unixids_to_sids = idmap_rid_unixids_to_sids, - .sids_to_unixids = idmap_rid_sids_to_unixids, - .close_fn = idmap_rid_close -}; - -NTSTATUS idmap_rid_init(void) -{ - return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "rid", &rid_methods); -} - diff --git a/source3/nsswitch/idmap_tdb.c b/source3/nsswitch/idmap_tdb.c deleted file mode 100644 index 97000689fa..0000000000 --- a/source3/nsswitch/idmap_tdb.c +++ /dev/null @@ -1,1232 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - idmap TDB backend - - Copyright (C) Tim Potter 2000 - Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003 - Copyright (C) Jeremy Allison 2006 - Copyright (C) Simo Sorce 2003-2006 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_IDMAP - -/* High water mark keys */ -#define HWM_GROUP "GROUP HWM" -#define HWM_USER "USER HWM" - -static struct idmap_tdb_state { - - /* User and group id pool */ - uid_t low_uid, high_uid; /* Range of uids to allocate */ - gid_t low_gid, high_gid; /* Range of gids to allocate */ - -} idmap_tdb_state; - -/***************************************************************************** - For idmap conversion: convert one record to new format - Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid - instead of the SID. -*****************************************************************************/ -static int convert_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA data, void *state) -{ - struct winbindd_domain *domain; - char *p; - DOM_SID sid; - uint32 rid; - fstring keystr; - fstring dom_name; - TDB_DATA key2; - BOOL *failed = (BOOL *)state; - - DEBUG(10,("Converting %s\n", (const char *)key.dptr)); - - p = strchr((const char *)key.dptr, '/'); - if (!p) - return 0; - - *p = 0; - fstrcpy(dom_name, (const char *)key.dptr); - *p++ = '/'; - - domain = find_domain_from_name(dom_name); - if (domain == NULL) { - /* We must delete the old record. */ - DEBUG(0,("Unable to find domain %s\n", dom_name )); - DEBUG(0,("deleting record %s\n", (const char *)key.dptr )); - - if (tdb_delete(tdb, key) != 0) { - DEBUG(0, ("Unable to delete record %s\n", (const char *)key.dptr)); - *failed = True; - return -1; - } - - return 0; - } - - rid = atoi(p); - - sid_copy(&sid, &domain->sid); - sid_append_rid(&sid, rid); - - sid_to_string(keystr, &sid); - key2 = string_term_tdb_data(keystr); - - if (tdb_store(tdb, key2, data, TDB_INSERT) != 0) { - DEBUG(0,("Unable to add record %s\n", (const char *)key2.dptr )); - *failed = True; - return -1; - } - - if (tdb_store(tdb, data, key2, TDB_REPLACE) != 0) { - DEBUG(0,("Unable to update record %s\n", (const char *)data.dptr )); - *failed = True; - return -1; - } - - if (tdb_delete(tdb, key) != 0) { - DEBUG(0,("Unable to delete record %s\n", (const char *)key.dptr )); - *failed = True; - return -1; - } - - return 0; -} - -/***************************************************************************** - Convert the idmap database from an older version. -*****************************************************************************/ - -static BOOL idmap_tdb_upgrade(const char *idmap_name) -{ - int32 vers; - BOOL bigendianheader; - BOOL failed = False; - TDB_CONTEXT *idmap_tdb; - - DEBUG(0, ("Upgrading winbindd_idmap.tdb from an old version\n")); - - if (!(idmap_tdb = tdb_open_log(idmap_name, 0, - TDB_DEFAULT, O_RDWR, - 0600))) { - DEBUG(0, ("Unable to open idmap database\n")); - return False; - } - - bigendianheader = (tdb_get_flags(idmap_tdb) & TDB_BIGENDIAN) ? True : False; - - vers = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION"); - - if (((vers == -1) && bigendianheader) || (IREV(vers) == IDMAP_VERSION)) { - /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */ - /* - * high and low records were created on a - * big endian machine and will need byte-reversing. - */ - - int32 wm; - - wm = tdb_fetch_int32(idmap_tdb, HWM_USER); - - if (wm != -1) { - wm = IREV(wm); - } else { - wm = idmap_tdb_state.low_uid; - } - - if (tdb_store_int32(idmap_tdb, HWM_USER, wm) == -1) { - DEBUG(0, ("Unable to byteswap user hwm in idmap database\n")); - tdb_close(idmap_tdb); - return False; - } - - wm = tdb_fetch_int32(idmap_tdb, HWM_GROUP); - if (wm != -1) { - wm = IREV(wm); - } else { - wm = idmap_tdb_state.low_gid; - } - - if (tdb_store_int32(idmap_tdb, HWM_GROUP, wm) == -1) { - DEBUG(0, ("Unable to byteswap group hwm in idmap database\n")); - tdb_close(idmap_tdb); - return False; - } - } - - /* the old format stored as DOMAIN/rid - now we store the SID direct */ - tdb_traverse(idmap_tdb, convert_fn, &failed); - - if (failed) { - DEBUG(0, ("Problem during conversion\n")); - tdb_close(idmap_tdb); - return False; - } - - if (tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION) == -1) { - DEBUG(0, ("Unable to dtore idmap version in databse\n")); - tdb_close(idmap_tdb); - return False; - } - - tdb_close(idmap_tdb); - return True; -} - -/* WARNING: We can't open a tdb twice inthe same process, for that reason - * I'm going to use a hack with open ref counts to open the winbindd_idmap.tdb - * only once. We will later decide whether to split the db in multiple files - * or come up with a better solution to share them. */ - -static TDB_CONTEXT *idmap_tdb_common_ctx; -static int idmap_tdb_open_ref_count = 0; - -static NTSTATUS idmap_tdb_open_db(TALLOC_CTX *memctx, TDB_CONTEXT **tdbctx) -{ - NTSTATUS ret; - TALLOC_CTX *ctx; - SMB_STRUCT_STAT stbuf; - char *tdbfile = NULL; - int32 version; - BOOL tdb_is_new = False; - - if (idmap_tdb_open_ref_count) { /* the tdb has already been opened */ - idmap_tdb_open_ref_count++; - *tdbctx = idmap_tdb_common_ctx; - return NT_STATUS_OK; - } - - /* use our own context here */ - ctx = talloc_new(memctx); - if (!ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - /* use the old database if present */ - tdbfile = talloc_strdup(ctx, lock_path("winbindd_idmap.tdb")); - if (!tdbfile) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - if (!file_exist(tdbfile, &stbuf)) { - tdb_is_new = True; - } - - DEBUG(10,("Opening tdbfile %s\n", tdbfile )); - - /* Open idmap repository */ - if (!(idmap_tdb_common_ctx = tdb_open_log(tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644))) { - DEBUG(0, ("Unable to open idmap database\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - if (tdb_is_new) { - /* the file didn't existed before opening it, let's - * store idmap version as nobody else yet opened and - * stored it. I do not like this method but didn't - * found a way to understand if an opened tdb have - * been just created or not --- SSS */ - tdb_store_int32(idmap_tdb_common_ctx, "IDMAP_VERSION", IDMAP_VERSION); - } - - /* check against earlier versions */ - version = tdb_fetch_int32(idmap_tdb_common_ctx, "IDMAP_VERSION"); - if (version != IDMAP_VERSION) { - - /* backup_tdb expects the tdb not to be open */ - tdb_close(idmap_tdb_common_ctx); - - if ( ! idmap_tdb_upgrade(tdbfile)) { - - DEBUG(0, ("Unable to open idmap database, it's in an old formati, and upgrade failed!\n")); - ret = NT_STATUS_INTERNAL_DB_ERROR; - goto done; - } - - /* Re-Open idmap repository */ - if (!(idmap_tdb_common_ctx = tdb_open_log(tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644))) { - DEBUG(0, ("Unable to open idmap database\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - } - - *tdbctx = idmap_tdb_common_ctx; - idmap_tdb_open_ref_count++; - ret = NT_STATUS_OK; - -done: - talloc_free(ctx); - return ret; -} - - /* NEVER use tdb_close() except for the conversion routines that are guaranteed - * to run only when the database is opened the first time, always use this function. */ - -BOOL idmap_tdb_tdb_close(TDB_CONTEXT *tdbctx) -{ - if (tdbctx != idmap_tdb_common_ctx) { - DEBUG(0, ("ERROR: Invalid tdb context!")); - return False; - } - - idmap_tdb_open_ref_count--; - if (idmap_tdb_open_ref_count) { - return True; - } - - return tdb_close(idmap_tdb_common_ctx); -} - -/********************************************************************** - IDMAP ALLOC TDB BACKEND -**********************************************************************/ - -static TDB_CONTEXT *idmap_alloc_tdb; - -/********************************** - Initialise idmap alloc database. -**********************************/ - -static NTSTATUS idmap_tdb_alloc_init( const char *params ) -{ - NTSTATUS ret; - TALLOC_CTX *ctx; - const char *range; - uid_t low_uid = 0; - uid_t high_uid = 0; - gid_t low_gid = 0; - gid_t high_gid = 0; - - /* use our own context here */ - ctx = talloc_new(NULL); - if (!ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - ret = idmap_tdb_open_db(ctx, &idmap_alloc_tdb); - if ( ! NT_STATUS_IS_OK(ret)) { - talloc_free(ctx); - return ret; - } - - talloc_free(ctx); - - /* load ranges */ - idmap_tdb_state.low_uid = 0; - idmap_tdb_state.high_uid = 0; - idmap_tdb_state.low_gid = 0; - idmap_tdb_state.high_gid = 0; - - range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL); - if (range && range[0]) { - unsigned low_id, high_id; - - if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) { - if (low_id < high_id) { - idmap_tdb_state.low_gid = idmap_tdb_state.low_uid = low_id; - idmap_tdb_state.high_gid = idmap_tdb_state.high_uid = high_id; - } else { - DEBUG(1, ("ERROR: invalid idmap alloc range [%s]", range)); - } - } else { - DEBUG(1, ("ERROR: invalid syntax for idmap alloc config:range [%s]", range)); - } - } - - /* Create high water marks for group and user id */ - if (lp_idmap_uid(&low_uid, &high_uid)) { - idmap_tdb_state.low_uid = low_uid; - idmap_tdb_state.high_uid = high_uid; - } - - if (lp_idmap_gid(&low_gid, &high_gid)) { - idmap_tdb_state.low_gid = low_gid; - idmap_tdb_state.high_gid = high_gid; - } - - if (idmap_tdb_state.high_uid <= idmap_tdb_state.low_uid) { - DEBUG(1, ("idmap uid range missing or invalid\n")); - DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n")); - return NT_STATUS_UNSUCCESSFUL; - } else { - uint32 low_id; - - if (((low_id = tdb_fetch_int32(idmap_alloc_tdb, HWM_USER)) == -1) || - (low_id < idmap_tdb_state.low_uid)) { - if (tdb_store_int32(idmap_alloc_tdb, HWM_USER, idmap_tdb_state.low_uid) == -1) { - DEBUG(0, ("Unable to initialise user hwm in idmap database\n")); - return NT_STATUS_INTERNAL_DB_ERROR; - } - } - } - - if (idmap_tdb_state.high_gid <= idmap_tdb_state.low_gid) { - DEBUG(1, ("idmap gid range missing or invalid\n")); - DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n")); - return NT_STATUS_UNSUCCESSFUL; - } else { - uint32 low_id; - - if (((low_id = tdb_fetch_int32(idmap_alloc_tdb, HWM_GROUP)) == -1) || - (low_id < idmap_tdb_state.low_gid)) { - if (tdb_store_int32(idmap_alloc_tdb, HWM_GROUP, idmap_tdb_state.low_gid) == -1) { - DEBUG(0, ("Unable to initialise group hwm in idmap database\n")); - return NT_STATUS_INTERNAL_DB_ERROR; - } - } - } - - return NT_STATUS_OK; -} - -/********************************** - Allocate a new id. -**********************************/ - -static NTSTATUS idmap_tdb_allocate_id(struct unixid *xid) -{ - BOOL ret; - const char *hwmkey; - const char *hwmtype; - uint32_t high_hwm; - uint32_t hwm; - - /* Get current high water mark */ - switch (xid->type) { - - case ID_TYPE_UID: - hwmkey = HWM_USER; - hwmtype = "UID"; - high_hwm = idmap_tdb_state.high_uid; - break; - - case ID_TYPE_GID: - hwmkey = HWM_GROUP; - hwmtype = "GID"; - high_hwm = idmap_tdb_state.high_gid; - break; - - default: - DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type)); - return NT_STATUS_INVALID_PARAMETER; - } - - if ((hwm = tdb_fetch_int32(idmap_alloc_tdb, hwmkey)) == -1) { - return NT_STATUS_INTERNAL_DB_ERROR; - } - - /* check it is in the range */ - if (hwm > high_hwm) { - DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n", - hwmtype, (unsigned long)high_hwm)); - return NT_STATUS_UNSUCCESSFUL; - } - - /* fetch a new id and increment it */ - ret = tdb_change_uint32_atomic(idmap_alloc_tdb, hwmkey, &hwm, 1); - if (!ret) { - DEBUG(1, ("Fatal error while fetching a new %s value\n!", hwmtype)); - return NT_STATUS_UNSUCCESSFUL; - } - - /* recheck it is in the range */ - if (hwm > high_hwm) { - DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n", - hwmtype, (unsigned long)high_hwm)); - return NT_STATUS_UNSUCCESSFUL; - } - - xid->id = hwm; - DEBUG(10,("New %s = %d\n", hwmtype, hwm)); - - return NT_STATUS_OK; -} - -/********************************** - Get current highest id. -**********************************/ - -static NTSTATUS idmap_tdb_get_hwm(struct unixid *xid) -{ - const char *hwmkey; - const char *hwmtype; - uint32_t hwm; - uint32_t high_hwm; - - /* Get current high water mark */ - switch (xid->type) { - - case ID_TYPE_UID: - hwmkey = HWM_USER; - hwmtype = "UID"; - high_hwm = idmap_tdb_state.high_uid; - break; - - case ID_TYPE_GID: - hwmkey = HWM_GROUP; - hwmtype = "GID"; - high_hwm = idmap_tdb_state.high_gid; - break; - - default: - return NT_STATUS_INVALID_PARAMETER; - } - - if ((hwm = tdb_fetch_int32(idmap_alloc_tdb, hwmkey)) == -1) { - return NT_STATUS_INTERNAL_DB_ERROR; - } - - xid->id = hwm; - - /* Warn if it is out of range */ - if (hwm >= high_hwm) { - DEBUG(0, ("Warning: %s range full!! (max: %lu)\n", - hwmtype, (unsigned long)high_hwm)); - } - - return NT_STATUS_OK; -} - -/********************************** - Set high id. -**********************************/ - -static NTSTATUS idmap_tdb_set_hwm(struct unixid *xid) -{ - const char *hwmkey; - const char *hwmtype; - uint32_t hwm; - uint32_t high_hwm; - - /* Get current high water mark */ - switch (xid->type) { - - case ID_TYPE_UID: - hwmkey = HWM_USER; - hwmtype = "UID"; - high_hwm = idmap_tdb_state.high_uid; - break; - - case ID_TYPE_GID: - hwmkey = HWM_GROUP; - hwmtype = "GID"; - high_hwm = idmap_tdb_state.high_gid; - break; - - default: - return NT_STATUS_INVALID_PARAMETER; - } - - hwm = xid->id; - - if ((hwm = tdb_store_int32(idmap_alloc_tdb, hwmkey, hwm)) == -1) { - return NT_STATUS_INTERNAL_DB_ERROR; - } - - /* Warn if it is out of range */ - if (hwm >= high_hwm) { - DEBUG(0, ("Warning: %s range full!! (max: %lu)\n", - hwmtype, (unsigned long)high_hwm)); - } - - return NT_STATUS_OK; -} - -/********************************** - Close the alloc tdb -**********************************/ - -static NTSTATUS idmap_tdb_alloc_close(void) -{ - if (idmap_alloc_tdb) { - if (idmap_tdb_tdb_close(idmap_alloc_tdb) == 0) { - return NT_STATUS_OK; - } else { - return NT_STATUS_UNSUCCESSFUL; - } - } - return NT_STATUS_OK; -} - -/********************************************************************** - IDMAP MAPPING TDB BACKEND -**********************************************************************/ - -struct idmap_tdb_context { - TDB_CONTEXT *tdb; - uint32_t filter_low_id; - uint32_t filter_high_id; -}; - -/***************************** - Initialise idmap database. -*****************************/ - -static NTSTATUS idmap_tdb_db_init(struct idmap_domain *dom) -{ - NTSTATUS ret; - struct idmap_tdb_context *ctx; - char *config_option = NULL; - const char *range; - - ctx = talloc(dom, struct idmap_tdb_context); - if ( ! ctx) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - - config_option = talloc_asprintf(ctx, "idmap config %s", dom->name); - if ( ! config_option) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto failed; - } - - ret = idmap_tdb_open_db(ctx, &ctx->tdb); - if ( ! NT_STATUS_IS_OK(ret)) { - goto failed; - } - - range = lp_parm_const_string(-1, config_option, "range", NULL); - if (( ! range) || - (sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) || - (ctx->filter_low_id > ctx->filter_high_id)) { - ctx->filter_low_id = 0; - ctx->filter_high_id = 0; - } - - dom->private_data = ctx; - dom->initialized = True; - - talloc_free(config_option); - return NT_STATUS_OK; - -failed: - talloc_free(ctx); - return ret; -} - -/********************************** - Single id to sid lookup function. -**********************************/ - -static NTSTATUS idmap_tdb_id_to_sid(struct idmap_tdb_context *ctx, struct id_map *map) -{ - NTSTATUS ret; - TDB_DATA data; - char *keystr; - - if (!ctx || !map) { - return NT_STATUS_INVALID_PARAMETER; - } - - /* apply filters before checking */ - if ((ctx->filter_low_id && (map->xid.id < ctx->filter_low_id)) || - (ctx->filter_high_id && (map->xid.id > ctx->filter_high_id))) { - DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n", - map->xid.id, ctx->filter_low_id, ctx->filter_high_id)); - return NT_STATUS_NONE_MAPPED; - } - - switch (map->xid.type) { - - case ID_TYPE_UID: - keystr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id); - break; - - case ID_TYPE_GID: - keystr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id); - break; - - default: - DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type)); - return NT_STATUS_INVALID_PARAMETER; - } - - /* final SAFE_FREE safe */ - data.dptr = NULL; - - if (keystr == NULL) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - DEBUG(10,("Fetching record %s\n", keystr)); - - /* Check if the mapping exists */ - data = tdb_fetch_bystring(ctx->tdb, keystr); - - if (!data.dptr) { - DEBUG(10,("Record %s not found\n", keystr)); - ret = NT_STATUS_NONE_MAPPED; - goto done; - } - - if (!string_to_sid(map->sid, (const char *)data.dptr)) { - DEBUG(10,("INVALID SID (%s) in record %s\n", - (const char *)data.dptr, keystr)); - ret = NT_STATUS_INTERNAL_DB_ERROR; - goto done; - } - - DEBUG(10,("Found record %s -> %s\n", keystr, (const char *)data.dptr)); - ret = NT_STATUS_OK; - -done: - SAFE_FREE(data.dptr); - talloc_free(keystr); - return ret; -} - -/********************************** - Single sid to id lookup function. -**********************************/ - -static NTSTATUS idmap_tdb_sid_to_id(struct idmap_tdb_context *ctx, struct id_map *map) -{ - NTSTATUS ret; - TDB_DATA data; - char *keystr; - unsigned long rec_id = 0; - - if ((keystr = talloc_asprintf(ctx, "%s", sid_string_static(map->sid))) == NULL) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - DEBUG(10,("Fetching record %s\n", keystr)); - - /* Check if sid is present in database */ - data = tdb_fetch_bystring(ctx->tdb, keystr); - if (!data.dptr) { - DEBUG(10,("Record %s not found\n", keystr)); - ret = NT_STATUS_NONE_MAPPED; - goto done; - } - - /* What type of record is this ? */ - if (sscanf((const char *)data.dptr, "UID %lu", &rec_id) == 1) { /* Try a UID record. */ - map->xid.id = rec_id; - map->xid.type = ID_TYPE_UID; - DEBUG(10,("Found uid record %s -> %s \n", keystr, (const char *)data.dptr )); - ret = NT_STATUS_OK; - - } else if (sscanf((const char *)data.dptr, "GID %lu", &rec_id) == 1) { /* Try a GID record. */ - map->xid.id = rec_id; - map->xid.type = ID_TYPE_GID; - DEBUG(10,("Found gid record %s -> %s \n", keystr, (const char *)data.dptr )); - ret = NT_STATUS_OK; - - } else { /* Unknown record type ! */ - DEBUG(2, ("Found INVALID record %s -> %s\n", keystr, (const char *)data.dptr)); - ret = NT_STATUS_INTERNAL_DB_ERROR; - } - - SAFE_FREE(data.dptr); - - /* apply filters before returning result */ - if ((ctx->filter_low_id && (map->xid.id < ctx->filter_low_id)) || - (ctx->filter_high_id && (map->xid.id > ctx->filter_high_id))) { - DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n", - map->xid.id, ctx->filter_low_id, ctx->filter_high_id)); - ret = NT_STATUS_NONE_MAPPED; - } - -done: - talloc_free(keystr); - return ret; -} - -/********************************** - lookup a set of unix ids. -**********************************/ - -static NTSTATUS idmap_tdb_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids) -{ - struct idmap_tdb_context *ctx; - NTSTATUS ret; - int i; - - /* make sure we initialized */ - if ( ! dom->initialized) { - ret = idmap_tdb_db_init(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context); - - for (i = 0; ids[i]; i++) { - ret = idmap_tdb_id_to_sid(ctx, ids[i]); - if ( ! NT_STATUS_IS_OK(ret)) { - - /* if it is just a failed mapping continue */ - if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) { - - /* make sure it is marked as unmapped */ - ids[i]->status = ID_UNMAPPED; - continue; - } - - /* some fatal error occurred, return immediately */ - goto done; - } - - /* all ok, id is mapped */ - ids[i]->status = ID_MAPPED; - } - - ret = NT_STATUS_OK; - -done: - return ret; -} - -/********************************** - lookup a set of sids. -**********************************/ - -static NTSTATUS idmap_tdb_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids) -{ - struct idmap_tdb_context *ctx; - NTSTATUS ret; - int i; - - /* make sure we initialized */ - if ( ! dom->initialized) { - ret = idmap_tdb_db_init(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context); - - for (i = 0; ids[i]; i++) { - ret = idmap_tdb_sid_to_id(ctx, ids[i]); - if ( ! NT_STATUS_IS_OK(ret)) { - - /* if it is just a failed mapping continue */ - if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) { - - /* make sure it is marked as unmapped */ - ids[i]->status = ID_UNMAPPED; - continue; - } - - /* some fatal error occurred, return immediately */ - goto done; - } - - /* all ok, id is mapped */ - ids[i]->status = ID_MAPPED; - } - - ret = NT_STATUS_OK; - -done: - return ret; -} - -/********************************** - set a mapping. -**********************************/ - -static NTSTATUS idmap_tdb_set_mapping(struct idmap_domain *dom, const struct id_map *map) -{ - struct idmap_tdb_context *ctx; - NTSTATUS ret; - TDB_DATA ksid, kid, data; - char *ksidstr, *kidstr; - - /* make sure we initialized */ - if ( ! dom->initialized) { - ret = idmap_tdb_db_init(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - if (!map || !map->sid) { - return NT_STATUS_INVALID_PARAMETER; - } - - ksidstr = kidstr = NULL; - data.dptr = NULL; - - /* TODO: should we filter a set_mapping using low/high filters ? */ - - ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context); - - switch (map->xid.type) { - - case ID_TYPE_UID: - kidstr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id); - break; - - case ID_TYPE_GID: - kidstr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id); - break; - - default: - DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type)); - return NT_STATUS_INVALID_PARAMETER; - } - - if (kidstr == NULL) { - DEBUG(0, ("ERROR: Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - if ((ksidstr = talloc_asprintf(ctx, "%s", sid_string_static(map->sid))) == NULL) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - DEBUG(10, ("Storing %s <-> %s map\n", ksidstr, kidstr)); - kid = string_term_tdb_data(kidstr); - ksid = string_term_tdb_data(ksidstr); - - /* *DELETE* previous mappings if any. - * This is done both SID and [U|G]ID passed in */ - - /* Lock the record for this SID. */ - if (tdb_chainlock(ctx->tdb, ksid) != 0) { - DEBUG(10,("Failed to lock record %s. Error %s\n", - ksidstr, tdb_errorstr(ctx->tdb) )); - return NT_STATUS_UNSUCCESSFUL; - } - - data = tdb_fetch(ctx->tdb, ksid); - if (data.dptr) { - DEBUG(10, ("Deleting existing mapping %s <-> %s\n", (const char *)data.dptr, ksidstr )); - tdb_delete(ctx->tdb, data); - tdb_delete(ctx->tdb, ksid); - SAFE_FREE(data.dptr); - } - - data = tdb_fetch(ctx->tdb, kid); - if (data.dptr) { - DEBUG(10,("Deleting existing mapping %s <-> %s\n", (const char *)data.dptr, kidstr )); - tdb_delete(ctx->tdb, data); - tdb_delete(ctx->tdb, kid); - SAFE_FREE(data.dptr); - } - - if (tdb_store(ctx->tdb, ksid, kid, TDB_INSERT) == -1) { - DEBUG(0, ("Error storing SID -> ID: %s\n", tdb_errorstr(ctx->tdb))); - tdb_chainunlock(ctx->tdb, ksid); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - if (tdb_store(ctx->tdb, kid, ksid, TDB_INSERT) == -1) { - DEBUG(0, ("Error stroing ID -> SID: %s\n", tdb_errorstr(ctx->tdb))); - /* try to remove the previous stored SID -> ID map */ - tdb_delete(ctx->tdb, ksid); - tdb_chainunlock(ctx->tdb, ksid); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - tdb_chainunlock(ctx->tdb, ksid); - DEBUG(10,("Stored %s <-> %s\n", ksidstr, kidstr)); - ret = NT_STATUS_OK; - -done: - talloc_free(ksidstr); - talloc_free(kidstr); - SAFE_FREE(data.dptr); - return ret; -} - -/********************************** - remove a mapping. -**********************************/ - -static NTSTATUS idmap_tdb_remove_mapping(struct idmap_domain *dom, const struct id_map *map) -{ - struct idmap_tdb_context *ctx; - NTSTATUS ret; - TDB_DATA ksid, kid, data; - char *ksidstr, *kidstr; - - /* make sure we initialized */ - if ( ! dom->initialized) { - ret = idmap_tdb_db_init(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - if (!map || !map->sid) { - return NT_STATUS_INVALID_PARAMETER; - } - - ksidstr = kidstr = NULL; - data.dptr = NULL; - - /* TODO: should we filter a remove_mapping using low/high filters ? */ - - ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context); - - switch (map->xid.type) { - - case ID_TYPE_UID: - kidstr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id); - break; - - case ID_TYPE_GID: - kidstr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id); - break; - - default: - DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type)); - return NT_STATUS_INVALID_PARAMETER; - } - - if (kidstr == NULL) { - DEBUG(0, ("ERROR: Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - if ((ksidstr = talloc_asprintf(ctx, "%s", sid_string_static(map->sid))) == NULL) { - DEBUG(0, ("Out of memory!\n")); - ret = NT_STATUS_NO_MEMORY; - goto done; - } - - DEBUG(10, ("Checking %s <-> %s map\n", ksidstr, kidstr)); - ksid = string_term_tdb_data(ksidstr); - kid = string_term_tdb_data(kidstr); - - /* Lock the record for this SID. */ - if (tdb_chainlock(ctx->tdb, ksid) != 0) { - DEBUG(10,("Failed to lock record %s. Error %s\n", - ksidstr, tdb_errorstr(ctx->tdb) )); - return NT_STATUS_UNSUCCESSFUL; - } - - /* Check if sid is present in database */ - data = tdb_fetch(ctx->tdb, ksid); - if (!data.dptr) { - DEBUG(10,("Record %s not found\n", ksidstr)); - tdb_chainunlock(ctx->tdb, ksid); - ret = NT_STATUS_NONE_MAPPED; - goto done; - } - - /* Check if sid is mapped to the specified ID */ - if ((data.dsize != kid.dsize) || - (memcmp(data.dptr, kid.dptr, data.dsize) != 0)) { - DEBUG(10,("Specified SID does not map to specified ID\n")); - DEBUGADD(10,("Actual mapping is %s -> %s\n", ksidstr, (const char *)data.dptr)); - tdb_chainunlock(ctx->tdb, ksid); - ret = NT_STATUS_NONE_MAPPED; - goto done; - } - - DEBUG(10, ("Removing %s <-> %s map\n", ksidstr, kidstr)); - - /* Delete previous mappings. */ - - DEBUG(10, ("Deleting existing mapping %s -> %s\n", ksidstr, kidstr )); - tdb_delete(ctx->tdb, ksid); - - DEBUG(10,("Deleting existing mapping %s -> %s\n", kidstr, ksidstr )); - tdb_delete(ctx->tdb, kid); - - tdb_chainunlock(ctx->tdb, ksid); - ret = NT_STATUS_OK; - -done: - talloc_free(ksidstr); - talloc_free(kidstr); - SAFE_FREE(data.dptr); - return ret; -} - -/********************************** - Close the idmap tdb instance -**********************************/ - -static NTSTATUS idmap_tdb_close(struct idmap_domain *dom) -{ - struct idmap_tdb_context *ctx; - - if (dom->private_data) { - ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context); - - if (idmap_tdb_tdb_close(ctx->tdb) == 0) { - return NT_STATUS_OK; - } else { - return NT_STATUS_UNSUCCESSFUL; - } - } - return NT_STATUS_OK; -} - -struct dump_data { - TALLOC_CTX *memctx; - struct id_map **maps; - int *num_maps; - NTSTATUS ret; -}; - -static int idmap_tdb_dump_one_entry(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA value, void *pdata) -{ - struct dump_data *data = talloc_get_type(pdata, struct dump_data); - struct id_map *maps; - int num_maps = *data->num_maps; - - /* ignore any record but the ones with a SID as key */ - if (strncmp((const char *)key.dptr, "S-", 2) == 0) { - - maps = talloc_realloc(NULL, *data->maps, struct id_map, num_maps+1); - if ( ! maps) { - DEBUG(0, ("Out of memory!\n")); - data->ret = NT_STATUS_NO_MEMORY; - return -1; - } - *data->maps = maps; - maps[num_maps].sid = talloc(maps, DOM_SID); - if ( ! maps[num_maps].sid) { - DEBUG(0, ("Out of memory!\n")); - data->ret = NT_STATUS_NO_MEMORY; - return -1; - } - - if (!string_to_sid(maps[num_maps].sid, (const char *)key.dptr)) { - DEBUG(10,("INVALID record %s\n", (const char *)key.dptr)); - /* continue even with errors */ - return 0; - } - - /* Try a UID record. */ - if (sscanf((const char *)value.dptr, "UID %u", &(maps[num_maps].xid.id)) == 1) { - maps[num_maps].xid.type = ID_TYPE_UID; - maps[num_maps].status = ID_MAPPED; - *data->num_maps = num_maps + 1; - - /* Try a GID record. */ - } else - if (sscanf((const char *)value.dptr, "GID %u", &(maps[num_maps].xid.id)) == 1) { - maps[num_maps].xid.type = ID_TYPE_GID; - maps[num_maps].status = ID_MAPPED; - *data->num_maps = num_maps + 1; - - /* Unknown record type ! */ - } else { - maps[num_maps].status = ID_UNKNOWN; - DEBUG(2, ("Found INVALID record %s -> %s\n", - (const char *)key.dptr, (const char *)value.dptr)); - /* do not increment num_maps */ - } - } - - return 0; -} - -/********************************** - Dump all mappings out -**********************************/ - -static NTSTATUS idmap_tdb_dump_data(struct idmap_domain *dom, struct id_map **maps, int *num_maps) -{ - struct idmap_tdb_context *ctx; - struct dump_data *data; - NTSTATUS ret = NT_STATUS_OK; - - /* make sure we initialized */ - if ( ! dom->initialized) { - ret = idmap_tdb_db_init(dom); - if ( ! NT_STATUS_IS_OK(ret)) { - return ret; - } - } - - ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context); - - data = TALLOC_ZERO_P(ctx, struct dump_data); - if ( ! data) { - DEBUG(0, ("Out of memory!\n")); - return NT_STATUS_NO_MEMORY; - } - data->maps = maps; - data->num_maps = num_maps; - data->ret = NT_STATUS_OK; - - tdb_traverse(ctx->tdb, idmap_tdb_dump_one_entry, data); - - if ( ! NT_STATUS_IS_OK(data->ret)) { - ret = data->ret; - } - - talloc_free(data); - return ret; -} - -static struct idmap_methods db_methods = { - - .init = idmap_tdb_db_init, - .unixids_to_sids = idmap_tdb_unixids_to_sids, - .sids_to_unixids = idmap_tdb_sids_to_unixids, - .set_mapping = idmap_tdb_set_mapping, - .remove_mapping = idmap_tdb_remove_mapping, - .dump_data = idmap_tdb_dump_data, - .close_fn = idmap_tdb_close -}; - -static struct idmap_alloc_methods db_alloc_methods = { - - .init = idmap_tdb_alloc_init, - .allocate_id = idmap_tdb_allocate_id, - .get_id_hwm = idmap_tdb_get_hwm, - .set_id_hwm = idmap_tdb_set_hwm, - .close_fn = idmap_tdb_alloc_close -}; - -NTSTATUS idmap_alloc_tdb_init(void) -{ - return smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "tdb", &db_alloc_methods); -} - -NTSTATUS idmap_tdb_init(void) -{ - NTSTATUS ret; - - /* FIXME: bad hack to actually register also the alloc_tdb module without changining configure.in */ - ret = idmap_alloc_tdb_init(); - if (! NT_STATUS_IS_OK(ret)) { - return ret; - } - return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "tdb", &db_methods); -} diff --git a/source3/nsswitch/idmap_util.c b/source3/nsswitch/idmap_util.c deleted file mode 100644 index 077c599739..0000000000 --- a/source3/nsswitch/idmap_util.c +++ /dev/null @@ -1,171 +0,0 @@ -/* - Unix SMB/CIFS implementation. - ID Mapping - Copyright (C) Simo Sorce 2003 - Copyright (C) Jeremy Allison 2006 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>.*/ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_IDMAP - -/***************************************************************** - Returns the SID mapped to the given UID. - If mapping is not possible returns an error. -*****************************************************************/ - -NTSTATUS idmap_uid_to_sid(DOM_SID *sid, uid_t uid) -{ - NTSTATUS ret; - struct id_map map; - struct id_map *maps[2]; - - DEBUG(10,("uid = [%lu]\n", (unsigned long)uid)); - - map.sid = sid; - map.xid.type = ID_TYPE_UID; - map.xid.id = uid; - - maps[0] = ↦ - maps[1] = NULL; - - ret = idmap_unixids_to_sids(maps); - if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(10, ("error mapping uid [%lu]\n", (unsigned long)uid)); - return ret; - } - - if (map.status != ID_MAPPED) { - DEBUG(10, ("uid [%lu] not mapped\n", (unsigned long)uid)); - return NT_STATUS_NONE_MAPPED; - } - - return NT_STATUS_OK; -} - -/***************************************************************** - Returns SID mapped to the given GID. - If mapping is not possible returns an error. -*****************************************************************/ - -NTSTATUS idmap_gid_to_sid(DOM_SID *sid, gid_t gid) -{ - NTSTATUS ret; - struct id_map map; - struct id_map *maps[2]; - - DEBUG(10,("gid = [%lu]\n", (unsigned long)gid)); - - map.sid = sid; - map.xid.type = ID_TYPE_GID; - map.xid.id = gid; - - maps[0] = ↦ - maps[1] = NULL; - - ret = idmap_unixids_to_sids(maps); - if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(10, ("error mapping gid [%lu]\n", (unsigned long)gid)); - return ret; - } - - if (map.status != ID_MAPPED) { - DEBUG(10, ("gid [%lu] not mapped\n", (unsigned long)gid)); - return NT_STATUS_NONE_MAPPED; - } - - return NT_STATUS_OK; -} - -/***************************************************************** - Returns the UID mapped to the given SID. - If mapping is not possible or SID maps to a GID returns an error. -*****************************************************************/ - -NTSTATUS idmap_sid_to_uid(DOM_SID *sid, uid_t *uid) -{ - NTSTATUS ret; - struct id_map map; - struct id_map *maps[2]; - - DEBUG(10,("idmap_sid_to_uid: sid = [%s]\n", sid_string_static(sid))); - - map.sid = sid; - map.xid.type = ID_TYPE_UID; - - maps[0] = ↦ - maps[1] = NULL; - - ret = idmap_sids_to_unixids(maps); - if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(10, ("error mapping sid [%s] to uid\n", - sid_string_static(sid))); - return ret; - } - - if ((map.status != ID_MAPPED) || (map.xid.type != ID_TYPE_UID)) { - DEBUG(10, ("sid [%s] not mapped to an uid [%u,%u,%u]\n", - sid_string_static(sid), - map.status, - map.xid.type, - map.xid.id)); - return NT_STATUS_NONE_MAPPED; - } - - *uid = map.xid.id; - - return NT_STATUS_OK; -} - -/***************************************************************** - Returns the GID mapped to the given SID. - If mapping is not possible or SID maps to a UID returns an error. -*****************************************************************/ - -NTSTATUS idmap_sid_to_gid(DOM_SID *sid, gid_t *gid) -{ - NTSTATUS ret; - struct id_map map; - struct id_map *maps[2]; - - DEBUG(10,("idmap_sid_to_gid: sid = [%s]\n", sid_string_static(sid))); - - map.sid = sid; - map.xid.type = ID_TYPE_GID; - - maps[0] = ↦ - maps[1] = NULL; - - ret = idmap_sids_to_unixids(maps); - if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(10, ("error mapping sid [%s] to gid\n", - sid_string_static(sid))); - return ret; - } - - if ((map.status != ID_MAPPED) || (map.xid.type != ID_TYPE_GID)) { - DEBUG(10, ("sid [%s] not mapped to a gid [%u,%u,%u]\n", - sid_string_static(sid), - map.status, - map.xid.type, - map.xid.id)); - return NT_STATUS_NONE_MAPPED; - } - - *gid = map.xid.id; - - return NT_STATUS_OK; -} diff --git a/source3/nsswitch/nss_info.c b/source3/nsswitch/nss_info.c deleted file mode 100644 index ea51e9dde8..0000000000 --- a/source3/nsswitch/nss_info.c +++ /dev/null @@ -1,301 +0,0 @@ -/* - Unix SMB/CIFS implementation. - Idmap NSS headers - - Copyright (C) Gerald Carter 2006 - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 3 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Library General Public License for more details. - - You should have received a copy of the GNU Lesser General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "nss_info.h" - -static struct nss_function_entry *backends = NULL; -static struct nss_domain_entry *nss_domain_list = NULL; - -/********************************************************************** - Get idmap nss methods. -**********************************************************************/ - -static struct nss_function_entry *nss_get_backend(const char *name ) -{ - struct nss_function_entry *entry = backends; - - for(entry = backends; entry; entry = entry->next) { - if ( strequal(entry->name, name) ) - return entry; - } - - return NULL; -} - -/********************************************************************* - Allow a module to register itself as a backend. -**********************************************************************/ - - NTSTATUS smb_register_idmap_nss(int version, const char *name, struct nss_info_methods *methods) -{ - struct nss_function_entry *entry; - - if ((version != SMB_NSS_INFO_INTERFACE_VERSION)) { - DEBUG(0, ("smb_register_idmap_nss: Failed to register idmap_nss module.\n" - "The module was compiled against SMB_NSS_INFO_INTERFACE_VERSION %d,\n" - "current SMB_NSS_INFO_INTERFACE_VERSION is %d.\n" - "Please recompile against the current version of samba!\n", - version, SMB_NSS_INFO_INTERFACE_VERSION)); - return NT_STATUS_OBJECT_TYPE_MISMATCH; - } - - if (!name || !name[0] || !methods) { - DEBUG(0,("smb_register_idmap_nss: called with NULL pointer or empty name!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - if ( nss_get_backend(name) ) { - DEBUG(0,("smb_register_idmap_nss: idmap module %s " - "already registered!\n", name)); - return NT_STATUS_OBJECT_NAME_COLLISION; - } - - entry = SMB_XMALLOC_P(struct nss_function_entry); - entry->name = smb_xstrdup(name); - entry->methods = methods; - - DLIST_ADD(backends, entry); - DEBUG(5, ("smb_register_idmap_nss: Successfully added idmap " - "nss backend '%s'\n", name)); - - return NT_STATUS_OK; -} - -/******************************************************************** - *******************************************************************/ - -static BOOL parse_nss_parm( const char *config, char **backend, char **domain ) -{ - char *p; - char *q; - int len; - - *backend = *domain = NULL; - - if ( !config ) - return False; - - p = strchr( config, ':' ); - - /* if no : then the string must be the backend name only */ - - if ( !p ) { - *backend = SMB_STRDUP( config ); - return (*backend != NULL); - } - - /* split the string and return the two parts */ - - if ( strlen(p+1) > 0 ) { - *domain = SMB_STRDUP( p+1 ); - } - - len = PTR_DIFF(p,config)+1; - if ( (q = SMB_MALLOC_ARRAY( char, len )) == NULL ) { - SAFE_FREE( *backend ); - return False; - } - - StrnCpy( q, config, len-1); - q[len-1] = '\0'; - *backend = q; - - return True; -} - -/******************************************************************** - Each nss backend must not store global state, but rather be able - to initialize the state on a per domain basis. - *******************************************************************/ - - NTSTATUS nss_init( const char **nss_list ) -{ - NTSTATUS status; - static NTSTATUS nss_initialized = NT_STATUS_UNSUCCESSFUL; - int i; - char *backend, *domain; - struct nss_function_entry *nss_backend; - struct nss_domain_entry *nss_domain; - - /* check for previous successful initializations */ - - if ( NT_STATUS_IS_OK(nss_initialized) ) - return NT_STATUS_OK; - - /* The "template" backend should alqays be registered as it - is a static module */ - - if ( (nss_backend = nss_get_backend( "template" )) == NULL ) { - static_init_nss_info; - } - - /* Create the list of nss_domains (loading any shared plugins - as necessary) */ - - for ( i=0; nss_list && nss_list[i]; i++ ) { - - if ( !parse_nss_parm(nss_list[i], &backend, &domain) ) { - DEBUG(0,("nss_init: failed to parse \"%s\"!\n", - nss_list[i])); - continue; - } - - /* validate the backend */ - - if ( (nss_backend = nss_get_backend( backend )) == NULL ) { - /* attempt to register the backend */ - status = smb_probe_module( "nss_info", backend ); - if ( !NT_STATUS_IS_OK(status) ) { - continue; - } - - /* try again */ - if ( (nss_backend = nss_get_backend( backend )) == NULL ) { - DEBUG(0,("nss_init: unregistered backend %s!. Skipping\n", - backend)); - continue; - } - - } - - /* fill in the nss_domain_entry and add it to the - list of domains */ - - nss_domain = TALLOC_ZERO_P( nss_domain_list, struct nss_domain_entry ); - if ( !nss_domain ) { - DEBUG(0,("nss_init: talloc() failure!\n")); - return NT_STATUS_NO_MEMORY; - } - - nss_domain->backend = nss_backend; - nss_domain->domain = talloc_strdup( nss_domain, domain ); - - /* Try to init and ave the result */ - - nss_domain->init_status = nss_domain->backend->methods->init( nss_domain ); - DLIST_ADD( nss_domain_list, nss_domain ); - if ( !NT_STATUS_IS_OK(nss_domain->init_status) ) { - DEBUG(0,("nss_init: Failed to init backend for %s domain!\n", - nss_domain->domain)); - } - - /* cleanup */ - - SAFE_FREE( backend ); - SAFE_FREE( domain ); - } - - if ( !nss_domain_list ) { - DEBUG(3,("nss_init: no nss backends configured. " - "Defaulting to \"template\".\n")); - - - /* we shouild default to use template here */ - } - - - nss_initialized = NT_STATUS_OK; - - return NT_STATUS_OK; -} - -/******************************************************************** - *******************************************************************/ - -static struct nss_domain_entry *find_nss_domain( const char *domain ) -{ - NTSTATUS status; - struct nss_domain_entry *p; - - status = nss_init( lp_winbind_nss_info() ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(4,("nss_get_info: Failed to init nss_info API (%s)!\n", - nt_errstr(status))); - return NULL; - } - - for ( p=nss_domain_list; p; p=p->next ) { - if ( strequal( p->domain, domain ) ) - break; - } - - /* If we didn't find a match, then use the default nss info */ - - if ( !p ) { - if ( !nss_domain_list ) { - return NULL; - } - - p = nss_domain_list; - } - - if ( !NT_STATUS_IS_OK( p->init_status ) ) { - p->init_status = p->backend->methods->init( p ); - } - - return p; -} - -/******************************************************************** - *******************************************************************/ - - NTSTATUS nss_get_info( const char *domain, const DOM_SID *user_sid, - TALLOC_CTX *ctx, - ADS_STRUCT *ads, LDAPMessage *msg, - char **homedir, char **shell, char **gecos, - gid_t *p_gid) -{ - struct nss_domain_entry *p; - struct nss_info_methods *m; - - if ( (p = find_nss_domain( domain )) == NULL ) { - DEBUG(4,("nss_get_info: Failed to find nss domain pointer for %s\n", - domain )); - return NT_STATUS_NOT_FOUND; - } - - m = p->backend->methods; - - return m->get_nss_info( p, user_sid, ctx, ads, msg, - homedir, shell, gecos, p_gid ); -} - -/******************************************************************** - *******************************************************************/ - - NTSTATUS nss_close( const char *parameters ) -{ - struct nss_domain_entry *p = nss_domain_list; - struct nss_domain_entry *q; - - while ( p && p->backend && p->backend->methods ) { - /* close the backend */ - p->backend->methods->close_fn(); - - /* free the memory */ - q = p; - p = p->next; - TALLOC_FREE( q ); - } - - return NT_STATUS_OK; -} - diff --git a/source3/nsswitch/nss_info_template.c b/source3/nsswitch/nss_info_template.c deleted file mode 100644 index aaf02e4abe..0000000000 --- a/source3/nsswitch/nss_info_template.c +++ /dev/null @@ -1,83 +0,0 @@ -/* - Unix SMB/CIFS implementation. - idMap nss template plugin - - Copyright (C) Gerald Carter 2006 - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 3 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Library General Public License for more details. - - You should have received a copy of the GNU Lesser General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "nss_info.h" - -/************************************************************************ - ***********************************************************************/ - -static NTSTATUS nss_template_init( struct nss_domain_entry *e ) -{ - return NT_STATUS_OK; -} - -/************************************************************************ - ***********************************************************************/ - -static NTSTATUS nss_template_get_info( struct nss_domain_entry *e, - const DOM_SID *sid, - TALLOC_CTX *ctx, - ADS_STRUCT *ads, - LDAPMessage *msg, - char **homedir, - char **shell, - char **gecos, - gid_t *gid ) -{ - if ( !homedir || !shell || !gecos ) - return NT_STATUS_INVALID_PARAMETER; - - *homedir = talloc_strdup( ctx, lp_template_homedir() ); - *shell = talloc_strdup( ctx, lp_template_shell() ); - *gecos = NULL; - - if ( !*homedir || !*shell ) { - return NT_STATUS_NO_MEMORY; - } - - return NT_STATUS_OK; -} - -/************************************************************************ - ***********************************************************************/ - -static NTSTATUS nss_template_close( void ) -{ - return NT_STATUS_OK; -} - - -/************************************************************************ - ***********************************************************************/ - -static struct nss_info_methods nss_template_methods = { - .init = nss_template_init, - .get_nss_info = nss_template_get_info, - .close_fn = nss_template_close -}; - -NTSTATUS nss_info_template_init( void ) -{ - return smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION, - "template", - &nss_template_methods); -} - diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c deleted file mode 100644 index 17915fb01b..0000000000 --- a/source3/nsswitch/winbindd.c +++ /dev/null @@ -1,1254 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon for ntdom nss module - - Copyright (C) by Tim Potter 2000-2002 - Copyright (C) Andrew Tridgell 2002 - Copyright (C) Jelmer Vernooij 2003 - Copyright (C) Volker Lendecke 2004 - Copyright (C) James Peach 2007 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -BOOL opt_nocache = False; - -extern BOOL override_logfile; - -struct event_context *winbind_event_context(void) -{ - static struct event_context *ctx; - - if (!ctx && !(ctx = event_context_init(NULL))) { - smb_panic("Could not init winbind event context"); - } - return ctx; -} - -struct messaging_context *winbind_messaging_context(void) -{ - static struct messaging_context *ctx; - - if (!ctx && !(ctx = messaging_init(NULL, server_id_self(), - winbind_event_context()))) { - smb_panic("Could not init winbind messaging context"); - } - return ctx; -} - -/* Reload configuration */ - -static BOOL reload_services_file(void) -{ - BOOL ret; - - if (lp_loaded()) { - pstring fname; - - pstrcpy(fname,lp_configfile()); - if (file_exist(fname,NULL) && !strcsequal(fname,dyn_CONFIGFILE)) { - pstrcpy(dyn_CONFIGFILE,fname); - } - } - - reopen_logs(); - ret = lp_load(dyn_CONFIGFILE,False,False,True,True); - - reopen_logs(); - load_interfaces(); - - return(ret); -} - - -/**************************************************************************** ** - Handle a fault.. - **************************************************************************** */ - -static void fault_quit(void) -{ - dump_core(); -} - -static void winbindd_status(void) -{ - struct winbindd_cli_state *tmp; - - DEBUG(0, ("winbindd status:\n")); - - /* Print client state information */ - - DEBUG(0, ("\t%d clients currently active\n", winbindd_num_clients())); - - if (DEBUGLEVEL >= 2 && winbindd_num_clients()) { - DEBUG(2, ("\tclient list:\n")); - for(tmp = winbindd_client_list(); tmp; tmp = tmp->next) { - DEBUGADD(2, ("\t\tpid %lu, sock %d\n", - (unsigned long)tmp->pid, tmp->sock)); - } - } -} - -/* Print winbindd status to log file */ - -static void print_winbindd_status(void) -{ - winbindd_status(); -} - -/* Flush client cache */ - -static void flush_caches(void) -{ - /* We need to invalidate cached user list entries on a SIGHUP - otherwise cached access denied errors due to restrict anonymous - hang around until the sequence number changes. */ - - wcache_invalidate_cache(); -} - -/* Handle the signal by unlinking socket and exiting */ - -static void terminate(void) -{ - - winbindd_release_sockets(); - idmap_close(); - - trustdom_cache_shutdown(); - -#if 0 - if (interactive) { - TALLOC_CTX *mem_ctx = talloc_init("end_description"); - char *description = talloc_describe_all(mem_ctx); - - DEBUG(3, ("tallocs left:\n%s\n", description)); - talloc_destroy(mem_ctx); - } -#endif - - exit(0); -} - -static BOOL do_sigterm; - -static void termination_handler(int signum) -{ - do_sigterm = True; - sys_select_signal(signum); -} - -static BOOL do_sigusr2; - -static void sigusr2_handler(int signum) -{ - do_sigusr2 = True; - sys_select_signal(SIGUSR2); -} - -static BOOL do_sighup; - -static void sighup_handler(int signum) -{ - do_sighup = True; - sys_select_signal(SIGHUP); -} - -static BOOL do_sigchld; - -static void sigchld_handler(int signum) -{ - do_sigchld = True; - sys_select_signal(SIGCHLD); -} - -/* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/ -static void msg_reload_services(struct messaging_context *msg, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - /* Flush various caches */ - flush_caches(); - reload_services_file(); -} - -/* React on 'smbcontrol winbindd shutdown' in the same way as on SIGTERM*/ -static void msg_shutdown(struct messaging_context *msg, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - do_sigterm = True; -} - - -static void winbind_msg_validate_cache(struct messaging_context *msg_ctx, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - uint8 ret; - pid_t child_pid; - struct sigaction act; - struct sigaction oldact; - - DEBUG(10, ("winbindd_msg_validate_cache: got validate-cache " - "message.\n")); - - /* - * call the validation code from a child: - * so we don't block the main winbindd and the validation - * code can safely use fork/waitpid... - */ - CatchChild(); - child_pid = sys_fork(); - - if (child_pid == -1) { - DEBUG(1, ("winbind_msg_validate_cache: Could not fork: %s\n", - strerror(errno))); - return; - } - - if (child_pid != 0) { - /* parent */ - DEBUG(5, ("winbind_msg_validate_cache: child created with " - "pid %d.\n", child_pid)); - return; - } - - /* child */ - - /* install default SIGCHLD handler: validation code uses fork/waitpid */ - ZERO_STRUCT(act); - act.sa_handler = SIG_DFL; -#ifdef SA_RESTART - /* We *want* SIGALRM to interrupt a system call. */ - act.sa_flags = SA_RESTART; -#endif - sigemptyset(&act.sa_mask); - sigaddset(&act.sa_mask,SIGCHLD); - sigaction(SIGCHLD,&act,&oldact); - - ret = (uint8)winbindd_validate_cache_nobackup(); - DEBUG(10, ("winbindd_msg_validata_cache: got return value %d\n", ret)); - messaging_send_buf(msg_ctx, server_id, MSG_WINBIND_VALIDATE_CACHE, &ret, - (size_t)1); - _exit(0); -} - -static struct winbindd_dispatch_table { - enum winbindd_cmd cmd; - void (*fn)(struct winbindd_cli_state *state); - const char *winbindd_cmd_name; -} dispatch_table[] = { - - /* User functions */ - - { WINBINDD_GETPWNAM, winbindd_getpwnam, "GETPWNAM" }, - { WINBINDD_GETPWUID, winbindd_getpwuid, "GETPWUID" }, - - { WINBINDD_SETPWENT, winbindd_setpwent, "SETPWENT" }, - { WINBINDD_ENDPWENT, winbindd_endpwent, "ENDPWENT" }, - { WINBINDD_GETPWENT, winbindd_getpwent, "GETPWENT" }, - - { WINBINDD_GETGROUPS, winbindd_getgroups, "GETGROUPS" }, - { WINBINDD_GETUSERSIDS, winbindd_getusersids, "GETUSERSIDS" }, - { WINBINDD_GETUSERDOMGROUPS, winbindd_getuserdomgroups, - "GETUSERDOMGROUPS" }, - - /* Group functions */ - - { WINBINDD_GETGRNAM, winbindd_getgrnam, "GETGRNAM" }, - { WINBINDD_GETGRGID, winbindd_getgrgid, "GETGRGID" }, - { WINBINDD_SETGRENT, winbindd_setgrent, "SETGRENT" }, - { WINBINDD_ENDGRENT, winbindd_endgrent, "ENDGRENT" }, - { WINBINDD_GETGRENT, winbindd_getgrent, "GETGRENT" }, - { WINBINDD_GETGRLST, winbindd_getgrent, "GETGRLST" }, - - /* PAM auth functions */ - - { WINBINDD_PAM_AUTH, winbindd_pam_auth, "PAM_AUTH" }, - { WINBINDD_PAM_AUTH_CRAP, winbindd_pam_auth_crap, "AUTH_CRAP" }, - { WINBINDD_PAM_CHAUTHTOK, winbindd_pam_chauthtok, "CHAUTHTOK" }, - { WINBINDD_PAM_LOGOFF, winbindd_pam_logoff, "PAM_LOGOFF" }, - { WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP, winbindd_pam_chng_pswd_auth_crap, "CHNG_PSWD_AUTH_CRAP" }, - - /* Enumeration functions */ - - { WINBINDD_LIST_USERS, winbindd_list_users, "LIST_USERS" }, - { WINBINDD_LIST_GROUPS, winbindd_list_groups, "LIST_GROUPS" }, - { WINBINDD_LIST_TRUSTDOM, winbindd_list_trusted_domains, - "LIST_TRUSTDOM" }, - { WINBINDD_SHOW_SEQUENCE, winbindd_show_sequence, "SHOW_SEQUENCE" }, - - /* SID related functions */ - - { WINBINDD_LOOKUPSID, winbindd_lookupsid, "LOOKUPSID" }, - { WINBINDD_LOOKUPNAME, winbindd_lookupname, "LOOKUPNAME" }, - { WINBINDD_LOOKUPRIDS, winbindd_lookuprids, "LOOKUPRIDS" }, - - /* Lookup related functions */ - - { WINBINDD_SID_TO_UID, winbindd_sid_to_uid, "SID_TO_UID" }, - { WINBINDD_SID_TO_GID, winbindd_sid_to_gid, "SID_TO_GID" }, - { WINBINDD_UID_TO_SID, winbindd_uid_to_sid, "UID_TO_SID" }, - { WINBINDD_GID_TO_SID, winbindd_gid_to_sid, "GID_TO_SID" }, -#if 0 /* DISABLED until we fix the interface in Samba 3.0.26 --jerry */ - { WINBINDD_SIDS_TO_XIDS, winbindd_sids_to_unixids, "SIDS_TO_XIDS" }, -#endif /* end DISABLED */ - { WINBINDD_ALLOCATE_UID, winbindd_allocate_uid, "ALLOCATE_UID" }, - { WINBINDD_ALLOCATE_GID, winbindd_allocate_gid, "ALLOCATE_GID" }, - { WINBINDD_SET_MAPPING, winbindd_set_mapping, "SET_MAPPING" }, - { WINBINDD_SET_HWM, winbindd_set_hwm, "SET_HWMS" }, - - /* Miscellaneous */ - - { WINBINDD_DUMP_MAPS, winbindd_dump_maps, "DUMP_MAPS" }, - - { WINBINDD_CHECK_MACHACC, winbindd_check_machine_acct, "CHECK_MACHACC" }, - { WINBINDD_PING, winbindd_ping, "PING" }, - { WINBINDD_INFO, winbindd_info, "INFO" }, - { WINBINDD_INTERFACE_VERSION, winbindd_interface_version, - "INTERFACE_VERSION" }, - { WINBINDD_DOMAIN_NAME, winbindd_domain_name, "DOMAIN_NAME" }, - { WINBINDD_DOMAIN_INFO, winbindd_domain_info, "DOMAIN_INFO" }, - { WINBINDD_NETBIOS_NAME, winbindd_netbios_name, "NETBIOS_NAME" }, - { WINBINDD_PRIV_PIPE_DIR, winbindd_priv_pipe_dir, - "WINBINDD_PRIV_PIPE_DIR" }, - { WINBINDD_GETDCNAME, winbindd_getdcname, "GETDCNAME" }, - { WINBINDD_DSGETDCNAME, winbindd_dsgetdcname, "DSGETDCNAME" }, - - /* Credential cache access */ - { WINBINDD_CCACHE_NTLMAUTH, winbindd_ccache_ntlm_auth, "NTLMAUTH" }, - - /* WINS functions */ - - { WINBINDD_WINS_BYNAME, winbindd_wins_byname, "WINS_BYNAME" }, - { WINBINDD_WINS_BYIP, winbindd_wins_byip, "WINS_BYIP" }, - - /* End of list */ - - { WINBINDD_NUM_CMDS, NULL, "NONE" } -}; - -static void process_request(struct winbindd_cli_state *state) -{ - struct winbindd_dispatch_table *table = dispatch_table; - - /* Free response data - we may be interrupted and receive another - command before being able to send this data off. */ - - SAFE_FREE(state->response.extra_data.data); - - ZERO_STRUCT(state->response); - - state->response.result = WINBINDD_PENDING; - state->response.length = sizeof(struct winbindd_response); - - state->mem_ctx = talloc_init("winbind request"); - if (state->mem_ctx == NULL) - return; - - /* Remember who asked us. */ - state->pid = state->request.pid; - - /* Process command */ - - for (table = dispatch_table; table->fn; table++) { - if (state->request.cmd == table->cmd) { - DEBUG(10,("process_request: request fn %s\n", - table->winbindd_cmd_name )); - table->fn(state); - break; - } - } - - if (!table->fn) { - DEBUG(10,("process_request: unknown request fn number %d\n", - (int)state->request.cmd )); - request_error(state); - } -} - -/* - * A list of file descriptors being monitored by select in the main processing - * loop. fd_event->handler is called whenever the socket is readable/writable. - */ - -static struct fd_event *fd_events = NULL; - -void add_fd_event(struct fd_event *ev) -{ - struct fd_event *match; - - /* only add unique fd_event structs */ - - for (match=fd_events; match; match=match->next ) { -#ifdef DEVELOPER - SMB_ASSERT( match != ev ); -#else - if ( match == ev ) - return; -#endif - } - - DLIST_ADD(fd_events, ev); -} - -void remove_fd_event(struct fd_event *ev) -{ - DLIST_REMOVE(fd_events, ev); -} - -/* - * Handler for fd_events to complete a read/write request, set up by - * setup_async_read/setup_async_write. - */ - -static void rw_callback(struct fd_event *event, int flags) -{ - size_t todo; - ssize_t done = 0; - - todo = event->length - event->done; - - if (event->flags & EVENT_FD_WRITE) { - SMB_ASSERT(flags == EVENT_FD_WRITE); - done = sys_write(event->fd, - &((char *)event->data)[event->done], - todo); - - if (done <= 0) { - event->flags = 0; - event->finished(event->private_data, False); - return; - } - } - - if (event->flags & EVENT_FD_READ) { - SMB_ASSERT(flags == EVENT_FD_READ); - done = sys_read(event->fd, &((char *)event->data)[event->done], - todo); - - if (done <= 0) { - event->flags = 0; - event->finished(event->private_data, False); - return; - } - } - - event->done += done; - - if (event->done == event->length) { - event->flags = 0; - event->finished(event->private_data, True); - } -} - -/* - * Request an async read/write on a fd_event structure. (*finished) is called - * when the request is completed or an error had occurred. - */ - -void setup_async_read(struct fd_event *event, void *data, size_t length, - void (*finished)(void *private_data, BOOL success), - void *private_data) -{ - SMB_ASSERT(event->flags == 0); - event->data = data; - event->length = length; - event->done = 0; - event->handler = rw_callback; - event->finished = finished; - event->private_data = private_data; - event->flags = EVENT_FD_READ; -} - -void setup_async_write(struct fd_event *event, void *data, size_t length, - void (*finished)(void *private_data, BOOL success), - void *private_data) -{ - SMB_ASSERT(event->flags == 0); - event->data = data; - event->length = length; - event->done = 0; - event->handler = rw_callback; - event->finished = finished; - event->private_data = private_data; - event->flags = EVENT_FD_WRITE; -} - -/* - * This is the main event loop of winbind requests. It goes through a - * state-machine of 3 read/write requests, 4 if you have extra data to send. - * - * An idle winbind client has a read request of 4 bytes outstanding, - * finalizing function is request_len_recv, checking the length. request_recv - * then processes the packet. The processing function then at some point has - * to call request_finished which schedules sending the response. - */ - -static void request_len_recv(void *private_data, BOOL success); -static void request_recv(void *private_data, BOOL success); -static void request_main_recv(void *private_data, BOOL success); -static void request_finished(struct winbindd_cli_state *state); -void request_finished_cont(void *private_data, BOOL success); -static void response_main_sent(void *private_data, BOOL success); -static void response_extra_sent(void *private_data, BOOL success); - -static void response_extra_sent(void *private_data, BOOL success) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (state->mem_ctx != NULL) { - talloc_destroy(state->mem_ctx); - state->mem_ctx = NULL; - } - - if (!success) { - state->finished = True; - return; - } - - SAFE_FREE(state->request.extra_data.data); - SAFE_FREE(state->response.extra_data.data); - - setup_async_read(&state->fd_event, &state->request, sizeof(uint32), - request_len_recv, state); -} - -static void response_main_sent(void *private_data, BOOL success) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - state->finished = True; - return; - } - - if (state->response.length == sizeof(state->response)) { - if (state->mem_ctx != NULL) { - talloc_destroy(state->mem_ctx); - state->mem_ctx = NULL; - } - - setup_async_read(&state->fd_event, &state->request, - sizeof(uint32), request_len_recv, state); - return; - } - - setup_async_write(&state->fd_event, state->response.extra_data.data, - state->response.length - sizeof(state->response), - response_extra_sent, state); -} - -static void request_finished(struct winbindd_cli_state *state) -{ - setup_async_write(&state->fd_event, &state->response, - sizeof(state->response), response_main_sent, state); -} - -void request_error(struct winbindd_cli_state *state) -{ - SMB_ASSERT(state->response.result == WINBINDD_PENDING); - state->response.result = WINBINDD_ERROR; - request_finished(state); -} - -void request_ok(struct winbindd_cli_state *state) -{ - SMB_ASSERT(state->response.result == WINBINDD_PENDING); - state->response.result = WINBINDD_OK; - request_finished(state); -} - -void request_finished_cont(void *private_data, BOOL success) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (success) - request_ok(state); - else - request_error(state); -} - -static void request_len_recv(void *private_data, BOOL success) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - state->finished = True; - return; - } - - if (*(uint32 *)(&state->request) != sizeof(state->request)) { - DEBUG(0,("request_len_recv: Invalid request size received: %d\n", - *(uint32 *)(&state->request))); - state->finished = True; - return; - } - - setup_async_read(&state->fd_event, (uint32 *)(&state->request)+1, - sizeof(state->request) - sizeof(uint32), - request_main_recv, state); -} - -static void request_main_recv(void *private_data, BOOL success) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - state->finished = True; - return; - } - - if (state->request.extra_len == 0) { - state->request.extra_data.data = NULL; - request_recv(state, True); - return; - } - - if ((!state->privileged) && - (state->request.extra_len > WINBINDD_MAX_EXTRA_DATA)) { - DEBUG(3, ("Got request with %d bytes extra data on " - "unprivileged socket\n", (int)state->request.extra_len)); - state->request.extra_data.data = NULL; - state->finished = True; - return; - } - - state->request.extra_data.data = - SMB_MALLOC_ARRAY(char, state->request.extra_len + 1); - - if (state->request.extra_data.data == NULL) { - DEBUG(0, ("malloc failed\n")); - state->finished = True; - return; - } - - /* Ensure null termination */ - state->request.extra_data.data[state->request.extra_len] = '\0'; - - setup_async_read(&state->fd_event, state->request.extra_data.data, - state->request.extra_len, request_recv, state); -} - -static void request_recv(void *private_data, BOOL success) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - state->finished = True; - return; - } - - process_request(state); -} - -/* Process a new connection by adding it to the client connection list */ - -static void new_connection(int listen_sock, BOOL privileged) -{ - struct sockaddr_un sunaddr; - struct winbindd_cli_state *state; - socklen_t len; - int sock; - - /* Accept connection */ - - len = sizeof(sunaddr); - - do { - sock = accept(listen_sock, (struct sockaddr *)&sunaddr, &len); - } while (sock == -1 && errno == EINTR); - - if (sock == -1) - return; - - DEBUG(6,("accepted socket %d\n", sock)); - - /* Create new connection structure */ - - if ((state = TALLOC_ZERO_P(NULL, struct winbindd_cli_state)) == NULL) { - close(sock); - return; - } - - state->sock = sock; - - state->last_access = time(NULL); - - state->privileged = privileged; - - state->fd_event.fd = state->sock; - state->fd_event.flags = 0; - add_fd_event(&state->fd_event); - - setup_async_read(&state->fd_event, &state->request, sizeof(uint32), - request_len_recv, state); - - /* Add to connection list */ - - winbindd_add_client(state); -} - -/* Remove a client connection from client connection list */ - -static void remove_client(struct winbindd_cli_state *state) -{ - /* It's a dead client - hold a funeral */ - - if (state == NULL) { - return; - } - - /* Close socket */ - - close(state->sock); - - /* Free any getent state */ - - free_getent_state(state->getpwent_state); - free_getent_state(state->getgrent_state); - - /* We may have some extra data that was not freed if the client was - killed unexpectedly */ - - SAFE_FREE(state->response.extra_data.data); - - if (state->mem_ctx != NULL) { - talloc_destroy(state->mem_ctx); - state->mem_ctx = NULL; - } - - remove_fd_event(&state->fd_event); - - /* Remove from list and free */ - - winbindd_remove_client(state); - TALLOC_FREE(state); -} - -/* Shutdown client connection which has been idle for the longest time */ - -static BOOL remove_idle_client(void) -{ - struct winbindd_cli_state *state, *remove_state = NULL; - time_t last_access = 0; - int nidle = 0; - - for (state = winbindd_client_list(); state; state = state->next) { - if (state->response.result != WINBINDD_PENDING && - !state->getpwent_state && !state->getgrent_state) { - nidle++; - if (!last_access || state->last_access < last_access) { - last_access = state->last_access; - remove_state = state; - } - } - } - - if (remove_state) { - DEBUG(5,("Found %d idle client connections, shutting down sock %d, pid %u\n", - nidle, remove_state->sock, (unsigned int)remove_state->pid)); - remove_client(remove_state); - return True; - } - - return False; -} - -/* Process incoming clients on listen_sock. We use a tricky non-blocking, - non-forking, non-threaded model which allows us to handle many - simultaneous connections while remaining impervious to many denial of - service attacks. */ - -static int process_loop(int listen_sock, int listen_priv_sock) -{ - struct winbindd_cli_state *state; - struct fd_event *ev; - fd_set r_fds, w_fds; - int maxfd, selret; - struct timeval timeout, ev_timeout; - - /* We'll be doing this a lot */ - - /* Handle messages */ - - message_dispatch(winbind_messaging_context()); - - run_events(winbind_event_context(), 0, NULL, NULL); - - /* refresh the trusted domain cache */ - - rescan_trusted_domains(); - - /* Initialise fd lists for select() */ - - maxfd = MAX(listen_sock, listen_priv_sock); - - FD_ZERO(&r_fds); - FD_ZERO(&w_fds); - FD_SET(listen_sock, &r_fds); - FD_SET(listen_priv_sock, &r_fds); - - timeout.tv_sec = WINBINDD_ESTABLISH_LOOP; - timeout.tv_usec = 0; - - /* Check for any event timeouts. */ - if (get_timed_events_timeout(winbind_event_context(), &ev_timeout)) { - timeout = timeval_min(&timeout, &ev_timeout); - } - - /* Set up client readers and writers */ - - state = winbindd_client_list(); - - while (state) { - - struct winbindd_cli_state *next = state->next; - - /* Dispose of client connection if it is marked as - finished */ - - if (state->finished) - remove_client(state); - - state = next; - } - - for (ev = fd_events; ev; ev = ev->next) { - if (ev->flags & EVENT_FD_READ) { - FD_SET(ev->fd, &r_fds); - maxfd = MAX(ev->fd, maxfd); - } - if (ev->flags & EVENT_FD_WRITE) { - FD_SET(ev->fd, &w_fds); - maxfd = MAX(ev->fd, maxfd); - } - } - - /* Call select */ - - selret = sys_select(maxfd + 1, &r_fds, &w_fds, NULL, &timeout); - - if (selret == 0) { - goto no_fds_ready; - } - - if (selret == -1) { - if (errno == EINTR) { - goto no_fds_ready; - } - - /* Select error, something is badly wrong */ - - perror("select"); - exit(1); - } - - /* selret > 0 */ - - ev = fd_events; - while (ev != NULL) { - struct fd_event *next = ev->next; - int flags = 0; - if (FD_ISSET(ev->fd, &r_fds)) - flags |= EVENT_FD_READ; - if (FD_ISSET(ev->fd, &w_fds)) - flags |= EVENT_FD_WRITE; - if (flags) - ev->handler(ev, flags); - ev = next; - } - - if (FD_ISSET(listen_sock, &r_fds)) { - while (winbindd_num_clients() > - WINBINDD_MAX_SIMULTANEOUS_CLIENTS - 1) { - DEBUG(5,("winbindd: Exceeding %d client " - "connections, removing idle " - "connection.\n", - WINBINDD_MAX_SIMULTANEOUS_CLIENTS)); - if (!remove_idle_client()) { - DEBUG(0,("winbindd: Exceeding %d " - "client connections, no idle " - "connection found\n", - WINBINDD_MAX_SIMULTANEOUS_CLIENTS)); - break; - } - } - /* new, non-privileged connection */ - new_connection(listen_sock, False); - } - - if (FD_ISSET(listen_priv_sock, &r_fds)) { - while (winbindd_num_clients() > - WINBINDD_MAX_SIMULTANEOUS_CLIENTS - 1) { - DEBUG(5,("winbindd: Exceeding %d client " - "connections, removing idle " - "connection.\n", - WINBINDD_MAX_SIMULTANEOUS_CLIENTS)); - if (!remove_idle_client()) { - DEBUG(0,("winbindd: Exceeding %d " - "client connections, no idle " - "connection found\n", - WINBINDD_MAX_SIMULTANEOUS_CLIENTS)); - break; - } - } - /* new, privileged connection */ - new_connection(listen_priv_sock, True); - } - - no_fds_ready: - -#if 0 - winbindd_check_cache_size(time(NULL)); -#endif - - /* Check signal handling things */ - - if (do_sigterm) - terminate(); - - if (do_sighup) { - - DEBUG(3, ("got SIGHUP\n")); - - flush_caches(); - reload_services_file(); - - do_sighup = False; - } - - if (do_sigusr2) { - print_winbindd_status(); - do_sigusr2 = False; - } - - if (do_sigchld) { - pid_t pid; - - do_sigchld = False; - - while ((pid = sys_waitpid(-1, NULL, WNOHANG)) > 0) { - winbind_child_died(pid); - } - } - - - return winbindd_num_clients(); -} - -static void winbindd_process_loop(enum smb_server_mode server_mode) -{ - int idle_timeout_sec; - struct timeval starttime; - int listen_public, listen_priv; - - errno = 0; - if (!winbindd_init_sockets(&listen_public, &listen_priv, - &idle_timeout_sec)) { - terminate(); - } - - starttime = timeval_current(); - - if (listen_public == -1 || listen_priv == -1) { - DEBUG(0, ("failed to open winbindd pipes: %s\n", - errno ? strerror(errno) : "unknown error")); - terminate(); - } - - for (;;) { - TALLOC_CTX *frame = talloc_stackframe(); - int clients = process_loop(listen_public, listen_priv); - - /* Don't bother figuring out the idle time if we won't be - * timing out anyway. - */ - if (idle_timeout_sec < 0) { - TALLOC_FREE(frame); - continue; - } - - if (clients == 0 && server_mode == SERVER_MODE_FOREGROUND) { - struct timeval now; - - now = timeval_current(); - if (timeval_elapsed2(&starttime, &now) > - (double)idle_timeout_sec) { - DEBUG(0, ("idle for %d secs, exitting\n", - idle_timeout_sec)); - terminate(); - } - } else { - starttime = timeval_current(); - } - TALLOC_FREE(frame); - } -} - -/* Main function */ - -int main(int argc, char **argv, char **envp) -{ - pstring logfile; - BOOL log_stdout = False; - BOOL no_process_group = False; - - enum smb_server_mode server_mode = SERVER_MODE_DAEMON; - - struct poptOption long_options[] = { - POPT_AUTOHELP - { "stdout", 'S', POPT_ARG_VAL, &log_stdout, True, "Log to stdout" }, - { "foreground", 'F', POPT_ARG_VAL, &server_mode, SERVER_MODE_FOREGROUND, "Daemon in foreground mode" }, - { "no-process-group", 0, POPT_ARG_VAL, &no_process_group, True, "Don't create a new process group" }, - { "daemon", 'D', POPT_ARG_VAL, &server_mode, SERVER_MODE_DAEMON, "Become a daemon (default)" }, - { "interactive", 'i', POPT_ARG_VAL, &server_mode, SERVER_MODE_INTERACTIVE, "Interactive mode" }, - { "no-caching", 'n', POPT_ARG_VAL, &opt_nocache, True, "Disable caching" }, - POPT_COMMON_SAMBA - POPT_TABLEEND - }; - poptContext pc; - int opt; - - /* glibc (?) likes to print "User defined signal 1" and exit if a - SIGUSR[12] is received before a handler is installed */ - - CatchSignal(SIGUSR1, SIG_IGN); - CatchSignal(SIGUSR2, SIG_IGN); - - fault_setup((void (*)(void *))fault_quit ); - dump_core_setup("winbindd"); - - load_case_tables(); - - /* Initialise for running in non-root mode */ - - sec_init(); - - set_remote_machine_name("winbindd", False); - - /* Set environment variable so we don't recursively call ourselves. - This may also be useful interactively. */ - - if ( !winbind_off() ) { - DEBUG(0,("Failed to disable recusive winbindd calls. Exiting.\n")); - exit(1); - } - - /* Initialise samba/rpc client stuff */ - - pc = poptGetContext("winbindd", argc, (const char **)argv, long_options, 0); - - while ((opt = poptGetNextOpt(pc)) != -1) { - switch (opt) { - default: - d_fprintf(stderr, "\nInvalid option %s: %s\n\n", - poptBadOption(pc, 0), poptStrerror(opt)); - poptPrintUsage(pc, stderr, 0); - exit(1); - } - } - - if (server_mode == SERVER_MODE_INTERACTIVE) { - log_stdout = True; - if (DEBUGLEVEL >= 9) { - talloc_enable_leak_report(); - } - } - - if (log_stdout && server_mode == SERVER_MODE_DAEMON) { - printf("Can't log to stdout (-S) unless daemon is in foreground (-F) or interactive (-i)\n"); - poptPrintUsage(pc, stderr, 0); - exit(1); - } - - poptFreeContext(pc); - - if (!override_logfile) { - pstr_sprintf(logfile, "%s/log.winbindd", dyn_LOGFILEBASE); - lp_set_logfile(logfile); - } - setup_logging("winbindd", log_stdout); - reopen_logs(); - - DEBUG(1, ("winbindd version %s started.\n%s\n", - SAMBA_VERSION_STRING, - COPYRIGHT_STARTUP_MESSAGE) ); - - if (!reload_services_file()) { - DEBUG(0, ("error opening config file\n")); - exit(1); - } - - if (!directory_exist(lp_lockdir(), NULL)) { - mkdir(lp_lockdir(), 0755); - } - - /* Setup names. */ - - if (!init_names()) - exit(1); - - load_interfaces(); - - if (!secrets_init()) { - - DEBUG(0,("Could not initialize domain trust account secrets. Giving up\n")); - return False; - } - - /* Enable netbios namecache */ - - namecache_enable(); - - /* Winbind daemon initialisation */ - - if ( ! NT_STATUS_IS_OK(idmap_init_cache()) ) { - DEBUG(1, ("Could not init idmap cache!\n")); - } - - /* Unblock all signals we are interested in as they may have been - blocked by the parent process. */ - - BlockSignals(False, SIGINT); - BlockSignals(False, SIGQUIT); - BlockSignals(False, SIGTERM); - BlockSignals(False, SIGUSR1); - BlockSignals(False, SIGUSR2); - BlockSignals(False, SIGHUP); - BlockSignals(False, SIGCHLD); - - /* Setup signal handlers */ - - CatchSignal(SIGINT, termination_handler); /* Exit on these sigs */ - CatchSignal(SIGQUIT, termination_handler); - CatchSignal(SIGTERM, termination_handler); - CatchSignal(SIGCHLD, sigchld_handler); - - CatchSignal(SIGPIPE, SIG_IGN); /* Ignore sigpipe */ - - CatchSignal(SIGUSR2, sigusr2_handler); /* Debugging sigs */ - CatchSignal(SIGHUP, sighup_handler); - - if (server_mode == SERVER_MODE_DAEMON) { - DEBUG( 3, ( "Becoming a daemon.\n" ) ); - become_daemon(True, no_process_group); - } else if (server_mode == SERVER_MODE_FOREGROUND) { - become_daemon(False, no_process_group); - } - - pidfile_create("winbindd"); - - /* Ensure all cache and idmap caches are consistent - before we startup. */ - - if (winbindd_validate_cache()) { - /* We have a bad cache, but luckily we - just deleted it. Restart ourselves */ - int i; - /* Ensure we have no open low fd's. */ - for (i = 3; i < 100; i++) { - close(i); - } - return execve(argv[0], argv, envp); - } - -#if HAVE_SETPGID - /* - * If we're interactive we want to set our own process group for - * signal management. - */ - if (server_mode == SERVER_MODE_INTERACTIVE && !no_process_group) { - setpgid( (pid_t)0, (pid_t)0); - } -#endif - - TimeInit(); - - /* Initialise messaging system */ - - if (winbind_messaging_context() == NULL) { - DEBUG(0, ("unable to initialize messaging system\n")); - exit(1); - } - - /* Initialize cache (ensure version is correct). */ - if (!initialize_winbindd_cache()) { - exit(1); - } - - /* React on 'smbcontrol winbindd reload-config' in the same way - as to SIGHUP signal */ - messaging_register(winbind_messaging_context(), NULL, - MSG_SMB_CONF_UPDATED, msg_reload_services); - messaging_register(winbind_messaging_context(), NULL, - MSG_SHUTDOWN, msg_shutdown); - - /* Handle online/offline messages. */ - messaging_register(winbind_messaging_context(), NULL, - MSG_WINBIND_OFFLINE, winbind_msg_offline); - messaging_register(winbind_messaging_context(), NULL, - MSG_WINBIND_ONLINE, winbind_msg_online); - messaging_register(winbind_messaging_context(), NULL, - MSG_WINBIND_ONLINESTATUS, winbind_msg_onlinestatus); - - messaging_register(winbind_messaging_context(), NULL, - MSG_DUMP_EVENT_LIST, winbind_msg_dump_event_list); - - messaging_register(winbind_messaging_context(), NULL, - MSG_WINBIND_VALIDATE_CACHE, - winbind_msg_validate_cache); - - netsamlogon_cache_init(); /* Non-critical */ - - /* clear the cached list of trusted domains */ - - wcache_tdc_clear(); - - if (!init_domain_list()) { - DEBUG(0,("unable to initalize domain list\n")); - exit(1); - } - - init_idmap_child(); - init_locator_child(); - - smb_nscd_flush_user_cache(); - smb_nscd_flush_group_cache(); - - /* Loop waiting for requests */ - winbindd_process_loop(server_mode); - - return 0; -} diff --git a/source3/nsswitch/winbindd.h b/source3/nsswitch/winbindd.h deleted file mode 100644 index 27406ac438..0000000000 --- a/source3/nsswitch/winbindd.h +++ /dev/null @@ -1,365 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon for ntdom nss module - - Copyright (C) Tim Potter 2000 - Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003 - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 3 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Library General Public License for more details. - - You should have received a copy of the GNU Lesser General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#ifndef _WINBINDD_H -#define _WINBINDD_H - -#include "nsswitch/winbind_struct_protocol.h" - -#ifdef HAVE_LIBNSCD -#include <libnscd.h> -#endif - -#ifdef HAVE_SYS_MMAN_H -#include <sys/mman.h> -#endif - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -#define WB_REPLACE_CHAR '_' - -/* bits for fd_event.flags */ -#define EVENT_FD_READ 1 -#define EVENT_FD_WRITE 2 - -struct fd_event { - struct fd_event *next, *prev; - int fd; - int flags; /* see EVENT_FD_* flags */ - void (*handler)(struct fd_event *fde, int flags); - void *data; - size_t length, done; - void (*finished)(void *private_data, BOOL success); - void *private_data; -}; - -struct sid_ctr { - DOM_SID *sid; - BOOL finished; - const char *domain; - const char *name; - enum lsa_SidType type; -}; - -struct winbindd_cli_state { - struct winbindd_cli_state *prev, *next; /* Linked list pointers */ - int sock; /* Open socket from client */ - struct fd_event fd_event; - pid_t pid; /* pid of client */ - BOOL finished; /* Can delete from list */ - BOOL write_extra_data; /* Write extra_data field */ - time_t last_access; /* Time of last access (read or write) */ - BOOL privileged; /* Is the client 'privileged' */ - - TALLOC_CTX *mem_ctx; /* memory per request */ - struct winbindd_request request; /* Request from client */ - struct winbindd_response response; /* Respose to client */ - BOOL getpwent_initialized; /* Has getpwent_state been - * initialized? */ - BOOL getgrent_initialized; /* Has getgrent_state been - * initialized? */ - struct getent_state *getpwent_state; /* State for getpwent() */ - struct getent_state *getgrent_state; /* State for getgrent() */ -}; - -/* State between get{pw,gr}ent() calls */ - -struct getent_state { - struct getent_state *prev, *next; - void *sam_entries; - uint32 sam_entry_index, num_sam_entries; - BOOL got_sam_entries; - fstring domain_name; -}; - -/* Storage for cached getpwent() user entries */ - -struct getpwent_user { - fstring name; /* Account name */ - fstring gecos; /* User information */ - fstring homedir; /* User Home Directory */ - fstring shell; /* User Login Shell */ - DOM_SID user_sid; /* NT user and primary group SIDs */ - DOM_SID group_sid; -}; - -/* Server state structure */ - -typedef struct { - char *acct_name; - char *full_name; - char *homedir; - char *shell; - gid_t primary_gid; /* allow the nss_info - backend to set the primary group */ - DOM_SID user_sid; /* NT user and primary group SIDs */ - DOM_SID group_sid; -} WINBIND_USERINFO; - -/* Our connection to the DC */ - -struct winbindd_cm_conn { - struct cli_state *cli; - - struct rpc_pipe_client *samr_pipe; - POLICY_HND sam_connect_handle, sam_domain_handle; - - struct rpc_pipe_client *lsa_pipe; - POLICY_HND lsa_policy; - - struct rpc_pipe_client *netlogon_pipe; -}; - -struct winbindd_async_request; - -/* Async child */ - -struct winbindd_child { - struct winbindd_child *next, *prev; - - pid_t pid; - struct winbindd_domain *domain; - pstring logfilename; - - struct fd_event event; - struct timed_event *lockout_policy_event; - struct winbindd_async_request *requests; -}; - -/* Structures to hold per domain information */ - -struct winbindd_domain { - fstring name; /* Domain name (NetBIOS) */ - fstring alt_name; /* alt Domain name, if any (FQDN for ADS) */ - fstring forest_name; /* Name of the AD forest we're in */ - DOM_SID sid; /* SID for this domain */ - uint32 domain_flags; /* Domain flags from rpc_ds.h */ - uint32 domain_type; /* Domain type from rpc_ds.h */ - uint32 domain_trust_attribs; /* Trust attribs from rpc_ds.h */ - BOOL initialized; /* Did we already ask for the domain mode? */ - BOOL native_mode; /* is this a win2k domain in native mode ? */ - BOOL active_directory; /* is this a win2k active directory ? */ - BOOL primary; /* is this our primary domain ? */ - BOOL internal; /* BUILTIN and member SAM */ - BOOL online; /* is this domain available ? */ - time_t startup_time; /* When we set "startup" true. */ - BOOL startup; /* are we in the first 30 seconds after startup_time ? */ - - BOOL can_do_samlogon_ex; /* Due to the lack of finer control what type - * of DC we have, let us try to do a - * credential-chain less samlogon_ex call - * with AD and schannel. If this fails with - * DCERPC_FAULT_OP_RNG_ERROR, then set this - * to False. This variable is around so that - * we don't have to try _ex every time. */ - - /* Lookup methods for this domain (LDAP or RPC) */ - struct winbindd_methods *methods; - - /* the backend methods are used by the cache layer to find the right - backend */ - struct winbindd_methods *backend; - - /* Private data for the backends (used for connection cache) */ - - void *private_data; - - /* A working DC */ - fstring dcname; - struct sockaddr_in dcaddr; - - /* Sequence number stuff */ - - time_t last_seq_check; - uint32 sequence_number; - NTSTATUS last_status; - - /* The smb connection */ - - struct winbindd_cm_conn conn; - - /* The child pid we're talking to */ - - struct winbindd_child child; - - /* Callback we use to try put us back online. */ - - uint32 check_online_timeout; - struct timed_event *check_online_event; - - /* Linked list info */ - - struct winbindd_domain *prev, *next; -}; - -/* per-domain methods. This is how LDAP vs RPC is selected - */ -struct winbindd_methods { - /* does this backend provide a consistent view of the data? (ie. is the primary group - always correct) */ - BOOL consistent; - - /* get a list of users, returning a WINBIND_USERINFO for each one */ - NTSTATUS (*query_user_list)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - WINBIND_USERINFO **info); - - /* get a list of domain groups */ - NTSTATUS (*enum_dom_groups)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info); - - /* get a list of domain local groups */ - NTSTATUS (*enum_local_groups)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info); - - /* convert one user or group name to a sid */ - NTSTATUS (*name_to_sid)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - enum winbindd_cmd orig_cmd, - const char *domain_name, - const char *name, - DOM_SID *sid, - enum lsa_SidType *type); - - /* convert a sid to a user or group name */ - NTSTATUS (*sid_to_name)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - char **domain_name, - char **name, - enum lsa_SidType *type); - - NTSTATUS (*rids_to_names)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *domain_sid, - uint32 *rids, - size_t num_rids, - char **domain_name, - char ***names, - enum lsa_SidType **types); - - /* lookup user info for a given SID */ - NTSTATUS (*query_user)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - WINBIND_USERINFO *user_info); - - /* lookup all groups that a user is a member of. The backend - can also choose to lookup by username or rid for this - function */ - NTSTATUS (*lookup_usergroups)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - uint32 *num_groups, DOM_SID **user_gids); - - /* Lookup all aliases that the sids delivered are member of. This is - * to implement 'domain local groups' correctly */ - NTSTATUS (*lookup_useraliases)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 num_sids, - const DOM_SID *sids, - uint32 *num_aliases, - uint32 **alias_rids); - - /* find all members of the group with the specified group_rid */ - NTSTATUS (*lookup_groupmem)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *group_sid, - uint32 *num_names, - DOM_SID **sid_mem, char ***names, - uint32 **name_types); - - /* return the current global sequence number */ - NTSTATUS (*sequence_number)(struct winbindd_domain *domain, uint32 *seq); - - /* return the lockout policy */ - NTSTATUS (*lockout_policy)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - SAM_UNK_INFO_12 *lockout_policy); - - /* return the lockout policy */ - NTSTATUS (*password_policy)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - SAM_UNK_INFO_1 *password_policy); - - /* enumerate trusted domains */ - NTSTATUS (*trusted_domains)(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_domains, - char ***names, - char ***alt_names, - DOM_SID **dom_sids); -}; - -/* Used to glue a policy handle and cli_state together */ - -typedef struct { - struct cli_state *cli; - POLICY_HND pol; -} CLI_POLICY_HND; - -/* Filled out by IDMAP backends */ -struct winbindd_idmap_methods { - /* Called when backend is first loaded */ - BOOL (*init)(void); - - BOOL (*get_sid_from_uid)(uid_t uid, DOM_SID *sid); - BOOL (*get_sid_from_gid)(gid_t gid, DOM_SID *sid); - - BOOL (*get_uid_from_sid)(DOM_SID *sid, uid_t *uid); - BOOL (*get_gid_from_sid)(DOM_SID *sid, gid_t *gid); - - /* Called when backend is unloaded */ - BOOL (*close)(void); - /* Called to dump backend status */ - void (*status)(void); -}; - -/* Data structures for dealing with the trusted domain cache */ - -struct winbindd_tdc_domain { - const char *domain_name; - const char *dns_name; - DOM_SID sid; - uint32 trust_flags; - uint32 trust_attribs; - uint32 trust_type; -}; - - -#include "nsswitch/winbindd_proto.h" - -#define WINBINDD_ESTABLISH_LOOP 30 -#define WINBINDD_RESCAN_FREQ lp_winbind_cache_time() -#define WINBINDD_PAM_AUTH_KRB5_RENEW_TIME 2592000 /* one month */ -#define DOM_SEQUENCE_NONE ((uint32)-1) - -#define IS_DOMAIN_OFFLINE(x) ( lp_winbind_offline_logon() && \ - ( get_global_winbindd_state_offline() \ - || !(x)->online ) ) -#endif /* _WINBINDD_H */ diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c deleted file mode 100644 index 65cc00bb97..0000000000 --- a/source3/nsswitch/winbindd_ads.c +++ /dev/null @@ -1,1312 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind ADS backend functions - - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003 - Copyright (C) Gerald (Jerry) Carter 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#ifdef HAVE_ADS - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -extern struct winbindd_methods reconnect_methods; - -/* - return our ads connections structure for a domain. We keep the connection - open to make things faster -*/ -static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) -{ - ADS_STRUCT *ads; - ADS_STATUS status; - fstring dc_name; - struct in_addr dc_ip; - - DEBUG(10,("ads_cached_connection\n")); - - if (domain->private_data) { - - time_t expire; - time_t now = time(NULL); - - /* check for a valid structure */ - ads = (ADS_STRUCT *)domain->private_data; - - expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire); - - DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n", - (uint32)expire-(uint32)now, (uint32) expire, (uint32) now)); - - if ( ads->config.realm && (expire > now)) { - return ads; - } else { - /* we own this ADS_STRUCT so make sure it goes away */ - DEBUG(7,("Deleting expired krb5 credential cache\n")); - ads->is_mine = True; - ads_destroy( &ads ); - ads_kdestroy("MEMORY:winbind_ccache"); - domain->private_data = NULL; - } - } - - /* we don't want this to affect the users ccache */ - setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1); - - ads = ads_init(domain->alt_name, domain->name, NULL); - if (!ads) { - DEBUG(1,("ads_init for domain %s failed\n", domain->name)); - return NULL; - } - - /* the machine acct password might have change - fetch it every time */ - - SAFE_FREE(ads->auth.password); - SAFE_FREE(ads->auth.realm); - - if ( IS_DC ) { - DOM_SID sid; - time_t last_set_time; - - if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, &sid, &last_set_time ) ) { - ads_destroy( &ads ); - return NULL; - } - ads->auth.realm = SMB_STRDUP( ads->server.realm ); - strupper_m( ads->auth.realm ); - } - else { - struct winbindd_domain *our_domain = domain; - - ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); - - /* always give preference to the alt_name in our - primary domain if possible */ - - if ( !domain->primary ) - our_domain = find_our_domain(); - - if ( our_domain->alt_name[0] != '\0' ) { - ads->auth.realm = SMB_STRDUP( our_domain->alt_name ); - strupper_m( ads->auth.realm ); - } - else - ads->auth.realm = SMB_STRDUP( lp_realm() ); - } - - ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME; - - /* Setup the server affinity cache. We don't reaally care - about the name. Just setup affinity and the KRB5_CONFIG - file. */ - - get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ip ); - - status = ads_connect(ads); - if (!ADS_ERR_OK(status) || !ads->config.realm) { - DEBUG(1,("ads_connect for domain %s failed: %s\n", - domain->name, ads_errstr(status))); - ads_destroy(&ads); - - /* if we get ECONNREFUSED then it might be a NT4 - server, fall back to MSRPC */ - if (status.error_type == ENUM_ADS_ERROR_SYSTEM && - status.err.rc == ECONNREFUSED) { - /* 'reconnect_methods' is the MS-RPC backend. */ - DEBUG(1,("Trying MSRPC methods\n")); - domain->backend = &reconnect_methods; - } - return NULL; - } - - /* set the flag that says we don't own the memory even - though we do so that ads_destroy() won't destroy the - structure we pass back by reference */ - - ads->is_mine = False; - - domain->private_data = (void *)ads; - return ads; -} - - -/* Query display info for a realm. This is the basic user list fn */ -static NTSTATUS query_user_list(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - WINBIND_USERINFO **info) -{ - ADS_STRUCT *ads = NULL; - const char *attrs[] = { "*", NULL }; - int i, count; - ADS_STATUS rc; - LDAPMessage *res = NULL; - LDAPMessage *msg = NULL; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - - *num_entries = 0; - - DEBUG(3,("ads: query_user_list\n")); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("query_user_list: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - ads = ads_cached_connection(domain); - - if (!ads) { - domain->last_status = NT_STATUS_SERVER_DISABLED; - goto done; - } - - rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs); - if (!ADS_ERR_OK(rc) || !res) { - DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc))); - goto done; - } - - count = ads_count_replies(ads, res); - if (count == 0) { - DEBUG(1,("query_user_list: No users found\n")); - goto done; - } - - (*info) = TALLOC_ZERO_ARRAY(mem_ctx, WINBIND_USERINFO, count); - if (!*info) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - i = 0; - - for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) { - char *name, *gecos = NULL; - char *homedir = NULL; - char *shell = NULL; - uint32 group; - uint32 atype; - DOM_SID user_sid; - gid_t primary_gid = (gid_t)-1; - - if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) || - ads_atype_map(atype) != SID_NAME_USER) { - DEBUG(1,("Not a user account? atype=0x%x\n", atype)); - continue; - } - - name = ads_pull_username(ads, mem_ctx, msg); - - if ( ads_pull_sid( ads, msg, "objectSid", &user_sid ) ) { - status = nss_get_info_cached( domain, &user_sid, mem_ctx, - ads, msg, &homedir, &shell, &gecos, - &primary_gid ); - } - - if (gecos == NULL) { - gecos = ads_pull_string(ads, mem_ctx, msg, "name"); - } - - if (!ads_pull_sid(ads, msg, "objectSid", - &(*info)[i].user_sid)) { - DEBUG(1,("No sid for %s !?\n", name)); - continue; - } - if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) { - DEBUG(1,("No primary group for %s !?\n", name)); - continue; - } - - (*info)[i].acct_name = name; - (*info)[i].full_name = gecos; - (*info)[i].homedir = homedir; - (*info)[i].shell = shell; - (*info)[i].primary_gid = primary_gid; - sid_compose(&(*info)[i].group_sid, &domain->sid, group); - i++; - } - - (*num_entries) = i; - status = NT_STATUS_OK; - - DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries))); - -done: - if (res) - ads_msgfree(ads, res); - - return status; -} - -/* list all domain groups */ -static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info) -{ - ADS_STRUCT *ads = NULL; - const char *attrs[] = {"userPrincipalName", "sAMAccountName", - "name", "objectSid", NULL}; - int i, count; - ADS_STATUS rc; - LDAPMessage *res = NULL; - LDAPMessage *msg = NULL; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - const char *filter; - BOOL enum_dom_local_groups = False; - - *num_entries = 0; - - DEBUG(3,("ads: enum_dom_groups\n")); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - /* only grab domain local groups for our domain */ - if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) { - enum_dom_local_groups = True; - } - - /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o - * rollup-fixes: - * - * According to Section 5.1(4) of RFC 2251 if a value of a type is it's - * default value, it MUST be absent. In case of extensible matching the - * "dnattr" boolean defaults to FALSE and so it must be only be present - * when set to TRUE. - * - * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a - * filter using bitwise matching rule then the buggy AD fails to decode - * the extensible match. As a workaround set it to TRUE and thereby add - * the dnAttributes "dn" field to cope with those older AD versions. - * It should not harm and won't put any additional load on the AD since - * none of the dn components have a bitmask-attribute. - * - * Thanks to Ralf Haferkamp for input and testing - Guenther */ - - filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", - ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED, - ADS_LDAP_MATCHING_RULE_BIT_AND, - enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP); - - if (filter == NULL) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - ads = ads_cached_connection(domain); - - if (!ads) { - domain->last_status = NT_STATUS_SERVER_DISABLED; - goto done; - } - - rc = ads_search_retry(ads, &res, filter, attrs); - if (!ADS_ERR_OK(rc) || !res) { - DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc))); - goto done; - } - - count = ads_count_replies(ads, res); - if (count == 0) { - DEBUG(1,("enum_dom_groups: No groups found\n")); - goto done; - } - - (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count); - if (!*info) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - i = 0; - - for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) { - char *name, *gecos; - DOM_SID sid; - uint32 rid; - - name = ads_pull_username(ads, mem_ctx, msg); - gecos = ads_pull_string(ads, mem_ctx, msg, "name"); - if (!ads_pull_sid(ads, msg, "objectSid", &sid)) { - DEBUG(1,("No sid for %s !?\n", name)); - continue; - } - - if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) { - DEBUG(1,("No rid for %s !?\n", name)); - continue; - } - - fstrcpy((*info)[i].acct_name, name); - fstrcpy((*info)[i].acct_desc, gecos); - (*info)[i].rid = rid; - i++; - } - - (*num_entries) = i; - - status = NT_STATUS_OK; - - DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries))); - -done: - if (res) - ads_msgfree(ads, res); - - return status; -} - -/* list all domain local groups */ -static NTSTATUS enum_local_groups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info) -{ - /* - * This is a stub function only as we returned the domain - * local groups in enum_dom_groups() if the domain->native field - * was true. This is a simple performance optimization when - * using LDAP. - * - * if we ever need to enumerate domain local groups separately, - * then this the optimization in enum_dom_groups() will need - * to be split out - */ - *num_entries = 0; - - return NT_STATUS_OK; -} - -/* If you are looking for "dn_lookup": Yes, it used to be here! - * It has gone now since it was a major speed bottleneck in - * lookup_groupmem (its only use). It has been replaced by - * an rpc lookup sids call... R.I.P. */ - -/* Lookup user information from a rid */ -static NTSTATUS query_user(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - WINBIND_USERINFO *info) -{ - ADS_STRUCT *ads = NULL; - const char *attrs[] = { "*", NULL }; - ADS_STATUS rc; - int count; - LDAPMessage *msg = NULL; - char *ldap_exp; - char *sidstr; - uint32 group_rid; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - NET_USER_INFO_3 *user; - - DEBUG(3,("ads: query_user\n")); - - info->homedir = NULL; - info->shell = NULL; - info->primary_gid = (gid_t)-1; - - /* try netsamlogon cache first */ - - if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL ) - { - - DEBUG(5,("query_user: Cache lookup succeeded for %s\n", - sid_string_static(sid))); - - sid_compose(&info->user_sid, &domain->sid, user->user_rid); - sid_compose(&info->group_sid, &domain->sid, user->group_rid); - - info->acct_name = unistr2_tdup(mem_ctx, &user->uni_user_name); - info->full_name = unistr2_tdup(mem_ctx, &user->uni_full_name); - - nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL, - &info->homedir, &info->shell, &info->full_name, - &info->primary_gid ); - - TALLOC_FREE(user); - - return NT_STATUS_OK; - } - - if ( !winbindd_can_contact_domain(domain)) { - DEBUG(8,("query_user: No incoming trust from domain %s\n", - domain->name)); - - /* We still need to generate some basic information - about the user even if we cannot contact the - domain. Most of this stuff we can deduce. */ - - sid_copy( &info->user_sid, sid ); - - /* Assume "Domain Users" for the primary group */ - - sid_compose(&info->group_sid, &domain->sid, DOMAIN_GROUP_RID_USERS ); - - /* Try to fill in what the nss_info backend can do */ - - nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL, - &info->homedir, &info->shell, &info->full_name, - &info->primary_gid ); - - status = NT_STATUS_OK; - goto done; - } - - /* no cache...do the query */ - - if ( (ads = ads_cached_connection(domain)) == NULL ) { - domain->last_status = NT_STATUS_SERVER_DISABLED; - goto done; - } - - sidstr = sid_binstring(sid); - asprintf(&ldap_exp, "(objectSid=%s)", sidstr); - rc = ads_search_retry(ads, &msg, ldap_exp, attrs); - free(ldap_exp); - free(sidstr); - if (!ADS_ERR_OK(rc) || !msg) { - DEBUG(1,("query_user(sid=%s) ads_search: %s\n", - sid_string_static(sid), ads_errstr(rc))); - goto done; - } - - count = ads_count_replies(ads, msg); - if (count != 1) { - DEBUG(1,("query_user(sid=%s): Not found\n", - sid_string_static(sid))); - goto done; - } - - info->acct_name = ads_pull_username(ads, mem_ctx, msg); - - nss_get_info_cached( domain, sid, mem_ctx, ads, msg, - &info->homedir, &info->shell, &info->full_name, - &info->primary_gid ); - - if (info->full_name == NULL) { - info->full_name = ads_pull_string(ads, mem_ctx, msg, "name"); - } - - if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) { - DEBUG(1,("No primary group for %s !?\n", - sid_string_static(sid))); - goto done; - } - - sid_copy(&info->user_sid, sid); - sid_compose(&info->group_sid, &domain->sid, group_rid); - - status = NT_STATUS_OK; - - DEBUG(3,("ads query_user gave %s\n", info->acct_name)); -done: - if (msg) - ads_msgfree(ads, msg); - - return status; -} - -/* Lookup groups a user is a member of - alternate method, for when - tokenGroups are not available. */ -static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const char *user_dn, - DOM_SID *primary_group, - size_t *p_num_groups, DOM_SID **user_sids) -{ - ADS_STATUS rc; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - int count; - LDAPMessage *res = NULL; - LDAPMessage *msg = NULL; - char *ldap_exp; - ADS_STRUCT *ads; - const char *group_attrs[] = {"objectSid", NULL}; - char *escaped_dn; - size_t num_groups = 0; - - DEBUG(3,("ads: lookup_usergroups_member\n")); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - ads = ads_cached_connection(domain); - - if (!ads) { - domain->last_status = NT_STATUS_SERVER_DISABLED; - goto done; - } - - if (!(escaped_dn = escape_ldap_string_alloc(user_dn))) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - ldap_exp = talloc_asprintf(mem_ctx, - "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))", - escaped_dn, - ADS_LDAP_MATCHING_RULE_BIT_AND, - GROUP_TYPE_SECURITY_ENABLED); - if (!ldap_exp) { - DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn)); - SAFE_FREE(escaped_dn); - status = NT_STATUS_NO_MEMORY; - goto done; - } - - SAFE_FREE(escaped_dn); - - rc = ads_search_retry(ads, &res, ldap_exp, group_attrs); - - if (!ADS_ERR_OK(rc) || !res) { - DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc))); - return ads_ntstatus(rc); - } - - count = ads_count_replies(ads, res); - - *user_sids = NULL; - num_groups = 0; - - /* always add the primary group to the sid array */ - if (!add_sid_to_array(mem_ctx, primary_group, user_sids, &num_groups)) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - if (count > 0) { - for (msg = ads_first_entry(ads, res); msg; - msg = ads_next_entry(ads, msg)) { - DOM_SID group_sid; - - if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) { - DEBUG(1,("No sid for this group ?!?\n")); - continue; - } - - /* ignore Builtin groups from ADS - Guenther */ - if (sid_check_is_in_builtin(&group_sid)) { - continue; - } - - if (!add_sid_to_array(mem_ctx, &group_sid, user_sids, - &num_groups)) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - } - - } - - *p_num_groups = num_groups; - status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; - - DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn)); -done: - if (res) - ads_msgfree(ads, res); - - return status; -} - -/* Lookup groups a user is a member of - alternate method, for when - tokenGroups are not available. */ -static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const char *user_dn, - DOM_SID *primary_group, - size_t *p_num_groups, DOM_SID **user_sids) -{ - ADS_STATUS rc; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - ADS_STRUCT *ads; - const char *attrs[] = {"memberOf", NULL}; - size_t num_groups = 0; - DOM_SID *group_sids = NULL; - int i; - char **strings; - size_t num_strings = 0; - - - DEBUG(3,("ads: lookup_usergroups_memberof\n")); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("lookup_usergroups_memberof: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - ads = ads_cached_connection(domain); - - if (!ads) { - domain->last_status = NT_STATUS_SERVER_DISABLED; - goto done; - } - - rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs, - ADS_EXTENDED_DN_HEX_STRING, - &strings, &num_strings); - - if (!ADS_ERR_OK(rc)) { - DEBUG(1,("lookup_usergroups_memberof ads_search member=%s: %s\n", - user_dn, ads_errstr(rc))); - return ads_ntstatus(rc); - } - - *user_sids = NULL; - num_groups = 0; - - /* always add the primary group to the sid array */ - if (!add_sid_to_array(mem_ctx, primary_group, user_sids, &num_groups)) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - group_sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_strings + 1); - if (!group_sids) { - TALLOC_FREE(strings); - status = NT_STATUS_NO_MEMORY; - goto done; - } - - for (i=0; i<num_strings; i++) { - - if (!ads_get_sid_from_extended_dn(mem_ctx, strings[i], - ADS_EXTENDED_DN_HEX_STRING, - &(group_sids)[i])) { - TALLOC_FREE(group_sids); - TALLOC_FREE(strings); - status = NT_STATUS_NO_MEMORY; - goto done; - } - } - - if (i == 0) { - DEBUG(1,("No memberOf for this user?!?\n")); - status = NT_STATUS_NO_MEMORY; - goto done; - } - - for (i=0; i<num_strings; i++) { - - /* ignore Builtin groups from ADS - Guenther */ - if (sid_check_is_in_builtin(&group_sids[i])) { - continue; - } - - if (!add_sid_to_array(mem_ctx, &group_sids[i], user_sids, - &num_groups)) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - } - - *p_num_groups = num_groups; - status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; - - DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", user_dn)); -done: - TALLOC_FREE(group_sids); - - return status; -} - - -/* Lookup groups a user is a member of. */ -static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - uint32 *p_num_groups, DOM_SID **user_sids) -{ - ADS_STRUCT *ads = NULL; - const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL}; - ADS_STATUS rc; - int count; - LDAPMessage *msg = NULL; - char *user_dn = NULL; - DOM_SID *sids; - int i; - DOM_SID primary_group; - uint32 primary_group_rid; - fstring sid_string; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - size_t num_groups = 0; - - DEBUG(3,("ads: lookup_usergroups\n")); - *p_num_groups = 0; - - status = lookup_usergroups_cached(domain, mem_ctx, sid, - p_num_groups, user_sids); - if (NT_STATUS_IS_OK(status)) { - return NT_STATUS_OK; - } - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n", - domain->name)); - - /* Tell the cache manager not to remember this one */ - - return NT_STATUS_SYNCHRONIZATION_REQUIRED; - } - - ads = ads_cached_connection(domain); - - if (!ads) { - domain->last_status = NT_STATUS_SERVER_DISABLED; - status = NT_STATUS_SERVER_DISABLED; - goto done; - } - - rc = ads_search_retry_sid(ads, &msg, sid, attrs); - - if (!ADS_ERR_OK(rc)) { - status = ads_ntstatus(rc); - DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: %s\n", - sid_to_string(sid_string, sid), ads_errstr(rc))); - goto done; - } - - count = ads_count_replies(ads, msg); - if (count != 1) { - status = NT_STATUS_UNSUCCESSFUL; - DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: " - "invalid number of results (count=%d)\n", - sid_to_string(sid_string, sid), count)); - goto done; - } - - if (!msg) { - DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", - sid_to_string(sid_string, sid))); - status = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - user_dn = ads_get_dn(ads, msg); - if (user_dn == NULL) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) { - DEBUG(1,("%s: No primary group for sid=%s !?\n", - domain->name, sid_to_string(sid_string, sid))); - goto done; - } - - sid_copy(&primary_group, &domain->sid); - sid_append_rid(&primary_group, primary_group_rid); - - count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids); - - /* there must always be at least one group in the token, - unless we are talking to a buggy Win2k server */ - - /* actually this only happens when the machine account has no read - * permissions on the tokenGroup attribute - gd */ - - if (count == 0) { - - /* no tokenGroups */ - - /* lookup what groups this user is a member of by DN search on - * "memberOf" */ - - status = lookup_usergroups_memberof(domain, mem_ctx, user_dn, - &primary_group, - &num_groups, user_sids); - *p_num_groups = (uint32)num_groups; - if (NT_STATUS_IS_OK(status)) { - goto done; - } - - /* lookup what groups this user is a member of by DN search on - * "member" */ - - status = lookup_usergroups_member(domain, mem_ctx, user_dn, - &primary_group, - &num_groups, user_sids); - *p_num_groups = (uint32)num_groups; - goto done; - } - - *user_sids = NULL; - num_groups = 0; - - if (!add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups)) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - for (i=0;i<count;i++) { - - /* ignore Builtin groups from ADS - Guenther */ - if (sid_check_is_in_builtin(&sids[i])) { - continue; - } - - if (!add_sid_to_array_unique(mem_ctx, &sids[i], - user_sids, &num_groups)) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - } - - *p_num_groups = (uint32)num_groups; - status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; - - DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n", - sid_to_string(sid_string, sid))); -done: - ads_memfree(ads, user_dn); - ads_msgfree(ads, msg); - return status; -} - -/* - find the members of a group, given a group rid and domain - */ -static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *group_sid, uint32 *num_names, - DOM_SID **sid_mem, char ***names, - uint32 **name_types) -{ - ADS_STATUS rc; - ADS_STRUCT *ads = NULL; - char *ldap_exp; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - char *sidbinstr; - char **members = NULL; - int i; - size_t num_members = 0; - ads_control args; - struct rpc_pipe_client *cli; - POLICY_HND lsa_policy; - DOM_SID *sid_mem_nocache = NULL; - char **names_nocache = NULL; - enum lsa_SidType *name_types_nocache = NULL; - char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */ - uint32 num_nocache = 0; - TALLOC_CTX *tmp_ctx = NULL; - - DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name, - sid_string_static(group_sid))); - - *num_names = 0; - - tmp_ctx = talloc_new(mem_ctx); - if (!tmp_ctx) { - DEBUG(1, ("ads: lookup_groupmem: talloc failed\n")); - status = NT_STATUS_NO_MEMORY; - goto done; - } - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - ads = ads_cached_connection(domain); - - if (!ads) { - domain->last_status = NT_STATUS_SERVER_DISABLED; - goto done; - } - - if ((sidbinstr = sid_binstring(group_sid)) == NULL) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - /* search for all members of the group */ - if (!(ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", - sidbinstr))) - { - SAFE_FREE(sidbinstr); - DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n")); - status = NT_STATUS_NO_MEMORY; - goto done; - } - SAFE_FREE(sidbinstr); - - args.control = ADS_EXTENDED_DN_OID; - args.val = ADS_EXTENDED_DN_HEX_STRING; - args.critical = True; - - rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path, - ldap_exp, &args, "member", &members, &num_members); - - if (!ADS_ERR_OK(rc)) { - DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc))); - status = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); - - /* Now that we have a list of sids, we need to get the - * lists of names and name_types belonging to these sids. - * even though conceptually not quite clean, we use the - * RPC call lsa_lookup_sids for this since it can handle a - * list of sids. ldap calls can just resolve one sid at a time. - * - * At this stage, the sids are still hidden in the exetended dn - * member output format. We actually do a little better than - * stated above: In extracting the sids from the member strings, - * we try to resolve as many sids as possible from the - * cache. Only the rest is passed to the lsa_lookup_sids call. */ - - if (num_members) { - (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members); - (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members); - (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members); - (sid_mem_nocache) = TALLOC_ZERO_ARRAY(tmp_ctx, DOM_SID, num_members); - - if ((members == NULL) || (*sid_mem == NULL) || - (*names == NULL) || (*name_types == NULL) || - (sid_mem_nocache == NULL)) - { - DEBUG(1, ("ads: lookup_groupmem: talloc failed\n")); - status = NT_STATUS_NO_MEMORY; - goto done; - } - } - else { - (*sid_mem) = NULL; - (*names) = NULL; - (*name_types) = NULL; - } - - for (i=0; i<num_members; i++) { - enum lsa_SidType name_type; - char *name, *domain_name; - DOM_SID sid; - - if (!ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val, &sid)) { - status = NT_STATUS_INVALID_PARAMETER; - goto done; - } - if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name, &name_type)) { - DEBUG(10,("ads: lookup_groupmem: got sid %s from cache\n", - sid_string_static(&sid))); - sid_copy(&(*sid_mem)[*num_names], &sid); - (*names)[*num_names] = talloc_asprintf(*names, "%s%c%s", - domain_name, - *lp_winbind_separator(), - name ); - - (*name_types)[*num_names] = name_type; - (*num_names)++; - } - else { - DEBUG(10, ("ads: lookup_groupmem: sid %s not found in cache\n", - sid_string_static(&sid))); - sid_copy(&(sid_mem_nocache)[num_nocache], &sid); - num_nocache++; - } - } - - DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, " - "%d left for lsa_lookupsids\n", *num_names, num_nocache)); - - /* handle sids not resolved from cache by lsa_lookup_sids */ - if (num_nocache > 0) { - - status = cm_connect_lsa(domain, tmp_ctx, &cli, &lsa_policy); - - if (!NT_STATUS_IS_OK(status)) { - goto done; - } - - status = rpccli_lsa_lookup_sids_all(cli, tmp_ctx, - &lsa_policy, - num_nocache, - sid_mem_nocache, - &domains_nocache, - &names_nocache, - &name_types_nocache); - - if (NT_STATUS_IS_OK(status) || - NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) - { - /* Copy the entries over from the "_nocache" arrays - * to the result arrays, skipping the gaps the - * lookup_sids call left. */ - for (i=0; i < num_nocache; i++) { - if (((names_nocache)[i] != NULL) && - ((name_types_nocache)[i] != SID_NAME_UNKNOWN)) - { - sid_copy(&(*sid_mem)[*num_names], - &sid_mem_nocache[i]); - (*names)[*num_names] = talloc_asprintf( *names, - "%s%c%s", - domains_nocache[i], - *lp_winbind_separator(), - names_nocache[i] ); - (*name_types)[*num_names] = name_types_nocache[i]; - (*num_names)++; - } - } - } - else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) { - DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could " - "not map any SIDs at all.\n")); - /* Don't handle this as an error here. - * There is nothing left to do with respect to the - * overall result... */ - } - else if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("lookup_groupmem: Error looking up %d " - "sids via rpc_lsa_lookup_sids: %s\n", - (int)num_members, nt_errstr(status))); - goto done; - } - } - - status = NT_STATUS_OK; - DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n", - sid_string_static(group_sid))); - -done: - - TALLOC_FREE(tmp_ctx); - - return status; -} - -/* find the sequence number for a domain */ -static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) -{ - ADS_STRUCT *ads = NULL; - ADS_STATUS rc; - - DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name)); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("sequence: No incoming trust for domain %s\n", - domain->name)); - *seq = time(NULL); - return NT_STATUS_OK; - } - - *seq = DOM_SEQUENCE_NONE; - - ads = ads_cached_connection(domain); - - if (!ads) { - domain->last_status = NT_STATUS_SERVER_DISABLED; - return NT_STATUS_UNSUCCESSFUL; - } - - rc = ads_USN(ads, seq); - - if (!ADS_ERR_OK(rc)) { - - /* its a dead connection, destroy it */ - - if (domain->private_data) { - ads = (ADS_STRUCT *)domain->private_data; - ads->is_mine = True; - ads_destroy(&ads); - ads_kdestroy("MEMORY:winbind_ccache"); - domain->private_data = NULL; - } - } - return ads_ntstatus(rc); -} - -/* get a list of trusted domains */ -static NTSTATUS trusted_domains(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_domains, - char ***names, - char ***alt_names, - DOM_SID **dom_sids) -{ - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - struct ds_domain_trust *domains = NULL; - int count = 0; - int i; - uint32 flags; - struct rpc_pipe_client *cli; - uint32 fr_flags = (DS_DOMAIN_IN_FOREST | DS_DOMAIN_TREE_ROOT); - int ret_count; - - DEBUG(3,("ads: trusted_domains\n")); - - *num_domains = 0; - *alt_names = NULL; - *names = NULL; - *dom_sids = NULL; - - /* If this is our primary domain or a root in our forest, - query for all trusts. If not, then just look for domain - trusts in the target forest */ - - if ( domain->primary || - ((domain->domain_flags&fr_flags) == fr_flags) ) - { - flags = DS_DOMAIN_DIRECT_OUTBOUND | - DS_DOMAIN_DIRECT_INBOUND | - DS_DOMAIN_IN_FOREST; - } else { - flags = DS_DOMAIN_IN_FOREST; - } - - result = cm_connect_netlogon(domain, &cli); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(5, ("trusted_domains: Could not open a connection to %s " - "for PIPE_NETLOGON (%s)\n", - domain->name, nt_errstr(result))); - return NT_STATUS_UNSUCCESSFUL; - } - - if ( NT_STATUS_IS_OK(result) ) { - result = rpccli_ds_enum_domain_trusts(cli, mem_ctx, - cli->cli->desthost, - flags, &domains, - (unsigned int *)&count); - } - - if ( NT_STATUS_IS_OK(result) && count) { - - /* Allocate memory for trusted domain names and sids */ - - if ( !(*names = TALLOC_ARRAY(mem_ctx, char *, count)) ) { - DEBUG(0, ("trusted_domains: out of memory\n")); - return NT_STATUS_NO_MEMORY; - } - - if ( !(*alt_names = TALLOC_ARRAY(mem_ctx, char *, count)) ) { - DEBUG(0, ("trusted_domains: out of memory\n")); - return NT_STATUS_NO_MEMORY; - } - - if ( !(*dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, count)) ) { - DEBUG(0, ("trusted_domains: out of memory\n")); - return NT_STATUS_NO_MEMORY; - } - - /* Copy across names and sids */ - - - ret_count = 0; - for (i = 0; i < count; i++) { - struct winbindd_domain d; - - /* drop external trusts if this is not our primary - domain. This means that the returned number of - domains may be less that the ones actually trusted - by the DC. */ - - if ( (domains[i].trust_attributes == DS_DOMAIN_TRUST_ATTRIB_QUARANTINED_DOMAIN) && - !domain->primary ) - { - DEBUG(10,("trusted_domains: Skipping external trusted domain " - "%s because it is outside of our primary domain\n", - domains[i].netbios_domain)); - continue; - } - - (*names)[ret_count] = domains[i].netbios_domain; - (*alt_names)[ret_count] = domains[i].dns_domain; - sid_copy(&(*dom_sids)[ret_count], &domains[i].sid); - - /* add to the trusted domain cache */ - - fstrcpy( d.name, domains[i].netbios_domain ); - fstrcpy( d.alt_name, domains[i].dns_domain ); - sid_copy( &d.sid, &domains[i].sid ); - - /* This gets a little tricky. If we are - following a transitive forest trust, then - innerit the flags, type, and attrins from - the domain we queried to make sure we don't - record the view of the trust from the wrong - side. Always view it from the side of our - primary domain. --jerry */ - if ( domain->primary || - ((domain->domain_flags&fr_flags) == fr_flags) ) - { - DEBUG(10,("trusted_domains(ads): Storing trust " - "flags for domain %s\n", d.alt_name)); - - /* Look this up in cache to make sure - we have the current trust flags and - attributes */ - - d.domain_flags = domains[i].flags; - d.domain_type = domains[i].trust_type; - d.domain_trust_attribs = domains[i].trust_attributes; - } else { - DEBUG(10,("trusted_domains(ads): Inheriting trust " - "flags for domain %s\n", d.alt_name)); - d.domain_flags = domain->domain_flags; - d.domain_type = domain->domain_type; - d.domain_trust_attribs = domain->domain_trust_attribs; - } - - wcache_tdc_add_domain( &d ); - - ret_count++; - - } - - *num_domains = ret_count; - } - - return result; -} - -/* the ADS backend methods are exposed via this structure */ -struct winbindd_methods ads_methods = { - True, - query_user_list, - enum_dom_groups, - enum_local_groups, - msrpc_name_to_sid, - msrpc_sid_to_name, - msrpc_rids_to_names, - query_user, - lookup_usergroups, - msrpc_lookup_useraliases, - lookup_groupmem, - sequence_number, - msrpc_lockout_policy, - msrpc_password_policy, - trusted_domains, -}; - -#endif diff --git a/source3/nsswitch/winbindd_async.c b/source3/nsswitch/winbindd_async.c deleted file mode 100644 index 5d31ff0a41..0000000000 --- a/source3/nsswitch/winbindd_async.c +++ /dev/null @@ -1,1695 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Async helpers for blocking functions - - Copyright (C) Volker Lendecke 2005 - Copyright (C) Gerald Carter 2006 - - The helpers always consist of three functions: - - * A request setup function that takes the necessary parameters together - with a continuation function that is to be called upon completion - - * A private continuation function that is internal only. This is to be - called by the lower-level functions in do_async(). Its only task is to - properly call the continuation function named above. - - * A worker function that is called inside the appropriate child process. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -struct do_async_state { - TALLOC_CTX *mem_ctx; - struct winbindd_request request; - struct winbindd_response response; - void (*cont)(TALLOC_CTX *mem_ctx, - BOOL success, - struct winbindd_response *response, - void *c, void *private_data); - void *c, *private_data; -}; - -static void do_async_recv(void *private_data, BOOL success) -{ - struct do_async_state *state = - talloc_get_type_abort(private_data, struct do_async_state); - - state->cont(state->mem_ctx, success, &state->response, - state->c, state->private_data); -} - -static void do_async(TALLOC_CTX *mem_ctx, struct winbindd_child *child, - const struct winbindd_request *request, - void (*cont)(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data), - void *c, void *private_data) -{ - struct do_async_state *state; - - state = TALLOC_ZERO_P(mem_ctx, struct do_async_state); - if (state == NULL) { - DEBUG(0, ("talloc failed\n")); - cont(mem_ctx, False, NULL, c, private_data); - return; - } - - state->mem_ctx = mem_ctx; - state->request = *request; - state->request.length = sizeof(state->request); - state->cont = cont; - state->c = c; - state->private_data = private_data; - - async_request(mem_ctx, child, &state->request, - &state->response, do_async_recv, state); -} - -void do_async_domain(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, - const struct winbindd_request *request, - void (*cont)(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data), - void *c, void *private_data) -{ - struct do_async_state *state; - - state = TALLOC_ZERO_P(mem_ctx, struct do_async_state); - if (state == NULL) { - DEBUG(0, ("talloc failed\n")); - cont(mem_ctx, False, NULL, c, private_data); - return; - } - - state->mem_ctx = mem_ctx; - state->request = *request; - state->request.length = sizeof(state->request); - state->cont = cont; - state->c = c; - state->private_data = private_data; - - async_domain_request(mem_ctx, domain, &state->request, - &state->response, do_async_recv, state); -} - -static void winbindd_set_mapping_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ) = (void (*)(void *, BOOL))c; - - if (!success) { - DEBUG(5, ("Could not trigger idmap_set_mapping\n")); - cont(private_data, False); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("idmap_set_mapping returned an error\n")); - cont(private_data, False); - return; - } - - cont(private_data, True); -} - -void winbindd_set_mapping_async(TALLOC_CTX *mem_ctx, const struct id_map *map, - void (*cont)(void *private_data, BOOL success), - void *private_data) -{ - struct winbindd_request request; - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_SET_MAPPING; - request.data.dual_idmapset.id = map->xid.id; - request.data.dual_idmapset.type = map->xid.type; - sid_to_string(request.data.dual_idmapset.sid, map->sid); - - do_async(mem_ctx, idmap_child(), &request, winbindd_set_mapping_recv, - (void *)cont, private_data); -} - -enum winbindd_result winbindd_dual_set_mapping(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - struct id_map map; - DOM_SID sid; - NTSTATUS result; - - DEBUG(3, ("[%5lu]: dual_idmapset\n", (unsigned long)state->pid)); - - if (!string_to_sid(&sid, state->request.data.dual_idmapset.sid)) - return WINBINDD_ERROR; - - map.sid = &sid; - map.xid.id = state->request.data.dual_idmapset.id; - map.xid.type = state->request.data.dual_idmapset.type; - map.status = ID_MAPPED; - - result = idmap_set_mapping(&map); - return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; -} - -static void winbindd_set_hwm_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ) = (void (*)(void *, BOOL))c; - - if (!success) { - DEBUG(5, ("Could not trigger idmap_set_hwm\n")); - cont(private_data, False); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("idmap_set_hwm returned an error\n")); - cont(private_data, False); - return; - } - - cont(private_data, True); -} - -void winbindd_set_hwm_async(TALLOC_CTX *mem_ctx, const struct unixid *xid, - void (*cont)(void *private_data, BOOL success), - void *private_data) -{ - struct winbindd_request request; - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_SET_HWM; - request.data.dual_idmapset.id = xid->id; - request.data.dual_idmapset.type = xid->type; - - do_async(mem_ctx, idmap_child(), &request, winbindd_set_hwm_recv, - (void *)cont, private_data); -} - -enum winbindd_result winbindd_dual_set_hwm(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - struct unixid xid; - NTSTATUS result; - - DEBUG(3, ("[%5lu]: dual_set_hwm\n", (unsigned long)state->pid)); - - xid.id = state->request.data.dual_idmapset.id; - xid.type = state->request.data.dual_idmapset.type; - - switch (xid.type) { - case ID_TYPE_UID: - result = idmap_set_uid_hwm(&xid); - break; - case ID_TYPE_GID: - result = idmap_set_gid_hwm(&xid); - break; - default: - return WINBINDD_ERROR; - } - return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; -} - -static void winbindd_sids2xids_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, void *, int) = - (void (*)(void *, BOOL, void *, int))c; - - if (!success) { - DEBUG(5, ("Could not trigger sids2xids\n")); - cont(private_data, False, NULL, 0); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("sids2xids returned an error\n")); - cont(private_data, False, NULL, 0); - return; - } - - cont(private_data, True, response->extra_data.data, response->length - sizeof(response)); -} - -void winbindd_sids2xids_async(TALLOC_CTX *mem_ctx, void *sids, int size, - void (*cont)(void *private_data, BOOL success, void *data, int len), - void *private_data) -{ - struct winbindd_request request; - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_SIDS2XIDS; - request.extra_data.data = (char *)sids; - request.extra_len = size; - do_async(mem_ctx, idmap_child(), &request, winbindd_sids2xids_recv, - (void *)cont, private_data); -} - -enum winbindd_result winbindd_dual_sids2xids(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - DOM_SID *sids; - struct unixid *xids; - struct id_map **ids; - NTSTATUS result; - int num, i; - - DEBUG(3, ("[%5lu]: sids to unix ids\n", (unsigned long)state->pid)); - - if (state->request.extra_len == 0) { - DEBUG(0, ("Invalid buffer size!\n")); - return WINBINDD_ERROR; - } - - sids = (DOM_SID *)state->request.extra_data.data; - num = state->request.extra_len / sizeof(DOM_SID); - - ids = TALLOC_ZERO_ARRAY(state->mem_ctx, struct id_map *, num + 1); - if ( ! ids) { - DEBUG(0, ("Out of memory!\n")); - return WINBINDD_ERROR; - } - for (i = 0; i < num; i++) { - ids[i] = TALLOC_P(ids, struct id_map); - if ( ! ids[i]) { - DEBUG(0, ("Out of memory!\n")); - talloc_free(ids); - return WINBINDD_ERROR; - } - ids[i]->sid = &sids[i]; - } - - result = idmap_sids_to_unixids(ids); - - if (NT_STATUS_IS_OK(result)) { - - xids = SMB_MALLOC_ARRAY(struct unixid, num); - if ( ! xids) { - DEBUG(0, ("Out of memory!\n")); - talloc_free(ids); - return WINBINDD_ERROR; - } - - for (i = 0; i < num; i++) { - if (ids[i]->status == ID_MAPPED) { - xids[i].type = ids[i]->xid.type; - xids[i].id = ids[i]->xid.id; - } else { - xids[i].type = -1; - } - } - - state->response.length = sizeof(state->response) + (sizeof(struct unixid) * num); - state->response.extra_data.data = xids; - - } else { - DEBUG (2, ("idmap_sids_to_unixids returned an error: 0x%08x\n", NT_STATUS_V(result))); - talloc_free(ids); - return WINBINDD_ERROR; - } - - talloc_free(ids); - return WINBINDD_OK; -} - -static void winbindd_sid2uid_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, uid_t uid) = - (void (*)(void *, BOOL, uid_t))c; - - if (!success) { - DEBUG(5, ("Could not trigger sid2uid\n")); - cont(private_data, False, 0); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("sid2uid returned an error\n")); - cont(private_data, False, 0); - return; - } - - cont(private_data, True, response->data.uid); -} - -void winbindd_sid2uid_async(TALLOC_CTX *mem_ctx, const DOM_SID *sid, - void (*cont)(void *private_data, BOOL success, uid_t uid), - void *private_data) -{ - struct winbindd_request request; - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_SID2UID; - sid_to_string(request.data.dual_sid2id.sid, sid); - do_async(mem_ctx, idmap_child(), &request, winbindd_sid2uid_recv, - (void *)cont, private_data); -} - -enum winbindd_result winbindd_dual_sid2uid(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - DOM_SID sid; - NTSTATUS result; - - DEBUG(3, ("[%5lu]: sid to uid %s\n", (unsigned long)state->pid, - state->request.data.dual_sid2id.sid)); - - if (!string_to_sid(&sid, state->request.data.dual_sid2id.sid)) { - DEBUG(1, ("Could not get convert sid %s from string\n", - state->request.data.dual_sid2id.sid)); - return WINBINDD_ERROR; - } - - /* Find uid for this sid and return it, possibly ask the slow remote idmap */ - - result = idmap_sid_to_uid(&sid, &(state->response.data.uid)); - - return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; -} - -#if 0 /* not used */ -static void uid2name_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data); - -void winbindd_uid2name_async(TALLOC_CTX *mem_ctx, uid_t uid, - void (*cont)(void *private_data, BOOL success, - const char *name), - void *private_data) -{ - struct winbindd_request request; - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_UID2NAME; - request.data.uid = uid; - do_async(mem_ctx, idmap_child(), &request, uid2name_recv, - (void *)cont, private_data); -} -#endif /* not used */ - -enum winbindd_result winbindd_dual_uid2name(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - struct passwd *pw; - - DEBUG(3, ("[%5lu]: uid2name %lu\n", (unsigned long)state->pid, - (unsigned long)state->request.data.uid)); - - pw = getpwuid(state->request.data.uid); - if (pw == NULL) { - DEBUG(5, ("User %lu not found\n", - (unsigned long)state->request.data.uid)); - return WINBINDD_ERROR; - } - - fstrcpy(state->response.data.name.name, pw->pw_name); - return WINBINDD_OK; -} - -#if 0 /* not used */ -static void uid2name_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, const char *name) = - (void (*)(void *, BOOL, const char *))c; - - if (!success) { - DEBUG(5, ("Could not trigger uid2name\n")); - cont(private_data, False, NULL); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("uid2name returned an error\n")); - cont(private_data, False, NULL); - return; - } - - cont(private_data, True, response->data.name.name); -} - -static void name2uid_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data); - -static void winbindd_name2uid_async(TALLOC_CTX *mem_ctx, const char *name, - void (*cont)(void *private_data, BOOL success, - uid_t uid), - void *private_data) -{ - struct winbindd_request request; - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_NAME2UID; - fstrcpy(request.data.username, name); - do_async(mem_ctx, idmap_child(), &request, name2uid_recv, - (void *)cont, private_data); -} -#endif /* not used */ - -enum winbindd_result winbindd_dual_name2uid(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - struct passwd *pw; - - /* Ensure null termination */ - state->request.data.username - [sizeof(state->request.data.username)-1] = '\0'; - - DEBUG(3, ("[%5lu]: name2uid %s\n", (unsigned long)state->pid, - state->request.data.username)); - - pw = getpwnam(state->request.data.username); - if (pw == NULL) { - return WINBINDD_ERROR; - } - - state->response.data.uid = pw->pw_uid; - return WINBINDD_OK; -} - -#if 0 /* not used */ -static void name2uid_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, uid_t uid) = - (void (*)(void *, BOOL, uid_t))c; - - if (!success) { - DEBUG(5, ("Could not trigger name2uid\n")); - cont(private_data, False, 0); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("name2uid returned an error\n")); - cont(private_data, False, 0); - return; - } - - cont(private_data, True, response->data.uid); -} -#endif /* not used */ - -static void winbindd_sid2gid_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, gid_t gid) = - (void (*)(void *, BOOL, gid_t))c; - - if (!success) { - DEBUG(5, ("Could not trigger sid2gid\n")); - cont(private_data, False, 0); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("sid2gid returned an error\n")); - cont(private_data, False, 0); - return; - } - - cont(private_data, True, response->data.gid); -} - -void winbindd_sid2gid_async(TALLOC_CTX *mem_ctx, const DOM_SID *sid, - void (*cont)(void *private_data, BOOL success, gid_t gid), - void *private_data) -{ - struct winbindd_request request; - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_SID2GID; - sid_to_string(request.data.dual_sid2id.sid, sid); - - DEBUG(7,("winbindd_sid2gid_async: Resolving %s to a gid\n", - request.data.dual_sid2id.sid)); - - do_async(mem_ctx, idmap_child(), &request, winbindd_sid2gid_recv, - (void *)cont, private_data); -} - -enum winbindd_result winbindd_dual_sid2gid(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - DOM_SID sid; - NTSTATUS result; - - DEBUG(3, ("[%5lu]: sid to gid %s\n", (unsigned long)state->pid, - state->request.data.dual_sid2id.sid)); - - if (!string_to_sid(&sid, state->request.data.dual_sid2id.sid)) { - DEBUG(1, ("Could not get convert sid %s from string\n", - state->request.data.dual_sid2id.sid)); - return WINBINDD_ERROR; - } - - /* Find gid for this sid and return it, possibly ask the slow remote idmap */ - - result = idmap_sid_to_gid(&sid, &state->response.data.gid); - - DEBUG(10, ("winbindd_dual_sid2gid: 0x%08x - %s - %u\n", NT_STATUS_V(result), sid_string_static(&sid), state->response.data.gid)); - - return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; -} - -static void gid2name_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, const char *name) = - (void (*)(void *, BOOL, const char *))c; - - if (!success) { - DEBUG(5, ("Could not trigger gid2name\n")); - cont(private_data, False, NULL); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("gid2name returned an error\n")); - cont(private_data, False, NULL); - return; - } - - cont(private_data, True, response->data.name.name); -} - -void winbindd_gid2name_async(TALLOC_CTX *mem_ctx, gid_t gid, - void (*cont)(void *private_data, BOOL success, - const char *name), - void *private_data) -{ - struct winbindd_request request; - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_GID2NAME; - request.data.gid = gid; - do_async(mem_ctx, idmap_child(), &request, gid2name_recv, - (void *)cont, private_data); -} - -enum winbindd_result winbindd_dual_gid2name(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - struct group *gr; - - DEBUG(3, ("[%5lu]: gid2name %lu\n", (unsigned long)state->pid, - (unsigned long)state->request.data.gid)); - - gr = getgrgid(state->request.data.gid); - if (gr == NULL) - return WINBINDD_ERROR; - - fstrcpy(state->response.data.name.name, gr->gr_name); - return WINBINDD_OK; -} - -#if 0 /* not used */ -static void name2gid_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data); - -static void winbindd_name2gid_async(TALLOC_CTX *mem_ctx, const char *name, - void (*cont)(void *private_data, BOOL success, - gid_t gid), - void *private_data) -{ - struct winbindd_request request; - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_NAME2GID; - fstrcpy(request.data.groupname, name); - do_async(mem_ctx, idmap_child(), &request, name2gid_recv, - (void *)cont, private_data); -} -#endif /* not used */ - -enum winbindd_result winbindd_dual_name2gid(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - struct group *gr; - - /* Ensure null termination */ - state->request.data.groupname - [sizeof(state->request.data.groupname)-1] = '\0'; - - DEBUG(3, ("[%5lu]: name2gid %s\n", (unsigned long)state->pid, - state->request.data.groupname)); - - gr = getgrnam(state->request.data.groupname); - if (gr == NULL) { - return WINBINDD_ERROR; - } - - state->response.data.gid = gr->gr_gid; - return WINBINDD_OK; -} - -#if 0 /* not used */ -static void name2gid_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, gid_t gid) = - (void (*)(void *, BOOL, gid_t))c; - - if (!success) { - DEBUG(5, ("Could not trigger name2gid\n")); - cont(private_data, False, 0); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("name2gid returned an error\n")); - cont(private_data, False, 0); - return; - } - - cont(private_data, True, response->data.gid); -} -#endif /* not used */ - -struct lookupsid_state { - DOM_SID sid; - void *caller_private_data; -}; - - -static void lookupsid_recv2(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, const char *dom_name, - const char *name, enum lsa_SidType type) = - (void (*)(void *, BOOL, const char *, const char *, - enum lsa_SidType))c; - struct lookupsid_state *s = talloc_get_type_abort(private_data, - struct lookupsid_state); - - if (!success) { - DEBUG(5, ("Could not trigger lookupsid\n")); - cont(s->caller_private_data, False, NULL, NULL, SID_NAME_UNKNOWN); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("lookupsid (forest root) returned an error\n")); - cont(s->caller_private_data, False, NULL, NULL, SID_NAME_UNKNOWN); - return; - } - - cont(s->caller_private_data, True, response->data.name.dom_name, - response->data.name.name, - (enum lsa_SidType)response->data.name.type); -} - -static void lookupsid_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, const char *dom_name, - const char *name, enum lsa_SidType type) = - (void (*)(void *, BOOL, const char *, const char *, - enum lsa_SidType))c; - struct lookupsid_state *s = talloc_get_type_abort(private_data, - struct lookupsid_state); - - if (!success) { - DEBUG(5, ("Could not trigger lookupsid\n")); - cont(s->caller_private_data, False, NULL, NULL, SID_NAME_UNKNOWN); - return; - } - - if (response->result != WINBINDD_OK) { - /* Try again using the forest root */ - struct winbindd_domain *root_domain = find_root_domain(); - struct winbindd_request request; - - if ( !root_domain ) { - DEBUG(5,("lookupsid_recv: unable to determine forest root\n")); - cont(s->caller_private_data, False, NULL, NULL, SID_NAME_UNKNOWN); - return; - } - - ZERO_STRUCT(request); - request.cmd = WINBINDD_LOOKUPSID; - fstrcpy(request.data.sid, sid_string_static(&s->sid)); - - do_async_domain(mem_ctx, root_domain, &request, lookupsid_recv2, - (void *)cont, s); - - return; - } - - cont(s->caller_private_data, True, response->data.name.dom_name, - response->data.name.name, - (enum lsa_SidType)response->data.name.type); -} - -void winbindd_lookupsid_async(TALLOC_CTX *mem_ctx, const DOM_SID *sid, - void (*cont)(void *private_data, BOOL success, - const char *dom_name, - const char *name, - enum lsa_SidType type), - void *private_data) -{ - struct winbindd_domain *domain; - struct winbindd_request request; - struct lookupsid_state *s; - - domain = find_lookup_domain_from_sid(sid); - if (domain == NULL) { - DEBUG(5, ("Could not find domain for sid %s\n", - sid_string_static(sid))); - cont(private_data, False, NULL, NULL, SID_NAME_UNKNOWN); - return; - } - - ZERO_STRUCT(request); - request.cmd = WINBINDD_LOOKUPSID; - fstrcpy(request.data.sid, sid_string_static(sid)); - - if ( (s = TALLOC_ZERO_P(mem_ctx, struct lookupsid_state)) == NULL ) { - DEBUG(0, ("winbindd_lookupsid_async: talloc failed\n")); - cont(private_data, False, NULL, NULL, SID_NAME_UNKNOWN); - return; - } - - sid_copy( &s->sid, sid ); - s->caller_private_data = private_data; - - do_async_domain(mem_ctx, domain, &request, lookupsid_recv, - (void *)cont, s); -} - -enum winbindd_result winbindd_dual_lookupsid(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - enum lsa_SidType type; - DOM_SID sid; - char *name; - char *dom_name; - - /* Ensure null termination */ - state->request.data.sid[sizeof(state->request.data.sid)-1]='\0'; - - DEBUG(3, ("[%5lu]: lookupsid %s\n", (unsigned long)state->pid, - state->request.data.sid)); - - /* Lookup sid from PDC using lsa_lookup_sids() */ - - if (!string_to_sid(&sid, state->request.data.sid)) { - DEBUG(5, ("%s not a SID\n", state->request.data.sid)); - return WINBINDD_ERROR; - } - - /* Lookup the sid */ - - if (!winbindd_lookup_name_by_sid(state->mem_ctx, domain, &sid, - &dom_name, &name, &type)) - { - TALLOC_FREE(dom_name); - TALLOC_FREE(name); - return WINBINDD_ERROR; - } - - fstrcpy(state->response.data.name.dom_name, dom_name); - fstrcpy(state->response.data.name.name, name); - state->response.data.name.type = type; - - TALLOC_FREE(dom_name); - TALLOC_FREE(name); - return WINBINDD_OK; -} - -/******************************************************************** - This is the second callback after contacting the forest root -********************************************************************/ - -struct lookupname_state { - char *dom_name; - char *name; - void *caller_private_data; -}; - - -static void lookupname_recv2(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, const DOM_SID *sid, - enum lsa_SidType type) = - (void (*)(void *, BOOL, const DOM_SID *, enum lsa_SidType))c; - DOM_SID sid; - struct lookupname_state *s = talloc_get_type_abort( private_data, - struct lookupname_state ); - - - if (!success) { - DEBUG(5, ("Could not trigger lookup_name\n")); - cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("lookup_name returned an error\n")); - cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); - return; - } - - if (!string_to_sid(&sid, response->data.sid.sid)) { - DEBUG(0, ("Could not convert string %s to sid\n", - response->data.sid.sid)); - cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); - return; - } - - cont(s->caller_private_data, True, &sid, - (enum lsa_SidType)response->data.sid.type); -} - -/******************************************************************** - This is the first callback after contacting our own domain -********************************************************************/ - -static void lookupname_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, const DOM_SID *sid, - enum lsa_SidType type) = - (void (*)(void *, BOOL, const DOM_SID *, enum lsa_SidType))c; - DOM_SID sid; - struct lookupname_state *s = talloc_get_type_abort( private_data, - struct lookupname_state ); - - if (!success) { - DEBUG(5, ("lookupname_recv: lookup_name() failed!\n")); - cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); - return; - } - - if (response->result != WINBINDD_OK) { - /* Try again using the forest root */ - struct winbindd_domain *root_domain = find_root_domain(); - struct winbindd_request request; - - if ( !root_domain ) { - DEBUG(5,("lookupname_recv: unable to determine forest root\n")); - cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); - return; - } - - ZERO_STRUCT(request); - request.cmd = WINBINDD_LOOKUPNAME; - - fstrcpy( request.data.name.dom_name, s->dom_name ); - fstrcpy( request.data.name.name, s->name ); - - do_async_domain(mem_ctx, root_domain, &request, lookupname_recv2, - (void *)cont, s); - - return; - } - - if (!string_to_sid(&sid, response->data.sid.sid)) { - DEBUG(0, ("Could not convert string %s to sid\n", - response->data.sid.sid)); - cont(s->caller_private_data, False, NULL, SID_NAME_UNKNOWN); - return; - } - - cont(s->caller_private_data, True, &sid, - (enum lsa_SidType)response->data.sid.type); -} - -/******************************************************************** - The lookup name call first contacts a DC in its own domain - and fallbacks to contact a DC in the forest in our domain doesn't - know the name. -********************************************************************/ - -void winbindd_lookupname_async(TALLOC_CTX *mem_ctx, - const char *dom_name, const char *name, - void (*cont)(void *private_data, BOOL success, - const DOM_SID *sid, - enum lsa_SidType type), - enum winbindd_cmd orig_cmd, - void *private_data) -{ - struct winbindd_request request; - struct winbindd_domain *domain; - struct lookupname_state *s; - - if ( (domain = find_lookup_domain_from_name(dom_name)) == NULL ) { - DEBUG(5, ("Could not find domain for name %s\n", dom_name)); - cont(private_data, False, NULL, SID_NAME_UNKNOWN); - return; - } - - ZERO_STRUCT(request); - request.cmd = WINBINDD_LOOKUPNAME; - request.original_cmd = orig_cmd; - fstrcpy(request.data.name.dom_name, dom_name); - fstrcpy(request.data.name.name, name); - - if ( (s = TALLOC_ZERO_P(mem_ctx, struct lookupname_state)) == NULL ) { - DEBUG(0, ("winbindd_lookupname_async: talloc failed\n")); - cont(private_data, False, NULL, SID_NAME_UNKNOWN); - return; - } - - s->dom_name = talloc_strdup( s, dom_name ); - s->name = talloc_strdup( s, name ); - s->caller_private_data = private_data; - - do_async_domain(mem_ctx, domain, &request, lookupname_recv, - (void *)cont, s); -} - -enum winbindd_result winbindd_dual_lookupname(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - enum lsa_SidType type; - char *name_domain, *name_user; - DOM_SID sid; - char *p; - - /* Ensure null termination */ - state->request.data.name.dom_name[sizeof(state->request.data.name.dom_name)-1]='\0'; - - /* Ensure null termination */ - state->request.data.name.name[sizeof(state->request.data.name.name)-1]='\0'; - - /* cope with the name being a fully qualified name */ - p = strstr(state->request.data.name.name, lp_winbind_separator()); - if (p) { - *p = 0; - name_domain = state->request.data.name.name; - name_user = p+1; - } else { - name_domain = state->request.data.name.dom_name; - name_user = state->request.data.name.name; - } - - DEBUG(3, ("[%5lu]: lookupname %s%s%s\n", (unsigned long)state->pid, - name_domain, lp_winbind_separator(), name_user)); - - /* Lookup name from DC using lsa_lookup_names() */ - if (!winbindd_lookup_sid_by_name(state->mem_ctx, state->request.original_cmd, domain, name_domain, - name_user, &sid, &type)) { - return WINBINDD_ERROR; - } - - sid_to_string(state->response.data.sid.sid, &sid); - state->response.data.sid.type = type; - - return WINBINDD_OK; -} - -BOOL print_sidlist(TALLOC_CTX *mem_ctx, const DOM_SID *sids, - size_t num_sids, char **result, ssize_t *len) -{ - size_t i; - size_t buflen = 0; - - *len = 0; - *result = NULL; - for (i=0; i<num_sids; i++) { - sprintf_append(mem_ctx, result, len, &buflen, - "%s\n", sid_string_static(&sids[i])); - } - - if ((num_sids != 0) && (*result == NULL)) { - return False; - } - - return True; -} - -static BOOL parse_sidlist(TALLOC_CTX *mem_ctx, char *sidstr, - DOM_SID **sids, size_t *num_sids) -{ - char *p, *q; - - p = sidstr; - if (p == NULL) - return False; - - while (p[0] != '\0') { - DOM_SID sid; - q = strchr(p, '\n'); - if (q == NULL) { - DEBUG(0, ("Got invalid sidstr: %s\n", p)); - return False; - } - *q = '\0'; - q += 1; - if (!string_to_sid(&sid, p)) { - DEBUG(0, ("Could not parse sid %s\n", p)); - return False; - } - if (!add_sid_to_array(mem_ctx, &sid, sids, num_sids)) { - return False; - } - p = q; - } - return True; -} - -static BOOL parse_ridlist(TALLOC_CTX *mem_ctx, char *ridstr, - uint32 **rids, size_t *num_rids) -{ - char *p; - - p = ridstr; - if (p == NULL) - return False; - - while (p[0] != '\0') { - uint32 rid; - char *q; - rid = strtoul(p, &q, 10); - if (*q != '\n') { - DEBUG(0, ("Got invalid ridstr: %s\n", p)); - return False; - } - p = q+1; - ADD_TO_ARRAY(mem_ctx, uint32, rid, rids, num_rids); - } - return True; -} - -enum winbindd_result winbindd_dual_lookuprids(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - uint32 *rids = NULL; - size_t i, buflen, num_rids = 0; - ssize_t len; - DOM_SID domain_sid; - char *domain_name; - char **names; - enum lsa_SidType *types; - NTSTATUS status; - char *result; - - DEBUG(10, ("Looking up RIDs for domain %s (%s)\n", - state->request.domain_name, - state->request.data.sid)); - - if (!parse_ridlist(state->mem_ctx, state->request.extra_data.data, - &rids, &num_rids)) { - DEBUG(5, ("Could not parse ridlist\n")); - return WINBINDD_ERROR; - } - - if (!string_to_sid(&domain_sid, state->request.data.sid)) { - DEBUG(5, ("Could not parse domain sid %s\n", - state->request.data.sid)); - return WINBINDD_ERROR; - } - - status = domain->methods->rids_to_names(domain, state->mem_ctx, - &domain_sid, rids, num_rids, - &domain_name, - &names, &types); - - if (!NT_STATUS_IS_OK(status) && - !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) { - return WINBINDD_ERROR; - } - - len = 0; - buflen = 0; - result = NULL; - - for (i=0; i<num_rids; i++) { - sprintf_append(state->mem_ctx, &result, &len, &buflen, - "%d %s\n", types[i], names[i]); - } - - fstrcpy(state->response.data.domain_name, domain_name); - - if (result != NULL) { - state->response.extra_data.data = SMB_STRDUP(result); - if (!state->response.extra_data.data) { - return WINBINDD_ERROR; - } - state->response.length += len+1; - } - - return WINBINDD_OK; -} - -static void getsidaliases_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, - DOM_SID *aliases, size_t num_aliases) = - (void (*)(void *, BOOL, DOM_SID *, size_t))c; - char *aliases_str; - DOM_SID *sids = NULL; - size_t num_sids = 0; - - if (!success) { - DEBUG(5, ("Could not trigger getsidaliases\n")); - cont(private_data, success, NULL, 0); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("getsidaliases returned an error\n")); - cont(private_data, False, NULL, 0); - return; - } - - aliases_str = (char *)response->extra_data.data; - - if (aliases_str == NULL) { - DEBUG(10, ("getsidaliases return 0 SIDs\n")); - cont(private_data, True, NULL, 0); - return; - } - - if (!parse_sidlist(mem_ctx, aliases_str, &sids, &num_sids)) { - DEBUG(0, ("Could not parse sids\n")); - cont(private_data, False, NULL, 0); - return; - } - - SAFE_FREE(response->extra_data.data); - - cont(private_data, True, sids, num_sids); -} - -void winbindd_getsidaliases_async(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sids, size_t num_sids, - void (*cont)(void *private_data, - BOOL success, - const DOM_SID *aliases, - size_t num_aliases), - void *private_data) -{ - struct winbindd_request request; - char *sidstr = NULL; - ssize_t len; - - if (num_sids == 0) { - cont(private_data, True, NULL, 0); - return; - } - - if (!print_sidlist(mem_ctx, sids, num_sids, &sidstr, &len)) { - cont(private_data, False, NULL, 0); - return; - } - - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_GETSIDALIASES; - request.extra_len = len; - request.extra_data.data = sidstr; - - do_async_domain(mem_ctx, domain, &request, getsidaliases_recv, - (void *)cont, private_data); -} - -enum winbindd_result winbindd_dual_getsidaliases(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - DOM_SID *sids = NULL; - size_t num_sids = 0; - char *sidstr = NULL; - ssize_t len; - size_t i; - uint32 num_aliases; - uint32 *alias_rids; - NTSTATUS result; - - DEBUG(3, ("[%5lu]: getsidaliases\n", (unsigned long)state->pid)); - - sidstr = state->request.extra_data.data; - if (sidstr == NULL) { - sidstr = talloc_strdup(state->mem_ctx, "\n"); /* No SID */ - if (!sidstr) { - DEBUG(0, ("Out of memory\n")); - return WINBINDD_ERROR; - } - } - - DEBUG(10, ("Sidlist: %s\n", sidstr)); - - if (!parse_sidlist(state->mem_ctx, sidstr, &sids, &num_sids)) { - DEBUG(0, ("Could not parse SID list: %s\n", sidstr)); - return WINBINDD_ERROR; - } - - num_aliases = 0; - alias_rids = NULL; - - result = domain->methods->lookup_useraliases(domain, - state->mem_ctx, - num_sids, sids, - &num_aliases, - &alias_rids); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(3, ("Could not lookup_useraliases: %s\n", - nt_errstr(result))); - return WINBINDD_ERROR; - } - - num_sids = 0; - sids = NULL; - sidstr = NULL; - - DEBUG(10, ("Got %d aliases\n", num_aliases)); - - for (i=0; i<num_aliases; i++) { - DOM_SID sid; - DEBUGADD(10, (" rid %d\n", alias_rids[i])); - sid_copy(&sid, &domain->sid); - sid_append_rid(&sid, alias_rids[i]); - if (!add_sid_to_array(state->mem_ctx, &sid, &sids, &num_sids)) { - return WINBINDD_ERROR; - } - } - - - if (!print_sidlist(state->mem_ctx, sids, num_sids, &sidstr, &len)) { - DEBUG(0, ("Could not print_sidlist\n")); - state->response.extra_data.data = NULL; - return WINBINDD_ERROR; - } - - state->response.extra_data.data = NULL; - - if (sidstr) { - state->response.extra_data.data = SMB_STRDUP(sidstr); - if (!state->response.extra_data.data) { - DEBUG(0, ("Out of memory\n")); - return WINBINDD_ERROR; - } - DEBUG(10, ("aliases_list: %s\n", - (char *)state->response.extra_data.data)); - state->response.length += len+1; - } - - return WINBINDD_OK; -} - -struct gettoken_state { - TALLOC_CTX *mem_ctx; - DOM_SID user_sid; - struct winbindd_domain *alias_domain; - struct winbindd_domain *local_alias_domain; - struct winbindd_domain *builtin_domain; - DOM_SID *sids; - size_t num_sids; - void (*cont)(void *private_data, BOOL success, DOM_SID *sids, size_t num_sids); - void *private_data; -}; - -static void gettoken_recvdomgroups(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data); -static void gettoken_recvaliases(void *private_data, BOOL success, - const DOM_SID *aliases, - size_t num_aliases); - - -void winbindd_gettoken_async(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, - void (*cont)(void *private_data, BOOL success, - DOM_SID *sids, size_t num_sids), - void *private_data) -{ - struct winbindd_domain *domain; - struct winbindd_request request; - struct gettoken_state *state; - - state = TALLOC_ZERO_P(mem_ctx, struct gettoken_state); - if (state == NULL) { - DEBUG(0, ("talloc failed\n")); - cont(private_data, False, NULL, 0); - return; - } - - state->mem_ctx = mem_ctx; - sid_copy(&state->user_sid, user_sid); - state->alias_domain = find_our_domain(); - state->local_alias_domain = find_domain_from_name( get_global_sam_name() ); - state->builtin_domain = find_builtin_domain(); - state->cont = cont; - state->private_data = private_data; - - domain = find_domain_from_sid_noinit(user_sid); - if (domain == NULL) { - DEBUG(5, ("Could not find domain from SID %s\n", - sid_string_static(user_sid))); - cont(private_data, False, NULL, 0); - return; - } - - ZERO_STRUCT(request); - request.cmd = WINBINDD_GETUSERDOMGROUPS; - fstrcpy(request.data.sid, sid_string_static(user_sid)); - - do_async_domain(mem_ctx, domain, &request, gettoken_recvdomgroups, - NULL, state); -} - -static void gettoken_recvdomgroups(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - struct gettoken_state *state = - talloc_get_type_abort(private_data, struct gettoken_state); - char *sids_str; - - if (!success) { - DEBUG(10, ("Could not get domain groups\n")); - state->cont(state->private_data, False, NULL, 0); - return; - } - - sids_str = (char *)response->extra_data.data; - - if (sids_str == NULL) { - /* This could be normal if we are dealing with a - local user and local groups */ - - if ( !sid_check_is_in_our_domain( &state->user_sid ) ) { - DEBUG(10, ("Received no domain groups\n")); - state->cont(state->private_data, True, NULL, 0); - return; - } - } - - state->sids = NULL; - state->num_sids = 0; - - if (!add_sid_to_array(mem_ctx, &state->user_sid, &state->sids, - &state->num_sids)) { - DEBUG(0, ("Out of memory\n")); - state->cont(state->private_data, False, NULL, 0); - return; - } - - if (sids_str && !parse_sidlist(mem_ctx, sids_str, &state->sids, - &state->num_sids)) { - DEBUG(0, ("Could not parse sids\n")); - state->cont(state->private_data, False, NULL, 0); - return; - } - - SAFE_FREE(response->extra_data.data); - - if (state->alias_domain == NULL) { - DEBUG(10, ("Don't expand domain local groups\n")); - state->cont(state->private_data, True, state->sids, - state->num_sids); - return; - } - - winbindd_getsidaliases_async(state->alias_domain, mem_ctx, - state->sids, state->num_sids, - gettoken_recvaliases, state); -} - -static void gettoken_recvaliases(void *private_data, BOOL success, - const DOM_SID *aliases, - size_t num_aliases) -{ - struct gettoken_state *state = (struct gettoken_state *)private_data; - size_t i; - - if (!success) { - DEBUG(10, ("Could not receive domain local groups\n")); - state->cont(state->private_data, False, NULL, 0); - return; - } - - for (i=0; i<num_aliases; i++) { - if (!add_sid_to_array(state->mem_ctx, &aliases[i], - &state->sids, &state->num_sids)) { - DEBUG(0, ("Out of memory\n")); - state->cont(state->private_data, False, NULL, 0); - return; - } - } - - if (state->local_alias_domain != NULL) { - struct winbindd_domain *local_domain = state->local_alias_domain; - DEBUG(10, ("Expanding our own local groups\n")); - state->local_alias_domain = NULL; - winbindd_getsidaliases_async(local_domain, state->mem_ctx, - state->sids, state->num_sids, - gettoken_recvaliases, state); - return; - } - - if (state->builtin_domain != NULL) { - struct winbindd_domain *builtin_domain = state->builtin_domain; - DEBUG(10, ("Expanding our own BUILTIN groups\n")); - state->builtin_domain = NULL; - winbindd_getsidaliases_async(builtin_domain, state->mem_ctx, - state->sids, state->num_sids, - gettoken_recvaliases, state); - return; - } - - state->cont(state->private_data, True, state->sids, state->num_sids); -} - -static void query_user_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, const char *acct_name, - const char *full_name, const char *homedir, - const char *shell, uint32 gid, uint32 group_rid) = - (void (*)(void *, BOOL, const char *, const char *, - const char *, const char *, uint32, uint32))c; - - if (!success) { - DEBUG(5, ("Could not trigger query_user\n")); - cont(private_data, False, NULL, NULL, NULL, NULL, -1, -1); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("query_user returned an error\n")); - cont(private_data, False, NULL, NULL, NULL, NULL, -1, -1); - return; - } - - cont(private_data, True, response->data.user_info.acct_name, - response->data.user_info.full_name, - response->data.user_info.homedir, - response->data.user_info.shell, - response->data.user_info.primary_gid, - response->data.user_info.group_rid); -} - -void query_user_async(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, - const DOM_SID *sid, - void (*cont)(void *private_data, BOOL success, - const char *acct_name, - const char *full_name, - const char *homedir, - const char *shell, - gid_t gid, - uint32 group_rid), - void *private_data) -{ - struct winbindd_request request; - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_USERINFO; - sid_to_string(request.data.sid, sid); - do_async_domain(mem_ctx, domain, &request, query_user_recv, - (void *)cont, private_data); -} - -/* The following uid2sid/gid2sid functions has been contributed by - * Keith Reynolds <Keith.Reynolds@centrify.com> */ - -static void winbindd_uid2sid_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, const char *sid) = - (void (*)(void *, BOOL, const char *))c; - - if (!success) { - DEBUG(5, ("Could not trigger uid2sid\n")); - cont(private_data, False, NULL); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("uid2sid returned an error\n")); - cont(private_data, False, NULL); - return; - } - - cont(private_data, True, response->data.sid.sid); -} - -void winbindd_uid2sid_async(TALLOC_CTX *mem_ctx, uid_t uid, - void (*cont)(void *private_data, BOOL success, const char *sid), - void *private_data) -{ - struct winbindd_request request; - - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_UID2SID; - request.data.uid = uid; - do_async(mem_ctx, idmap_child(), &request, winbindd_uid2sid_recv, - (void *)cont, private_data); -} - -enum winbindd_result winbindd_dual_uid2sid(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - DOM_SID sid; - NTSTATUS result; - - DEBUG(3,("[%5lu]: uid to sid %lu\n", - (unsigned long)state->pid, - (unsigned long) state->request.data.uid)); - - /* Find sid for this uid and return it, possibly ask the slow remote idmap */ - result = idmap_uid_to_sid(&sid, state->request.data.uid); - - if (NT_STATUS_IS_OK(result)) { - sid_to_string(state->response.data.sid.sid, &sid); - state->response.data.sid.type = SID_NAME_USER; - return WINBINDD_OK; - } - - return WINBINDD_ERROR; -} - -static void winbindd_gid2sid_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ, const char *sid) = - (void (*)(void *, BOOL, const char *))c; - - if (!success) { - DEBUG(5, ("Could not trigger gid2sid\n")); - cont(private_data, False, NULL); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("gid2sid returned an error\n")); - cont(private_data, False, NULL); - return; - } - - cont(private_data, True, response->data.sid.sid); -} - -void winbindd_gid2sid_async(TALLOC_CTX *mem_ctx, gid_t gid, - void (*cont)(void *private_data, BOOL success, const char *sid), - void *private_data) -{ - struct winbindd_request request; - - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_GID2SID; - request.data.gid = gid; - do_async(mem_ctx, idmap_child(), &request, winbindd_gid2sid_recv, - (void *)cont, private_data); -} - -enum winbindd_result winbindd_dual_gid2sid(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - DOM_SID sid; - NTSTATUS result; - - DEBUG(3,("[%5lu]: gid %lu to sid\n", - (unsigned long)state->pid, - (unsigned long) state->request.data.gid)); - - /* Find sid for this gid and return it, possibly ask the slow remote idmap */ - result = idmap_gid_to_sid(&sid, state->request.data.gid); - - if (NT_STATUS_IS_OK(result)) { - sid_to_string(state->response.data.sid.sid, &sid); - DEBUG(10, ("[%5lu]: retrieved sid: %s\n", - (unsigned long)state->pid, - state->response.data.sid.sid)); - state->response.data.sid.type = SID_NAME_DOM_GRP; - return WINBINDD_OK; - } - - return WINBINDD_ERROR; -} - -static void winbindd_dump_id_maps_recv(TALLOC_CTX *mem_ctx, BOOL success, - struct winbindd_response *response, - void *c, void *private_data) -{ - void (*cont)(void *priv, BOOL succ) = - (void (*)(void *, BOOL))c; - - if (!success) { - DEBUG(5, ("Could not trigger a map dump\n")); - cont(private_data, False); - return; - } - - if (response->result != WINBINDD_OK) { - DEBUG(5, ("idmap dump maps returned an error\n")); - cont(private_data, False); - return; - } - - cont(private_data, True); -} - -void winbindd_dump_maps_async(TALLOC_CTX *mem_ctx, void *data, int size, - void (*cont)(void *private_data, BOOL success), - void *private_data) -{ - struct winbindd_request request; - ZERO_STRUCT(request); - request.cmd = WINBINDD_DUAL_DUMP_MAPS; - request.extra_data.data = (char *)data; - request.extra_len = size; - do_async(mem_ctx, idmap_child(), &request, winbindd_dump_id_maps_recv, - (void *)cont, private_data); -} - -enum winbindd_result winbindd_dual_dump_maps(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: dual dump maps\n", (unsigned long)state->pid)); - - idmap_dump_maps((char *)state->request.extra_data.data); - - return WINBINDD_OK; -} - diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c deleted file mode 100644 index e5090dfacf..0000000000 --- a/source3/nsswitch/winbindd_cache.c +++ /dev/null @@ -1,3892 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind cache backend functions - - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Gerald Carter 2003-2007 - Copyright (C) Volker Lendecke 2005 - Copyright (C) Guenther Deschner 2005 - Copyright (C) Michael Adam 2007 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -#define WINBINDD_CACHE_VERSION 1 -#define WINBINDD_CACHE_VERSION_KEYSTR "WINBINDD_CACHE_VERSION" - -extern struct winbindd_methods reconnect_methods; -extern BOOL opt_nocache; -#ifdef HAVE_ADS -extern struct winbindd_methods ads_methods; -#endif - -/* - * JRA. KEEP THIS LIST UP TO DATE IF YOU ADD CACHE ENTRIES. - * Here are the list of entry types that are *not* stored - * as form struct cache_entry in the cache. - */ - -static const char *non_centry_keys[] = { - "SEQNUM/", - "DR/", - "DE/", - "WINBINDD_OFFLINE", - WINBINDD_CACHE_VERSION_KEYSTR, - NULL -}; - -/************************************************************************ - Is this key a non-centry type ? -************************************************************************/ - -static BOOL is_non_centry_key(TDB_DATA kbuf) -{ - int i; - - if (kbuf.dptr == NULL || kbuf.dsize == 0) { - return False; - } - for (i = 0; non_centry_keys[i] != NULL; i++) { - size_t namelen = strlen(non_centry_keys[i]); - if (kbuf.dsize < namelen) { - continue; - } - if (strncmp(non_centry_keys[i], (const char *)kbuf.dptr, namelen) == 0) { - return True; - } - } - return False; -} - -/* Global online/offline state - False when online. winbindd starts up online - and sets this to true if the first query fails and there's an entry in - the cache tdb telling us to stay offline. */ - -static BOOL global_winbindd_offline_state; - -struct winbind_cache { - TDB_CONTEXT *tdb; -}; - -struct cache_entry { - NTSTATUS status; - uint32 sequence_number; - uint8 *data; - uint32 len, ofs; -}; - -void (*smb_panic_fn)(const char *const why) = smb_panic; - -#define WINBINDD_MAX_CACHE_SIZE (50*1024*1024) - -static struct winbind_cache *wcache; - -void winbindd_check_cache_size(time_t t) -{ - static time_t last_check_time; - struct stat st; - - if (last_check_time == (time_t)0) - last_check_time = t; - - if (t - last_check_time < 60 && t - last_check_time > 0) - return; - - if (wcache == NULL || wcache->tdb == NULL) { - DEBUG(0, ("Unable to check size of tdb cache - cache not open !\n")); - return; - } - - if (fstat(tdb_fd(wcache->tdb), &st) == -1) { - DEBUG(0, ("Unable to check size of tdb cache %s!\n", strerror(errno) )); - return; - } - - if (st.st_size > WINBINDD_MAX_CACHE_SIZE) { - DEBUG(10,("flushing cache due to size (%lu) > (%lu)\n", - (unsigned long)st.st_size, - (unsigned long)WINBINDD_MAX_CACHE_SIZE)); - wcache_flush_cache(); - } -} - -/* get the winbind_cache structure */ -static struct winbind_cache *get_cache(struct winbindd_domain *domain) -{ - struct winbind_cache *ret = wcache; - - /* We have to know what type of domain we are dealing with first. */ - - if ( !domain->initialized ) { - init_dc_connection( domain ); - } - - /* - OK. listen up becasue I'm only going to say this once. - We have the following scenarios to consider - (a) trusted AD domains on a Samba DC, - (b) trusted AD domains and we are joined to a non-kerberos domain - (c) trusted AD domains and we are joined to a kerberos (AD) domain - - For (a) we can always contact the trusted domain using krb5 - since we have the domain trust account password - - For (b) we can only use RPC since we have no way of - getting a krb5 ticket in our own domain - - For (c) we can always use krb5 since we have a kerberos trust - - --jerry - */ - - if (!domain->backend) { -#ifdef HAVE_ADS - struct winbindd_domain *our_domain = domain; - - /* find our domain first so we can figure out if we - are joined to a kerberized domain */ - - if ( !domain->primary ) - our_domain = find_our_domain(); - - if ((our_domain->active_directory || IS_DC) - && domain->active_directory - && !lp_winbind_rpc_only()) { - DEBUG(5,("get_cache: Setting ADS methods for domain %s\n", domain->name)); - domain->backend = &ads_methods; - } else { -#endif /* HAVE_ADS */ - DEBUG(5,("get_cache: Setting MS-RPC methods for domain %s\n", domain->name)); - domain->backend = &reconnect_methods; -#ifdef HAVE_ADS - } -#endif /* HAVE_ADS */ - } - - if (ret) - return ret; - - ret = SMB_XMALLOC_P(struct winbind_cache); - ZERO_STRUCTP(ret); - - wcache = ret; - wcache_flush_cache(); - - return ret; -} - -/* - free a centry structure -*/ -static void centry_free(struct cache_entry *centry) -{ - if (!centry) - return; - SAFE_FREE(centry->data); - free(centry); -} - -static BOOL centry_check_bytes(struct cache_entry *centry, size_t nbytes) -{ - if (centry->len - centry->ofs < nbytes) { - DEBUG(0,("centry corruption? needed %u bytes, have %d\n", - (unsigned int)nbytes, - centry->len - centry->ofs)); - return False; - } - return True; -} - -/* - pull a uint32 from a cache entry -*/ -static uint32 centry_uint32(struct cache_entry *centry) -{ - uint32 ret; - - if (!centry_check_bytes(centry, 4)) { - smb_panic_fn("centry_uint32"); - } - ret = IVAL(centry->data, centry->ofs); - centry->ofs += 4; - return ret; -} - -/* - pull a uint16 from a cache entry -*/ -static uint16 centry_uint16(struct cache_entry *centry) -{ - uint16 ret; - if (!centry_check_bytes(centry, 2)) { - smb_panic_fn("centry_uint16"); - } - ret = CVAL(centry->data, centry->ofs); - centry->ofs += 2; - return ret; -} - -/* - pull a uint8 from a cache entry -*/ -static uint8 centry_uint8(struct cache_entry *centry) -{ - uint8 ret; - if (!centry_check_bytes(centry, 1)) { - smb_panic_fn("centry_uint8"); - } - ret = CVAL(centry->data, centry->ofs); - centry->ofs += 1; - return ret; -} - -/* - pull a NTTIME from a cache entry -*/ -static NTTIME centry_nttime(struct cache_entry *centry) -{ - NTTIME ret; - if (!centry_check_bytes(centry, 8)) { - smb_panic_fn("centry_nttime"); - } - ret = IVAL(centry->data, centry->ofs); - centry->ofs += 4; - ret += (uint64_t)IVAL(centry->data, centry->ofs) << 32; - centry->ofs += 4; - return ret; -} - -/* - pull a time_t from a cache entry. time_t stored portably as a 64-bit time. -*/ -static time_t centry_time(struct cache_entry *centry) -{ - return (time_t)centry_nttime(centry); -} - -/* pull a string from a cache entry, using the supplied - talloc context -*/ -static char *centry_string(struct cache_entry *centry, TALLOC_CTX *mem_ctx) -{ - uint32 len; - char *ret; - - len = centry_uint8(centry); - - if (len == 0xFF) { - /* a deliberate NULL string */ - return NULL; - } - - if (!centry_check_bytes(centry, (size_t)len)) { - smb_panic_fn("centry_string"); - } - - ret = TALLOC_ARRAY(mem_ctx, char, len+1); - if (!ret) { - smb_panic_fn("centry_string out of memory\n"); - } - memcpy(ret,centry->data + centry->ofs, len); - ret[len] = 0; - centry->ofs += len; - return ret; -} - -/* pull a hash16 from a cache entry, using the supplied - talloc context -*/ -static char *centry_hash16(struct cache_entry *centry, TALLOC_CTX *mem_ctx) -{ - uint32 len; - char *ret; - - len = centry_uint8(centry); - - if (len != 16) { - DEBUG(0,("centry corruption? hash len (%u) != 16\n", - len )); - return NULL; - } - - if (!centry_check_bytes(centry, 16)) { - return NULL; - } - - ret = TALLOC_ARRAY(mem_ctx, char, 16); - if (!ret) { - smb_panic_fn("centry_hash out of memory\n"); - } - memcpy(ret,centry->data + centry->ofs, 16); - centry->ofs += 16; - return ret; -} - -/* pull a sid from a cache entry, using the supplied - talloc context -*/ -static BOOL centry_sid(struct cache_entry *centry, TALLOC_CTX *mem_ctx, DOM_SID *sid) -{ - char *sid_string; - sid_string = centry_string(centry, mem_ctx); - if ((sid_string == NULL) || (!string_to_sid(sid, sid_string))) { - return False; - } - return True; -} - - -/* - pull a NTSTATUS from a cache entry -*/ -static NTSTATUS centry_ntstatus(struct cache_entry *centry) -{ - NTSTATUS status; - - status = NT_STATUS(centry_uint32(centry)); - return status; -} - - -/* the server is considered down if it can't give us a sequence number */ -static BOOL wcache_server_down(struct winbindd_domain *domain) -{ - BOOL ret; - - if (!wcache->tdb) - return False; - - ret = (domain->sequence_number == DOM_SEQUENCE_NONE); - - if (ret) - DEBUG(10,("wcache_server_down: server for Domain %s down\n", - domain->name )); - return ret; -} - -static NTSTATUS fetch_cache_seqnum( struct winbindd_domain *domain, time_t now ) -{ - TDB_DATA data; - fstring key; - uint32 time_diff; - - if (!wcache->tdb) { - DEBUG(10,("fetch_cache_seqnum: tdb == NULL\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - fstr_sprintf( key, "SEQNUM/%s", domain->name ); - - data = tdb_fetch_bystring( wcache->tdb, key ); - if ( !data.dptr || data.dsize!=8 ) { - DEBUG(10,("fetch_cache_seqnum: invalid data size key [%s]\n", key )); - return NT_STATUS_UNSUCCESSFUL; - } - - domain->sequence_number = IVAL(data.dptr, 0); - domain->last_seq_check = IVAL(data.dptr, 4); - - SAFE_FREE(data.dptr); - - /* have we expired? */ - - time_diff = now - domain->last_seq_check; - if ( time_diff > lp_winbind_cache_time() ) { - DEBUG(10,("fetch_cache_seqnum: timeout [%s][%u @ %u]\n", - domain->name, domain->sequence_number, - (uint32)domain->last_seq_check)); - return NT_STATUS_UNSUCCESSFUL; - } - - DEBUG(10,("fetch_cache_seqnum: success [%s][%u @ %u]\n", - domain->name, domain->sequence_number, - (uint32)domain->last_seq_check)); - - return NT_STATUS_OK; -} - -static NTSTATUS store_cache_seqnum( struct winbindd_domain *domain ) -{ - TDB_DATA data; - fstring key_str; - uint8 buf[8]; - - if (!wcache->tdb) { - DEBUG(10,("store_cache_seqnum: tdb == NULL\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - fstr_sprintf( key_str, "SEQNUM/%s", domain->name ); - - SIVAL(buf, 0, domain->sequence_number); - SIVAL(buf, 4, domain->last_seq_check); - data.dptr = buf; - data.dsize = 8; - - if ( tdb_store_bystring( wcache->tdb, key_str, data, TDB_REPLACE) == -1 ) { - DEBUG(10,("store_cache_seqnum: tdb_store fail key [%s]\n", key_str )); - return NT_STATUS_UNSUCCESSFUL; - } - - DEBUG(10,("store_cache_seqnum: success [%s][%u @ %u]\n", - domain->name, domain->sequence_number, - (uint32)domain->last_seq_check)); - - return NT_STATUS_OK; -} - -/* - refresh the domain sequence number. If force is True - then always refresh it, no matter how recently we fetched it -*/ - -static void refresh_sequence_number(struct winbindd_domain *domain, BOOL force) -{ - NTSTATUS status; - unsigned time_diff; - time_t t = time(NULL); - unsigned cache_time = lp_winbind_cache_time(); - - if ( IS_DOMAIN_OFFLINE(domain) ) { - return; - } - - get_cache( domain ); - -#if 0 /* JERRY -- disable as the default cache time is now 5 minutes */ - /* trying to reconnect is expensive, don't do it too often */ - if (domain->sequence_number == DOM_SEQUENCE_NONE) { - cache_time *= 8; - } -#endif - - time_diff = t - domain->last_seq_check; - - /* see if we have to refetch the domain sequence number */ - if (!force && (time_diff < cache_time)) { - DEBUG(10, ("refresh_sequence_number: %s time ok\n", domain->name)); - goto done; - } - - /* try to get the sequence number from the tdb cache first */ - /* this will update the timestamp as well */ - - status = fetch_cache_seqnum( domain, t ); - if ( NT_STATUS_IS_OK(status) ) - goto done; - - /* important! make sure that we know if this is a native - mode domain or not. And that we can contact it. */ - - if ( winbindd_can_contact_domain( domain ) ) { - status = domain->backend->sequence_number(domain, - &domain->sequence_number); - } else { - /* just use the current time */ - status = NT_STATUS_OK; - domain->sequence_number = time(NULL); - } - - - /* the above call could have set our domain->backend to NULL when - * coming from offline to online mode, make sure to reinitialize the - * backend - Guenther */ - get_cache( domain ); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("refresh_sequence_number: failed with %s\n", nt_errstr(status))); - domain->sequence_number = DOM_SEQUENCE_NONE; - } - - domain->last_status = status; - domain->last_seq_check = time(NULL); - - /* save the new sequence number ni the cache */ - store_cache_seqnum( domain ); - -done: - DEBUG(10, ("refresh_sequence_number: %s seq number is now %d\n", - domain->name, domain->sequence_number)); - - return; -} - -/* - decide if a cache entry has expired -*/ -static BOOL centry_expired(struct winbindd_domain *domain, const char *keystr, struct cache_entry *centry) -{ - /* If we've been told to be offline - stay in that state... */ - if (lp_winbind_offline_logon() && global_winbindd_offline_state) { - DEBUG(10,("centry_expired: Key %s for domain %s valid as winbindd is globally offline.\n", - keystr, domain->name )); - return False; - } - - /* when the domain is offline return the cached entry. - * This deals with transient offline states... */ - - if (!domain->online) { - DEBUG(10,("centry_expired: Key %s for domain %s valid as domain is offline.\n", - keystr, domain->name )); - return False; - } - - /* if the server is OK and our cache entry came from when it was down then - the entry is invalid */ - if ((domain->sequence_number != DOM_SEQUENCE_NONE) && - (centry->sequence_number == DOM_SEQUENCE_NONE)) { - DEBUG(10,("centry_expired: Key %s for domain %s invalid sequence.\n", - keystr, domain->name )); - return True; - } - - /* if the server is down or the cache entry is not older than the - current sequence number then it is OK */ - if (wcache_server_down(domain) || - centry->sequence_number == domain->sequence_number) { - DEBUG(10,("centry_expired: Key %s for domain %s is good.\n", - keystr, domain->name )); - return False; - } - - DEBUG(10,("centry_expired: Key %s for domain %s expired\n", - keystr, domain->name )); - - /* it's expired */ - return True; -} - -static struct cache_entry *wcache_fetch_raw(char *kstr) -{ - TDB_DATA data; - struct cache_entry *centry; - TDB_DATA key; - - key = string_tdb_data(kstr); - data = tdb_fetch(wcache->tdb, key); - if (!data.dptr) { - /* a cache miss */ - return NULL; - } - - centry = SMB_XMALLOC_P(struct cache_entry); - centry->data = (unsigned char *)data.dptr; - centry->len = data.dsize; - centry->ofs = 0; - - if (centry->len < 8) { - /* huh? corrupt cache? */ - DEBUG(10,("wcache_fetch_raw: Corrupt cache for key %s (len < 8) ?\n", kstr)); - centry_free(centry); - return NULL; - } - - centry->status = centry_ntstatus(centry); - centry->sequence_number = centry_uint32(centry); - - return centry; -} - -/* - fetch an entry from the cache, with a varargs key. auto-fetch the sequence - number and return status -*/ -static struct cache_entry *wcache_fetch(struct winbind_cache *cache, - struct winbindd_domain *domain, - const char *format, ...) PRINTF_ATTRIBUTE(3,4); -static struct cache_entry *wcache_fetch(struct winbind_cache *cache, - struct winbindd_domain *domain, - const char *format, ...) -{ - va_list ap; - char *kstr; - struct cache_entry *centry; - - if (opt_nocache) { - return NULL; - } - - refresh_sequence_number(domain, False); - - va_start(ap, format); - smb_xvasprintf(&kstr, format, ap); - va_end(ap); - - centry = wcache_fetch_raw(kstr); - if (centry == NULL) { - free(kstr); - return NULL; - } - - if (centry_expired(domain, kstr, centry)) { - - DEBUG(10,("wcache_fetch: entry %s expired for domain %s\n", - kstr, domain->name )); - - centry_free(centry); - free(kstr); - return NULL; - } - - DEBUG(10,("wcache_fetch: returning entry %s for domain %s\n", - kstr, domain->name )); - - free(kstr); - return centry; -} - -static void wcache_delete(const char *format, ...) PRINTF_ATTRIBUTE(1,2); -static void wcache_delete(const char *format, ...) -{ - va_list ap; - char *kstr; - TDB_DATA key; - - va_start(ap, format); - smb_xvasprintf(&kstr, format, ap); - va_end(ap); - - key = string_tdb_data(kstr); - - tdb_delete(wcache->tdb, key); - free(kstr); -} - -/* - make sure we have at least len bytes available in a centry -*/ -static void centry_expand(struct cache_entry *centry, uint32 len) -{ - if (centry->len - centry->ofs >= len) - return; - centry->len *= 2; - centry->data = SMB_REALLOC_ARRAY(centry->data, unsigned char, - centry->len); - if (!centry->data) { - DEBUG(0,("out of memory: needed %d bytes in centry_expand\n", centry->len)); - smb_panic_fn("out of memory in centry_expand"); - } -} - -/* - push a uint32 into a centry -*/ -static void centry_put_uint32(struct cache_entry *centry, uint32 v) -{ - centry_expand(centry, 4); - SIVAL(centry->data, centry->ofs, v); - centry->ofs += 4; -} - -/* - push a uint16 into a centry -*/ -static void centry_put_uint16(struct cache_entry *centry, uint16 v) -{ - centry_expand(centry, 2); - SIVAL(centry->data, centry->ofs, v); - centry->ofs += 2; -} - -/* - push a uint8 into a centry -*/ -static void centry_put_uint8(struct cache_entry *centry, uint8 v) -{ - centry_expand(centry, 1); - SCVAL(centry->data, centry->ofs, v); - centry->ofs += 1; -} - -/* - push a string into a centry - */ -static void centry_put_string(struct cache_entry *centry, const char *s) -{ - int len; - - if (!s) { - /* null strings are marked as len 0xFFFF */ - centry_put_uint8(centry, 0xFF); - return; - } - - len = strlen(s); - /* can't handle more than 254 char strings. Truncating is probably best */ - if (len > 254) { - DEBUG(10,("centry_put_string: truncating len (%d) to: 254\n", len)); - len = 254; - } - centry_put_uint8(centry, len); - centry_expand(centry, len); - memcpy(centry->data + centry->ofs, s, len); - centry->ofs += len; -} - -/* - push a 16 byte hash into a centry - treat as 16 byte string. - */ -static void centry_put_hash16(struct cache_entry *centry, const uint8 val[16]) -{ - centry_put_uint8(centry, 16); - centry_expand(centry, 16); - memcpy(centry->data + centry->ofs, val, 16); - centry->ofs += 16; -} - -static void centry_put_sid(struct cache_entry *centry, const DOM_SID *sid) -{ - fstring sid_string; - centry_put_string(centry, sid_to_string(sid_string, sid)); -} - - -/* - put NTSTATUS into a centry -*/ -static void centry_put_ntstatus(struct cache_entry *centry, NTSTATUS status) -{ - uint32 status_value = NT_STATUS_V(status); - centry_put_uint32(centry, status_value); -} - - -/* - push a NTTIME into a centry -*/ -static void centry_put_nttime(struct cache_entry *centry, NTTIME nt) -{ - centry_expand(centry, 8); - SIVAL(centry->data, centry->ofs, nt & 0xFFFFFFFF); - centry->ofs += 4; - SIVAL(centry->data, centry->ofs, nt >> 32); - centry->ofs += 4; -} - -/* - push a time_t into a centry - use a 64 bit size. - NTTIME here is being used as a convenient 64-bit size. -*/ -static void centry_put_time(struct cache_entry *centry, time_t t) -{ - NTTIME nt = (NTTIME)t; - centry_put_nttime(centry, nt); -} - -/* - start a centry for output. When finished, call centry_end() -*/ -struct cache_entry *centry_start(struct winbindd_domain *domain, NTSTATUS status) -{ - struct cache_entry *centry; - - if (!wcache->tdb) - return NULL; - - centry = SMB_XMALLOC_P(struct cache_entry); - - centry->len = 8192; /* reasonable default */ - centry->data = SMB_XMALLOC_ARRAY(uint8, centry->len); - centry->ofs = 0; - centry->sequence_number = domain->sequence_number; - centry_put_ntstatus(centry, status); - centry_put_uint32(centry, centry->sequence_number); - return centry; -} - -/* - finish a centry and write it to the tdb -*/ -static void centry_end(struct cache_entry *centry, const char *format, ...) PRINTF_ATTRIBUTE(2,3); -static void centry_end(struct cache_entry *centry, const char *format, ...) -{ - va_list ap; - char *kstr; - TDB_DATA key, data; - - if (opt_nocache) { - return; - } - - va_start(ap, format); - smb_xvasprintf(&kstr, format, ap); - va_end(ap); - - key = string_tdb_data(kstr); - data.dptr = centry->data; - data.dsize = centry->ofs; - - tdb_store(wcache->tdb, key, data, TDB_REPLACE); - free(kstr); -} - -static void wcache_save_name_to_sid(struct winbindd_domain *domain, - NTSTATUS status, const char *domain_name, - const char *name, const DOM_SID *sid, - enum lsa_SidType type) -{ - struct cache_entry *centry; - fstring uname; - - centry = centry_start(domain, status); - if (!centry) - return; - centry_put_uint32(centry, type); - centry_put_sid(centry, sid); - fstrcpy(uname, name); - strupper_m(uname); - centry_end(centry, "NS/%s/%s", domain_name, uname); - DEBUG(10,("wcache_save_name_to_sid: %s\\%s -> %s (%s)\n", domain_name, uname, - sid_string_static(sid), nt_errstr(status))); - centry_free(centry); -} - -static void wcache_save_sid_to_name(struct winbindd_domain *domain, NTSTATUS status, - const DOM_SID *sid, const char *domain_name, const char *name, enum lsa_SidType type) -{ - struct cache_entry *centry; - fstring sid_string; - - centry = centry_start(domain, status); - if (!centry) - return; - - if (NT_STATUS_IS_OK(status)) { - centry_put_uint32(centry, type); - centry_put_string(centry, domain_name); - centry_put_string(centry, name); - } - - centry_end(centry, "SN/%s", sid_to_string(sid_string, sid)); - DEBUG(10,("wcache_save_sid_to_name: %s -> %s (%s)\n", sid_string, - name, nt_errstr(status))); - centry_free(centry); -} - - -static void wcache_save_user(struct winbindd_domain *domain, NTSTATUS status, WINBIND_USERINFO *info) -{ - struct cache_entry *centry; - fstring sid_string; - - if (is_null_sid(&info->user_sid)) { - return; - } - - centry = centry_start(domain, status); - if (!centry) - return; - centry_put_string(centry, info->acct_name); - centry_put_string(centry, info->full_name); - centry_put_string(centry, info->homedir); - centry_put_string(centry, info->shell); - centry_put_uint32(centry, info->primary_gid); - centry_put_sid(centry, &info->user_sid); - centry_put_sid(centry, &info->group_sid); - centry_end(centry, "U/%s", sid_to_string(sid_string, &info->user_sid)); - DEBUG(10,("wcache_save_user: %s (acct_name %s)\n", sid_string, info->acct_name)); - centry_free(centry); -} - -static void wcache_save_lockout_policy(struct winbindd_domain *domain, NTSTATUS status, SAM_UNK_INFO_12 *lockout_policy) -{ - struct cache_entry *centry; - - centry = centry_start(domain, status); - if (!centry) - return; - - centry_put_nttime(centry, lockout_policy->duration); - centry_put_nttime(centry, lockout_policy->reset_count); - centry_put_uint16(centry, lockout_policy->bad_attempt_lockout); - - centry_end(centry, "LOC_POL/%s", domain->name); - - DEBUG(10,("wcache_save_lockout_policy: %s\n", domain->name)); - - centry_free(centry); -} - -static void wcache_save_password_policy(struct winbindd_domain *domain, NTSTATUS status, SAM_UNK_INFO_1 *policy) -{ - struct cache_entry *centry; - - centry = centry_start(domain, status); - if (!centry) - return; - - centry_put_uint16(centry, policy->min_length_password); - centry_put_uint16(centry, policy->password_history); - centry_put_uint32(centry, policy->password_properties); - centry_put_nttime(centry, policy->expire); - centry_put_nttime(centry, policy->min_passwordage); - - centry_end(centry, "PWD_POL/%s", domain->name); - - DEBUG(10,("wcache_save_password_policy: %s\n", domain->name)); - - centry_free(centry); -} - -NTSTATUS wcache_cached_creds_exist(struct winbindd_domain *domain, const DOM_SID *sid) -{ - struct winbind_cache *cache = get_cache(domain); - TDB_DATA data; - fstring key_str; - uint32 rid; - - if (!cache->tdb) { - return NT_STATUS_INTERNAL_DB_ERROR; - } - - if (is_null_sid(sid)) { - return NT_STATUS_INVALID_SID; - } - - if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) { - return NT_STATUS_INVALID_SID; - } - - fstr_sprintf(key_str, "CRED/%s", sid_string_static(sid)); - - data = tdb_fetch(cache->tdb, string_tdb_data(key_str)); - if (!data.dptr) { - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - SAFE_FREE(data.dptr); - return NT_STATUS_OK; -} - -/* Lookup creds for a SID - copes with old (unsalted) creds as well - as new salted ones. */ - -NTSTATUS wcache_get_creds(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - const uint8 **cached_nt_pass, - const uint8 **cached_salt) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - time_t t; - uint32 rid; - - if (!cache->tdb) { - return NT_STATUS_INTERNAL_DB_ERROR; - } - - if (is_null_sid(sid)) { - return NT_STATUS_INVALID_SID; - } - - if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) { - return NT_STATUS_INVALID_SID; - } - - /* Try and get a salted cred first. If we can't - fall back to an unsalted cred. */ - - centry = wcache_fetch(cache, domain, "CRED/%s", sid_string_static(sid)); - if (!centry) { - DEBUG(10,("wcache_get_creds: entry for [CRED/%s] not found\n", - sid_string_static(sid))); - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - t = centry_time(centry); - - /* In the salted case this isn't actually the nt_hash itself, - but the MD5 of the salt + nt_hash. Let the caller - sort this out. It can tell as we only return the cached_salt - if we are returning a salted cred. */ - - *cached_nt_pass = (const uint8 *)centry_hash16(centry, mem_ctx); - if (*cached_nt_pass == NULL) { - const char *sidstr = sid_string_static(sid); - - /* Bad (old) cred cache. Delete and pretend we - don't have it. */ - DEBUG(0,("wcache_get_creds: bad entry for [CRED/%s] - deleting\n", - sidstr)); - wcache_delete("CRED/%s", sidstr); - centry_free(centry); - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - /* We only have 17 bytes more data in the salted cred case. */ - if (centry->len - centry->ofs == 17) { - *cached_salt = (const uint8 *)centry_hash16(centry, mem_ctx); - } else { - *cached_salt = NULL; - } - - dump_data_pw("cached_nt_pass", *cached_nt_pass, NT_HASH_LEN); - if (*cached_salt) { - dump_data_pw("cached_salt", *cached_salt, NT_HASH_LEN); - } - - status = centry->status; - - DEBUG(10,("wcache_get_creds: [Cached] - cached creds for user %s status: %s\n", - sid_string_static(sid), nt_errstr(status) )); - - centry_free(centry); - return status; -} - -/* Store creds for a SID - only writes out new salted ones. */ - -NTSTATUS wcache_save_creds(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - const uint8 nt_pass[NT_HASH_LEN]) -{ - struct cache_entry *centry; - fstring sid_string; - uint32 rid; - uint8 cred_salt[NT_HASH_LEN]; - uint8 salted_hash[NT_HASH_LEN]; - - if (is_null_sid(sid)) { - return NT_STATUS_INVALID_SID; - } - - if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) { - return NT_STATUS_INVALID_SID; - } - - centry = centry_start(domain, NT_STATUS_OK); - if (!centry) { - return NT_STATUS_INTERNAL_DB_ERROR; - } - - dump_data_pw("nt_pass", nt_pass, NT_HASH_LEN); - - centry_put_time(centry, time(NULL)); - - /* Create a salt and then salt the hash. */ - generate_random_buffer(cred_salt, NT_HASH_LEN); - E_md5hash(cred_salt, nt_pass, salted_hash); - - centry_put_hash16(centry, salted_hash); - centry_put_hash16(centry, cred_salt); - centry_end(centry, "CRED/%s", sid_to_string(sid_string, sid)); - - DEBUG(10,("wcache_save_creds: %s\n", sid_string)); - - centry_free(centry); - - return NT_STATUS_OK; -} - - -/* Query display info. This is the basic user list fn */ -static NTSTATUS query_user_list(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - WINBIND_USERINFO **info) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - unsigned int i, retry; - - if (!cache->tdb) - goto do_query; - - centry = wcache_fetch(cache, domain, "UL/%s", domain->name); - if (!centry) - goto do_query; - - *num_entries = centry_uint32(centry); - - if (*num_entries == 0) - goto do_cached; - - (*info) = TALLOC_ARRAY(mem_ctx, WINBIND_USERINFO, *num_entries); - if (! (*info)) { - smb_panic_fn("query_user_list out of memory"); - } - for (i=0; i<(*num_entries); i++) { - (*info)[i].acct_name = centry_string(centry, mem_ctx); - (*info)[i].full_name = centry_string(centry, mem_ctx); - (*info)[i].homedir = centry_string(centry, mem_ctx); - (*info)[i].shell = centry_string(centry, mem_ctx); - centry_sid(centry, mem_ctx, &(*info)[i].user_sid); - centry_sid(centry, mem_ctx, &(*info)[i].group_sid); - } - -do_cached: - status = centry->status; - - DEBUG(10,("query_user_list: [Cached] - cached list for domain %s status: %s\n", - domain->name, nt_errstr(status) )); - - centry_free(centry); - return status; - -do_query: - *num_entries = 0; - *info = NULL; - - /* Return status value returned by seq number check */ - - if (!NT_STATUS_IS_OK(domain->last_status)) - return domain->last_status; - - /* Put the query_user_list() in a retry loop. There appears to be - * some bug either with Windows 2000 or Samba's handling of large - * rpc replies. This manifests itself as sudden disconnection - * at a random point in the enumeration of a large (60k) user list. - * The retry loop simply tries the operation again. )-: It's not - * pretty but an acceptable workaround until we work out what the - * real problem is. */ - - retry = 0; - do { - - DEBUG(10,("query_user_list: [Cached] - doing backend query for list for domain %s\n", - domain->name )); - - status = domain->backend->query_user_list(domain, mem_ctx, num_entries, info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(3, ("query_user_list: returned 0x%08x, " - "retrying\n", NT_STATUS_V(status))); - } - if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)) { - DEBUG(3, ("query_user_list: flushing " - "connection cache\n")); - invalidate_cm_connection(&domain->conn); - } - - } while (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_UNSUCCESSFUL) && - (retry++ < 5)); - - /* and save it */ - refresh_sequence_number(domain, False); - centry = centry_start(domain, status); - if (!centry) - goto skip_save; - centry_put_uint32(centry, *num_entries); - for (i=0; i<(*num_entries); i++) { - centry_put_string(centry, (*info)[i].acct_name); - centry_put_string(centry, (*info)[i].full_name); - centry_put_string(centry, (*info)[i].homedir); - centry_put_string(centry, (*info)[i].shell); - centry_put_sid(centry, &(*info)[i].user_sid); - centry_put_sid(centry, &(*info)[i].group_sid); - if (domain->backend && domain->backend->consistent) { - /* when the backend is consistent we can pre-prime some mappings */ - wcache_save_name_to_sid(domain, NT_STATUS_OK, - domain->name, - (*info)[i].acct_name, - &(*info)[i].user_sid, - SID_NAME_USER); - wcache_save_sid_to_name(domain, NT_STATUS_OK, - &(*info)[i].user_sid, - domain->name, - (*info)[i].acct_name, - SID_NAME_USER); - wcache_save_user(domain, NT_STATUS_OK, &(*info)[i]); - } - } - centry_end(centry, "UL/%s", domain->name); - centry_free(centry); - -skip_save: - return status; -} - -/* list all domain groups */ -static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - unsigned int i; - - if (!cache->tdb) - goto do_query; - - centry = wcache_fetch(cache, domain, "GL/%s/domain", domain->name); - if (!centry) - goto do_query; - - *num_entries = centry_uint32(centry); - - if (*num_entries == 0) - goto do_cached; - - (*info) = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries); - if (! (*info)) { - smb_panic_fn("enum_dom_groups out of memory"); - } - for (i=0; i<(*num_entries); i++) { - fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx)); - fstrcpy((*info)[i].acct_desc, centry_string(centry, mem_ctx)); - (*info)[i].rid = centry_uint32(centry); - } - -do_cached: - status = centry->status; - - DEBUG(10,("enum_dom_groups: [Cached] - cached list for domain %s status: %s\n", - domain->name, nt_errstr(status) )); - - centry_free(centry); - return status; - -do_query: - *num_entries = 0; - *info = NULL; - - /* Return status value returned by seq number check */ - - if (!NT_STATUS_IS_OK(domain->last_status)) - return domain->last_status; - - DEBUG(10,("enum_dom_groups: [Cached] - doing backend query for list for domain %s\n", - domain->name )); - - status = domain->backend->enum_dom_groups(domain, mem_ctx, num_entries, info); - - /* and save it */ - refresh_sequence_number(domain, False); - centry = centry_start(domain, status); - if (!centry) - goto skip_save; - centry_put_uint32(centry, *num_entries); - for (i=0; i<(*num_entries); i++) { - centry_put_string(centry, (*info)[i].acct_name); - centry_put_string(centry, (*info)[i].acct_desc); - centry_put_uint32(centry, (*info)[i].rid); - } - centry_end(centry, "GL/%s/domain", domain->name); - centry_free(centry); - -skip_save: - return status; -} - -/* list all domain groups */ -static NTSTATUS enum_local_groups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - unsigned int i; - - if (!cache->tdb) - goto do_query; - - centry = wcache_fetch(cache, domain, "GL/%s/local", domain->name); - if (!centry) - goto do_query; - - *num_entries = centry_uint32(centry); - - if (*num_entries == 0) - goto do_cached; - - (*info) = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries); - if (! (*info)) { - smb_panic_fn("enum_dom_groups out of memory"); - } - for (i=0; i<(*num_entries); i++) { - fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx)); - fstrcpy((*info)[i].acct_desc, centry_string(centry, mem_ctx)); - (*info)[i].rid = centry_uint32(centry); - } - -do_cached: - - /* If we are returning cached data and the domain controller - is down then we don't know whether the data is up to date - or not. Return NT_STATUS_MORE_PROCESSING_REQUIRED to - indicate this. */ - - if (wcache_server_down(domain)) { - DEBUG(10, ("enum_local_groups: returning cached user list and server was down\n")); - status = NT_STATUS_MORE_PROCESSING_REQUIRED; - } else - status = centry->status; - - DEBUG(10,("enum_local_groups: [Cached] - cached list for domain %s status: %s\n", - domain->name, nt_errstr(status) )); - - centry_free(centry); - return status; - -do_query: - *num_entries = 0; - *info = NULL; - - /* Return status value returned by seq number check */ - - if (!NT_STATUS_IS_OK(domain->last_status)) - return domain->last_status; - - DEBUG(10,("enum_local_groups: [Cached] - doing backend query for list for domain %s\n", - domain->name )); - - status = domain->backend->enum_local_groups(domain, mem_ctx, num_entries, info); - - /* and save it */ - refresh_sequence_number(domain, False); - centry = centry_start(domain, status); - if (!centry) - goto skip_save; - centry_put_uint32(centry, *num_entries); - for (i=0; i<(*num_entries); i++) { - centry_put_string(centry, (*info)[i].acct_name); - centry_put_string(centry, (*info)[i].acct_desc); - centry_put_uint32(centry, (*info)[i].rid); - } - centry_end(centry, "GL/%s/local", domain->name); - centry_free(centry); - -skip_save: - return status; -} - -/* convert a single name to a sid in a domain */ -static NTSTATUS name_to_sid(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - enum winbindd_cmd orig_cmd, - const char *domain_name, - const char *name, - DOM_SID *sid, - enum lsa_SidType *type) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - fstring uname; - - if (!cache->tdb) - goto do_query; - - fstrcpy(uname, name); - strupper_m(uname); - centry = wcache_fetch(cache, domain, "NS/%s/%s", domain_name, uname); - if (!centry) - goto do_query; - - status = centry->status; - if (NT_STATUS_IS_OK(status)) { - *type = (enum lsa_SidType)centry_uint32(centry); - centry_sid(centry, mem_ctx, sid); - } - - DEBUG(10,("name_to_sid: [Cached] - cached name for domain %s status: %s\n", - domain->name, nt_errstr(status) )); - - centry_free(centry); - return status; - -do_query: - ZERO_STRUCTP(sid); - - /* If the seq number check indicated that there is a problem - * with this DC, then return that status... except for - * access_denied. This is special because the dc may be in - * "restrict anonymous = 1" mode, in which case it will deny - * most unauthenticated operations, but *will* allow the LSA - * name-to-sid that we try as a fallback. */ - - if (!(NT_STATUS_IS_OK(domain->last_status) - || NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED))) - return domain->last_status; - - DEBUG(10,("name_to_sid: [Cached] - doing backend query for name for domain %s\n", - domain->name )); - - status = domain->backend->name_to_sid(domain, mem_ctx, orig_cmd, - domain_name, name, sid, type); - - /* and save it */ - refresh_sequence_number(domain, False); - - if (domain->online && - (NT_STATUS_IS_OK(status) || NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED))) { - wcache_save_name_to_sid(domain, status, domain_name, name, sid, *type); - - /* Only save the reverse mapping if this was not a UPN */ - if (!strchr(name, '@')) { - strupper_m(CONST_DISCARD(char *,domain_name)); - strlower_m(CONST_DISCARD(char *,name)); - wcache_save_sid_to_name(domain, status, sid, domain_name, name, *type); - } - } - - return status; -} - -/* convert a sid to a user or group name. The sid is guaranteed to be in the domain - given */ -static NTSTATUS sid_to_name(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - char **domain_name, - char **name, - enum lsa_SidType *type) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - fstring sid_string; - - if (!cache->tdb) - goto do_query; - - centry = wcache_fetch(cache, domain, "SN/%s", sid_to_string(sid_string, sid)); - if (!centry) - goto do_query; - - status = centry->status; - if (NT_STATUS_IS_OK(status)) { - *type = (enum lsa_SidType)centry_uint32(centry); - *domain_name = centry_string(centry, mem_ctx); - *name = centry_string(centry, mem_ctx); - } - - DEBUG(10,("sid_to_name: [Cached] - cached name for domain %s status: %s\n", - domain->name, nt_errstr(status) )); - - centry_free(centry); - return status; - -do_query: - *name = NULL; - *domain_name = NULL; - - /* If the seq number check indicated that there is a problem - * with this DC, then return that status... except for - * access_denied. This is special because the dc may be in - * "restrict anonymous = 1" mode, in which case it will deny - * most unauthenticated operations, but *will* allow the LSA - * sid-to-name that we try as a fallback. */ - - if (!(NT_STATUS_IS_OK(domain->last_status) - || NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED))) - return domain->last_status; - - DEBUG(10,("sid_to_name: [Cached] - doing backend query for name for domain %s\n", - domain->name )); - - status = domain->backend->sid_to_name(domain, mem_ctx, sid, domain_name, name, type); - - /* and save it */ - refresh_sequence_number(domain, False); - wcache_save_sid_to_name(domain, status, sid, *domain_name, *name, *type); - - /* We can't save the name to sid mapping here, as with sid history a - * later name2sid would give the wrong sid. */ - - return status; -} - -static NTSTATUS rids_to_names(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *domain_sid, - uint32 *rids, - size_t num_rids, - char **domain_name, - char ***names, - enum lsa_SidType **types) -{ - struct winbind_cache *cache = get_cache(domain); - size_t i; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - BOOL have_mapped; - BOOL have_unmapped; - - *domain_name = NULL; - *names = NULL; - *types = NULL; - - if (!cache->tdb) { - goto do_query; - } - - if (num_rids == 0) { - return NT_STATUS_OK; - } - - *names = TALLOC_ARRAY(mem_ctx, char *, num_rids); - *types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids); - - if ((*names == NULL) || (*types == NULL)) { - result = NT_STATUS_NO_MEMORY; - goto error; - } - - have_mapped = have_unmapped = False; - - for (i=0; i<num_rids; i++) { - DOM_SID sid; - struct cache_entry *centry; - - if (!sid_compose(&sid, domain_sid, rids[i])) { - result = NT_STATUS_INTERNAL_ERROR; - goto error; - } - - centry = wcache_fetch(cache, domain, "SN/%s", - sid_string_static(&sid)); - if (!centry) { - goto do_query; - } - - (*types)[i] = SID_NAME_UNKNOWN; - (*names)[i] = talloc_strdup(*names, ""); - - if (NT_STATUS_IS_OK(centry->status)) { - char *dom; - have_mapped = True; - (*types)[i] = (enum lsa_SidType)centry_uint32(centry); - - dom = centry_string(centry, mem_ctx); - if (*domain_name == NULL) { - *domain_name = dom; - } else { - talloc_free(dom); - } - - (*names)[i] = centry_string(centry, *names); - - } else if (NT_STATUS_EQUAL(centry->status, NT_STATUS_NONE_MAPPED)) { - have_unmapped = True; - - } else { - /* something's definitely wrong */ - result = centry->status; - goto error; - } - - centry_free(centry); - } - - if (!have_mapped) { - return NT_STATUS_NONE_MAPPED; - } - if (!have_unmapped) { - return NT_STATUS_OK; - } - return STATUS_SOME_UNMAPPED; - - do_query: - - TALLOC_FREE(*names); - TALLOC_FREE(*types); - - result = domain->backend->rids_to_names(domain, mem_ctx, domain_sid, - rids, num_rids, domain_name, - names, types); - - /* - None of the queried rids has been found so save all negative entries - */ - if (NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED)) { - for (i = 0; i < num_rids; i++) { - DOM_SID sid; - const char *name = ""; - const enum lsa_SidType type = SID_NAME_UNKNOWN; - NTSTATUS status = NT_STATUS_NONE_MAPPED; - - if (!sid_compose(&sid, domain_sid, rids[i])) { - return NT_STATUS_INTERNAL_ERROR; - } - - wcache_save_sid_to_name(domain, status, &sid, *domain_name, - name, type); - } - - return result; - } - - /* - Some or all of the queried rids have been found. - */ - if (!NT_STATUS_IS_OK(result) && - !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) { - return result; - } - - refresh_sequence_number(domain, False); - - for (i=0; i<num_rids; i++) { - DOM_SID sid; - NTSTATUS status; - - if (!sid_compose(&sid, domain_sid, rids[i])) { - result = NT_STATUS_INTERNAL_ERROR; - goto error; - } - - status = (*types)[i] == SID_NAME_UNKNOWN ? - NT_STATUS_NONE_MAPPED : NT_STATUS_OK; - - wcache_save_sid_to_name(domain, status, &sid, *domain_name, - (*names)[i], (*types)[i]); - } - - return result; - - error: - - TALLOC_FREE(*names); - TALLOC_FREE(*types); - return result; -} - -/* Lookup user information from a rid */ -static NTSTATUS query_user(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - WINBIND_USERINFO *info) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - - if (!cache->tdb) - goto do_query; - - centry = wcache_fetch(cache, domain, "U/%s", sid_string_static(user_sid)); - - /* If we have an access denied cache entry and a cached info3 in the - samlogon cache then do a query. This will force the rpc back end - to return the info3 data. */ - - if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) && - netsamlogon_cache_have(user_sid)) { - DEBUG(10, ("query_user: cached access denied and have cached info3\n")); - domain->last_status = NT_STATUS_OK; - centry_free(centry); - goto do_query; - } - - if (!centry) - goto do_query; - - /* if status is not ok then this is a negative hit - and the rest of the data doesn't matter */ - status = centry->status; - if (NT_STATUS_IS_OK(status)) { - info->acct_name = centry_string(centry, mem_ctx); - info->full_name = centry_string(centry, mem_ctx); - info->homedir = centry_string(centry, mem_ctx); - info->shell = centry_string(centry, mem_ctx); - info->primary_gid = centry_uint32(centry); - centry_sid(centry, mem_ctx, &info->user_sid); - centry_sid(centry, mem_ctx, &info->group_sid); - } - - DEBUG(10,("query_user: [Cached] - cached info for domain %s status: %s\n", - domain->name, nt_errstr(status) )); - - centry_free(centry); - return status; - -do_query: - ZERO_STRUCTP(info); - - /* Return status value returned by seq number check */ - - if (!NT_STATUS_IS_OK(domain->last_status)) - return domain->last_status; - - DEBUG(10,("query_user: [Cached] - doing backend query for info for domain %s\n", - domain->name )); - - status = domain->backend->query_user(domain, mem_ctx, user_sid, info); - - /* and save it */ - refresh_sequence_number(domain, False); - wcache_save_user(domain, status, info); - - return status; -} - - -/* Lookup groups a user is a member of. */ -static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - uint32 *num_groups, DOM_SID **user_gids) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - unsigned int i; - fstring sid_string; - - if (!cache->tdb) - goto do_query; - - centry = wcache_fetch(cache, domain, "UG/%s", sid_to_string(sid_string, user_sid)); - - /* If we have an access denied cache entry and a cached info3 in the - samlogon cache then do a query. This will force the rpc back end - to return the info3 data. */ - - if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) && - netsamlogon_cache_have(user_sid)) { - DEBUG(10, ("lookup_usergroups: cached access denied and have cached info3\n")); - domain->last_status = NT_STATUS_OK; - centry_free(centry); - goto do_query; - } - - if (!centry) - goto do_query; - - *num_groups = centry_uint32(centry); - - if (*num_groups == 0) - goto do_cached; - - (*user_gids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_groups); - if (! (*user_gids)) { - smb_panic_fn("lookup_usergroups out of memory"); - } - for (i=0; i<(*num_groups); i++) { - centry_sid(centry, mem_ctx, &(*user_gids)[i]); - } - -do_cached: - status = centry->status; - - DEBUG(10,("lookup_usergroups: [Cached] - cached info for domain %s status: %s\n", - domain->name, nt_errstr(status) )); - - centry_free(centry); - return status; - -do_query: - (*num_groups) = 0; - (*user_gids) = NULL; - - /* Return status value returned by seq number check */ - - if (!NT_STATUS_IS_OK(domain->last_status)) - return domain->last_status; - - DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info for domain %s\n", - domain->name )); - - status = domain->backend->lookup_usergroups(domain, mem_ctx, user_sid, num_groups, user_gids); - - if ( NT_STATUS_EQUAL(status, NT_STATUS_SYNCHRONIZATION_REQUIRED) ) - goto skip_save; - - /* and save it */ - refresh_sequence_number(domain, False); - centry = centry_start(domain, status); - if (!centry) - goto skip_save; - - centry_put_uint32(centry, *num_groups); - for (i=0; i<(*num_groups); i++) { - centry_put_sid(centry, &(*user_gids)[i]); - } - - centry_end(centry, "UG/%s", sid_to_string(sid_string, user_sid)); - centry_free(centry); - -skip_save: - return status; -} - -static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 num_sids, const DOM_SID *sids, - uint32 *num_aliases, uint32 **alias_rids) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - char *sidlist = talloc_strdup(mem_ctx, ""); - int i; - - if (!cache->tdb) - goto do_query; - - if (num_sids == 0) { - *num_aliases = 0; - *alias_rids = NULL; - return NT_STATUS_OK; - } - - /* We need to cache indexed by the whole list of SIDs, the aliases - * resulting might come from any of the SIDs. */ - - for (i=0; i<num_sids; i++) { - sidlist = talloc_asprintf(mem_ctx, "%s/%s", sidlist, - sid_string_static(&sids[i])); - if (sidlist == NULL) - return NT_STATUS_NO_MEMORY; - } - - centry = wcache_fetch(cache, domain, "UA%s", sidlist); - - if (!centry) - goto do_query; - - *num_aliases = centry_uint32(centry); - *alias_rids = NULL; - - if (*num_aliases) { - (*alias_rids) = TALLOC_ARRAY(mem_ctx, uint32, *num_aliases); - - if ((*alias_rids) == NULL) { - centry_free(centry); - return NT_STATUS_NO_MEMORY; - } - } else { - (*alias_rids) = NULL; - } - - for (i=0; i<(*num_aliases); i++) - (*alias_rids)[i] = centry_uint32(centry); - - status = centry->status; - - DEBUG(10,("lookup_useraliases: [Cached] - cached info for domain: %s " - "status %s\n", domain->name, nt_errstr(status))); - - centry_free(centry); - return status; - - do_query: - (*num_aliases) = 0; - (*alias_rids) = NULL; - - if (!NT_STATUS_IS_OK(domain->last_status)) - return domain->last_status; - - DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info " - "for domain %s\n", domain->name )); - - status = domain->backend->lookup_useraliases(domain, mem_ctx, - num_sids, sids, - num_aliases, alias_rids); - - /* and save it */ - refresh_sequence_number(domain, False); - centry = centry_start(domain, status); - if (!centry) - goto skip_save; - centry_put_uint32(centry, *num_aliases); - for (i=0; i<(*num_aliases); i++) - centry_put_uint32(centry, (*alias_rids)[i]); - centry_end(centry, "UA%s", sidlist); - centry_free(centry); - - skip_save: - return status; -} - - -static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *group_sid, uint32 *num_names, - DOM_SID **sid_mem, char ***names, - uint32 **name_types) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - unsigned int i; - fstring sid_string; - - if (!cache->tdb) - goto do_query; - - centry = wcache_fetch(cache, domain, "GM/%s", sid_to_string(sid_string, group_sid)); - if (!centry) - goto do_query; - - *num_names = centry_uint32(centry); - - if (*num_names == 0) - goto do_cached; - - (*sid_mem) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_names); - (*names) = TALLOC_ARRAY(mem_ctx, char *, *num_names); - (*name_types) = TALLOC_ARRAY(mem_ctx, uint32, *num_names); - - if (! (*sid_mem) || ! (*names) || ! (*name_types)) { - smb_panic_fn("lookup_groupmem out of memory"); - } - - for (i=0; i<(*num_names); i++) { - centry_sid(centry, mem_ctx, &(*sid_mem)[i]); - (*names)[i] = centry_string(centry, mem_ctx); - (*name_types)[i] = centry_uint32(centry); - } - -do_cached: - status = centry->status; - - DEBUG(10,("lookup_groupmem: [Cached] - cached info for domain %s status: %s\n", - domain->name, nt_errstr(status))); - - centry_free(centry); - return status; - -do_query: - (*num_names) = 0; - (*sid_mem) = NULL; - (*names) = NULL; - (*name_types) = NULL; - - /* Return status value returned by seq number check */ - - if (!NT_STATUS_IS_OK(domain->last_status)) - return domain->last_status; - - DEBUG(10,("lookup_groupmem: [Cached] - doing backend query for info for domain %s\n", - domain->name )); - - status = domain->backend->lookup_groupmem(domain, mem_ctx, group_sid, num_names, - sid_mem, names, name_types); - - /* and save it */ - refresh_sequence_number(domain, False); - centry = centry_start(domain, status); - if (!centry) - goto skip_save; - centry_put_uint32(centry, *num_names); - for (i=0; i<(*num_names); i++) { - centry_put_sid(centry, &(*sid_mem)[i]); - centry_put_string(centry, (*names)[i]); - centry_put_uint32(centry, (*name_types)[i]); - } - centry_end(centry, "GM/%s", sid_to_string(sid_string, group_sid)); - centry_free(centry); - -skip_save: - return status; -} - -/* find the sequence number for a domain */ -static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) -{ - refresh_sequence_number(domain, False); - - *seq = domain->sequence_number; - - return NT_STATUS_OK; -} - -/* enumerate trusted domains - * (we need to have the list of trustdoms in the cache when we go offline) - - * Guenther */ -static NTSTATUS trusted_domains(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_domains, - char ***names, - char ***alt_names, - DOM_SID **dom_sids) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - int i; - - if (!cache->tdb) - goto do_query; - - centry = wcache_fetch(cache, domain, "TRUSTDOMS/%s", domain->name); - - if (!centry) { - goto do_query; - } - - *num_domains = centry_uint32(centry); - - if (*num_domains) { - (*names) = TALLOC_ARRAY(mem_ctx, char *, *num_domains); - (*alt_names) = TALLOC_ARRAY(mem_ctx, char *, *num_domains); - (*dom_sids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_domains); - - if (! (*dom_sids) || ! (*names) || ! (*alt_names)) { - smb_panic_fn("trusted_domains out of memory"); - } - } else { - (*names) = NULL; - (*alt_names) = NULL; - (*dom_sids) = NULL; - } - - for (i=0; i<(*num_domains); i++) { - (*names)[i] = centry_string(centry, mem_ctx); - (*alt_names)[i] = centry_string(centry, mem_ctx); - centry_sid(centry, mem_ctx, &(*dom_sids)[i]); - } - - status = centry->status; - - DEBUG(10,("trusted_domains: [Cached] - cached info for domain %s (%d trusts) status: %s\n", - domain->name, *num_domains, nt_errstr(status) )); - - centry_free(centry); - return status; - -do_query: - (*num_domains) = 0; - (*dom_sids) = NULL; - (*names) = NULL; - (*alt_names) = NULL; - - /* Return status value returned by seq number check */ - - if (!NT_STATUS_IS_OK(domain->last_status)) - return domain->last_status; - - DEBUG(10,("trusted_domains: [Cached] - doing backend query for info for domain %s\n", - domain->name )); - - status = domain->backend->trusted_domains(domain, mem_ctx, num_domains, - names, alt_names, dom_sids); - - /* no trusts gives NT_STATUS_NO_MORE_ENTRIES resetting to NT_STATUS_OK - * so that the generic centry handling still applies correctly - - * Guenther*/ - - if (!NT_STATUS_IS_ERR(status)) { - status = NT_STATUS_OK; - } - - -#if 0 /* Disabled as we want the trust dom list to be managed by - the main parent and always to make the query. --jerry */ - - /* and save it */ - refresh_sequence_number(domain, False); - - centry = centry_start(domain, status); - if (!centry) - goto skip_save; - - centry_put_uint32(centry, *num_domains); - - for (i=0; i<(*num_domains); i++) { - centry_put_string(centry, (*names)[i]); - centry_put_string(centry, (*alt_names)[i]); - centry_put_sid(centry, &(*dom_sids)[i]); - } - - centry_end(centry, "TRUSTDOMS/%s", domain->name); - - centry_free(centry); - -skip_save: -#endif - - return status; -} - -/* get lockout policy */ -static NTSTATUS lockout_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - SAM_UNK_INFO_12 *policy){ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - - if (!cache->tdb) - goto do_query; - - centry = wcache_fetch(cache, domain, "LOC_POL/%s", domain->name); - - if (!centry) - goto do_query; - - policy->duration = centry_nttime(centry); - policy->reset_count = centry_nttime(centry); - policy->bad_attempt_lockout = centry_uint16(centry); - - status = centry->status; - - DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n", - domain->name, nt_errstr(status) )); - - centry_free(centry); - return status; - -do_query: - ZERO_STRUCTP(policy); - - /* Return status value returned by seq number check */ - - if (!NT_STATUS_IS_OK(domain->last_status)) - return domain->last_status; - - DEBUG(10,("lockout_policy: [Cached] - doing backend query for info for domain %s\n", - domain->name )); - - status = domain->backend->lockout_policy(domain, mem_ctx, policy); - - /* and save it */ - refresh_sequence_number(domain, False); - wcache_save_lockout_policy(domain, status, policy); - - return status; -} - -/* get password policy */ -static NTSTATUS password_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - SAM_UNK_INFO_1 *policy) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS status; - - if (!cache->tdb) - goto do_query; - - centry = wcache_fetch(cache, domain, "PWD_POL/%s", domain->name); - - if (!centry) - goto do_query; - - policy->min_length_password = centry_uint16(centry); - policy->password_history = centry_uint16(centry); - policy->password_properties = centry_uint32(centry); - policy->expire = centry_nttime(centry); - policy->min_passwordage = centry_nttime(centry); - - status = centry->status; - - DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n", - domain->name, nt_errstr(status) )); - - centry_free(centry); - return status; - -do_query: - ZERO_STRUCTP(policy); - - /* Return status value returned by seq number check */ - - if (!NT_STATUS_IS_OK(domain->last_status)) - return domain->last_status; - - DEBUG(10,("password_policy: [Cached] - doing backend query for info for domain %s\n", - domain->name )); - - status = domain->backend->password_policy(domain, mem_ctx, policy); - - /* and save it */ - refresh_sequence_number(domain, False); - wcache_save_password_policy(domain, status, policy); - - return status; -} - - -/* Invalidate cached user and group lists coherently */ - -static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, - void *state) -{ - if (strncmp((const char *)kbuf.dptr, "UL/", 3) == 0 || - strncmp((const char *)kbuf.dptr, "GL/", 3) == 0) - tdb_delete(the_tdb, kbuf); - - return 0; -} - -/* Invalidate the getpwnam and getgroups entries for a winbindd domain */ - -void wcache_invalidate_samlogon(struct winbindd_domain *domain, - NET_USER_INFO_3 *info3) -{ - struct winbind_cache *cache; - - /* dont clear cached U/SID and UG/SID entries when we want to logon - * offline - gd */ - - if (lp_winbind_offline_logon()) { - return; - } - - if (!domain) - return; - - cache = get_cache(domain); - netsamlogon_clear_cached_user(cache->tdb, info3); -} - -void wcache_invalidate_cache(void) -{ - struct winbindd_domain *domain; - - for (domain = domain_list(); domain; domain = domain->next) { - struct winbind_cache *cache = get_cache(domain); - - DEBUG(10, ("wcache_invalidate_cache: invalidating cache " - "entries for %s\n", domain->name)); - if (cache) - tdb_traverse(cache->tdb, traverse_fn, NULL); - } -} - -BOOL init_wcache(void) -{ - if (wcache == NULL) { - wcache = SMB_XMALLOC_P(struct winbind_cache); - ZERO_STRUCTP(wcache); - } - - if (wcache->tdb != NULL) - return True; - - /* when working offline we must not clear the cache on restart */ - wcache->tdb = tdb_open_log(lock_path("winbindd_cache.tdb"), - WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE, - lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST), - O_RDWR|O_CREAT, 0600); - - if (wcache->tdb == NULL) { - DEBUG(0,("Failed to open winbindd_cache.tdb!\n")); - return False; - } - - return True; -} - -/************************************************************************ - This is called by the parent to initialize the cache file. - We don't need sophisticated locking here as we know we're the - only opener. -************************************************************************/ - -BOOL initialize_winbindd_cache(void) -{ - BOOL cache_bad = True; - uint32 vers; - - if (!init_wcache()) { - DEBUG(0,("initialize_winbindd_cache: init_wcache failed.\n")); - return False; - } - - /* Check version number. */ - if (tdb_fetch_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, &vers) && - vers == WINBINDD_CACHE_VERSION) { - cache_bad = False; - } - - if (cache_bad) { - DEBUG(0,("initialize_winbindd_cache: clearing cache " - "and re-creating with version number %d\n", - WINBINDD_CACHE_VERSION )); - - tdb_close(wcache->tdb); - wcache->tdb = NULL; - - if (unlink(lock_path("winbindd_cache.tdb")) == -1) { - DEBUG(0,("initialize_winbindd_cache: unlink %s failed %s ", - lock_path("winbindd_cache.tdb"), - strerror(errno) )); - return False; - } - if (!init_wcache()) { - DEBUG(0,("initialize_winbindd_cache: re-initialization " - "init_wcache failed.\n")); - return False; - } - - /* Write the version. */ - if (!tdb_store_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, WINBINDD_CACHE_VERSION)) { - DEBUG(0,("initialize_winbindd_cache: version number store failed %s\n", - tdb_errorstr(wcache->tdb) )); - return False; - } - } - - tdb_close(wcache->tdb); - wcache->tdb = NULL; - return True; -} - -void cache_store_response(pid_t pid, struct winbindd_response *response) -{ - fstring key_str; - - if (!init_wcache()) - return; - - DEBUG(10, ("Storing response for pid %d, len %d\n", - pid, response->length)); - - fstr_sprintf(key_str, "DR/%d", pid); - if (tdb_store(wcache->tdb, string_tdb_data(key_str), - make_tdb_data((uint8 *)response, sizeof(*response)), - TDB_REPLACE) == -1) - return; - - if (response->length == sizeof(*response)) - return; - - /* There's extra data */ - - DEBUG(10, ("Storing extra data: len=%d\n", - (int)(response->length - sizeof(*response)))); - - fstr_sprintf(key_str, "DE/%d", pid); - if (tdb_store(wcache->tdb, string_tdb_data(key_str), - make_tdb_data((uint8 *)response->extra_data.data, - response->length - sizeof(*response)), - TDB_REPLACE) == 0) - return; - - /* We could not store the extra data, make sure the tdb does not - * contain a main record with wrong dangling extra data */ - - fstr_sprintf(key_str, "DR/%d", pid); - tdb_delete(wcache->tdb, string_tdb_data(key_str)); - - return; -} - -BOOL cache_retrieve_response(pid_t pid, struct winbindd_response * response) -{ - TDB_DATA data; - fstring key_str; - - if (!init_wcache()) - return False; - - DEBUG(10, ("Retrieving response for pid %d\n", pid)); - - fstr_sprintf(key_str, "DR/%d", pid); - data = tdb_fetch(wcache->tdb, string_tdb_data(key_str)); - - if (data.dptr == NULL) - return False; - - if (data.dsize != sizeof(*response)) - return False; - - memcpy(response, data.dptr, data.dsize); - SAFE_FREE(data.dptr); - - if (response->length == sizeof(*response)) { - response->extra_data.data = NULL; - return True; - } - - /* There's extra data */ - - DEBUG(10, ("Retrieving extra data length=%d\n", - (int)(response->length - sizeof(*response)))); - - fstr_sprintf(key_str, "DE/%d", pid); - data = tdb_fetch(wcache->tdb, string_tdb_data(key_str)); - - if (data.dptr == NULL) { - DEBUG(0, ("Did not find extra data\n")); - return False; - } - - if (data.dsize != (response->length - sizeof(*response))) { - DEBUG(0, ("Invalid extra data length: %d\n", (int)data.dsize)); - SAFE_FREE(data.dptr); - return False; - } - - dump_data(11, (uint8 *)data.dptr, data.dsize); - - response->extra_data.data = data.dptr; - return True; -} - -void cache_cleanup_response(pid_t pid) -{ - fstring key_str; - - if (!init_wcache()) - return; - - fstr_sprintf(key_str, "DR/%d", pid); - tdb_delete(wcache->tdb, string_tdb_data(key_str)); - - fstr_sprintf(key_str, "DE/%d", pid); - tdb_delete(wcache->tdb, string_tdb_data(key_str)); - - return; -} - - -BOOL lookup_cached_sid(TALLOC_CTX *mem_ctx, const DOM_SID *sid, - char **domain_name, char **name, - enum lsa_SidType *type) -{ - struct winbindd_domain *domain; - struct winbind_cache *cache; - struct cache_entry *centry = NULL; - NTSTATUS status; - - domain = find_lookup_domain_from_sid(sid); - if (domain == NULL) { - return False; - } - - cache = get_cache(domain); - - if (cache->tdb == NULL) { - return False; - } - - centry = wcache_fetch(cache, domain, "SN/%s", sid_string_static(sid)); - if (centry == NULL) { - return False; - } - - if (NT_STATUS_IS_OK(centry->status)) { - *type = (enum lsa_SidType)centry_uint32(centry); - *domain_name = centry_string(centry, mem_ctx); - *name = centry_string(centry, mem_ctx); - } - - status = centry->status; - centry_free(centry); - return NT_STATUS_IS_OK(status); -} - -BOOL lookup_cached_name(TALLOC_CTX *mem_ctx, - const char *domain_name, - const char *name, - DOM_SID *sid, - enum lsa_SidType *type) -{ - struct winbindd_domain *domain; - struct winbind_cache *cache; - struct cache_entry *centry = NULL; - NTSTATUS status; - fstring uname; - BOOL original_online_state; - - domain = find_lookup_domain_from_name(domain_name); - if (domain == NULL) { - return False; - } - - cache = get_cache(domain); - - if (cache->tdb == NULL) { - return False; - } - - fstrcpy(uname, name); - strupper_m(uname); - - /* If we are doing a cached logon, temporarily set the domain - offline so the cache won't expire the entry */ - - original_online_state = domain->online; - domain->online = False; - centry = wcache_fetch(cache, domain, "NS/%s/%s", domain_name, uname); - domain->online = original_online_state; - - if (centry == NULL) { - return False; - } - - if (NT_STATUS_IS_OK(centry->status)) { - *type = (enum lsa_SidType)centry_uint32(centry); - centry_sid(centry, mem_ctx, sid); - } - - status = centry->status; - centry_free(centry); - - return NT_STATUS_IS_OK(status); -} - -void cache_name2sid(struct winbindd_domain *domain, - const char *domain_name, const char *name, - enum lsa_SidType type, const DOM_SID *sid) -{ - refresh_sequence_number(domain, False); - wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name, - sid, type); -} - -/* - * The original idea that this cache only contains centries has - * been blurred - now other stuff gets put in here. Ensure we - * ignore these things on cleanup. - */ - -static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, - TDB_DATA dbuf, void *state) -{ - struct cache_entry *centry; - - if (is_non_centry_key(kbuf)) { - return 0; - } - - centry = wcache_fetch_raw((char *)kbuf.dptr); - if (!centry) { - return 0; - } - - if (!NT_STATUS_IS_OK(centry->status)) { - DEBUG(10,("deleting centry %s\n", (const char *)kbuf.dptr)); - tdb_delete(the_tdb, kbuf); - } - - centry_free(centry); - return 0; -} - -/* flush the cache */ -void wcache_flush_cache(void) -{ - if (!wcache) - return; - if (wcache->tdb) { - tdb_close(wcache->tdb); - wcache->tdb = NULL; - } - if (opt_nocache) - return; - - /* when working offline we must not clear the cache on restart */ - wcache->tdb = tdb_open_log(lock_path("winbindd_cache.tdb"), - WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE, - lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST), - O_RDWR|O_CREAT, 0600); - - if (!wcache->tdb) { - DEBUG(0,("Failed to open winbindd_cache.tdb!\n")); - return; - } - - tdb_traverse(wcache->tdb, traverse_fn_cleanup, NULL); - - DEBUG(10,("wcache_flush_cache success\n")); -} - -/* Count cached creds */ - -static int traverse_fn_cached_creds(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, - void *state) -{ - int *cred_count = (int*)state; - - if (strncmp((const char *)kbuf.dptr, "CRED/", 5) == 0) { - (*cred_count)++; - } - return 0; -} - -NTSTATUS wcache_count_cached_creds(struct winbindd_domain *domain, int *count) -{ - struct winbind_cache *cache = get_cache(domain); - - *count = 0; - - if (!cache->tdb) { - return NT_STATUS_INTERNAL_DB_ERROR; - } - - tdb_traverse(cache->tdb, traverse_fn_cached_creds, (void *)count); - - return NT_STATUS_OK; -} - -struct cred_list { - struct cred_list *prev, *next; - TDB_DATA key; - fstring name; - time_t created; -}; -static struct cred_list *wcache_cred_list; - -static int traverse_fn_get_credlist(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, - void *state) -{ - struct cred_list *cred; - - if (strncmp((const char *)kbuf.dptr, "CRED/", 5) == 0) { - - cred = SMB_MALLOC_P(struct cred_list); - if (cred == NULL) { - DEBUG(0,("traverse_fn_remove_first_creds: failed to malloc new entry for list\n")); - return -1; - } - - ZERO_STRUCTP(cred); - - /* save a copy of the key */ - - fstrcpy(cred->name, (const char *)kbuf.dptr); - DLIST_ADD(wcache_cred_list, cred); - } - - return 0; -} - -NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const DOM_SID *sid) -{ - struct winbind_cache *cache = get_cache(domain); - NTSTATUS status; - int ret; - struct cred_list *cred, *oldest = NULL; - - if (!cache->tdb) { - return NT_STATUS_INTERNAL_DB_ERROR; - } - - /* we possibly already have an entry */ - if (sid && NT_STATUS_IS_OK(wcache_cached_creds_exist(domain, sid))) { - - fstring key_str; - - DEBUG(11,("we already have an entry, deleting that\n")); - - fstr_sprintf(key_str, "CRED/%s", sid_string_static(sid)); - - tdb_delete(cache->tdb, string_tdb_data(key_str)); - - return NT_STATUS_OK; - } - - ret = tdb_traverse(cache->tdb, traverse_fn_get_credlist, NULL); - if (ret == 0) { - return NT_STATUS_OK; - } else if ((ret == -1) || (wcache_cred_list == NULL)) { - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - ZERO_STRUCTP(oldest); - - for (cred = wcache_cred_list; cred; cred = cred->next) { - - TDB_DATA data; - time_t t; - - data = tdb_fetch(cache->tdb, string_tdb_data(cred->name)); - if (!data.dptr) { - DEBUG(10,("wcache_remove_oldest_cached_creds: entry for [%s] not found\n", - cred->name)); - status = NT_STATUS_OBJECT_NAME_NOT_FOUND; - goto done; - } - - t = IVAL(data.dptr, 0); - SAFE_FREE(data.dptr); - - if (!oldest) { - oldest = SMB_MALLOC_P(struct cred_list); - if (oldest == NULL) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - fstrcpy(oldest->name, cred->name); - oldest->created = t; - continue; - } - - if (t < oldest->created) { - fstrcpy(oldest->name, cred->name); - oldest->created = t; - } - } - - if (tdb_delete(cache->tdb, string_tdb_data(oldest->name)) == 0) { - status = NT_STATUS_OK; - } else { - status = NT_STATUS_UNSUCCESSFUL; - } -done: - SAFE_FREE(wcache_cred_list); - SAFE_FREE(oldest); - - return status; -} - -/* Change the global online/offline state. */ -BOOL set_global_winbindd_state_offline(void) -{ - TDB_DATA data; - - DEBUG(10,("set_global_winbindd_state_offline: offline requested.\n")); - - /* Only go offline if someone has created - the key "WINBINDD_OFFLINE" in the cache tdb. */ - - if (wcache == NULL || wcache->tdb == NULL) { - DEBUG(10,("set_global_winbindd_state_offline: wcache not open yet.\n")); - return False; - } - - if (!lp_winbind_offline_logon()) { - DEBUG(10,("set_global_winbindd_state_offline: rejecting.\n")); - return False; - } - - if (global_winbindd_offline_state) { - /* Already offline. */ - return True; - } - - data = tdb_fetch_bystring( wcache->tdb, "WINBINDD_OFFLINE" ); - - if (!data.dptr || data.dsize != 4) { - DEBUG(10,("set_global_winbindd_state_offline: offline state not set.\n")); - SAFE_FREE(data.dptr); - return False; - } else { - DEBUG(10,("set_global_winbindd_state_offline: offline state set.\n")); - global_winbindd_offline_state = True; - SAFE_FREE(data.dptr); - return True; - } -} - -void set_global_winbindd_state_online(void) -{ - DEBUG(10,("set_global_winbindd_state_online: online requested.\n")); - - if (!lp_winbind_offline_logon()) { - DEBUG(10,("set_global_winbindd_state_online: rejecting.\n")); - return; - } - - if (!global_winbindd_offline_state) { - /* Already online. */ - return; - } - global_winbindd_offline_state = False; - - if (!wcache->tdb) { - return; - } - - /* Ensure there is no key "WINBINDD_OFFLINE" in the cache tdb. */ - tdb_delete_bystring(wcache->tdb, "WINBINDD_OFFLINE"); -} - -BOOL get_global_winbindd_state_offline(void) -{ - return global_winbindd_offline_state; -} - -/*********************************************************************** - Validate functions for all possible cache tdb keys. -***********************************************************************/ - -static struct cache_entry *create_centry_validate(const char *kstr, TDB_DATA data, - struct tdb_validation_status *state) -{ - struct cache_entry *centry; - - centry = SMB_XMALLOC_P(struct cache_entry); - centry->data = (unsigned char *)memdup(data.dptr, data.dsize); - if (!centry->data) { - SAFE_FREE(centry); - return NULL; - } - centry->len = data.dsize; - centry->ofs = 0; - - if (centry->len < 8) { - /* huh? corrupt cache? */ - DEBUG(0,("create_centry_validate: Corrupt cache for key %s (len < 8) ?\n", kstr)); - centry_free(centry); - state->bad_entry = True; - state->success = False; - return NULL; - } - - centry->status = NT_STATUS(centry_uint32(centry)); - centry->sequence_number = centry_uint32(centry); - return centry; -} - -static int validate_seqnum(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - if (dbuf.dsize != 8) { - DEBUG(0,("validate_seqnum: Corrupt cache for key %s (len %u != 8) ?\n", - keystr, (unsigned int)dbuf.dsize )); - state->bad_entry = True; - return 1; - } - return 0; -} - -static int validate_ns(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - if (!centry) { - return 1; - } - - (void)centry_uint32(centry); - if (NT_STATUS_IS_OK(centry->status)) { - DOM_SID sid; - (void)centry_sid(centry, mem_ctx, &sid); - } - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_ns: %s ok\n", keystr)); - return 0; -} - -static int validate_sn(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - if (!centry) { - return 1; - } - - if (NT_STATUS_IS_OK(centry->status)) { - (void)centry_uint32(centry); - (void)centry_string(centry, mem_ctx); - (void)centry_string(centry, mem_ctx); - } - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_sn: %s ok\n", keystr)); - return 0; -} - -static int validate_u(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - DOM_SID sid; - - if (!centry) { - return 1; - } - - (void)centry_string(centry, mem_ctx); - (void)centry_string(centry, mem_ctx); - (void)centry_string(centry, mem_ctx); - (void)centry_string(centry, mem_ctx); - (void)centry_uint32(centry); - (void)centry_sid(centry, mem_ctx, &sid); - (void)centry_sid(centry, mem_ctx, &sid); - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_u: %s ok\n", keystr)); - return 0; -} - -static int validate_loc_pol(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - - if (!centry) { - return 1; - } - - (void)centry_nttime(centry); - (void)centry_nttime(centry); - (void)centry_uint16(centry); - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_loc_pol: %s ok\n", keystr)); - return 0; -} - -static int validate_pwd_pol(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - - if (!centry) { - return 1; - } - - (void)centry_uint16(centry); - (void)centry_uint16(centry); - (void)centry_uint32(centry); - (void)centry_nttime(centry); - (void)centry_nttime(centry); - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_pwd_pol: %s ok\n", keystr)); - return 0; -} - -static int validate_cred(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - - if (!centry) { - return 1; - } - - (void)centry_time(centry); - (void)centry_hash16(centry, mem_ctx); - - /* We only have 17 bytes more data in the salted cred case. */ - if (centry->len - centry->ofs == 17) { - (void)centry_hash16(centry, mem_ctx); - } - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_cred: %s ok\n", keystr)); - return 0; -} - -static int validate_ul(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - int32 num_entries, i; - - if (!centry) { - return 1; - } - - num_entries = (int32)centry_uint32(centry); - - for (i=0; i< num_entries; i++) { - DOM_SID sid; - (void)centry_string(centry, mem_ctx); - (void)centry_string(centry, mem_ctx); - (void)centry_string(centry, mem_ctx); - (void)centry_string(centry, mem_ctx); - (void)centry_sid(centry, mem_ctx, &sid); - (void)centry_sid(centry, mem_ctx, &sid); - } - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_ul: %s ok\n", keystr)); - return 0; -} - -static int validate_gl(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - int32 num_entries, i; - - if (!centry) { - return 1; - } - - num_entries = centry_uint32(centry); - - for (i=0; i< num_entries; i++) { - (void)centry_string(centry, mem_ctx); - (void)centry_string(centry, mem_ctx); - (void)centry_uint32(centry); - } - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_gl: %s ok\n", keystr)); - return 0; -} - -static int validate_ug(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - int32 num_groups, i; - - if (!centry) { - return 1; - } - - num_groups = centry_uint32(centry); - - for (i=0; i< num_groups; i++) { - DOM_SID sid; - centry_sid(centry, mem_ctx, &sid); - } - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_ug: %s ok\n", keystr)); - return 0; -} - -static int validate_ua(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - int32 num_aliases, i; - - if (!centry) { - return 1; - } - - num_aliases = centry_uint32(centry); - - for (i=0; i < num_aliases; i++) { - (void)centry_uint32(centry); - } - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_ua: %s ok\n", keystr)); - return 0; -} - -static int validate_gm(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - int32 num_names, i; - - if (!centry) { - return 1; - } - - num_names = centry_uint32(centry); - - for (i=0; i< num_names; i++) { - DOM_SID sid; - centry_sid(centry, mem_ctx, &sid); - (void)centry_string(centry, mem_ctx); - (void)centry_uint32(centry); - } - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_gm: %s ok\n", keystr)); - return 0; -} - -static int validate_dr(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - /* Can't say anything about this other than must be nonzero. */ - if (dbuf.dsize == 0) { - DEBUG(0,("validate_dr: Corrupt cache for key %s (len == 0) ?\n", - keystr)); - state->bad_entry = True; - state->success = False; - return 1; - } - - DEBUG(10,("validate_dr: %s ok\n", keystr)); - return 0; -} - -static int validate_de(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - /* Can't say anything about this other than must be nonzero. */ - if (dbuf.dsize == 0) { - DEBUG(0,("validate_de: Corrupt cache for key %s (len == 0) ?\n", - keystr)); - state->bad_entry = True; - state->success = False; - return 1; - } - - DEBUG(10,("validate_de: %s ok\n", keystr)); - return 0; -} - -static int validate_trustdoms(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - struct cache_entry *centry = create_centry_validate(keystr, dbuf, state); - int32 num_domains, i; - - if (!centry) { - return 1; - } - - num_domains = centry_uint32(centry); - - for (i=0; i< num_domains; i++) { - DOM_SID sid; - (void)centry_string(centry, mem_ctx); - (void)centry_string(centry, mem_ctx); - (void)centry_sid(centry, mem_ctx, &sid); - } - - centry_free(centry); - - if (!(state->success)) { - return 1; - } - DEBUG(10,("validate_trustdoms: %s ok\n", keystr)); - return 0; -} - -static int validate_trustdomcache(TALLOC_CTX *mem_ctx, const char *keystr, - TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - if (dbuf.dsize == 0) { - DEBUG(0, ("validate_trustdomcache: Corrupt cache for " - "key %s (len ==0) ?\n", keystr)); - state->bad_entry = True; - state->success = False; - return 1; - } - - DEBUG(10, ("validate_trustdomcache: %s ok\n", keystr)); - DEBUGADD(10, (" Don't trust me, I am a DUMMY!\n")); - return 0; -} - -static int validate_offline(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - if (dbuf.dsize != 4) { - DEBUG(0,("validate_offline: Corrupt cache for key %s (len %u != 4) ?\n", - keystr, (unsigned int)dbuf.dsize )); - state->bad_entry = True; - state->success = False; - return 1; - } - DEBUG(10,("validate_offline: %s ok\n", keystr)); - return 0; -} - -static int validate_cache_version(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, - struct tdb_validation_status *state) -{ - if (dbuf.dsize != 4) { - DEBUG(0, ("validate_cache_version: Corrupt cache for " - "key %s (len %u != 4) ?\n", - keystr, (unsigned int)dbuf.dsize)); - state->bad_entry = True; - state->success = False; - return 1; - } - - DEBUG(10, ("validate_cache_version: %s ok\n", keystr)); - return 0; -} - -/*********************************************************************** - A list of all possible cache tdb keys with associated validation - functions. -***********************************************************************/ - -struct key_val_struct { - const char *keyname; - int (*validate_data_fn)(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, struct tdb_validation_status* state); -} key_val[] = { - {"SEQNUM/", validate_seqnum}, - {"NS/", validate_ns}, - {"SN/", validate_sn}, - {"U/", validate_u}, - {"LOC_POL/", validate_loc_pol}, - {"PWD_POL/", validate_pwd_pol}, - {"CRED/", validate_cred}, - {"UL/", validate_ul}, - {"GL/", validate_gl}, - {"UG/", validate_ug}, - {"UA", validate_ua}, - {"GM/", validate_gm}, - {"DR/", validate_dr}, - {"DE/", validate_de}, - {"TRUSTDOMS/", validate_trustdoms}, - {"TRUSTDOMCACHE/", validate_trustdomcache}, - {"WINBINDD_OFFLINE", validate_offline}, - {WINBINDD_CACHE_VERSION_KEYSTR, validate_cache_version}, - {NULL, NULL} -}; - -/*********************************************************************** - Function to look at every entry in the tdb and validate it as far as - possible. -***********************************************************************/ - -static int cache_traverse_validate_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, void *state) -{ - int i; - struct tdb_validation_status *v_state = (struct tdb_validation_status *)state; - - /* Paranoia check. */ - if (kbuf.dsize > 1024) { - DEBUG(0,("cache_traverse_validate_fn: key length too large (%u) > 1024\n\n", - (unsigned int)kbuf.dsize )); - return 1; - } - - for (i = 0; key_val[i].keyname; i++) { - size_t namelen = strlen(key_val[i].keyname); - if (kbuf.dsize >= namelen && ( - strncmp(key_val[i].keyname, (const char *)kbuf.dptr, namelen)) == 0) { - TALLOC_CTX *mem_ctx; - char *keystr; - int ret; - - keystr = SMB_MALLOC_ARRAY(char, kbuf.dsize+1); - if (!keystr) { - return 1; - } - memcpy(keystr, kbuf.dptr, kbuf.dsize); - keystr[kbuf.dsize] = '\0'; - - mem_ctx = talloc_init("validate_ctx"); - if (!mem_ctx) { - SAFE_FREE(keystr); - return 1; - } - - ret = key_val[i].validate_data_fn(mem_ctx, keystr, dbuf, - v_state); - - SAFE_FREE(keystr); - talloc_destroy(mem_ctx); - return ret; - } - } - - DEBUG(0,("cache_traverse_validate_fn: unknown cache entry\nkey :\n")); - dump_data(0, (uint8 *)kbuf.dptr, kbuf.dsize); - DEBUG(0,("data :\n")); - dump_data(0, (uint8 *)dbuf.dptr, dbuf.dsize); - v_state->unknown_key = True; - v_state->success = False; - return 1; /* terminate. */ -} - -static void validate_panic(const char *const why) -{ - DEBUG(0,("validating cache: would panic %s\n", why )); - DEBUGADD(0, ("exiting instead (cache validation mode)\n")); - exit(47); -} - -/*********************************************************************** - Try and validate every entry in the winbindd cache. If we fail here, - delete the cache tdb and return non-zero - the caller (main winbindd - function) will restart us as we don't know if we crashed or not. -***********************************************************************/ - -int winbindd_validate_cache(void) -{ - int ret = -1; - const char *tdb_path = lock_path("winbindd_cache.tdb"); - TDB_CONTEXT *tdb = NULL; - - DEBUG(10, ("winbindd_validate_cache: replacing panic function\n")); - smb_panic_fn = validate_panic; - - - tdb = tdb_open_log(tdb_path, - WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE, - ( lp_winbind_offline_logon() - ? TDB_DEFAULT - : TDB_DEFAULT | TDB_CLEAR_IF_FIRST ), - O_RDWR|O_CREAT, - 0600); - if (!tdb) { - DEBUG(0, ("winbindd_validate_cache: " - "error opening/initializing tdb\n")); - goto done; - } - tdb_close(tdb); - - ret = tdb_validate_and_backup(tdb_path, cache_traverse_validate_fn); - - if (ret != 0) { - DEBUG(10, ("winbindd_validate_cache: validation not successful.\n")); - DEBUGADD(10, ("removing tdb %s.\n", tdb_path)); - unlink(tdb_path); - } - -done: - DEBUG(10, ("winbindd_validate_cache: restoring panic function\n")); - smb_panic_fn = smb_panic; - return ret; -} - -/*********************************************************************** - Try and validate every entry in the winbindd cache. -***********************************************************************/ - -int winbindd_validate_cache_nobackup(void) -{ - int ret = -1; - const char *tdb_path = lock_path("winbindd_cache.tdb"); - - DEBUG(10, ("winbindd_validate_cache: replacing panic function\n")); - smb_panic_fn = validate_panic; - - - if (wcache == NULL || wcache->tdb == NULL) { - ret = tdb_validate_open(tdb_path, cache_traverse_validate_fn); - } else { - ret = tdb_validate(wcache->tdb, cache_traverse_validate_fn); - } - - if (ret != 0) { - DEBUG(10, ("winbindd_validate_cache_nobackup: validation not " - "successful.\n")); - } - - DEBUG(10, ("winbindd_validate_cache_nobackup: restoring panic " - "function\n")); - smb_panic_fn = smb_panic; - return ret; -} - -/********************************************************************* - ********************************************************************/ - -static BOOL add_wbdomain_to_tdc_array( struct winbindd_domain *new_dom, - struct winbindd_tdc_domain **domains, - size_t *num_domains ) -{ - struct winbindd_tdc_domain *list = NULL; - size_t idx; - int i; - BOOL set_only = False; - - /* don't allow duplicates */ - - idx = *num_domains; - list = *domains; - - for ( i=0; i< (*num_domains); i++ ) { - if ( strequal( new_dom->name, list[i].domain_name ) ) { - DEBUG(10,("add_wbdomain_to_tdc_array: Found existing record for %s\n", - new_dom->name)); - idx = i; - set_only = True; - - break; - } - } - - if ( !set_only ) { - if ( !*domains ) { - list = TALLOC_ARRAY( NULL, struct winbindd_tdc_domain, 1 ); - idx = 0; - } else { - list = TALLOC_REALLOC_ARRAY( *domains, *domains, - struct winbindd_tdc_domain, - (*num_domains)+1); - idx = *num_domains; - } - - ZERO_STRUCT( list[idx] ); - } - - if ( !list ) - return False; - - list[idx].domain_name = talloc_strdup( list, new_dom->name ); - list[idx].dns_name = talloc_strdup( list, new_dom->alt_name ); - - if ( !is_null_sid( &new_dom->sid ) ) - sid_copy( &list[idx].sid, &new_dom->sid ); - - if ( new_dom->domain_flags != 0x0 ) - list[idx].trust_flags = new_dom->domain_flags; - - if ( new_dom->domain_type != 0x0 ) - list[idx].trust_type = new_dom->domain_type; - - if ( new_dom->domain_trust_attribs != 0x0 ) - list[idx].trust_attribs = new_dom->domain_trust_attribs; - - if ( !set_only ) { - *domains = list; - *num_domains = idx + 1; - } - - return True; -} - -/********************************************************************* - ********************************************************************/ - -static TDB_DATA make_tdc_key( const char *domain_name ) -{ - char *keystr = NULL; - TDB_DATA key = { NULL, 0 }; - - if ( !domain_name ) { - DEBUG(5,("make_tdc_key: Keyname workgroup is NULL!\n")); - return key; - } - - - asprintf( &keystr, "TRUSTDOMCACHE/%s", domain_name ); - key = string_term_tdb_data(keystr); - - return key; -} - -/********************************************************************* - ********************************************************************/ - -static int pack_tdc_domains( struct winbindd_tdc_domain *domains, - size_t num_domains, - unsigned char **buf ) -{ - unsigned char *buffer = NULL; - int len = 0; - int buflen = 0; - int i = 0; - - DEBUG(10,("pack_tdc_domains: Packing %d trusted domains\n", - (int)num_domains)); - - buflen = 0; - - again: - len = 0; - - /* Store the number of array items first */ - len += tdb_pack( buffer+len, buflen-len, "d", - num_domains ); - - /* now pack each domain trust record */ - for ( i=0; i<num_domains; i++ ) { - - if ( buflen > 0 ) { - DEBUG(10,("pack_tdc_domains: Packing domain %s (%s)\n", - domains[i].domain_name, - domains[i].dns_name ? domains[i].dns_name : "UNKNOWN" )); - } - - len += tdb_pack( buffer+len, buflen-len, "fffddd", - domains[i].domain_name, - domains[i].dns_name, - sid_string_static(&domains[i].sid), - domains[i].trust_flags, - domains[i].trust_attribs, - domains[i].trust_type ); - } - - if ( buflen < len ) { - SAFE_FREE(buffer); - if ( (buffer = SMB_MALLOC_ARRAY(unsigned char, len)) == NULL ) { - DEBUG(0,("pack_tdc_domains: failed to alloc buffer!\n")); - buflen = -1; - goto done; - } - buflen = len; - goto again; - } - - *buf = buffer; - - done: - return buflen; -} - -/********************************************************************* - ********************************************************************/ - -static size_t unpack_tdc_domains( unsigned char *buf, int buflen, - struct winbindd_tdc_domain **domains ) -{ - fstring domain_name, dns_name, sid_string; - uint32 type, attribs, flags; - int num_domains; - int len = 0; - int i; - struct winbindd_tdc_domain *list = NULL; - - /* get the number of domains */ - len += tdb_unpack( buf+len, buflen-len, "d", &num_domains); - if ( len == -1 ) { - DEBUG(5,("unpack_tdc_domains: Failed to unpack domain array\n")); - return 0; - } - - list = TALLOC_ARRAY( NULL, struct winbindd_tdc_domain, num_domains ); - if ( !list ) { - DEBUG(0,("unpack_tdc_domains: Failed to talloc() domain list!\n")); - return 0; - } - - for ( i=0; i<num_domains; i++ ) { - len += tdb_unpack( buf+len, buflen-len, "fffddd", - domain_name, - dns_name, - sid_string, - &flags, - &attribs, - &type ); - - if ( len == -1 ) { - DEBUG(5,("unpack_tdc_domains: Failed to unpack domain array\n")); - TALLOC_FREE( list ); - return 0; - } - - DEBUG(11,("unpack_tdc_domains: Unpacking domain %s (%s) " - "SID %s, flags = 0x%x, attribs = 0x%x, type = 0x%x\n", - domain_name, dns_name, sid_string, - flags, attribs, type)); - - list[i].domain_name = talloc_strdup( list, domain_name ); - list[i].dns_name = talloc_strdup( list, dns_name ); - if ( !string_to_sid( &(list[i].sid), sid_string ) ) { - DEBUG(10,("unpack_tdc_domains: no SID for domain %s\n", - domain_name)); - } - list[i].trust_flags = flags; - list[i].trust_attribs = attribs; - list[i].trust_type = type; - } - - *domains = list; - - return num_domains; -} - -/********************************************************************* - ********************************************************************/ - -static BOOL wcache_tdc_store_list( struct winbindd_tdc_domain *domains, size_t num_domains ) -{ - TDB_DATA key = make_tdc_key( lp_workgroup() ); - TDB_DATA data = { NULL, 0 }; - int ret; - - if ( !key.dptr ) - return False; - - /* See if we were asked to delete the cache entry */ - - if ( !domains ) { - ret = tdb_delete( wcache->tdb, key ); - goto done; - } - - data.dsize = pack_tdc_domains( domains, num_domains, &data.dptr ); - - if ( !data.dptr ) { - ret = -1; - goto done; - } - - ret = tdb_store( wcache->tdb, key, data, 0 ); - - done: - SAFE_FREE( data.dptr ); - SAFE_FREE( key.dptr ); - - return ( ret != -1 ); -} - -/********************************************************************* - ********************************************************************/ - -BOOL wcache_tdc_fetch_list( struct winbindd_tdc_domain **domains, size_t *num_domains ) -{ - TDB_DATA key = make_tdc_key( lp_workgroup() ); - TDB_DATA data = { NULL, 0 }; - - *domains = NULL; - *num_domains = 0; - - if ( !key.dptr ) - return False; - - data = tdb_fetch( wcache->tdb, key ); - - SAFE_FREE( key.dptr ); - - if ( !data.dptr ) - return False; - - *num_domains = unpack_tdc_domains( data.dptr, data.dsize, domains ); - - SAFE_FREE( data.dptr ); - - if ( !*domains ) - return False; - - return True; -} - -/********************************************************************* - ********************************************************************/ - -BOOL wcache_tdc_add_domain( struct winbindd_domain *domain ) -{ - struct winbindd_tdc_domain *dom_list = NULL; - size_t num_domains = 0; - BOOL ret = False; - - DEBUG(10,("wcache_tdc_add_domain: Adding domain %s (%s), SID %s, " - "flags = 0x%x, attributes = 0x%x, type = 0x%x\n", - domain->name, domain->alt_name, - sid_string_static(&domain->sid), - domain->domain_flags, - domain->domain_trust_attribs, - domain->domain_type)); - - if ( !init_wcache() ) { - return False; - } - - /* fetch the list */ - - wcache_tdc_fetch_list( &dom_list, &num_domains ); - - /* add the new domain */ - - if ( !add_wbdomain_to_tdc_array( domain, &dom_list, &num_domains ) ) { - goto done; - } - - /* pack the domain */ - - if ( !wcache_tdc_store_list( dom_list, num_domains ) ) { - goto done; - } - - /* Success */ - - ret = True; - done: - TALLOC_FREE( dom_list ); - - return ret; -} - -/********************************************************************* - ********************************************************************/ - -struct winbindd_tdc_domain * wcache_tdc_fetch_domain( TALLOC_CTX *ctx, const char *name ) -{ - struct winbindd_tdc_domain *dom_list = NULL; - size_t num_domains = 0; - int i; - struct winbindd_tdc_domain *d = NULL; - - DEBUG(10,("wcache_tdc_fetch_domain: Searching for domain %s\n", name)); - - if ( !init_wcache() ) { - return False; - } - - /* fetch the list */ - - wcache_tdc_fetch_list( &dom_list, &num_domains ); - - for ( i=0; i<num_domains; i++ ) { - if ( strequal(name, dom_list[i].domain_name) || - strequal(name, dom_list[i].dns_name) ) - { - DEBUG(10,("wcache_tdc_fetch_domain: Found domain %s\n", - name)); - - d = TALLOC_P( ctx, struct winbindd_tdc_domain ); - if ( !d ) - break; - - d->domain_name = talloc_strdup( d, dom_list[i].domain_name ); - d->dns_name = talloc_strdup( d, dom_list[i].dns_name ); - sid_copy( &d->sid, &dom_list[i].sid ); - d->trust_flags = dom_list[i].trust_flags; - d->trust_type = dom_list[i].trust_type; - d->trust_attribs = dom_list[i].trust_attribs; - - break; - } - } - - TALLOC_FREE( dom_list ); - - return d; -} - - -/********************************************************************* - ********************************************************************/ - -void wcache_tdc_clear( void ) -{ - if ( !init_wcache() ) - return; - - wcache_tdc_store_list( NULL, 0 ); - - return; -} - - -/********************************************************************* - ********************************************************************/ - -static void wcache_save_user_pwinfo(struct winbindd_domain *domain, - NTSTATUS status, - const DOM_SID *user_sid, - const char *homedir, - const char *shell, - const char *gecos, - uint32 gid) -{ - struct cache_entry *centry; - - if ( (centry = centry_start(domain, status)) == NULL ) - return; - - centry_put_string( centry, homedir ); - centry_put_string( centry, shell ); - centry_put_string( centry, gecos ); - centry_put_uint32( centry, gid ); - - centry_end(centry, "NSS/PWINFO/%s", sid_string_static(user_sid) ); - - DEBUG(10,("wcache_save_user_pwinfo: %s\n", sid_string_static(user_sid) )); - - centry_free(centry); -} - -NTSTATUS nss_get_info_cached( struct winbindd_domain *domain, - const DOM_SID *user_sid, - TALLOC_CTX *ctx, - ADS_STRUCT *ads, LDAPMessage *msg, - char **homedir, char **shell, char **gecos, - gid_t *p_gid) -{ - struct winbind_cache *cache = get_cache(domain); - struct cache_entry *centry = NULL; - NTSTATUS nt_status; - - if (!cache->tdb) - goto do_query; - - centry = wcache_fetch(cache, domain, "NSS/PWINFO/%s", sid_string_static(user_sid)); - - if (!centry) - goto do_query; - - *homedir = centry_string( centry, ctx ); - *shell = centry_string( centry, ctx ); - *gecos = centry_string( centry, ctx ); - *p_gid = centry_uint32( centry ); - - centry_free(centry); - - DEBUG(10,("nss_get_info_cached: [Cached] - user_sid %s\n", - sid_string_static(user_sid))); - - return NT_STATUS_OK; - -do_query: - - nt_status = nss_get_info( domain->name, user_sid, ctx, ads, msg, - homedir, shell, gecos, p_gid ); - - if ( NT_STATUS_IS_OK(nt_status) ) { - wcache_save_user_pwinfo( domain, nt_status, user_sid, - *homedir, *shell, *gecos, *p_gid ); - } - - if ( NT_STATUS_EQUAL( nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND ) ) { - DEBUG(5,("nss_get_info_cached: Setting domain %s offline\n", - domain->name )); - set_domain_offline( domain ); - } - - return nt_status; -} - - -/* the cache backend methods are exposed via this structure */ -struct winbindd_methods cache_methods = { - True, - query_user_list, - enum_dom_groups, - enum_local_groups, - name_to_sid, - sid_to_name, - rids_to_names, - query_user, - lookup_usergroups, - lookup_useraliases, - lookup_groupmem, - sequence_number, - lockout_policy, - password_policy, - trusted_domains -}; diff --git a/source3/nsswitch/winbindd_ccache_access.c b/source3/nsswitch/winbindd_ccache_access.c deleted file mode 100644 index 99c5c0c4d1..0000000000 --- a/source3/nsswitch/winbindd_ccache_access.c +++ /dev/null @@ -1,283 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon - cached credentials funcions - - Copyright (C) Robert O'Callahan 2006 - Copyright (C) Jeremy Allison 2006 (minor fixes to fit into Samba and - protect against integer wrap). - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -static BOOL client_can_access_ccache_entry(uid_t client_uid, - struct WINBINDD_MEMORY_CREDS *entry) -{ - if (client_uid == entry->uid || client_uid == 0) { - DEBUG(10, ("Access granted to uid %d\n", client_uid)); - return True; - } - - DEBUG(1, ("Access denied to uid %d (expected %d)\n", client_uid, entry->uid)); - return False; -} - -static NTSTATUS do_ntlm_auth_with_hashes(const char *username, - const char *domain, - const unsigned char lm_hash[LM_HASH_LEN], - const unsigned char nt_hash[NT_HASH_LEN], - const DATA_BLOB initial_msg, - const DATA_BLOB challenge_msg, - DATA_BLOB *auth_msg) -{ - NTSTATUS status; - NTLMSSP_STATE *ntlmssp_state = NULL; - DATA_BLOB dummy_msg, reply; - - status = ntlmssp_client_start(&ntlmssp_state); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Could not start NTLMSSP client: %s\n", - nt_errstr(status))); - goto done; - } - - status = ntlmssp_set_username(ntlmssp_state, username); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Could not set username: %s\n", - nt_errstr(status))); - goto done; - } - - status = ntlmssp_set_domain(ntlmssp_state, domain); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Could not set domain: %s\n", - nt_errstr(status))); - goto done; - } - - status = ntlmssp_set_hashes(ntlmssp_state, lm_hash, nt_hash); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Could not set hashes: %s\n", - nt_errstr(status))); - goto done; - } - - /* We need to get our protocol handler into the right state. So first - we ask it to generate the initial message. Actually the client has already - sent its own initial message, so we're going to drop this one on the floor. - The client might have sent a different message, for example with different - negotiation options, but as far as I can tell this won't hurt us. (Unless - the client sent a different username or domain, in which case that's their - problem for telling us the wrong username or domain.) - Since we have a copy of the initial message that the client sent, we could - resolve any discrepancies if we had to. - */ - dummy_msg = data_blob_null; - reply = data_blob_null; - status = ntlmssp_update(ntlmssp_state, dummy_msg, &reply); - data_blob_free(&dummy_msg); - data_blob_free(&reply); - - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(1, ("Failed to create initial message! [%s]\n", - nt_errstr(status))); - goto done; - } - - /* Now we are ready to handle the server's actual response. */ - status = ntlmssp_update(ntlmssp_state, challenge_msg, &reply); - - if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) { - DEBUG(1, ("We didn't get a response to the challenge! [%s]\n", - nt_errstr(status))); - data_blob_free(&reply); - goto done; - } - *auth_msg = reply; - status = NT_STATUS_OK; - -done: - ntlmssp_end(&ntlmssp_state); - return status; -} - -static BOOL check_client_uid(struct winbindd_cli_state *state, uid_t uid) -{ - int ret; - uid_t ret_uid; - - ret_uid = (uid_t)-1; - - ret = sys_getpeereid(state->sock, &ret_uid); - if (ret != 0) { - DEBUG(1, ("check_client_uid: Could not get socket peer uid: %s; " - "denying access\n", strerror(errno))); - return False; - } - - if (uid != ret_uid) { - DEBUG(1, ("check_client_uid: Client lied about its uid: said %d, " - "actually was %d; denying access\n", - uid, ret_uid)); - return False; - } - - return True; -} - -void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain; - fstring name_domain, name_user; - - /* Ensure null termination */ - state->request.data.ccache_ntlm_auth.user[ - sizeof(state->request.data.ccache_ntlm_auth.user)-1]='\0'; - - DEBUG(3, ("[%5lu]: perform NTLM auth on behalf of user %s\n", (unsigned long)state->pid, - state->request.data.ccache_ntlm_auth.user)); - - /* Parse domain and username */ - - if (!canonicalize_username(state->request.data.ccache_ntlm_auth.user, - name_domain, name_user)) { - DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n", - state->request.data.ccache_ntlm_auth.user)); - request_error(state); - return; - } - - domain = find_auth_domain(state, name_domain); - - if (domain == NULL) { - DEBUG(5,("winbindd_ccache_ntlm_auth: can't get domain [%s]\n", - name_domain)); - request_error(state); - return; - } - - if (!check_client_uid(state, state->request.data.ccache_ntlm_auth.uid)) { - request_error(state); - return; - } - - sendto_domain(state, domain); -} - -enum winbindd_result winbindd_dual_ccache_ntlm_auth(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - NTSTATUS result = NT_STATUS_NOT_SUPPORTED; - struct WINBINDD_MEMORY_CREDS *entry; - DATA_BLOB initial, challenge, auth; - fstring name_domain, name_user; - uint32 initial_blob_len, challenge_blob_len, extra_len; - - /* Ensure null termination */ - state->request.data.ccache_ntlm_auth.user[ - sizeof(state->request.data.ccache_ntlm_auth.user)-1]='\0'; - - DEBUG(3, ("winbindd_dual_ccache_ntlm_auth: [%5lu]: perform NTLM auth on " - "behalf of user %s (dual)\n", (unsigned long)state->pid, - state->request.data.ccache_ntlm_auth.user)); - - /* validate blob lengths */ - initial_blob_len = state->request.data.ccache_ntlm_auth.initial_blob_len; - challenge_blob_len = state->request.data.ccache_ntlm_auth.challenge_blob_len; - extra_len = state->request.extra_len; - - if (initial_blob_len > extra_len || challenge_blob_len > extra_len || - initial_blob_len + challenge_blob_len > extra_len || - initial_blob_len + challenge_blob_len < initial_blob_len || - initial_blob_len + challenge_blob_len < challenge_blob_len) { - - DEBUG(10,("winbindd_dual_ccache_ntlm_auth: blob lengths overrun " - "or wrap. Buffer [%d+%d > %d]\n", - initial_blob_len, - challenge_blob_len, - extra_len)); - goto process_result; - } - - /* Parse domain and username */ - if (!parse_domain_user(state->request.data.ccache_ntlm_auth.user, name_domain, name_user)) { - DEBUG(10,("winbindd_dual_ccache_ntlm_auth: cannot parse " - "domain and user from name [%s]\n", - state->request.data.ccache_ntlm_auth.user)); - goto process_result; - } - - entry = find_memory_creds_by_name(state->request.data.ccache_ntlm_auth.user); - if (entry == NULL || entry->nt_hash == NULL || entry->lm_hash == NULL) { - DEBUG(10,("winbindd_dual_ccache_ntlm_auth: could not find " - "credentials for user %s\n", - state->request.data.ccache_ntlm_auth.user)); - goto process_result; - } - - DEBUG(10,("winbindd_dual_ccache_ntlm_auth: found ccache [%s]\n", entry->username)); - - if (!client_can_access_ccache_entry(state->request.data.ccache_ntlm_auth.uid, entry)) { - goto process_result; - } - - if (initial_blob_len == 0 && challenge_blob_len == 0) { - /* this is just a probe to see if credentials are available. */ - result = NT_STATUS_OK; - state->response.data.ccache_ntlm_auth.auth_blob_len = 0; - goto process_result; - } - - initial = data_blob(state->request.extra_data.data, initial_blob_len); - challenge = data_blob(state->request.extra_data.data + initial_blob_len, - state->request.data.ccache_ntlm_auth.challenge_blob_len); - - if (!initial.data || !challenge.data) { - result = NT_STATUS_NO_MEMORY; - } else { - result = do_ntlm_auth_with_hashes(name_user, name_domain, - entry->lm_hash, entry->nt_hash, - initial, challenge, &auth); - } - - data_blob_free(&initial); - data_blob_free(&challenge); - - if (!NT_STATUS_IS_OK(result)) { - goto process_result; - } - - state->response.extra_data.data = smb_xmemdup(auth.data, auth.length); - if (!state->response.extra_data.data) { - result = NT_STATUS_NO_MEMORY; - goto process_result; - } - state->response.length += auth.length; - state->response.data.ccache_ntlm_auth.auth_blob_len = auth.length; - - data_blob_free(&auth); - - process_result: - return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; -} diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c deleted file mode 100644 index 9ffb3dfb23..0000000000 --- a/source3/nsswitch/winbindd_cm.c +++ /dev/null @@ -1,2271 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon connection manager - - Copyright (C) Tim Potter 2001 - Copyright (C) Andrew Bartlett 2002 - Copyright (C) Gerald (Jerry) Carter 2003-2005. - Copyright (C) Volker Lendecke 2004-2005 - Copyright (C) Jeremy Allison 2006 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -/* - We need to manage connections to domain controllers without having to - mess up the main winbindd code with other issues. The aim of the - connection manager is to: - - - make connections to domain controllers and cache them - - re-establish connections when networks or servers go down - - centralise the policy on connection timeouts, domain controller - selection etc - - manage re-entrancy for when winbindd becomes able to handle - multiple outstanding rpc requests - - Why not have connection management as part of the rpc layer like tng? - Good question. This code may morph into libsmb/rpc_cache.c or something - like that but at the moment it's simply staying as part of winbind. I - think the TNG architecture of forcing every user of the rpc layer to use - the connection caching system is a bad idea. It should be an optional - method of using the routines. - - The TNG design is quite good but I disagree with some aspects of the - implementation. -tpot - - */ - -/* - TODO: - - - I'm pretty annoyed by all the make_nmb_name() stuff. It should be - moved down into another function. - - - Take care when destroying cli_structs as they can be shared between - various sam handles. - - */ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -struct dc_name_ip { - fstring name; - struct in_addr ip; -}; - -extern struct winbindd_methods reconnect_methods; -extern BOOL override_logfile; - -static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain); -static void set_dc_type_and_flags( struct winbindd_domain *domain ); -static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain, - struct dc_name_ip **dcs, int *num_dcs); - -/**************************************************************** - Child failed to find DC's. Reschedule check. -****************************************************************/ - -static void msg_failed_to_go_online(struct messaging_context *msg, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - struct winbindd_domain *domain; - const char *domainname = (const char *)data->data; - - if (data->data == NULL || data->length == 0) { - return; - } - - DEBUG(5,("msg_fail_to_go_online: received for domain %s.\n", domainname)); - - for (domain = domain_list(); domain; domain = domain->next) { - if (domain->internal) { - continue; - } - - if (strequal(domain->name, domainname)) { - if (domain->online) { - /* We're already online, ignore. */ - DEBUG(5,("msg_fail_to_go_online: domain %s " - "already online.\n", domainname)); - continue; - } - - /* Reschedule the online check. */ - set_domain_offline(domain); - break; - } - } -} - -/**************************************************************** - Actually cause a reconnect from a message. -****************************************************************/ - -static void msg_try_to_go_online(struct messaging_context *msg, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - struct winbindd_domain *domain; - const char *domainname = (const char *)data->data; - - if (data->data == NULL || data->length == 0) { - return; - } - - DEBUG(5,("msg_try_to_go_online: received for domain %s.\n", domainname)); - - for (domain = domain_list(); domain; domain = domain->next) { - if (domain->internal) { - continue; - } - - if (strequal(domain->name, domainname)) { - - if (domain->online) { - /* We're already online, ignore. */ - DEBUG(5,("msg_try_to_go_online: domain %s " - "already online.\n", domainname)); - continue; - } - - /* This call takes care of setting the online - flag to true if we connected, or re-adding - the offline handler if false. Bypasses online - check so always does network calls. */ - - init_dc_connection_network(domain); - break; - } - } -} - -/**************************************************************** - Fork a child to try and contact a DC. Do this as contacting a - DC requires blocking lookups and we don't want to block our - parent. -****************************************************************/ - -static BOOL fork_child_dc_connect(struct winbindd_domain *domain) -{ - struct dc_name_ip *dcs = NULL; - int num_dcs = 0; - TALLOC_CTX *mem_ctx = NULL; - pid_t child_pid; - pid_t parent_pid = sys_getpid(); - - /* Stop zombies */ - CatchChild(); - - child_pid = sys_fork(); - - if (child_pid == -1) { - DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno))); - return False; - } - - if (child_pid != 0) { - /* Parent */ - messaging_register(winbind_messaging_context(), NULL, - MSG_WINBIND_TRY_TO_GO_ONLINE, - msg_try_to_go_online); - messaging_register(winbind_messaging_context(), NULL, - MSG_WINBIND_FAILED_TO_GO_ONLINE, - msg_failed_to_go_online); - return True; - } - - /* Child. */ - - /* Leave messages blocked - we will never process one. */ - - /* tdb needs special fork handling */ - if (tdb_reopen_all(1) == -1) { - DEBUG(0,("tdb_reopen_all failed.\n")); - _exit(0); - } - - close_conns_after_fork(); - - if (!override_logfile) { - pstring logfile; - pstr_sprintf(logfile, "%s/log.winbindd-dc-connect", dyn_LOGFILEBASE); - lp_set_logfile(logfile); - reopen_logs(); - } - - mem_ctx = talloc_init("fork_child_dc_connect"); - if (!mem_ctx) { - DEBUG(0,("talloc_init failed.\n")); - _exit(0); - } - - if ((!get_dcs(mem_ctx, domain, &dcs, &num_dcs)) || (num_dcs == 0)) { - /* Still offline ? Can't find DC's. */ - messaging_send_buf(winbind_messaging_context(), - pid_to_procid(parent_pid), - MSG_WINBIND_FAILED_TO_GO_ONLINE, - (uint8 *)domain->name, - strlen(domain->name)+1); - _exit(0); - } - - /* We got a DC. Send a message to our parent to get it to - try and do the same. */ - - messaging_send_buf(winbind_messaging_context(), - pid_to_procid(parent_pid), - MSG_WINBIND_TRY_TO_GO_ONLINE, - (uint8 *)domain->name, - strlen(domain->name)+1); - _exit(0); -} - -/**************************************************************** - Handler triggered if we're offline to try and detect a DC. -****************************************************************/ - -static void check_domain_online_handler(struct event_context *ctx, - struct timed_event *te, - const struct timeval *now, - void *private_data) -{ - struct winbindd_domain *domain = - (struct winbindd_domain *)private_data; - - DEBUG(10,("check_domain_online_handler: called for domain " - "%s (online = %s)\n", domain->name, - domain->online ? "True" : "False" )); - - TALLOC_FREE(domain->check_online_event); - - /* Are we still in "startup" mode ? */ - - if (domain->startup && (now->tv_sec > domain->startup_time + 30)) { - /* No longer in "startup" mode. */ - DEBUG(10,("check_domain_online_handler: domain %s no longer in 'startup' mode.\n", - domain->name )); - domain->startup = False; - } - - /* We've been told to stay offline, so stay - that way. */ - - if (get_global_winbindd_state_offline()) { - DEBUG(10,("check_domain_online_handler: domain %s remaining globally offline\n", - domain->name )); - return; - } - - /* Fork a child to test if it can contact a DC. - If it can then send ourselves a message to - cause a reconnect. */ - - fork_child_dc_connect(domain); -} - -/**************************************************************** - If we're still offline setup the timeout check. -****************************************************************/ - -static void calc_new_online_timeout_check(struct winbindd_domain *domain) -{ - int wbc = lp_winbind_cache_time(); - - if (domain->startup) { - domain->check_online_timeout = 10; - } else if (domain->check_online_timeout < wbc) { - domain->check_online_timeout = wbc; - } -} - -/**************************************************************** - Set domain offline and also add handler to put us back online - if we detect a DC. -****************************************************************/ - -void set_domain_offline(struct winbindd_domain *domain) -{ - DEBUG(10,("set_domain_offline: called for domain %s\n", - domain->name )); - - TALLOC_FREE(domain->check_online_event); - - if (domain->internal) { - DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n", - domain->name )); - return; - } - - domain->online = False; - - /* Offline domains are always initialized. They're - re-initialized when they go back online. */ - - domain->initialized = True; - - /* We only add the timeout handler that checks and - allows us to go back online when we've not - been told to remain offline. */ - - if (get_global_winbindd_state_offline()) { - DEBUG(10,("set_domain_offline: domain %s remaining globally offline\n", - domain->name )); - return; - } - - /* If we're in statup mode, check again in 10 seconds, not in - lp_winbind_cache_time() seconds (which is 5 mins by default). */ - - calc_new_online_timeout_check(domain); - - domain->check_online_event = event_add_timed(winbind_event_context(), - NULL, - timeval_current_ofs(domain->check_online_timeout,0), - "check_domain_online_handler", - check_domain_online_handler, - domain); - - /* The above *has* to succeed for winbindd to work. */ - if (!domain->check_online_event) { - smb_panic("set_domain_offline: failed to add online handler"); - } - - DEBUG(10,("set_domain_offline: added event handler for domain %s\n", - domain->name )); - - /* Send an offline message to the idmap child when our - primary domain goes offline */ - - if ( domain->primary ) { - struct winbindd_child *idmap = idmap_child(); - - if ( idmap->pid != 0 ) { - messaging_send_buf(winbind_messaging_context(), - pid_to_procid(idmap->pid), - MSG_WINBIND_OFFLINE, - (uint8 *)domain->name, - strlen(domain->name)+1); - } - } - - return; -} - -/**************************************************************** - Set domain online - if allowed. -****************************************************************/ - -static void set_domain_online(struct winbindd_domain *domain) -{ - struct timeval now; - - DEBUG(10,("set_domain_online: called for domain %s\n", - domain->name )); - - if (domain->internal) { - DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n", - domain->name )); - return; - } - - if (get_global_winbindd_state_offline()) { - DEBUG(10,("set_domain_online: domain %s remaining globally offline\n", - domain->name )); - return; - } - - winbindd_set_locator_kdc_envs(domain); - - /* If we are waiting to get a krb5 ticket, trigger immediately. */ - GetTimeOfDay(&now); - set_event_dispatch_time(winbind_event_context(), - "krb5_ticket_gain_handler", now); - - /* Ok, we're out of any startup mode now... */ - domain->startup = False; - - if (domain->online == False) { - /* We were offline - now we're online. We default to - using the MS-RPC backend if we started offline, - and if we're going online for the first time we - should really re-initialize the backends and the - checks to see if we're talking to an AD or NT domain. - */ - - domain->initialized = False; - - /* 'reconnect_methods' is the MS-RPC backend. */ - if (domain->backend == &reconnect_methods) { - domain->backend = NULL; - } - } - - /* Ensure we have no online timeout checks. */ - domain->check_online_timeout = 0; - TALLOC_FREE(domain->check_online_event); - - /* Ensure we ignore any pending child messages. */ - messaging_deregister(winbind_messaging_context(), - MSG_WINBIND_TRY_TO_GO_ONLINE, NULL); - messaging_deregister(winbind_messaging_context(), - MSG_WINBIND_FAILED_TO_GO_ONLINE, NULL); - - domain->online = True; - - /* Send an online message to the idmap child when our - primary domain comes online */ - - if ( domain->primary ) { - struct winbindd_child *idmap = idmap_child(); - - if ( idmap->pid != 0 ) { - messaging_send_buf(winbind_messaging_context(), - pid_to_procid(idmap->pid), - MSG_WINBIND_ONLINE, - (uint8 *)domain->name, - strlen(domain->name)+1); - } - } - - return; -} - -/**************************************************************** - Requested to set a domain online. -****************************************************************/ - -void set_domain_online_request(struct winbindd_domain *domain) -{ - struct timeval tev; - - DEBUG(10,("set_domain_online_request: called for domain %s\n", - domain->name )); - - if (get_global_winbindd_state_offline()) { - DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n", - domain->name )); - return; - } - - /* We've been told it's safe to go online and - try and connect to a DC. But I don't believe it - because network manager seems to lie. - Wait at least 5 seconds. Heuristics suck... */ - - if (!domain->check_online_event) { - /* If we've come from being globally offline we - don't have a check online event handler set. - We need to add one now we're trying to go - back online. */ - - DEBUG(10,("set_domain_online_request: domain %s was globally offline.\n", - domain->name )); - - domain->check_online_event = event_add_timed(winbind_event_context(), - NULL, - timeval_current_ofs(5, 0), - "check_domain_online_handler", - check_domain_online_handler, - domain); - - /* The above *has* to succeed for winbindd to work. */ - if (!domain->check_online_event) { - smb_panic("set_domain_online_request: failed to add online handler"); - } - } - - GetTimeOfDay(&tev); - - /* Go into "startup" mode again. */ - domain->startup_time = tev.tv_sec; - domain->startup = True; - - tev.tv_sec += 5; - - set_event_dispatch_time(winbind_event_context(), "check_domain_online_handler", tev); -} - -/**************************************************************** - Add -ve connection cache entries for domain and realm. -****************************************************************/ - -void winbind_add_failed_connection_entry(const struct winbindd_domain *domain, - const char *server, - NTSTATUS result) -{ - add_failed_connection_entry(domain->name, server, result); - /* If this was the saf name for the last thing we talked to, - remove it. */ - saf_delete(domain->name); - if (*domain->alt_name) { - add_failed_connection_entry(domain->alt_name, server, result); - saf_delete(domain->alt_name); - } - winbindd_unset_locator_kdc_env(domain); -} - -/* Choose between anonymous or authenticated connections. We need to use - an authenticated connection if DCs have the RestrictAnonymous registry - entry set > 0, or the "Additional restrictions for anonymous - connections" set in the win2k Local Security Policy. - - Caller to free() result in domain, username, password -*/ - -static void cm_get_ipc_userpass(char **username, char **domain, char **password) -{ - *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL); - *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL); - *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL); - - if (*username && **username) { - - if (!*domain || !**domain) - *domain = smb_xstrdup(lp_workgroup()); - - if (!*password || !**password) - *password = smb_xstrdup(""); - - DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n", - *domain, *username)); - - } else { - DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n")); - *username = smb_xstrdup(""); - *domain = smb_xstrdup(""); - *password = smb_xstrdup(""); - } -} - -static BOOL get_dc_name_via_netlogon(const struct winbindd_domain *domain, - fstring dcname, struct in_addr *dc_ip) -{ - struct winbindd_domain *our_domain = NULL; - struct rpc_pipe_client *netlogon_pipe = NULL; - NTSTATUS result; - WERROR werr; - TALLOC_CTX *mem_ctx; - unsigned int orig_timeout; - fstring tmp; - char *p; - - /* Hmmmm. We can only open one connection to the NETLOGON pipe at the - * moment.... */ - - if (IS_DC) { - return False; - } - - if (domain->primary) { - return False; - } - - our_domain = find_our_domain(); - - if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) { - return False; - } - - result = cm_connect_netlogon(our_domain, &netlogon_pipe); - if (!NT_STATUS_IS_OK(result)) { - talloc_destroy(mem_ctx); - return False; - } - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. */ - - orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000); - - werr = rpccli_netlogon_getanydcname(netlogon_pipe, mem_ctx, our_domain->dcname, - domain->name, tmp); - - /* And restore our original timeout. */ - cli_set_timeout(netlogon_pipe->cli, orig_timeout); - - talloc_destroy(mem_ctx); - - if (!W_ERROR_IS_OK(werr)) { - DEBUG(10, ("rpccli_netlogon_getanydcname failed: %s\n", - dos_errstr(werr))); - return False; - } - - /* cli_netlogon_getanydcname gives us a name with \\ */ - p = tmp; - if (*p == '\\') { - p+=1; - } - if (*p == '\\') { - p+=1; - } - - fstrcpy(dcname, p); - - DEBUG(10, ("rpccli_netlogon_getanydcname returned %s\n", dcname)); - - if (!resolve_name(dcname, dc_ip, 0x20)) { - return False; - } - - return True; -} - -/************************************************************************ - Given a fd with a just-connected TCP connection to a DC, open a connection - to the pipe. -************************************************************************/ - -static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain, - const int sockfd, - const char *controller, - struct cli_state **cli, - BOOL *retry) -{ - char *machine_password, *machine_krb5_principal, *machine_account; - char *ipc_username, *ipc_domain, *ipc_password; - - BOOL got_mutex; - - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - struct sockaddr peeraddr; - socklen_t peeraddr_len; - - struct sockaddr_in *peeraddr_in = (struct sockaddr_in *)&peeraddr; - - DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n", - controller, domain->name )); - - machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL, - NULL); - - if (asprintf(&machine_account, "%s$", global_myname()) == -1) { - SAFE_FREE(machine_password); - return NT_STATUS_NO_MEMORY; - } - - if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(), - lp_realm()) == -1) { - SAFE_FREE(machine_account); - SAFE_FREE(machine_password); - return NT_STATUS_NO_MEMORY; - } - - cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password); - - *retry = True; - - got_mutex = secrets_named_mutex(controller, - WINBIND_SERVER_MUTEX_WAIT_TIME); - - if (!got_mutex) { - DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n", - controller)); - result = NT_STATUS_POSSIBLE_DEADLOCK; - goto done; - } - - if ((*cli = cli_initialise()) == NULL) { - DEBUG(1, ("Could not cli_initialize\n")); - result = NT_STATUS_NO_MEMORY; - goto done; - } - - (*cli)->timeout = 10000; /* 10 seconds */ - (*cli)->fd = sockfd; - fstrcpy((*cli)->desthost, controller); - (*cli)->use_kerberos = True; - - peeraddr_len = sizeof(peeraddr); - - if ((getpeername((*cli)->fd, &peeraddr, &peeraddr_len) != 0) || - (peeraddr_len != sizeof(struct sockaddr_in)) || - (peeraddr_in->sin_family != PF_INET)) - { - DEBUG(0,("cm_prepare_connection: %s\n", strerror(errno))); - result = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - if (ntohs(peeraddr_in->sin_port) == 139) { - struct nmb_name calling; - struct nmb_name called; - - make_nmb_name(&calling, global_myname(), 0x0); - make_nmb_name(&called, "*SMBSERVER", 0x20); - - if (!cli_session_request(*cli, &calling, &called)) { - DEBUG(8, ("cli_session_request failed for %s\n", - controller)); - result = NT_STATUS_UNSUCCESSFUL; - goto done; - } - } - - cli_setup_signing_state(*cli, Undefined); - - if (!cli_negprot(*cli)) { - DEBUG(1, ("cli_negprot failed\n")); - result = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - if ((*cli)->protocol >= PROTOCOL_NT1 && (*cli)->capabilities & CAP_EXTENDED_SECURITY) { - ADS_STATUS ads_status; - - if (lp_security() == SEC_ADS) { - - /* Try a krb5 session */ - - (*cli)->use_kerberos = True; - DEBUG(5, ("connecting to %s from %s with kerberos principal " - "[%s]\n", controller, global_myname(), - machine_krb5_principal)); - - winbindd_set_locator_kdc_envs(domain); - - ads_status = cli_session_setup_spnego(*cli, - machine_krb5_principal, - machine_password, - lp_workgroup()); - - if (!ADS_ERR_OK(ads_status)) { - DEBUG(4,("failed kerberos session setup with %s\n", - ads_errstr(ads_status))); - } - - result = ads_ntstatus(ads_status); - if (NT_STATUS_IS_OK(result)) { - /* Ensure creds are stored for NTLMSSP authenticated pipe access. */ - cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password); - goto session_setup_done; - } - } - - /* Fall back to non-kerberos session setup using NTLMSSP SPNEGO with the machine account. */ - (*cli)->use_kerberos = False; - - DEBUG(5, ("connecting to %s from %s with username " - "[%s]\\[%s]\n", controller, global_myname(), - lp_workgroup(), machine_account)); - - ads_status = cli_session_setup_spnego(*cli, - machine_account, - machine_password, - lp_workgroup()); - if (!ADS_ERR_OK(ads_status)) { - DEBUG(4, ("authenticated session setup failed with %s\n", - ads_errstr(ads_status))); - } - - result = ads_ntstatus(ads_status); - if (NT_STATUS_IS_OK(result)) { - /* Ensure creds are stored for NTLMSSP authenticated pipe access. */ - cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password); - goto session_setup_done; - } - } - - /* Fall back to non-kerberos session setup */ - - (*cli)->use_kerberos = False; - - if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) && - (strlen(ipc_username) > 0)) { - - /* Only try authenticated if we have a username */ - - DEBUG(5, ("connecting to %s from %s with username " - "[%s]\\[%s]\n", controller, global_myname(), - ipc_domain, ipc_username)); - - if (NT_STATUS_IS_OK(cli_session_setup( - *cli, ipc_username, - ipc_password, strlen(ipc_password)+1, - ipc_password, strlen(ipc_password)+1, - ipc_domain))) { - /* Successful logon with given username. */ - cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password); - goto session_setup_done; - } else { - DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n", - ipc_domain, ipc_username )); - } - } - - /* Fall back to anonymous connection, this might fail later */ - - if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0, - NULL, 0, ""))) { - DEBUG(5, ("Connected anonymously\n")); - cli_init_creds(*cli, "", "", ""); - goto session_setup_done; - } - - result = cli_nt_error(*cli); - - if (NT_STATUS_IS_OK(result)) - result = NT_STATUS_UNSUCCESSFUL; - - /* We can't session setup */ - - goto done; - - session_setup_done: - - /* cache the server name for later connections */ - - saf_store( domain->name, (*cli)->desthost ); - if (domain->alt_name && (*cli)->use_kerberos) { - saf_store( domain->alt_name, (*cli)->desthost ); - } - - winbindd_set_locator_kdc_envs(domain); - - if (!cli_send_tconX(*cli, "IPC$", "IPC", "", 0)) { - - result = cli_nt_error(*cli); - - DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result))); - - if (NT_STATUS_IS_OK(result)) - result = NT_STATUS_UNSUCCESSFUL; - - goto done; - } - - secrets_named_mutex_release(controller); - got_mutex = False; - *retry = False; - - /* set the domain if empty; needed for schannel connections */ - if ( !*(*cli)->domain ) { - fstrcpy( (*cli)->domain, domain->name ); - } - - result = NT_STATUS_OK; - - done: - if (got_mutex) { - secrets_named_mutex_release(controller); - } - - SAFE_FREE(machine_account); - SAFE_FREE(machine_password); - SAFE_FREE(machine_krb5_principal); - SAFE_FREE(ipc_username); - SAFE_FREE(ipc_domain); - SAFE_FREE(ipc_password); - - if (!NT_STATUS_IS_OK(result)) { - winbind_add_failed_connection_entry(domain, controller, result); - if ((*cli) != NULL) { - cli_shutdown(*cli); - *cli = NULL; - } - } - - return result; -} - -static BOOL add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name, - const char *dcname, struct in_addr ip, - struct dc_name_ip **dcs, int *num) -{ - if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) { - DEBUG(10, ("DC %s was in the negative conn cache\n", dcname)); - return False; - } - - *dcs = TALLOC_REALLOC_ARRAY(mem_ctx, *dcs, struct dc_name_ip, (*num)+1); - - if (*dcs == NULL) - return False; - - fstrcpy((*dcs)[*num].name, dcname); - (*dcs)[*num].ip = ip; - *num += 1; - return True; -} - -static BOOL add_sockaddr_to_array(TALLOC_CTX *mem_ctx, - struct in_addr ip, uint16 port, - struct sockaddr_in **addrs, int *num) -{ - *addrs = TALLOC_REALLOC_ARRAY(mem_ctx, *addrs, struct sockaddr_in, (*num)+1); - - if (*addrs == NULL) { - *num = 0; - return False; - } - - (*addrs)[*num].sin_family = PF_INET; - putip((char *)&((*addrs)[*num].sin_addr), (char *)&ip); - (*addrs)[*num].sin_port = htons(port); - - *num += 1; - return True; -} - -static void mailslot_name(struct in_addr dc_ip, fstring name) -{ - fstr_sprintf(name, "\\MAILSLOT\\NET\\GETDC%X", dc_ip.s_addr); -} - -static BOOL send_getdc_request(struct in_addr dc_ip, - const char *domain_name, - const DOM_SID *sid) -{ - pstring outbuf; - char *p; - fstring my_acct_name; - fstring my_mailslot; - - mailslot_name(dc_ip, my_mailslot); - - memset(outbuf, '\0', sizeof(outbuf)); - - p = outbuf; - - SCVAL(p, 0, SAMLOGON); - p++; - - SCVAL(p, 0, 0); /* Count pointer ... */ - p++; - - SIVAL(p, 0, 0); /* The sender's token ... */ - p += 2; - - p += dos_PutUniCode(p, global_myname(), sizeof(pstring), True); - fstr_sprintf(my_acct_name, "%s$", global_myname()); - p += dos_PutUniCode(p, my_acct_name, sizeof(pstring), True); - - memcpy(p, my_mailslot, strlen(my_mailslot)+1); - p += strlen(my_mailslot)+1; - - SIVAL(p, 0, 0x80); - p+=4; - - SIVAL(p, 0, sid_size(sid)); - p+=4; - - p = ALIGN4(p, outbuf); - - sid_linearize(p, sid_size(sid), sid); - p += sid_size(sid); - - SIVAL(p, 0, 1); - SSVAL(p, 4, 0xffff); - SSVAL(p, 6, 0xffff); - p+=8; - - return cli_send_mailslot(winbind_messaging_context(), - False, "\\MAILSLOT\\NET\\NTLOGON", 0, - outbuf, PTR_DIFF(p, outbuf), - global_myname(), 0, domain_name, 0x1c, - dc_ip); -} - -static BOOL receive_getdc_response(struct in_addr dc_ip, - const char *domain_name, - fstring dc_name) -{ - struct packet_struct *packet; - fstring my_mailslot; - char *buf, *p; - fstring dcname, user, domain; - int len; - - mailslot_name(dc_ip, my_mailslot); - - packet = receive_unexpected(DGRAM_PACKET, 0, my_mailslot); - - if (packet == NULL) { - DEBUG(5, ("Did not receive packet for %s\n", my_mailslot)); - return False; - } - - DEBUG(5, ("Received packet for %s\n", my_mailslot)); - - buf = packet->packet.dgram.data; - len = packet->packet.dgram.datasize; - - if (len < 70) { - /* 70 is a completely arbitrary value to make sure - the SVAL below does not read uninitialized memory */ - DEBUG(3, ("GetDC got short response\n")); - return False; - } - - /* This should be (buf-4)+SVAL(buf-4, smb_vwv12)... */ - p = buf+SVAL(buf, smb_vwv10); - - if (CVAL(p,0) != SAMLOGON_R) { - DEBUG(8, ("GetDC got invalid response type %d\n", CVAL(p, 0))); - return False; - } - - p+=2; - pull_ucs2(buf, dcname, p, sizeof(dcname), PTR_DIFF(buf+len, p), - STR_TERMINATE|STR_NOALIGN); - p = skip_unibuf(p, PTR_DIFF(buf+len, p)); - pull_ucs2(buf, user, p, sizeof(dcname), PTR_DIFF(buf+len, p), - STR_TERMINATE|STR_NOALIGN); - p = skip_unibuf(p, PTR_DIFF(buf+len, p)); - pull_ucs2(buf, domain, p, sizeof(dcname), PTR_DIFF(buf+len, p), - STR_TERMINATE|STR_NOALIGN); - p = skip_unibuf(p, PTR_DIFF(buf+len, p)); - - if (!strequal(domain, domain_name)) { - DEBUG(3, ("GetDC: Expected domain %s, got %s\n", - domain_name, domain)); - return False; - } - - p = dcname; - if (*p == '\\') p += 1; - if (*p == '\\') p += 1; - - fstrcpy(dc_name, p); - - DEBUG(10, ("GetDC gave name %s for domain %s\n", - dc_name, domain)); - - return True; -} - -/******************************************************************* - convert an ip to a name -*******************************************************************/ - -static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip, fstring name ) -{ - struct ip_service ip_list; - - ip_list.ip = ip; - ip_list.port = 0; - -#ifdef WITH_ADS - /* For active directory servers, try to get the ldap server name. - None of these failures should be considered critical for now */ - - if (lp_security() == SEC_ADS) { - ADS_STRUCT *ads; - - ads = ads_init(domain->alt_name, domain->name, NULL); - ads->auth.flags |= ADS_AUTH_NO_BIND; - - if (ads_try_connect( ads, inet_ntoa(ip) ) ) { - /* We got a cldap packet. */ - fstrcpy(name, ads->config.ldap_server_name); - namecache_store(name, 0x20, 1, &ip_list); - - DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags)); - - if (domain->primary && (ads->config.flags & ADS_KDC)) { - if (ads_closest_dc(ads)) { - char *sitename = sitename_fetch(ads->config.realm); - - /* We're going to use this KDC for this realm/domain. - If we are using sites, then force the krb5 libs - to use this KDC. */ - - create_local_private_krb5_conf_for_domain(domain->alt_name, - domain->name, - sitename, - ip); - - SAFE_FREE(sitename); - } else { - /* use an off site KDC */ - create_local_private_krb5_conf_for_domain(domain->alt_name, - domain->name, - NULL, - ip); - } - winbindd_set_locator_kdc_envs(domain); - - /* Ensure we contact this DC also. */ - saf_store( domain->name, name); - saf_store( domain->alt_name, name); - } - - ads_destroy( &ads ); - return True; - } - - ads_destroy( &ads ); - } -#endif - - /* try GETDC requests next */ - - if (send_getdc_request(ip, domain->name, &domain->sid)) { - int i; - smb_msleep(100); - for (i=0; i<5; i++) { - if (receive_getdc_response(ip, domain->name, name)) { - namecache_store(name, 0x20, 1, &ip_list); - return True; - } - smb_msleep(500); - } - } - - /* try node status request */ - - if ( name_status_find(domain->name, 0x1c, 0x20, ip, name) ) { - namecache_store(name, 0x20, 1, &ip_list); - return True; - } - return False; -} - -/******************************************************************* - Retreive a list of IP address for domain controllers. Fill in - the dcs[] with results. -*******************************************************************/ - -static BOOL get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain, - struct dc_name_ip **dcs, int *num_dcs) -{ - fstring dcname; - struct in_addr ip; - struct ip_service *ip_list = NULL; - int iplist_size = 0; - int i; - BOOL is_our_domain; - enum security_types sec = (enum security_types)lp_security(); - - is_our_domain = strequal(domain->name, lp_workgroup()); - - if ( !is_our_domain - && get_dc_name_via_netlogon(domain, dcname, &ip) - && add_one_dc_unique(mem_ctx, domain->name, dcname, ip, dcs, num_dcs) ) - { - DEBUG(10, ("Retrieved DC %s at %s via netlogon\n", - dcname, inet_ntoa(ip))); - return True; - } - - if (sec == SEC_ADS) { - char *sitename = NULL; - - /* We need to make sure we know the local site before - doing any DNS queries, as this will restrict the - get_sorted_dc_list() call below to only fetching - DNS records for the correct site. */ - - /* Find any DC to get the site record. - We deliberately don't care about the - return here. */ - - get_dc_name(domain->name, domain->alt_name, dcname, &ip); - - sitename = sitename_fetch(domain->alt_name); - if (sitename) { - - /* Do the site-specific AD dns lookup first. */ - get_sorted_dc_list(domain->alt_name, sitename, &ip_list, &iplist_size, True); - - for ( i=0; i<iplist_size; i++ ) { - add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip), - ip_list[i].ip, dcs, num_dcs); - } - - SAFE_FREE(ip_list); - SAFE_FREE(sitename); - iplist_size = 0; - } - - /* Now we add DCs from the main AD dns lookup. */ - get_sorted_dc_list(domain->alt_name, NULL, &ip_list, &iplist_size, True); - - for ( i=0; i<iplist_size; i++ ) { - add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip), - ip_list[i].ip, dcs, num_dcs); - } - } - - /* try standard netbios queries if no ADS */ - - if (iplist_size==0) { - get_sorted_dc_list(domain->name, NULL, &ip_list, &iplist_size, False); - } - - /* FIXME!! this is where we should re-insert the GETDC requests --jerry */ - - /* now add to the dc array. We'll wait until the last minute - to look up the name of the DC. But we fill in the char* for - the ip now in to make the failed connection cache work */ - - for ( i=0; i<iplist_size; i++ ) { - add_one_dc_unique(mem_ctx, domain->name, inet_ntoa(ip_list[i].ip), - ip_list[i].ip, dcs, num_dcs); - } - - SAFE_FREE( ip_list ); - - return True; -} - -static BOOL find_new_dc(TALLOC_CTX *mem_ctx, - const struct winbindd_domain *domain, - fstring dcname, struct sockaddr_in *addr, int *fd) -{ - struct dc_name_ip *dcs = NULL; - int num_dcs = 0; - - const char **dcnames = NULL; - int num_dcnames = 0; - - struct sockaddr_in *addrs = NULL; - int num_addrs = 0; - - int i, fd_index; - - again: - if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs) || (num_dcs == 0)) - return False; - - for (i=0; i<num_dcs; i++) { - - if (!add_string_to_array(mem_ctx, dcs[i].name, - &dcnames, &num_dcnames)) { - return False; - } - if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 445, - &addrs, &num_addrs)) { - return False; - } - - if (!add_string_to_array(mem_ctx, dcs[i].name, - &dcnames, &num_dcnames)) { - return False; - } - if (!add_sockaddr_to_array(mem_ctx, dcs[i].ip, 139, - &addrs, &num_addrs)) { - return False; - } - } - - if ((num_dcnames == 0) || (num_dcnames != num_addrs)) - return False; - - if ((addrs == NULL) || (dcnames == NULL)) - return False; - - /* 5 second timeout. */ - if ( !open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) - { - for (i=0; i<num_dcs; i++) { - DEBUG(10, ("find_new_dc: open_any_socket_out failed for " - "domain %s address %s. Error was %s\n", - domain->name, inet_ntoa(dcs[i].ip), strerror(errno) )); - winbind_add_failed_connection_entry(domain, - dcs[i].name, NT_STATUS_UNSUCCESSFUL); - } - return False; - } - - *addr = addrs[fd_index]; - - if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) { - /* Ok, we've got a name for the DC */ - fstrcpy(dcname, dcnames[fd_index]); - return True; - } - - /* Try to figure out the name */ - if (dcip_to_name( domain, addr->sin_addr, dcname )) { - return True; - } - - /* We can not continue without the DC's name */ - winbind_add_failed_connection_entry(domain, dcs[fd_index].name, - NT_STATUS_UNSUCCESSFUL); - goto again; -} - -static NTSTATUS cm_open_connection(struct winbindd_domain *domain, - struct winbindd_cm_conn *new_conn) -{ - TALLOC_CTX *mem_ctx; - NTSTATUS result; - char *saf_servername = saf_fetch( domain->name ); - int retries; - - if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) { - SAFE_FREE(saf_servername); - set_domain_offline(domain); - return NT_STATUS_NO_MEMORY; - } - - /* we have to check the server affinity cache here since - later we selecte a DC based on response time and not preference */ - - /* Check the negative connection cache - before talking to it. It going down may have - triggered the reconnection. */ - - if ( saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, saf_servername))) { - - DEBUG(10,("cm_open_connection: saf_servername is '%s' for domain %s\n", - saf_servername, domain->name )); - - /* convert an ip address to a name */ - if ( is_ipaddress( saf_servername ) ) { - fstring saf_name; - struct in_addr ip; - - ip = *interpret_addr2( saf_servername ); - if (dcip_to_name( domain, ip, saf_name )) { - fstrcpy( domain->dcname, saf_name ); - } else { - winbind_add_failed_connection_entry( - domain, saf_servername, - NT_STATUS_UNSUCCESSFUL); - } - } else { - fstrcpy( domain->dcname, saf_servername ); - } - - SAFE_FREE( saf_servername ); - } - - for (retries = 0; retries < 3; retries++) { - - int fd = -1; - BOOL retry = False; - - result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; - - DEBUG(10,("cm_open_connection: dcname is '%s' for domain %s\n", - domain->dcname, domain->name )); - - if (*domain->dcname - && NT_STATUS_IS_OK(check_negative_conn_cache( domain->name, domain->dcname)) - && (resolve_name(domain->dcname, &domain->dcaddr.sin_addr, 0x20))) - { - struct sockaddr_in *addrs = NULL; - int num_addrs = 0; - int dummy = 0; - - if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 445, &addrs, &num_addrs)) { - set_domain_offline(domain); - talloc_destroy(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - if (!add_sockaddr_to_array(mem_ctx, domain->dcaddr.sin_addr, 139, &addrs, &num_addrs)) { - set_domain_offline(domain); - talloc_destroy(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - /* 5 second timeout. */ - if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) { - fd = -1; - } - } - - if ((fd == -1) - && !find_new_dc(mem_ctx, domain, domain->dcname, &domain->dcaddr, &fd)) - { - /* This is the one place where we will - set the global winbindd offline state - to true, if a "WINBINDD_OFFLINE" entry - is found in the winbindd cache. */ - set_global_winbindd_state_offline(); - break; - } - - new_conn->cli = NULL; - - result = cm_prepare_connection(domain, fd, domain->dcname, - &new_conn->cli, &retry); - - if (!retry) - break; - } - - if (NT_STATUS_IS_OK(result)) { - - winbindd_set_locator_kdc_envs(domain); - - if (domain->online == False) { - /* We're changing state from offline to online. */ - set_global_winbindd_state_online(); - } - set_domain_online(domain); - } else { - /* Ensure we setup the retry handler. */ - set_domain_offline(domain); - } - - talloc_destroy(mem_ctx); - return result; -} - -/* Close down all open pipes on a connection. */ - -void invalidate_cm_connection(struct winbindd_cm_conn *conn) -{ - /* We're closing down a possibly dead - connection. Don't have impossibly long (10s) timeouts. */ - - if (conn->cli) { - cli_set_timeout(conn->cli, 1000); /* 1 second. */ - } - - if (conn->samr_pipe != NULL) { - if (!cli_rpc_pipe_close(conn->samr_pipe)) { - /* Ok, it must be dead. Drop timeout to 0.5 sec. */ - if (conn->cli) { - cli_set_timeout(conn->cli, 500); - } - } - conn->samr_pipe = NULL; - } - - if (conn->lsa_pipe != NULL) { - if (!cli_rpc_pipe_close(conn->lsa_pipe)) { - /* Ok, it must be dead. Drop timeout to 0.5 sec. */ - if (conn->cli) { - cli_set_timeout(conn->cli, 500); - } - } - conn->lsa_pipe = NULL; - } - - if (conn->netlogon_pipe != NULL) { - if (!cli_rpc_pipe_close(conn->netlogon_pipe)) { - /* Ok, it must be dead. Drop timeout to 0.5 sec. */ - if (conn->cli) { - cli_set_timeout(conn->cli, 500); - } - } - conn->netlogon_pipe = NULL; - } - - if (conn->cli) { - cli_shutdown(conn->cli); - } - - conn->cli = NULL; -} - -void close_conns_after_fork(void) -{ - struct winbindd_domain *domain; - - for (domain = domain_list(); domain; domain = domain->next) { - if (domain->conn.cli == NULL) - continue; - - if (domain->conn.cli->fd == -1) - continue; - - close(domain->conn.cli->fd); - domain->conn.cli->fd = -1; - } -} - -static BOOL connection_ok(struct winbindd_domain *domain) -{ - if (domain->conn.cli == NULL) { - DEBUG(8, ("connection_ok: Connection to %s for domain %s has NULL " - "cli!\n", domain->dcname, domain->name)); - return False; - } - - if (!domain->conn.cli->initialised) { - DEBUG(3, ("connection_ok: Connection to %s for domain %s was never " - "initialised!\n", domain->dcname, domain->name)); - return False; - } - - if (domain->conn.cli->fd == -1) { - DEBUG(3, ("connection_ok: Connection to %s for domain %s has died or was " - "never started (fd == -1)\n", - domain->dcname, domain->name)); - return False; - } - - if (domain->online == False) { - DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name)); - return False; - } - - return True; -} - -/* Initialize a new connection up to the RPC BIND. - Bypass online status check so always does network calls. */ - -static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain) -{ - NTSTATUS result; - - /* Internal connections never use the network. */ - if (domain->internal) { - domain->initialized = True; - return NT_STATUS_OK; - } - - if (connection_ok(domain)) { - if (!domain->initialized) { - set_dc_type_and_flags(domain); - } - return NT_STATUS_OK; - } - - invalidate_cm_connection(&domain->conn); - - result = cm_open_connection(domain, &domain->conn); - - if (NT_STATUS_IS_OK(result) && !domain->initialized) { - set_dc_type_and_flags(domain); - } - - return result; -} - -NTSTATUS init_dc_connection(struct winbindd_domain *domain) -{ - if (domain->initialized && !domain->online) { - /* We check for online status elsewhere. */ - return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; - } - - return init_dc_connection_network(domain); -} - -/****************************************************************************** - Set the trust flags (direction and forest location) for a domain -******************************************************************************/ - -static BOOL set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) -{ - struct winbindd_domain *our_domain; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - struct ds_domain_trust *domains = NULL; - int count = 0; - int i; - uint32 flags = (DS_DOMAIN_IN_FOREST | - DS_DOMAIN_DIRECT_OUTBOUND | - DS_DOMAIN_DIRECT_INBOUND); - struct rpc_pipe_client *cli; - TALLOC_CTX *mem_ctx = NULL; - - DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name )); - - /* Our primary domain doesn't need to worry about trust flags. - Force it to go through the network setup */ - if ( domain->primary ) { - return False; - } - - our_domain = find_our_domain(); - - if ( !connection_ok(our_domain) ) { - DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n")); - return False; - } - - /* This won't work unless our domain is AD */ - - if ( !our_domain->active_directory ) { - return False; - } - - /* Use DsEnumerateDomainTrusts to get us the trust direction - and type */ - - result = cm_connect_netlogon(our_domain, &cli); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open " - "a connection to %s for PIPE_NETLOGON (%s)\n", - domain->name, nt_errstr(result))); - return False; - } - - if ( (mem_ctx = talloc_init("set_dc_type_and_flags_trustinfo")) == NULL ) { - DEBUG(0,("set_dc_type_and_flags_trustinfo: talloc_init() failed!\n")); - return False; - } - - result = rpccli_ds_enum_domain_trusts(cli, mem_ctx, - cli->cli->desthost, - flags, &domains, - (unsigned int *)&count); - - /* Now find the domain name and get the flags */ - - for ( i=0; i<count; i++ ) { - if ( strequal( domain->name, domains[i].netbios_domain ) ) { - domain->domain_flags = domains[i].flags; - domain->domain_type = domains[i].trust_type; - domain->domain_trust_attribs = domains[i].trust_attributes; - - if ( domain->domain_type == DS_DOMAIN_TRUST_TYPE_UPLEVEL ) - domain->active_directory = True; - - /* This flag is only set if the domain is *our* - primary domain and the primary domain is in - native mode */ - - domain->native_mode = (domain->domain_flags & DS_DOMAIN_NATIVE_MODE); - - DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin " - "native mode.\n", domain->name, - domain->native_mode ? "" : "NOT ")); - - DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s" - "running active directory.\n", domain->name, - domain->active_directory ? "" : "NOT ")); - - - domain->initialized = True; - - if ( !winbindd_can_contact_domain( domain) ) - domain->internal = True; - - break; - } - } - - talloc_destroy( mem_ctx ); - - return domain->initialized; -} - -/****************************************************************************** - We can 'sense' certain things about the DC by it's replies to certain - questions. - - This tells us if this particular remote server is Active Directory, and if it - is native mode. -******************************************************************************/ - -static void set_dc_type_and_flags_connect( struct winbindd_domain *domain ) -{ - NTSTATUS result; - DS_DOMINFO_CTR ctr; - TALLOC_CTX *mem_ctx = NULL; - struct rpc_pipe_client *cli; - POLICY_HND pol; - - char *domain_name = NULL; - char *dns_name = NULL; - char *forest_name = NULL; - DOM_SID *dom_sid = NULL; - - ZERO_STRUCT( ctr ); - - if (!connection_ok(domain)) { - return; - } - - DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name )); - - cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC_DS, - &result); - - if (cli == NULL) { - DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to " - "PI_LSARPC_DS on domain %s: (%s)\n", - domain->name, nt_errstr(result))); - - /* if this is just a non-AD domain we need to continue - * identifying so that we can in the end return with - * domain->initialized = True - gd */ - - goto no_lsarpc_ds; - } - - result = rpccli_ds_getprimarydominfo(cli, cli->cli->mem_ctx, - DsRolePrimaryDomainInfoBasic, - &ctr); - cli_rpc_pipe_close(cli); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo " - "on domain %s failed: (%s)\n", - domain->name, nt_errstr(result))); - - /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for - * every opcode on the LSARPC_DS pipe, continue with - * no_lsarpc_ds mode here as well to get domain->initialized - * set - gd */ - - if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) { - goto no_lsarpc_ds; - } - - return; - } - - if ((ctr.basic->flags & DSROLE_PRIMARY_DS_RUNNING) && - !(ctr.basic->flags & DSROLE_PRIMARY_DS_MIXED_MODE)) { - domain->native_mode = True; - } else { - domain->native_mode = False; - } - -no_lsarpc_ds: - cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC, &result); - - if (cli == NULL) { - DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to " - "PI_LSARPC on domain %s: (%s)\n", - domain->name, nt_errstr(result))); - cli_rpc_pipe_close(cli); - return; - } - - mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n", - domain->name); - if (!mem_ctx) { - DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n")); - cli_rpc_pipe_close(cli); - return; - } - - result = rpccli_lsa_open_policy2(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, &pol); - - if (NT_STATUS_IS_OK(result)) { - /* This particular query is exactly what Win2k clients use - to determine that the DC is active directory */ - result = rpccli_lsa_query_info_policy2(cli, mem_ctx, &pol, - 12, &domain_name, - &dns_name, &forest_name, - NULL, &dom_sid); - } - - if (NT_STATUS_IS_OK(result)) { - domain->active_directory = True; - - if (domain_name) - fstrcpy(domain->name, domain_name); - - if (dns_name) - fstrcpy(domain->alt_name, dns_name); - - if ( forest_name ) - fstrcpy(domain->forest_name, forest_name); - - if (dom_sid) - sid_copy(&domain->sid, dom_sid); - } else { - domain->active_directory = False; - - result = rpccli_lsa_open_policy(cli, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, - &pol); - - if (!NT_STATUS_IS_OK(result)) - goto done; - - result = rpccli_lsa_query_info_policy(cli, mem_ctx, - &pol, 5, &domain_name, - &dom_sid); - - if (NT_STATUS_IS_OK(result)) { - if (domain_name) - fstrcpy(domain->name, domain_name); - - if (dom_sid) - sid_copy(&domain->sid, dom_sid); - } - } -done: - - DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n", - domain->name, domain->native_mode ? "" : "NOT ")); - - DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n", - domain->name, domain->active_directory ? "" : "NOT ")); - - cli_rpc_pipe_close(cli); - - talloc_destroy(mem_ctx); - - domain->initialized = True; -} - -/********************************************************************** - Set the domain_flags (trust attributes, domain operating modes, etc... -***********************************************************************/ - -static void set_dc_type_and_flags( struct winbindd_domain *domain ) -{ - /* we always have to contact our primary domain */ - - if ( domain->primary ) { - DEBUG(10,("set_dc_type_and_flags: setting up flags for " - "primary domain\n")); - set_dc_type_and_flags_connect( domain ); - return; - } - - /* Use our DC to get the information if possible */ - - if ( !set_dc_type_and_flags_trustinfo( domain ) ) { - /* Otherwise, fallback to contacting the - domain directly */ - set_dc_type_and_flags_connect( domain ); - } - - return; -} - - - -/********************************************************************** -***********************************************************************/ - -static BOOL cm_get_schannel_dcinfo(struct winbindd_domain *domain, - struct dcinfo **ppdc) -{ - NTSTATUS result; - struct rpc_pipe_client *netlogon_pipe; - - if (lp_client_schannel() == False) { - return False; - } - - result = cm_connect_netlogon(domain, &netlogon_pipe); - if (!NT_STATUS_IS_OK(result)) { - return False; - } - - /* Return a pointer to the struct dcinfo from the - netlogon pipe. */ - - *ppdc = domain->conn.netlogon_pipe->dc; - return True; -} - -NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, - struct rpc_pipe_client **cli, POLICY_HND *sam_handle) -{ - struct winbindd_cm_conn *conn; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - fstring conn_pwd; - struct dcinfo *p_dcinfo; - - result = init_dc_connection(domain); - if (!NT_STATUS_IS_OK(result)) { - return result; - } - - conn = &domain->conn; - - if (conn->samr_pipe != NULL) { - goto done; - } - - /* - * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated - * sign and sealed pipe using the machine account password by - * preference. If we can't - try schannel, if that fails, try - * anonymous. - */ - - pwd_get_cleartext(&conn->cli->pwd, conn_pwd); - if ((conn->cli->user_name[0] == '\0') || - (conn->cli->domain[0] == '\0') || - (conn_pwd[0] == '\0')) { - DEBUG(10, ("cm_connect_sam: No no user available for " - "domain %s, trying schannel\n", conn->cli->domain)); - goto schannel; - } - - /* We have an authenticated connection. Use a NTLMSSP SPNEGO - authenticated SAMR pipe with sign & seal. */ - conn->samr_pipe = - cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR, - PIPE_AUTH_LEVEL_PRIVACY, - conn->cli->domain, - conn->cli->user_name, - conn_pwd, &result); - - if (conn->samr_pipe == NULL) { - DEBUG(10,("cm_connect_sam: failed to connect to SAMR " - "pipe for domain %s using NTLMSSP " - "authenticated pipe: user %s\\%s. Error was " - "%s\n", domain->name, conn->cli->domain, - conn->cli->user_name, nt_errstr(result))); - goto schannel; - } - - DEBUG(10,("cm_connect_sam: connected to SAMR pipe for " - "domain %s using NTLMSSP authenticated " - "pipe: user %s\\%s\n", domain->name, - conn->cli->domain, conn->cli->user_name )); - - result = rpccli_samr_connect(conn->samr_pipe, mem_ctx, - SEC_RIGHTS_MAXIMUM_ALLOWED, - &conn->sam_connect_handle); - if (NT_STATUS_IS_OK(result)) { - goto open_domain; - } - DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_connect " - "failed for domain %s, error was %s. Trying schannel\n", - domain->name, nt_errstr(result) )); - cli_rpc_pipe_close(conn->samr_pipe); - - schannel: - - /* Fall back to schannel if it's a W2K pre-SP1 box. */ - - if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) { - /* If this call fails - conn->cli can now be NULL ! */ - DEBUG(10, ("cm_connect_sam: Could not get schannel auth info " - "for domain %s, trying anon\n", domain->name)); - goto anonymous; - } - conn->samr_pipe = cli_rpc_pipe_open_schannel_with_key - (conn->cli, PI_SAMR, PIPE_AUTH_LEVEL_PRIVACY, - domain->name, p_dcinfo, &result); - - if (conn->samr_pipe == NULL) { - DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for " - "domain %s using schannel. Error was %s\n", - domain->name, nt_errstr(result) )); - goto anonymous; - } - DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using " - "schannel.\n", domain->name )); - - result = rpccli_samr_connect(conn->samr_pipe, mem_ctx, - SEC_RIGHTS_MAXIMUM_ALLOWED, - &conn->sam_connect_handle); - if (NT_STATUS_IS_OK(result)) { - goto open_domain; - } - DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_connect failed " - "for domain %s, error was %s. Trying anonymous\n", - domain->name, nt_errstr(result) )); - cli_rpc_pipe_close(conn->samr_pipe); - - anonymous: - - /* Finally fall back to anonymous. */ - conn->samr_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_SAMR, - &result); - - if (conn->samr_pipe == NULL) { - result = NT_STATUS_PIPE_NOT_AVAILABLE; - goto done; - } - - result = rpccli_samr_connect(conn->samr_pipe, mem_ctx, - SEC_RIGHTS_MAXIMUM_ALLOWED, - &conn->sam_connect_handle); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("cm_connect_sam: rpccli_samr_connect failed " - "for domain %s Error was %s\n", - domain->name, nt_errstr(result) )); - goto done; - } - - open_domain: - result = rpccli_samr_open_domain(conn->samr_pipe, - mem_ctx, - &conn->sam_connect_handle, - SEC_RIGHTS_MAXIMUM_ALLOWED, - &domain->sid, - &conn->sam_domain_handle); - - done: - - if (!NT_STATUS_IS_OK(result)) { - invalidate_cm_connection(conn); - return result; - } - - *cli = conn->samr_pipe; - *sam_handle = conn->sam_domain_handle; - return result; -} - -NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, - struct rpc_pipe_client **cli, POLICY_HND *lsa_policy) -{ - struct winbindd_cm_conn *conn; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - fstring conn_pwd; - struct dcinfo *p_dcinfo; - - result = init_dc_connection(domain); - if (!NT_STATUS_IS_OK(result)) - return result; - - conn = &domain->conn; - - if (conn->lsa_pipe != NULL) { - goto done; - } - - pwd_get_cleartext(&conn->cli->pwd, conn_pwd); - if ((conn->cli->user_name[0] == '\0') || - (conn->cli->domain[0] == '\0') || - (conn_pwd[0] == '\0')) { - DEBUG(10, ("cm_connect_lsa: No no user available for " - "domain %s, trying schannel\n", conn->cli->domain)); - goto schannel; - } - - /* We have an authenticated connection. Use a NTLMSSP SPNEGO - * authenticated LSA pipe with sign & seal. */ - conn->lsa_pipe = cli_rpc_pipe_open_spnego_ntlmssp - (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY, - conn->cli->domain, conn->cli->user_name, conn_pwd, &result); - - if (conn->lsa_pipe == NULL) { - DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for " - "domain %s using NTLMSSP authenticated pipe: user " - "%s\\%s. Error was %s. Trying schannel.\n", - domain->name, conn->cli->domain, - conn->cli->user_name, nt_errstr(result))); - goto schannel; - } - - DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using " - "NTLMSSP authenticated pipe: user %s\\%s\n", - domain->name, conn->cli->domain, conn->cli->user_name )); - - result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, - &conn->lsa_policy); - if (NT_STATUS_IS_OK(result)) { - goto done; - } - - DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying " - "schannel\n")); - - cli_rpc_pipe_close(conn->lsa_pipe); - - schannel: - - /* Fall back to schannel if it's a W2K pre-SP1 box. */ - - if (!cm_get_schannel_dcinfo(domain, &p_dcinfo)) { - /* If this call fails - conn->cli can now be NULL ! */ - DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info " - "for domain %s, trying anon\n", domain->name)); - goto anonymous; - } - conn->lsa_pipe = cli_rpc_pipe_open_schannel_with_key - (conn->cli, PI_LSARPC, PIPE_AUTH_LEVEL_PRIVACY, - domain->name, p_dcinfo, &result); - - if (conn->lsa_pipe == NULL) { - DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for " - "domain %s using schannel. Error was %s\n", - domain->name, nt_errstr(result) )); - goto anonymous; - } - DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using " - "schannel.\n", domain->name )); - - result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, - &conn->lsa_policy); - if (NT_STATUS_IS_OK(result)) { - goto done; - } - - DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying " - "anonymous\n")); - - cli_rpc_pipe_close(conn->lsa_pipe); - - anonymous: - - conn->lsa_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_LSARPC, - &result); - if (conn->lsa_pipe == NULL) { - result = NT_STATUS_PIPE_NOT_AVAILABLE; - goto done; - } - - result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True, - SEC_RIGHTS_MAXIMUM_ALLOWED, - &conn->lsa_policy); - done: - if (!NT_STATUS_IS_OK(result)) { - invalidate_cm_connection(conn); - return result; - } - - *cli = conn->lsa_pipe; - *lsa_policy = conn->lsa_policy; - return result; -} - -/**************************************************************************** - Open the netlogon pipe to this DC. Use schannel if specified in client conf. - session key stored in conn->netlogon_pipe->dc->sess_key. -****************************************************************************/ - -NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, - struct rpc_pipe_client **cli) -{ - struct winbindd_cm_conn *conn; - NTSTATUS result; - - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; - uint8 mach_pwd[16]; - uint32 sec_chan_type; - const char *account_name; - struct rpc_pipe_client *netlogon_pipe = NULL; - - *cli = NULL; - - result = init_dc_connection(domain); - if (!NT_STATUS_IS_OK(result)) { - return result; - } - - conn = &domain->conn; - - if (conn->netlogon_pipe != NULL) { - *cli = conn->netlogon_pipe; - return NT_STATUS_OK; - } - - if ((IS_DC || domain->primary) && !get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) { - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - } - - netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON, - &result); - if (netlogon_pipe == NULL) { - return result; - } - - if ((!IS_DC) && (!domain->primary)) { - /* Clear the schannel request bit and drop down */ - neg_flags &= ~NETLOGON_NEG_SCHANNEL; - goto no_schannel; - } - - if (lp_client_schannel() != False) { - neg_flags |= NETLOGON_NEG_SCHANNEL; - } - - /* if we are a DC and this is a trusted domain, then we need to use our - domain name in the net_req_auth2() request */ - - if ( IS_DC - && !strequal(domain->name, lp_workgroup()) - && lp_allow_trusted_domains() ) - { - account_name = lp_workgroup(); - } else { - account_name = domain->primary ? - global_myname() : domain->name; - } - - if (account_name == NULL) { - cli_rpc_pipe_close(netlogon_pipe); - return NT_STATUS_NO_MEMORY; - } - - result = rpccli_netlogon_setup_creds( - netlogon_pipe, - domain->dcname, /* server name. */ - domain->name, /* domain name */ - global_myname(), /* client name */ - account_name, /* machine account */ - mach_pwd, /* machine password */ - sec_chan_type, /* from get_trust_pw */ - &neg_flags); - - if (!NT_STATUS_IS_OK(result)) { - cli_rpc_pipe_close(netlogon_pipe); - return result; - } - - if ((lp_client_schannel() == True) && - ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) { - DEBUG(3, ("Server did not offer schannel\n")); - cli_rpc_pipe_close(netlogon_pipe); - return NT_STATUS_ACCESS_DENIED; - } - - no_schannel: - if ((lp_client_schannel() == False) || - ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) { - - /* - * NetSamLogonEx only works for schannel - */ - domain->can_do_samlogon_ex = False; - - /* We're done - just keep the existing connection to NETLOGON - * open */ - conn->netlogon_pipe = netlogon_pipe; - *cli = conn->netlogon_pipe; - return NT_STATUS_OK; - } - - /* Using the credentials from the first pipe, open a signed and sealed - second netlogon pipe. The session key is stored in the schannel - part of the new pipe auth struct. - */ - - conn->netlogon_pipe = - cli_rpc_pipe_open_schannel_with_key(conn->cli, - PI_NETLOGON, - PIPE_AUTH_LEVEL_PRIVACY, - domain->name, - netlogon_pipe->dc, - &result); - - /* We can now close the initial netlogon pipe. */ - cli_rpc_pipe_close(netlogon_pipe); - - if (conn->netlogon_pipe == NULL) { - DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error " - "was %s\n", nt_errstr(result))); - - /* make sure we return something besides OK */ - return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE; - } - - /* - * Try NetSamLogonEx for AD domains - */ - domain->can_do_samlogon_ex = domain->active_directory; - - *cli = conn->netlogon_pipe; - return NT_STATUS_OK; -} diff --git a/source3/nsswitch/winbindd_cred_cache.c b/source3/nsswitch/winbindd_cred_cache.c deleted file mode 100644 index 65dcbe5a00..0000000000 --- a/source3/nsswitch/winbindd_cred_cache.c +++ /dev/null @@ -1,802 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon - krb5 credential cache functions - and in-memory cache functions. - - Copyright (C) Guenther Deschner 2005-2006 - Copyright (C) Jeremy Allison 2006 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -/* uncomment this to do fast debugging on the krb5 ticket renewal event */ -#ifdef DEBUG_KRB5_TKT_RENEWAL -#undef DEBUG_KRB5_TKT_RENEWAL -#endif - -#define MAX_CCACHES 100 - -static struct WINBINDD_CCACHE_ENTRY *ccache_list; - -/* The Krb5 ticket refresh handler should be scheduled - at one-half of the period from now till the tkt - expiration */ -#define KRB5_EVENT_REFRESH_TIME(x) ((x) - (((x) - time(NULL))/2)) - -/**************************************************************** - Find an entry by name. -****************************************************************/ - -static struct WINBINDD_CCACHE_ENTRY *get_ccache_by_username(const char *username) -{ - struct WINBINDD_CCACHE_ENTRY *entry; - - for (entry = ccache_list; entry; entry = entry->next) { - if (strequal(entry->username, username)) { - return entry; - } - } - return NULL; -} - -/**************************************************************** - How many do we have ? -****************************************************************/ - -static int ccache_entry_count(void) -{ - struct WINBINDD_CCACHE_ENTRY *entry; - int i = 0; - - for (entry = ccache_list; entry; entry = entry->next) { - i++; - } - return i; -} - -/**************************************************************** - Do the work of refreshing the ticket. -****************************************************************/ - -static void krb5_ticket_refresh_handler(struct event_context *event_ctx, - struct timed_event *te, - const struct timeval *now, - void *private_data) -{ - struct WINBINDD_CCACHE_ENTRY *entry = - talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY); -#ifdef HAVE_KRB5 - int ret; - time_t new_start; - struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr; -#endif - - DEBUG(10,("krb5_ticket_refresh_handler called\n")); - DEBUGADD(10,("event called for: %s, %s\n", - entry->ccname, entry->username)); - - TALLOC_FREE(entry->event); - -#ifdef HAVE_KRB5 - - /* Kinit again if we have the user password and we can't renew the old - * tgt anymore */ - - if ((entry->renew_until < time(NULL)) && cred_ptr && cred_ptr->pass) { - - set_effective_uid(entry->uid); - - ret = kerberos_kinit_password_ext(entry->principal_name, - cred_ptr->pass, - 0, /* hm, can we do time correction here ? */ - &entry->refresh_time, - &entry->renew_until, - entry->ccname, - False, /* no PAC required anymore */ - True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL); - gain_root_privilege(); - - if (ret) { - DEBUG(3,("krb5_ticket_refresh_handler: " - "could not re-kinit: %s\n", - error_message(ret))); - TALLOC_FREE(entry->event); - return; - } - - DEBUG(10,("krb5_ticket_refresh_handler: successful re-kinit " - "for: %s in ccache: %s\n", - entry->principal_name, entry->ccname)); - -#if defined(DEBUG_KRB5_TKT_RENEWAL) - new_start = time(NULL) + 30; -#else - /* The tkt should be refreshed at one-half the period - from now to the expiration time */ - new_start = KRB5_EVENT_REFRESH_TIME(entry->refresh_time); -#endif - goto done; - } - - set_effective_uid(entry->uid); - - ret = smb_krb5_renew_ticket(entry->ccname, - entry->principal_name, - entry->service, - &new_start); -#if defined(DEBUG_KRB5_TKT_RENEWAL) - new_start = time(NULL) + 30; -#else - new_start = KRB5_EVENT_REFRESH_TIME(new_start); -#endif - - gain_root_privilege(); - - if (ret) { - DEBUG(3,("krb5_ticket_refresh_handler: " - "could not renew tickets: %s\n", - error_message(ret))); - /* maybe we are beyond the renewing window */ - - /* avoid breaking the renewal chain: retry in - * lp_winbind_cache_time() seconds when the KDC was not - * available right now. */ - - if (ret == KRB5_KDC_UNREACH) { - new_start = time(NULL) + - MAX(30, lp_winbind_cache_time()); - goto done; - } - - return; - } - -done: - - entry->event = event_add_timed(winbind_event_context(), entry, - timeval_set(new_start, 0), - "krb5_ticket_refresh_handler", - krb5_ticket_refresh_handler, - entry); - -#endif -} - -/**************************************************************** - Do the work of regaining a ticket when coming from offline auth. -****************************************************************/ - -static void krb5_ticket_gain_handler(struct event_context *event_ctx, - struct timed_event *te, - const struct timeval *now, - void *private_data) -{ - struct WINBINDD_CCACHE_ENTRY *entry = - talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY); -#ifdef HAVE_KRB5 - int ret; - struct timeval t; - struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr; - struct winbindd_domain *domain = NULL; -#endif - - DEBUG(10,("krb5_ticket_gain_handler called\n")); - DEBUGADD(10,("event called for: %s, %s\n", - entry->ccname, entry->username)); - - TALLOC_FREE(entry->event); - -#ifdef HAVE_KRB5 - - if (!cred_ptr || !cred_ptr->pass) { - DEBUG(10,("krb5_ticket_gain_handler: no memory creds\n")); - return; - } - - if ((domain = find_domain_from_name(entry->realm)) == NULL) { - DEBUG(0,("krb5_ticket_gain_handler: unknown domain\n")); - return; - } - - if (!domain->online) { - goto retry_later; - } - - set_effective_uid(entry->uid); - - ret = kerberos_kinit_password_ext(entry->principal_name, - cred_ptr->pass, - 0, /* hm, can we do time correction here ? */ - &entry->refresh_time, - &entry->renew_until, - entry->ccname, - False, /* no PAC required anymore */ - True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL); - gain_root_privilege(); - - if (ret) { - DEBUG(3,("krb5_ticket_gain_handler: " - "could not kinit: %s\n", - error_message(ret))); - goto retry_later; - } - - DEBUG(10,("krb5_ticket_gain_handler: " - "successful kinit for: %s in ccache: %s\n", - entry->principal_name, entry->ccname)); - - goto got_ticket; - - retry_later: - - t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0); - - entry->event = event_add_timed(winbind_event_context(), - entry, - t, - "krb5_ticket_gain_handler", - krb5_ticket_gain_handler, - entry); - - return; - - got_ticket: - -#if defined(DEBUG_KRB5_TKT_RENEWAL) - t = timeval_set(time(NULL) + 30, 0); -#else - t = timeval_set(KRB5_EVENT_REFRESH_TIME(entry->refresh_time), 0); -#endif - - entry->event = event_add_timed(winbind_event_context(), - entry, - t, - "krb5_ticket_refresh_handler", - krb5_ticket_refresh_handler, - entry); - - return; -#endif -} - -/**************************************************************** - Check if an ccache entry exists. -****************************************************************/ - -BOOL ccache_entry_exists(const char *username) -{ - struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username); - return (entry != NULL); -} - -/**************************************************************** - Ensure we're changing the correct entry. -****************************************************************/ - -BOOL ccache_entry_identical(const char *username, - uid_t uid, - const char *ccname) -{ - struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username); - - if (!entry) { - return False; - } - - if (entry->uid != uid) { - DEBUG(0,("cache_entry_identical: uid's differ: %u != %u\n", - (unsigned int)entry->uid, (unsigned int)uid)); - return False; - } - if (!strcsequal(entry->ccname, ccname)) { - DEBUG(0,("cache_entry_identical: " - "ccnames differ: (cache) %s != (client) %s\n", - entry->ccname, ccname)); - return False; - } - return True; -} - -NTSTATUS add_ccache_to_list(const char *princ_name, - const char *ccname, - const char *service, - const char *username, - const char *realm, - uid_t uid, - time_t create_time, - time_t ticket_end, - time_t renew_until, - BOOL postponed_request) -{ - struct WINBINDD_CCACHE_ENTRY *entry = NULL; - struct timeval t; - - if ((username == NULL && princ_name == NULL) || - ccname == NULL || uid < 0) { - return NT_STATUS_INVALID_PARAMETER; - } - - if (ccache_entry_count() + 1 > MAX_CCACHES) { - DEBUG(10,("add_ccache_to_list: " - "max number of ccaches reached\n")); - return NT_STATUS_NO_MORE_ENTRIES; - } - - /* Reference count old entries */ - entry = get_ccache_by_username(username); - if (entry) { - /* Check cached entries are identical. */ - if (!ccache_entry_identical(username, uid, ccname)) { - return NT_STATUS_INVALID_PARAMETER; - } - entry->ref_count++; - DEBUG(10,("add_ccache_to_list: " - "ref count on entry %s is now %d\n", - username, entry->ref_count)); - /* FIXME: in this case we still might want to have a krb5 cred - * event handler created - gd*/ - return NT_STATUS_OK; - } - - entry = TALLOC_P(NULL, struct WINBINDD_CCACHE_ENTRY); - if (!entry) { - return NT_STATUS_NO_MEMORY; - } - - ZERO_STRUCTP(entry); - - if (username) { - entry->username = talloc_strdup(entry, username); - if (!entry->username) { - goto no_mem; - } - } - if (princ_name) { - entry->principal_name = talloc_strdup(entry, princ_name); - if (!entry->principal_name) { - goto no_mem; - } - } - if (service) { - entry->service = talloc_strdup(entry, service); - if (!entry->service) { - goto no_mem; - } - } - - entry->ccname = talloc_strdup(entry, ccname); - if (!entry->ccname) { - goto no_mem; - } - - entry->realm = talloc_strdup(entry, realm); - if (!entry->realm) { - goto no_mem; - } - - entry->create_time = create_time; - entry->renew_until = renew_until; - entry->uid = uid; - entry->ref_count = 1; - - if (!lp_winbind_refresh_tickets() || renew_until <= 0) { - goto add_entry; - } - - if (postponed_request) { - t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0); - entry->event = event_add_timed(winbind_event_context(), - entry, - t, - "krb5_ticket_gain_handler", - krb5_ticket_gain_handler, - entry); - } else { - /* Renew at 1/2 the ticket expiration time */ -#if defined(DEBUG_KRB5_TKT_RENEWAL) - t = timeval_set(time(NULL)+30, 0); -#else - t = timeval_set(KRB5_EVENT_REFRESH_TIME(ticket_end), 0); -#endif - entry->event = event_add_timed(winbind_event_context(), - entry, - t, - "krb5_ticket_refresh_handler", - krb5_ticket_refresh_handler, - entry); - } - - if (!entry->event) { - goto no_mem; - } - - DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n")); - - add_entry: - - DLIST_ADD(ccache_list, entry); - - DEBUG(10,("add_ccache_to_list: " - "added ccache [%s] for user [%s] to the list\n", - ccname, username)); - - return NT_STATUS_OK; - - no_mem: - - TALLOC_FREE(entry); - return NT_STATUS_NO_MEMORY; -} - -/******************************************************************* - Remove a WINBINDD_CCACHE_ENTRY entry and the krb5 ccache if no longer - referenced. - *******************************************************************/ - -NTSTATUS remove_ccache(const char *username) -{ - struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username); - NTSTATUS status = NT_STATUS_OK; - #ifdef HAVE_KRB5 - krb5_error_code ret; -#endif - - if (!entry) { - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - if (entry->ref_count <= 0) { - DEBUG(0,("remove_ccache: logic error. " - "ref count for user %s = %d\n", - username, entry->ref_count)); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - entry->ref_count--; - - if (entry->ref_count > 0) { - DEBUG(10,("remove_ccache: entry %s ref count now %d\n", - username, entry->ref_count)); - return NT_STATUS_OK; - } - - /* no references any more */ - - DLIST_REMOVE(ccache_list, entry); - TALLOC_FREE(entry->event); /* unregisters events */ - -#ifdef HAVE_KRB5 - ret = ads_kdestroy(entry->ccname); - - /* we ignore the error when there has been no credential cache */ - if (ret == KRB5_FCC_NOFILE) { - ret = 0; - } else if (ret) { - DEBUG(0,("remove_ccache: " - "failed to destroy user krb5 ccache %s with: %s\n", - entry->ccname, error_message(ret))); - } else { - DEBUG(10,("remove_ccache: " - "successfully destroyed krb5 ccache %s for user %s\n", - entry->ccname, username)); - } - status = krb5_to_nt_status(ret); -#endif - - TALLOC_FREE(entry); - DEBUG(10,("remove_ccache: removed ccache for user %s\n", username)); - - return status; -} - -/******************************************************************* - In memory credentials cache code. -*******************************************************************/ - -static struct WINBINDD_MEMORY_CREDS *memory_creds_list; - -/*********************************************************** - Find an entry on the list by name. -***********************************************************/ - -struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username) -{ - struct WINBINDD_MEMORY_CREDS *p; - - for (p = memory_creds_list; p; p = p->next) { - if (strequal(p->username, username)) { - return p; - } - } - return NULL; -} - -/*********************************************************** - Store the required creds and mlock them. -***********************************************************/ - -static NTSTATUS store_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp, - const char *pass) -{ -#if !defined(HAVE_MLOCK) - return NT_STATUS_OK; -#else - /* new_entry->nt_hash is the base pointer for the block - of memory pointed into by new_entry->lm_hash and - new_entry->pass (if we're storing plaintext). */ - - memcredp->len = NT_HASH_LEN + LM_HASH_LEN; - if (pass) { - memcredp->len += strlen(pass)+1; - } - - -#if defined(LINUX) - /* aligning the memory on on x86_64 and compiling - with gcc 4.1 using -O2 causes a segv in the - next memset() --jerry */ - memcredp->nt_hash = SMB_MALLOC_ARRAY(unsigned char, memcredp->len); -#else - /* On non-linux platforms, mlock()'d memory must be aligned */ - memcredp->nt_hash = SMB_MEMALIGN_ARRAY(unsigned char, - getpagesize(), memcredp->len); -#endif - if (!memcredp->nt_hash) { - return NT_STATUS_NO_MEMORY; - } - memset(memcredp->nt_hash, 0x0, memcredp->len); - - memcredp->lm_hash = memcredp->nt_hash + NT_HASH_LEN; - -#ifdef DEBUG_PASSWORD - DEBUG(10,("mlocking memory: %p\n", memcredp->nt_hash)); -#endif - if ((mlock(memcredp->nt_hash, memcredp->len)) == -1) { - DEBUG(0,("failed to mlock memory: %s (%d)\n", - strerror(errno), errno)); - SAFE_FREE(memcredp->nt_hash); - return map_nt_error_from_unix(errno); - } - -#ifdef DEBUG_PASSWORD - DEBUG(10,("mlocked memory: %p\n", memcredp->nt_hash)); -#endif - - /* Create and store the password hashes. */ - E_md4hash(pass, memcredp->nt_hash); - E_deshash(pass, memcredp->lm_hash); - - if (pass) { - memcredp->pass = (char *)memcredp->lm_hash + LM_HASH_LEN; - memcpy(memcredp->pass, pass, - memcredp->len - NT_HASH_LEN - LM_HASH_LEN); - } - - return NT_STATUS_OK; -#endif -} - -/*********************************************************** - Destroy existing creds. -***********************************************************/ - -static NTSTATUS delete_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp) -{ -#if !defined(HAVE_MUNLOCK) - return NT_STATUS_OK; -#else - if (munlock(memcredp->nt_hash, memcredp->len) == -1) { - DEBUG(0,("failed to munlock memory: %s (%d)\n", - strerror(errno), errno)); - return map_nt_error_from_unix(errno); - } - memset(memcredp->nt_hash, '\0', memcredp->len); - SAFE_FREE(memcredp->nt_hash); - memcredp->nt_hash = NULL; - memcredp->lm_hash = NULL; - memcredp->pass = NULL; - memcredp->len = 0; - return NT_STATUS_OK; -#endif -} - -/*********************************************************** - Replace the required creds with new ones (password change). -***********************************************************/ - -static NTSTATUS winbindd_replace_memory_creds_internal(struct WINBINDD_MEMORY_CREDS *memcredp, - const char *pass) -{ - NTSTATUS status = delete_memory_creds(memcredp); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - return store_memory_creds(memcredp, pass); -} - -/************************************************************* - Store credentials in memory in a list. -*************************************************************/ - -static NTSTATUS winbindd_add_memory_creds_internal(const char *username, - uid_t uid, - const char *pass) -{ - /* Shortcut to ensure we don't store if no mlock. */ -#if !defined(HAVE_MLOCK) || !defined(HAVE_MUNLOCK) - return NT_STATUS_OK; -#else - NTSTATUS status; - struct WINBINDD_MEMORY_CREDS *memcredp = NULL; - - memcredp = find_memory_creds_by_name(username); - if (uid == (uid_t)-1) { - DEBUG(0,("winbindd_add_memory_creds_internal: " - "invalid uid for user %s.\n", username)); - return NT_STATUS_INVALID_PARAMETER; - } - - if (memcredp) { - /* Already exists. Increment the reference count and replace stored creds. */ - if (uid != memcredp->uid) { - DEBUG(0,("winbindd_add_memory_creds_internal: " - "uid %u for user %s doesn't " - "match stored uid %u. Replacing.\n", - (unsigned int)uid, username, - (unsigned int)memcredp->uid)); - memcredp->uid = uid; - } - memcredp->ref_count++; - DEBUG(10,("winbindd_add_memory_creds_internal: " - "ref count for user %s is now %d\n", - username, memcredp->ref_count)); - return winbindd_replace_memory_creds_internal(memcredp, pass); - } - - memcredp = TALLOC_ZERO_P(NULL, struct WINBINDD_MEMORY_CREDS); - if (!memcredp) { - return NT_STATUS_NO_MEMORY; - } - memcredp->username = talloc_strdup(memcredp, username); - if (!memcredp->username) { - talloc_destroy(memcredp); - return NT_STATUS_NO_MEMORY; - } - - status = store_memory_creds(memcredp, pass); - if (!NT_STATUS_IS_OK(status)) { - talloc_destroy(memcredp); - return status; - } - - memcredp->uid = uid; - memcredp->ref_count = 1; - DLIST_ADD(memory_creds_list, memcredp); - - DEBUG(10,("winbindd_add_memory_creds_internal: " - "added entry for user %s\n", username)); - - return NT_STATUS_OK; -#endif -} - -/************************************************************* - Store users credentials in memory. If we also have a - struct WINBINDD_CCACHE_ENTRY for this username with a - refresh timer, then store the plaintext of the password - and associate the new credentials with the struct WINBINDD_CCACHE_ENTRY. -*************************************************************/ - -NTSTATUS winbindd_add_memory_creds(const char *username, - uid_t uid, - const char *pass) -{ - struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username); - NTSTATUS status; - - status = winbindd_add_memory_creds_internal(username, uid, pass); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - if (entry) { - struct WINBINDD_MEMORY_CREDS *memcredp = NULL; - memcredp = find_memory_creds_by_name(username); - if (memcredp) { - entry->cred_ptr = memcredp; - } - } - - return status; -} - -/************************************************************* - Decrement the in-memory ref count - delete if zero. -*************************************************************/ - -NTSTATUS winbindd_delete_memory_creds(const char *username) -{ - struct WINBINDD_MEMORY_CREDS *memcredp = NULL; - struct WINBINDD_CCACHE_ENTRY *entry = NULL; - NTSTATUS status = NT_STATUS_OK; - - memcredp = find_memory_creds_by_name(username); - entry = get_ccache_by_username(username); - - if (!memcredp) { - DEBUG(10,("winbindd_delete_memory_creds: unknown user %s\n", - username)); - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - if (memcredp->ref_count <= 0) { - DEBUG(0,("winbindd_delete_memory_creds: logic error. " - "ref count for user %s = %d\n", - username, memcredp->ref_count)); - status = NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - memcredp->ref_count--; - if (memcredp->ref_count <= 0) { - delete_memory_creds(memcredp); - DLIST_REMOVE(memory_creds_list, memcredp); - talloc_destroy(memcredp); - DEBUG(10,("winbindd_delete_memory_creds: " - "deleted entry for user %s\n", - username)); - } else { - DEBUG(10,("winbindd_delete_memory_creds: " - "entry for user %s ref_count now %d\n", - username, memcredp->ref_count)); - } - - if (entry) { - /* Ensure we have no dangling references to this. */ - entry->cred_ptr = NULL; - } - - return status; -} - -/*********************************************************** - Replace the required creds with new ones (password change). -***********************************************************/ - -NTSTATUS winbindd_replace_memory_creds(const char *username, - const char *pass) -{ - struct WINBINDD_MEMORY_CREDS *memcredp = NULL; - - memcredp = find_memory_creds_by_name(username); - if (!memcredp) { - DEBUG(10,("winbindd_replace_memory_creds: unknown user %s\n", - username)); - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - DEBUG(10,("winbindd_replace_memory_creds: replaced creds for user %s\n", - username)); - - return winbindd_replace_memory_creds_internal(memcredp, pass); -} diff --git a/source3/nsswitch/winbindd_creds.c b/source3/nsswitch/winbindd_creds.c deleted file mode 100644 index 62facb6769..0000000000 --- a/source3/nsswitch/winbindd_creds.c +++ /dev/null @@ -1,162 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon - cached credentials funcions - - Copyright (C) Guenther Deschner 2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -#define MAX_CACHED_LOGINS 10 - -NTSTATUS winbindd_get_creds(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - NET_USER_INFO_3 **info3, - const uint8 *cached_nt_pass[NT_HASH_LEN], - const uint8 *cred_salt[NT_HASH_LEN]) -{ - NET_USER_INFO_3 *info; - NTSTATUS status; - - status = wcache_get_creds(domain, mem_ctx, sid, cached_nt_pass, cred_salt); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - info = netsamlogon_cache_get(mem_ctx, sid); - if (info == NULL) { - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - *info3 = info; - - return NT_STATUS_OK; -} - - -NTSTATUS winbindd_store_creds(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const char *user, - const char *pass, - NET_USER_INFO_3 *info3, - const DOM_SID *user_sid) -{ - NTSTATUS status; - uchar nt_pass[NT_HASH_LEN]; - DOM_SID cred_sid; - - if (info3 != NULL) { - - DOM_SID sid; - sid_copy(&sid, &(info3->dom_sid.sid)); - sid_append_rid(&sid, info3->user_rid); - sid_copy(&cred_sid, &sid); - info3->user_flgs |= LOGON_CACHED_ACCOUNT; - - } else if (user_sid != NULL) { - - sid_copy(&cred_sid, user_sid); - - } else if (user != NULL) { - - /* do lookup ourself */ - - enum lsa_SidType type; - - if (!lookup_cached_name(mem_ctx, - domain->name, - user, - &cred_sid, - &type)) { - return NT_STATUS_NO_SUCH_USER; - } - } else { - return NT_STATUS_INVALID_PARAMETER; - } - - if (pass) { - - int count = 0; - - status = wcache_count_cached_creds(domain, &count); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - DEBUG(11,("we have %d cached creds\n", count)); - - if (count + 1 > MAX_CACHED_LOGINS) { - - DEBUG(10,("need to delete the oldest cached login\n")); - - status = wcache_remove_oldest_cached_creds(domain, &cred_sid); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("failed to remove oldest cached cred: %s\n", - nt_errstr(status))); - return status; - } - } - - E_md4hash(pass, nt_pass); - - dump_data_pw("nt_pass", nt_pass, NT_HASH_LEN); - - status = wcache_save_creds(domain, mem_ctx, &cred_sid, nt_pass); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - } - - if (info3 != NULL && user != NULL) { - if (!netsamlogon_cache_store(user, info3)) { - return NT_STATUS_ACCESS_DENIED; - } - } - - return NT_STATUS_OK; -} - -NTSTATUS winbindd_update_creds_by_info3(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const char *user, - const char *pass, - NET_USER_INFO_3 *info3) -{ - return winbindd_store_creds(domain, mem_ctx, user, pass, info3, NULL); -} - -NTSTATUS winbindd_update_creds_by_sid(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - const char *pass) -{ - return winbindd_store_creds(domain, mem_ctx, NULL, pass, NULL, sid); -} - -NTSTATUS winbindd_update_creds_by_name(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const char *user, - const char *pass) -{ - return winbindd_store_creds(domain, mem_ctx, user, pass, NULL, NULL); -} - - diff --git a/source3/nsswitch/winbindd_dual.c b/source3/nsswitch/winbindd_dual.c deleted file mode 100644 index 67cf6abc2b..0000000000 --- a/source3/nsswitch/winbindd_dual.c +++ /dev/null @@ -1,1130 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind child daemons - - Copyright (C) Andrew Tridgell 2002 - Copyright (C) Volker Lendecke 2004,2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -/* - * We fork a child per domain to be able to act non-blocking in the main - * winbind daemon. A domain controller thousands of miles away being being - * slow replying with a 10.000 user list should not hold up netlogon calls - * that can be handled locally. - */ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -extern BOOL override_logfile; - -/* Read some data from a client connection */ - -static void child_read_request(struct winbindd_cli_state *state) -{ - ssize_t len; - - /* Read data */ - - len = read_data(state->sock, (char *)&state->request, - sizeof(state->request)); - - if (len != sizeof(state->request)) { - DEBUG(len > 0 ? 0 : 3, ("Got invalid request length: %d\n", (int)len)); - state->finished = True; - return; - } - - if (state->request.extra_len == 0) { - state->request.extra_data.data = NULL; - return; - } - - DEBUG(10, ("Need to read %d extra bytes\n", (int)state->request.extra_len)); - - state->request.extra_data.data = - SMB_MALLOC_ARRAY(char, state->request.extra_len + 1); - - if (state->request.extra_data.data == NULL) { - DEBUG(0, ("malloc failed\n")); - state->finished = True; - return; - } - - /* Ensure null termination */ - state->request.extra_data.data[state->request.extra_len] = '\0'; - - len = read_data(state->sock, state->request.extra_data.data, - state->request.extra_len); - - if (len != state->request.extra_len) { - DEBUG(0, ("Could not read extra data\n")); - state->finished = True; - return; - } -} - -/* - * Machinery for async requests sent to children. You set up a - * winbindd_request, select a child to query, and issue a async_request - * call. When the request is completed, the callback function you specified is - * called back with the private pointer you gave to async_request. - */ - -struct winbindd_async_request { - struct winbindd_async_request *next, *prev; - TALLOC_CTX *mem_ctx; - struct winbindd_child *child; - struct winbindd_request *request; - struct winbindd_response *response; - void (*continuation)(void *private_data, BOOL success); - struct timed_event *reply_timeout_event; - pid_t child_pid; /* pid of the child we're waiting on. Used to detect - a restart of the child (child->pid != child_pid). */ - void *private_data; -}; - -static void async_main_request_sent(void *private_data, BOOL success); -static void async_request_sent(void *private_data, BOOL success); -static void async_reply_recv(void *private_data, BOOL success); -static void schedule_async_request(struct winbindd_child *child); - -void async_request(TALLOC_CTX *mem_ctx, struct winbindd_child *child, - struct winbindd_request *request, - struct winbindd_response *response, - void (*continuation)(void *private_data, BOOL success), - void *private_data) -{ - struct winbindd_async_request *state; - - SMB_ASSERT(continuation != NULL); - - state = TALLOC_P(mem_ctx, struct winbindd_async_request); - - if (state == NULL) { - DEBUG(0, ("talloc failed\n")); - continuation(private_data, False); - return; - } - - state->mem_ctx = mem_ctx; - state->child = child; - state->request = request; - state->response = response; - state->continuation = continuation; - state->private_data = private_data; - - DLIST_ADD_END(child->requests, state, struct winbindd_async_request *); - - schedule_async_request(child); - - return; -} - -static void async_main_request_sent(void *private_data, BOOL success) -{ - struct winbindd_async_request *state = - talloc_get_type_abort(private_data, struct winbindd_async_request); - - if (!success) { - DEBUG(5, ("Could not send async request\n")); - - state->response->length = sizeof(struct winbindd_response); - state->response->result = WINBINDD_ERROR; - state->continuation(state->private_data, False); - return; - } - - if (state->request->extra_len == 0) { - async_request_sent(private_data, True); - return; - } - - setup_async_write(&state->child->event, state->request->extra_data.data, - state->request->extra_len, - async_request_sent, state); -} - -/**************************************************************** - Handler triggered if the child winbindd doesn't respond within - a given timeout. -****************************************************************/ - -static void async_request_timeout_handler(struct event_context *ctx, - struct timed_event *te, - const struct timeval *now, - void *private_data) -{ - struct winbindd_async_request *state = - talloc_get_type_abort(private_data, struct winbindd_async_request); - - DEBUG(0,("async_request_timeout_handler: child pid %u is not responding. " - "Closing connection to it.\n", - state->child_pid )); - - /* Deal with the reply - set to error. */ - async_reply_recv(private_data, False); -} - -/************************************************************** - Common function called on both async send and recv fail. - Cleans up the child and schedules the next request. -**************************************************************/ - -static void async_request_fail(struct winbindd_async_request *state) -{ - DLIST_REMOVE(state->child->requests, state); - - TALLOC_FREE(state->reply_timeout_event); - - SMB_ASSERT(state->child_pid != (pid_t)0); - - /* If not already reaped, send kill signal to child. */ - if (state->child->pid == state->child_pid) { - kill(state->child_pid, SIGTERM); - - /* - * Close the socket to the child. - */ - winbind_child_died(state->child_pid); - } - - state->response->length = sizeof(struct winbindd_response); - state->response->result = WINBINDD_ERROR; - state->continuation(state->private_data, False); -} - -static void async_request_sent(void *private_data_data, BOOL success) -{ - struct winbindd_async_request *state = - talloc_get_type_abort(private_data_data, struct winbindd_async_request); - - if (!success) { - DEBUG(5, ("Could not send async request to child pid %u\n", - (unsigned int)state->child_pid )); - async_request_fail(state); - return; - } - - /* Request successfully sent to the child, setup the wait for reply */ - - setup_async_read(&state->child->event, - &state->response->result, - sizeof(state->response->result), - async_reply_recv, state); - - /* - * Set up a timeout of 300 seconds for the response. - * If we don't get it close the child socket and - * report failure. - */ - - state->reply_timeout_event = event_add_timed(winbind_event_context(), - NULL, - timeval_current_ofs(300,0), - "async_request_timeout", - async_request_timeout_handler, - state); - if (!state->reply_timeout_event) { - smb_panic("async_request_sent: failed to add timeout handler.\n"); - } -} - -static void async_reply_recv(void *private_data, BOOL success) -{ - struct winbindd_async_request *state = - talloc_get_type_abort(private_data, struct winbindd_async_request); - struct winbindd_child *child = state->child; - - TALLOC_FREE(state->reply_timeout_event); - - state->response->length = sizeof(struct winbindd_response); - - if (!success) { - DEBUG(5, ("Could not receive async reply from child pid %u\n", - (unsigned int)state->child_pid )); - - cache_cleanup_response(state->child_pid); - async_request_fail(state); - return; - } - - SMB_ASSERT(cache_retrieve_response(state->child_pid, - state->response)); - - cache_cleanup_response(state->child_pid); - - DLIST_REMOVE(child->requests, state); - - schedule_async_request(child); - - state->continuation(state->private_data, True); -} - -static BOOL fork_domain_child(struct winbindd_child *child); - -static void schedule_async_request(struct winbindd_child *child) -{ - struct winbindd_async_request *request = child->requests; - - if (request == NULL) { - return; - } - - if (child->event.flags != 0) { - return; /* Busy */ - } - - if ((child->pid == 0) && (!fork_domain_child(child))) { - /* Cancel all outstanding requests */ - - while (request != NULL) { - /* request might be free'd in the continuation */ - struct winbindd_async_request *next = request->next; - request->continuation(request->private_data, False); - request = next; - } - return; - } - - /* Now we know who we're sending to - remember the pid. */ - request->child_pid = child->pid; - - setup_async_write(&child->event, request->request, - sizeof(*request->request), - async_main_request_sent, request); - - return; -} - -struct domain_request_state { - TALLOC_CTX *mem_ctx; - struct winbindd_domain *domain; - struct winbindd_request *request; - struct winbindd_response *response; - void (*continuation)(void *private_data_data, BOOL success); - void *private_data_data; -}; - -static void domain_init_recv(void *private_data_data, BOOL success); - -void async_domain_request(TALLOC_CTX *mem_ctx, - struct winbindd_domain *domain, - struct winbindd_request *request, - struct winbindd_response *response, - void (*continuation)(void *private_data_data, BOOL success), - void *private_data_data) -{ - struct domain_request_state *state; - - if (domain->initialized) { - async_request(mem_ctx, &domain->child, request, response, - continuation, private_data_data); - return; - } - - state = TALLOC_P(mem_ctx, struct domain_request_state); - if (state == NULL) { - DEBUG(0, ("talloc failed\n")); - continuation(private_data_data, False); - return; - } - - state->mem_ctx = mem_ctx; - state->domain = domain; - state->request = request; - state->response = response; - state->continuation = continuation; - state->private_data_data = private_data_data; - - init_child_connection(domain, domain_init_recv, state); -} - -static void domain_init_recv(void *private_data_data, BOOL success) -{ - struct domain_request_state *state = - talloc_get_type_abort(private_data_data, struct domain_request_state); - - if (!success) { - DEBUG(5, ("Domain init returned an error\n")); - state->continuation(state->private_data_data, False); - return; - } - - async_request(state->mem_ctx, &state->domain->child, - state->request, state->response, - state->continuation, state->private_data_data); -} - -static void recvfrom_child(void *private_data_data, BOOL success) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data_data, struct winbindd_cli_state); - enum winbindd_result result = state->response.result; - - /* This is an optimization: The child has written directly to the - * response buffer. The request itself is still in pending state, - * state that in the result code. */ - - state->response.result = WINBINDD_PENDING; - - if ((!success) || (result != WINBINDD_OK)) { - request_error(state); - return; - } - - request_ok(state); -} - -void sendto_child(struct winbindd_cli_state *state, - struct winbindd_child *child) -{ - async_request(state->mem_ctx, child, &state->request, - &state->response, recvfrom_child, state); -} - -void sendto_domain(struct winbindd_cli_state *state, - struct winbindd_domain *domain) -{ - async_domain_request(state->mem_ctx, domain, - &state->request, &state->response, - recvfrom_child, state); -} - - -struct winbindd_child_dispatch_table { - enum winbindd_cmd cmd; - enum winbindd_result (*fn)(struct winbindd_domain *domain, - struct winbindd_cli_state *state); - const char *winbindd_cmd_name; -}; - -static struct winbindd_child_dispatch_table child_dispatch_table[] = { - - { WINBINDD_LOOKUPSID, winbindd_dual_lookupsid, "LOOKUPSID" }, - { WINBINDD_LOOKUPNAME, winbindd_dual_lookupname, "LOOKUPNAME" }, - { WINBINDD_LOOKUPRIDS, winbindd_dual_lookuprids, "LOOKUPRIDS" }, - { WINBINDD_LIST_TRUSTDOM, winbindd_dual_list_trusted_domains, "LIST_TRUSTDOM" }, - { WINBINDD_INIT_CONNECTION, winbindd_dual_init_connection, "INIT_CONNECTION" }, - { WINBINDD_GETDCNAME, winbindd_dual_getdcname, "GETDCNAME" }, - { WINBINDD_DSGETDCNAME, winbindd_dual_dsgetdcname, "DSGETDCNAME" }, - { WINBINDD_SHOW_SEQUENCE, winbindd_dual_show_sequence, "SHOW_SEQUENCE" }, - { WINBINDD_PAM_AUTH, winbindd_dual_pam_auth, "PAM_AUTH" }, - { WINBINDD_PAM_AUTH_CRAP, winbindd_dual_pam_auth_crap, "AUTH_CRAP" }, - { WINBINDD_PAM_LOGOFF, winbindd_dual_pam_logoff, "PAM_LOGOFF" }, - { WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,winbindd_dual_pam_chng_pswd_auth_crap,"CHNG_PSWD_AUTH_CRAP" }, - { WINBINDD_PAM_CHAUTHTOK, winbindd_dual_pam_chauthtok, "PAM_CHAUTHTOK" }, - { WINBINDD_CHECK_MACHACC, winbindd_dual_check_machine_acct, "CHECK_MACHACC" }, - { WINBINDD_DUAL_SID2UID, winbindd_dual_sid2uid, "DUAL_SID2UID" }, - { WINBINDD_DUAL_SID2GID, winbindd_dual_sid2gid, "DUAL_SID2GID" }, -#if 0 /* DISABLED until we fix the interface in Samba 3.0.26 --jerry */ - { WINBINDD_DUAL_SIDS2XIDS, winbindd_dual_sids2xids, "DUAL_SIDS2XIDS" }, -#endif /* end DISABLED */ - { WINBINDD_DUAL_UID2SID, winbindd_dual_uid2sid, "DUAL_UID2SID" }, - { WINBINDD_DUAL_GID2SID, winbindd_dual_gid2sid, "DUAL_GID2SID" }, - { WINBINDD_DUAL_UID2NAME, winbindd_dual_uid2name, "DUAL_UID2NAME" }, - { WINBINDD_DUAL_NAME2UID, winbindd_dual_name2uid, "DUAL_NAME2UID" }, - { WINBINDD_DUAL_GID2NAME, winbindd_dual_gid2name, "DUAL_GID2NAME" }, - { WINBINDD_DUAL_NAME2GID, winbindd_dual_name2gid, "DUAL_NAME2GID" }, - { WINBINDD_DUAL_SET_MAPPING, winbindd_dual_set_mapping, "DUAL_SET_MAPPING" }, - { WINBINDD_DUAL_SET_HWM, winbindd_dual_set_hwm, "DUAL_SET_HWMS" }, - { WINBINDD_DUAL_DUMP_MAPS, winbindd_dual_dump_maps, "DUAL_DUMP_MAPS" }, - { WINBINDD_DUAL_USERINFO, winbindd_dual_userinfo, "DUAL_USERINFO" }, - { WINBINDD_ALLOCATE_UID, winbindd_dual_allocate_uid, "ALLOCATE_UID" }, - { WINBINDD_ALLOCATE_GID, winbindd_dual_allocate_gid, "ALLOCATE_GID" }, - { WINBINDD_GETUSERDOMGROUPS, winbindd_dual_getuserdomgroups, "GETUSERDOMGROUPS" }, - { WINBINDD_DUAL_GETSIDALIASES, winbindd_dual_getsidaliases, "GETSIDALIASES" }, - { WINBINDD_CCACHE_NTLMAUTH, winbindd_dual_ccache_ntlm_auth, "CCACHE_NTLM_AUTH" }, - /* End of list */ - - { WINBINDD_NUM_CMDS, NULL, "NONE" } -}; - -static void child_process_request(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - struct winbindd_child_dispatch_table *table; - - /* Free response data - we may be interrupted and receive another - command before being able to send this data off. */ - - state->response.result = WINBINDD_ERROR; - state->response.length = sizeof(struct winbindd_response); - - /* as all requests in the child are sync, we can use talloc_tos() */ - state->mem_ctx = talloc_tos(); - - /* Process command */ - - for (table = child_dispatch_table; table->fn; table++) { - if (state->request.cmd == table->cmd) { - DEBUG(10,("process_request: request fn %s\n", - table->winbindd_cmd_name )); - state->response.result = table->fn(domain, state); - break; - } - } - - if (!table->fn) { - DEBUG(10,("process_request: unknown request fn number %d\n", - (int)state->request.cmd )); - state->response.result = WINBINDD_ERROR; - } -} - -void setup_domain_child(struct winbindd_domain *domain, - struct winbindd_child *child, - const char *explicit_logfile) -{ - if (explicit_logfile != NULL) { - pstr_sprintf(child->logfilename, "%s/log.winbindd-%s", - dyn_LOGFILEBASE, explicit_logfile); - } else if (domain != NULL) { - pstr_sprintf(child->logfilename, "%s/log.wb-%s", - dyn_LOGFILEBASE, domain->name); - } else { - smb_panic("Internal error: domain == NULL && " - "explicit_logfile == NULL"); - } - - child->domain = domain; -} - -struct winbindd_child *children = NULL; - -void winbind_child_died(pid_t pid) -{ - struct winbindd_child *child; - - for (child = children; child != NULL; child = child->next) { - if (child->pid == pid) { - break; - } - } - - if (child == NULL) { - DEBUG(5, ("Already reaped child %u died\n", (unsigned int)pid)); - return; - } - - remove_fd_event(&child->event); - close(child->event.fd); - child->event.fd = 0; - child->event.flags = 0; - child->pid = 0; - - schedule_async_request(child); -} - -/* Ensure any negative cache entries with the netbios or realm names are removed. */ - -void winbindd_flush_negative_conn_cache(struct winbindd_domain *domain) -{ - flush_negative_conn_cache_for_domain(domain->name); - if (*domain->alt_name) { - flush_negative_conn_cache_for_domain(domain->alt_name); - } -} - -/* Set our domains as offline and forward the offline message to our children. */ - -void winbind_msg_offline(struct messaging_context *msg_ctx, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - struct winbindd_child *child; - struct winbindd_domain *domain; - - DEBUG(10,("winbind_msg_offline: got offline message.\n")); - - if (!lp_winbind_offline_logon()) { - DEBUG(10,("winbind_msg_offline: rejecting offline message.\n")); - return; - } - - /* Set our global state as offline. */ - if (!set_global_winbindd_state_offline()) { - DEBUG(10,("winbind_msg_offline: offline request failed.\n")); - return; - } - - /* Set all our domains as offline. */ - for (domain = domain_list(); domain; domain = domain->next) { - if (domain->internal) { - continue; - } - DEBUG(5,("winbind_msg_offline: marking %s offline.\n", domain->name)); - set_domain_offline(domain); - } - - for (child = children; child != NULL; child = child->next) { - /* Don't send message to internal childs. We've already - done so above. */ - if (!child->domain || winbindd_internal_child(child)) { - continue; - } - - /* Or internal domains (this should not be possible....) */ - if (child->domain->internal) { - continue; - } - - /* Each winbindd child should only process requests for one domain - make sure - we only set it online / offline for that domain. */ - - DEBUG(10,("winbind_msg_offline: sending message to pid %u for domain %s.\n", - (unsigned int)child->pid, domain->name )); - - messaging_send_buf(msg_ctx, pid_to_procid(child->pid), - MSG_WINBIND_OFFLINE, - (uint8 *)child->domain->name, - strlen(child->domain->name)+1); - } -} - -/* Set our domains as online and forward the online message to our children. */ - -void winbind_msg_online(struct messaging_context *msg_ctx, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - struct winbindd_child *child; - struct winbindd_domain *domain; - - DEBUG(10,("winbind_msg_online: got online message.\n")); - - if (!lp_winbind_offline_logon()) { - DEBUG(10,("winbind_msg_online: rejecting online message.\n")); - return; - } - - /* Set our global state as online. */ - set_global_winbindd_state_online(); - - smb_nscd_flush_user_cache(); - smb_nscd_flush_group_cache(); - - /* Set all our domains as online. */ - for (domain = domain_list(); domain; domain = domain->next) { - if (domain->internal) { - continue; - } - DEBUG(5,("winbind_msg_online: requesting %s to go online.\n", domain->name)); - - winbindd_flush_negative_conn_cache(domain); - set_domain_online_request(domain); - - /* Send an online message to the idmap child when our - primary domain comes back online */ - - if ( domain->primary ) { - struct winbindd_child *idmap = idmap_child(); - - if ( idmap->pid != 0 ) { - messaging_send_buf(msg_ctx, - pid_to_procid(idmap->pid), - MSG_WINBIND_ONLINE, - (uint8 *)domain->name, - strlen(domain->name)+1); - } - - } - } - - for (child = children; child != NULL; child = child->next) { - /* Don't send message to internal childs. */ - if (!child->domain || winbindd_internal_child(child)) { - continue; - } - - /* Or internal domains (this should not be possible....) */ - if (child->domain->internal) { - continue; - } - - /* Each winbindd child should only process requests for one domain - make sure - we only set it online / offline for that domain. */ - - DEBUG(10,("winbind_msg_online: sending message to pid %u for domain %s.\n", - (unsigned int)child->pid, child->domain->name )); - - messaging_send_buf(msg_ctx, pid_to_procid(child->pid), - MSG_WINBIND_ONLINE, - (uint8 *)child->domain->name, - strlen(child->domain->name)+1); - } -} - -/* Forward the online/offline messages to our children. */ -void winbind_msg_onlinestatus(struct messaging_context *msg_ctx, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - struct winbindd_child *child; - - DEBUG(10,("winbind_msg_onlinestatus: got onlinestatus message.\n")); - - for (child = children; child != NULL; child = child->next) { - if (child->domain && child->domain->primary) { - DEBUG(10,("winbind_msg_onlinestatus: " - "sending message to pid %u of primary domain.\n", - (unsigned int)child->pid)); - messaging_send_buf(msg_ctx, pid_to_procid(child->pid), - MSG_WINBIND_ONLINESTATUS, - (uint8 *)data->data, - data->length); - break; - } - } -} - -void winbind_msg_dump_event_list(struct messaging_context *msg_ctx, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - struct winbindd_child *child; - - DEBUG(10,("winbind_msg_dump_event_list received\n")); - - dump_event_list(winbind_event_context()); - - for (child = children; child != NULL; child = child->next) { - - DEBUG(10,("winbind_msg_dump_event_list: sending message to pid %u\n", - (unsigned int)child->pid)); - - messaging_send_buf(msg_ctx, pid_to_procid(child->pid), - MSG_DUMP_EVENT_LIST, - NULL, 0); - } - -} - -static void account_lockout_policy_handler(struct event_context *ctx, - struct timed_event *te, - const struct timeval *now, - void *private_data) -{ - struct winbindd_child *child = - (struct winbindd_child *)private_data; - TALLOC_CTX *mem_ctx = NULL; - struct winbindd_methods *methods; - SAM_UNK_INFO_12 lockout_policy; - NTSTATUS result; - - DEBUG(10,("account_lockout_policy_handler called\n")); - - TALLOC_FREE(child->lockout_policy_event); - - if ( !winbindd_can_contact_domain( child->domain ) ) { - DEBUG(10,("account_lockout_policy_handler: Removing myself since I " - "do not have an incoming trust to domain %s\n", - child->domain->name)); - - return; - } - - methods = child->domain->methods; - - mem_ctx = talloc_init("account_lockout_policy_handler ctx"); - if (!mem_ctx) { - result = NT_STATUS_NO_MEMORY; - } else { - result = methods->lockout_policy(child->domain, mem_ctx, &lockout_policy); - } - TALLOC_FREE(mem_ctx); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("account_lockout_policy_handler: lockout_policy failed error %s\n", - nt_errstr(result))); - } - - child->lockout_policy_event = event_add_timed(winbind_event_context(), NULL, - timeval_current_ofs(3600, 0), - "account_lockout_policy_handler", - account_lockout_policy_handler, - child); -} - -/* Deal with a request to go offline. */ - -static void child_msg_offline(struct messaging_context *msg, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - struct winbindd_domain *domain; - const char *domainname = (const char *)data->data; - - if (data->data == NULL || data->length == 0) { - return; - } - - DEBUG(5,("child_msg_offline received for domain %s.\n", domainname)); - - if (!lp_winbind_offline_logon()) { - DEBUG(10,("child_msg_offline: rejecting offline message.\n")); - return; - } - - /* Mark the requested domain offline. */ - - for (domain = domain_list(); domain; domain = domain->next) { - if (domain->internal) { - continue; - } - if (strequal(domain->name, domainname)) { - DEBUG(5,("child_msg_offline: marking %s offline.\n", domain->name)); - set_domain_offline(domain); - } - } -} - -/* Deal with a request to go online. */ - -static void child_msg_online(struct messaging_context *msg, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - struct winbindd_domain *domain; - const char *domainname = (const char *)data->data; - - if (data->data == NULL || data->length == 0) { - return; - } - - DEBUG(5,("child_msg_online received for domain %s.\n", domainname)); - - if (!lp_winbind_offline_logon()) { - DEBUG(10,("child_msg_online: rejecting online message.\n")); - return; - } - - /* Set our global state as online. */ - set_global_winbindd_state_online(); - - /* Try and mark everything online - delete any negative cache entries - to force a reconnect now. */ - - for (domain = domain_list(); domain; domain = domain->next) { - if (domain->internal) { - continue; - } - if (strequal(domain->name, domainname)) { - DEBUG(5,("child_msg_online: requesting %s to go online.\n", domain->name)); - winbindd_flush_negative_conn_cache(domain); - set_domain_online_request(domain); - } - } -} - -static const char *collect_onlinestatus(TALLOC_CTX *mem_ctx) -{ - struct winbindd_domain *domain; - char *buf = NULL; - - if ((buf = talloc_asprintf(mem_ctx, "global:%s ", - get_global_winbindd_state_offline() ? - "Offline":"Online")) == NULL) { - return NULL; - } - - for (domain = domain_list(); domain; domain = domain->next) { - if ((buf = talloc_asprintf_append(buf, "%s:%s ", - domain->name, - domain->online ? - "Online":"Offline")) == NULL) { - return NULL; - } - } - - buf = talloc_asprintf_append(buf, "\n"); - - DEBUG(5,("collect_onlinestatus: %s", buf)); - - return buf; -} - -static void child_msg_onlinestatus(struct messaging_context *msg_ctx, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - TALLOC_CTX *mem_ctx; - const char *message; - struct server_id *sender; - - DEBUG(5,("winbind_msg_onlinestatus received.\n")); - - if (!data->data) { - return; - } - - sender = (struct server_id *)data->data; - - mem_ctx = talloc_init("winbind_msg_onlinestatus"); - if (mem_ctx == NULL) { - return; - } - - message = collect_onlinestatus(mem_ctx); - if (message == NULL) { - talloc_destroy(mem_ctx); - return; - } - - messaging_send_buf(msg_ctx, *sender, MSG_WINBIND_ONLINESTATUS, - (uint8 *)message, strlen(message) + 1); - - talloc_destroy(mem_ctx); -} - -static void child_msg_dump_event_list(struct messaging_context *msg, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - DEBUG(5,("child_msg_dump_event_list received\n")); - - dump_event_list(winbind_event_context()); -} - - -static BOOL fork_domain_child(struct winbindd_child *child) -{ - int fdpair[2]; - struct winbindd_cli_state state; - struct winbindd_domain *domain; - - if (socketpair(AF_UNIX, SOCK_STREAM, 0, fdpair) != 0) { - DEBUG(0, ("Could not open child pipe: %s\n", - strerror(errno))); - return False; - } - - ZERO_STRUCT(state); - state.pid = sys_getpid(); - - /* Stop zombies */ - CatchChild(); - - child->pid = sys_fork(); - - if (child->pid == -1) { - DEBUG(0, ("Could not fork: %s\n", strerror(errno))); - return False; - } - - if (child->pid != 0) { - /* Parent */ - close(fdpair[0]); - child->next = child->prev = NULL; - DLIST_ADD(children, child); - child->event.fd = fdpair[1]; - child->event.flags = 0; - child->requests = NULL; - add_fd_event(&child->event); - return True; - } - - /* Child */ - - state.sock = fdpair[0]; - close(fdpair[1]); - - /* tdb needs special fork handling */ - if (tdb_reopen_all(1) == -1) { - DEBUG(0,("tdb_reopen_all failed.\n")); - _exit(0); - } - - close_conns_after_fork(); - - if (!override_logfile) { - lp_set_logfile(child->logfilename); - reopen_logs(); - } - - /* - * For clustering, we need to re-init our ctdbd connection after the - * fork - */ - if (!NT_STATUS_IS_OK(messaging_reinit(winbind_messaging_context()))) - exit(1); - - /* Don't handle the same messages as our parent. */ - messaging_deregister(winbind_messaging_context(), - MSG_SMB_CONF_UPDATED, NULL); - messaging_deregister(winbind_messaging_context(), - MSG_SHUTDOWN, NULL); - messaging_deregister(winbind_messaging_context(), - MSG_WINBIND_OFFLINE, NULL); - messaging_deregister(winbind_messaging_context(), - MSG_WINBIND_ONLINE, NULL); - messaging_deregister(winbind_messaging_context(), - MSG_WINBIND_ONLINESTATUS, NULL); - messaging_deregister(winbind_messaging_context(), - MSG_DUMP_EVENT_LIST, NULL); - - /* Handle online/offline messages. */ - messaging_register(winbind_messaging_context(), NULL, - MSG_WINBIND_OFFLINE, child_msg_offline); - messaging_register(winbind_messaging_context(), NULL, - MSG_WINBIND_ONLINE, child_msg_online); - messaging_register(winbind_messaging_context(), NULL, - MSG_WINBIND_ONLINESTATUS, child_msg_onlinestatus); - messaging_register(winbind_messaging_context(), NULL, - MSG_DUMP_EVENT_LIST, child_msg_dump_event_list); - - if ( child->domain ) { - child->domain->startup = True; - child->domain->startup_time = time(NULL); - } - - /* Ensure we have no pending check_online events other - than one for this domain. */ - - for (domain = domain_list(); domain; domain = domain->next) { - if (domain != child->domain) { - TALLOC_FREE(domain->check_online_event); - } - } - - /* Ensure we're not handling an event inherited from - our parent. */ - - cancel_named_event(winbind_event_context(), - "krb5_ticket_refresh_handler"); - - /* We might be in the idmap child...*/ - if (child->domain && !(child->domain->internal) && - lp_winbind_offline_logon()) { - - set_domain_online_request(child->domain); - - child->lockout_policy_event = event_add_timed( - winbind_event_context(), NULL, timeval_zero(), - "account_lockout_policy_handler", - account_lockout_policy_handler, - child); - } - - while (1) { - - int ret; - fd_set read_fds; - struct timeval t; - struct timeval *tp; - struct timeval now; - TALLOC_CTX *frame = talloc_stackframe(); - - run_events(winbind_event_context(), 0, NULL, NULL); - - GetTimeOfDay(&now); - - if (child->domain && child->domain->startup && - (now.tv_sec > child->domain->startup_time + 30)) { - /* No longer in "startup" mode. */ - DEBUG(10,("fork_domain_child: domain %s no longer in 'startup' mode.\n", - child->domain->name )); - child->domain->startup = False; - } - - tp = get_timed_events_timeout(winbind_event_context(), &t); - if (tp) { - DEBUG(11,("select will use timeout of %u.%u seconds\n", - (unsigned int)tp->tv_sec, (unsigned int)tp->tv_usec )); - } - - /* Handle messages */ - - message_dispatch(winbind_messaging_context()); - - FD_ZERO(&read_fds); - FD_SET(state.sock, &read_fds); - - ret = sys_select(state.sock + 1, &read_fds, NULL, NULL, tp); - - if (ret == 0) { - DEBUG(11,("nothing is ready yet, continue\n")); - TALLOC_FREE(frame); - continue; - } - - if (ret == -1 && errno == EINTR) { - /* We got a signal - continue. */ - TALLOC_FREE(frame); - continue; - } - - if (ret == -1 && errno != EINTR) { - DEBUG(0,("select error occured\n")); - TALLOC_FREE(frame); - perror("select"); - return False; - } - - /* fetch a request from the main daemon */ - child_read_request(&state); - - if (state.finished) { - /* we lost contact with our parent */ - exit(0); - } - - DEBUG(4,("child daemon request %d\n", (int)state.request.cmd)); - - ZERO_STRUCT(state.response); - state.request.null_term = '\0'; - child_process_request(child->domain, &state); - - SAFE_FREE(state.request.extra_data.data); - - cache_store_response(sys_getpid(), &state.response); - - SAFE_FREE(state.response.extra_data.data); - - /* We just send the result code back, the result - * structure needs to be fetched via the - * winbindd_cache. Hmm. That needs fixing... */ - - if (write_data(state.sock, - (const char *)&state.response.result, - sizeof(state.response.result)) != - sizeof(state.response.result)) { - DEBUG(0, ("Could not write result\n")); - exit(1); - } - TALLOC_FREE(frame); - } -} diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c deleted file mode 100644 index 9a4b02f734..0000000000 --- a/source3/nsswitch/winbindd_group.c +++ /dev/null @@ -1,1746 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon for ntdom nss module - - Copyright (C) Tim Potter 2000 - Copyright (C) Jeremy Allison 2001. - Copyright (C) Gerald (Jerry) Carter 2003. - Copyright (C) Volker Lendecke 2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -extern BOOL opt_nocache; - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -static void add_member(const char *domain, const char *user, - char **pp_members, size_t *p_num_members) -{ - fstring name; - - fill_domain_username(name, domain, user, True); - safe_strcat(name, ",", sizeof(name)-1); - string_append(pp_members, name); - *p_num_members += 1; -} - -/********************************************************************** - Add member users resulting from sid. Expand if it is a domain group. -**********************************************************************/ - -static void add_expanded_sid(const DOM_SID *sid, char **pp_members, size_t *p_num_members) -{ - DOM_SID dom_sid; - uint32 rid; - struct winbindd_domain *domain; - size_t i; - - char *domain_name = NULL; - char *name = NULL; - enum lsa_SidType type; - - uint32 num_names; - DOM_SID *sid_mem; - char **names; - uint32 *types; - - NTSTATUS result; - - TALLOC_CTX *mem_ctx = talloc_init("add_expanded_sid"); - - if (mem_ctx == NULL) { - DEBUG(1, ("talloc_init failed\n")); - return; - } - - sid_copy(&dom_sid, sid); - sid_split_rid(&dom_sid, &rid); - - domain = find_lookup_domain_from_sid(sid); - - if (domain == NULL) { - DEBUG(3, ("Could not find domain for sid %s\n", - sid_string_static(sid))); - goto done; - } - - result = domain->methods->sid_to_name(domain, mem_ctx, sid, - &domain_name, &name, &type); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(3, ("sid_to_name failed for sid %s\n", - sid_string_static(sid))); - goto done; - } - - DEBUG(10, ("Found name %s, type %d\n", name, type)); - - if (type == SID_NAME_USER) { - add_member(domain_name, name, pp_members, p_num_members); - goto done; - } - - if (type != SID_NAME_DOM_GRP) { - DEBUG(10, ("Alias member %s neither user nor group, ignore\n", - name)); - goto done; - } - - /* Expand the domain group, this must be done via the target domain */ - - domain = find_domain_from_sid(sid); - - if (domain == NULL) { - DEBUG(3, ("Could not find domain from SID %s\n", - sid_string_static(sid))); - goto done; - } - - result = domain->methods->lookup_groupmem(domain, mem_ctx, - sid, &num_names, - &sid_mem, &names, - &types); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10, ("Could not lookup group members for %s: %s\n", - name, nt_errstr(result))); - goto done; - } - - for (i=0; i<num_names; i++) { - DEBUG(10, ("Adding group member SID %s\n", - sid_string_static(&sid_mem[i]))); - - if (types[i] != SID_NAME_USER) { - DEBUG(1, ("Hmmm. Member %s of group %s is no user. " - "Ignoring.\n", names[i], name)); - continue; - } - - add_member(domain->name, names[i], pp_members, p_num_members); - } - - done: - talloc_destroy(mem_ctx); - return; -} - -static BOOL fill_passdb_alias_grmem(struct winbindd_domain *domain, - DOM_SID *group_sid, - size_t *num_gr_mem, char **gr_mem, size_t *gr_mem_len) -{ - DOM_SID *members; - size_t i, num_members; - - *num_gr_mem = 0; - *gr_mem = NULL; - *gr_mem_len = 0; - - if (!NT_STATUS_IS_OK(pdb_enum_aliasmem(group_sid, &members, - &num_members))) - return True; - - for (i=0; i<num_members; i++) { - add_expanded_sid(&members[i], gr_mem, num_gr_mem); - } - - TALLOC_FREE(members); - - if (*gr_mem != NULL) { - size_t len; - - /* We have at least one member, strip off the last "," */ - len = strlen(*gr_mem); - (*gr_mem)[len-1] = '\0'; - *gr_mem_len = len; - } - - return True; -} - -/* Fill a grent structure from various other information */ - -static BOOL fill_grent(struct winbindd_gr *gr, const char *dom_name, - const char *gr_name, gid_t unix_gid) -{ - fstring full_group_name; - - fill_domain_username( full_group_name, dom_name, gr_name, True ); - - gr->gr_gid = unix_gid; - - /* Group name and password */ - - safe_strcpy(gr->gr_name, full_group_name, sizeof(gr->gr_name) - 1); - safe_strcpy(gr->gr_passwd, "x", sizeof(gr->gr_passwd) - 1); - - return True; -} - -/*********************************************************************** - If "enum users" is set to false, and the group being looked - up is the Domain Users SID: S-1-5-domain-513, then for the - list of members check if the querying user is in that group, - and if so only return that user as the gr_mem array. - We can change this to a different parameter than "enum users" - if neccessaey, or parameterize the group list we do this for. -***********************************************************************/ - -static BOOL fill_grent_mem_domusers( TALLOC_CTX *mem_ctx, - struct winbindd_domain *domain, - struct winbindd_cli_state *state, - DOM_SID *group_sid, - enum lsa_SidType group_name_type, - size_t *num_gr_mem, char **gr_mem, - size_t *gr_mem_len) -{ - DOM_SID querying_user_sid; - DOM_SID *pquerying_user_sid = NULL; - uint32 num_groups = 0; - DOM_SID *user_sids = NULL; - BOOL u_in_group = False; - NTSTATUS status; - int i; - unsigned int buf_len = 0; - char *buf = NULL; - - DEBUG(10,("fill_grent_mem_domain_users: domain %s\n", - domain->name )); - - if (state) { - uid_t ret_uid = (uid_t)-1; - if (sys_getpeereid(state->sock, &ret_uid)==0) { - /* We know who's asking - look up their SID if - it's one we've mapped before. */ - status = idmap_uid_to_sid(&querying_user_sid, ret_uid); - if (NT_STATUS_IS_OK(status)) { - pquerying_user_sid = &querying_user_sid; - DEBUG(10,("fill_grent_mem_domain_users: querying uid %u -> %s\n", - (unsigned int)ret_uid, - sid_string_static(pquerying_user_sid) )); - } - } - } - - /* Only look up if it was a winbindd user in this domain. */ - if (pquerying_user_sid && - (sid_compare_domain(pquerying_user_sid, &domain->sid) == 0)) { - - DEBUG(10,("fill_grent_mem_domain_users: querying user = %s\n", - sid_string_static(pquerying_user_sid) )); - - status = domain->methods->lookup_usergroups(domain, - mem_ctx, - pquerying_user_sid, - &num_groups, - &user_sids); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("fill_grent_mem_domain_users: lookup_usergroups failed " - "for sid %s in domain %s (error: %s)\n", - sid_string_static(pquerying_user_sid), - domain->name, - nt_errstr(status))); - return False; - } - - for (i = 0; i < num_groups; i++) { - if (sid_equal(group_sid, &user_sids[i])) { - /* User is in Domain Users, add their name - as the only group member. */ - u_in_group = True; - break; - } - } - } - - if (u_in_group) { - size_t len = 0; - char *domainname = NULL; - char *username = NULL; - fstring name; - enum lsa_SidType type; - - DEBUG(10,("fill_grent_mem_domain_users: sid %s in 'Domain Users' in domain %s\n", - sid_string_static(pquerying_user_sid), domain->name )); - - status = domain->methods->sid_to_name(domain, mem_ctx, - pquerying_user_sid, - &domainname, - &username, - &type); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("could not lookup username for user " - "sid %s in domain %s (error: %s)\n", - sid_string_static(pquerying_user_sid), - domain->name, - nt_errstr(status))); - return False; - } - fill_domain_username(name, domain->name, username, True); - len = strlen(name); - buf_len = len + 1; - if (!(buf = (char *)SMB_MALLOC(buf_len))) { - DEBUG(1, ("out of memory\n")); - return False; - } - memcpy(buf, name, buf_len); - - DEBUG(10,("fill_grent_mem_domain_users: user %s in " - "'Domain Users' in domain %s\n", - name, domain->name )); - - /* user is the only member */ - *num_gr_mem = 1; - } - - *gr_mem = buf; - *gr_mem_len = buf_len; - - DEBUG(10, ("fill_grent_mem_domain_users: num_mem = %u, len = %u, mem = %s\n", - (unsigned int)*num_gr_mem, - (unsigned int)buf_len, *num_gr_mem ? buf : "NULL")); - - return True; -} - -/*********************************************************************** - Add names to a list. Assumes a canonical version of the string - in DOMAIN\user -***********************************************************************/ - -static int namecmp( const void *a, const void *b ) -{ - return StrCaseCmp( * (char * const *) a, * (char * const *) b); -} - -static NTSTATUS add_names_to_list( TALLOC_CTX *ctx, - char ***list, uint32 *n_list, - char **names, uint32 n_names ) -{ - char **new_list = NULL; - uint32 n_new_list = 0; - int i, j; - - if ( !names || (n_names == 0) ) - return NT_STATUS_OK; - - /* Alloc the maximum size we'll need */ - - if ( *list == NULL ) { - if ( (new_list = TALLOC_ARRAY( ctx, char *, n_names )) == NULL ) - return NT_STATUS_NO_MEMORY; - n_new_list = n_names; - } else { - new_list = TALLOC_REALLOC_ARRAY( ctx, *list, char *, - (*n_list) + n_names ); - if ( !new_list ) - return NT_STATUS_NO_MEMORY; - n_new_list = (*n_list) + n_names; - } - - /* Add all names */ - - for ( i=*n_list, j=0; i<n_new_list; i++, j++ ) { - new_list[i] = talloc_strdup( new_list, names[j] ); - } - - /* search for duplicates for sorting and looking for matching - neighbors */ - - qsort( new_list, n_new_list, sizeof(char*), QSORT_CAST namecmp ); - - for ( i=1; i<n_new_list; i++ ) { - if ( strcmp( new_list[i-1], new_list[i] ) == 0 ) { - memmove( &new_list[i-1], &new_list[i], - sizeof(char*)*(n_new_list-i) ); - n_new_list--; - } - } - - *list = new_list; - *n_list = n_new_list; - - return NT_STATUS_OK; -} - -/*********************************************************************** -***********************************************************************/ - -static NTSTATUS expand_groups( TALLOC_CTX *ctx, - struct winbindd_domain *d, - DOM_SID *glist, uint32 n_glist, - DOM_SID **new_glist, uint32 *n_new_glist, - char ***members, uint32 *n_members ) -{ - int i, j; - NTSTATUS status = NT_STATUS_OK; - uint32 num_names = 0; - uint32 *name_types = NULL; - char **names = NULL; - DOM_SID *sid_mem = NULL; - TALLOC_CTX *tmp_ctx = NULL; - DOM_SID *new_groups = NULL; - size_t new_groups_size = 0; - - *members = NULL; - *n_members = 0; - *new_glist = NULL; - *n_new_glist = 0; - - for ( i=0; i<n_glist; i++ ) { - tmp_ctx = talloc_new( ctx ); - - /* Lookup the group membership */ - - status = d->methods->lookup_groupmem(d, tmp_ctx, - &glist[i], &num_names, - &sid_mem, &names, - &name_types); - if ( !NT_STATUS_IS_OK(status) ) - goto out; - - /* Separate users and groups into two lists */ - - for ( j=0; j<num_names; j++ ) { - - /* Users */ - if ( name_types[j] == SID_NAME_USER || - name_types[j] == SID_NAME_COMPUTER ) - { - status = add_names_to_list( ctx, members, - n_members, - names+j, 1 ); - if ( !NT_STATUS_IS_OK(status) ) - goto out; - - continue; - } - - /* Groups */ - if ( name_types[j] == SID_NAME_DOM_GRP || - name_types[j] == SID_NAME_ALIAS ) - { - BOOL ret; - - ret = add_sid_to_array_unique( ctx, - &sid_mem[j], - &new_groups, - &new_groups_size ); - if ( !ret ) { - status = NT_STATUS_NO_MEMORY; - goto out; - } - - continue; - } - } - - TALLOC_FREE( tmp_ctx ); - } - - *new_glist = new_groups; - *n_new_glist = (uint32)new_groups_size; - - out: - TALLOC_FREE( tmp_ctx ); - - return status; -} - -/*********************************************************************** - Fill in the group membership field of a NT group given by group_sid -***********************************************************************/ - -static BOOL fill_grent_mem(struct winbindd_domain *domain, - struct winbindd_cli_state *state, - DOM_SID *group_sid, - enum lsa_SidType group_name_type, - size_t *num_gr_mem, char **gr_mem, size_t *gr_mem_len) -{ - uint32 num_names = 0; - unsigned int buf_len = 0, buf_ndx = 0, i; - char **names = NULL, *buf = NULL; - BOOL result = False; - TALLOC_CTX *mem_ctx; - uint32 group_rid; - DOM_SID *glist = NULL; - DOM_SID *new_glist = NULL; - uint32 n_glist, n_new_glist; - int max_depth = lp_winbind_expand_groups(); - - if (!(mem_ctx = talloc_init("fill_grent_mem(%s)", domain->name))) - return False; - - DEBUG(10, ("group SID %s\n", sid_string_static(group_sid))); - - /* Initialize with no members */ - - *num_gr_mem = 0; - - /* HACK ALERT!! This whole routine does not cope with group members - * from more than one domain, ie aliases. Thus we have to work it out - * ourselves in a special routine. */ - - if (domain->internal) { - result = fill_passdb_alias_grmem(domain, group_sid, - num_gr_mem, - gr_mem, gr_mem_len); - goto done; - } - - /* Verify name type */ - - if ( !((group_name_type==SID_NAME_DOM_GRP) || - ((group_name_type==SID_NAME_ALIAS) && domain->primary)) ) - { - DEBUG(1, ("SID %s in domain %s isn't a domain group (%d)\n", - sid_string_static(group_sid), domain->name, - group_name_type)); - goto done; - } - - /* OPTIMIZATION / HACK. See comment in - fill_grent_mem_domusers() */ - - sid_peek_rid( group_sid, &group_rid ); - if (!lp_winbind_enum_users() && group_rid == DOMAIN_GROUP_RID_USERS) { - result = fill_grent_mem_domusers( mem_ctx, domain, state, - group_sid, group_name_type, - num_gr_mem, gr_mem, - gr_mem_len ); - goto done; - } - - /* Real work goes here. Create a list of group names to - expand startign with the initial one. Pass that to - expand_groups() which returns a list of more group names - to expand. Do this up to the max search depth. */ - - if ( (glist = TALLOC_ARRAY(mem_ctx, DOM_SID, 1 )) == NULL ) { - result = False; - DEBUG(0,("fill_grent_mem: talloc failure!\n")); - goto done; - } - sid_copy( &glist[0], group_sid ); - n_glist = 1; - - for ( i=0; i<max_depth && glist; i++ ) { - uint32 n_members = 0; - char **members = NULL; - NTSTATUS nt_status; - - nt_status = expand_groups( mem_ctx, domain, - glist, n_glist, - &new_glist, &n_new_glist, - &members, &n_members); - if ( !NT_STATUS_IS_OK(nt_status) ) { - result = False; - goto done; - } - - /* Add new group members to list */ - - nt_status = add_names_to_list( mem_ctx, &names, &num_names, - members, n_members ); - if ( !NT_STATUS_IS_OK(nt_status) ) { - result = False; - goto done; - } - - TALLOC_FREE( members ); - - /* If we have no more groups to expand, break out - early */ - - if ( !&new_glist ) - break; - - /* One more round */ - TALLOC_FREE(glist); - glist = new_glist; - n_glist = n_new_glist; - } - TALLOC_FREE( glist ); - - DEBUG(10, ("looked up %d names\n", num_names)); - - again: - /* Add members to list */ - - for (i = 0; i < num_names; i++) { - int len; - - DEBUG(10, ("processing name %s\n", names[i])); - - len = strlen(names[i]); - - /* Add to list or calculate buffer length */ - - if (!buf) { - buf_len += len + 1; /* List is comma separated */ - (*num_gr_mem)++; - DEBUG(10, ("buf_len + %d = %d\n", len + 1, buf_len)); - } else { - DEBUG(10, ("appending %s at ndx %d\n", names[i], buf_ndx)); - safe_strcpy(&buf[buf_ndx], names[i], len); - buf_ndx += len; - buf[buf_ndx] = ','; - buf_ndx++; - } - } - - /* Allocate buffer */ - - if (!buf && buf_len != 0) { - if (!(buf = (char *)SMB_MALLOC(buf_len))) { - DEBUG(1, ("out of memory\n")); - result = False; - goto done; - } - memset(buf, 0, buf_len); - goto again; - } - - /* Now we're done */ - - if (buf && buf_ndx > 0) { - buf[buf_ndx - 1] = '\0'; - } - - *gr_mem = buf; - *gr_mem_len = buf_len; - - DEBUG(10, ("num_mem = %u, len = %u, mem = %s\n", (unsigned int)*num_gr_mem, - (unsigned int)buf_len, *num_gr_mem ? buf : "NULL")); - result = True; - -done: - - talloc_destroy(mem_ctx); - - DEBUG(10, ("fill_grent_mem returning %d\n", result)); - - return result; -} - -static void winbindd_getgrsid( struct winbindd_cli_state *state, DOM_SID group_sid ); - -static void getgrnam_recv( void *private_data, BOOL success, const DOM_SID *sid, - enum lsa_SidType type ) -{ - struct winbindd_cli_state *state = (struct winbindd_cli_state*)private_data; - - if (!success) { - DEBUG(5,("getgrnam_recv: lookupname failed!\n")); - request_error(state); - return; - } - - if ( (type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) ) { - DEBUG(5,("getgrnam_recv: not a group!\n")); - request_error(state); - return; - } - - winbindd_getgrsid( state, *sid ); -} - - -/* Return a group structure from a group name */ - -void winbindd_getgrnam(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain; - fstring name_domain, name_group; - char *tmp; - - /* Ensure null termination */ - state->request.data.groupname[sizeof(state->request.data.groupname)-1]='\0'; - - DEBUG(3, ("[%5lu]: getgrnam %s\n", (unsigned long)state->pid, - state->request.data.groupname)); - - /* Parse domain and groupname */ - - memset(name_group, 0, sizeof(fstring)); - - tmp = state->request.data.groupname; - - name_domain[0] = '\0'; - name_group[0] = '\0'; - - parse_domain_user(tmp, name_domain, name_group); - - /* if no domain or our local domain and no local tdb group, default to - * our local domain for aliases */ - - if ( !*name_domain || strequal(name_domain, get_global_sam_name()) ) { - fstrcpy(name_domain, get_global_sam_name()); - } - - /* Get info for the domain */ - - if ((domain = find_domain_from_name(name_domain)) == NULL) { - DEBUG(3, ("could not get domain sid for domain %s\n", - name_domain)); - request_error(state); - return; - } - /* should we deal with users for our domain? */ - - if ( lp_winbind_trusted_domains_only() && domain->primary) { - DEBUG(7,("winbindd_getgrnam: My domain -- rejecting " - "getgrnam() for %s\\%s.\n", name_domain, name_group)); - request_error(state); - return; - } - - /* Get rid and name type from name */ - - ws_name_replace( name_group, WB_REPLACE_CHAR ); - - winbindd_lookupname_async( state->mem_ctx, domain->name, name_group, - getgrnam_recv, WINBINDD_GETGRNAM, state ); -} - -struct getgrsid_state { - struct winbindd_cli_state *state; - struct winbindd_domain *domain; - char *group_name; - enum lsa_SidType group_type; - uid_t gid; - DOM_SID group_sid; -}; - -static void getgrsid_sid2gid_recv(void *private_data, BOOL success, gid_t gid) - { - struct getgrsid_state *s = - (struct getgrsid_state *)private_data; - struct winbindd_domain *domain; - size_t gr_mem_len; - size_t num_gr_mem; - char *gr_mem; - fstring dom_name, group_name; - - if (!success) { - DEBUG(5,("getgrsid_sid2gid_recv: sid2gid failed!\n")); - request_error(s->state); - return; - } - - s->gid = gid; - - if ( !parse_domain_user( s->group_name, dom_name, group_name ) ) { - DEBUG(5,("getgrsid_sid2gid_recv: parse_domain_user() failed!\n")); - request_error(s->state); - return; - } - - - /* Fill in group structure */ - - if ( (domain = find_domain_from_name_noinit(dom_name)) == NULL ) { - DEBUG(1,("Can't find domain from name (%s)\n", dom_name)); - request_error(s->state); - return; - } - - if (!fill_grent(&s->state->response.data.gr, dom_name, group_name, gid) || - !fill_grent_mem(domain, s->state, &s->group_sid, s->group_type, - &num_gr_mem, &gr_mem, &gr_mem_len)) - { - request_error(s->state); - return; - } - - s->state->response.data.gr.num_gr_mem = (uint32)num_gr_mem; - - /* Group membership lives at start of extra data */ - - s->state->response.data.gr.gr_mem_ofs = 0; - - s->state->response.length += gr_mem_len; - s->state->response.extra_data.data = gr_mem; - - request_ok(s->state); - } - -static void getgrsid_lookupsid_recv( void *private_data, BOOL success, - const char *dom_name, const char *name, - enum lsa_SidType name_type ) -{ - struct getgrsid_state *s = (struct getgrsid_state *)private_data; - - if (!success) { - DEBUG(5,("getgrsid_lookupsid_recv: lookupsid failed!\n")); - request_error(s->state); - return; - } - - /* either it's a domain group, a domain local group, or a - local group in an internal domain */ - - if ( !( (name_type==SID_NAME_DOM_GRP) || - ((name_type==SID_NAME_ALIAS) && - (s->domain->primary || s->domain->internal)) ) ) - { - DEBUG(1, ("name '%s\\%s' is not a local or domain group: %d\n", - dom_name, name, name_type)); - request_error(s->state); - return; -} - - if ( (s->group_name = talloc_asprintf( s->state->mem_ctx, - "%s\\%s", - dom_name, name )) == NULL ) -{ - DEBUG(1, ("getgrsid_lookupsid_recv: talloc_asprintf() Failed!\n")); - request_error(s->state); - return; - } - - s->group_type = name_type; - - winbindd_sid2gid_async(s->state->mem_ctx, &s->group_sid, - getgrsid_sid2gid_recv, s); - } - -static void winbindd_getgrsid( struct winbindd_cli_state *state, const DOM_SID group_sid ) - { - struct getgrsid_state *s; - - if ( (s = TALLOC_ZERO_P(state->mem_ctx, struct getgrsid_state)) == NULL ) { - DEBUG(0, ("talloc failed\n")); - request_error(state); - return; - } - - s->state = state; - - if ( (s->domain = find_domain_from_sid_noinit(&group_sid)) == NULL ) { - DEBUG(3, ("Could not find domain for sid %s\n", - sid_string_static(&group_sid))); - request_error(state); - return; - } - - sid_copy(&s->group_sid, &group_sid); - - winbindd_lookupsid_async( s->state->mem_ctx, &group_sid, - getgrsid_lookupsid_recv, s ); -} - - -static void getgrgid_recv(void *private_data, BOOL success, const char *sid) -{ - struct winbindd_cli_state *state = talloc_get_type_abort(private_data, struct winbindd_cli_state); - enum lsa_SidType name_type; - DOM_SID group_sid; - - if (success) { - DEBUG(10,("getgrgid_recv: gid %lu has sid %s\n", - (unsigned long)(state->request.data.gid), sid)); - - string_to_sid(&group_sid, sid); - winbindd_getgrsid(state, group_sid); - return; - } - - /* Ok, this might be "ours", i.e. an alias */ - if (pdb_gid_to_sid(state->request.data.gid, &group_sid) && - lookup_sid(state->mem_ctx, &group_sid, NULL, NULL, &name_type) && - (name_type == SID_NAME_ALIAS)) { - /* Hey, got an alias */ - DEBUG(10,("getgrgid_recv: we have an alias with gid %lu and sid %s\n", - (unsigned long)(state->request.data.gid), sid)); - winbindd_getgrsid(state, group_sid); - return; - } - - DEBUG(1, ("could not convert gid %lu to sid\n", - (unsigned long)state->request.data.gid)); - request_error(state); -} - -/* Return a group structure from a gid number */ -void winbindd_getgrgid(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: getgrgid %lu\n", (unsigned long)state->pid, - (unsigned long)state->request.data.gid)); - - /* always use the async interface */ - winbindd_gid2sid_async(state->mem_ctx, state->request.data.gid, getgrgid_recv, state); -} - -/* - * set/get/endgrent functions - */ - -/* "Rewind" file pointer for group database enumeration */ - -static BOOL winbindd_setgrent_internal(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain; - - DEBUG(3, ("[%5lu]: setgrent\n", (unsigned long)state->pid)); - - /* Check user has enabled this */ - - if (!lp_winbind_enum_groups()) { - return False; - } - - /* Free old static data if it exists */ - - if (state->getgrent_state != NULL) { - free_getent_state(state->getgrent_state); - state->getgrent_state = NULL; - } - - /* Create sam pipes for each domain we know about */ - - for (domain = domain_list(); domain != NULL; domain = domain->next) { - struct getent_state *domain_state; - - /* Create a state record for this domain */ - - /* don't add our domaina if we are a PDC or if we - are a member of a Samba domain */ - - if ( lp_winbind_trusted_domains_only() && domain->primary ) - { - continue; - } - - - if ((domain_state = SMB_MALLOC_P(struct getent_state)) == NULL) { - DEBUG(1, ("winbindd_setgrent: malloc failed for domain_state!\n")); - return False; - } - - ZERO_STRUCTP(domain_state); - - fstrcpy(domain_state->domain_name, domain->name); - - /* Add to list of open domains */ - - DLIST_ADD(state->getgrent_state, domain_state); - } - - state->getgrent_initialized = True; - return True; -} - -void winbindd_setgrent(struct winbindd_cli_state *state) -{ - if (winbindd_setgrent_internal(state)) { - request_ok(state); - } else { - request_error(state); - } -} - -/* Close file pointer to ntdom group database */ - -void winbindd_endgrent(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: endgrent\n", (unsigned long)state->pid)); - - free_getent_state(state->getgrent_state); - state->getgrent_initialized = False; - state->getgrent_state = NULL; - request_ok(state); -} - -/* Get the list of domain groups and domain aliases for a domain. We fill in - the sam_entries and num_sam_entries fields with domain group information. - The dispinfo_ndx field is incremented to the index of the next group to - fetch. Return True if some groups were returned, False otherwise. */ - -static BOOL get_sam_group_entries(struct getent_state *ent) -{ - NTSTATUS status; - uint32 num_entries; - struct acct_info *name_list = NULL; - TALLOC_CTX *mem_ctx; - BOOL result = False; - struct acct_info *sam_grp_entries = NULL; - struct winbindd_domain *domain; - - if (ent->got_sam_entries) - return False; - - if (!(mem_ctx = talloc_init("get_sam_group_entries(%s)", - ent->domain_name))) { - DEBUG(1, ("get_sam_group_entries: could not create talloc context!\n")); - return False; - } - - /* Free any existing group info */ - - SAFE_FREE(ent->sam_entries); - ent->num_sam_entries = 0; - ent->got_sam_entries = True; - - /* Enumerate domain groups */ - - num_entries = 0; - - if (!(domain = find_domain_from_name(ent->domain_name))) { - DEBUG(3, ("no such domain %s in get_sam_group_entries\n", ent->domain_name)); - goto done; - } - - /* always get the domain global groups */ - - status = domain->methods->enum_dom_groups(domain, mem_ctx, &num_entries, &sam_grp_entries); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(3, ("get_sam_group_entries: could not enumerate domain groups! Error: %s\n", nt_errstr(status))); - result = False; - goto done; - } - - /* Copy entries into return buffer */ - - if (num_entries) { - if ( !(name_list = SMB_MALLOC_ARRAY(struct acct_info, num_entries)) ) { - DEBUG(0,("get_sam_group_entries: Failed to malloc memory for %d domain groups!\n", - num_entries)); - result = False; - goto done; - } - memcpy( name_list, sam_grp_entries, num_entries * sizeof(struct acct_info) ); - } - - ent->num_sam_entries = num_entries; - - /* get the domain local groups if we are a member of a native win2k domain - and are not using LDAP to get the groups */ - - if ( ( lp_security() != SEC_ADS && domain->native_mode - && domain->primary) || domain->internal ) - { - DEBUG(4,("get_sam_group_entries: %s domain; enumerating local groups as well\n", - domain->native_mode ? "Native Mode 2k":"BUILTIN or local")); - - status = domain->methods->enum_local_groups(domain, mem_ctx, &num_entries, &sam_grp_entries); - - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(3,("get_sam_group_entries: Failed to enumerate domain local groups!\n")); - num_entries = 0; - } - else - DEBUG(4,("get_sam_group_entries: Returned %d local groups\n", num_entries)); - - /* Copy entries into return buffer */ - - if ( num_entries ) { - if ( !(name_list = SMB_REALLOC_ARRAY( name_list, struct acct_info, ent->num_sam_entries+num_entries)) ) - { - DEBUG(0,("get_sam_group_entries: Failed to realloc more memory for %d local groups!\n", - num_entries)); - result = False; - goto done; - } - - memcpy( &name_list[ent->num_sam_entries], sam_grp_entries, - num_entries * sizeof(struct acct_info) ); - } - - ent->num_sam_entries += num_entries; - } - - - /* Fill in remaining fields */ - - ent->sam_entries = name_list; - ent->sam_entry_index = 0; - - result = (ent->num_sam_entries > 0); - - done: - talloc_destroy(mem_ctx); - - return result; -} - -/* Fetch next group entry from ntdom database */ - -#define MAX_GETGRENT_GROUPS 500 - -void winbindd_getgrent(struct winbindd_cli_state *state) -{ - struct getent_state *ent; - struct winbindd_gr *group_list = NULL; - int num_groups, group_list_ndx, gr_mem_list_len = 0; - char *gr_mem_list = NULL; - - DEBUG(3, ("[%5lu]: getgrent\n", (unsigned long)state->pid)); - - /* Check user has enabled this */ - - if (!lp_winbind_enum_groups()) { - request_error(state); - return; - } - - num_groups = MIN(MAX_GETGRENT_GROUPS, state->request.data.num_entries); - - if (num_groups == 0) { - request_error(state); - return; - } - - if ((state->response.extra_data.data = SMB_MALLOC_ARRAY(struct winbindd_gr, num_groups)) == NULL) { - request_error(state); - return; - } - - memset(state->response.extra_data.data, '\0', - num_groups * sizeof(struct winbindd_gr) ); - - state->response.data.num_entries = 0; - - group_list = (struct winbindd_gr *)state->response.extra_data.data; - - if (!state->getgrent_initialized) - winbindd_setgrent_internal(state); - - if (!(ent = state->getgrent_state)) { - request_error(state); - return; - } - - /* Start sending back groups */ - - for (group_list_ndx = 0; group_list_ndx < num_groups; ) { - struct acct_info *name_list = NULL; - fstring domain_group_name; - uint32 result; - gid_t group_gid; - size_t gr_mem_len; - char *gr_mem; - DOM_SID group_sid; - struct winbindd_domain *domain; - - /* Do we need to fetch another chunk of groups? */ - - tryagain: - - DEBUG(10, ("entry_index = %d, num_entries = %d\n", - ent->sam_entry_index, ent->num_sam_entries)); - - if (ent->num_sam_entries == ent->sam_entry_index) { - - while(ent && !get_sam_group_entries(ent)) { - struct getent_state *next_ent; - - DEBUG(10, ("freeing state info for domain %s\n", ent->domain_name)); - - /* Free state information for this domain */ - - SAFE_FREE(ent->sam_entries); - - next_ent = ent->next; - DLIST_REMOVE(state->getgrent_state, ent); - - SAFE_FREE(ent); - ent = next_ent; - } - - /* No more domains */ - - if (!ent) - break; - } - - name_list = (struct acct_info *)ent->sam_entries; - - if (!(domain = - find_domain_from_name(ent->domain_name))) { - DEBUG(3, ("No such domain %s in winbindd_getgrent\n", ent->domain_name)); - result = False; - goto done; - } - - /* Lookup group info */ - - sid_copy(&group_sid, &domain->sid); - sid_append_rid(&group_sid, name_list[ent->sam_entry_index].rid); - - if (!NT_STATUS_IS_OK(idmap_sid_to_gid(&group_sid, &group_gid))) { - union unid_t id; - enum lsa_SidType type; - - DEBUG(10, ("SID %s not in idmap\n", - sid_string_static(&group_sid))); - - if (!pdb_sid_to_id(&group_sid, &id, &type)) { - DEBUG(1, ("could not look up gid for group " - "%s\n", - name_list[ent->sam_entry_index].acct_name)); - ent->sam_entry_index++; - goto tryagain; - } - - if ((type != SID_NAME_DOM_GRP) && - (type != SID_NAME_ALIAS) && - (type != SID_NAME_WKN_GRP)) { - DEBUG(1, ("Group %s is a %s, not a group\n", - sid_type_lookup(type), - name_list[ent->sam_entry_index].acct_name)); - ent->sam_entry_index++; - goto tryagain; - } - group_gid = id.gid; - } - - DEBUG(10, ("got gid %lu for group %lu\n", (unsigned long)group_gid, - (unsigned long)name_list[ent->sam_entry_index].rid)); - - /* Fill in group entry */ - - fill_domain_username(domain_group_name, ent->domain_name, - name_list[ent->sam_entry_index].acct_name, True); - - result = fill_grent(&group_list[group_list_ndx], - ent->domain_name, - name_list[ent->sam_entry_index].acct_name, - group_gid); - - /* Fill in group membership entry */ - - if (result) { - size_t num_gr_mem = 0; - DOM_SID member_sid; - group_list[group_list_ndx].num_gr_mem = 0; - gr_mem = NULL; - gr_mem_len = 0; - - /* Get group membership */ - if (state->request.cmd == WINBINDD_GETGRLST) { - result = True; - } else { - sid_copy(&member_sid, &domain->sid); - sid_append_rid(&member_sid, name_list[ent->sam_entry_index].rid); - result = fill_grent_mem( - domain, - NULL, - &member_sid, - SID_NAME_DOM_GRP, - &num_gr_mem, - &gr_mem, &gr_mem_len); - - group_list[group_list_ndx].num_gr_mem = (uint32)num_gr_mem; - } - } - - if (result) { - /* Append to group membership list */ - gr_mem_list = (char *)SMB_REALLOC( - gr_mem_list, gr_mem_list_len + gr_mem_len); - - if (!gr_mem_list && (group_list[group_list_ndx].num_gr_mem != 0)) { - DEBUG(0, ("out of memory\n")); - gr_mem_list_len = 0; - break; - } - - DEBUG(10, ("list_len = %d, mem_len = %u\n", - gr_mem_list_len, (unsigned int)gr_mem_len)); - - memcpy(&gr_mem_list[gr_mem_list_len], gr_mem, - gr_mem_len); - - SAFE_FREE(gr_mem); - - group_list[group_list_ndx].gr_mem_ofs = - gr_mem_list_len; - - gr_mem_list_len += gr_mem_len; - } - - ent->sam_entry_index++; - - /* Add group to return list */ - - if (result) { - - DEBUG(10, ("adding group num_entries = %d\n", - state->response.data.num_entries)); - - group_list_ndx++; - state->response.data.num_entries++; - - state->response.length += - sizeof(struct winbindd_gr); - - } else { - DEBUG(0, ("could not lookup domain group %s\n", - domain_group_name)); - } - } - - /* Copy the list of group memberships to the end of the extra data */ - - if (group_list_ndx == 0) - goto done; - - state->response.extra_data.data = SMB_REALLOC( - state->response.extra_data.data, - group_list_ndx * sizeof(struct winbindd_gr) + gr_mem_list_len); - - if (!state->response.extra_data.data) { - DEBUG(0, ("out of memory\n")); - group_list_ndx = 0; - SAFE_FREE(gr_mem_list); - request_error(state); - return; - } - - memcpy(&((char *)state->response.extra_data.data) - [group_list_ndx * sizeof(struct winbindd_gr)], - gr_mem_list, gr_mem_list_len); - - state->response.length += gr_mem_list_len; - - DEBUG(10, ("returning %d groups, length = %d\n", - group_list_ndx, gr_mem_list_len)); - - /* Out of domains */ - - done: - - SAFE_FREE(gr_mem_list); - - if (group_list_ndx > 0) - request_ok(state); - else - request_error(state); -} - -/* List domain groups without mapping to unix ids */ - -void winbindd_list_groups(struct winbindd_cli_state *state) -{ - uint32 total_entries = 0; - struct winbindd_domain *domain; - const char *which_domain; - char *extra_data = NULL; - unsigned int extra_data_len = 0, i; - - DEBUG(3, ("[%5lu]: list groups\n", (unsigned long)state->pid)); - - /* Ensure null termination */ - state->request.domain_name[sizeof(state->request.domain_name)-1]='\0'; - which_domain = state->request.domain_name; - - /* Enumerate over trusted domains */ - - for (domain = domain_list(); domain; domain = domain->next) { - struct getent_state groups; - - /* if we have a domain name restricting the request and this - one in the list doesn't match, then just bypass the remainder - of the loop */ - - if ( *which_domain && !strequal(which_domain, domain->name) ) - continue; - - ZERO_STRUCT(groups); - - /* Get list of sam groups */ - - fstrcpy(groups.domain_name, domain->name); - - get_sam_group_entries(&groups); - - if (groups.num_sam_entries == 0) { - /* this domain is empty or in an error state */ - continue; - } - - /* keep track the of the total number of groups seen so - far over all domains */ - total_entries += groups.num_sam_entries; - - /* Allocate some memory for extra data. Note that we limit - account names to sizeof(fstring) = 128 characters. */ - extra_data = (char *)SMB_REALLOC( - extra_data, sizeof(fstring) * total_entries); - - if (!extra_data) { - DEBUG(0,("failed to enlarge buffer!\n")); - request_error(state); - return; - } - - /* Pack group list into extra data fields */ - for (i = 0; i < groups.num_sam_entries; i++) { - char *group_name = ((struct acct_info *) - groups.sam_entries)[i].acct_name; - fstring name; - - fill_domain_username(name, domain->name, group_name, True); - /* Append to extra data */ - memcpy(&extra_data[extra_data_len], name, - strlen(name)); - extra_data_len += strlen(name); - extra_data[extra_data_len++] = ','; - } - - SAFE_FREE(groups.sam_entries); - } - - /* Assign extra_data fields in response structure */ - if (extra_data) { - extra_data[extra_data_len - 1] = '\0'; - state->response.extra_data.data = extra_data; - state->response.length += extra_data_len; - } - - /* No domains may have responded but that's still OK so don't - return an error. */ - - request_ok(state); -} - -/* Get user supplementary groups. This is much quicker than trying to - invert the groups database. We merge the groups from the gids and - other_sids info3 fields as trusted domain, universal group - memberships, and nested groups (win2k native mode only) are not - returned by the getgroups RPC call but are present in the info3. */ - -struct getgroups_state { - struct winbindd_cli_state *state; - struct winbindd_domain *domain; - char *domname; - char *username; - DOM_SID user_sid; - - const DOM_SID *token_sids; - size_t i, num_token_sids; - - gid_t *token_gids; - size_t num_token_gids; -}; - -static void getgroups_usersid_recv(void *private_data, BOOL success, - const DOM_SID *sid, enum lsa_SidType type); -static void getgroups_tokensids_recv(void *private_data, BOOL success, - DOM_SID *token_sids, size_t num_token_sids); -static void getgroups_sid2gid_recv(void *private_data, BOOL success, gid_t gid); - -void winbindd_getgroups(struct winbindd_cli_state *state) -{ - struct getgroups_state *s; - - /* Ensure null termination */ - state->request.data.username - [sizeof(state->request.data.username)-1]='\0'; - - DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid, - state->request.data.username)); - - /* Parse domain and username */ - - s = TALLOC_P(state->mem_ctx, struct getgroups_state); - if (s == NULL) { - DEBUG(0, ("talloc failed\n")); - request_error(state); - return; - } - - s->state = state; - - ws_name_return( state->request.data.username, WB_REPLACE_CHAR ); - - if (!parse_domain_user_talloc(state->mem_ctx, - state->request.data.username, - &s->domname, &s->username)) { - DEBUG(5, ("Could not parse domain user: %s\n", - state->request.data.username)); - - /* error out if we do not have nested group support */ - - if ( !lp_winbind_nested_groups() ) { - request_error(state); - return; - } - - s->domname = talloc_strdup( state->mem_ctx, get_global_sam_name() ); - s->username = talloc_strdup( state->mem_ctx, state->request.data.username ); - } - - /* Get info for the domain */ - - s->domain = find_domain_from_name_noinit(s->domname); - - if (s->domain == NULL) { - DEBUG(7, ("could not find domain entry for domain %s\n", - s->domname)); - request_error(state); - return; - } - - if ( s->domain->primary && lp_winbind_trusted_domains_only()) { - DEBUG(7,("winbindd_getgroups: My domain -- rejecting " - "getgroups() for %s\\%s.\n", s->domname, - s->username)); - request_error(state); - return; - } - - /* Get rid and name type from name. The following costs 1 packet */ - - winbindd_lookupname_async(state->mem_ctx, s->domname, s->username, - getgroups_usersid_recv, WINBINDD_GETGROUPS, s); -} - -static void getgroups_usersid_recv(void *private_data, BOOL success, - const DOM_SID *sid, enum lsa_SidType type) -{ - struct getgroups_state *s = - (struct getgroups_state *)private_data; - - if ((!success) || - ((type != SID_NAME_USER) && (type != SID_NAME_COMPUTER))) { - request_error(s->state); - return; - } - - sid_copy(&s->user_sid, sid); - - winbindd_gettoken_async(s->state->mem_ctx, &s->user_sid, - getgroups_tokensids_recv, s); -} - -static void getgroups_tokensids_recv(void *private_data, BOOL success, - DOM_SID *token_sids, size_t num_token_sids) -{ - struct getgroups_state *s = - (struct getgroups_state *)private_data; - - /* We need at least the user sid and the primary group in the token, - * otherwise it's an error */ - - if ((!success) || (num_token_sids < 2)) { - request_error(s->state); - return; - } - - s->token_sids = token_sids; - s->num_token_sids = num_token_sids; - s->i = 0; - - s->token_gids = NULL; - s->num_token_gids = 0; - - getgroups_sid2gid_recv(s, False, 0); -} - -static void getgroups_sid2gid_recv(void *private_data, BOOL success, gid_t gid) -{ - struct getgroups_state *s = - (struct getgroups_state *)private_data; - - if (success) { - if (!add_gid_to_array_unique(s->state->mem_ctx, gid, - &s->token_gids, - &s->num_token_gids)) { - return; - } - } - - if (s->i < s->num_token_sids) { - const DOM_SID *sid = &s->token_sids[s->i]; - s->i += 1; - - if (sid_equal(sid, &s->user_sid)) { - getgroups_sid2gid_recv(s, False, 0); - return; - } - - winbindd_sid2gid_async(s->state->mem_ctx, sid, - getgroups_sid2gid_recv, s); - return; - } - - s->state->response.data.num_entries = s->num_token_gids; - /* s->token_gids are talloced */ - s->state->response.extra_data.data = smb_xmemdup(s->token_gids, s->num_token_gids * sizeof(gid_t)); - s->state->response.length += s->num_token_gids * sizeof(gid_t); - request_ok(s->state); -} - -/* Get user supplementary sids. This is equivalent to the - winbindd_getgroups() function but it involves a SID->SIDs mapping - rather than a NAME->SID->SIDS->GIDS mapping, which means we avoid - idmap. This call is designed to be used with applications that need - to do ACL evaluation themselves. Note that the cached info3 data is - not used - - this function assumes that the SID that comes in is a user SID. If - you pass in another type of SID then you may get unpredictable - results. -*/ - -static void getusersids_recv(void *private_data, BOOL success, DOM_SID *sids, - size_t num_sids); - -void winbindd_getusersids(struct winbindd_cli_state *state) -{ - DOM_SID *user_sid; - - /* Ensure null termination */ - state->request.data.sid[sizeof(state->request.data.sid)-1]='\0'; - - user_sid = TALLOC_P(state->mem_ctx, DOM_SID); - if (user_sid == NULL) { - DEBUG(1, ("talloc failed\n")); - request_error(state); - return; - } - - if (!string_to_sid(user_sid, state->request.data.sid)) { - DEBUG(1, ("Could not get convert sid %s from string\n", - state->request.data.sid)); - request_error(state); - return; - } - - winbindd_gettoken_async(state->mem_ctx, user_sid, getusersids_recv, - state); -} - -static void getusersids_recv(void *private_data, BOOL success, DOM_SID *sids, - size_t num_sids) -{ - struct winbindd_cli_state *state = - (struct winbindd_cli_state *)private_data; - char *ret = NULL; - unsigned ofs, ret_size = 0; - size_t i; - - if (!success) { - request_error(state); - return; - } - - /* work out the response size */ - for (i = 0; i < num_sids; i++) { - const char *s = sid_string_static(&sids[i]); - ret_size += strlen(s) + 1; - } - - /* build the reply */ - ret = (char *)SMB_MALLOC(ret_size); - if (!ret) { - DEBUG(0, ("malloc failed\n")); - request_error(state); - return; - } - ofs = 0; - for (i = 0; i < num_sids; i++) { - const char *s = sid_string_static(&sids[i]); - safe_strcpy(ret + ofs, s, ret_size - ofs - 1); - ofs += strlen(ret+ofs) + 1; - } - - /* Send data back to client */ - state->response.data.num_entries = num_sids; - state->response.extra_data.data = ret; - state->response.length += ret_size; - request_ok(state); -} - -void winbindd_getuserdomgroups(struct winbindd_cli_state *state) -{ - DOM_SID user_sid; - struct winbindd_domain *domain; - - /* Ensure null termination */ - state->request.data.sid[sizeof(state->request.data.sid)-1]='\0'; - - if (!string_to_sid(&user_sid, state->request.data.sid)) { - DEBUG(1, ("Could not get convert sid %s from string\n", - state->request.data.sid)); - request_error(state); - return; - } - - /* Get info for the domain */ - if ((domain = find_domain_from_sid_noinit(&user_sid)) == NULL) { - DEBUG(0,("could not find domain entry for sid %s\n", - sid_string_static(&user_sid))); - request_error(state); - return; - } - - sendto_domain(state, domain); -} - -enum winbindd_result winbindd_dual_getuserdomgroups(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - DOM_SID user_sid; - NTSTATUS status; - - char *sidstring; - ssize_t len; - DOM_SID *groups; - uint32 num_groups; - - /* Ensure null termination */ - state->request.data.sid[sizeof(state->request.data.sid)-1]='\0'; - - if (!string_to_sid(&user_sid, state->request.data.sid)) { - DEBUG(1, ("Could not get convert sid %s from string\n", - state->request.data.sid)); - return WINBINDD_ERROR; - } - - status = domain->methods->lookup_usergroups(domain, state->mem_ctx, - &user_sid, &num_groups, - &groups); - if (!NT_STATUS_IS_OK(status)) - return WINBINDD_ERROR; - - if (num_groups == 0) { - state->response.data.num_entries = 0; - state->response.extra_data.data = NULL; - return WINBINDD_OK; - } - - if (!print_sidlist(state->mem_ctx, groups, num_groups, &sidstring, &len)) { - DEBUG(0, ("talloc failed\n")); - return WINBINDD_ERROR; - } - - state->response.extra_data.data = SMB_STRDUP(sidstring); - if (!state->response.extra_data.data) { - return WINBINDD_ERROR; - } - state->response.length += len+1; - state->response.data.num_entries = num_groups; - - return WINBINDD_OK; -} diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c deleted file mode 100644 index 9c3f634534..0000000000 --- a/source3/nsswitch/winbindd_misc.c +++ /dev/null @@ -1,634 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon - miscellaneous other functions - - Copyright (C) Tim Potter 2000 - Copyright (C) Andrew Bartlett 2002 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -/* Check the machine account password is valid */ - -void winbindd_check_machine_acct(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: check machine account\n", - (unsigned long)state->pid)); - - sendto_domain(state, find_our_domain()); -} - -enum winbindd_result winbindd_dual_check_machine_acct(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - int num_retries = 0; - struct winbindd_domain *contact_domain; - - DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid)); - - /* Get trust account password */ - - again: - - contact_domain = find_our_domain(); - - /* This call does a cli_nt_setup_creds() which implicitly checks - the trust account password. */ - - invalidate_cm_connection(&contact_domain->conn); - - { - struct rpc_pipe_client *netlogon_pipe; - result = cm_connect_netlogon(contact_domain, &netlogon_pipe); - } - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(3, ("could not open handle to NETLOGON pipe\n")); - goto done; - } - - /* There is a race condition between fetching the trust account - password and the periodic machine password change. So it's - possible that the trust account password has been changed on us. - We are returned NT_STATUS_ACCESS_DENIED if this happens. */ - -#define MAX_RETRIES 8 - - if ((num_retries < MAX_RETRIES) && - NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED)) { - num_retries++; - goto again; - } - - /* Pass back result code - zero for success, other values for - specific failures. */ - - DEBUG(3, ("secret is %s\n", NT_STATUS_IS_OK(result) ? - "good" : "bad")); - - done: - state->response.data.auth.nt_status = NT_STATUS_V(result); - fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result)); - fstrcpy(state->response.data.auth.error_string, nt_errstr(result)); - state->response.data.auth.pam_error = nt_status_to_pam(result); - - DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Checking the trust account password returned %s\n", - state->response.data.auth.nt_status_string)); - - return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; -} - -void winbindd_list_trusted_domains(struct winbindd_cli_state *state) -{ - struct winbindd_domain *d = NULL; - int extra_data_len = 0; - char *extra_data = NULL; - - DEBUG(3, ("[%5lu]: list trusted domains\n", - (unsigned long)state->pid)); - - for ( d=domain_list(); d; d=d->next ) { - if ( !extra_data ) { - extra_data = talloc_asprintf(state->mem_ctx, "%s\\%s\\%s", - d->name, - d->alt_name ? d->alt_name : d->name, - sid_string_static(&d->sid)); - } else { - extra_data = talloc_asprintf(state->mem_ctx, "%s\n%s\\%s\\%s", - extra_data, - d->name, - d->alt_name ? d->alt_name : d->name, - sid_string_static(&d->sid)); - } - } - - extra_data_len = 0; - if (extra_data != NULL) { - extra_data_len = strlen(extra_data); - } - - if (extra_data_len > 0) { - state->response.extra_data.data = SMB_STRDUP(extra_data); - state->response.length += extra_data_len+1; - } - - TALLOC_FREE( extra_data ); - - request_ok(state); -} - -enum winbindd_result winbindd_dual_list_trusted_domains(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - uint32 i, num_domains; - char **names, **alt_names; - DOM_SID *sids; - int extra_data_len = 0; - char *extra_data; - NTSTATUS result; - BOOL have_own_domain = False; - - DEBUG(3, ("[%5lu]: list trusted domains\n", - (unsigned long)state->pid)); - - result = domain->methods->trusted_domains(domain, state->mem_ctx, - &num_domains, &names, - &alt_names, &sids); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(3, ("winbindd_dual_list_trusted_domains: trusted_domains returned %s\n", - nt_errstr(result) )); - return WINBINDD_ERROR; - } - - extra_data = talloc_strdup(state->mem_ctx, ""); - - if (num_domains > 0) - extra_data = talloc_asprintf(state->mem_ctx, "%s\\%s\\%s", - names[0], - alt_names[0] ? alt_names[0] : names[0], - sid_string_static(&sids[0])); - - for (i=1; i<num_domains; i++) - extra_data = talloc_asprintf(state->mem_ctx, "%s\n%s\\%s\\%s", - extra_data, - names[i], - alt_names[i] ? alt_names[i] : names[i], - sid_string_static(&sids[i])); - /* add our primary domain */ - - for (i=0; i<num_domains; i++) { - if (strequal(names[i], domain->name)) { - have_own_domain = True; - break; - } - } - - if (state->request.data.list_all_domains && !have_own_domain) { - extra_data = talloc_asprintf(state->mem_ctx, "%s\n%s\\%s\\%s", - extra_data, - domain->name, - domain->alt_name ? domain->alt_name : domain->name, - sid_string_static(&domain->sid)); - } - - /* This is a bit excessive, but the extra data sooner or later will be - talloc'ed */ - - extra_data_len = 0; - if (extra_data != NULL) { - extra_data_len = strlen(extra_data); - } - - if (extra_data_len > 0) { - state->response.extra_data.data = SMB_STRDUP(extra_data); - state->response.length += extra_data_len+1; - } - - return WINBINDD_OK; -} - -void winbindd_getdcname(struct winbindd_cli_state *state) -{ - state->request.domain_name - [sizeof(state->request.domain_name)-1] = '\0'; - - DEBUG(3, ("[%5lu]: Get DC name for %s\n", (unsigned long)state->pid, - state->request.domain_name)); - - sendto_domain(state, find_our_domain()); -} - -enum winbindd_result winbindd_dual_getdcname(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - fstring dcname_slash; - char *p; - struct rpc_pipe_client *netlogon_pipe; - NTSTATUS result; - WERROR werr; - unsigned int orig_timeout; - - state->request.domain_name - [sizeof(state->request.domain_name)-1] = '\0'; - - DEBUG(3, ("[%5lu]: Get DC name for %s\n", (unsigned long)state->pid, - state->request.domain_name)); - - result = cm_connect_netlogon(domain, &netlogon_pipe); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(1, ("Can't contact the NETLOGON pipe\n")); - return WINBINDD_ERROR; - } - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. */ - - orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000); - - werr = rpccli_netlogon_getanydcname(netlogon_pipe, state->mem_ctx, domain->dcname, - state->request.domain_name, - dcname_slash); - /* And restore our original timeout. */ - cli_set_timeout(netlogon_pipe->cli, orig_timeout); - - if (!W_ERROR_IS_OK(werr)) { - DEBUG(5, ("Error requesting DCname for domain %s: %s\n", - state->request.domain_name, dos_errstr(werr))); - return WINBINDD_ERROR; - } - - p = dcname_slash; - if (*p == '\\') { - p+=1; - } - if (*p == '\\') { - p+=1; - } - - fstrcpy(state->response.data.dc_name, p); - return WINBINDD_OK; -} - -static struct winbindd_child static_locator_child; - -void init_locator_child(void) -{ - setup_domain_child(NULL, &static_locator_child, "locator"); -} - -struct winbindd_child *locator_child(void) -{ - return &static_locator_child; -} - -void winbindd_dsgetdcname(struct winbindd_cli_state *state) -{ - state->request.domain_name - [sizeof(state->request.domain_name)-1] = '\0'; - - DEBUG(3, ("[%5lu]: DsGetDcName for %s\n", (unsigned long)state->pid, - state->request.domain_name)); - - sendto_child(state, locator_child()); -} - -enum winbindd_result winbindd_dual_dsgetdcname(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - NTSTATUS result; - struct DS_DOMAIN_CONTROLLER_INFO *info = NULL; - const char *dc = NULL; - - state->request.domain_name - [sizeof(state->request.domain_name)-1] = '\0'; - - DEBUG(3, ("[%5lu]: DsGetDcName for %s\n", (unsigned long)state->pid, - state->request.domain_name)); - - result = DsGetDcName(state->mem_ctx, NULL, state->request.domain_name, - NULL, NULL, state->request.flags, &info); - - if (!NT_STATUS_IS_OK(result)) { - return WINBINDD_ERROR; - } - - if (info->domain_controller_address) { - dc = info->domain_controller_address; - if ((dc[0] == '\\') && (dc[1] == '\\')) { - dc += 2; - } - } - - if ((!dc || !is_ipaddress(dc)) && info->domain_controller_name) { - dc = info->domain_controller_name; - } - - if (!dc || !*dc) { - return WINBINDD_ERROR; - } - - fstrcpy(state->response.data.dc_name, dc); - - return WINBINDD_OK; -} - - -struct sequence_state { - TALLOC_CTX *mem_ctx; - struct winbindd_cli_state *cli_state; - struct winbindd_domain *domain; - struct winbindd_request *request; - struct winbindd_response *response; - char *extra_data; -}; - -static void sequence_recv(void *private_data, BOOL success); - -void winbindd_show_sequence(struct winbindd_cli_state *state) -{ - struct sequence_state *seq; - - /* Ensure null termination */ - state->request.domain_name[sizeof(state->request.domain_name)-1]='\0'; - - if (strlen(state->request.domain_name) > 0) { - struct winbindd_domain *domain; - domain = find_domain_from_name_noinit( - state->request.domain_name); - if (domain == NULL) { - request_error(state); - return; - } - sendto_domain(state, domain); - return; - } - - /* Ask all domains in sequence, collect the results in sequence_recv */ - - seq = TALLOC_P(state->mem_ctx, struct sequence_state); - if (seq == NULL) { - DEBUG(0, ("talloc failed\n")); - request_error(state); - return; - } - - seq->mem_ctx = state->mem_ctx; - seq->cli_state = state; - seq->domain = domain_list(); - if (seq->domain == NULL) { - DEBUG(0, ("domain list empty\n")); - request_error(state); - return; - } - seq->request = TALLOC_ZERO_P(state->mem_ctx, - struct winbindd_request); - seq->response = TALLOC_ZERO_P(state->mem_ctx, - struct winbindd_response); - seq->extra_data = talloc_strdup(state->mem_ctx, ""); - - if ((seq->request == NULL) || (seq->response == NULL) || - (seq->extra_data == NULL)) { - DEBUG(0, ("talloc failed\n")); - request_error(state); - return; - } - - seq->request->length = sizeof(*seq->request); - seq->request->cmd = WINBINDD_SHOW_SEQUENCE; - fstrcpy(seq->request->domain_name, seq->domain->name); - - async_domain_request(state->mem_ctx, seq->domain, - seq->request, seq->response, - sequence_recv, seq); -} - -static void sequence_recv(void *private_data, BOOL success) -{ - struct sequence_state *state = - (struct sequence_state *)private_data; - uint32 seq = DOM_SEQUENCE_NONE; - - if ((success) && (state->response->result == WINBINDD_OK)) - seq = state->response->data.domain_info.sequence_number; - - if (seq == DOM_SEQUENCE_NONE) { - state->extra_data = talloc_asprintf(state->mem_ctx, - "%s%s : DISCONNECTED\n", - state->extra_data, - state->domain->name); - } else { - state->extra_data = talloc_asprintf(state->mem_ctx, - "%s%s : %d\n", - state->extra_data, - state->domain->name, seq); - } - - state->domain->sequence_number = seq; - - state->domain = state->domain->next; - - if (state->domain == NULL) { - struct winbindd_cli_state *cli_state = state->cli_state; - cli_state->response.length = - sizeof(cli_state->response) + - strlen(state->extra_data) + 1; - cli_state->response.extra_data.data = - SMB_STRDUP(state->extra_data); - request_ok(cli_state); - return; - } - - /* Ask the next domain */ - fstrcpy(state->request->domain_name, state->domain->name); - async_domain_request(state->mem_ctx, state->domain, - state->request, state->response, - sequence_recv, state); -} - -/* This is the child-only version of --sequence. It only allows for a single - * domain (ie "our" one) to be displayed. */ - -enum winbindd_result winbindd_dual_show_sequence(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: show sequence\n", (unsigned long)state->pid)); - - /* Ensure null termination */ - state->request.domain_name[sizeof(state->request.domain_name)-1]='\0'; - - domain->methods->sequence_number(domain, &domain->sequence_number); - - state->response.data.domain_info.sequence_number = - domain->sequence_number; - - return WINBINDD_OK; -} - -struct domain_info_state { - struct winbindd_domain *domain; - struct winbindd_cli_state *cli_state; -}; - -static void domain_info_init_recv(void *private_data, BOOL success); - -void winbindd_domain_info(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain; - - DEBUG(3, ("[%5lu]: domain_info [%s]\n", (unsigned long)state->pid, - state->request.domain_name)); - - domain = find_domain_from_name_noinit(state->request.domain_name); - - if (domain == NULL) { - DEBUG(3, ("Did not find domain [%s]\n", - state->request.domain_name)); - request_error(state); - return; - } - - if (!domain->initialized) { - struct domain_info_state *istate; - - istate = TALLOC_P(state->mem_ctx, struct domain_info_state); - if (istate == NULL) { - DEBUG(0, ("talloc failed\n")); - request_error(state); - return; - } - - istate->cli_state = state; - istate->domain = domain; - - init_child_connection(domain, domain_info_init_recv, istate); - - return; - } - - fstrcpy(state->response.data.domain_info.name, - domain->name); - fstrcpy(state->response.data.domain_info.alt_name, - domain->alt_name); - fstrcpy(state->response.data.domain_info.sid, - sid_string_static(&domain->sid)); - - state->response.data.domain_info.native_mode = - domain->native_mode; - state->response.data.domain_info.active_directory = - domain->active_directory; - state->response.data.domain_info.primary = - domain->primary; - state->response.data.domain_info.sequence_number = - domain->sequence_number; - - request_ok(state); -} - -static void domain_info_init_recv(void *private_data, BOOL success) -{ - struct domain_info_state *istate = - (struct domain_info_state *)private_data; - struct winbindd_cli_state *state = istate->cli_state; - struct winbindd_domain *domain = istate->domain; - - DEBUG(10, ("Got back from child init: %d\n", success)); - - if ((!success) || (!domain->initialized)) { - DEBUG(5, ("Could not init child for domain %s\n", - domain->name)); - request_error(state); - return; - } - - fstrcpy(state->response.data.domain_info.name, - domain->name); - fstrcpy(state->response.data.domain_info.alt_name, - domain->alt_name); - fstrcpy(state->response.data.domain_info.sid, - sid_string_static(&domain->sid)); - - state->response.data.domain_info.native_mode = - domain->native_mode; - state->response.data.domain_info.active_directory = - domain->active_directory; - state->response.data.domain_info.primary = - domain->primary; - state->response.data.domain_info.sequence_number = - domain->sequence_number; - - request_ok(state); -} - -void winbindd_ping(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: ping\n", (unsigned long)state->pid)); - request_ok(state); -} - -/* List various tidbits of information */ - -void winbindd_info(struct winbindd_cli_state *state) -{ - - DEBUG(3, ("[%5lu]: request misc info\n", (unsigned long)state->pid)); - - state->response.data.info.winbind_separator = *lp_winbind_separator(); - fstrcpy(state->response.data.info.samba_version, SAMBA_VERSION_STRING); - request_ok(state); -} - -/* Tell the client the current interface version */ - -void winbindd_interface_version(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: request interface version\n", - (unsigned long)state->pid)); - - state->response.data.interface_version = WINBIND_INTERFACE_VERSION; - request_ok(state); -} - -/* What domain are we a member of? */ - -void winbindd_domain_name(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: request domain name\n", (unsigned long)state->pid)); - - fstrcpy(state->response.data.domain_name, lp_workgroup()); - request_ok(state); -} - -/* What's my name again? */ - -void winbindd_netbios_name(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: request netbios name\n", - (unsigned long)state->pid)); - - fstrcpy(state->response.data.netbios_name, global_myname()); - request_ok(state); -} - -/* Where can I find the privilaged pipe? */ - -void winbindd_priv_pipe_dir(struct winbindd_cli_state *state) -{ - - DEBUG(3, ("[%5lu]: request location of privileged pipe\n", - (unsigned long)state->pid)); - - state->response.extra_data.data = SMB_STRDUP(get_winbind_priv_pipe_dir()); - if (!state->response.extra_data.data) { - DEBUG(0, ("malloc failed\n")); - request_error(state); - return; - } - - /* must add one to length to copy the 0 for string termination */ - state->response.length += - strlen((char *)state->response.extra_data.data) + 1; - - request_ok(state); -} - diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c deleted file mode 100644 index 50b24864b5..0000000000 --- a/source3/nsswitch/winbindd_pam.c +++ /dev/null @@ -1,2382 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon - pam auth funcions - - Copyright (C) Andrew Tridgell 2000 - Copyright (C) Tim Potter 2001 - Copyright (C) Andrew Bartlett 2001-2002 - Copyright (C) Guenther Deschner 2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx, - struct winbindd_cli_state *state, - NET_USER_INFO_3 *info3) -{ - fstring str_sid; - - state->response.data.auth.info3.logon_time = - nt_time_to_unix(info3->logon_time); - state->response.data.auth.info3.logoff_time = - nt_time_to_unix(info3->logoff_time); - state->response.data.auth.info3.kickoff_time = - nt_time_to_unix(info3->kickoff_time); - state->response.data.auth.info3.pass_last_set_time = - nt_time_to_unix(info3->pass_last_set_time); - state->response.data.auth.info3.pass_can_change_time = - nt_time_to_unix(info3->pass_can_change_time); - state->response.data.auth.info3.pass_must_change_time = - nt_time_to_unix(info3->pass_must_change_time); - - state->response.data.auth.info3.logon_count = info3->logon_count; - state->response.data.auth.info3.bad_pw_count = info3->bad_pw_count; - - state->response.data.auth.info3.user_rid = info3->user_rid; - state->response.data.auth.info3.group_rid = info3->group_rid; - sid_to_string(str_sid, &(info3->dom_sid.sid)); - fstrcpy(state->response.data.auth.info3.dom_sid, str_sid); - - state->response.data.auth.info3.num_groups = info3->num_groups; - state->response.data.auth.info3.user_flgs = info3->user_flgs; - - state->response.data.auth.info3.acct_flags = info3->acct_flags; - state->response.data.auth.info3.num_other_sids = info3->num_other_sids; - - unistr2_to_ascii(state->response.data.auth.info3.user_name, - &info3->uni_user_name, -1); - unistr2_to_ascii(state->response.data.auth.info3.full_name, - &info3->uni_full_name, -1); - unistr2_to_ascii(state->response.data.auth.info3.logon_script, - &info3->uni_logon_script, -1); - unistr2_to_ascii(state->response.data.auth.info3.profile_path, - &info3->uni_profile_path, -1); - unistr2_to_ascii(state->response.data.auth.info3.home_dir, - &info3->uni_home_dir, -1); - unistr2_to_ascii(state->response.data.auth.info3.dir_drive, - &info3->uni_dir_drive, -1); - - unistr2_to_ascii(state->response.data.auth.info3.logon_srv, - &info3->uni_logon_srv, -1); - unistr2_to_ascii(state->response.data.auth.info3.logon_dom, - &info3->uni_logon_dom, -1); - - return NT_STATUS_OK; -} - -static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx, - struct winbindd_cli_state *state, - NET_USER_INFO_3 *info3) -{ - prs_struct ps; - uint32 size; - if (!prs_init(&ps, 256 /* Random, non-zero number */, mem_ctx, MARSHALL)) { - return NT_STATUS_NO_MEMORY; - } - if (!net_io_user_info3("", info3, &ps, 1, 3, False)) { - prs_mem_free(&ps); - return NT_STATUS_UNSUCCESSFUL; - } - - size = prs_data_size(&ps); - SAFE_FREE(state->response.extra_data.data); - state->response.extra_data.data = SMB_MALLOC(size); - if (!state->response.extra_data.data) { - prs_mem_free(&ps); - return NT_STATUS_NO_MEMORY; - } - memset( state->response.extra_data.data, '\0', size ); - prs_copy_all_data_out((char *)state->response.extra_data.data, &ps); - state->response.length += size; - prs_mem_free(&ps); - return NT_STATUS_OK; -} - -static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx, - struct winbindd_cli_state *state, - const NET_USER_INFO_3 *info3, - const char *name_domain, - const char *name_user) -{ - /* We've been asked to return the unix username, per - 'winbind use default domain' settings and the like */ - - fstring username_out; - const char *nt_username, *nt_domain; - - if (!(nt_domain = unistr2_tdup(mem_ctx, - &info3->uni_logon_dom))) { - /* If the server didn't give us one, just use the one - * we sent them */ - nt_domain = name_domain; - } - - if (!(nt_username = unistr2_tdup(mem_ctx, - &info3->uni_user_name))) { - /* If the server didn't give us one, just use the one - * we sent them */ - nt_username = name_user; - } - - fill_domain_username(username_out, nt_domain, nt_username, - True); - - DEBUG(5,("Setting unix username to [%s]\n", username_out)); - - SAFE_FREE(state->response.extra_data.data); - state->response.extra_data.data = SMB_STRDUP(username_out); - if (!state->response.extra_data.data) { - return NT_STATUS_NO_MEMORY; - } - state->response.length += - strlen((const char *)state->response.extra_data.data)+1; - - return NT_STATUS_OK; -} - -static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx, - struct winbindd_cli_state *state, - const NET_USER_INFO_3 *info3, - const char *name_domain, - const char *name_user) -{ - char *afsname = NULL; - char *cell; - - afsname = talloc_strdup(mem_ctx, lp_afs_username_map()); - if (afsname == NULL) { - return NT_STATUS_NO_MEMORY; - } - - afsname = talloc_string_sub(mem_ctx, - lp_afs_username_map(), - "%D", name_domain); - afsname = talloc_string_sub(mem_ctx, afsname, - "%u", name_user); - afsname = talloc_string_sub(mem_ctx, afsname, - "%U", name_user); - - { - DOM_SID user_sid; - fstring sidstr; - - sid_copy(&user_sid, &info3->dom_sid.sid); - sid_append_rid(&user_sid, info3->user_rid); - sid_to_string(sidstr, &user_sid); - afsname = talloc_string_sub(mem_ctx, afsname, - "%s", sidstr); - } - - if (afsname == NULL) { - return NT_STATUS_NO_MEMORY; - } - - strlower_m(afsname); - - DEBUG(10, ("Generating token for user %s\n", afsname)); - - cell = strchr(afsname, '@'); - - if (cell == NULL) { - return NT_STATUS_NO_MEMORY; - } - - *cell = '\0'; - cell += 1; - - /* Append an AFS token string */ - SAFE_FREE(state->response.extra_data.data); - state->response.extra_data.data = - afs_createtoken_str(afsname, cell); - - if (state->response.extra_data.data != NULL) { - state->response.length += - strlen((const char *)state->response.extra_data.data)+1; - } - - return NT_STATUS_OK; -} - -static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, - NET_USER_INFO_3 *info3, - const char *group_sid) -/** - * Check whether a user belongs to a group or list of groups. - * - * @param mem_ctx talloc memory context. - * @param info3 user information, including group membership info. - * @param group_sid One or more groups , separated by commas. - * - * @return NT_STATUS_OK on success, - * NT_STATUS_LOGON_FAILURE if the user does not belong, - * or other NT_STATUS_IS_ERR(status) for other kinds of failure. - */ -{ - DOM_SID *require_membership_of_sid; - size_t num_require_membership_of_sid; - fstring req_sid; - const char *p; - DOM_SID sid; - size_t i; - struct nt_user_token *token; - NTSTATUS status; - - /* Parse the 'required group' SID */ - - if (!group_sid || !group_sid[0]) { - /* NO sid supplied, all users may access */ - return NT_STATUS_OK; - } - - if (!(token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) { - DEBUG(0, ("talloc failed\n")); - return NT_STATUS_NO_MEMORY; - } - - num_require_membership_of_sid = 0; - require_membership_of_sid = NULL; - - p = group_sid; - - while (next_token(&p, req_sid, ",", sizeof(req_sid))) { - if (!string_to_sid(&sid, req_sid)) { - DEBUG(0, ("check_info3_in_group: could not parse %s " - "as a SID!", req_sid)); - return NT_STATUS_INVALID_PARAMETER; - } - - if (!add_sid_to_array(mem_ctx, &sid, - &require_membership_of_sid, - &num_require_membership_of_sid)) { - DEBUG(0, ("add_sid_to_array failed\n")); - return NT_STATUS_NO_MEMORY; - } - } - - status = sid_array_from_info3(mem_ctx, info3, - &token->user_sids, - &token->num_sids, - True); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(), - token)) - || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin, - token))) { - DEBUG(3, ("could not add aliases: %s\n", - nt_errstr(status))); - return status; - } - - debug_nt_user_token(DBGC_CLASS, 10, token); - - for (i=0; i<num_require_membership_of_sid; i++) { - DEBUG(10, ("Checking SID %s\n", sid_string_static( - &require_membership_of_sid[i]))); - if (nt_token_check_sid(&require_membership_of_sid[i], - token)) { - DEBUG(10, ("Access ok\n")); - return NT_STATUS_OK; - } - } - - /* Do not distinguish this error from a wrong username/pw */ - - return NT_STATUS_LOGON_FAILURE; -} - -struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state, - const char *domain_name) -{ - struct winbindd_domain *domain; - - if (IS_DC) { - domain = find_domain_from_name_noinit(domain_name); - if (domain == NULL) { - DEBUG(3, ("Authentication for domain [%s] refused" - "as it is not a trusted domain\n", - domain_name)); - } - return domain; - } - - if (is_myname(domain_name)) { - DEBUG(3, ("Authentication for domain %s (local domain " - "to this server) not supported at this " - "stage\n", domain_name)); - return NULL; - } - - /* we can auth against trusted domains */ - if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) { - domain = find_domain_from_name_noinit(domain_name); - if (domain == NULL) { - DEBUG(3, ("Authentication for domain [%s] skipped " - "as it is not a trusted domain\n", - domain_name)); - } else { - return domain; - } - } - - return find_our_domain(); -} - -static void set_auth_errors(struct winbindd_response *resp, NTSTATUS result) -{ - resp->data.auth.nt_status = NT_STATUS_V(result); - fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result)); - - /* we might have given a more useful error above */ - if (*resp->data.auth.error_string == '\0') - fstrcpy(resp->data.auth.error_string, - get_friendly_nt_error_msg(result)); - resp->data.auth.pam_error = nt_status_to_pam(result); -} - -static NTSTATUS fillup_password_policy(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - struct winbindd_methods *methods; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - SAM_UNK_INFO_1 password_policy; - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(5,("fillup_password_policy: No inbound trust to " - "contact domain %s\n", domain->name)); - return NT_STATUS_NOT_SUPPORTED; - } - - methods = domain->methods; - - status = methods->password_policy(domain, state->mem_ctx, &password_policy); - if (NT_STATUS_IS_ERR(status)) { - return status; - } - - state->response.data.auth.policy.min_length_password = - password_policy.min_length_password; - state->response.data.auth.policy.password_history = - password_policy.password_history; - state->response.data.auth.policy.password_properties = - password_policy.password_properties; - state->response.data.auth.policy.expire = - nt_time_to_unix_abs(&(password_policy.expire)); - state->response.data.auth.policy.min_passwordage = - nt_time_to_unix_abs(&(password_policy.min_passwordage)); - - return NT_STATUS_OK; -} - -static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint16 *max_allowed_bad_attempts) -{ - struct winbindd_methods *methods; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - SAM_UNK_INFO_12 lockout_policy; - - *max_allowed_bad_attempts = 0; - - methods = domain->methods; - - status = methods->lockout_policy(domain, mem_ctx, &lockout_policy); - if (NT_STATUS_IS_ERR(status)) { - return status; - } - - *max_allowed_bad_attempts = lockout_policy.bad_attempt_lockout; - - return NT_STATUS_OK; -} - -static NTSTATUS get_pwd_properties(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *password_properties) -{ - struct winbindd_methods *methods; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - SAM_UNK_INFO_1 password_policy; - - *password_properties = 0; - - methods = domain->methods; - - status = methods->password_policy(domain, mem_ctx, &password_policy); - if (NT_STATUS_IS_ERR(status)) { - return status; - } - - *password_properties = password_policy.password_properties; - - return NT_STATUS_OK; -} - -#ifdef HAVE_KRB5 - -static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, - const char *type, - uid_t uid, - BOOL *internal_ccache) -{ - /* accept FILE and WRFILE as krb5_cc_type from the client and then - * build the full ccname string based on the user's uid here - - * Guenther*/ - - const char *gen_cc = NULL; - - *internal_ccache = True; - - if (uid == -1) { - goto memory_ccache; - } - - if (!type || type[0] == '\0') { - goto memory_ccache; - } - - if (strequal(type, "FILE")) { - gen_cc = talloc_asprintf(mem_ctx, "FILE:/tmp/krb5cc_%d", uid); - } else if (strequal(type, "WRFILE")) { - gen_cc = talloc_asprintf(mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid); - } else { - DEBUG(10,("we don't allow to set a %s type ccache\n", type)); - goto memory_ccache; - } - - *internal_ccache = False; - goto done; - - memory_ccache: - gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache"); - - done: - if (gen_cc == NULL) { - DEBUG(0,("out of memory\n")); - return NULL; - } - - DEBUG(10,("using ccache: %s %s\n", gen_cc, *internal_ccache ? "(internal)":"")); - - return gen_cc; -} - -static void setup_return_cc_name(struct winbindd_cli_state *state, const char *cc) -{ - const char *type = state->request.data.auth.krb5_cc_type; - - state->response.data.auth.krb5ccname[0] = '\0'; - - if (type[0] == '\0') { - return; - } - - if (!strequal(type, "FILE") && - !strequal(type, "WRFILE")) { - DEBUG(10,("won't return krbccname for a %s type ccache\n", - type)); - return; - } - - fstrcpy(state->response.data.auth.krb5ccname, cc); -} - -#endif - -static uid_t get_uid_from_state(struct winbindd_cli_state *state) -{ - uid_t uid = -1; - - uid = state->request.data.auth.uid; - - if (uid < 0) { - DEBUG(1,("invalid uid: '%d'\n", uid)); - return -1; - } - return uid; -} - -/********************************************************************** - Authenticate a user with a clear text password using Kerberos and fill up - ccache if required - **********************************************************************/ - -static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain, - struct winbindd_cli_state *state, - NET_USER_INFO_3 **info3) -{ -#ifdef HAVE_KRB5 - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - krb5_error_code krb5_ret; - const char *cc = NULL; - const char *principal_s = NULL; - const char *service = NULL; - char *realm = NULL; - fstring name_domain, name_user; - time_t ticket_lifetime = 0; - time_t renewal_until = 0; - uid_t uid = -1; - ADS_STRUCT *ads; - time_t time_offset = 0; - BOOL internal_ccache = True; - - ZERO_STRUCTP(info3); - - *info3 = NULL; - - /* 1st step: - * prepare a krb5_cc_cache string for the user */ - - uid = get_uid_from_state(state); - if (uid == -1) { - DEBUG(0,("no valid uid\n")); - } - - cc = generate_krb5_ccache(state->mem_ctx, - state->request.data.auth.krb5_cc_type, - state->request.data.auth.uid, - &internal_ccache); - if (cc == NULL) { - return NT_STATUS_NO_MEMORY; - } - - - /* 2nd step: - * get kerberos properties */ - - if (domain->private_data) { - ads = (ADS_STRUCT *)domain->private_data; - time_offset = ads->auth.time_offset; - } - - - /* 3rd step: - * do kerberos auth and setup ccache as the user */ - - parse_domain_user(state->request.data.auth.user, name_domain, name_user); - - realm = domain->alt_name; - strupper_m(realm); - - principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm); - if (principal_s == NULL) { - return NT_STATUS_NO_MEMORY; - } - - service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm); - if (service == NULL) { - return NT_STATUS_NO_MEMORY; - } - - /* if this is a user ccache, we need to act as the user to let the krb5 - * library handle the chown, etc. */ - - /************************ ENTERING NON-ROOT **********************/ - - if (!internal_ccache) { - set_effective_uid(uid); - DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid)); - } - - result = kerberos_return_info3_from_pac(state->mem_ctx, - principal_s, - state->request.data.auth.pass, - time_offset, - &ticket_lifetime, - &renewal_until, - cc, - True, - True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - info3); - if (!internal_ccache) { - gain_root_privilege(); - } - - /************************ RETURNED TO ROOT **********************/ - - if (!NT_STATUS_IS_OK(result)) { - goto failed; - } - - DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", - principal_s)); - - /* if we had a user's ccache then return that string for the pam - * environment */ - - if (!internal_ccache) { - - setup_return_cc_name(state, cc); - - result = add_ccache_to_list(principal_s, - cc, - service, - state->request.data.auth.user, - realm, - uid, - time(NULL), - ticket_lifetime, - renewal_until, - False); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n", - nt_errstr(result))); - } - } else { - - /* need to delete the memory cred cache, it is not used anymore */ - - krb5_ret = ads_kdestroy(cc); - if (krb5_ret) { - DEBUG(3,("winbindd_raw_kerberos_login: " - "could not destroy krb5 credential cache: " - "%s\n", error_message(krb5_ret))); - } - - } - - return NT_STATUS_OK; - -failed: - - /* we could have created a new credential cache with a valid tgt in it - * but we werent able to get or verify the service ticket for this - * local host and therefor didn't get the PAC, we need to remove that - * cache entirely now */ - - krb5_ret = ads_kdestroy(cc); - if (krb5_ret) { - DEBUG(3,("winbindd_raw_kerberos_login: " - "could not destroy krb5 credential cache: " - "%s\n", error_message(krb5_ret))); - } - - if (!NT_STATUS_IS_OK(remove_ccache(state->request.data.auth.user))) { - DEBUG(3,("winbindd_raw_kerberos_login: " - "could not remove ccache for user %s\n", - state->request.data.auth.user)); - } - - return result; -#else - return NT_STATUS_NOT_SUPPORTED; -#endif /* HAVE_KRB5 */ -} - -/**************************************************************** -****************************************************************/ - -static BOOL check_request_flags(uint32_t flags) -{ - uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN | - WBFLAG_PAM_UNIX_NAME | - WBFLAG_PAM_INFO3_NDR; - - if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) || - ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) || - ( (flags & flags_edata) == WBFLAG_PAM_UNIX_NAME) || - !(flags & flags_edata) ) { - return True; - } - - DEBUG(1,("check_request_flags: invalid request flags\n")); - - return False; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS append_data(struct winbindd_cli_state *state, - NET_USER_INFO_3 *info3, - const char *name_domain, - const char *name_user) -{ - NTSTATUS result; - uint32_t flags = state->request.flags; - - if (flags & WBFLAG_PAM_USER_SESSION_KEY) { - memcpy(state->response.data.auth.user_session_key, - info3->user_sess_key, - sizeof(state->response.data.auth.user_session_key) - /* 16 */); - } - - if (flags & WBFLAG_PAM_LMKEY) { - memcpy(state->response.data.auth.first_8_lm_hash, - info3->lm_sess_key, - sizeof(state->response.data.auth.first_8_lm_hash) - /* 8 */); - } - - if (flags & WBFLAG_PAM_INFO3_TEXT) { - result = append_info3_as_txt(state->mem_ctx, state, info3); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("Failed to append INFO3 (TXT): %s\n", - nt_errstr(result))); - return result; - } - } - - /* currently, anything from here on potentially overwrites extra_data. */ - - if (flags & WBFLAG_PAM_INFO3_NDR) { - result = append_info3_as_ndr(state->mem_ctx, state, info3); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("Failed to append INFO3 (NDR): %s\n", - nt_errstr(result))); - return result; - } - } - - if (flags & WBFLAG_PAM_UNIX_NAME) { - result = append_unix_username(state->mem_ctx, state, info3, - name_domain, name_user); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("Failed to append Unix Username: %s\n", - nt_errstr(result))); - return result; - } - } - - if (flags & WBFLAG_PAM_AFS_TOKEN) { - result = append_afs_token(state->mem_ctx, state, info3, - name_domain, name_user); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("Failed to append AFS token: %s\n", - nt_errstr(result))); - return result; - } - } - - return NT_STATUS_OK; -} - -void winbindd_pam_auth(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain; - fstring name_domain, name_user; - NTSTATUS result; - - /* Ensure null termination */ - state->request.data.auth.user - [sizeof(state->request.data.auth.user)-1]='\0'; - - /* Ensure null termination */ - state->request.data.auth.pass - [sizeof(state->request.data.auth.pass)-1]='\0'; - - DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid, - state->request.data.auth.user)); - - if (!check_request_flags(state->request.flags)) { - result = NT_STATUS_INVALID_PARAMETER_MIX; - goto done; - } - - /* Parse domain and username */ - - ws_name_return( state->request.data.auth.user, WB_REPLACE_CHAR ); - - if (!canonicalize_username(state->request.data.auth.user, - name_domain, name_user)) { - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - - domain = find_auth_domain(state, name_domain); - - if (domain == NULL) { - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - - sendto_domain(state, domain); - return; - done: - set_auth_errors(&state->response, result); - DEBUG(5, ("Plain text authentication for %s returned %s " - "(PAM: %d)\n", - state->request.data.auth.user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); - request_error(state); -} - -NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, - struct winbindd_cli_state *state, - NET_USER_INFO_3 **info3) -{ - NTSTATUS result = NT_STATUS_LOGON_FAILURE; - uint16 max_allowed_bad_attempts; - fstring name_domain, name_user; - DOM_SID sid; - enum lsa_SidType type; - uchar new_nt_pass[NT_HASH_LEN]; - const uint8 *cached_nt_pass; - const uint8 *cached_salt; - NET_USER_INFO_3 *my_info3; - time_t kickoff_time, must_change_time; - BOOL password_good = False; -#ifdef HAVE_KRB5 - struct winbindd_tdc_domain *tdc_domain = NULL; -#endif - - *info3 = NULL; - - ZERO_STRUCTP(info3); - - DEBUG(10,("winbindd_dual_pam_auth_cached\n")); - - /* Parse domain and username */ - - parse_domain_user(state->request.data.auth.user, name_domain, name_user); - - - if (!lookup_cached_name(state->mem_ctx, - name_domain, - name_user, - &sid, - &type)) { - DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n")); - return NT_STATUS_NO_SUCH_USER; - } - - if (type != SID_NAME_USER) { - DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type))); - return NT_STATUS_LOGON_FAILURE; - } - - result = winbindd_get_creds(domain, - state->mem_ctx, - &sid, - &my_info3, - &cached_nt_pass, - &cached_salt); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result))); - return result; - } - - *info3 = my_info3; - - E_md4hash(state->request.data.auth.pass, new_nt_pass); - - dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN); - dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN); - if (cached_salt) { - dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN); - } - - if (cached_salt) { - /* In this case we didn't store the nt_hash itself, - but the MD5 combination of salt + nt_hash. */ - uchar salted_hash[NT_HASH_LEN]; - E_md5hash(cached_salt, new_nt_pass, salted_hash); - - password_good = (memcmp(cached_nt_pass, salted_hash, NT_HASH_LEN) == 0) ? - True : False; - } else { - /* Old cached cred - direct store of nt_hash (bad bad bad !). */ - password_good = (memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN) == 0) ? - True : False; - } - - if (password_good) { - - /* User *DOES* know the password, update logon_time and reset - * bad_pw_count */ - - my_info3->user_flgs |= LOGON_CACHED_ACCOUNT; - - if (my_info3->acct_flags & ACB_AUTOLOCK) { - return NT_STATUS_ACCOUNT_LOCKED_OUT; - } - - if (my_info3->acct_flags & ACB_DISABLED) { - return NT_STATUS_ACCOUNT_DISABLED; - } - - if (my_info3->acct_flags & ACB_WSTRUST) { - return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT; - } - - if (my_info3->acct_flags & ACB_SVRTRUST) { - return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; - } - - if (my_info3->acct_flags & ACB_DOMTRUST) { - return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; - } - - if (!(my_info3->acct_flags & ACB_NORMAL)) { - DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n", - my_info3->acct_flags)); - return NT_STATUS_LOGON_FAILURE; - } - - kickoff_time = nt_time_to_unix(my_info3->kickoff_time); - if (kickoff_time != 0 && time(NULL) > kickoff_time) { - return NT_STATUS_ACCOUNT_EXPIRED; - } - - must_change_time = nt_time_to_unix(my_info3->pass_must_change_time); - if (must_change_time != 0 && must_change_time < time(NULL)) { - /* we allow grace logons when the password has expired */ - my_info3->user_flgs |= LOGON_GRACE_LOGON; - /* return NT_STATUS_PASSWORD_EXPIRED; */ - goto success; - } - -#ifdef HAVE_KRB5 - if ((state->request.flags & WBFLAG_PAM_KRB5) && - ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) && - (tdc_domain->trust_type & DS_DOMAIN_TRUST_TYPE_UPLEVEL)) { - - uid_t uid = -1; - const char *cc = NULL; - char *realm = NULL; - const char *principal_s = NULL; - const char *service = NULL; - BOOL internal_ccache = False; - - uid = get_uid_from_state(state); - if (uid == -1) { - DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - cc = generate_krb5_ccache(state->mem_ctx, - state->request.data.auth.krb5_cc_type, - state->request.data.auth.uid, - &internal_ccache); - if (cc == NULL) { - return NT_STATUS_NO_MEMORY; - } - - realm = domain->alt_name; - strupper_m(realm); - - principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm); - if (principal_s == NULL) { - return NT_STATUS_NO_MEMORY; - } - - service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm); - if (service == NULL) { - return NT_STATUS_NO_MEMORY; - } - - if (!internal_ccache) { - - setup_return_cc_name(state, cc); - - result = add_ccache_to_list(principal_s, - cc, - service, - state->request.data.auth.user, - domain->alt_name, - uid, - time(NULL), - time(NULL) + lp_winbind_cache_time(), - time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - True); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_dual_pam_auth_cached: failed " - "to add ccache to list: %s\n", - nt_errstr(result))); - } - } - } -#endif /* HAVE_KRB5 */ - success: - /* FIXME: we possibly should handle logon hours as well (does xp when - * offline?) see auth/auth_sam.c:sam_account_ok for details */ - - unix_to_nt_time(&my_info3->logon_time, time(NULL)); - my_info3->bad_pw_count = 0; - - result = winbindd_update_creds_by_info3(domain, - state->mem_ctx, - state->request.data.auth.user, - state->request.data.auth.pass, - my_info3); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n", - nt_errstr(result))); - return result; - } - - return NT_STATUS_OK; - - } - - /* User does *NOT* know the correct password, modify info3 accordingly */ - - /* failure of this is not critical */ - result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. " - "Won't be able to honour account lockout policies\n")); - } - - /* increase counter */ - my_info3->bad_pw_count++; - - if (max_allowed_bad_attempts == 0) { - goto failed; - } - - /* lockout user */ - if (my_info3->bad_pw_count >= max_allowed_bad_attempts) { - - uint32 password_properties; - - result = get_pwd_properties(domain, state->mem_ctx, &password_properties); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n")); - } - - if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) || - (password_properties & DOMAIN_LOCKOUT_ADMINS)) { - my_info3->acct_flags |= ACB_AUTOLOCK; - } - } - -failed: - result = winbindd_update_creds_by_info3(domain, - state->mem_ctx, - state->request.data.auth.user, - NULL, - my_info3); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n", - nt_errstr(result))); - } - - return NT_STATUS_LOGON_FAILURE; -} - -NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, - struct winbindd_cli_state *state, - NET_USER_INFO_3 **info3) -{ - struct winbindd_domain *contact_domain; - fstring name_domain, name_user; - NTSTATUS result; - - DEBUG(10,("winbindd_dual_pam_auth_kerberos\n")); - - /* Parse domain and username */ - - parse_domain_user(state->request.data.auth.user, name_domain, name_user); - - /* what domain should we contact? */ - - if ( IS_DC ) { - if (!(contact_domain = find_domain_from_name(name_domain))) { - DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", - state->request.data.auth.user, name_domain, name_user, name_domain)); - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - - } else { - if (is_myname(name_domain)) { - DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain)); - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - - contact_domain = find_domain_from_name(name_domain); - if (contact_domain == NULL) { - DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", - state->request.data.auth.user, name_domain, name_user, name_domain)); - - contact_domain = find_our_domain(); - } - } - - if (contact_domain->initialized && - contact_domain->active_directory) { - goto try_login; - } - - if (!contact_domain->initialized) { - init_dc_connection(contact_domain); - } - - if (!contact_domain->active_directory) { - DEBUG(3,("krb5 auth requested but domain is not Active Directory\n")); - return NT_STATUS_INVALID_LOGON_TYPE; - } -try_login: - result = winbindd_raw_kerberos_login(contact_domain, state, info3); -done: - return result; -} - -NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain, - struct winbindd_cli_state *state, - NET_USER_INFO_3 **info3) -{ - - struct rpc_pipe_client *netlogon_pipe; - uchar chal[8]; - DATA_BLOB lm_resp; - DATA_BLOB nt_resp; - int attempts = 0; - unsigned char local_lm_response[24]; - unsigned char local_nt_response[24]; - struct winbindd_domain *contact_domain; - fstring name_domain, name_user; - BOOL retry; - NTSTATUS result; - NET_USER_INFO_3 *my_info3; - - ZERO_STRUCTP(info3); - - *info3 = NULL; - - my_info3 = TALLOC_ZERO_P(state->mem_ctx, NET_USER_INFO_3); - if (my_info3 == NULL) { - return NT_STATUS_NO_MEMORY; - } - - - DEBUG(10,("winbindd_dual_pam_auth_samlogon\n")); - - /* Parse domain and username */ - - parse_domain_user(state->request.data.auth.user, name_domain, name_user); - - /* do password magic */ - - - generate_random_buffer(chal, 8); - if (lp_client_ntlmv2_auth()) { - DATA_BLOB server_chal; - DATA_BLOB names_blob; - DATA_BLOB nt_response; - DATA_BLOB lm_response; - server_chal = data_blob_talloc(state->mem_ctx, chal, 8); - - /* note that the 'workgroup' here is a best guess - we don't know - the server's domain at this point. The 'server name' is also - dodgy... - */ - names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup()); - - if (!SMBNTLMv2encrypt(name_user, name_domain, - state->request.data.auth.pass, - &server_chal, - &names_blob, - &lm_response, &nt_response, NULL)) { - data_blob_free(&names_blob); - data_blob_free(&server_chal); - DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n")); - result = NT_STATUS_NO_MEMORY; - goto done; - } - data_blob_free(&names_blob); - data_blob_free(&server_chal); - lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data, - lm_response.length); - nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data, - nt_response.length); - data_blob_free(&lm_response); - data_blob_free(&nt_response); - - } else { - if (lp_client_lanman_auth() - && SMBencrypt(state->request.data.auth.pass, - chal, - local_lm_response)) { - lm_resp = data_blob_talloc(state->mem_ctx, - local_lm_response, - sizeof(local_lm_response)); - } else { - lm_resp = data_blob_null; - } - SMBNTencrypt(state->request.data.auth.pass, - chal, - local_nt_response); - - nt_resp = data_blob_talloc(state->mem_ctx, - local_nt_response, - sizeof(local_nt_response)); - } - - /* what domain should we contact? */ - - if ( IS_DC ) { - if (!(contact_domain = find_domain_from_name(name_domain))) { - DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", - state->request.data.auth.user, name_domain, name_user, name_domain)); - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - - } else { - if (is_myname(name_domain)) { - DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain)); - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - - contact_domain = find_our_domain(); - } - - /* check authentication loop */ - - do { - NTSTATUS (*logon_fn)(struct rpc_pipe_client - *cli, TALLOC_CTX *mem_ctx, - uint32 logon_parameters, - const char *server, - const char *username, - const char *domain, - const char *workstation, - const uint8 chal[8], - DATA_BLOB lm_response, - DATA_BLOB nt_response, - NET_USER_INFO_3 *info3); - - ZERO_STRUCTP(my_info3); - retry = False; - - result = cm_connect_netlogon(contact_domain, &netlogon_pipe); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(3, ("could not open handle to NETLOGON pipe\n")); - goto done; - } - - logon_fn = contact_domain->can_do_samlogon_ex - ? rpccli_netlogon_sam_network_logon_ex - : rpccli_netlogon_sam_network_logon; - - result = logon_fn(netlogon_pipe, - state->mem_ctx, - 0, - contact_domain->dcname, /* server name */ - name_user, /* user name */ - name_domain, /* target domain */ - global_myname(), /* workstation */ - chal, - lm_resp, - nt_resp, - my_info3); - - if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) - && contact_domain->can_do_samlogon_ex) { - DEBUG(3, ("Got a DC that can not do NetSamLogonEx, " - "retrying with NetSamLogon\n")); - contact_domain->can_do_samlogon_ex = False; - retry = True; - continue; - } - - attempts += 1; - - /* We have to try a second time as cm_connect_netlogon - might not yet have noticed that the DC has killed - our connection. */ - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) { - retry = True; - continue; - } - - /* if we get access denied, a possible cause was that we had - and open connection to the DC, but someone changed our - machine account password out from underneath us using 'net - rpc changetrustpw' */ - - if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) { - DEBUG(3,("winbindd_pam_auth: sam_logon returned " - "ACCESS_DENIED. Maybe the trust account " - "password was changed and we didn't know it. " - "Killing connections to domain %s\n", - name_domain)); - invalidate_cm_connection(&contact_domain->conn); - retry = True; - } - - } while ( (attempts < 2) && retry ); - - /* handle the case where a NT4 DC does not fill in the acct_flags in - * the samlogon reply info3. When accurate info3 is required by the - * caller, we look up the account flags ourselve - gd */ - - if ((state->request.flags & WBFLAG_PAM_INFO3_TEXT) && - (my_info3->acct_flags == 0) && NT_STATUS_IS_OK(result)) { - - struct rpc_pipe_client *samr_pipe; - POLICY_HND samr_domain_handle, user_pol; - SAM_USERINFO_CTR *user_ctr; - NTSTATUS status_tmp; - uint32 acct_flags; - - ZERO_STRUCT(user_ctr); - - status_tmp = cm_connect_sam(contact_domain, state->mem_ctx, - &samr_pipe, &samr_domain_handle); - - if (!NT_STATUS_IS_OK(status_tmp)) { - DEBUG(3, ("could not open handle to SAMR pipe: %s\n", - nt_errstr(status_tmp))); - goto done; - } - - status_tmp = rpccli_samr_open_user(samr_pipe, state->mem_ctx, - &samr_domain_handle, - MAXIMUM_ALLOWED_ACCESS, - my_info3->user_rid, &user_pol); - - if (!NT_STATUS_IS_OK(status_tmp)) { - DEBUG(3, ("could not open user handle on SAMR pipe: %s\n", - nt_errstr(status_tmp))); - goto done; - } - - status_tmp = rpccli_samr_query_userinfo(samr_pipe, state->mem_ctx, - &user_pol, 16, &user_ctr); - - if (!NT_STATUS_IS_OK(status_tmp)) { - DEBUG(3, ("could not query user info on SAMR pipe: %s\n", - nt_errstr(status_tmp))); - rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol); - goto done; - } - - acct_flags = user_ctr->info.id16->acb_info; - - if (acct_flags == 0) { - rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol); - goto done; - } - - my_info3->acct_flags = acct_flags; - - DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags)); - - rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol); - } - - *info3 = my_info3; -done: - return result; -} - -enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - NTSTATUS result = NT_STATUS_LOGON_FAILURE; - NTSTATUS krb5_result = NT_STATUS_OK; - fstring name_domain, name_user; - NET_USER_INFO_3 *info3 = NULL; - - /* Ensure null termination */ - state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0'; - - /* Ensure null termination */ - state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0'; - - DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid, - state->request.data.auth.user)); - - if (!check_request_flags(state->request.flags)) { - result = NT_STATUS_INVALID_PARAMETER_MIX; - goto done; - } - - /* Parse domain and username */ - - ws_name_return( state->request.data.auth.user, WB_REPLACE_CHAR ); - - parse_domain_user(state->request.data.auth.user, name_domain, name_user); - - if (domain->online == False) { - result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; - if (domain->startup) { - /* Logons are very important to users. If we're offline and - we get a request within the first 30 seconds of startup, - try very hard to find a DC and go online. */ - - DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth " - "request in startup mode.\n", domain->name )); - - winbindd_flush_negative_conn_cache(domain); - result = init_dc_connection(domain); - } - } - - DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline")); - - /* Check for Kerberos authentication */ - if (domain->online && (state->request.flags & WBFLAG_PAM_KRB5)) { - - result = winbindd_dual_pam_auth_kerberos(domain, state, &info3); - /* save for later */ - krb5_result = result; - - - if (NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n")); - goto process_result; - } else { - DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result))); - } - - if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) || - NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) || - NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) { - DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n")); - set_domain_offline( domain ); - goto cached_logon; - } - - /* there are quite some NT_STATUS errors where there is no - * point in retrying with a samlogon, we explictly have to take - * care not to increase the bad logon counter on the DC */ - - if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) || - NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) || - NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) || - NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) || - NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) || - NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) || - NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) || - NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) || - NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) || - NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) { - goto process_result; - } - - if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) { - DEBUG(3,("falling back to samlogon\n")); - goto sam_logon; - } else { - goto cached_logon; - } - } - -sam_logon: - /* Check for Samlogon authentication */ - if (domain->online) { - result = winbindd_dual_pam_auth_samlogon(domain, state, &info3); - - if (NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n")); - /* add the Krb5 err if we have one */ - if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) { - info3->user_flgs |= LOGON_KRB5_FAIL_CLOCK_SKEW; - } - goto process_result; - } - - DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n", - nt_errstr(result))); - - if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) || - NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) || - NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) - { - DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n")); - set_domain_offline( domain ); - goto cached_logon; - } - - if (domain->online) { - /* We're still online - fail. */ - goto done; - } - } - -cached_logon: - /* Check for Cached logons */ - if (!domain->online && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) && - lp_winbind_offline_logon()) { - - result = winbindd_dual_pam_auth_cached(domain, state, &info3); - - if (NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n")); - goto process_result; - } else { - DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result))); - goto done; - } - } - -process_result: - - if (NT_STATUS_IS_OK(result)) { - - DOM_SID user_sid; - - /* In all codepaths where result == NT_STATUS_OK info3 must have - been initialized. */ - if (!info3) { - result = NT_STATUS_INTERNAL_ERROR; - goto done; - } - - netsamlogon_cache_store(name_user, info3); - wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3); - - /* save name_to_sid info as early as possible (only if - this is our primary domain so we don't invalidate - the cache entry by storing the seq_num for the wrong - domain). */ - if ( domain->primary ) { - sid_compose(&user_sid, &info3->dom_sid.sid, - info3->user_rid); - cache_name2sid(domain, name_domain, name_user, - SID_NAME_USER, &user_sid); - } - - /* Check if the user is in the right group */ - - if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3, - state->request.data.auth.require_membership_of_sid))) { - DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n", - state->request.data.auth.user, - state->request.data.auth.require_membership_of_sid)); - goto done; - } - - result = append_data(state, info3, name_domain, name_user); - if (!NT_STATUS_IS_OK(result)) { - goto done; - } - - if ((state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) { - - /* Store in-memory creds for single-signon using ntlm_auth. */ - result = winbindd_add_memory_creds(state->request.data.auth.user, - get_uid_from_state(state), - state->request.data.auth.pass); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("Failed to store memory creds: %s\n", nt_errstr(result))); - goto done; - } - - if (lp_winbind_offline_logon()) { - result = winbindd_store_creds(domain, - state->mem_ctx, - state->request.data.auth.user, - state->request.data.auth.pass, - info3, NULL); - if (!NT_STATUS_IS_OK(result)) { - - /* Release refcount. */ - winbindd_delete_memory_creds(state->request.data.auth.user); - - DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result))); - goto done; - } - } - } - - result = fillup_password_policy(domain, state); - - if (!NT_STATUS_IS_OK(result) - && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ) - { - DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result))); - goto done; - } - - result = NT_STATUS_OK; - } - -done: - /* give us a more useful (more correct?) error code */ - if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || - (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) { - result = NT_STATUS_NO_LOGON_SERVERS; - } - - state->response.data.auth.nt_status = NT_STATUS_V(result); - fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result)); - - /* we might have given a more useful error above */ - if (!*state->response.data.auth.error_string) - fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result)); - state->response.data.auth.pam_error = nt_status_to_pam(result); - - DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n", - state->request.data.auth.user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); - - return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; -} - - -/********************************************************************** - Challenge Response Authentication Protocol -**********************************************************************/ - -void winbindd_pam_auth_crap(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain = NULL; - const char *domain_name = NULL; - NTSTATUS result; - - if (!check_request_flags(state->request.flags)) { - result = NT_STATUS_INVALID_PARAMETER_MIX; - goto done; - } - - if (!state->privileged) { - char *error_string = NULL; - DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access " - "denied. !\n")); - DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions " - "on %s are set correctly.\n", - get_winbind_priv_pipe_dir())); - /* send a better message than ACCESS_DENIED */ - error_string = talloc_asprintf(state->mem_ctx, - "winbind client not authorized " - "to use winbindd_pam_auth_crap." - " Ensure permissions on %s " - "are set correctly.", - get_winbind_priv_pipe_dir()); - fstrcpy(state->response.data.auth.error_string, error_string); - result = NT_STATUS_ACCESS_DENIED; - goto done; - } - - /* Ensure null termination */ - state->request.data.auth_crap.user - [sizeof(state->request.data.auth_crap.user)-1]=0; - state->request.data.auth_crap.domain - [sizeof(state->request.data.auth_crap.domain)-1]=0; - - DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n", - (unsigned long)state->pid, - state->request.data.auth_crap.domain, - state->request.data.auth_crap.user)); - - if (*state->request.data.auth_crap.domain != '\0') { - domain_name = state->request.data.auth_crap.domain; - } else if (lp_winbind_use_default_domain()) { - domain_name = lp_workgroup(); - } - - if (domain_name != NULL) - domain = find_auth_domain(state, domain_name); - - if (domain != NULL) { - sendto_domain(state, domain); - return; - } - - result = NT_STATUS_NO_SUCH_USER; - - done: - set_auth_errors(&state->response, result); - DEBUG(5, ("CRAP authentication for %s\\%s returned %s (PAM: %d)\n", - state->request.data.auth_crap.domain, - state->request.data.auth_crap.user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); - request_error(state); - return; -} - - -enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - NTSTATUS result; - NET_USER_INFO_3 info3; - struct rpc_pipe_client *netlogon_pipe; - const char *name_user = NULL; - const char *name_domain = NULL; - const char *workstation; - struct winbindd_domain *contact_domain; - int attempts = 0; - BOOL retry; - - DATA_BLOB lm_resp, nt_resp; - - /* This is child-only, so no check for privileged access is needed - anymore */ - - /* Ensure null termination */ - state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0; - state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0; - - if (!check_request_flags(state->request.flags)) { - result = NT_STATUS_INVALID_PARAMETER_MIX; - goto done; - } - - name_user = state->request.data.auth_crap.user; - - if (*state->request.data.auth_crap.domain) { - name_domain = state->request.data.auth_crap.domain; - } else if (lp_winbind_use_default_domain()) { - name_domain = lp_workgroup(); - } else { - DEBUG(5,("no domain specified with username (%s) - failing auth\n", - name_user)); - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - - DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid, - name_domain, name_user)); - - if (*state->request.data.auth_crap.workstation) { - workstation = state->request.data.auth_crap.workstation; - } else { - workstation = global_myname(); - } - - if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp) - || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) { - DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n", - state->request.data.auth_crap.lm_resp_len, - state->request.data.auth_crap.nt_resp_len)); - result = NT_STATUS_INVALID_PARAMETER; - goto done; - } - - lm_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.lm_resp, - state->request.data.auth_crap.lm_resp_len); - nt_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.nt_resp, - state->request.data.auth_crap.nt_resp_len); - - /* what domain should we contact? */ - - if ( IS_DC ) { - if (!(contact_domain = find_domain_from_name(name_domain))) { - DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", - state->request.data.auth_crap.user, name_domain, name_user, name_domain)); - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - } else { - if (is_myname(name_domain)) { - DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain)); - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - contact_domain = find_our_domain(); - } - - do { - NTSTATUS (*logon_fn)(struct rpc_pipe_client - *cli, TALLOC_CTX *mem_ctx, - uint32 logon_parameters, - const char *server, - const char *username, - const char *domain, - const char *workstation, - const uint8 chal[8], - DATA_BLOB lm_response, - DATA_BLOB nt_response, - NET_USER_INFO_3 *info3); - - ZERO_STRUCT(info3); - retry = False; - - netlogon_pipe = NULL; - result = cm_connect_netlogon(contact_domain, &netlogon_pipe); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n", - nt_errstr(result))); - goto done; - } - - logon_fn = contact_domain->can_do_samlogon_ex - ? rpccli_netlogon_sam_network_logon_ex - : rpccli_netlogon_sam_network_logon; - - result = logon_fn(netlogon_pipe, - state->mem_ctx, - state->request.data.auth_crap.logon_parameters, - contact_domain->dcname, - name_user, - name_domain, - /* Bug #3248 - found by Stefan Burkei. */ - workstation, /* We carefully set this above so use it... */ - state->request.data.auth_crap.chal, - lm_resp, - nt_resp, - &info3); - - if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) - && contact_domain->can_do_samlogon_ex) { - DEBUG(3, ("Got a DC that can not do NetSamLogonEx, " - "retrying with NetSamLogon\n")); - contact_domain->can_do_samlogon_ex = False; - retry = True; - continue; - } - - attempts += 1; - - /* We have to try a second time as cm_connect_netlogon - might not yet have noticed that the DC has killed - our connection. */ - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) { - retry = True; - continue; - } - - /* if we get access denied, a possible cause was that we had and open - connection to the DC, but someone changed our machine account password - out from underneath us using 'net rpc changetrustpw' */ - - if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) { - DEBUG(3,("winbindd_pam_auth: sam_logon returned " - "ACCESS_DENIED. Maybe the trust account " - "password was changed and we didn't know it. " - "Killing connections to domain %s\n", - name_domain)); - invalidate_cm_connection(&contact_domain->conn); - retry = True; - } - - } while ( (attempts < 2) && retry ); - - if (NT_STATUS_IS_OK(result)) { - - netsamlogon_cache_store(name_user, &info3); - wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3); - - /* Check if the user is in the right group */ - - if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, &info3, - state->request.data.auth_crap.require_membership_of_sid))) { - DEBUG(3, ("User %s is not in the required group (%s), so " - "crap authentication is rejected\n", - state->request.data.auth_crap.user, - state->request.data.auth_crap.require_membership_of_sid)); - goto done; - } - - result = append_data(state, &info3, name_domain, name_user); - if (!NT_STATUS_IS_OK(result)) { - goto done; - } - } - -done: - - /* give us a more useful (more correct?) error code */ - if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || - (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) { - result = NT_STATUS_NO_LOGON_SERVERS; - } - - if (state->request.flags & WBFLAG_PAM_NT_STATUS_SQUASH) { - result = nt_status_squash(result); - } - - state->response.data.auth.nt_status = NT_STATUS_V(result); - fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result)); - - /* we might have given a more useful error above */ - if (!*state->response.data.auth.error_string) { - fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result)); - } - state->response.data.auth.pam_error = nt_status_to_pam(result); - - DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, - ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n", - name_domain, - name_user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); - - return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; -} - -/* Change a user password */ - -void winbindd_pam_chauthtok(struct winbindd_cli_state *state) -{ - fstring domain, user; - struct winbindd_domain *contact_domain; - - DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid, - state->request.data.chauthtok.user)); - - /* Setup crap */ - - ws_name_return( state->request.data.auth.user, WB_REPLACE_CHAR ); - - if (!canonicalize_username(state->request.data.chauthtok.user, domain, user)) { - set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER); - DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s" - "(PAM: %d)\n", - state->request.data.auth.user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); - request_error(state); - return; - } - - contact_domain = find_domain_from_name(domain); - if (!contact_domain) { - set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER); - DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", - state->request.data.chauthtok.user, domain, user, domain)); - request_error(state); - return; - } - - sendto_domain(state, contact_domain); -} - -enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain, - struct winbindd_cli_state *state) -{ - char *oldpass; - char *newpass = NULL; - POLICY_HND dom_pol; - struct rpc_pipe_client *cli; - BOOL got_info = False; - SAM_UNK_INFO_1 info; - SAMR_CHANGE_REJECT reject; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - fstring domain, user; - - DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid, - state->request.data.auth.user)); - - if (!parse_domain_user(state->request.data.chauthtok.user, domain, user)) { - goto done; - } - - /* Change password */ - - oldpass = state->request.data.chauthtok.oldpass; - newpass = state->request.data.chauthtok.newpass; - - /* Initialize reject reason */ - state->response.data.auth.reject_reason = Undefined; - - /* Get sam handle */ - - result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, - &dom_pol); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(1, ("could not get SAM handle on DC for %s\n", domain)); - goto done; - } - - result = rpccli_samr_chgpasswd3(cli, state->mem_ctx, user, newpass, oldpass, &info, &reject); - - /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */ - - if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) { - state->response.data.auth.policy.min_length_password = - info.min_length_password; - state->response.data.auth.policy.password_history = - info.password_history; - state->response.data.auth.policy.password_properties = - info.password_properties; - state->response.data.auth.policy.expire = - nt_time_to_unix_abs(&info.expire); - state->response.data.auth.policy.min_passwordage = - nt_time_to_unix_abs(&info.min_passwordage); - - state->response.data.auth.reject_reason = - reject.reject_reason; - - got_info = True; - } - - /* only fallback when the chgpasswd3 call is not supported */ - if ((NT_STATUS_EQUAL(result, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR))) || - (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) || - (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED))) { - - DEBUG(10,("Password change with chgpasswd3 failed with: %s, retrying chgpasswd_user\n", - nt_errstr(result))); - - result = rpccli_samr_chgpasswd_user(cli, state->mem_ctx, user, newpass, oldpass); - - /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION. - Map to the same status code as Windows 2003. */ - - if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) { - result = NT_STATUS_PASSWORD_RESTRICTION; - } - } - -done: - - if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) { - - /* Update the single sign-on memory creds. */ - result = winbindd_replace_memory_creds(state->request.data.chauthtok.user, - newpass); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("Failed to replace memory creds: %s\n", nt_errstr(result))); - goto process_result; - } - - if (lp_winbind_offline_logon()) { - result = winbindd_update_creds_by_name(contact_domain, - state->mem_ctx, user, - newpass); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result))); - goto process_result; - } - } - } - - if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) { - - NTSTATUS policy_ret; - - policy_ret = fillup_password_policy(contact_domain, state); - - /* failure of this is non critical, it will just provide no - * additional information to the client why the change has - * failed - Guenther */ - - if (!NT_STATUS_IS_OK(policy_ret)) { - DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret))); - goto process_result; - } - } - -process_result: - - state->response.data.auth.nt_status = NT_STATUS_V(result); - fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result)); - fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result)); - state->response.data.auth.pam_error = nt_status_to_pam(result); - - DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, - ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n", - domain, - user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); - - return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; -} - -void winbindd_pam_logoff(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain; - fstring name_domain, user; - uid_t caller_uid = (uid_t)-1; - uid_t request_uid = state->request.data.logoff.uid; - - DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)state->pid, - state->request.data.logoff.user)); - - /* Ensure null termination */ - state->request.data.logoff.user - [sizeof(state->request.data.logoff.user)-1]='\0'; - - state->request.data.logoff.krb5ccname - [sizeof(state->request.data.logoff.krb5ccname)-1]='\0'; - - if (request_uid == (gid_t)-1) { - goto failed; - } - - if (!canonicalize_username(state->request.data.logoff.user, name_domain, user)) { - goto failed; - } - - if ((domain = find_auth_domain(state, name_domain)) == NULL) { - goto failed; - } - - if ((sys_getpeereid(state->sock, &caller_uid)) != 0) { - DEBUG(1,("winbindd_pam_logoff: failed to check peerid: %s\n", - strerror(errno))); - goto failed; - } - - switch (caller_uid) { - case -1: - goto failed; - case 0: - /* root must be able to logoff any user - gd */ - state->request.data.logoff.uid = request_uid; - break; - default: - if (caller_uid != request_uid) { - DEBUG(1,("winbindd_pam_logoff: caller requested invalid uid\n")); - goto failed; - } - state->request.data.logoff.uid = caller_uid; - break; - } - - sendto_domain(state, domain); - return; - - failed: - set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER); - DEBUG(5, ("Pam Logoff for %s returned %s " - "(PAM: %d)\n", - state->request.data.logoff.user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); - request_error(state); - return; -} - -enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - NTSTATUS result = NT_STATUS_NOT_SUPPORTED; - - DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid, - state->request.data.logoff.user)); - - if (!(state->request.flags & WBFLAG_PAM_KRB5)) { - result = NT_STATUS_OK; - goto process_result; - } - - if (state->request.data.logoff.krb5ccname[0] == '\0') { - result = NT_STATUS_OK; - goto process_result; - } - -#ifdef HAVE_KRB5 - - if (state->request.data.logoff.uid < 0) { - DEBUG(0,("winbindd_pam_logoff: invalid uid\n")); - goto process_result; - } - - /* what we need here is to find the corresponding krb5 ccache name *we* - * created for a given username and destroy it */ - - if (!ccache_entry_exists(state->request.data.logoff.user)) { - result = NT_STATUS_OK; - DEBUG(10,("winbindd_pam_logoff: no entry found.\n")); - goto process_result; - } - - if (!ccache_entry_identical(state->request.data.logoff.user, - state->request.data.logoff.uid, - state->request.data.logoff.krb5ccname)) { - DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n")); - goto process_result; - } - - result = remove_ccache(state->request.data.logoff.user); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n", - nt_errstr(result))); - goto process_result; - } - -#else - result = NT_STATUS_NOT_SUPPORTED; -#endif - -process_result: - - winbindd_delete_memory_creds(state->request.data.logoff.user); - - state->response.data.auth.nt_status = NT_STATUS_V(result); - fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result)); - fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result)); - state->response.data.auth.pam_error = nt_status_to_pam(result); - - return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; -} - -/* Change user password with auth crap*/ - -void winbindd_pam_chng_pswd_auth_crap(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain = NULL; - const char *domain_name = NULL; - - /* Ensure null termination */ - state->request.data.chng_pswd_auth_crap.user[ - sizeof(state->request.data.chng_pswd_auth_crap.user)-1]=0; - state->request.data.chng_pswd_auth_crap.domain[ - sizeof(state->request.data.chng_pswd_auth_crap.domain)-1]=0; - - DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n", - (unsigned long)state->pid, - state->request.data.chng_pswd_auth_crap.domain, - state->request.data.chng_pswd_auth_crap.user)); - - if (*state->request.data.chng_pswd_auth_crap.domain != '\0') { - domain_name = state->request.data.chng_pswd_auth_crap.domain; - } else if (lp_winbind_use_default_domain()) { - domain_name = lp_workgroup(); - } - - if (domain_name != NULL) - domain = find_domain_from_name(domain_name); - - if (domain != NULL) { - DEBUG(7, ("[%5lu]: pam auth crap changing pswd in domain: " - "%s\n", (unsigned long)state->pid,domain->name)); - sendto_domain(state, domain); - return; - } - - set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER); - DEBUG(5, ("CRAP change password for %s\\%s returned %s (PAM: %d)\n", - state->request.data.chng_pswd_auth_crap.domain, - state->request.data.chng_pswd_auth_crap.user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); - request_error(state); - return; -} - -enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state) -{ - NTSTATUS result; - DATA_BLOB new_nt_password; - DATA_BLOB old_nt_hash_enc; - DATA_BLOB new_lm_password; - DATA_BLOB old_lm_hash_enc; - fstring domain,user; - POLICY_HND dom_pol; - struct winbindd_domain *contact_domain = domainSt; - struct rpc_pipe_client *cli; - - /* Ensure null termination */ - state->request.data.chng_pswd_auth_crap.user[ - sizeof(state->request.data.chng_pswd_auth_crap.user)-1]=0; - state->request.data.chng_pswd_auth_crap.domain[ - sizeof(state->request.data.chng_pswd_auth_crap.domain)-1]=0; - *domain = 0; - *user = 0; - - DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n", - (unsigned long)state->pid, - state->request.data.chng_pswd_auth_crap.domain, - state->request.data.chng_pswd_auth_crap.user)); - - if (lp_winbind_offline_logon()) { - DEBUG(0,("Refusing password change as winbind offline logons are enabled. ")); - DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n")); - result = NT_STATUS_ACCESS_DENIED; - goto done; - } - - if (*state->request.data.chng_pswd_auth_crap.domain) { - fstrcpy(domain,state->request.data.chng_pswd_auth_crap.domain); - } else { - parse_domain_user(state->request.data.chng_pswd_auth_crap.user, - domain, user); - - if(!*domain) { - DEBUG(3,("no domain specified with username (%s) - " - "failing auth\n", - state->request.data.chng_pswd_auth_crap.user)); - result = NT_STATUS_NO_SUCH_USER; - goto done; - } - } - - if (!*domain && lp_winbind_use_default_domain()) { - fstrcpy(domain,(char *)lp_workgroup()); - } - - if(!*user) { - fstrcpy(user, state->request.data.chng_pswd_auth_crap.user); - } - - DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", - (unsigned long)state->pid, domain, user)); - - /* Change password */ - new_nt_password = data_blob_talloc( - state->mem_ctx, - state->request.data.chng_pswd_auth_crap.new_nt_pswd, - state->request.data.chng_pswd_auth_crap.new_nt_pswd_len); - - old_nt_hash_enc = data_blob_talloc( - state->mem_ctx, - state->request.data.chng_pswd_auth_crap.old_nt_hash_enc, - state->request.data.chng_pswd_auth_crap.old_nt_hash_enc_len); - - if(state->request.data.chng_pswd_auth_crap.new_lm_pswd_len > 0) { - new_lm_password = data_blob_talloc( - state->mem_ctx, - state->request.data.chng_pswd_auth_crap.new_lm_pswd, - state->request.data.chng_pswd_auth_crap.new_lm_pswd_len); - - old_lm_hash_enc = data_blob_talloc( - state->mem_ctx, - state->request.data.chng_pswd_auth_crap.old_lm_hash_enc, - state->request.data.chng_pswd_auth_crap.old_lm_hash_enc_len); - } else { - new_lm_password.length = 0; - old_lm_hash_enc.length = 0; - } - - /* Get sam handle */ - - result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, &dom_pol); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(1, ("could not get SAM handle on DC for %s\n", domain)); - goto done; - } - - result = rpccli_samr_chng_pswd_auth_crap( - cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc, - new_lm_password, old_lm_hash_enc); - - done: - state->response.data.auth.nt_status = NT_STATUS_V(result); - fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result)); - fstrcpy(state->response.data.auth.error_string, - get_friendly_nt_error_msg(result)); - state->response.data.auth.pam_error = nt_status_to_pam(result); - - DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, - ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n", - domain, user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); - - return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; -} diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c deleted file mode 100644 index 5c36c0c327..0000000000 --- a/source3/nsswitch/winbindd_passdb.c +++ /dev/null @@ -1,467 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind rpc backend functions - - Copyright (C) Tim Potter 2000-2001,2003 - Copyright (C) Simo Sorce 2003 - Copyright (C) Volker Lendecke 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -/* Query display info for a domain. This returns enough information plus a - bit extra to give an overview of domain users for the User Manager - application. */ -static NTSTATUS query_user_list(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - WINBIND_USERINFO **info) -{ - /* We don't have users */ - *num_entries = 0; - *info = NULL; - return NT_STATUS_OK; -} - -/* list all domain groups */ -static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info) -{ - /* We don't have domain groups */ - *num_entries = 0; - *info = NULL; - return NT_STATUS_OK; -} - -/* List all domain groups */ - -static NTSTATUS enum_local_groups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info) -{ - struct pdb_search *search; - struct samr_displayentry *aliases; - int i; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - search = pdb_search_aliases(&domain->sid); - if (search == NULL) goto done; - - *num_entries = pdb_search_entries(search, 0, 0xffffffff, &aliases); - if (*num_entries == 0) goto done; - - *info = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries); - if (*info == NULL) { - result = NT_STATUS_NO_MEMORY; - goto done; - } - - for (i=0; i<*num_entries; i++) { - fstrcpy((*info)[i].acct_name, aliases[i].account_name); - fstrcpy((*info)[i].acct_desc, aliases[i].description); - (*info)[i].rid = aliases[i].rid; - } - - result = NT_STATUS_OK; - done: - pdb_search_destroy(search); - return result; -} - -/* convert a single name to a sid in a domain */ -static NTSTATUS name_to_sid(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - enum winbindd_cmd original_cmd, - const char *domain_name, - const char *name, - DOM_SID *sid, - enum lsa_SidType *type) -{ - uint32 flags = LOOKUP_NAME_ALL; - - switch ( original_cmd ) { - case WINBINDD_LOOKUPNAME: - /* This call is ok */ - break; - default: - /* Avoid any NSS calls in the lookup_name by default */ - flags |= LOOKUP_NAME_EXPLICIT; - DEBUG(10,("winbindd_passdb: limiting name_to_sid() to explicit mappings\n")); - break; - } - - DEBUG(10, ("Finding name %s\n", name)); - - if ( !lookup_name( mem_ctx, name, flags, NULL, NULL, sid, type ) ) { - return NT_STATUS_NONE_MAPPED; - } - - return NT_STATUS_OK; -} - -/* - convert a domain SID to a user or group name -*/ -static NTSTATUS sid_to_name(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - char **domain_name, - char **name, - enum lsa_SidType *type) -{ - const char *dom, *nam; - - DEBUG(10, ("Converting SID %s\n", sid_string_static(sid))); - - /* Paranoia check */ - if (!sid_check_is_in_builtin(sid) && - !sid_check_is_in_our_domain(sid) && - !sid_check_is_in_unix_users(sid) && - !sid_check_is_unix_users(sid) && - !sid_check_is_in_unix_groups(sid) && - !sid_check_is_unix_groups(sid) ) - { - DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with " - "passdb backend\n", sid_string_static(sid))); - return NT_STATUS_NONE_MAPPED; - } - - if (!lookup_sid(mem_ctx, sid, &dom, &nam, type)) { - return NT_STATUS_NONE_MAPPED; - } - - *domain_name = talloc_strdup(mem_ctx, dom); - *name = talloc_strdup(mem_ctx, nam); - - return NT_STATUS_OK; -} - -static NTSTATUS rids_to_names(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - uint32 *rids, - size_t num_rids, - char **domain_name, - char ***names, - enum lsa_SidType **types) -{ - return NT_STATUS_UNSUCCESSFUL; -} - -/* Lookup user information from a rid or username. */ -static NTSTATUS query_user(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - WINBIND_USERINFO *user_info) -{ - return NT_STATUS_NO_SUCH_USER; -} - -/* Lookup groups a user is a member of. I wish Unix had a call like this! */ -static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - uint32 *num_groups, DOM_SID **user_gids) -{ - NTSTATUS result; - DOM_SID *groups = NULL; - gid_t *gids = NULL; - size_t ngroups = 0; - struct samu *user; - - if ( (user = samu_new(mem_ctx)) == NULL ) { - return NT_STATUS_NO_MEMORY; - } - - if ( !pdb_getsampwsid( user, user_sid ) ) { - return NT_STATUS_NO_SUCH_USER; - } - - result = pdb_enum_group_memberships( mem_ctx, user, &groups, &gids, &ngroups ); - - TALLOC_FREE( user ); - - *num_groups = (uint32)ngroups; - *user_gids = groups; - - return result; -} - -static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 num_sids, const DOM_SID *sids, - uint32 *p_num_aliases, uint32 **rids) -{ - NTSTATUS result; - size_t num_aliases = 0; - - result = pdb_enum_alias_memberships(mem_ctx, &domain->sid, - sids, num_sids, rids, &num_aliases); - - *p_num_aliases = num_aliases; - return result; -} - -/* Lookup group membership given a rid. */ -static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *group_sid, uint32 *num_names, - DOM_SID **sid_mem, char ***names, - uint32 **name_types) -{ - size_t i, num_members, num_mapped; - uint32 *rids; - NTSTATUS result; - const DOM_SID **sids; - struct lsa_dom_info *lsa_domains; - struct lsa_name_info *lsa_names; - TALLOC_CTX *tmp_ctx; - - if (!sid_check_is_in_our_domain(group_sid)) { - /* There's no groups, only aliases in BUILTIN */ - return NT_STATUS_NO_SUCH_GROUP; - } - - if (!(tmp_ctx = talloc_init("lookup_groupmem"))) { - return NT_STATUS_NO_MEMORY; - } - - result = pdb_enum_group_members(tmp_ctx, group_sid, &rids, - &num_members); - if (!NT_STATUS_IS_OK(result)) { - TALLOC_FREE(tmp_ctx); - return result; - } - - if (num_members == 0) { - *num_names = 0; - *sid_mem = NULL; - *names = NULL; - *name_types = NULL; - TALLOC_FREE(tmp_ctx); - return NT_STATUS_OK; - } - - *sid_mem = TALLOC_ARRAY(mem_ctx, DOM_SID, num_members); - *names = TALLOC_ARRAY(mem_ctx, char *, num_members); - *name_types = TALLOC_ARRAY(mem_ctx, uint32, num_members); - sids = TALLOC_ARRAY(tmp_ctx, const DOM_SID *, num_members); - - if (((*sid_mem) == NULL) || ((*names) == NULL) || - ((*name_types) == NULL) || (sids == NULL)) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - - /* - * Prepare an array of sid pointers for the lookup_sids calling - * convention. - */ - - for (i=0; i<num_members; i++) { - DOM_SID *sid = &((*sid_mem)[i]); - if (!sid_compose(sid, &domain->sid, rids[i])) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_INTERNAL_ERROR; - } - sids[i] = sid; - } - - result = lookup_sids(tmp_ctx, num_members, sids, 1, - &lsa_domains, &lsa_names); - if (!NT_STATUS_IS_OK(result)) { - TALLOC_FREE(tmp_ctx); - return result; - } - - num_mapped = 0; - for (i=0; i<num_members; i++) { - if (lsa_names[i].type != SID_NAME_USER) { - DEBUG(2, ("Got %s as group member -- ignoring\n", - sid_type_lookup(lsa_names[i].type))); - continue; - } - if (!((*names)[i] = talloc_strdup((*names), - lsa_names[i].name))) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - - (*name_types)[i] = lsa_names[i].type; - - num_mapped += 1; - } - - *num_names = num_mapped; - - TALLOC_FREE(tmp_ctx); - return NT_STATUS_OK; -} - -/* find the sequence number for a domain */ -static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) -{ - BOOL result; - time_t seq_num; - - result = pdb_get_seq_num(&seq_num); - if (!result) { - *seq = 1; - } - - *seq = (int) seq_num; - /* *seq = 1; */ - return NT_STATUS_OK; -} - -static NTSTATUS lockout_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - SAM_UNK_INFO_12 *policy) -{ - /* actually we have that */ - return NT_STATUS_NOT_IMPLEMENTED; -} - -static NTSTATUS password_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - SAM_UNK_INFO_1 *policy) -{ - uint32 min_pass_len,pass_hist,password_properties; - time_t u_expire, u_min_age; - NTTIME nt_expire, nt_min_age; - uint32 account_policy_temp; - - if ((policy = TALLOC_ZERO_P(mem_ctx, SAM_UNK_INFO_1)) == NULL) { - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) { - return NT_STATUS_ACCESS_DENIED; - } - min_pass_len = account_policy_temp; - - if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) { - return NT_STATUS_ACCESS_DENIED; - } - pass_hist = account_policy_temp; - - if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) { - return NT_STATUS_ACCESS_DENIED; - } - password_properties = account_policy_temp; - - if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) { - return NT_STATUS_ACCESS_DENIED; - } - u_expire = account_policy_temp; - - if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) { - return NT_STATUS_ACCESS_DENIED; - } - u_min_age = account_policy_temp; - - unix_to_nt_time_abs(&nt_expire, u_expire); - unix_to_nt_time_abs(&nt_min_age, u_min_age); - - init_unk_info1(policy, (uint16)min_pass_len, (uint16)pass_hist, - password_properties, nt_expire, nt_min_age); - - return NT_STATUS_OK; -} - -/* get a list of trusted domains */ -static NTSTATUS trusted_domains(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_domains, - char ***names, - char ***alt_names, - DOM_SID **dom_sids) -{ - NTSTATUS nt_status; - struct trustdom_info **domains; - int i; - TALLOC_CTX *tmp_ctx; - - *num_domains = 0; - *names = NULL; - *alt_names = NULL; - *dom_sids = NULL; - - if (!(tmp_ctx = talloc_init("trusted_domains"))) { - return NT_STATUS_NO_MEMORY; - } - - nt_status = pdb_enum_trusteddoms(tmp_ctx, num_domains, &domains); - if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(tmp_ctx); - return nt_status; - } - - if (*num_domains) { - *names = TALLOC_ARRAY(mem_ctx, char *, *num_domains); - *alt_names = TALLOC_ARRAY(mem_ctx, char *, *num_domains); - *dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_domains); - - if ((*alt_names == NULL) || (*names == NULL) || (*dom_sids == NULL)) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - } else { - *names = NULL; - *alt_names = NULL; - *dom_sids = NULL; - } - - for (i=0; i<*num_domains; i++) { - (*alt_names)[i] = NULL; - if (!((*names)[i] = talloc_strdup((*names), - domains[i]->name))) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - sid_copy(&(*dom_sids)[i], &domains[i]->sid); - } - - TALLOC_FREE(tmp_ctx); - return NT_STATUS_OK; -} - -/* the rpc backend methods are exposed via this structure */ -struct winbindd_methods passdb_methods = { - False, - query_user_list, - enum_dom_groups, - enum_local_groups, - name_to_sid, - sid_to_name, - rids_to_names, - query_user, - lookup_usergroups, - lookup_useraliases, - lookup_groupmem, - sequence_number, - lockout_policy, - password_policy, - trusted_domains, -}; diff --git a/source3/nsswitch/winbindd_reconnect.c b/source3/nsswitch/winbindd_reconnect.c deleted file mode 100644 index a1f96a0359..0000000000 --- a/source3/nsswitch/winbindd_reconnect.c +++ /dev/null @@ -1,316 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Wrapper around winbindd_rpc.c to centralize retry logic. - - Copyright (C) Volker Lendecke 2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -extern struct winbindd_methods msrpc_methods; - -/* List all users */ -static NTSTATUS query_user_list(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - WINBIND_USERINFO **info) -{ - NTSTATUS result; - - result = msrpc_methods.query_user_list(domain, mem_ctx, - num_entries, info); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.query_user_list(domain, mem_ctx, - num_entries, info); - return result; -} - -/* list all domain groups */ -static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info) -{ - NTSTATUS result; - - result = msrpc_methods.enum_dom_groups(domain, mem_ctx, - num_entries, info); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.enum_dom_groups(domain, mem_ctx, - num_entries, info); - return result; -} - -/* List all domain groups */ - -static NTSTATUS enum_local_groups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info) -{ - NTSTATUS result; - - result = msrpc_methods.enum_local_groups(domain, mem_ctx, - num_entries, info); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.enum_local_groups(domain, mem_ctx, - num_entries, info); - - return result; -} - -/* convert a single name to a sid in a domain */ -static NTSTATUS name_to_sid(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - enum winbindd_cmd orig_cmd, - const char *domain_name, - const char *name, - DOM_SID *sid, - enum lsa_SidType *type) -{ - NTSTATUS result; - - result = msrpc_methods.name_to_sid(domain, mem_ctx, orig_cmd, - domain_name, name, - sid, type); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.name_to_sid(domain, mem_ctx, orig_cmd, - domain_name, name, - sid, type); - - return result; -} - -/* - convert a domain SID to a user or group name -*/ -static NTSTATUS sid_to_name(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - char **domain_name, - char **name, - enum lsa_SidType *type) -{ - NTSTATUS result; - - result = msrpc_methods.sid_to_name(domain, mem_ctx, sid, - domain_name, name, type); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.sid_to_name(domain, mem_ctx, sid, - domain_name, name, type); - - return result; -} - -static NTSTATUS rids_to_names(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - uint32 *rids, - size_t num_rids, - char **domain_name, - char ***names, - enum lsa_SidType **types) -{ - NTSTATUS result; - - result = msrpc_methods.rids_to_names(domain, mem_ctx, sid, - rids, num_rids, - domain_name, names, types); - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) { - result = msrpc_methods.rids_to_names(domain, mem_ctx, sid, - rids, num_rids, - domain_name, names, - types); - } - - return result; -} - -/* Lookup user information from a rid or username. */ -static NTSTATUS query_user(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - WINBIND_USERINFO *user_info) -{ - NTSTATUS result; - - result = msrpc_methods.query_user(domain, mem_ctx, user_sid, - user_info); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.query_user(domain, mem_ctx, user_sid, - user_info); - - return result; -} - -/* Lookup groups a user is a member of. I wish Unix had a call like this! */ -static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - uint32 *num_groups, DOM_SID **user_gids) -{ - NTSTATUS result; - - result = msrpc_methods.lookup_usergroups(domain, mem_ctx, - user_sid, num_groups, - user_gids); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.lookup_usergroups(domain, mem_ctx, - user_sid, num_groups, - user_gids); - - return result; -} - -static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 num_sids, const DOM_SID *sids, - uint32 *num_aliases, uint32 **alias_rids) -{ - NTSTATUS result; - - result = msrpc_methods.lookup_useraliases(domain, mem_ctx, - num_sids, sids, - num_aliases, - alias_rids); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.lookup_useraliases(domain, mem_ctx, - num_sids, sids, - num_aliases, - alias_rids); - - return result; -} - -/* Lookup group membership given a rid. */ -static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *group_sid, uint32 *num_names, - DOM_SID **sid_mem, char ***names, - uint32 **name_types) -{ - NTSTATUS result; - - result = msrpc_methods.lookup_groupmem(domain, mem_ctx, - group_sid, num_names, - sid_mem, names, - name_types); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.lookup_groupmem(domain, mem_ctx, - group_sid, num_names, - sid_mem, names, - name_types); - - return result; -} - -/* find the sequence number for a domain */ -static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) -{ - NTSTATUS result; - - result = msrpc_methods.sequence_number(domain, seq); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.sequence_number(domain, seq); - - return result; -} - -/* find the lockout policy of a domain */ -static NTSTATUS lockout_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - SAM_UNK_INFO_12 *policy) -{ - NTSTATUS result; - - result = msrpc_methods.lockout_policy(domain, mem_ctx, policy); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.lockout_policy(domain, mem_ctx, policy); - - return result; -} - -/* find the password policy of a domain */ -static NTSTATUS password_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - SAM_UNK_INFO_1 *policy) -{ - NTSTATUS result; - - result = msrpc_methods.password_policy(domain, mem_ctx, policy); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.password_policy(domain, mem_ctx, policy); - - return result; -} - -/* get a list of trusted domains */ -static NTSTATUS trusted_domains(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_domains, - char ***names, - char ***alt_names, - DOM_SID **dom_sids) -{ - NTSTATUS result; - - result = msrpc_methods.trusted_domains(domain, mem_ctx, - num_domains, names, - alt_names, dom_sids); - - if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) - result = msrpc_methods.trusted_domains(domain, mem_ctx, - num_domains, names, - alt_names, dom_sids); - - return result; -} - -/* the rpc backend methods are exposed via this structure */ -struct winbindd_methods reconnect_methods = { - False, - query_user_list, - enum_dom_groups, - enum_local_groups, - name_to_sid, - sid_to_name, - rids_to_names, - query_user, - lookup_usergroups, - lookup_useraliases, - lookup_groupmem, - sequence_number, - lockout_policy, - password_policy, - trusted_domains, -}; diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c deleted file mode 100644 index 6d2dd35080..0000000000 --- a/source3/nsswitch/winbindd_rpc.c +++ /dev/null @@ -1,1111 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind rpc backend functions - - Copyright (C) Tim Potter 2000-2001,2003 - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Volker Lendecke 2005 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - - -/* Query display info for a domain. This returns enough information plus a - bit extra to give an overview of domain users for the User Manager - application. */ -static NTSTATUS query_user_list(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - WINBIND_USERINFO **info) -{ - NTSTATUS result; - POLICY_HND dom_pol; - unsigned int i, start_idx; - uint32 loop_count; - struct rpc_pipe_client *cli; - - DEBUG(3,("rpc: query_user_list\n")); - - *num_entries = 0; - *info = NULL; - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("query_user_list: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); - if (!NT_STATUS_IS_OK(result)) - return result; - - i = start_idx = 0; - loop_count = 0; - - do { - uint32 num_dom_users, j; - uint32 max_entries, max_size; - SAM_DISPINFO_CTR ctr; - SAM_DISPINFO_1 info1; - - ZERO_STRUCT( ctr ); - ZERO_STRUCT( info1 ); - ctr.sam.info1 = &info1; - - /* this next bit is copied from net_user_list_internal() */ - - get_query_dispinfo_params(loop_count, &max_entries, - &max_size); - - result = rpccli_samr_query_dispinfo(cli, mem_ctx, &dom_pol, - &start_idx, 1, - &num_dom_users, - max_entries, max_size, - &ctr); - - loop_count++; - - *num_entries += num_dom_users; - - *info = TALLOC_REALLOC_ARRAY(mem_ctx, *info, WINBIND_USERINFO, - *num_entries); - - if (!(*info)) { - return NT_STATUS_NO_MEMORY; - } - - for (j = 0; j < num_dom_users; i++, j++) { - fstring username, fullname; - uint32 rid = ctr.sam.info1->sam[j].rid_user; - - unistr2_to_ascii( username, &(&ctr.sam.info1->str[j])->uni_acct_name, sizeof(username)-1); - unistr2_to_ascii( fullname, &(&ctr.sam.info1->str[j])->uni_full_name, sizeof(fullname)-1); - - (*info)[i].acct_name = talloc_strdup(mem_ctx, username ); - (*info)[i].full_name = talloc_strdup(mem_ctx, fullname ); - (*info)[i].homedir = NULL; - (*info)[i].shell = NULL; - sid_compose(&(*info)[i].user_sid, &domain->sid, rid); - - /* For the moment we set the primary group for - every user to be the Domain Users group. - There are serious problems with determining - the actual primary group for large domains. - This should really be made into a 'winbind - force group' smb.conf parameter or - something like that. */ - - sid_compose(&(*info)[i].group_sid, &domain->sid, - DOMAIN_GROUP_RID_USERS); - } - - } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)); - - return result; -} - -/* list all domain groups */ -static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info) -{ - POLICY_HND dom_pol; - NTSTATUS status; - uint32 start = 0; - struct rpc_pipe_client *cli; - - *num_entries = 0; - *info = NULL; - - DEBUG(3,("rpc: enum_dom_groups\n")); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); - if (!NT_STATUS_IS_OK(status)) - return status; - - do { - struct acct_info *info2 = NULL; - uint32 count = 0; - TALLOC_CTX *mem_ctx2; - - mem_ctx2 = talloc_init("enum_dom_groups[rpc]"); - - /* start is updated by this call. */ - status = rpccli_samr_enum_dom_groups(cli, mem_ctx2, &dom_pol, - &start, - 0xFFFF, /* buffer size? */ - &info2, &count); - - if (!NT_STATUS_IS_OK(status) && - !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { - talloc_destroy(mem_ctx2); - break; - } - - (*info) = TALLOC_REALLOC_ARRAY(mem_ctx, *info, - struct acct_info, - (*num_entries) + count); - if (! *info) { - talloc_destroy(mem_ctx2); - return NT_STATUS_NO_MEMORY; - } - - memcpy(&(*info)[*num_entries], info2, count*sizeof(*info2)); - (*num_entries) += count; - talloc_destroy(mem_ctx2); - } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)); - - return NT_STATUS_OK; -} - -/* List all domain groups */ - -static NTSTATUS enum_local_groups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - struct acct_info **info) -{ - POLICY_HND dom_pol; - NTSTATUS result; - struct rpc_pipe_client *cli; - - *num_entries = 0; - *info = NULL; - - DEBUG(3,("rpc: enum_local_groups\n")); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); - if (!NT_STATUS_IS_OK(result)) - return result; - - do { - struct acct_info *info2 = NULL; - uint32 count = 0, start = *num_entries; - TALLOC_CTX *mem_ctx2; - - mem_ctx2 = talloc_init("enum_dom_local_groups[rpc]"); - - result = rpccli_samr_enum_als_groups( cli, mem_ctx2, &dom_pol, - &start, 0xFFFF, &info2, - &count); - - if (!NT_STATUS_IS_OK(result) && - !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES) ) - { - talloc_destroy(mem_ctx2); - return result; - } - - (*info) = TALLOC_REALLOC_ARRAY(mem_ctx, *info, - struct acct_info, - (*num_entries) + count); - if (! *info) { - talloc_destroy(mem_ctx2); - return NT_STATUS_NO_MEMORY; - } - - memcpy(&(*info)[*num_entries], info2, count*sizeof(*info2)); - (*num_entries) += count; - talloc_destroy(mem_ctx2); - - } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)); - - return NT_STATUS_OK; -} - -/* convert a single name to a sid in a domain */ -NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - enum winbindd_cmd original_cmd, - const char *domain_name, - const char *name, - DOM_SID *sid, - enum lsa_SidType *type) -{ - NTSTATUS result; - DOM_SID *sids = NULL; - enum lsa_SidType *types = NULL; - char *full_name = NULL; - struct rpc_pipe_client *cli; - POLICY_HND lsa_policy; - - if (name == NULL || *name=='\0') { - full_name = talloc_asprintf(mem_ctx, "%s", domain_name); - } else if (domain_name == NULL || *domain_name == '\0') { - full_name = talloc_asprintf(mem_ctx, "%s", name); - } else { - full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name); - } - if (!full_name) { - DEBUG(0, ("talloc_asprintf failed!\n")); - return NT_STATUS_NO_MEMORY; - } - - DEBUG(3,("rpc: name_to_sid name=%s\n", full_name)); - - ws_name_return( full_name, WB_REPLACE_CHAR ); - - DEBUG(3,("name_to_sid [rpc] %s for domain %s\n", full_name?full_name:"", domain_name )); - - result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); - if (!NT_STATUS_IS_OK(result)) - return result; - - result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1, - (const char**) &full_name, NULL, 1, &sids, &types); - - if (!NT_STATUS_IS_OK(result)) - return result; - - /* Return rid and type if lookup successful */ - - sid_copy(sid, &sids[0]); - *type = types[0]; - - return NT_STATUS_OK; -} - -/* - convert a domain SID to a user or group name -*/ -NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - char **domain_name, - char **name, - enum lsa_SidType *type) -{ - char **domains; - char **names; - enum lsa_SidType *types; - NTSTATUS result; - struct rpc_pipe_client *cli; - POLICY_HND lsa_policy; - - DEBUG(3,("sid_to_name [rpc] %s for domain %s\n", sid_string_static(sid), - domain->name )); - - result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(2,("msrpc_sid_to_name: cm_connect_lsa() failed (%s)\n", - nt_errstr(result))); - return result; - } - - - result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy, - 1, sid, &domains, &names, &types); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(2,("msrpc_sid_to_name: rpccli_lsa_lookup_sids() failed (%s)\n", - nt_errstr(result))); - return result; - } - - *type = (enum lsa_SidType)types[0]; - *domain_name = domains[0]; - *name = names[0]; - - ws_name_replace( *name, WB_REPLACE_CHAR ); - - DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name)); - return NT_STATUS_OK; -} - -NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - uint32 *rids, - size_t num_rids, - char **domain_name, - char ***names, - enum lsa_SidType **types) -{ - char **domains; - NTSTATUS result; - struct rpc_pipe_client *cli; - POLICY_HND lsa_policy; - DOM_SID *sids; - size_t i; - char **ret_names; - - DEBUG(3, ("rids_to_names [rpc] for domain %s\n", domain->name )); - - if (num_rids) { - sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_rids); - if (sids == NULL) { - return NT_STATUS_NO_MEMORY; - } - } else { - sids = NULL; - } - - for (i=0; i<num_rids; i++) { - if (!sid_compose(&sids[i], sid, rids[i])) { - return NT_STATUS_INTERNAL_ERROR; - } - } - - result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); - if (!NT_STATUS_IS_OK(result)) { - return result; - } - - result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy, - num_rids, sids, &domains, - names, types); - if (!NT_STATUS_IS_OK(result) && - !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) { - return result; - } - - ret_names = *names; - for (i=0; i<num_rids; i++) { - if ((*types)[i] != SID_NAME_UNKNOWN) { - ws_name_replace( ret_names[i], WB_REPLACE_CHAR ); - *domain_name = domains[i]; - } - } - - return result; -} - -/* Lookup user information from a rid or username. */ -static NTSTATUS query_user(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - WINBIND_USERINFO *user_info) -{ - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - POLICY_HND dom_pol, user_pol; - SAM_USERINFO_CTR *ctr; - fstring sid_string; - uint32 user_rid; - NET_USER_INFO_3 *user; - struct rpc_pipe_client *cli; - - DEBUG(3,("rpc: query_user sid=%s\n", - sid_to_string(sid_string, user_sid))); - - if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid)) - return NT_STATUS_UNSUCCESSFUL; - - user_info->homedir = NULL; - user_info->shell = NULL; - user_info->primary_gid = (gid_t)-1; - - /* try netsamlogon cache first */ - - if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL ) - { - - DEBUG(5,("query_user: Cache lookup succeeded for %s\n", - sid_string_static(user_sid))); - - sid_compose(&user_info->user_sid, &domain->sid, user->user_rid); - sid_compose(&user_info->group_sid, &domain->sid, - user->group_rid); - - user_info->acct_name = unistr2_tdup(mem_ctx, - &user->uni_user_name); - user_info->full_name = unistr2_tdup(mem_ctx, - &user->uni_full_name); - - TALLOC_FREE(user); - - return NT_STATUS_OK; - } - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("query_user: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("query_user: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - /* no cache; hit the wire */ - - result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); - if (!NT_STATUS_IS_OK(result)) - return result; - - /* Get user handle */ - result = rpccli_samr_open_user(cli, mem_ctx, &dom_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, user_rid, - &user_pol); - - if (!NT_STATUS_IS_OK(result)) - return result; - - /* Get user info */ - result = rpccli_samr_query_userinfo(cli, mem_ctx, &user_pol, - 0x15, &ctr); - - rpccli_samr_close(cli, mem_ctx, &user_pol); - - if (!NT_STATUS_IS_OK(result)) - return result; - - sid_compose(&user_info->user_sid, &domain->sid, user_rid); - sid_compose(&user_info->group_sid, &domain->sid, - ctr->info.id21->group_rid); - user_info->acct_name = unistr2_tdup(mem_ctx, - &ctr->info.id21->uni_user_name); - user_info->full_name = unistr2_tdup(mem_ctx, - &ctr->info.id21->uni_full_name); - user_info->homedir = NULL; - user_info->shell = NULL; - user_info->primary_gid = (gid_t)-1; - - return NT_STATUS_OK; -} - -/* Lookup groups a user is a member of. I wish Unix had a call like this! */ -static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - uint32 *num_groups, DOM_SID **user_grpsids) -{ - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - POLICY_HND dom_pol, user_pol; - uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; - DOM_GID *user_groups; - unsigned int i; - fstring sid_string; - uint32 user_rid; - struct rpc_pipe_client *cli; - - DEBUG(3,("rpc: lookup_usergroups sid=%s\n", - sid_to_string(sid_string, user_sid))); - - if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid)) - return NT_STATUS_UNSUCCESSFUL; - - *num_groups = 0; - *user_grpsids = NULL; - - /* so lets see if we have a cached user_info_3 */ - result = lookup_usergroups_cached(domain, mem_ctx, user_sid, - num_groups, user_grpsids); - - if (NT_STATUS_IS_OK(result)) { - return NT_STATUS_OK; - } - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n", - domain->name)); - - /* Tell the cache manager not to remember this one */ - - return NT_STATUS_SYNCHRONIZATION_REQUIRED; - } - - /* no cache; hit the wire */ - - result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); - if (!NT_STATUS_IS_OK(result)) - return result; - - /* Get user handle */ - result = rpccli_samr_open_user(cli, mem_ctx, &dom_pol, - des_access, user_rid, &user_pol); - - if (!NT_STATUS_IS_OK(result)) - return result; - - /* Query user rids */ - result = rpccli_samr_query_usergroups(cli, mem_ctx, &user_pol, - num_groups, &user_groups); - - rpccli_samr_close(cli, mem_ctx, &user_pol); - - if (!NT_STATUS_IS_OK(result) || (*num_groups) == 0) - return result; - - (*user_grpsids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_groups); - if (!(*user_grpsids)) - return NT_STATUS_NO_MEMORY; - - for (i=0;i<(*num_groups);i++) { - sid_copy(&((*user_grpsids)[i]), &domain->sid); - sid_append_rid(&((*user_grpsids)[i]), - user_groups[i].g_rid); - } - - return NT_STATUS_OK; -} - -NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 num_sids, const DOM_SID *sids, - uint32 *num_aliases, uint32 **alias_rids) -{ - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - POLICY_HND dom_pol; - DOM_SID2 *query_sids; - uint32 num_query_sids = 0; - int i; - struct rpc_pipe_client *cli; - uint32 *alias_rids_query, num_aliases_query; - int rangesize = MAX_SAM_ENTRIES_W2K; - uint32 total_sids = 0; - int num_queries = 1; - - *num_aliases = 0; - *alias_rids = NULL; - - DEBUG(3,("rpc: lookup_useraliases\n")); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); - if (!NT_STATUS_IS_OK(result)) - return result; - - do { - /* prepare query */ - - num_query_sids = MIN(num_sids - total_sids, rangesize); - - DEBUG(10,("rpc: lookup_useraliases: entering query %d for %d sids\n", - num_queries, num_query_sids)); - - if (num_query_sids) { - query_sids = TALLOC_ARRAY(mem_ctx, DOM_SID2, num_query_sids); - if (query_sids == NULL) { - return NT_STATUS_NO_MEMORY; - } - } else { - query_sids = NULL; - } - - for (i=0; i<num_query_sids; i++) { - sid_copy(&query_sids[i].sid, &sids[total_sids++]); - query_sids[i].num_auths = query_sids[i].sid.num_auths; - } - - /* do request */ - - result = rpccli_samr_query_useraliases(cli, mem_ctx, &dom_pol, - num_query_sids, query_sids, - &num_aliases_query, - &alias_rids_query); - - if (!NT_STATUS_IS_OK(result)) { - *num_aliases = 0; - *alias_rids = NULL; - TALLOC_FREE(query_sids); - goto done; - } - - /* process output */ - - for (i=0; i<num_aliases_query; i++) { - size_t na = *num_aliases; - if (!add_rid_to_array_unique(mem_ctx, alias_rids_query[i], - alias_rids, &na)) { - return NT_STATUS_NO_MEMORY; - } - *num_aliases = na; - } - - TALLOC_FREE(query_sids); - - num_queries++; - - } while (total_sids < num_sids); - - done: - DEBUG(10,("rpc: lookup_useraliases: got %d aliases in %d queries " - "(rangesize: %d)\n", *num_aliases, num_queries, rangesize)); - - return result; -} - - -/* Lookup group membership given a rid. */ -static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *group_sid, uint32 *num_names, - DOM_SID **sid_mem, char ***names, - uint32 **name_types) -{ - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - uint32 i, total_names = 0; - POLICY_HND dom_pol, group_pol; - uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; - uint32 *rid_mem = NULL; - uint32 group_rid; - unsigned int j; - fstring sid_string; - struct rpc_pipe_client *cli; - unsigned int orig_timeout; - - DEBUG(10,("rpc: lookup_groupmem %s sid=%s\n", domain->name, - sid_to_string(sid_string, group_sid))); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_OK; - } - - if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid)) - return NT_STATUS_UNSUCCESSFUL; - - *num_names = 0; - - result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); - if (!NT_STATUS_IS_OK(result)) - return result; - - result = rpccli_samr_open_group(cli, mem_ctx, &dom_pol, - des_access, group_rid, &group_pol); - - if (!NT_STATUS_IS_OK(result)) - return result; - - /* Step #1: Get a list of user rids that are the members of the - group. */ - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. */ - - orig_timeout = cli_set_timeout(cli->cli, 35000); - - result = rpccli_samr_query_groupmem(cli, mem_ctx, - &group_pol, num_names, &rid_mem, - name_types); - - /* And restore our original timeout. */ - cli_set_timeout(cli->cli, orig_timeout); - - rpccli_samr_close(cli, mem_ctx, &group_pol); - - if (!NT_STATUS_IS_OK(result)) - return result; - - if (!*num_names) { - names = NULL; - name_types = NULL; - sid_mem = NULL; - return NT_STATUS_OK; - } - - /* Step #2: Convert list of rids into list of usernames. Do this - in bunches of ~1000 to avoid crashing NT4. It looks like there - is a buffer overflow or something like that lurking around - somewhere. */ - -#define MAX_LOOKUP_RIDS 900 - - *names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_names); - *name_types = TALLOC_ZERO_ARRAY(mem_ctx, uint32, *num_names); - *sid_mem = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_names); - - for (j=0;j<(*num_names);j++) - sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]); - - if (*num_names>0 && (!*names || !*name_types)) - return NT_STATUS_NO_MEMORY; - - for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) { - int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS); - uint32 tmp_num_names = 0; - char **tmp_names = NULL; - uint32 *tmp_types = NULL; - - /* Lookup a chunk of rids */ - - result = rpccli_samr_lookup_rids(cli, mem_ctx, - &dom_pol, - num_lookup_rids, - &rid_mem[i], - &tmp_num_names, - &tmp_names, &tmp_types); - - /* see if we have a real error (and yes the - STATUS_SOME_UNMAPPED is the one returned from 2k) */ - - if (!NT_STATUS_IS_OK(result) && - !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) - return result; - - /* Copy result into array. The talloc system will take - care of freeing the temporary arrays later on. */ - - memcpy(&(*names)[i], tmp_names, sizeof(char *) * - tmp_num_names); - - memcpy(&(*name_types)[i], tmp_types, sizeof(uint32) * - tmp_num_names); - - total_names += tmp_num_names; - } - - *num_names = total_names; - - return NT_STATUS_OK; -} - -#ifdef HAVE_LDAP - -#include <ldap.h> - -static int get_ldap_seq(const char *server, int port, uint32 *seq) -{ - int ret = -1; - struct timeval to; - const char *attrs[] = {"highestCommittedUSN", NULL}; - LDAPMessage *res = NULL; - char **values = NULL; - LDAP *ldp = NULL; - - *seq = DOM_SEQUENCE_NONE; - - /* - * Parameterised (5) second timeout on open. This is needed as the - * search timeout doesn't seem to apply to doing an open as well. JRA. - */ - - ldp = ldap_open_with_timeout(server, port, lp_ldap_timeout()); - if (ldp == NULL) - return -1; - - /* Timeout if no response within 20 seconds. */ - to.tv_sec = 10; - to.tv_usec = 0; - - if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)", - CONST_DISCARD(char **, attrs), 0, &to, &res)) - goto done; - - if (ldap_count_entries(ldp, res) != 1) - goto done; - - values = ldap_get_values(ldp, res, "highestCommittedUSN"); - if (!values || !values[0]) - goto done; - - *seq = atoi(values[0]); - ret = 0; - - done: - - if (values) - ldap_value_free(values); - if (res) - ldap_msgfree(res); - if (ldp) - ldap_unbind(ldp); - return ret; -} - -/********************************************************************** - Get the sequence number for a Windows AD native mode domain using - LDAP queries. -**********************************************************************/ - -static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32 *seq) -{ - int ret = -1; - fstring ipstr; - - fstrcpy( ipstr, inet_ntoa(domain->dcaddr.sin_addr)); - if ((ret = get_ldap_seq( ipstr, LDAP_PORT, seq)) == 0) { - DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence " - "number for Domain (%s) from DC (%s)\n", - domain->name, ipstr)); - } - return ret; -} - -#endif /* HAVE_LDAP */ - -/* find the sequence number for a domain */ -static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) -{ - TALLOC_CTX *mem_ctx; - SAM_UNK_CTR ctr; - NTSTATUS result; - POLICY_HND dom_pol; - BOOL got_seq_num = False; - struct rpc_pipe_client *cli; - - DEBUG(10,("rpc: fetch sequence_number for %s\n", domain->name)); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("sequence_number: No incoming trust for domain %s\n", - domain->name)); - *seq = time(NULL); - return NT_STATUS_OK; - } - - *seq = DOM_SEQUENCE_NONE; - - if (!(mem_ctx = talloc_init("sequence_number[rpc]"))) - return NT_STATUS_NO_MEMORY; - -#ifdef HAVE_LDAP - if ( domain->active_directory ) - { - int res; - - DEBUG(8,("using get_ldap_seq() to retrieve the " - "sequence number\n")); - - res = get_ldap_sequence_number( domain, seq ); - if (res == 0) - { - result = NT_STATUS_OK; - DEBUG(10,("domain_sequence_number: LDAP for " - "domain %s is %u\n", - domain->name, *seq)); - goto done; - } - - DEBUG(10,("domain_sequence_number: failed to get LDAP " - "sequence number for domain %s\n", - domain->name )); - } -#endif /* HAVE_LDAP */ - - result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); - if (!NT_STATUS_IS_OK(result)) { - goto done; - } - - /* Query domain info */ - - result = rpccli_samr_query_dom_info(cli, mem_ctx, &dom_pol, 8, &ctr); - - if (NT_STATUS_IS_OK(result)) { - *seq = ctr.info.inf8.seq_num; - got_seq_num = True; - goto seq_num; - } - - /* retry with info-level 2 in case the dc does not support info-level 8 - * (like all older samba2 and samba3 dc's - Guenther */ - - result = rpccli_samr_query_dom_info(cli, mem_ctx, &dom_pol, 2, &ctr); - - if (NT_STATUS_IS_OK(result)) { - *seq = ctr.info.inf2.seq_num; - got_seq_num = True; - } - - seq_num: - if (got_seq_num) { - DEBUG(10,("domain_sequence_number: for domain %s is %u\n", - domain->name, (unsigned)*seq)); - } else { - DEBUG(10,("domain_sequence_number: failed to get sequence " - "number (%u) for domain %s\n", - (unsigned)*seq, domain->name )); - } - - done: - - talloc_destroy(mem_ctx); - - return result; -} - -/* get a list of trusted domains */ -static NTSTATUS trusted_domains(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_domains, - char ***names, - char ***alt_names, - DOM_SID **dom_sids) -{ - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - uint32 enum_ctx = 0; - struct rpc_pipe_client *cli; - POLICY_HND lsa_policy; - - DEBUG(3,("rpc: trusted_domains\n")); - - *num_domains = 0; - *names = NULL; - *alt_names = NULL; - *dom_sids = NULL; - - result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); - if (!NT_STATUS_IS_OK(result)) - return result; - - result = STATUS_MORE_ENTRIES; - - while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) { - uint32 start_idx, num; - char **tmp_names; - DOM_SID *tmp_sids; - int i; - - result = rpccli_lsa_enum_trust_dom(cli, mem_ctx, - &lsa_policy, &enum_ctx, - &num, &tmp_names, - &tmp_sids); - - if (!NT_STATUS_IS_OK(result) && - !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) - break; - - start_idx = *num_domains; - *num_domains += num; - *names = TALLOC_REALLOC_ARRAY(mem_ctx, *names, - char *, *num_domains); - *dom_sids = TALLOC_REALLOC_ARRAY(mem_ctx, *dom_sids, - DOM_SID, *num_domains); - *alt_names = TALLOC_REALLOC_ARRAY(mem_ctx, *alt_names, - char *, *num_domains); - if ((*names == NULL) || (*dom_sids == NULL) || - (*alt_names == NULL)) - return NT_STATUS_NO_MEMORY; - - for (i=0; i<num; i++) { - (*names)[start_idx+i] = tmp_names[i]; - (*dom_sids)[start_idx+i] = tmp_sids[i]; - (*alt_names)[start_idx+i] = talloc_strdup(mem_ctx, ""); - } - } - return result; -} - -/* find the lockout policy for a domain */ -NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - SAM_UNK_INFO_12 *lockout_policy) -{ - NTSTATUS result; - struct rpc_pipe_client *cli; - POLICY_HND dom_pol; - SAM_UNK_CTR ctr; - - DEBUG(10,("rpc: fetch lockout policy for %s\n", domain->name)); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_NOT_SUPPORTED; - } - - result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); - if (!NT_STATUS_IS_OK(result)) { - goto done; - } - - result = rpccli_samr_query_dom_info(cli, mem_ctx, &dom_pol, 12, &ctr); - if (!NT_STATUS_IS_OK(result)) { - goto done; - } - - *lockout_policy = ctr.info.inf12; - - DEBUG(10,("msrpc_lockout_policy: bad_attempt_lockout %d\n", - ctr.info.inf12.bad_attempt_lockout)); - - done: - - return result; -} - -/* find the password policy for a domain */ -NTSTATUS msrpc_password_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - SAM_UNK_INFO_1 *password_policy) -{ - NTSTATUS result; - struct rpc_pipe_client *cli; - POLICY_HND dom_pol; - SAM_UNK_CTR ctr; - - DEBUG(10,("rpc: fetch password policy for %s\n", domain->name)); - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n", - domain->name)); - return NT_STATUS_NOT_SUPPORTED; - } - - result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); - if (!NT_STATUS_IS_OK(result)) { - goto done; - } - - result = rpccli_samr_query_dom_info(cli, mem_ctx, &dom_pol, 1, &ctr); - if (!NT_STATUS_IS_OK(result)) { - goto done; - } - - *password_policy = ctr.info.inf1; - - DEBUG(10,("msrpc_password_policy: min_length_password %d\n", - ctr.info.inf1.min_length_password)); - - done: - - return result; -} - - -/* the rpc backend methods are exposed via this structure */ -struct winbindd_methods msrpc_methods = { - False, - query_user_list, - enum_dom_groups, - enum_local_groups, - msrpc_name_to_sid, - msrpc_sid_to_name, - msrpc_rids_to_names, - query_user, - lookup_usergroups, - msrpc_lookup_useraliases, - lookup_groupmem, - sequence_number, - msrpc_lockout_policy, - msrpc_password_policy, - trusted_domains, -}; diff --git a/source3/nsswitch/winbindd_sid.c b/source3/nsswitch/winbindd_sid.c deleted file mode 100644 index 48e84d35e5..0000000000 --- a/source3/nsswitch/winbindd_sid.c +++ /dev/null @@ -1,560 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon - sid related functions - - Copyright (C) Tim Potter 2000 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -/* Convert a string */ - -static void lookupsid_recv(void *private_data, BOOL success, - const char *dom_name, const char *name, - enum lsa_SidType type); - -void winbindd_lookupsid(struct winbindd_cli_state *state) -{ - DOM_SID sid; - - /* Ensure null termination */ - state->request.data.sid[sizeof(state->request.data.sid)-1]='\0'; - - DEBUG(3, ("[%5lu]: lookupsid %s\n", (unsigned long)state->pid, - state->request.data.sid)); - - if (!string_to_sid(&sid, state->request.data.sid)) { - DEBUG(5, ("%s not a SID\n", state->request.data.sid)); - request_error(state); - return; - } - - winbindd_lookupsid_async(state->mem_ctx, &sid, lookupsid_recv, state); -} - -static void lookupsid_recv(void *private_data, BOOL success, - const char *dom_name, const char *name, - enum lsa_SidType type) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - DEBUG(5, ("lookupsid returned an error\n")); - request_error(state); - return; - } - - fstrcpy(state->response.data.name.dom_name, dom_name); - fstrcpy(state->response.data.name.name, name); - state->response.data.name.type = type; - request_ok(state); -} - -/** - * Look up the SID for a qualified name. - **/ - -static void lookupname_recv(void *private_data, BOOL success, - const DOM_SID *sid, enum lsa_SidType type); - -void winbindd_lookupname(struct winbindd_cli_state *state) -{ - char *name_domain, *name_user; - char *p; - - /* Ensure null termination */ - state->request.data.name.dom_name[sizeof(state->request.data.name.dom_name)-1]='\0'; - - /* Ensure null termination */ - state->request.data.name.name[sizeof(state->request.data.name.name)-1]='\0'; - - /* cope with the name being a fully qualified name */ - p = strstr(state->request.data.name.name, lp_winbind_separator()); - if (p) { - *p = 0; - name_domain = state->request.data.name.name; - name_user = p+1; - } else { - name_domain = state->request.data.name.dom_name; - name_user = state->request.data.name.name; - } - - DEBUG(3, ("[%5lu]: lookupname %s%s%s\n", (unsigned long)state->pid, - name_domain, lp_winbind_separator(), name_user)); - - winbindd_lookupname_async(state->mem_ctx, name_domain, name_user, - lookupname_recv, WINBINDD_LOOKUPNAME, - state); -} - -static void lookupname_recv(void *private_data, BOOL success, - const DOM_SID *sid, enum lsa_SidType type) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - DEBUG(5, ("lookupname returned an error\n")); - request_error(state); - return; - } - - sid_to_string(state->response.data.sid.sid, sid); - state->response.data.sid.type = type; - request_ok(state); - return; -} - -void winbindd_lookuprids(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain; - DOM_SID domain_sid; - - /* Ensure null termination */ - state->request.data.sid[sizeof(state->request.data.sid)-1]='\0'; - - DEBUG(10, ("lookup_rids: %s\n", state->request.data.sid)); - - if (!string_to_sid(&domain_sid, state->request.data.sid)) { - DEBUG(5, ("Could not convert %s to SID\n", - state->request.data.sid)); - request_error(state); - return; - } - - domain = find_lookup_domain_from_sid(&domain_sid); - if (domain == NULL) { - DEBUG(10, ("Could not find domain for name %s\n", - state->request.domain_name)); - request_error(state); - return; - } - - sendto_domain(state, domain); -} - -static struct winbindd_child static_idmap_child; - -void init_idmap_child(void) -{ - setup_domain_child(NULL, &static_idmap_child, "idmap"); -} - -struct winbindd_child *idmap_child(void) -{ - return &static_idmap_child; -} - -/* Convert a sid to a uid. We assume we only have one rid attached to the - sid. */ - -static void sid2uid_recv(void *private_data, BOOL success, uid_t uid) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - DEBUG(5, ("Could not convert sid %s\n", - state->request.data.sid)); - request_error(state); - return; - } - - state->response.data.uid = uid; - request_ok(state); -} - -static void sid2uid_lookupsid_recv( void *private_data, BOOL success, - const char *domain_name, - const char *name, - enum lsa_SidType type) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - DOM_SID sid; - - if (!success) { - DEBUG(5, ("sid2uid_lookupsid_recv Could not convert get sid type for %s\n", - state->request.data.sid)); - request_error(state); - return; - } - - if ( (type!=SID_NAME_USER) && (type!=SID_NAME_COMPUTER) ) { - DEBUG(5,("sid2uid_lookupsid_recv: Sid %s is not a user or a computer.\n", - state->request.data.sid)); - request_error(state); - return; - } - - if (!string_to_sid(&sid, state->request.data.sid)) { - DEBUG(1, ("sid2uid_lookupsid_recv: Could not get convert sid %s from string\n", - state->request.data.sid)); - request_error(state); - return; - } - - /* always use the async interface (may block) */ - winbindd_sid2uid_async(state->mem_ctx, &sid, sid2uid_recv, state); -} - -void winbindd_sid_to_uid(struct winbindd_cli_state *state) -{ - DOM_SID sid; - - /* Ensure null termination */ - state->request.data.sid[sizeof(state->request.data.sid)-1]='\0'; - - DEBUG(3, ("[%5lu]: sid to uid %s\n", (unsigned long)state->pid, - state->request.data.sid)); - - if (!string_to_sid(&sid, state->request.data.sid)) { - DEBUG(1, ("Could not get convert sid %s from string\n", - state->request.data.sid)); - request_error(state); - return; - } - - /* Validate the SID as a user. Hopefully this will hit cache. - Needed to prevent DoS by exhausting the uid allocation - range from random SIDs. */ - - winbindd_lookupsid_async( state->mem_ctx, &sid, sid2uid_lookupsid_recv, state ); -} - -/* Convert a sid to a gid. We assume we only have one rid attached to the - sid.*/ - -static void sid2gid_recv(void *private_data, BOOL success, gid_t gid) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - DEBUG(5, ("Could not convert sid %s\n", - state->request.data.sid)); - request_error(state); - return; - } - - state->response.data.gid = gid; - request_ok(state); -} - -static void sid2gid_lookupsid_recv( void *private_data, BOOL success, - const char *domain_name, - const char *name, - enum lsa_SidType type) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - DOM_SID sid; - - if (!success) { - DEBUG(5, ("sid2gid_lookupsid_recv: Could not get sid type for %s\n", - state->request.data.sid)); - request_error(state); - return; - } - - if ( (type!=SID_NAME_DOM_GRP) && - (type!=SID_NAME_ALIAS) && - (type!=SID_NAME_WKN_GRP) ) - { - DEBUG(5,("sid2gid_lookupsid_recv: Sid %s is not a group.\n", - state->request.data.sid)); - request_error(state); - return; - } - - if (!string_to_sid(&sid, state->request.data.sid)) { - DEBUG(1, ("sid2gid_lookupsid_recv: Could not get convert sid %s from string\n", - state->request.data.sid)); - request_error(state); - return; - } - - /* always use the async interface (may block) */ - winbindd_sid2gid_async(state->mem_ctx, &sid, sid2gid_recv, state); -} - -void winbindd_sid_to_gid(struct winbindd_cli_state *state) -{ - DOM_SID sid; - - /* Ensure null termination */ - state->request.data.sid[sizeof(state->request.data.sid)-1]='\0'; - - DEBUG(3, ("[%5lu]: sid to gid %s\n", (unsigned long)state->pid, - state->request.data.sid)); - - if (!string_to_sid(&sid, state->request.data.sid)) { - DEBUG(1, ("Could not get convert sid %s from string\n", - state->request.data.sid)); - request_error(state); - return; - } - - /* Validate the SID as a group. Hopefully this will hit cache. - Needed to prevent DoS by exhausting the uid allocation - range from random SIDs. */ - - winbindd_lookupsid_async( state->mem_ctx, &sid, sid2gid_lookupsid_recv, state ); -} - -static void sids2xids_recv(void *private_data, BOOL success, void *data, int len) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - DEBUG(5, ("Could not convert sids to xids\n")); - request_error(state); - return; - } - - state->response.extra_data.data = data; - state->response.length = sizeof(state->response) + len; - request_ok(state); -} - -void winbindd_sids_to_unixids(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: sids to xids\n", (unsigned long)state->pid)); - - winbindd_sids2xids_async(state->mem_ctx, - state->request.extra_data.data, - state->request.extra_len, - sids2xids_recv, state); -} - -static void set_mapping_recv(void *private_data, BOOL success) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - DEBUG(5, ("Could not set sid mapping\n")); - request_error(state); - return; - } - - request_ok(state); -} - -void winbindd_set_mapping(struct winbindd_cli_state *state) -{ - struct id_map map; - DOM_SID sid; - - DEBUG(3, ("[%5lu]: set id map\n", (unsigned long)state->pid)); - - if ( ! state->privileged) { - DEBUG(0, ("Only root is allowed to set mappings!\n")); - request_error(state); - return; - } - - if (!string_to_sid(&sid, state->request.data.dual_idmapset.sid)) { - DEBUG(1, ("Could not get convert sid %s from string\n", - state->request.data.sid)); - request_error(state); - return; - } - - map.sid = &sid; - map.xid.id = state->request.data.dual_idmapset.id; - map.xid.type = state->request.data.dual_idmapset.type; - - winbindd_set_mapping_async(state->mem_ctx, &map, - set_mapping_recv, state); -} - -static void set_hwm_recv(void *private_data, BOOL success) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - DEBUG(5, ("Could not set sid mapping\n")); - request_error(state); - return; - } - - request_ok(state); -} - -void winbindd_set_hwm(struct winbindd_cli_state *state) -{ - struct unixid xid; - - DEBUG(3, ("[%5lu]: set hwm\n", (unsigned long)state->pid)); - - if ( ! state->privileged) { - DEBUG(0, ("Only root is allowed to set mappings!\n")); - request_error(state); - return; - } - - xid.id = state->request.data.dual_idmapset.id; - xid.type = state->request.data.dual_idmapset.type; - - winbindd_set_hwm_async(state->mem_ctx, &xid, set_hwm_recv, state); -} - -/* Convert a uid to a sid */ - -static void uid2sid_recv(void *private_data, BOOL success, const char *sid) -{ - struct winbindd_cli_state *state = - (struct winbindd_cli_state *)private_data; - - if (success) { - DEBUG(10,("uid2sid: uid %lu has sid %s\n", - (unsigned long)(state->request.data.uid), sid)); - fstrcpy(state->response.data.sid.sid, sid); - state->response.data.sid.type = SID_NAME_USER; - request_ok(state); - return; - } - - request_error(state); - return; -} - -void winbindd_uid_to_sid(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: uid to sid %lu\n", (unsigned long)state->pid, - (unsigned long)state->request.data.uid)); - - /* always go via the async interface (may block) */ - winbindd_uid2sid_async(state->mem_ctx, state->request.data.uid, uid2sid_recv, state); -} - -/* Convert a gid to a sid */ - -static void gid2sid_recv(void *private_data, BOOL success, const char *sid) -{ - struct winbindd_cli_state *state = - (struct winbindd_cli_state *)private_data; - - if (success) { - DEBUG(10,("gid2sid: gid %lu has sid %s\n", - (unsigned long)(state->request.data.gid), sid)); - fstrcpy(state->response.data.sid.sid, sid); - state->response.data.sid.type = SID_NAME_DOM_GRP; - request_ok(state); - return; - } - - request_error(state); - return; -} - - -void winbindd_gid_to_sid(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: gid to sid %lu\n", (unsigned long)state->pid, - (unsigned long)state->request.data.gid)); - - /* always use async calls (may block) */ - winbindd_gid2sid_async(state->mem_ctx, state->request.data.gid, gid2sid_recv, state); -} - -void winbindd_allocate_uid(struct winbindd_cli_state *state) -{ - if ( !state->privileged ) { - DEBUG(2, ("winbindd_allocate_uid: non-privileged access " - "denied!\n")); - request_error(state); - return; - } - - sendto_child(state, idmap_child()); -} - -enum winbindd_result winbindd_dual_allocate_uid(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - struct unixid xid; - - if (!NT_STATUS_IS_OK(idmap_allocate_uid(&xid))) { - return WINBINDD_ERROR; - } - state->response.data.uid = xid.id; - return WINBINDD_OK; -} - -void winbindd_allocate_gid(struct winbindd_cli_state *state) -{ - if ( !state->privileged ) { - DEBUG(2, ("winbindd_allocate_gid: non-privileged access " - "denied!\n")); - request_error(state); - return; - } - - sendto_child(state, idmap_child()); -} - -enum winbindd_result winbindd_dual_allocate_gid(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - struct unixid xid; - - if (!NT_STATUS_IS_OK(idmap_allocate_gid(&xid))) { - return WINBINDD_ERROR; - } - state->response.data.gid = xid.id; - return WINBINDD_OK; -} - -static void dump_maps_recv(void *private_data, BOOL success) -{ - struct winbindd_cli_state *state = - talloc_get_type_abort(private_data, struct winbindd_cli_state); - - if (!success) { - DEBUG(5, ("Could not dump maps\n")); - request_error(state); - return; - } - - request_ok(state); -} - -void winbindd_dump_maps(struct winbindd_cli_state *state) -{ - if ( ! state->privileged) { - DEBUG(0, ("Only root is allowed to ask for an idmap dump!\n")); - request_error(state); - return; - } - - DEBUG(3, ("[%5lu]: dump maps\n", (unsigned long)state->pid)); - - winbindd_dump_maps_async(state->mem_ctx, - state->request.extra_data.data, - state->request.extra_len, - dump_maps_recv, state); -} - diff --git a/source3/nsswitch/winbindd_sockinit.c b/source3/nsswitch/winbindd_sockinit.c deleted file mode 100644 index 50c53a5045..0000000000 --- a/source3/nsswitch/winbindd_sockinit.c +++ /dev/null @@ -1,126 +0,0 @@ -/* - Unix SMB/CIFS implementation. - Copyright (C) Tim Potter 2000-2001 - Copyright (C) 2001 by Martin Pool <mbp@samba.org> - Copyright (C) James Peach 2007 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" -#include "smb_launchd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -/* Open the winbindd socket */ - -static int _winbindd_socket = -1; -static int _winbindd_priv_socket = -1; -static BOOL unlink_winbindd_socket = True; - -static int open_winbindd_socket(void) -{ - if (_winbindd_socket == -1) { - _winbindd_socket = create_pipe_sock( - WINBINDD_SOCKET_DIR, WINBINDD_SOCKET_NAME, 0755); - DEBUG(10, ("open_winbindd_socket: opened socket fd %d\n", - _winbindd_socket)); - } - - return _winbindd_socket; -} - -static int open_winbindd_priv_socket(void) -{ - if (_winbindd_priv_socket == -1) { - _winbindd_priv_socket = create_pipe_sock( - get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750); - DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n", - _winbindd_priv_socket)); - } - - return _winbindd_priv_socket; -} - -/* Close the winbindd socket */ - -static void close_winbindd_socket(void) -{ - if (_winbindd_socket != -1) { - DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n", - _winbindd_socket)); - close(_winbindd_socket); - _winbindd_socket = -1; - } - if (_winbindd_priv_socket != -1) { - DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n", - _winbindd_priv_socket)); - close(_winbindd_priv_socket); - _winbindd_priv_socket = -1; - } -} - -BOOL winbindd_init_sockets(int *public_sock, int *priv_sock, - int *idle_timeout_sec) -{ - struct smb_launch_info linfo; - - if (smb_launchd_checkin_names(&linfo, "WinbindPublicPipe", - "WinbindPrivilegedPipe", NULL)) { - if (linfo.num_sockets != 2) { - DEBUG(0, ("invalid launchd configuration, " - "expected 2 sockets but got %d\n", - linfo.num_sockets)); - return False; - } - - *public_sock = _winbindd_socket = linfo.socket_list[0]; - *priv_sock = _winbindd_priv_socket = linfo.socket_list[1]; - *idle_timeout_sec = linfo.idle_timeout_secs; - - unlink_winbindd_socket = False; - - smb_launchd_checkout(&linfo); - return True; - } else { - *public_sock = open_winbindd_socket(); - *priv_sock = open_winbindd_priv_socket(); - *idle_timeout_sec = -1; - - if (*public_sock == -1 || *priv_sock == -1) { - DEBUG(0, ("failed to open winbindd pipes: %s\n", - errno ? strerror(errno) : "unknown error")); - return False; - } - - return True; - } -} - -void winbindd_release_sockets(void) -{ - pstring path; - - close_winbindd_socket(); - - /* Remove socket file */ - if (unlink_winbindd_socket) { - pstr_sprintf(path, "%s/%s", - WINBINDD_SOCKET_DIR, WINBINDD_SOCKET_NAME); - unlink(path); - } -} - diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c deleted file mode 100644 index fac2832f56..0000000000 --- a/source3/nsswitch/winbindd_user.c +++ /dev/null @@ -1,875 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon - user related functions - - Copyright (C) Tim Potter 2000 - Copyright (C) Jeremy Allison 2001. - Copyright (C) Gerald (Jerry) Carter 2003. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -static BOOL fillup_pw_field(const char *lp_template, - const char *username, - const char *domname, - uid_t uid, - gid_t gid, - const char *in, - fstring out) -{ - char *templ; - - if (out == NULL) - return False; - - /* The substitution of %U and %D in the 'template - homedir' is done by talloc_sub_specified() below. - If we have an in string (which means the value has already - been set in the nss_info backend), then use that. - Otherwise use the template value passed in. */ - - if ( in && !strequal(in,"") && lp_security() == SEC_ADS ) { - templ = talloc_sub_specified(NULL, in, - username, domname, - uid, gid); - } else { - templ = talloc_sub_specified(NULL, lp_template, - username, domname, - uid, gid); - } - - if (!templ) - return False; - - safe_strcpy(out, templ, sizeof(fstring) - 1); - TALLOC_FREE(templ); - - return True; - -} -/* Fill a pwent structure with information we have obtained */ - -static BOOL winbindd_fill_pwent(char *dom_name, char *user_name, - DOM_SID *user_sid, DOM_SID *group_sid, - char *full_name, char *homedir, char *shell, - struct winbindd_pw *pw) -{ - fstring output_username; - fstring sid_string; - - if (!pw || !dom_name || !user_name) - return False; - - /* Resolve the uid number */ - - if (!NT_STATUS_IS_OK(idmap_sid_to_uid(user_sid, &pw->pw_uid))) { - DEBUG(1, ("error getting user id for sid %s\n", sid_to_string(sid_string, user_sid))); - return False; - } - - /* Resolve the gid number */ - - if (!NT_STATUS_IS_OK(idmap_sid_to_gid(group_sid, &pw->pw_gid))) { - DEBUG(1, ("error getting group id for sid %s\n", sid_to_string(sid_string, group_sid))); - return False; - } - - strlower_m(user_name); - - /* Username */ - - fill_domain_username(output_username, dom_name, user_name, True); - - safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1); - - /* Full name (gecos) */ - - safe_strcpy(pw->pw_gecos, full_name, sizeof(pw->pw_gecos) - 1); - - /* Home directory and shell */ - - if (!fillup_pw_field(lp_template_homedir(), user_name, dom_name, - pw->pw_uid, pw->pw_gid, homedir, pw->pw_dir)) - return False; - - if (!fillup_pw_field(lp_template_shell(), user_name, dom_name, - pw->pw_uid, pw->pw_gid, shell, pw->pw_shell)) - return False; - - /* Password - set to "*" as we can't generate anything useful here. - Authentication can be done using the pam_winbind module. */ - - safe_strcpy(pw->pw_passwd, "*", sizeof(pw->pw_passwd) - 1); - - return True; -} - -/* Wrapper for domain->methods->query_user, only on the parent->child pipe */ - -enum winbindd_result winbindd_dual_userinfo(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - DOM_SID sid; - WINBIND_USERINFO user_info; - NTSTATUS status; - - /* Ensure null termination */ - state->request.data.sid[sizeof(state->request.data.sid)-1]='\0'; - - DEBUG(3, ("[%5lu]: lookupsid %s\n", (unsigned long)state->pid, - state->request.data.sid)); - - if (!string_to_sid(&sid, state->request.data.sid)) { - DEBUG(5, ("%s not a SID\n", state->request.data.sid)); - return WINBINDD_ERROR; - } - - status = domain->methods->query_user(domain, state->mem_ctx, - &sid, &user_info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("error getting user info for sid %s\n", - sid_string_static(&sid))); - return WINBINDD_ERROR; - } - - fstrcpy(state->response.data.user_info.acct_name, user_info.acct_name); - fstrcpy(state->response.data.user_info.full_name, user_info.full_name); - fstrcpy(state->response.data.user_info.homedir, user_info.homedir); - fstrcpy(state->response.data.user_info.shell, user_info.shell); - state->response.data.user_info.primary_gid = user_info.primary_gid; - if (!sid_peek_check_rid(&domain->sid, &user_info.group_sid, - &state->response.data.user_info.group_rid)) { - DEBUG(1, ("Could not extract group rid out of %s\n", - sid_string_static(&sid))); - return WINBINDD_ERROR; - } - - return WINBINDD_OK; -} - -struct getpwsid_state { - struct winbindd_cli_state *state; - struct winbindd_domain *domain; - char *username; - char *fullname; - char *homedir; - char *shell; - DOM_SID user_sid; - uid_t uid; - DOM_SID group_sid; - gid_t gid; -}; - -static void getpwsid_queryuser_recv(void *private_data, BOOL success, - const char *acct_name, - const char *full_name, - const char *homedir, - const char *shell, - uint32 gid, - uint32 group_rid); -static void getpwsid_sid2uid_recv(void *private_data, BOOL success, uid_t uid); -static void getpwsid_sid2gid_recv(void *private_data, BOOL success, gid_t gid); - -static void winbindd_getpwsid(struct winbindd_cli_state *state, - const DOM_SID *sid) -{ - struct getpwsid_state *s; - - s = TALLOC_ZERO_P(state->mem_ctx, struct getpwsid_state); - if (s == NULL) { - DEBUG(0, ("talloc failed\n")); - goto error; - } - - s->state = state; - s->domain = find_domain_from_sid_noinit(sid); - if (s->domain == NULL) { - DEBUG(3, ("Could not find domain for sid %s\n", - sid_string_static(sid))); - goto error; - } - - sid_copy(&s->user_sid, sid); - - query_user_async(s->state->mem_ctx, s->domain, sid, - getpwsid_queryuser_recv, s); - return; - - error: - request_error(state); -} - -static void getpwsid_queryuser_recv(void *private_data, BOOL success, - const char *acct_name, - const char *full_name, - const char *homedir, - const char *shell, - uint32 gid, - uint32 group_rid) -{ - fstring username; - struct getpwsid_state *s = - talloc_get_type_abort(private_data, struct getpwsid_state); - - if (!success) { - DEBUG(5, ("Could not query domain %s SID %s\n", s->domain->name, - sid_string_static(&s->user_sid))); - request_error(s->state); - return; - } - - if ( acct_name && *acct_name ) { - fstrcpy( username, acct_name ); - } else { - char *domain_name = NULL; - enum lsa_SidType type; - char *user_name = NULL; - struct winbindd_domain *domain = NULL; - - domain = find_lookup_domain_from_sid(&s->user_sid); - if (domain == NULL) { - DEBUG(5, ("find_lookup_domain_from_sid(%s) failed\n", - sid_string_static(&s->user_sid))); - request_error(s->state); - return; - } - winbindd_lookup_name_by_sid(s->state->mem_ctx, domain, - &s->user_sid, &domain_name, - &user_name, &type ); - - /* If this still fails we ar4e done. Just error out */ - if ( !user_name ) { - DEBUG(5,("Could not obtain a name for SID %s\n", - sid_string_static(&s->user_sid))); - request_error(s->state); - return; - } - - fstrcpy( username, user_name ); - } - - strlower_m( username ); - s->username = talloc_strdup(s->state->mem_ctx, username); - - ws_name_replace( s->username, WB_REPLACE_CHAR ); - - s->fullname = talloc_strdup(s->state->mem_ctx, full_name); - s->homedir = talloc_strdup(s->state->mem_ctx, homedir); - s->shell = talloc_strdup(s->state->mem_ctx, shell); - s->gid = gid; - sid_copy(&s->group_sid, &s->domain->sid); - sid_append_rid(&s->group_sid, group_rid); - - winbindd_sid2uid_async(s->state->mem_ctx, &s->user_sid, - getpwsid_sid2uid_recv, s); -} - -static void getpwsid_sid2uid_recv(void *private_data, BOOL success, uid_t uid) -{ - struct getpwsid_state *s = - talloc_get_type_abort(private_data, struct getpwsid_state); - - if (!success) { - DEBUG(5, ("Could not query uid for user %s\\%s\n", - s->domain->name, s->username)); - request_error(s->state); - return; - } - - s->uid = uid; - winbindd_sid2gid_async(s->state->mem_ctx, &s->group_sid, - getpwsid_sid2gid_recv, s); -} - -static void getpwsid_sid2gid_recv(void *private_data, BOOL success, gid_t gid) -{ - struct getpwsid_state *s = - talloc_get_type_abort(private_data, struct getpwsid_state); - struct winbindd_pw *pw; - fstring output_username; - - /* allow the nss backend to override the primary group ID. - If the gid has already been set, then keep it. - This makes me feel dirty. If the nss backend already - gave us a gid, we don't really care whether the sid2gid() - call worked or not. --jerry */ - - if ( s->gid == (gid_t)-1 ) { - - if (!success) { - DEBUG(5, ("Could not query gid for user %s\\%s\n", - s->domain->name, s->username)); - goto failed; - } - - /* take what the sid2gid() call gave us */ - s->gid = gid; - } - - pw = &s->state->response.data.pw; - pw->pw_uid = s->uid; - pw->pw_gid = s->gid; - fill_domain_username(output_username, s->domain->name, s->username, True); - safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1); - safe_strcpy(pw->pw_gecos, s->fullname, sizeof(pw->pw_gecos) - 1); - - if (!fillup_pw_field(lp_template_homedir(), s->username, s->domain->name, - pw->pw_uid, pw->pw_gid, s->homedir, pw->pw_dir)) { - DEBUG(5, ("Could not compose homedir\n")); - goto failed; - } - - if (!fillup_pw_field(lp_template_shell(), s->username, s->domain->name, - pw->pw_uid, pw->pw_gid, s->shell, pw->pw_shell)) { - DEBUG(5, ("Could not compose shell\n")); - goto failed; - } - - /* Password - set to "*" as we can't generate anything useful here. - Authentication can be done using the pam_winbind module. */ - - safe_strcpy(pw->pw_passwd, "*", sizeof(pw->pw_passwd) - 1); - - request_ok(s->state); - return; - - failed: - request_error(s->state); -} - -/* Return a password structure from a username. */ - -static void getpwnam_name2sid_recv(void *private_data, BOOL success, - const DOM_SID *sid, enum lsa_SidType type); - -void winbindd_getpwnam(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain; - fstring domname, username; - - /* Ensure null termination */ - state->request.data.username[sizeof(state->request.data.username)-1]='\0'; - - DEBUG(3, ("[%5lu]: getpwnam %s\n", (unsigned long)state->pid, - state->request.data.username)); - - ws_name_return( state->request.data.username, WB_REPLACE_CHAR ); - - if (!parse_domain_user(state->request.data.username, domname, - username)) { - DEBUG(5, ("Could not parse domain user: %s\n", - state->request.data.username)); - request_error(state); - return; - } - - /* Get info for the domain */ - - domain = find_domain_from_name(domname); - - if (domain == NULL) { - DEBUG(7, ("could not find domain entry for domain %s. " - "Using primary domain\n", domname)); - if ( (domain = find_our_domain()) == NULL ) { - DEBUG(0,("Cannot find my primary domain structure!\n")); - request_error(state); - return; - } - } - - if ( strequal(domname, lp_workgroup()) && lp_winbind_trusted_domains_only() ) { - DEBUG(7,("winbindd_getpwnam: My domain -- rejecting getpwnam() for %s\\%s.\n", - domname, username)); - request_error(state); - return; - } - - /* Get rid and name type from name. The following costs 1 packet */ - - winbindd_lookupname_async(state->mem_ctx, domname, username, - getpwnam_name2sid_recv, WINBINDD_GETPWNAM, - state); -} - -static void getpwnam_name2sid_recv(void *private_data, BOOL success, - const DOM_SID *sid, enum lsa_SidType type) -{ - struct winbindd_cli_state *state = - (struct winbindd_cli_state *)private_data; - fstring domname, username; - - if (!success) { - DEBUG(5, ("Could not lookup name for user %s\n", - state->request.data.username)); - request_error(state); - return; - } - - if ((type != SID_NAME_USER) && (type != SID_NAME_COMPUTER)) { - DEBUG(5, ("%s is not a user\n", state->request.data.username)); - request_error(state); - return; - } - - if ( parse_domain_user(state->request.data.username, domname, username) ) { - check_domain_trusted( domname, sid ); - } - - - - winbindd_getpwsid(state, sid); -} - -static void getpwuid_recv(void *private_data, BOOL success, const char *sid) -{ - struct winbindd_cli_state *state = - (struct winbindd_cli_state *)private_data; - DOM_SID user_sid; - - if (!success) { - DEBUG(10,("uid2sid_recv: uid [%lu] to sid mapping failed\n.", - (unsigned long)(state->request.data.uid))); - request_error(state); - return; - } - - DEBUG(10,("uid2sid_recv: uid %lu has sid %s\n", - (unsigned long)(state->request.data.uid), sid)); - - string_to_sid(&user_sid, sid); - winbindd_getpwsid(state, &user_sid); -} - -/* Return a password structure given a uid number */ -void winbindd_getpwuid(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: getpwuid %lu\n", (unsigned long)state->pid, - (unsigned long)state->request.data.uid)); - - /* always query idmap via the async interface */ - /* if this turns to be too slow we will add here a direct query to the cache */ - winbindd_uid2sid_async(state->mem_ctx, state->request.data.uid, getpwuid_recv, state); -} - -/* - * set/get/endpwent functions - */ - -/* Rewind file pointer for ntdom passwd database */ - -static BOOL winbindd_setpwent_internal(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain; - - DEBUG(3, ("[%5lu]: setpwent\n", (unsigned long)state->pid)); - - /* Check user has enabled this */ - - if (!lp_winbind_enum_users()) { - return False; - } - - /* Free old static data if it exists */ - - if (state->getpwent_state != NULL) { - free_getent_state(state->getpwent_state); - state->getpwent_state = NULL; - } - -#if 0 /* JERRY */ - /* add any local users we have */ - - if ( (domain_state = (struct getent_state *)malloc(sizeof(struct getent_state))) == NULL ) - return False; - - ZERO_STRUCTP(domain_state); - - /* Add to list of open domains */ - - DLIST_ADD(state->getpwent_state, domain_state); -#endif - - /* Create sam pipes for each domain we know about */ - - for(domain = domain_list(); domain != NULL; domain = domain->next) { - struct getent_state *domain_state; - - - /* don't add our domaina if we are a PDC or if we - are a member of a Samba domain */ - - if ( (IS_DC || lp_winbind_trusted_domains_only()) - && strequal(domain->name, lp_workgroup()) ) - { - continue; - } - - /* Create a state record for this domain */ - - if ((domain_state = SMB_MALLOC_P(struct getent_state)) == NULL) { - DEBUG(0, ("malloc failed\n")); - return False; - } - - ZERO_STRUCTP(domain_state); - - fstrcpy(domain_state->domain_name, domain->name); - - /* Add to list of open domains */ - - DLIST_ADD(state->getpwent_state, domain_state); - } - - state->getpwent_initialized = True; - return True; -} - -void winbindd_setpwent(struct winbindd_cli_state *state) -{ - if (winbindd_setpwent_internal(state)) { - request_ok(state); - } else { - request_error(state); - } -} - -/* Close file pointer to ntdom passwd database */ - -void winbindd_endpwent(struct winbindd_cli_state *state) -{ - DEBUG(3, ("[%5lu]: endpwent\n", (unsigned long)state->pid)); - - free_getent_state(state->getpwent_state); - state->getpwent_initialized = False; - state->getpwent_state = NULL; - request_ok(state); -} - -/* Get partial list of domain users for a domain. We fill in the sam_entries, - and num_sam_entries fields with domain user information. The dispinfo_ndx - field is incremented to the index of the next user to fetch. Return True if - some users were returned, False otherwise. */ - -static BOOL get_sam_user_entries(struct getent_state *ent, TALLOC_CTX *mem_ctx) -{ - NTSTATUS status; - uint32 num_entries; - WINBIND_USERINFO *info; - struct getpwent_user *name_list = NULL; - struct winbindd_domain *domain; - struct winbindd_methods *methods; - unsigned int i; - - if (ent->num_sam_entries) - return False; - - if (!(domain = find_domain_from_name(ent->domain_name))) { - DEBUG(3, ("no such domain %s in get_sam_user_entries\n", - ent->domain_name)); - return False; - } - - methods = domain->methods; - - /* Free any existing user info */ - - SAFE_FREE(ent->sam_entries); - ent->num_sam_entries = 0; - - /* Call query_user_list to get a list of usernames and user rids */ - - num_entries = 0; - - status = methods->query_user_list(domain, mem_ctx, &num_entries, - &info); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("get_sam_user_entries: query_user_list failed with %s\n", - nt_errstr(status) )); - return False; - } - - if (num_entries) { - name_list = SMB_REALLOC_ARRAY(name_list, struct getpwent_user, ent->num_sam_entries + num_entries); - - if (!name_list) { - DEBUG(0,("get_sam_user_entries realloc failed.\n")); - return False; - } - } - - for (i = 0; i < num_entries; i++) { - /* Store account name and gecos */ - if (!info[i].acct_name) { - fstrcpy(name_list[ent->num_sam_entries + i].name, ""); - } else { - fstrcpy(name_list[ent->num_sam_entries + i].name, - info[i].acct_name); - } - if (!info[i].full_name) { - fstrcpy(name_list[ent->num_sam_entries + i].gecos, ""); - } else { - fstrcpy(name_list[ent->num_sam_entries + i].gecos, - info[i].full_name); - } - if (!info[i].homedir) { - fstrcpy(name_list[ent->num_sam_entries + i].homedir, ""); - } else { - fstrcpy(name_list[ent->num_sam_entries + i].homedir, - info[i].homedir); - } - if (!info[i].shell) { - fstrcpy(name_list[ent->num_sam_entries + i].shell, ""); - } else { - fstrcpy(name_list[ent->num_sam_entries + i].shell, - info[i].shell); - } - - - /* User and group ids */ - sid_copy(&name_list[ent->num_sam_entries+i].user_sid, - &info[i].user_sid); - sid_copy(&name_list[ent->num_sam_entries+i].group_sid, - &info[i].group_sid); - } - - ent->num_sam_entries += num_entries; - - /* Fill in remaining fields */ - - ent->sam_entries = name_list; - ent->sam_entry_index = 0; - return ent->num_sam_entries > 0; -} - -/* Fetch next passwd entry from ntdom database */ - -#define MAX_GETPWENT_USERS 500 - -void winbindd_getpwent(struct winbindd_cli_state *state) -{ - struct getent_state *ent; - struct winbindd_pw *user_list; - int num_users, user_list_ndx; - - DEBUG(3, ("[%5lu]: getpwent\n", (unsigned long)state->pid)); - - /* Check user has enabled this */ - - if (!lp_winbind_enum_users()) { - request_error(state); - return; - } - - /* Allocate space for returning a chunk of users */ - - num_users = MIN(MAX_GETPWENT_USERS, state->request.data.num_entries); - - if (num_users == 0) { - request_error(state); - return; - } - - if ((state->response.extra_data.data = SMB_MALLOC_ARRAY(struct winbindd_pw, num_users)) == NULL) { - request_error(state); - return; - } - - memset(state->response.extra_data.data, 0, num_users * - sizeof(struct winbindd_pw)); - - user_list = (struct winbindd_pw *)state->response.extra_data.data; - - if (!state->getpwent_initialized) - winbindd_setpwent_internal(state); - - if (!(ent = state->getpwent_state)) { - request_error(state); - return; - } - - /* Start sending back users */ - - for (user_list_ndx = 0; user_list_ndx < num_users; ) { - struct getpwent_user *name_list = NULL; - uint32 result; - - /* Do we need to fetch another chunk of users? */ - - if (ent->num_sam_entries == ent->sam_entry_index) { - - while(ent && - !get_sam_user_entries(ent, state->mem_ctx)) { - struct getent_state *next_ent; - - /* Free state information for this domain */ - - SAFE_FREE(ent->sam_entries); - - next_ent = ent->next; - DLIST_REMOVE(state->getpwent_state, ent); - - SAFE_FREE(ent); - ent = next_ent; - } - - /* No more domains */ - - if (!ent) - break; - } - - name_list = (struct getpwent_user *)ent->sam_entries; - - /* Lookup user info */ - - result = winbindd_fill_pwent( - ent->domain_name, - name_list[ent->sam_entry_index].name, - &name_list[ent->sam_entry_index].user_sid, - &name_list[ent->sam_entry_index].group_sid, - name_list[ent->sam_entry_index].gecos, - name_list[ent->sam_entry_index].homedir, - name_list[ent->sam_entry_index].shell, - &user_list[user_list_ndx]); - - /* Add user to return list */ - - if (result) { - - user_list_ndx++; - state->response.data.num_entries++; - state->response.length += - sizeof(struct winbindd_pw); - - } else - DEBUG(1, ("could not lookup domain user %s\n", - name_list[ent->sam_entry_index].name)); - - ent->sam_entry_index++; - - } - - /* Out of domains */ - - if (user_list_ndx > 0) - request_ok(state); - else - request_error(state); -} - -/* List domain users without mapping to unix ids */ - -void winbindd_list_users(struct winbindd_cli_state *state) -{ - struct winbindd_domain *domain; - WINBIND_USERINFO *info; - const char *which_domain; - uint32 num_entries = 0, total_entries = 0; - char *extra_data = NULL; - int extra_data_len = 0; - enum winbindd_result rv = WINBINDD_ERROR; - - DEBUG(3, ("[%5lu]: list users\n", (unsigned long)state->pid)); - - /* Ensure null termination */ - state->request.domain_name[sizeof(state->request.domain_name)-1]='\0'; - which_domain = state->request.domain_name; - - /* Enumerate over trusted domains */ - - for (domain = domain_list(); domain; domain = domain->next) { - NTSTATUS status; - struct winbindd_methods *methods; - unsigned int i; - - /* if we have a domain name restricting the request and this - one in the list doesn't match, then just bypass the remainder - of the loop */ - - if ( *which_domain && !strequal(which_domain, domain->name) ) - continue; - - methods = domain->methods; - - /* Query display info */ - status = methods->query_user_list(domain, state->mem_ctx, - &num_entries, &info); - - if (!NT_STATUS_IS_OK(status)) { - continue; - } - - if (num_entries == 0) - continue; - - /* Allocate some memory for extra data */ - total_entries += num_entries; - - extra_data = (char *)SMB_REALLOC( - extra_data, sizeof(fstring) * total_entries); - - if (!extra_data) { - DEBUG(0,("failed to enlarge buffer!\n")); - goto done; - } - - /* Pack user list into extra data fields */ - - for (i = 0; i < num_entries; i++) { - fstring acct_name, name; - - if (!info[i].acct_name) { - fstrcpy(acct_name, ""); - } else { - fstrcpy(acct_name, info[i].acct_name); - } - - fill_domain_username(name, domain->name, acct_name, True); - - /* Append to extra data */ - memcpy(&extra_data[extra_data_len], name, - strlen(name)); - extra_data_len += strlen(name); - extra_data[extra_data_len++] = ','; - } - } - - /* Assign extra_data fields in response structure */ - - if (extra_data) { - extra_data[extra_data_len - 1] = '\0'; - state->response.extra_data.data = extra_data; - state->response.length += extra_data_len; - } - - /* No domains responded but that's still OK so don't return an - error. */ - - rv = WINBINDD_OK; - - done: - - if (rv == WINBINDD_OK) - request_ok(state); - else - request_error(state); -} diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c deleted file mode 100644 index 37d29e1765..0000000000 --- a/source3/nsswitch/winbindd_util.c +++ /dev/null @@ -1,1460 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon for ntdom nss module - - Copyright (C) Tim Potter 2000-2001 - Copyright (C) 2001 by Martin Pool <mbp@samba.org> - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -extern struct winbindd_methods cache_methods; -extern struct winbindd_methods passdb_methods; - -/** - * @file winbindd_util.c - * - * Winbind daemon for NT domain authentication nss module. - **/ - -/* The list of trusted domains. Note that the list can be deleted and - recreated using the init_domain_list() function so pointers to - individual winbindd_domain structures cannot be made. Keep a copy of - the domain name instead. */ - -static struct winbindd_domain *_domain_list; - -/** - When was the last scan of trusted domains done? - - 0 == not ever -*/ - -static time_t last_trustdom_scan; - -struct winbindd_domain *domain_list(void) -{ - /* Initialise list */ - - if ((!_domain_list) && (!init_domain_list())) { - smb_panic("Init_domain_list failed"); - } - - return _domain_list; -} - -/* Free all entries in the trusted domain list */ - -void free_domain_list(void) -{ - struct winbindd_domain *domain = _domain_list; - - while(domain) { - struct winbindd_domain *next = domain->next; - - DLIST_REMOVE(_domain_list, domain); - SAFE_FREE(domain); - domain = next; - } -} - -static BOOL is_internal_domain(const DOM_SID *sid) -{ - if (sid == NULL) - return False; - - if ( IS_DC ) - return sid_check_is_builtin(sid); - - return (sid_check_is_domain(sid) || sid_check_is_builtin(sid)); -} - -static BOOL is_in_internal_domain(const DOM_SID *sid) -{ - if (sid == NULL) - return False; - - if ( IS_DC ) - return sid_check_is_in_builtin(sid); - - return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid)); -} - - -/* Add a trusted domain to our list of domains */ -static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name, - struct winbindd_methods *methods, - const DOM_SID *sid) -{ - struct winbindd_domain *domain; - const char *alternative_name = NULL; - - /* ignore alt_name if we are not in an AD domain */ - - if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) { - alternative_name = alt_name; - } - - /* We can't call domain_list() as this function is called from - init_domain_list() and we'll get stuck in a loop. */ - for (domain = _domain_list; domain; domain = domain->next) { - if (strequal(domain_name, domain->name) || - strequal(domain_name, domain->alt_name)) - { - break; - } - - if (alternative_name && *alternative_name) - { - if (strequal(alternative_name, domain->name) || - strequal(alternative_name, domain->alt_name)) - { - break; - } - } - - if (sid) - { - if (is_null_sid(sid)) { - continue; - } - - if (sid_equal(sid, &domain->sid)) { - break; - } - } - } - - /* See if we found a match. Check if we need to update the - SID. */ - - if ( domain && sid) { - if ( sid_equal( &domain->sid, &global_sid_NULL ) ) - sid_copy( &domain->sid, sid ); - - return domain; - } - - /* Create new domain entry */ - - if ((domain = SMB_MALLOC_P(struct winbindd_domain)) == NULL) - return NULL; - - /* Fill in fields */ - - ZERO_STRUCTP(domain); - - /* prioritise the short name */ - if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) { - fstrcpy(domain->name, alternative_name); - fstrcpy(domain->alt_name, domain_name); - } else { - fstrcpy(domain->name, domain_name); - if (alternative_name) { - fstrcpy(domain->alt_name, alternative_name); - } - } - - domain->methods = methods; - domain->backend = NULL; - domain->internal = is_internal_domain(sid); - domain->sequence_number = DOM_SEQUENCE_NONE; - domain->last_seq_check = 0; - domain->initialized = False; - domain->online = is_internal_domain(sid); - domain->check_online_timeout = 0; - if (sid) { - sid_copy(&domain->sid, sid); - } - - /* Link to domain list */ - DLIST_ADD(_domain_list, domain); - - wcache_tdc_add_domain( domain ); - - DEBUG(2,("Added domain %s %s %s\n", - domain->name, domain->alt_name, - &domain->sid?sid_string_static(&domain->sid):"")); - - return domain; -} - -/******************************************************************** - rescan our domains looking for new trusted domains -********************************************************************/ - -struct trustdom_state { - TALLOC_CTX *mem_ctx; - BOOL primary; - BOOL forest_root; - struct winbindd_response *response; -}; - -static void trustdom_recv(void *private_data, BOOL success); -static void rescan_forest_root_trusts( void ); -static void rescan_forest_trusts( void ); - -static void add_trusted_domains( struct winbindd_domain *domain ) -{ - TALLOC_CTX *mem_ctx; - struct winbindd_request *request; - struct winbindd_response *response; - uint32 fr_flags = (DS_DOMAIN_TREE_ROOT|DS_DOMAIN_IN_FOREST); - - struct trustdom_state *state; - - mem_ctx = talloc_init("add_trusted_domains"); - if (mem_ctx == NULL) { - DEBUG(0, ("talloc_init failed\n")); - return; - } - - request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request); - response = TALLOC_P(mem_ctx, struct winbindd_response); - state = TALLOC_P(mem_ctx, struct trustdom_state); - - if ((request == NULL) || (response == NULL) || (state == NULL)) { - DEBUG(0, ("talloc failed\n")); - talloc_destroy(mem_ctx); - return; - } - - state->mem_ctx = mem_ctx; - state->response = response; - - /* Flags used to know how to continue the forest trust search */ - - state->primary = domain->primary; - state->forest_root = ((domain->domain_flags & fr_flags) == fr_flags ); - - request->length = sizeof(*request); - request->cmd = WINBINDD_LIST_TRUSTDOM; - - async_domain_request(mem_ctx, domain, request, response, - trustdom_recv, state); -} - -static void trustdom_recv(void *private_data, BOOL success) -{ - struct trustdom_state *state = - talloc_get_type_abort(private_data, struct trustdom_state); - struct winbindd_response *response = state->response; - char *p; - - if ((!success) || (response->result != WINBINDD_OK)) { - DEBUG(1, ("Could not receive trustdoms\n")); - talloc_destroy(state->mem_ctx); - return; - } - - p = (char *)response->extra_data.data; - - while ((p != NULL) && (*p != '\0')) { - char *q, *sidstr, *alt_name; - DOM_SID sid; - struct winbindd_domain *domain; - char *alternate_name = NULL; - - alt_name = strchr(p, '\\'); - if (alt_name == NULL) { - DEBUG(0, ("Got invalid trustdom response\n")); - break; - } - - *alt_name = '\0'; - alt_name += 1; - - sidstr = strchr(alt_name, '\\'); - if (sidstr == NULL) { - DEBUG(0, ("Got invalid trustdom response\n")); - break; - } - - *sidstr = '\0'; - sidstr += 1; - - q = strchr(sidstr, '\n'); - if (q != NULL) - *q = '\0'; - - if (!string_to_sid(&sid, sidstr)) { - /* Allow NULL sid for sibling domains */ - if ( strcmp(sidstr,"S-0-0") == 0) { - sid_copy( &sid, &global_sid_NULL); - } else { - DEBUG(0, ("Got invalid trustdom response\n")); - break; - } - } - - /* use the real alt_name if we have one, else pass in NULL */ - - if ( !strequal( alt_name, "(null)" ) ) - alternate_name = alt_name; - - /* If we have an existing domain structure, calling - add_trusted_domain() will update the SID if - necessary. This is important because we need the - SID for sibling domains */ - - if ( find_domain_from_name_noinit(p) != NULL ) { - domain = add_trusted_domain(p, alternate_name, - &cache_methods, - &sid); - } else { - domain = add_trusted_domain(p, alternate_name, - &cache_methods, - &sid); - if (domain) { - setup_domain_child(domain, &domain->child, NULL); - } - } - p=q; - if (p != NULL) - p += 1; - } - - SAFE_FREE(response->extra_data.data); - - /* - Cases to consider when scanning trusts: - (a) we are calling from a child domain (primary && !forest_root) - (b) we are calling from the root of the forest (primary && forest_root) - (c) we are calling from a trusted forest domain (!primary - && !forest_root) - */ - - if ( state->primary ) { - /* If this is our primary domain and we are not the in the - forest root, we have to scan the root trusts first */ - - if ( !state->forest_root ) - rescan_forest_root_trusts(); - else - rescan_forest_trusts(); - - } else if ( state->forest_root ) { - /* Once we have done root forest trust search, we can - go on to search thing trusted forests */ - - rescan_forest_trusts(); - } - - talloc_destroy(state->mem_ctx); - - return; -} - -/******************************************************************** - Scan the trusts of our forest root -********************************************************************/ - -static void rescan_forest_root_trusts( void ) -{ - struct winbindd_tdc_domain *dom_list = NULL; - size_t num_trusts = 0; - int i; - - /* The only transitive trusts supported by Windows 2003 AD are - (a) Parent-Child, (b) Tree-Root, and (c) Forest. The - first two are handled in forest and listed by - DsEnumerateDomainTrusts(). Forest trusts are not so we - have to do that ourselves. */ - - if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) ) - return; - - for ( i=0; i<num_trusts; i++ ) { - struct winbindd_domain *d = NULL; - - /* Find the forest root. Don't necessarily trust - the domain_list() as our primary domain may not - have been initialized. */ - - if ( !(dom_list[i].trust_flags & DS_DOMAIN_TREE_ROOT) ) { - continue; - } - - /* Here's the forest root */ - - d = find_domain_from_name_noinit( dom_list[i].domain_name ); - - if ( !d ) { - d = add_trusted_domain( dom_list[i].domain_name, - dom_list[i].dns_name, - &cache_methods, - &dom_list[i].sid ); - } - - DEBUG(10,("rescan_forest_root_trusts: Following trust path " - "for domain tree root %s (%s)\n", - d->name, d->alt_name )); - - d->domain_flags = dom_list[i].trust_flags; - d->domain_type = dom_list[i].trust_type; - d->domain_trust_attribs = dom_list[i].trust_attribs; - - add_trusted_domains( d ); - - break; - } - - TALLOC_FREE( dom_list ); - - return; -} - -/******************************************************************** - scan the transitive forest trists (not our own) -********************************************************************/ - - -static void rescan_forest_trusts( void ) -{ - struct winbindd_domain *d = NULL; - struct winbindd_tdc_domain *dom_list = NULL; - size_t num_trusts = 0; - int i; - - /* The only transitive trusts supported by Windows 2003 AD are - (a) Parent-Child, (b) Tree-Root, and (c) Forest. The - first two are handled in forest and listed by - DsEnumerateDomainTrusts(). Forest trusts are not so we - have to do that ourselves. */ - - if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) ) - return; - - for ( i=0; i<num_trusts; i++ ) { - uint32 flags = dom_list[i].trust_flags; - uint32 type = dom_list[i].trust_type; - uint32 attribs = dom_list[i].trust_attribs; - - d = find_domain_from_name_noinit( dom_list[i].domain_name ); - - /* ignore our primary and internal domains */ - - if ( d && (d->internal || d->primary ) ) - continue; - - if ( (flags & DS_DOMAIN_DIRECT_INBOUND) && - (type == DS_DOMAIN_TRUST_TYPE_UPLEVEL) && - (attribs == DS_DOMAIN_TRUST_ATTRIB_FOREST_TRANSITIVE) ) - { - /* add the trusted domain if we don't know - about it */ - - if ( !d ) { - d = add_trusted_domain( dom_list[i].domain_name, - dom_list[i].dns_name, - &cache_methods, - &dom_list[i].sid ); - } - - DEBUG(10,("Following trust path for domain %s (%s)\n", - d->name, d->alt_name )); - add_trusted_domains( d ); - } - } - - TALLOC_FREE( dom_list ); - - return; -} - -/********************************************************************* - The process of updating the trusted domain list is a three step - async process: - (a) ask our domain - (b) ask the root domain in our forest - (c) ask the a DC in any Win2003 trusted forests -*********************************************************************/ - -void rescan_trusted_domains( void ) -{ - time_t now = time(NULL); - - /* see if the time has come... */ - - if ((now >= last_trustdom_scan) && - ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) ) - return; - - /* clear the TRUSTDOM cache first */ - - wcache_tdc_clear(); - - /* this will only add new domains we didn't already know about - in the domain_list()*/ - - add_trusted_domains( find_our_domain() ); - - last_trustdom_scan = now; - - return; -} - -struct init_child_state { - TALLOC_CTX *mem_ctx; - struct winbindd_domain *domain; - struct winbindd_request *request; - struct winbindd_response *response; - void (*continuation)(void *private_data, BOOL success); - void *private_data; -}; - -static void init_child_recv(void *private_data, BOOL success); -static void init_child_getdc_recv(void *private_data, BOOL success); - -enum winbindd_result init_child_connection(struct winbindd_domain *domain, - void (*continuation)(void *private_data, - BOOL success), - void *private_data) -{ - TALLOC_CTX *mem_ctx; - struct winbindd_request *request; - struct winbindd_response *response; - struct init_child_state *state; - struct winbindd_domain *request_domain; - - mem_ctx = talloc_init("init_child_connection"); - if (mem_ctx == NULL) { - DEBUG(0, ("talloc_init failed\n")); - return WINBINDD_ERROR; - } - - request = TALLOC_ZERO_P(mem_ctx, struct winbindd_request); - response = TALLOC_P(mem_ctx, struct winbindd_response); - state = TALLOC_P(mem_ctx, struct init_child_state); - - if ((request == NULL) || (response == NULL) || (state == NULL)) { - DEBUG(0, ("talloc failed\n")); - TALLOC_FREE(mem_ctx); - continuation(private_data, False); - return WINBINDD_ERROR; - } - - request->length = sizeof(*request); - - state->mem_ctx = mem_ctx; - state->domain = domain; - state->request = request; - state->response = response; - state->continuation = continuation; - state->private_data = private_data; - - if (IS_DC || domain->primary || domain->internal ) { - /* The primary domain has to find the DC name itself */ - request->cmd = WINBINDD_INIT_CONNECTION; - fstrcpy(request->domain_name, domain->name); - request->data.init_conn.is_primary = domain->internal ? False : True; - fstrcpy(request->data.init_conn.dcname, ""); - async_request(mem_ctx, &domain->child, request, response, - init_child_recv, state); - return WINBINDD_PENDING; - } - - /* This is *not* the primary domain, let's ask our DC about a DC - * name */ - - request->cmd = WINBINDD_GETDCNAME; - fstrcpy(request->domain_name, domain->name); - - request_domain = find_our_domain(); - async_domain_request(mem_ctx, request_domain, request, response, - init_child_getdc_recv, state); - return WINBINDD_PENDING; -} - -static void init_child_getdc_recv(void *private_data, BOOL success) -{ - struct init_child_state *state = - talloc_get_type_abort(private_data, struct init_child_state); - const char *dcname = ""; - - DEBUG(10, ("Received getdcname response\n")); - - if (success && (state->response->result == WINBINDD_OK)) { - dcname = state->response->data.dc_name; - } - - state->request->cmd = WINBINDD_INIT_CONNECTION; - fstrcpy(state->request->domain_name, state->domain->name); - state->request->data.init_conn.is_primary = False; - fstrcpy(state->request->data.init_conn.dcname, dcname); - - async_request(state->mem_ctx, &state->domain->child, - state->request, state->response, - init_child_recv, state); -} - -static void init_child_recv(void *private_data, BOOL success) -{ - struct init_child_state *state = - talloc_get_type_abort(private_data, struct init_child_state); - - DEBUG(5, ("Received child initialization response for domain %s\n", - state->domain->name)); - - if ((!success) || (state->response->result != WINBINDD_OK)) { - DEBUG(3, ("Could not init child\n")); - state->continuation(state->private_data, False); - talloc_destroy(state->mem_ctx); - return; - } - - fstrcpy(state->domain->name, - state->response->data.domain_info.name); - fstrcpy(state->domain->alt_name, - state->response->data.domain_info.alt_name); - string_to_sid(&state->domain->sid, - state->response->data.domain_info.sid); - state->domain->native_mode = - state->response->data.domain_info.native_mode; - state->domain->active_directory = - state->response->data.domain_info.active_directory; - state->domain->sequence_number = - state->response->data.domain_info.sequence_number; - - init_dc_connection(state->domain); - - if (state->continuation != NULL) - state->continuation(state->private_data, True); - talloc_destroy(state->mem_ctx); -} - -enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domain, - struct winbindd_cli_state *state) -{ - /* Ensure null termination */ - state->request.domain_name - [sizeof(state->request.domain_name)-1]='\0'; - state->request.data.init_conn.dcname - [sizeof(state->request.data.init_conn.dcname)-1]='\0'; - - if (strlen(state->request.data.init_conn.dcname) > 0) { - fstrcpy(domain->dcname, state->request.data.init_conn.dcname); - } - - init_dc_connection(domain); - - if (!domain->initialized) { - /* If we return error here we can't do any cached authentication, - but we may be in disconnected mode and can't initialize correctly. - Do what the previous code did and just return without initialization, - once we go online we'll re-initialize. - */ - DEBUG(5, ("winbindd_dual_init_connection: %s returning without initialization " - "online = %d\n", domain->name, (int)domain->online )); - } - - fstrcpy(state->response.data.domain_info.name, domain->name); - fstrcpy(state->response.data.domain_info.alt_name, domain->alt_name); - fstrcpy(state->response.data.domain_info.sid, - sid_string_static(&domain->sid)); - - state->response.data.domain_info.native_mode - = domain->native_mode; - state->response.data.domain_info.active_directory - = domain->active_directory; - state->response.data.domain_info.primary - = domain->primary; - state->response.data.domain_info.sequence_number = - domain->sequence_number; - - return WINBINDD_OK; -} - -/* Look up global info for the winbind daemon */ -BOOL init_domain_list(void) -{ - struct winbindd_domain *domain; - int role = lp_server_role(); - - /* Free existing list */ - free_domain_list(); - - /* Add ourselves as the first entry. */ - - if ( role == ROLE_DOMAIN_MEMBER ) { - DOM_SID our_sid; - - if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) { - DEBUG(0, ("Could not fetch our SID - did we join?\n")); - return False; - } - - domain = add_trusted_domain( lp_workgroup(), lp_realm(), - &cache_methods, &our_sid); - if (domain) { - domain->primary = True; - setup_domain_child(domain, &domain->child, NULL); - - /* Even in the parent winbindd we'll need to - talk to the DC, so try and see if we can - contact it. Theoretically this isn't neccessary - as the init_dc_connection() in init_child_recv() - will do this, but we can start detecting the DC - early here. */ - set_domain_online_request(domain); - } - } - - /* Local SAM */ - - domain = add_trusted_domain(get_global_sam_name(), NULL, - &passdb_methods, get_global_sam_sid()); - if (domain) { - if ( role != ROLE_DOMAIN_MEMBER ) { - domain->primary = True; - } - setup_domain_child(domain, &domain->child, NULL); - } - - /* BUILTIN domain */ - - domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods, - &global_sid_Builtin); - if (domain) { - setup_domain_child(domain, &domain->child, NULL); - } - - return True; -} - -void check_domain_trusted( const char *name, const DOM_SID *user_sid ) -{ - struct winbindd_domain *domain; - DOM_SID dom_sid; - uint32 rid; - - domain = find_domain_from_name_noinit( name ); - if ( domain ) - return; - - sid_copy( &dom_sid, user_sid ); - if ( !sid_split_rid( &dom_sid, &rid ) ) - return; - - /* add the newly discovered trusted domain */ - - domain = add_trusted_domain( name, NULL, &cache_methods, - &dom_sid); - - if ( !domain ) - return; - - /* assume this is a trust from a one-way transitive - forest trust */ - - domain->active_directory = True; - domain->domain_flags = DS_DOMAIN_DIRECT_OUTBOUND; - domain->domain_type = DS_DOMAIN_TRUST_TYPE_UPLEVEL; - domain->internal = False; - domain->online = True; - - setup_domain_child(domain, &domain->child, NULL); - - wcache_tdc_add_domain( domain ); - - return; -} - -/** - * Given a domain name, return the struct winbindd domain info for it - * - * @note Do *not* pass lp_workgroup() to this function. domain_list - * may modify it's value, and free that pointer. Instead, our local - * domain may be found by calling find_our_domain(). - * directly. - * - * - * @return The domain structure for the named domain, if it is working. - */ - -struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name) -{ - struct winbindd_domain *domain; - - /* Search through list */ - - for (domain = domain_list(); domain != NULL; domain = domain->next) { - if (strequal(domain_name, domain->name) || - (domain->alt_name[0] && - strequal(domain_name, domain->alt_name))) { - return domain; - } - } - - /* Not found */ - - return NULL; -} - -struct winbindd_domain *find_domain_from_name(const char *domain_name) -{ - struct winbindd_domain *domain; - - domain = find_domain_from_name_noinit(domain_name); - - if (domain == NULL) - return NULL; - - if (!domain->initialized) - init_dc_connection(domain); - - return domain; -} - -/* Given a domain sid, return the struct winbindd domain info for it */ - -struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid) -{ - struct winbindd_domain *domain; - - /* Search through list */ - - for (domain = domain_list(); domain != NULL; domain = domain->next) { - if (sid_compare_domain(sid, &domain->sid) == 0) - return domain; - } - - /* Not found */ - - return NULL; -} - -/* Given a domain sid, return the struct winbindd domain info for it */ - -struct winbindd_domain *find_domain_from_sid(const DOM_SID *sid) -{ - struct winbindd_domain *domain; - - domain = find_domain_from_sid_noinit(sid); - - if (domain == NULL) - return NULL; - - if (!domain->initialized) - init_dc_connection(domain); - - return domain; -} - -struct winbindd_domain *find_our_domain(void) -{ - struct winbindd_domain *domain; - - /* Search through list */ - - for (domain = domain_list(); domain != NULL; domain = domain->next) { - if (domain->primary) - return domain; - } - - smb_panic("Could not find our domain"); - return NULL; -} - -struct winbindd_domain *find_root_domain(void) -{ - struct winbindd_domain *ours = find_our_domain(); - - if ( !ours ) - return NULL; - - if ( strlen(ours->forest_name) == 0 ) - return NULL; - - return find_domain_from_name( ours->forest_name ); -} - -struct winbindd_domain *find_builtin_domain(void) -{ - DOM_SID sid; - struct winbindd_domain *domain; - - string_to_sid(&sid, "S-1-5-32"); - domain = find_domain_from_sid(&sid); - - if (domain == NULL) { - smb_panic("Could not find BUILTIN domain"); - } - - return domain; -} - -/* Find the appropriate domain to lookup a name or SID */ - -struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid) -{ - /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */ - - if ( sid_check_is_in_unix_groups(sid) || - sid_check_is_unix_groups(sid) || - sid_check_is_in_unix_users(sid) || - sid_check_is_unix_users(sid) ) - { - return find_domain_from_sid(get_global_sam_sid()); - } - - /* A DC can't ask the local smbd for remote SIDs, here winbindd is the - * one to contact the external DC's. On member servers the internal - * domains are different: These are part of the local SAM. */ - - DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", - sid_string_static(sid))); - - if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) { - DEBUG(10, ("calling find_domain_from_sid\n")); - return find_domain_from_sid(sid); - } - - /* On a member server a query for SID or name can always go to our - * primary DC. */ - - DEBUG(10, ("calling find_our_domain\n")); - return find_our_domain(); -} - -struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name) -{ - if ( strequal(domain_name, unix_users_domain_name() ) || - strequal(domain_name, unix_groups_domain_name() ) ) - { - return find_domain_from_name_noinit( get_global_sam_name() ); - } - - if (IS_DC || strequal(domain_name, "BUILTIN") || - strequal(domain_name, get_global_sam_name())) - return find_domain_from_name_noinit(domain_name); - - /* The "Unix User" and "Unix Group" domain our handled by passdb */ - - return find_our_domain(); -} - -/* Lookup a sid in a domain from a name */ - -BOOL winbindd_lookup_sid_by_name(TALLOC_CTX *mem_ctx, - enum winbindd_cmd orig_cmd, - struct winbindd_domain *domain, - const char *domain_name, - const char *name, DOM_SID *sid, - enum lsa_SidType *type) -{ - NTSTATUS result; - - /* Lookup name */ - result = domain->methods->name_to_sid(domain, mem_ctx, orig_cmd, - domain_name, name, sid, type); - - /* Return sid and type if lookup successful */ - if (!NT_STATUS_IS_OK(result)) { - *type = SID_NAME_UNKNOWN; - } - - return NT_STATUS_IS_OK(result); -} - -/** - * @brief Lookup a name in a domain from a sid. - * - * @param sid Security ID you want to look up. - * @param name On success, set to the name corresponding to @p sid. - * @param dom_name On success, set to the 'domain name' corresponding to @p sid. - * @param type On success, contains the type of name: alias, group or - * user. - * @retval True if the name exists, in which case @p name and @p type - * are set, otherwise False. - **/ -BOOL winbindd_lookup_name_by_sid(TALLOC_CTX *mem_ctx, - struct winbindd_domain *domain, - DOM_SID *sid, - char **dom_name, - char **name, - enum lsa_SidType *type) -{ - NTSTATUS result; - - *dom_name = NULL; - *name = NULL; - - /* Lookup name */ - - result = domain->methods->sid_to_name(domain, mem_ctx, sid, dom_name, name, type); - - /* Return name and type if successful */ - - if (NT_STATUS_IS_OK(result)) { - return True; - } - - *type = SID_NAME_UNKNOWN; - - return False; -} - -/* Free state information held for {set,get,end}{pw,gr}ent() functions */ - -void free_getent_state(struct getent_state *state) -{ - struct getent_state *temp; - - /* Iterate over state list */ - - temp = state; - - while(temp != NULL) { - struct getent_state *next; - - /* Free sam entries then list entry */ - - SAFE_FREE(state->sam_entries); - DLIST_REMOVE(state, state); - next = temp->next; - - SAFE_FREE(temp); - temp = next; - } -} - -/* Is this a domain which we may assume no DOMAIN\ prefix? */ - -static BOOL assume_domain(const char *domain) -{ - /* never assume the domain on a standalone server */ - - if ( lp_server_role() == ROLE_STANDALONE ) - return False; - - /* domain member servers may possibly assume for the domain name */ - - if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) { - if ( !strequal(lp_workgroup(), domain) ) - return False; - - if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() ) - return True; - } - - /* only left with a domain controller */ - - if ( strequal(get_global_sam_name(), domain) ) { - return True; - } - - return False; -} - -/* Parse a string of the form DOMAIN\user into a domain and a user */ - -BOOL parse_domain_user(const char *domuser, fstring domain, fstring user) -{ - char *p = strchr(domuser,*lp_winbind_separator()); - - if ( !p ) { - fstrcpy(user, domuser); - - if ( assume_domain(lp_workgroup())) { - fstrcpy(domain, lp_workgroup()); - } else if ((p = strchr(domuser, '@')) != NULL) { - fstrcpy(domain, ""); - } else { - return False; - } - } else { - fstrcpy(user, p+1); - fstrcpy(domain, domuser); - domain[PTR_DIFF(p, domuser)] = 0; - } - - strupper_m(domain); - - return True; -} - -BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser, - char **domain, char **user) -{ - fstring fstr_domain, fstr_user; - if (!parse_domain_user(domuser, fstr_domain, fstr_user)) { - return False; - } - *domain = talloc_strdup(mem_ctx, fstr_domain); - *user = talloc_strdup(mem_ctx, fstr_user); - return ((*domain != NULL) && (*user != NULL)); -} - -/* Ensure an incoming username from NSS is fully qualified. Replace the - incoming fstring with DOMAIN <separator> user. Returns the same - values as parse_domain_user() but also replaces the incoming username. - Used to ensure all names are fully qualified within winbindd. - Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth. - The protocol definitions of auth_crap, chng_pswd_auth_crap - really should be changed to use this instead of doing things - by hand. JRA. */ - -BOOL canonicalize_username(fstring username_inout, fstring domain, fstring user) -{ - if (!parse_domain_user(username_inout, domain, user)) { - return False; - } - slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s", - domain, *lp_winbind_separator(), - user); - return True; -} - -/* - Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and - 'winbind separator' options. - This means: - - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is - lp_workgroup() - - If we are a PDC or BDC, and this is for our domain, do likewise. - - Also, if omit DOMAIN if 'winbind trusted domains only = true', as the - username is then unqualified in unix - - We always canonicalize as UPPERCASE DOMAIN, lowercase username. -*/ -void fill_domain_username(fstring name, const char *domain, const char *user, BOOL can_assume) -{ - fstring tmp_user; - - fstrcpy(tmp_user, user); - strlower_m(tmp_user); - - if (can_assume && assume_domain(domain)) { - strlcpy(name, tmp_user, sizeof(fstring)); - } else { - slprintf(name, sizeof(fstring) - 1, "%s%c%s", - domain, *lp_winbind_separator(), - tmp_user); - } -} - -/* - * Winbindd socket accessor functions - */ - -char *get_winbind_priv_pipe_dir(void) -{ - return lock_path(WINBINDD_PRIV_SOCKET_SUBDIR); -} - -/* - * Client list accessor functions - */ - -static struct winbindd_cli_state *_client_list; -static int _num_clients; - -/* Return list of all connected clients */ - -struct winbindd_cli_state *winbindd_client_list(void) -{ - return _client_list; -} - -/* Add a connection to the list */ - -void winbindd_add_client(struct winbindd_cli_state *cli) -{ - DLIST_ADD(_client_list, cli); - _num_clients++; -} - -/* Remove a client from the list */ - -void winbindd_remove_client(struct winbindd_cli_state *cli) -{ - DLIST_REMOVE(_client_list, cli); - _num_clients--; -} - -/* Close all open clients */ - -void winbindd_kill_all_clients(void) -{ - struct winbindd_cli_state *cl = winbindd_client_list(); - - DEBUG(10, ("winbindd_kill_all_clients: going postal\n")); - - while (cl) { - struct winbindd_cli_state *next; - - next = cl->next; - winbindd_remove_client(cl); - cl = next; - } -} - -/* Return number of open clients */ - -int winbindd_num_clients(void) -{ - return _num_clients; -} - -NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - uint32 *p_num_groups, DOM_SID **user_sids) -{ - NET_USER_INFO_3 *info3 = NULL; - NTSTATUS status = NT_STATUS_NO_MEMORY; - int i; - size_t num_groups = 0; - DOM_SID group_sid, primary_group; - - DEBUG(3,(": lookup_usergroups_cached\n")); - - *user_sids = NULL; - num_groups = 0; - *p_num_groups = 0; - - info3 = netsamlogon_cache_get(mem_ctx, user_sid); - - if (info3 == NULL) { - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - - if (info3->num_groups == 0) { - TALLOC_FREE(info3); - return NT_STATUS_UNSUCCESSFUL; - } - - /* always add the primary group to the sid array */ - sid_compose(&primary_group, &info3->dom_sid.sid, info3->user_rid); - - if (!add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups)) { - TALLOC_FREE(info3); - return NT_STATUS_NO_MEMORY; - } - - for (i=0; i<info3->num_groups; i++) { - sid_copy(&group_sid, &info3->dom_sid.sid); - sid_append_rid(&group_sid, info3->gids[i].g_rid); - - if (!add_sid_to_array(mem_ctx, &group_sid, user_sids, - &num_groups)) { - TALLOC_FREE(info3); - return NT_STATUS_NO_MEMORY; - } - } - - /* Add any Universal groups in the other_sids list */ - - for (i=0; i<info3->num_other_sids; i++) { - /* Skip Domain local groups outside our domain. - We'll get these from the getsidaliases() RPC call. */ - if (info3->other_sids_attrib[i] & SE_GROUP_RESOURCE) - continue; - - if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, - user_sids, &num_groups)) - { - TALLOC_FREE(info3); - return NT_STATUS_NO_MEMORY; - } - } - - - TALLOC_FREE(info3); - *p_num_groups = num_groups; - status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; - - DEBUG(3,(": lookup_usergroups_cached succeeded\n")); - - return status; -} - -/********************************************************************* - We use this to remove spaces from user and group names -********************************************************************/ - -void ws_name_replace( char *name, char replace ) -{ - char replace_char[2] = { 0x0, 0x0 }; - - if ( !lp_winbind_normalize_names() || (replace == '\0') ) - return; - - replace_char[0] = replace; - all_string_sub( name, " ", replace_char, 0 ); - - return; -} - -/********************************************************************* - We use this to do the inverse of ws_name_replace() -********************************************************************/ - -void ws_name_return( char *name, char replace ) -{ - char replace_char[2] = { 0x0, 0x0 }; - - if ( !lp_winbind_normalize_names() || (replace == '\0') ) - return; - - replace_char[0] = replace; - all_string_sub( name, replace_char, " ", 0 ); - - return; -} - -/********************************************************************* - ********************************************************************/ - -BOOL winbindd_can_contact_domain( struct winbindd_domain *domain ) -{ - /* We can contact the domain if it is our primary domain */ - - if ( domain->primary ) - return True; - - /* Can always contact a domain that is in out forest */ - - if ( domain->domain_flags & DS_DOMAIN_IN_FOREST ) - return True; - - /* We cannot contact the domain if it is running AD and - we have no inbound trust */ - - if ( domain->active_directory && - ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) ) - { - return False; - } - - /* Assume everything else is ok (probably not true but what - can you do?) */ - - return True; -} - -/********************************************************************* - ********************************************************************/ - -BOOL winbindd_internal_child(struct winbindd_child *child) -{ - if ((child == idmap_child()) || (child == locator_child())) { - return True; - } - - return False; -} - -#ifdef HAVE_KRB5_LOCATE_PLUGIN_H - -/********************************************************************* - ********************************************************************/ - -static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain) -{ - char *var = NULL; - const char *kdc = NULL; - int lvl = 11; - - if (!domain || !domain->alt_name || !*domain->alt_name) { - return; - } - - if (domain->initialized && !domain->active_directory) { - DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n", - domain->alt_name)); - return; - } - - kdc = inet_ntoa(domain->dcaddr.sin_addr); - if (!kdc) { - DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n", - domain->alt_name)); - kdc = domain->dcname; - } - - if (!kdc || !*kdc) { - DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n", - domain->alt_name)); - return; - } - - if (asprintf(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS, - strupper_static(domain->alt_name)) == -1) { - return; - } - - DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n", - var, kdc)); - - setenv(var, kdc, 1); - free(var); -} - -/********************************************************************* - ********************************************************************/ - -void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain) -{ - struct winbindd_domain *our_dom = find_our_domain(); - - winbindd_set_locator_kdc_env(domain); - - if (domain != our_dom) { - winbindd_set_locator_kdc_env(our_dom); - } -} - -/********************************************************************* - ********************************************************************/ - -void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain) -{ - char *var = NULL; - - if (!domain || !domain->alt_name || !*domain->alt_name) { - return; - } - - if (asprintf(&var, "%s_%s", WINBINDD_LOCATOR_KDC_ADDRESS, - strupper_static(domain->alt_name)) == -1) { - return; - } - - unsetenv(var); - free(var); -} -#else - -void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain) -{ - return; -} - -void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain) -{ - return; -} - -#endif /* HAVE_KRB5_LOCATE_PLUGIN_H */ diff --git a/source3/nsswitch/winbindd_wins.c b/source3/nsswitch/winbindd_wins.c deleted file mode 100644 index f84dfdf2de..0000000000 --- a/source3/nsswitch/winbindd_wins.c +++ /dev/null @@ -1,234 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind daemon - WINS related functions - - Copyright (C) Andrew Tridgell 1999 - Copyright (C) Herb Lewis 2002 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "winbindd.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_WINBIND - -/* Use our own create socket code so we don't recurse.... */ - -static int wins_lookup_open_socket_in(void) -{ - struct sockaddr_in sock; - int val=1; - int res; - - memset((char *)&sock,'\0',sizeof(sock)); - -#ifdef HAVE_SOCK_SIN_LEN - sock.sin_len = sizeof(sock); -#endif - sock.sin_port = 0; - sock.sin_family = AF_INET; - sock.sin_addr.s_addr = interpret_addr("0.0.0.0"); - res = socket(AF_INET, SOCK_DGRAM, 0); - if (res == -1) - return -1; - - setsockopt(res,SOL_SOCKET,SO_REUSEADDR,(char *)&val,sizeof(val)); -#ifdef SO_REUSEPORT - setsockopt(res,SOL_SOCKET,SO_REUSEPORT,(char *)&val,sizeof(val)); -#endif /* SO_REUSEPORT */ - - /* now we've got a socket - we need to bind it */ - - if (bind(res, (struct sockaddr * ) &sock,sizeof(sock)) < 0) { - close(res); - return(-1); - } - - set_socket_options(res,"SO_BROADCAST"); - - return res; -} - - -static NODE_STATUS_STRUCT *lookup_byaddr_backend(char *addr, int *count) -{ - int fd; - struct in_addr ip; - struct nmb_name nname; - NODE_STATUS_STRUCT *status; - - fd = wins_lookup_open_socket_in(); - if (fd == -1) - return NULL; - - make_nmb_name(&nname, "*", 0); - ip = *interpret_addr2(addr); - status = node_status_query(fd,&nname,ip, count, NULL); - - close(fd); - return status; -} - -static struct in_addr *lookup_byname_backend(const char *name, int *count) -{ - int fd; - struct ip_service *ret = NULL; - struct in_addr *return_ip = NULL; - int j, i, flags = 0; - - *count = 0; - - /* always try with wins first */ - if (NT_STATUS_IS_OK(resolve_wins(name,0x20,&ret,count))) { - if ( *count == 0 ) - return NULL; - if ( (return_ip = SMB_MALLOC_ARRAY(struct in_addr, *count)) == NULL ) { - free( ret ); - return NULL; - } - - /* copy the IP addresses */ - for ( i=0; i<(*count); i++ ) - return_ip[i] = ret[i].ip; - - free( ret ); - return return_ip; - } - - fd = wins_lookup_open_socket_in(); - if (fd == -1) { - return NULL; - } - - /* uggh, we have to broadcast to each interface in turn */ - for (j=iface_count() - 1; - j >= 0; - j--) { - struct in_addr *bcast = iface_n_bcast(j); - return_ip = name_query(fd,name,0x20,True,True,*bcast,count, &flags, NULL); - if (return_ip) { - break; - } - } - - close(fd); - return return_ip; -} - -/* Get hostname from IP */ - -void winbindd_wins_byip(struct winbindd_cli_state *state) -{ - fstring response; - int i, count, maxlen, size; - NODE_STATUS_STRUCT *status; - - /* Ensure null termination */ - state->request.data.winsreq[sizeof(state->request.data.winsreq)-1]='\0'; - - DEBUG(3, ("[%5lu]: wins_byip %s\n", (unsigned long)state->pid, - state->request.data.winsreq)); - - *response = '\0'; - maxlen = sizeof(response) - 1; - - if ((status = lookup_byaddr_backend(state->request.data.winsreq, &count))){ - size = strlen(state->request.data.winsreq); - if (size > maxlen) { - SAFE_FREE(status); - request_error(state); - return; - } - fstrcat(response,state->request.data.winsreq); - fstrcat(response,"\t"); - for (i = 0; i < count; i++) { - /* ignore group names */ - if (status[i].flags & 0x80) continue; - if (status[i].type == 0x20) { - size = sizeof(status[i].name) + strlen(response); - if (size > maxlen) { - SAFE_FREE(status); - request_error(state); - return; - } - fstrcat(response, status[i].name); - fstrcat(response, " "); - } - } - /* make last character a newline */ - response[strlen(response)-1] = '\n'; - SAFE_FREE(status); - } - fstrcpy(state->response.data.winsresp,response); - request_ok(state); -} - -/* Get IP from hostname */ - -void winbindd_wins_byname(struct winbindd_cli_state *state) -{ - struct in_addr *ip_list; - int i, count, maxlen, size; - fstring response; - char * addr; - - /* Ensure null termination */ - state->request.data.winsreq[sizeof(state->request.data.winsreq)-1]='\0'; - - DEBUG(3, ("[%5lu]: wins_byname %s\n", (unsigned long)state->pid, - state->request.data.winsreq)); - - *response = '\0'; - maxlen = sizeof(response) - 1; - - if ((ip_list = lookup_byname_backend(state->request.data.winsreq,&count))){ - for (i = count; i ; i--) { - addr = inet_ntoa(ip_list[i-1]); - size = strlen(addr); - if (size > maxlen) { - SAFE_FREE(ip_list); - request_error(state); - return; - } - if (i != 0) { - /* Clear out the newline character */ - /* But only if there is something in there, - otherwise we clobber something in the stack */ - if (strlen(response)) - response[strlen(response)-1] = ' '; - } - fstrcat(response,addr); - fstrcat(response,"\t"); - } - size = strlen(state->request.data.winsreq) + strlen(response); - if (size > maxlen) { - SAFE_FREE(ip_list); - request_error(state); - return; - } - fstrcat(response,state->request.data.winsreq); - fstrcat(response,"\n"); - SAFE_FREE(ip_list); - } else { - request_error(state); - return; - } - - fstrcpy(state->response.data.winsresp,response); - - request_ok(state); -} |